V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -37,9 +37,9 @@ accounts_setup() {
   declare -r  var_logfile="/root/.ciss/cdi/log/4520_accounts_setup.log"
   declare -i  i=0
   declare     tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" \
-              tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted=""
+              tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted="" tmp_system=""
   declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
-              var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted=""
+              var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted="" var_system=""
   declare     var_ssh_totp_update="false"
 
   chroot_logger "${TARGET}${var_logfile}"
@@ -142,7 +142,7 @@ EOF
 
     true)
       ### 3) B) 1) Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
-      printf "+: root:tty1 \n" >> "${TARGET}/etc/security/access.conf"
+      printf -- "+: root:tty1 \n" >> "${TARGET}/etc/security/access.conf"
 
       ### 3) B) 2) Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
       cat << 'EOF' >| "${TARGET}/etc/securetty"
@@ -208,6 +208,7 @@ EOF
     tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
     tmp_2fa_tty="user_user${i}_authentication_2fa_tty"
     tmp_sudo="user_user${i}_privileges_sudo"
+    tmp_system="user_user${i}_privileges_system"
     tmp_restricted="user_user${i}_privileges_restricted"
 
     var_username="${!tmp_username}"
@@ -222,6 +223,7 @@ EOF
     var_2fa_ssh="${!tmp_2fa_ssh}"
     var_2fa_tty="${!tmp_2fa_tty}"
     var_sudo="${!tmp_sudo}"
+    var_system="${!tmp_system}"
     var_restricted="${!tmp_restricted}"
 
     ### 0) A) Check if the 'group' of the 'user' already exists.
@@ -231,32 +233,62 @@ EOF
 
     ### 0) B) Generates the user account.
     ###       If the 'user' is not restricted in scope, then generate the account accordingly, with a predefined expiry date.
-    if [[ "${var_restricted}" == "false" ]]; then
+    ###       If the 'user' is a system user, then generate with flag '--system'.
+    case "${var_restricted}":"${var_system}" in
 
-      chroot_exec "${TARGET}" useradd \
+      false:false)
-        --comment "${var_fullname}" \
+        chroot_exec "${TARGET}" useradd \
-        --create-home \
+          --comment "${var_fullname}" \
-        --expiredate 2102-12-31 \
+          --create-home \
-        --gid "${var_gid}" \
+          --expiredate 2102-12-31 \
-        --home-dir /home/"${var_username}" \
+          --gid "${var_gid}" \
-        --inactive 0 \
+          --home-dir /home/"${var_username}" \
-        --shell "${var_shell}" \
+          --inactive 0 \
-        --uid "${var_uid}" \
+          --shell "${var_shell}" \
-        "${var_username}"
+          --uid "${var_uid}" \
+          "${var_username}"
+        ;;
 
-    else
+      true:false)
+        chroot_exec "${TARGET}" useradd \
+          --comment "${var_fullname}" \
+          --expiredate 2102-12-31 \
+          --gid "${var_gid}" \
+          --inactive 0 \
+          --no-create-home \
+          --shell "${var_shell}" \
+          --uid "${var_uid}" \
+          "${var_username}"
+        ;;
 
-      chroot_exec "${TARGET}" useradd \
+      false:true)
-        --comment "${var_fullname}" \
+        chroot_exec "${TARGET}" useradd \
-        --expiredate 2102-12-31 \
+          --comment "${var_fullname}" \
-        --gid "${var_gid}" \
+          --create-home \
-        --inactive 0 \
+          --expiredate 2102-12-31 \
-        --no-create-home \
+          --gid "${var_gid}" \
-        --shell "${var_shell}" \
+          --home-dir /home/"${var_username}" \
-        --uid "${var_uid}" \
+          --inactive 0 \
-        "${var_username}"
+          --shell "${var_shell}" \
+          --system \
+          --uid "${var_uid}" \
+          "${var_username}"
+        ;;
 
-    fi
+      true:true)
+        chroot_exec "${TARGET}" useradd \
+          --comment "${var_fullname}" \
+          --expiredate 2102-12-31 \
+          --gid "${var_gid}" \
+          --inactive 0 \
+          --no-create-home \
+          --shell "${var_shell}" \
+          --system \
+          --uid "${var_uid}" \
+          "${var_username}"
+        ;;
+
+    esac
 
     ### 1) Prepare the 'user' account.
     install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${TARGET}/home/${var_username}/.ssh"
@@ -298,7 +330,7 @@ EOF
         ### 3) A) 2) This step is not required for user accounts.
 
         ### 3) A) 3) Disallow all local access for user in '/etc/security/access.conf'.
-        printf "-: %s:ALL \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"
+        printf '%s\n' "-: ${var_username}:ALL" >> "${TARGET}/etc/security/access.conf"
 
         ### 3) A) 4) This step is not required for user accounts.
 
@@ -307,7 +339,7 @@ EOF
 
       true)
         ### 3) B) 1) Allow local access for 'user' only on 'tty1' in '/etc/security/access.conf'.
-        printf "+: %s:tty1 \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"
+        printf '%s\n' "+: ${var_username}:tty1" >> "${TARGET}/etc/security/access.conf"
 
         ### 3) B) 2) This step is not required for user accounts.