mirror of
https://github.com/kuhyx/scripts.git
synced 2026-07-04 13:03:05 +02:00
* Initial plan * fix: format shell scripts with shfmt (convert tabs to 2 spaces) Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com> * feat: enhance shell-check workflow for PR pre-merge validation - Add pull_request_target trigger to check PRs from forks - Add explicit failure message with instructions - Create BRANCH_PROTECTION.md with setup guide - Ensure workflow runs on all PRs targeting main/master Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com> * refactor: improve workflow security and remove redundant exit code - Remove pull_request_target to avoid executing untrusted fork code - Remove redundant exit 1 from failure step - Update documentation to reflect changes - Standard pull_request trigger handles forks securely Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| pacman-hooks | ||
| psychological | ||
| enforce-hosts.sh | ||
| hosts-bind-mount.service | ||
| hosts-guard.path | ||
| hosts-guard.service | ||
| install_pacman_hooks.sh | ||
| README.md | ||
| setup_hosts_guard.sh | ||
Hosts Guard Components
This directory contains templates for hardening /etc/hosts against impulsive tampering by adding friction, NOT providing absolute security against a determined root user.
Components:
- enforce-hosts.sh – Idempotent script that: compares /etc/hosts with canonical copy at /usr/local/share/locked-hosts and restores if different; reapplies immutable attribute.
- systemd units (to be installed under /etc/systemd/system):
- hosts-guard.service (oneshot enforcement)
- hosts-guard.path (triggers on PathChanged=/etc/hosts)
- hosts-bind-mount.service (bind mounts /etc/hosts read-only after boot)
- psychological/ directory – scripts that add delay + journaling before allowing a maintenance/unlock operation.
- pacman hooks – automatically unlock/re-lock /etc/hosts around package transactions so pacman never fails due to the read-only bind mount.
Install Flow (suggested):
- After generating /etc/hosts via your existing hosts/install.sh, copy it to /usr/local/share/locked-hosts.
- Install enforce-hosts.sh to /usr/local/sbin/ (chmod 755).
- Place units and enable: systemctl daemon-reload systemctl enable --now hosts-guard.path systemctl enable --now hosts-bind-mount.service
- (Optional) Use psychological/unlock-hosts.sh as the ONLY sanctioned way to modify hosts (it removes protections temporarily, launches an editor after a delay, and re-enforces on close).
- Make pacman automatic (recommended):
./install_pacman_hooks.sh
This installs hooks under /etc/pacman.d/hooks that:
- PreTransaction: temporarily disable guard and make /etc/hosts writable
- PostTransaction: re-run enforcement and re-enable guard (bind mount + path watcher)
Limitations:
- A root user can still disable units, remount, remove attributes.
- Purpose is to interrupt habit loops and create intentional friction.