V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -37,9 +37,9 @@ accounts_setup() {
|
||||
declare -r var_logfile="/root/.ciss/cdi/log/4520_accounts_setup.log"
|
||||
declare -i i=0
|
||||
declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" \
|
||||
tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted=""
|
||||
tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted="" tmp_system=""
|
||||
declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
|
||||
var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted=""
|
||||
var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted="" var_system=""
|
||||
declare var_ssh_totp_update="false"
|
||||
|
||||
chroot_logger "${TARGET}${var_logfile}"
|
||||
@@ -142,7 +142,7 @@ EOF
|
||||
|
||||
true)
|
||||
### 3) B) 1) Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
|
||||
printf "+: root:tty1 \n" >> "${TARGET}/etc/security/access.conf"
|
||||
printf -- "+: root:tty1 \n" >> "${TARGET}/etc/security/access.conf"
|
||||
|
||||
### 3) B) 2) Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
|
||||
cat << 'EOF' >| "${TARGET}/etc/securetty"
|
||||
@@ -208,6 +208,7 @@ EOF
|
||||
tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
|
||||
tmp_2fa_tty="user_user${i}_authentication_2fa_tty"
|
||||
tmp_sudo="user_user${i}_privileges_sudo"
|
||||
tmp_system="user_user${i}_privileges_system"
|
||||
tmp_restricted="user_user${i}_privileges_restricted"
|
||||
|
||||
var_username="${!tmp_username}"
|
||||
@@ -222,6 +223,7 @@ EOF
|
||||
var_2fa_ssh="${!tmp_2fa_ssh}"
|
||||
var_2fa_tty="${!tmp_2fa_tty}"
|
||||
var_sudo="${!tmp_sudo}"
|
||||
var_system="${!tmp_system}"
|
||||
var_restricted="${!tmp_restricted}"
|
||||
|
||||
### 0) A) Check if the 'group' of the 'user' already exists.
|
||||
@@ -231,8 +233,10 @@ EOF
|
||||
|
||||
### 0) B) Generates the user account.
|
||||
### If the 'user' is not restricted in scope, then generate the account accordingly, with a predefined expiry date.
|
||||
if [[ "${var_restricted}" == "false" ]]; then
|
||||
### If the 'user' is a system user, then generate with flag '--system'.
|
||||
case "${var_restricted}":"${var_system}" in
|
||||
|
||||
false:false)
|
||||
chroot_exec "${TARGET}" useradd \
|
||||
--comment "${var_fullname}" \
|
||||
--create-home \
|
||||
@@ -243,9 +247,9 @@ EOF
|
||||
--shell "${var_shell}" \
|
||||
--uid "${var_uid}" \
|
||||
"${var_username}"
|
||||
;;
|
||||
|
||||
else
|
||||
|
||||
true:false)
|
||||
chroot_exec "${TARGET}" useradd \
|
||||
--comment "${var_fullname}" \
|
||||
--expiredate 2102-12-31 \
|
||||
@@ -255,8 +259,36 @@ EOF
|
||||
--shell "${var_shell}" \
|
||||
--uid "${var_uid}" \
|
||||
"${var_username}"
|
||||
;;
|
||||
|
||||
fi
|
||||
false:true)
|
||||
chroot_exec "${TARGET}" useradd \
|
||||
--comment "${var_fullname}" \
|
||||
--create-home \
|
||||
--expiredate 2102-12-31 \
|
||||
--gid "${var_gid}" \
|
||||
--home-dir /home/"${var_username}" \
|
||||
--inactive 0 \
|
||||
--shell "${var_shell}" \
|
||||
--system \
|
||||
--uid "${var_uid}" \
|
||||
"${var_username}"
|
||||
;;
|
||||
|
||||
true:true)
|
||||
chroot_exec "${TARGET}" useradd \
|
||||
--comment "${var_fullname}" \
|
||||
--expiredate 2102-12-31 \
|
||||
--gid "${var_gid}" \
|
||||
--inactive 0 \
|
||||
--no-create-home \
|
||||
--shell "${var_shell}" \
|
||||
--system \
|
||||
--uid "${var_uid}" \
|
||||
"${var_username}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
### 1) Prepare the 'user' account.
|
||||
install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${TARGET}/home/${var_username}/.ssh"
|
||||
@@ -298,7 +330,7 @@ EOF
|
||||
### 3) A) 2) This step is not required for user accounts.
|
||||
|
||||
### 3) A) 3) Disallow all local access for user in '/etc/security/access.conf'.
|
||||
printf "-: %s:ALL \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"
|
||||
printf '%s\n' "-: ${var_username}:ALL" >> "${TARGET}/etc/security/access.conf"
|
||||
|
||||
### 3) A) 4) This step is not required for user accounts.
|
||||
|
||||
@@ -307,7 +339,7 @@ EOF
|
||||
|
||||
true)
|
||||
### 3) B) 1) Allow local access for 'user' only on 'tty1' in '/etc/security/access.conf'.
|
||||
printf "+: %s:tty1 \n" "${var_username}" >> "${TARGET}/etc/security/access.conf"
|
||||
printf '%s\n' "+: ${var_username}:tty1" >> "${TARGET}/etc/security/access.conf"
|
||||
|
||||
### 3) B) 2) This step is not required for user accounts.
|
||||
|
||||
|
||||
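Review bot: The new `case "${var_restricted}":"${var_system}" in` (hunk `@@ -231,8 +233,10 @@`) has no `*)` branch, so any value other than the four `true`/`false` combinations — an empty `var_system` when `user_user${i}_privileges_system` is absent from the config, or a typo such as `yes` — skips `useradd` silently, and the following `install -d -m 0700 -o "${var_uid}" … /home/${var_username}/.ssh` then runs for an account that was never created. The replaced `if [[ "${var_restricted}" == "false" ]] … else` treated every non-`false` value as restricted, so this is a regression in robustness; a default branch that fails loudly restores it (sketched below, using stderr since the signature of the project's `chroot_logger` helper is not visible here). A smaller consistency point in the `@@ -142,7 +142,7 @@` hunk: the root line is rewritten as `printf -- "+: root:tty1 \n"` and keeps its trailing space, while the user lines in the later hunks moved to the `printf '%s\n' "…"` form without it; using the same form for root, `printf '%s\n' "+: root:tty1"`, keeps access.conf entries uniform. The enclosing `accounts_setup()` function starts before the first hunk and ends after the last.
```shell
case "${var_restricted}":"${var_system}" in
    # … unchanged: false:false, true:false, false:true, true:true useradd branches …
    *)
        printf '%s\n' "accounts_setup: invalid privileges for '${var_username}': restricted='${var_restricted}' system='${var_system}' (expected true/false)" >&2
        return 1
        ;;
esac
```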