- Add enforce-resolved.sh: validates ReadEtcHosts=yes, prevents DNSOverTLS bypass, removes drop-in overrides, locks drop-in dir
- Add resolved-guard.path/service: watches /etc/systemd/resolved.conf and its drop-in directory for tampering
- Update pacman hooks to unlock/relock nsswitch.conf and resolved.conf alongside /etc/hosts during package transactions
- Extend setup_hosts_guard.sh with --skip-resolved option, resolved canonical snapshot, drop-in directory locking, and enforcement
- Add resolved.conf checks to check_and_enable_services.sh: validates ReadEtcHosts, DNSOverTLS, drop-in overrides, immutable attribute, and resolved-guard.path status with auto-fix capability

Fixed on live system: ReadEtcHosts was set to 'no' and nsswitch.conf was missing 'files' in the hosts line, completely bypassing /etc/hosts.
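#!/usr/bin/env bash
# pacman-pre-unlock-hosts.sh - Temporarily unlock guarded config files before pacman
#
# Unlocks: /etc/hosts, /etc/nsswitch.conf, /etc/systemd/resolved.conf
#
# Intended to run as a pacman pre-transaction hook, i.e. as root. Every step
# below (attribute removal, unit control, remount) already requires root, so
# no per-command sudo is used; a non-root invocation fails at the first
# privileged step instead of half-way through. Under set -e any failing step
# aborts the hook and leaves the remaining files in their guarded state.
set -euo pipefail

# Source shared helpers. remove_all_guard_attrs, stop_units_if_present,
# log_hook, collapse_mounts, is_ro_mount and TARGET are expected to be
# provided by this file (they are not defined here).
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=hosts-guard-common.sh
source "$SCRIPT_DIR/hosts-guard-common.sh"

# Log before touching anything, so an unlock that aborts part-way still
# leaves a "start" entry to pair with the missing "done".
log_hook "pre" "unlocking(start)"

# Stop the guard units (hosts, nsswitch, resolved watchers) FIRST. They watch
# the guarded files for tampering; removing attributes or deleting /etc/hosts
# while a watcher is still active can trigger it to restore/re-lock the file
# mid-unlock.
stop_units_if_present

# Remove protective attributes (immutable etc.) from all guarded files.
remove_all_guard_attrs

# Delete the live /etc/hosts so pacman can lay down the package version.
# NOTE(review): this leaves the system without an /etc/hosts for the whole
# transaction; presumably the post hook restores the guarded copy - confirm.
# -f keeps the hook going if the file is already absent; -- stops option
# parsing.
rm -f -- /etc/hosts

# Collapse any existing mount layers over the target.
collapse_mounts

# If the target is still read-only, try a plain rw remount and fall back to
# collapsing again. Remount output is discarded on purpose: a failed remount
# is expected when the layer has already been removed.
if is_ro_mount; then
  mount -o remount,rw "$TARGET" >/dev/null 2>&1 || collapse_mounts
fi

log_hook "pre" "unlocking(done)"

exit 0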