diff --git a/changelog.upstream b/changelog.upstream index 12bbc46..088bb95 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,167 @@ +commit 6d7a78262464c054c46df155605a480f1b32f22c +Author: Patrick Schleizer +Date: Thu Nov 24 07:21:46 2022 -0500 + + fix + +commit 421f03ae9e648d366146415532d4dd9dda106980 +Author: Patrick Schleizer +Date: Thu Nov 24 07:20:56 2022 -0500 + + fix + +commit ad1e722879ef049ef421f0062ee383770d66bfee +Author: Patrick Schleizer +Date: Thu Nov 24 07:00:33 2022 -0500 + + bumped changelog version + +commit a806c782d78d691617dd650808a0403ce72d4a1a +Author: Patrick Schleizer +Date: Thu Nov 24 07:00:23 2022 -0500 + + fix + +commit 4601e106c4823f2cb0dc7a8ba601670395c96326 +Author: Patrick Schleizer +Date: Thu Nov 24 06:49:26 2022 -0500 + + bumped changelog version + +commit 39b35ef9ac7489685df5486334a0acf5936e9b47 +Author: Patrick Schleizer +Date: Thu Nov 24 06:49:15 2022 -0500 + + fix + +commit 73963a9e6847fd8099093da1253267d79db7d261 +Author: Patrick Schleizer +Date: Thu Nov 24 06:31:37 2022 -0500 + + bumped changelog version + +commit d05c10172178d04781976026243297fa153125a0 +Author: Patrick Schleizer +Date: Thu Nov 24 06:31:24 2022 -0500 + + debugging + +commit 36454c2dbf43de4805f2f156b05d263c37b9615a +Author: Patrick Schleizer +Date: Thu Nov 24 06:25:47 2022 -0500 + + debugging + +commit e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0 +Author: Patrick Schleizer +Date: Thu Nov 24 06:24:14 2022 -0500 + + debugging + +commit 97722d1926bc106a0645783fcb55b7d5691c873b +Author: Patrick Schleizer +Date: Thu Nov 24 06:14:15 2022 -0500 + + bumped changelog version + +commit 497b5b45442b1293b130fef63de1b84d091d27eb +Author: Patrick Schleizer +Date: Thu Nov 24 06:14:04 2022 -0500 + + fix + +commit d7222b5678aa182866c389d8a88f55b6488e74e0 +Author: Patrick Schleizer +Date: Tue Nov 22 06:03:13 2022 -0500 + + bumped changelog version + +commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9 +Author: Patrick Schleizer +Date: Tue Nov 22 05:57:30 2022 -0500 + + pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) + +commit 
d419898ee494fb159ed6811a719dbb4a5ffb469a +Author: Patrick Schleizer +Date: Thu Nov 17 10:15:36 2022 -0500 + + bumped changelog version + +commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 +Author: Patrick Schleizer +Date: Wed Nov 16 02:01:23 2022 -0500 + + pam-info refactoring + +commit caf0099064747a2048363e3600a53af51df549ad +Author: Patrick Schleizer +Date: Wed Nov 16 02:00:32 2022 -0500 + + pam-info refactoring + +commit 487f63bb01c6dfc71d0e4efef2c70dae94093dce +Author: Patrick Schleizer +Date: Wed Nov 16 01:56:01 2022 -0500 + + comment + +commit f59f959a8d43ebd80a4037e65ec26df7143bcaf5 +Author: Patrick Schleizer +Date: Wed Nov 16 01:55:14 2022 -0500 + + pam-info fix + +commit ae113442a162969561a24fcf17718ceb6a11d928 +Author: Patrick Schleizer +Date: Wed Nov 16 01:49:45 2022 -0500 + + pam-info refactoring + +commit bb6b509d06a1ae34ee407cb309c530e5dddfedfd +Author: Patrick Schleizer +Date: Wed Nov 16 01:44:21 2022 -0500 + + pam-info refactoring + +commit e5d7ab7082908e64596ccd1da835a781cae22456 +Author: Patrick Schleizer +Date: Tue Nov 15 12:44:12 2022 -0500 + + comment + +commit 23b936b573c8989222a50d1ef8c35dc95589bb0e +Author: Patrick Schleizer +Date: Tue Nov 15 12:31:14 2022 -0500 + + also support /usr/local/etc/pam-info-debug + +commit 95487346dbb18c4ac9133fc21b4abed12dc346b3 +Author: Patrick Schleizer +Date: Tue Nov 15 12:29:41 2022 -0500 + + pam-info: create debug log file ~/pam-info-debug.txt + + when file /etc/pam-info-debug exists + +commit 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a +Author: Patrick Schleizer +Date: Tue Nov 15 12:00:59 2022 -0500 + + comments + +commit 6033de78152cb5d7a9659f58aa8035ae2a7d6532 +Author: Patrick Schleizer +Date: Tue Nov 15 11:58:50 2022 -0500 + + debugging + +commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1 +Author: Patrick Schleizer +Date: Wed Aug 24 18:28:39 2022 -0400 + + bumped changelog version + commit cdfc175953a8ab358bb8e6db2610df11733ba258 Merge: ff84514 ae4d498 Author: Patrick Schleizer 
diff --git a/debian/changelog b/debian/changelog index 5367362..9181bec 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,45 @@ +security-misc (3:26.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 12:21:58 +0000 + +security-misc (3:26.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 12:00:33 +0000 + +security-misc (3:26.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:49:25 +0000 + +security-misc (3:26.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:31:37 +0000 + +security-misc (3:26.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:14:15 +0000 + +security-misc (3:26.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 22 Nov 2022 11:03:13 +0000 + +security-misc (3:26.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 17 Nov 2022 15:15:36 +0000 + security-misc (3:25.9-1) unstable; urgency=medium * New upstream version (local package). diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index f6bf3a6..96b9b92 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -3,3 +3,4 @@ user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops + diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 906fc0d..381bedc 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -3,6 +3,35 @@
 ## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## To enable debug log, run:
+## sudo touch /etc/pam-info-debug
+##
+## Debug log if enabled can be found in file:
+## /root/pam-info-debug.txt
+
+true "$0: START PHASE 1"
+
+if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then
+ set -x
+ exec 5>&1 1>> ~/pam-info-debug.txt
+ exec 6>&2 2>> ~/pam-info-debug.txt
+fi
+
+true "$0: START PHASE 2"
+
+set -o pipefail
+
+## Debugging.
+who_ami="$(whoami)"
+true "$0: who_ami: $who_ami"
+true "$0: PAM_USER: $PAM_USER"
+true "$0: SUDO_USER: $SUDO_USER"
+
+if [ "$PAM_USER" = "" ]; then
+ true "$0: ERROR: Environment variable PAM_USER is unset!"
+ exit 0
+fi
+
 grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
 
 ## Check if grep matched something.
@@ -23,17 +52,18 @@ if [ ! "$grep_result" = "" ]; then
 fi
 
 if [ ! "$console_allowed" = "true" ]; then
- echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2
- echo "$0: To unlock, run the following command as superuser:" >&2
- echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
- echo "" >&2
- echo "adduser $PAM_USER console" >&2
- echo "" >&2
- echo "$0: However, possibly unlock procedure is required." >&2
- echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
- echo "$0: See also:" >&2
- echo "https://www.kicksecure.com/wiki/root#console" >&2
- echo "" >&2
+ echo "\
+$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'
+To unlock, run the following command as superuser:
+(If you still have a sudo/root shell somewhere.)
+
+adduser $PAM_USER console
+
+However, possibly unlock procedure is required.
+First boot into recovery mode at grub boot menu and then run above command.
+See also:
+https://www.kicksecure.com/wiki/root#console
+" >&2
 exit 0
 fi
 fi
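Review bot: The debug block in the first hunk saves the original stderr on fd 6 (`exec 6>&2 2>> ~/pam-info-debug.txt`) but nothing afterwards writes to fd 6, so while /etc/pam-info-debug exists every user-facing message of this script — all of them are sent with `>&2`, including the group 'console' error in the second hunk on this line and the faillock warnings in the later hunks — is appended to the log instead of reaching the user. Sending only the trace to the file avoids that: replace the three lines inside the `if` with `exec 5>> ~/pam-info-debug.txt`, `BASH_XTRACEFD=5` and `set -x`, in that order. The comment above says the log is /root/pam-info-debug.txt, but `~` follows the HOME of whatever process invokes the script, and since this series is about non-root environments the file may end up in the authenticating user's home with the default umask, even though the trace records PAM_USER, SUDO_USER and the faillock output. If the script can still run as root with HOME pointing at a user-owned directory, appending through a path that user controls is also worth avoiding; a fixed root-owned location, or at least `umask 077` before the `exec`, would be safer.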
@@ -41,73 +71,91 @@ fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 -if [ ! "$(id -u)" = "0" ]; then - ## as user "user" - ## /usr/sbin/faillock -u user - ## faillock: Error opening /var/log/tallylog for update: Permission denied - ## /usr/sbin/faillock: Authentication error - ## - ## xscreensaver runs as user "user", therefore pam_faillock cannot function. - ## xscreensaver has its own failed login counter. - ## - ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts - ## - ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html - ## TODO: echo -> true - echo "$0: not started as root, exiting." - exit 0 -fi - ## Does not work (yet) for login, pam_securetty runs before and aborts. ## Also this should only run for login since securetty covers only login. # if [ "$PAM_USER" = "root" ]; then # if [ -f /etc/securetty ]; then # grep_result="$(grep "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then -# echo "$0: ERROR: Root login is disabled." >&2 -# echo "$0: ERROR: This is because /etc/securetty is empty." >&2 -# echo "$0: See also:" >&2 -# echo "https://www.kicksecure.com/wiki/root#login" >&2 -# echo "" >&2 +# echo "\ +# $0: ERROR: Root login is disabled. +# ERROR: This is because /etc/securetty is empty. +# See also: +# https://www.kicksecure.com/wiki/root#login +# " >&2 # exit 0 # fi # fi # fi -## Using || true to not break read-only disk boot without ro-mode-init or grub-live. -pam_faillock_output="$(faillock --user "$PAM_USER")" || true +## as user "user" +## /usr/sbin/faillock -u user +## faillock: Error opening /var/log/tallylog for update: Permission denied +## /usr/sbin/faillock: Authentication error +## +## xscreensaver runs as user "user", therefore pam_faillock cannot function. +## xscreensaver has its own failed login counter. 
+## +## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts +## +## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html +## +## Checking exit code to avoid breaking when read-only disk boot but +## without ro-mode-init or grub-live being used. +if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then + true "$0: faillock non-zero exit code." + exit 0 +fi if [ "$pam_faillock_output" = "" ]; then true "$0: no failed login" exit 0 fi -## Example: +## example pam_faillock_output (stdout): ## user: ## When Type Source Valid ## 2021-08-10 16:26:33 RHOST V ## 2021-08-10 16:26:54 RHOST V -pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head -1)" +## example pam_faillock_output (stderr): +## faillock: No user name supplied. +## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] + +## Get first line. +#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" +while read -t 10 -r pam_faillock_output_first_line ; do + break +done <<< "$pam_faillock_output" + +true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" +## example pam_faillock_output_first_line: +## user: + user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" +## example user_name: +## user +## root pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" +## example pam_faillock_output_count: +## 2 +## example pam_faillock_output_count: +## 4 +## Do not count the first two informational textual output lines +## (starting with "user:" and "When"). failed_login_counter=$(( pam_faillock_output_count - 2 )) -if [ ! "$PAM_USER" = "$user_name" ]; then - echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2 - echo "$0: ERROR: Please report this bug." 
>&2 - echo "" >&2 - exit 0 -fi +## example failed_login_counter: +## 2 if [ "$failed_login_counter" = "0" ]; then true "$0: INFO: Failed login counter is 0, ok." exit 0 fi -## pam_faillock default +## pam_faillock default if it cannot be determined below. deny=3 if test -f /etc/security/faillock.conf ; then 
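Review bot: The first-line extraction `while read -t 10 -r pam_faillock_output_first_line ; do break; done <<< "$pam_faillock_output"` is a loop that always runs exactly once; a plain `read -r pam_faillock_output_first_line <<< "$pam_faillock_output"` does the same, and the `-t 10` timeout has nothing to wait for on a here-string. A guard is also worth adding: `failed_login_counter=$(( pam_faillock_output_count - 2 ))` goes negative if faillock ever prints fewer than two lines (only empty output is handled above), and the `= "0"` test further down would then pass a negative count through to the warning and the remaining-attempts arithmetic; `if [ "$failed_login_counter" -le "0" ]; then` covers both cases. Whether faillock can emit a one-line result here is not visible in the hunk.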
@@ -118,37 +166,43 @@ if test -f /etc/security/faillock.conf ; then
 fi
 
 if [[ "$deny" == *[!0-9]* ]]; then
- echo "$0: ERROR: deny is not numeric. deny: '$deny'" >&2
- echo "$0: ERROR: Please report this bug." >&2
- echo "" >&2
+ echo "\
+$0: ERROR: deny is not numeric. deny: '$deny'
+ERROR: Please report this bug.
+" >&2
 exit 0
 fi
 
 remaining_attempts="$(( $deny - $failed_login_counter ))"
 
 if [ "$remaining_attempts" -le "0" ]; then
- echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
- echo "$0: To unlock, run the following command as superuser:" >&2
- echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
- echo "" >&2
- echo "faillock --reset --user $PAM_USER" >&2
- echo "" >&2
- echo "$0: However, most likely unlock procedure is required." >&2
- echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
- echo "$0: See also:" >&2
- echo "https://www.kicksecure.com/wiki/root#unlock" >&2
- echo "" >&2
+ echo "\
+$0: ERROR: Login blocked after $failed_login_counter attempts.
+To unlock, run the following command as superuser:
+(If you still have a sudo/root shell somewhere.)
+
+faillock --reset --user $PAM_USER
+
+However, most likely unlock procedure is required.
+First boot into recovery mode at grub boot menu and then run above command.
+See also:
+https://www.kicksecure.com/wiki/root#unlock
+" >&2
 exit 0
 fi
 
-echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
-echo "$0: Login will be blocked after $deny attempts." >&2
-echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
-echo "" >&2
+echo "\
+$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'.
+Login will be blocked after $deny attempts.
+You have $remaining_attempts more attempts before unlock procedure is required.
+" >&2
 
 if [ "$PAM_SERVICE" = "su" ]; then
- echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
- echo "" >&2
+ echo "\
+$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown.
+" >&2
 fi
 
+true "$0: END"
+
 exit 0
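Review bot: The multi-line messages are built as `echo "\` … `" >&2` strings that rely on a backslash-newline continuation, which is what forces the `(\"*\")` escaping in the su NOTE block; a here-document reads more naturally and needs no escaping: replace `echo "\` with `cat >&2 <<EOF` and the closing `" >&2` with `EOF` (an unquoted delimiter keeps `$0`, `$failed_login_counter` and the other variables expanding). The same form fits the message blocks in the two earlier pam-info hunks, including the commented-out securetty block.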