use end-of-options

Patrick Schleizer 2024-10-18 12:45:02 -04:00
parent 0cfcdf4f89
commit b6433309fd
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 9 additions and 9 deletions


@ -7,7 +7,7 @@
## counter. This is not a security feature. ## counter. This is not a security feature.
## https://forums.whonix.org/t/restrict-root-access/7658/1 ## https://forums.whonix.org/t/restrict-root-access/7658/1
passwd_bin="$(type -P "passwd")" passwd_bin="$(type -P -- "passwd")"
if ! test -x "$passwd_bin" ; then if ! test -x "$passwd_bin" ; then
echo "\ echo "\
@ -17,7 +17,7 @@ See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&
exit 2 exit 2
fi fi
if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then
echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
exit 3 exit 3
fi fi
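Review bot: The failure branch after the new `"$passwd_bin" -S -- "$PAM_USER"` call still attributes every non-zero exit to a missing user, while the `2>/dev/null` on the same line discards the one diagnostic that would tell a missing user apart from any other `passwd -S` failure. Since the script already sends its own diagnostics to stderr (`>&2` on the echo line), the simplest fix is to stop silencing passwd and let its message reach the same place: `if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER")" ; then`. If the silencing is deliberate, the message should at least not claim the user does not exist, e.g. `echo "$0: ERROR: passwd -S failed for user \"$PAM_USER\" (user may not exist)." >&2`. The `--` itself is fine here, as both `type -P` and shadow-utils `passwd` accept it.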


@ -32,22 +32,22 @@ if [ "$PAM_USER" = "" ]; then
exit 0 exit 0
fi fi
grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
## Check if grep matched something. ## Check if grep matched something.
if [ ! "$grep_result" = "" ]; then if [ ! "$grep_result" = "" ]; then
## Yes, grep matched. ## Yes, grep matched.
## Check if not out commented. ## Check if not out commented.
if ! echo "$grep_result" | grep -q "#" ; then if ! echo "$grep_result" | grep --quiet -- "#" ; then
## Not out commented indeed. ## Not out commented indeed.
## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592
if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then
console_allowed=true console_allowed=true
fi fi
if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then
console_allowed=true console_allowed=true
fi fi
@ -102,7 +102,7 @@ fi
## ##
## Checking exit code to avoid breaking when read-only disk boot but ## Checking exit code to avoid breaking when read-only disk boot but
## without ro-mode-init or grub-live being used. ## without ro-mode-init or grub-live being used.
if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then if ! pam_faillock_output="$(faillock --user -- "$PAM_USER")" ; then
true "$0: faillock non-zero exit code." true "$0: faillock non-zero exit code."
exit 0 exit 0
fi fi
@ -159,7 +159,7 @@ fi
deny=3 deny=3
if test -f /etc/security/faillock.conf ; then if test -f /etc/security/faillock.conf ; then
deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =") deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =")
deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")"
## Example: ## Example:
#deny=50 #deny=50
@ -181,7 +181,7 @@ $0: ERROR: Login blocked after $failed_login_counter attempts.
To unlock, run the following command as superuser: To unlock, run the following command as superuser:
(If you still have a sudo/root shell somewhere.) (If you still have a sudo/root shell somewhere.)
faillock --reset --user $PAM_USER faillock --reset --user -- $PAM_USER
However, most likely unlock procedure is required. However, most likely unlock procedure is required.
First boot into recovery mode at grub boot menu and then run above command. First boot into recovery mode at grub boot menu and then run above command.
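Review bot: The `--` added between `--user` and its value in `faillock --user -- "$PAM_USER"` (hunk at -102) and in the displayed recovery command `faillock --reset --user -- $PAM_USER` (hunk at -181) is consumed as the option's argument, so the user queried becomes the literal string `--` and `$PAM_USER` is left over as an unexpected word; faillock's argument parser, as far as I know, does not recognise `--` at all and rejects it as an unknown option. Because the hunk at -102 reacts to a non-zero faillock exit with `true "$0: faillock non-zero exit code."` followed by `exit 0`, this would make the lockout check silently fail open for every login rather than only on the read-only-disk case the comment describes. Both lines should keep their previous form, `if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then` and `faillock --reset --user $PAM_USER`; an option value is taken verbatim, so no end-of-options marker is needed to protect a leading `-`. The message containing the second line starts outside the hunk, and the `--` additions to `grep` and `id` in this file look correct since those use getopt_long.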