[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

/etc/security Hardening? - Console Lockdown - pam_access - access.conf

Why is whonixcheck trying to access it? Why not just add it to the whonixcheck profile?

Maybe this would work:

Conflicts: sudo
1 Like

Ah, the issue isn’t /etc/pam.d/sudo but /etc/pam.d/common-account (which sudo has an include rule for).

1 Like

It’s not. But it uses sudo. And then pam calls it.

It’s just a symptom. Would be happening with other applications too.

Exactly.

1 Like

Then it should be added to the base abstraction.

Found a potential solution. Using pam_exec, environment variable PAM_SERVICE, exit codes (depending on if PAM_SERVICE is set to login) and then using the /etc/pam.d feature “jumping over the next N modules in the stack”.

That probably means just that when users run sudo pam-auth-update that they cannot enable two conflicting pam modules at the same time.

1 Like
1 Like

use pam_acccess only for /etc/pam.d/login
remove Allow members of group 'ssh' to login.
remove +:ssh:ALL EXCEPT LOCAL

The SSH restrictions earlier was just a byproduct of not knowing how to implement this better, i.e like how it is implemented now. Now this is effectively only used for /etc/pam.d/login.

Does pam_access line

+:ssh:ALL EXCEPT LOCAL

make sense for /etc/pam.d/ssh or should pam_access be used for any other services in /etc/pam.d folder too?

1 Like
1 Like
1 Like

Why don’t we allow group members of group sudo to use console by editing /etc/security/access-security-misc.conf ? Group members of group sudo could run sudo addgroup user console anyhow. Therefore no security advantage by not doing that.

Did that:

Review for full file welcome:

https://github.com/Whonix/security-misc/blob/master/etc/security/access-security-misc.conf

1 Like

@Patrick, there are syntax errors in the file. Groups should be surrounded with “(group)” instead of as “group”. It works as is unless any users with the same name as the groups are created. See access.conf to verify. I fixed it for you.

line 30: +:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

line 34: +:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

line 38: -:ALL EXCEPT (console-unrestricted):ALL

2 Likes

Thanks. Good catch. Fixed.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]