mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-23 01:03:35 +07:00
Code Issues Packages Projects Releases Wiki Activity

use end-of-options

Browse Source
This commit is contained in:
Patrick Schleizer 2024-10-18 12:45:02 -04:00
parent 0cfcdf4f89
commit b6433309fd
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
usr/libexec/security-misc/pam-abort-on-locked-password
View File

@ -7,7 +7,7 @@
## counter. This is not a security feature.
## https://forums.whonix.org/t/restrict-root-access/7658/1
passwd_bin="$(type -P "passwd")"
passwd_bin="$(type -P -- "passwd")"
if ! test -x "$passwd_bin" ; then
echo "\
@ -17,7 +17,7 @@ See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&
exit 2
fi
if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then
if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then
echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
exit 3
fi

14
usr/libexec/security-misc/pam-info
View File

@ -32,22 +32,22 @@ if [ "$PAM_USER" = "" ]; then
exit 0
fi
grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
## Check if grep matched something.
if [ ! "$grep_result" = "" ]; then
## Yes, grep matched.
## Check if not out commented.
if ! echo "$grep_result" | grep -q "#" ; then
if ! echo "$grep_result" | grep --quiet -- "#" ; then
## Not out commented indeed.
## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592
if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then
if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then
console_allowed=true
fi
if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then
if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then
console_allowed=true
fi
@ -102,7 +102,7 @@ fi
##
## Checking exit code to avoid breaking when read-only disk boot but
## without ro-mode-init or grub-live being used.
if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then
if ! pam_faillock_output="$(faillock --user -- "$PAM_USER")" ; then
true "$0: faillock non-zero exit code."
exit 0
fi
@ -159,7 +159,7 @@ fi
deny=3
if test -f /etc/security/faillock.conf ; then
deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =")
deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =")
deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")"
## Example:
#deny=50
@ -181,7 +181,7 @@ $0: ERROR: Login blocked after $failed_login_counter attempts.
To unlock, run the following command as superuser:
(If you still have a sudo/root shell somewhere.)
faillock --reset --user $PAM_USER
faillock --reset --user -- $PAM_USER
However, most likely unlock procedure is required.
First boot into recovery mode at grub boot menu and then run above command.