testsAndMisc/linux_configuration/hosts/guard/pacman-hooks/pacman-pre-unlock-hosts.sh
Krzysztof Rudnicki 6ec85106b7 Protect nsswitch.conf and resolved.conf from hosts bypass
- Add enforce-resolved.sh: validates ReadEtcHosts=yes, prevents
  DNSOverTLS bypass, removes drop-in overrides, locks drop-in dir
- Add resolved-guard.path/service: watches /etc/systemd/resolved.conf
  and its drop-in directory for tampering
- Update pacman hooks to unlock/relock nsswitch.conf and resolved.conf
  alongside /etc/hosts during package transactions
- Extend setup_hosts_guard.sh with --skip-resolved option, resolved
  canonical snapshot, drop-in directory locking, and enforcement
- Add resolved.conf checks to check_and_enable_services.sh: validates
  ReadEtcHosts, DNSOverTLS, drop-in overrides, immutable attribute,
  and resolved-guard.path status with auto-fix capability

Fixed on live system: ReadEtcHosts was set to 'no' and nsswitch.conf
was missing 'files' in the hosts line, completely bypassing /etc/hosts.
2026-02-20 23:21:25 +01:00

31 lines
816 B
Bash
Executable File

#!/usr/bin/env bash
# pacman-pre-unlock-hosts.sh - Temporarily unlock guarded config files before pacman
# Unlocks: /etc/hosts, /etc/nsswitch.conf, /etc/systemd/resolved.conf
set -euo pipefail

# Source shared functions (remove_all_guard_attrs, stop_units_if_present,
# log_hook, collapse_mounts, is_ro_mount and TARGET are defined there)
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=hosts-guard-common.sh
source "$SCRIPT_DIR/hosts-guard-common.sh"

log_hook "pre" "unlocking(start)"

# Remove protective attributes (immutable etc.) from all guarded files
remove_all_guard_attrs

# Stop guard services (hosts, nsswitch, resolved watchers) so they do not
# re-lock the files while pacman is writing them
stop_units_if_present

# Collapse any existing mount layers
collapse_mounts

# Ensure writable by remounting if still read-only
if is_ro_mount; then
    mount -o remount,rw "$TARGET" >/dev/null 2>&1 || collapse_mounts
fi

log_hook "pre" "unlocking(done)"
exit 0
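The two failures the commit message reports (ReadEtcHosts set to no, and a nsswitch.conf hosts line without files) can be checked for directly. This is an added example, not code from this repository: the function names are hypothetical, it reads only the one drop-in directory it is given (not /run or /usr/lib), and the files written by make_samples are constructed to reproduce that broken state beside a sound one.

```bash
#!/usr/bin/env bash
# Added example (not from the hosts-guard repo): the two conditions the commit
# fixed on the live system, as checks over files passed as parameters.

# 0 if the first "hosts:" line of an nsswitch.conf lists the "files" source.
nsswitch_hosts_has_files() {
    sed 's/#.*//' "$1" | awk '
        /^[ \t]*hosts[ \t]*:/ { sub(/^[^:]*:/, ""); found = 1
            for (i = 1; i <= NF; i++) if ($i == "files") ok = 1; exit }
        END { exit !(found && ok) }'
}

# Print the effective value of KEY in [Resolve]: main file first, then
# DROPIN_DIR/*.conf in lexical order, last assignment wins (how systemd layers
# drop-ins); DEFAULT if never set. Assumption: only this one drop-in dir is read.
resolved_effective() {
    local key="$1" conf="$2" dropin_dir="$3" default="$4" f
    set --
    if [ -f "$conf" ]; then set -- "$conf"; fi
    for f in "$dropin_dir"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ $# -eq 0 ]; then printf '%s\n' "$default"; return 0; fi
    awk -v key="$key" -v def="$default" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { inres = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        inres && (p = index($0, "=")) {
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { last = v; seen = 1 } }
        END { print (seen ? last : def) }' "$@"
}

# 0 only if both glibc NSS and systemd-resolved will consult /etc/hosts.
hosts_path_intact() {
    nsswitch_hosts_has_files "$1" || return 1
    case "$(resolved_effective ReadEtcHosts "$2" "$3" yes | tr '[:upper:]' '[:lower:]')" in
        yes|y|true|t|on|1) return 0 ;; *) return 1 ;; esac
}

# Constructed samples: the broken state the commit describes (no "files" in
# hosts:, ReadEtcHosts forced to no by a drop-in) beside a sound one. Prints the dir.
make_samples() {
    local d; d=$(mktemp -d); mkdir -p "$d/resolved.conf.d" "$d/empty.d"
    printf 'hosts: dns resolve\n' > "$d/nsswitch.bad"
    printf '# nss\nhosts: files resolve [!UNAVAIL=return] dns\n' > "$d/nsswitch.good"
    printf '[Resolve]\nReadEtcHosts=yes\n' > "$d/resolved.conf"
    printf '[Resolve]\nReadEtcHosts = no\n' > "$d/resolved.conf.d/99-override.conf"
    printf '%s\n' "$d"
}
```

Run it against the real paths (`hosts_path_intact /etc/nsswitch.conf /etc/systemd/resolved.conf /etc/systemd/resolved.conf.d`) to reproduce the check the commit adds to check_and_enable_services.sh.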