V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -256,7 +256,34 @@ EOF
     ### 2) Check SSH access capabilities.
     # Nothing to do here as per user SSH capabilities are already handled in '4330_installation_ssh.sh'
 
+    ### 3) Check tty access capabilities.
+    case "${var_access_tty}" in
+      false)
+        ### 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
+        pam_access_sync_login_sshd
 
+        ### 2) This step is not required for user accounts.
+
+        ### 3) Disallow all local access for user in '/etc/security/access.conf'.
+        printf "-: %s:ALL \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"
+
+        ### 4) This step is not required for user accounts.
+
+
+        do_log "info" "file_only" "4520() User: '${var_username}' tty access: [false]"
+        ;;
+
+      true)
+        ### 1) Allow local access for 'user' only on 'tty1' in '/etc/security/access.conf'.
+        printf "+: %s:tty1 \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"
+
+        ### 2) Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
+        cat << 'EOF' >| "${TARGET}/etc/securetty"
+tty1
+EOF
+        do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
+        ;;
+    esac