From 3d37a1940c113a901cd57f0c689e596ce2255de0d88cef83e3af3b3fe0c37ab5 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Wed, 10 Sep 2025 10:54:27 +0200
Subject: [PATCH] V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner
---
 func/cdi_4500_user/4520_accounts_setup.sh | 27 +++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/func/cdi_4500_user/4520_accounts_setup.sh b/func/cdi_4500_user/4520_accounts_setup.sh
index 50c99d3..9dea1b2 100644
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -256,7 +256,34 @@ EOF
 ### 2) Check SSH access capabilities.
 # Nothing to do here as per user SSH capabilities are already handled in '4330_installation_ssh.sh'
+ ### 3) Check tty access capabilities.
+ case "${var_access_tty}" in
+ false)
+ ### 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
+ pam_access_sync_login_sshd
+ ### 2) This step is not required for user accounts.
+
+ ### 3) Disallow all local access for user in '/etc/security/access.conf'.
+ printf "-: %s:ALL \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"
+
+ ### 4) This step is not required for user accounts.
+
+
+ do_log "info" "file_only" "4520() User: '${var_username}' tty access: [false]"
+ ;;
+
+ true)
+ ### 1) Allow local access for 'user' only on 'tty1' in '/etc/security/access.conf'.
+ printf "+: %s:tty1 \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"
+
+ ### 2) Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
+ cat << 'EOF' >| "${TARGET}/etc/securetty"
+tty1
+EOF
+ do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
+ ;;
+ esac
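Review bot: In the `true)` branch, the appended `+: <user>:tty1` rule does not by itself limit the user to tty1, because pam_access applies the first matching rule and grants access when nothing matches, so a login from any other tty or origin is still accepted unless a deny rule follows. If the intent is the "only on 'tty1'" stated in the comment, follow it with `printf "-: %s:ALL \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"`, and check that no earlier catch-all line in the file shadows the appended rules. The `case` also has no `*)` arm, so an unset or misspelled `var_access_tty` silently writes no rule at all; a `*)` arm that logs the unexpected value and applies the `false)` behaviour would fail closed. The enclosing function starts and ends outside the hunk, so whether a later step already adds such a deny rule cannot be seen here.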