mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:23:36 +07:00
250 lines
7.5 KiB
Bash
250 lines
7.5 KiB
Bash
#!/bin/bash
|
|
|
|
## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
|
|
source /usr/libexec/helper-scripts/pre.bsh
|
|
fi
|
|
|
|
set -e
|
|
|
|
true "
|
|
#####################################################################
|
|
## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
|
|
#####################################################################
|
|
"
|
|
|
|
user_groups_modifications() {
|
|
## /usr/libexec/security-misc/hide-hardware-info
|
|
addgroup --system sysfs
|
|
addgroup --system cpuinfo
|
|
|
|
## /usr/lib/systemd/system/proc-hidepid.service
|
|
addgroup --system proc
|
|
|
|
## group 'sudo' membership required to use 'su'
|
|
## /usr/share/pam-configs/wheel-security-misc
|
|
adduser root sudo
|
|
|
|
## Useful to create groups in preinst rather than postinst.
|
|
## Otherwise if a user saw an error message such as this:
|
|
##
|
|
## /var/lib/ dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted.
|
|
## /var/lib/ dpkg/tmp.ci/preinst: ERROR: You probably want to run:
|
|
## sudo adduser user console
|
|
##
|
|
## Then the user could not run 'sudo adduser user console' but also would
|
|
## have to create the groups himself.
|
|
|
|
## Related to Console Lockdown.
|
|
## /usr/share/pam-configs/console-lockdown-security-misc
|
|
## /etc/security/access-security-misc.conf
|
|
addgroup --system console
|
|
addgroup --system console-unrestricted
|
|
## This has no effect since by default this package also ships and an
|
|
## /etc/securetty configuration file that contains nothing but comments, i.e.
|
|
## an "empty" /etc/securetty.
|
|
## In case a system administrator edits /etc/securetty, there is no need to
|
|
## block for this to be still blocked by console lockdown. See also:
|
|
## https://www.whonix.org/wiki/Root#Root_Login
|
|
adduser root console
|
|
}
|
|
|
|
output_skip_checks() {
|
|
echo "security-misc '$0' INFO: Allow installation of security-misc anyway." >&2
|
|
echo "security-misc '$0' INFO: (technical reason: $@)" >&2
|
|
echo "security-misc '$0' INFO: If this is a chroot this is probably OK." >&2
|
|
echo "security-misc '$0' INFO: Otherwise you might not be able to login." >&2
|
|
}
|
|
|
|
sudo_users_check () {
|
|
if command -v "qubesdb-read" &>/dev/null; then
|
|
## Qubes users can use dom0 to get a root terminal emulator.
|
|
## For example:
|
|
## qvm-run -u root debian-10 xterm
|
|
return 0
|
|
fi
|
|
|
|
local sudo_users user_with_sudo are_there_any_sudo_users OLD_IFS
|
|
|
|
sudo_users="$(getent group sudo | cut -d: -f4)"
|
|
## example sudo_users:
|
|
## user,root
|
|
|
|
OLD_IFS="$IFS"
|
|
IFS=","
|
|
export IFS
|
|
|
|
for user_with_sudo in $sudo_users ; do
|
|
if [ "$user_with_sudo" = "root" ]; then
|
|
## root login is also restricted.
|
|
## Therefore user "root" being member of group "sudo" is
|
|
## considered insufficient.
|
|
continue
|
|
fi
|
|
are_there_any_sudo_users=yes
|
|
break
|
|
done
|
|
|
|
IFS="$OLD_IFS"
|
|
export IFS
|
|
|
|
if [ "$are_there_any_sudo_users" = "yes" ]; then
|
|
return 0
|
|
fi
|
|
|
|
## Prevent users from locking themselves out.
|
|
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
|
|
echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2
|
|
echo "$0: ERROR: You probably want to run:" >&2
|
|
echo "$0: NOTE: Replace user 'user' with your actual Linux user account name." >&2
|
|
echo "" >&2
|
|
echo "sudo adduser user sudo" >&2
|
|
echo "sudo adduser user console" >&2
|
|
echo "" >&2
|
|
echo "$0: ERROR: See also installation instructions:" >&2
|
|
echo "https://www.kicksecure.com/wiki/security-misc#install" >&2
|
|
|
|
if [ "$SECURITY_MISC_INSTALL" = "force" ]; then
|
|
output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'."
|
|
return 0
|
|
fi
|
|
if test -f "/var/lib/security-misc/skip_install_check" ; then
|
|
output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists."
