V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/system/4200_setup_accounts.sh

@@ -0,0 +1,153 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Updating user accounts.
+# Globals:
+#   TARGET
+#   VAR_SETUP_PATH
+#   VAR_USER_MAX
+#   user_root_authentication_access_ssh
+#   user_root_password
+#   user_root_shell
+#   user_root_sshpubkey
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_accounts() {
+
+  #######################################
+  # Declare Variables
+  #######################################
+  declare -i i
+  declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
+    tmp_restricted=""
+  declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
+    var_restricted="" var_chpasswd="" var_sshdir=""
+
+  ### Hardening '/etc/login.defs'
+  rm -f "${TARGET}/etc/login.defs"
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/login.defs" "${TARGET}/etc/"
+
+  ### Hardening '/etc/security/pwquality.conf'
+  rm -f "${TARGET}/etc/security/pwquality.conf"
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/security/pwquality.cnf" "${TARGET}/etc/security/pwquality.conf"
+
+  ### Preparing the root account
+  chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow"
+  chmod 0644 "${TARGET}/etc/passwd" "${TARGET}/etc/group"
+  chmod 0600 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
+
+  if [[ -x "${TARGET}${user_root_shell}" ]]; then
+    do_in_target "${TARGET}" chsh -s "${user_root_shell}" root
+  else
+    do_log "warn" "true" "Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
+  fi
+
+  var_chpasswd="root:${user_root_password}"
+  do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
+  var_chpasswd=""
+
+  install -d -m 0700 -o root -g root "${TARGET}/root/.ssh"
+  install -m 0600 -o root -g root /dev/null "${TARGET}/root/.ssh/authorized_keys"
+
+  grep -qxF "${user_root_sshpubkey}" "${TARGET}/root/.ssh/authorized_keys" || \
+    printf "%s\n" "${user_root_sshpubkey}" >> "${TARGET}/root/.ssh/authorized_keys"
+
+  if [[ "${user_root_authentication_access_ssh}" == "false" ]]; then
+    if grep -q '^\s*PermitRootLogin' "${TARGET}/etc/ssh/sshd_config"; then
+      sed -i 's/^\s*PermitRootLogin\s\+.*/PermitRootLogin no/' "${TARGET}/etc/ssh/sshd_config"
+    else
+      echo 'PermitRootLogin no' >> "${TARGET}/etc/ssh/sshd_config"
+    fi
+  fi
+
+  ### Install all user accounts.
+  for ((i = 0; i <= VAR_USER_MAX; i++)); do
+    tmp_username="user_user${i}_name"
+    tmp_fullname="user_user${i}_fullname"
+    tmp_uid="user_user${i}_uid"
+    tmp_gid="user_user${i}_gid"
+    tmp_shell="user_user${i}_shell"
+    tmp_password="user_user${i}_password"
+    tmp_sshpubkey="user_user${i}_sshpubkey"
+    tmp_sudo="user_user${i}_privileges_sudo"
+    tmp_restricted="user_user${i}_privileges_restricted"
+
+    var_username="${!tmp_username}"
+    var_fullname="${!tmp_fullname}"
+    var_uid="${!tmp_uid}"
+    var_gid="${!tmp_gid}"
+    var_shell="${!tmp_shell}"
+    var_password="${!tmp_password}"
+    var_sshpubkey="${!tmp_sshpubkey}"
+    var_sudo="${!tmp_sudo}"
+    var_restricted="${!tmp_restricted}"
+
+    do_in_target "${TARGET}" getent group "${var_username}" >/dev/null || \
+      do_in_target "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
+
+    if [[ "${var_restricted}" == "false" ]]; then
+
+      do_in_target "${TARGET}" useradd \
+        --comment "${var_fullname}" \
+        --create-home \
+        --expiredate 2102-12-31 \
+        --gid "${var_gid}" \
+        --home-dir /home/"${var_username}" \
+        --inactive 0 \
+        --shell "${var_shell}" \
+        --uid "${var_uid}" \
+        "${var_username}"
+
+    else
+
+      do_in_target "${TARGET}" useradd \
+        --comment "${var_fullname}" \
+        --expiredate 2102-12-31 \
+        --gid "${var_gid}" \
+        --home-dir /home/"${var_username}" \
+        --inactive 0 \
+        --no-create-home \
+        --shell "${var_shell}" \
+        --uid "${var_uid}" \
+        "${var_username}"
+
+    fi
+
+    var_chpasswd="${var_username}:${var_password}"
+    do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
+    var_chpasswd=""
+
+    if [[ "${var_sudo}" == "true" ]]; then
+      do_in_target "${TARGET}" usermod -aG sudo "${var_username}"
+    fi
+
+    if [[ -n "${var_sshpubkey}" ]]; then
+      var_sshdir="${TARGET}/home/${var_username}/.ssh"
+      install -d -m 0700 -o "${var_username}" -g "${var_username}" "${var_sshdir}"
+      install -m 0600 -o "${var_username}" -g "${var_username}" /dev/null "${var_sshdir}/authorized_keys"
+      grep -qxF "${var_sshpubkey}" "${var_sshdir}/authorized_keys" || \
+       printf "%s\n" "${var_sshpubkey}" >> "${var_sshdir}/authorized_keys"
+    fi
+
+    do_log "info" "true" "Created user: [${var_username}] UID: [${var_uid}], GID: [${var_gid}]"
+
+  done
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh