V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -40,7 +40,7 @@ accounts_setup() {
               tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted=""
   declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
               var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted=""
-  declare     var_chpasswd="" var_ssh_totp_update="false"
+  declare     var_ssh_totp_update="false"
 
   chroot_logger "${TARGET}${var_logfile}"
 
@@ -159,9 +159,9 @@ EOF
       do_log "info" "file_only" "4520() User: 'root' password access: [false]"
       ;;
     true)
-      var_chpasswd="root:${user_root_password}"
-      chroot_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
-      var_chpasswd=""
+      chpasswd --root "${TARGET}" --crypt-method YESCRYPT <<EOF
+root:${user_root_password}
+EOF
       do_log "info" "file_only" "4520() User: 'root' password access: [true]"
       ;;
   esac
@@ -270,7 +270,7 @@ EOF
         zsh_omz_installer "${var_username}"
 
         mv "${TARGET}/home/${var_username}/.zshrc" "${TARGET}/home/${var_username}/.zshrc.bak"
-        install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/home/${var_username}"
+        install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/home/${var_username}"
 
         chroot_exec "${TARGET}" chsh -s "${var_shell}" "${var_username}"
         do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
@@ -322,9 +322,9 @@ EOF
         do_log "info" "file_only" "4520() User: '${var_username}' password access: [false]"
         ;;
       true)
-        var_chpasswd="${var_username}:${var_password}"
-        chroot_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
-        var_chpasswd=""
+        chpasswd --root "${TARGET}" --crypt-method YESCRYPT <<EOF
+${var_username}:${var_password}
+EOF
         do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
         ;;
     esac
@@ -363,7 +363,15 @@ EOF
 
     fi
 
-    ### 8) Final status logging.
+    ### 8) Double check permissions.
+    ###    Directories: 0700
+    find "${TARGET}/home/${var_username}" -type d -exec chmod 0700 {} +
+    ###    Executable files: 0700 (any x-bit set)
+    find "${TARGET}/home/${var_username}" -type f -perm /111 -exec chmod 0700 {} +
+    ###    Non-executable files: 0600
+    find "${TARGET}/home/${var_username}" -type f ! -perm /111 -exec chmod 0600 {} +
+
+    ### 9) Final status logging.
     do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]"
 
   done
@@ -374,8 +382,8 @@ EOF
 
   unset VAR_TEMP_PLAIN_MFA_SEED
 
-  if ! grep -qxF "-: ALL:ALL" "${TARGET}/etc/security/access.conf"; then
-    printf -- '-: ALL:ALL\n' >> "${TARGET}/etc/security/access.conf"
+  if ! grep -Fqx -- '-: ALL:ALL' "${TARGET}/etc/security/access.conf"; then
+    printf '%s\n' '-: ALL:ALL' >> "${TARGET}/etc/security/access.conf"
   fi
 
   printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"