mirror of
https://github.com/kuhyx/testsAndMisc.git
synced 2026-07-04 14:43:01 +02:00
| .. | ||
| pacman-hooks | ||
| psychological | ||
| enforce-hosts.sh | ||
| enforce-nsswitch.sh | ||
| hosts-bind-mount.service | ||
| hosts-guard.path | ||
| hosts-guard.service | ||
| install_pacman_hooks.sh | ||
| nsswitch-guard.path | ||
| nsswitch-guard.service | ||
| README_FOR_LLM.md | ||
| README.md | ||
| setup_hosts_guard.sh | ||
Hosts Guard Components
This directory contains templates for hardening /etc/hosts against impulsive tampering by adding friction, NOT providing absolute security against a determined root user.
Components:
- enforce-hosts.sh – Idempotent script that: compares /etc/hosts with canonical copy at /usr/local/share/locked-hosts and restores if different; reapplies immutable attribute.
- systemd units (to be installed under /etc/systemd/system):
- hosts-guard.service (oneshot enforcement)
- hosts-guard.path (triggers on PathChanged=/etc/hosts)
- hosts-bind-mount.service (bind mounts /etc/hosts read-only after boot)
- psychological/ directory – scripts that add delay + journaling before allowing a maintenance/unlock operation.
- pacman hooks – automatically unlock/re-lock /etc/hosts around package transactions so pacman never fails due to the read-only bind mount.
Install Flow (suggested):
- After generating /etc/hosts via your existing hosts/install.sh, copy it to /usr/local/share/locked-hosts.
- Install enforce-hosts.sh to /usr/local/sbin/ (chmod 755).
- Place units and enable: systemctl daemon-reload systemctl enable --now hosts-guard.path systemctl enable --now hosts-bind-mount.service
- (Optional) Use psychological/unlock-hosts.sh as the ONLY sanctioned way to modify hosts (it removes protections temporarily, launches an editor after a delay, and re-enforces on close).
- Make pacman automatic (recommended):
./install_pacman_hooks.sh
This installs hooks under /etc/pacman.d/hooks that:
- PreTransaction: temporarily disable guard and make /etc/hosts writable
- PostTransaction: re-run enforcement and re-enable guard (bind mount + path watcher)
Limitations:
- A root user can still disable units, remount, remove attributes.
- Purpose is to interrupt habit loops and create intentional friction.