Mirror of https://github.com/kuhyx/testsAndMisc.git, synced 2026-07-04 17:03:05 +02:00
Replaces the bespoke chattr/bind-mount/systemd-watcher implementations for /etc/hosts and /etc/shutdown-schedule.conf with the new shared guard-lib (~/guard-lib, guardctl), so screen-locker and steam-backlog-enforcer's new block-gaming feature stop maintaining parallel copies of the same tamper-resistance mechanism.

- pacman_wrapper.sh: pre/post hook fallbacks now call guard-lib's generic unlock-all/relock-all scripts (covers every registered guard instance, not just /etc/hosts)
- setup_midnight_shutdown.sh: installs/updates its guarded config via guardctl file-guard instead of hand-rolled chattr + systemd unit generation; the schedule ratchet logic (block-if-more-lenient) stays bespoke since guardctl's generic unlock can't represent it
- new hosts/guard/plugins/nsswitch-plugin.sh, resolved-plugin.sh

Also fixes, at user's request even though pre-existing: 3 shellcheck SC2329 false positives in pacman_wrapper.sh (functions invoked indirectly by name, not actually dead) and 1 SC2001 style warning (echo|sed VM-name extraction replaced with parameter expansion, verified equivalent output).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AFNiYQQgSLAkiBXswyimPq
| Name |
|---|
| pacman-hooks |
| plugins |
| psychological |
| enforce-hosts.sh |
| enforce-nsswitch.sh |
| enforce-resolved.sh |
| hosts-bind-mount.service |
| hosts-guard.path |
| hosts-guard.service |
| install_pacman_hooks.sh |
| nsswitch-guard.path |
| nsswitch-guard.service |
| README_FOR_LLM.md |
| README.md |
| resolved-guard.path |
| resolved-guard.service |
| setup_hosts_guard.sh |
Hosts Guard Components
This directory contains templates for hardening /etc/hosts against impulsive tampering by adding friction, NOT providing absolute security against a determined root user.
Components:
- enforce-hosts.sh – Idempotent script that compares /etc/hosts with the canonical copy at /usr/local/share/locked-hosts, restores it if the two differ, and reapplies the immutable attribute.
- systemd units (to be installed under /etc/systemd/system):
  - hosts-guard.service (oneshot enforcement)
  - hosts-guard.path (triggers on PathChanged=/etc/hosts)
  - hosts-bind-mount.service (bind mounts /etc/hosts read-only after boot)
- psychological/ directory – scripts that add a delay and journaling before allowing a maintenance/unlock operation.
- pacman hooks – automatically unlock/re-lock /etc/hosts around package transactions so pacman never fails due to the read-only bind mount.
Install Flow (suggested):
- After generating /etc/hosts via your existing hosts/install.sh, copy it to /usr/local/share/locked-hosts.
- Install enforce-hosts.sh to /usr/local/sbin/ (chmod 755).
- Place the units under /etc/systemd/system and enable them:
  ```
  systemctl daemon-reload
  systemctl enable --now hosts-guard.path
  systemctl enable --now hosts-bind-mount.service
  ```
- (Optional) Use psychological/unlock-hosts.sh as the ONLY sanctioned way to modify hosts (it removes protections temporarily, launches an editor after a delay, and re-enforces on close).
- Make pacman automatic (recommended):
  ```
  ./install_pacman_hooks.sh
  ```
  This installs hooks under /etc/pacman.d/hooks that:
  - PreTransaction: temporarily disable the guard and make /etc/hosts writable
  - PostTransaction: re-run enforcement and re-enable the guard (bind mount + path watcher)
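The install flow enables three units and two pacman hooks but never shows their contents. The following added example (written for this page, not the repository's install_pacman_hooks.sh or unit files) stages all five files under a directory of your choice so they can be reviewed before being copied under /etc. The install path of the enforcement script and the names of the unlock/relock helpers the hooks call are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's install scripts: writes the systemd
# units and pacman hooks the README lists into a staging root. Every path
# below is an assumption about where the pieces end up being installed.

ENFORCE_BIN=/usr/local/sbin/enforce-hosts.sh    # assumed: the enforcement script
UNLOCK_BIN=/usr/local/sbin/hosts-guard-unlock   # assumed helper: stop units, clear +i
RELOCK_BIN=/usr/local/sbin/hosts-guard-relock   # assumed helper: enforce, restart units

write_systemd_units() {
    local dir="$1/etc/systemd/system"
    mkdir -p "$dir"
    # Oneshot enforcement, started on demand by the path unit.
    cat > "$dir/hosts-guard.service" <<EOF
[Unit]
Description=Restore canonical /etc/hosts and re-apply the immutable attribute

[Service]
Type=oneshot
ExecStart=$ENFORCE_BIN
EOF
    # PathChanged fires when a writer closes /etc/hosts. The service's own
    # rewrite triggers it once more; the idempotent enforcement then finds
    # no drift, so the loop settles after a single extra run.
    cat > "$dir/hosts-guard.path" <<EOF
[Unit]
Description=Re-run hosts-guard whenever /etc/hosts is modified

[Path]
PathChanged=/etc/hosts
Unit=hosts-guard.service

[Install]
WantedBy=multi-user.target
EOF
    # Read-only bind mount over the file itself. ExecStop undoes it, so a
    # plain "systemctl stop" is the sanctioned way to make the file writable.
    cat > "$dir/hosts-bind-mount.service" <<EOF
[Unit]
Description=Bind-mount /etc/hosts read-only
After=local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/mount --bind /etc/hosts /etc/hosts
ExecStart=/usr/bin/mount -o remount,bind,ro /etc/hosts
ExecStop=/usr/bin/umount /etc/hosts

[Install]
WantedBy=multi-user.target
EOF
}

# Trigger section shared by both hooks: fire on any package operation.
hook_trigger() {
    printf '[Trigger]\nOperation = Install\nOperation = Upgrade\nOperation = Remove\nType = Package\nTarget = *\n\n'
}

# pacman runs hooks in alphabetical filename order, so the 00-/zz- prefixes
# put the unlock before every other hook and the relock after them.
# AbortOnFail is only valid on PreTransaction hooks: if unlocking fails the
# transaction must not start, or pacman would fail mid-way on the read-only file.
write_pacman_hooks() {
    local dir="$1/etc/pacman.d/hooks"
    mkdir -p "$dir"
    {
        hook_trigger
        printf '[Action]\nDescription = Unlocking /etc/hosts for the transaction\nWhen = PreTransaction\nExec = %s\nAbortOnFail\n' "$UNLOCK_BIN"
    } > "$dir/00-hosts-guard-unlock.hook"
    {
        hook_trigger
        printf '[Action]\nDescription = Re-enforcing and re-locking /etc/hosts\nWhen = PostTransaction\nExec = %s\n' "$RELOCK_BIN"
    } > "$dir/zz-hosts-guard-relock.hook"
}

# Read the When= value of a staged hook file (handy for a quick sanity check).
hook_when() {
    sed -n 's/^When = //p' "$1"
}

stage_hosts_guard() {
    write_systemd_units "$1"
    write_pacman_hooks "$1"
}

# Act only when invoked under this assumed script name with a staging root,
# so sourcing the file just defines the functions.
case "${0##*/}" in
    stage-hosts-guard.sh) stage_hosts_guard "${1:?usage: $0 STAGING_ROOT}" ;;
esac
```

The relock hook deliberately has no AbortOnFail: PostTransaction hooks cannot abort anything, and a failure there is reported by pacman so the operator knows the guard did not come back up. The relock must also run even when the transaction touched nothing under /etc, which is why both hooks trigger on every package operation rather than on a Path target.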
Limitations:
- A root user can still disable the units, remount the bind mount read-write, or remove the immutable attribute.
- The purpose is to interrupt habit loops and create intentional friction, not to stop a determined administrator.