|
|
return 0
|
|
fi
|
|
|
|
exit 200
|
|
}
|
|
|
|
console_users_check() {
|
|
if [ "$SECURITY_MISC_INSTALL" = "force" ]; then
|
|
return 0
|
|
fi
|
|
if test -f "/var/lib/security-misc/skip_install_check" ; then
|
|
return 0
|
|
fi
|
|
if command -v "qubesdb-read" &>/dev/null; then
|
|
## Qubes users can use dom0 to get a root terminal emulator.
|
|
## For example:
|
|
## qvm-run -u root debian-10 xterm
|
|
return 0
|
|
fi
|
|
|
|
local console_users console_unrestricted_users user_with_console are_there_any_console_users OLD_IFS
|
|
|
|
console_users="$(getent group console | cut -d: -f4)"
|
|
## example console_users:
|
|
## user
|
|
console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)"
|
|
|
|
OLD_IFS="$IFS"
|
|
IFS=","
|
|
export IFS
|
|
|
|
for user_with_console in $console_users $console_unrestricted_users ; do
|
|
if [ "$user_with_console" = "root" ]; then
|
|
## root login is also restricted.
|
|
## Therefore user "root" being member of group "console" is
|
|
## considered insufficient.
|
|
continue
|
|
fi
|
|
are_there_any_console_users=yes
|
|
break
|
|
done
|
|
|
|
IFS="$OLD_IFS"
|
|
export IFS
|
|
|
|
## Prevent users from locking themselves out.
|
|
## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
|
|
if [ "$are_there_any_console_users" = "yes" ]; then
|
|
return 0
|
|
fi
|
|
|
|
echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2
|
|
echo "$0: ERROR: You probably want to run:" >&2
|
|
echo "" >&2
|
|
echo "sudo adduser user console" >&2
|
|
echo "" >&2
|
|
echo "$0: ERROR: See also installation instructions:" >&2
|
|
echo "https://www.whonix.org/wiki/security-misc#install" >&2
|
|
|
|
if [ "$SECURITY_MISC_INSTALL" = "force" ]; then
|
|
output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'."
|
|
return 0
|
|
fi
|
|
if test -f "/var/lib/security-misc/skip_install_check" ; then
|
|
output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists."
|
|
return 0
|
|
fi
|
|
|
|
exit 201
|
|
}
|
|
|
|
legacy() {
|
|
if [ -f "/var/lib/legacy/do_once/${FUNCNAME}_version_1" ]; then
|
|
return 0
|
|
fi
|
|
|
|
local continue_yes user_to_be_created
|
|
|
|
if [ -f "/usr/share/whonix/marker" ]; then
|
|
continue_yes=true
|
|
fi
|
|
if [ -f "/usr/share/kicksecure/marker" ]; then
|
|
continue_yes=true
|
|
fi
|
|
|
|
if [ ! "$continue_yes" = "true" ]; then
|
|
return 0
|
|
fi
|
|
|
|
if command -v "qubesdb-read" &>/dev/null; then
|
|
## Qubes users can use dom0 to get a root terminal emulator.
|
|
## For example:
|
|
## qvm-run -u root debian-10 xterm
|
|
return 0
|
|
fi
|
|
|
|
## https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
|
|
|
|
user_to_be_created=user
|
|
|
|
if ! id "$user_to_be_created" &>/dev/null ; then
|
|
true "INFO: user '$user_to_be_created' does not exist. Skipping adduser console and pam-auth-update."
|
|
return 0
|
|
fi
|
|
|
|
adduser "$user_to_be_created" console
|
|
|
|
pam-auth-update --enable console-lockdown-security-misc
|
|
|
|
mkdir --parents "/var/lib/legacy/do_once"
|
|
touch "/var/lib/legacy/do_once/${FUNCNAME}_version_1"
|
|
}
|
|
|
|
user_groups_modifications
|
|
legacy
|
|
|
|
if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
|
|
sudo_users_check
|
|
console_users_check
|
|
fi
|
|
|
|
true "INFO: debhelper beginning here."
|
|
|
|
#DEBHELPER#
|
|
|
|
true "INFO: Done with debhelper."
|
|
|
|
true "
|
|
#####################################################################
|
|
## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
|
|
#####################################################################
|
|
"
|
|
|
|
## Explicitly "exit 0", so eventually trapped errors can be ignored.
|
|
exit 0
|