V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4530_accounts_timings.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Iterates all '/etc/shadow' entries and sets:
+#   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
+#   Safe: creates a timestamped backup and (if available) locks /etc/.pwd.lock.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+update_shadow() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_target="${TARGET}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  declare -r  var_shadow="${var_target}/etc/shadow"
+  declare -r  var_backup="${var_target}/root/.ciss/cdi/etc/shadow.$(date +%s).bak"
+  declare -r  var_temp="${var_shadow}.new.$$"
+  declare -r  var_exp_dt="17.09.2102"
+  declare     var_exp_ds=""
+
+  var_exp_ds="$(
+    awk -v d="${var_exp_dt}" 'BEGIN{
+      # Force UTC to avoid DST/timezone off-by-one errors
+      ENVIRON["TZ"]="UTC";
+      if (match(d, /^([0-9]{2})\.([0-9]{2})\.([0-9]{4})$/, a)) {
+        dd=a[1]+0; mm=a[2]+0; yyyy=a[3]+0;
+        sec = mktime(sprintf("%04d %02d %02d 00 00 00 0", yyyy, mm, dd));
+        if (sec < 0) { print "ERR"; exit 1 }
+        print int(sec/86400);
+        exit 0
+      } else { print "ERR"; exit 1 }
+    }'
+  )" || { do_log "info" "file_only" "4530() Date parse failed: '${var_exp_dt}'."; return 127; }
+
+  # shellcheck disable=SC2249
+  case "${var_exp_ds}" in
+
+    ''|*ERR*) do_log "info" "file_only" "4530() Invalid date: '${var_exp_dt}'."
+              return 127
+              ;;
+
+  esac
+
+  umask 0077
+  cp --preserve=mode,ownership "${var_shadow}" "${var_backup}"
+
+  ### Rewrite fields 4..8 for every line
+  ### Preserve fields 1..3 and 9, keep password hashes untouched.
+  ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
+  awk -v FS=":" -v OFS=":" -v exp="${var_exp_ds}" '
+    NF==0 { print; next }                     # preserve blank lines verbatim
+    {
+      # pad missing trailing fields to 9
+      for (i=NF+1; i<=9; i++) $i="";
+      $4=0; $5=16384; $6=128; $7=42; $8=exp;  # set required fields
+      print
+    }
+  ' "${var_backup}" >| "${var_temp}"
+
+  ### Defensive: ensure non-empty output.
+  if [[ ! -s "${var_temp}" ]]; then
+    do_log "info" "file_only" "4530() Empty output, aborting."
+    rm -f "${var_temp}"
+    return 127
+  fi
+
+  ### Preserve owner/mode (fallback to 0640 root:shadow if reference fails).
+  chown --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chown root:shadow "${var_temp}" 2>/dev/null || true
+  chmod --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chmod 640 "${var_temp}" 2>/dev/null || true
+
+  ### Atomic replace.
+  mv -f "${var_temp}" "${var_shadow}"
+
+  guard_dir && return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_shadow
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -104,6 +104,7 @@ source_guard "./func/cdi_4500_user/4510_accounts_hardening.sh"
 source_guard "./func/cdi_4500_user/4520_accounts_setup.sh"
 source_guard "./func/cdi_4500_user/4521_accounts_setup_ciss.sh"
 source_guard "./func/cdi_4500_user/4522_accounts_setup_physnet.sh"
+source_guard "./func/cdi_4500_user/4530_accounts_timings.sh"
 
 ### cdi_4600_packages
 source_guard "./func/cdi_4600_packages/4600_installation_packages.sh"