V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -37,9 +37,11 @@ accounts_setup() {
   declare -r  var_logfile="/root/.ciss/cdi/log/4520_accounts_setup.log"
   declare -i  i=0
   declare     tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" \
-              tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted="" tmp_system=""
+              tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted="" tmp_system="" \
+              tmp_specific=""
   declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
-              var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted="" var_system=""
+              var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted="" var_system="" \
+              var_specific=""
   declare     var_ssh_totp_update="false"
 
   chroot_logger "${TARGET}${var_logfile}"
@@ -60,13 +62,25 @@ accounts_setup() {
 
     if [[ -x "${TARGET}${user_root_shell}" ]]; then
 
-      zsh_omz_installer "root"
+      case "${user_root_specific,,}" in
+
+        "ciss")
+          zsh_omz_installer "root"
+          mv "${TARGET}/root/.zshrc" "${TARGET}/root/.zshrc.bak"
+          install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
+          ;;
+
+        "physnet")
+          :
+          ;;
+
+        "none"|*)
+          :
+          ;;
+
+      esac
 
       chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
-
-      mv "${TARGET}/root/.zshrc" "${TARGET}/root/.zshrc.bak"
-      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
-
       do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
 
     else
@@ -160,9 +174,8 @@ EOF
       do_log "info" "file_only" "4520() User: 'root' password access: [false]"
       ;;
     true)
-      chpasswd --root "${TARGET}" --crypt-method YESCRYPT <<EOF
-root:${user_root_password}
-EOF
+      chroot_script "${TARGET}" "printf '%s:%s\n' root '${var_password}' | /usr/sbin/chpasswd -e"
+      #chroot_script "${TARGET}" "/usr/sbin/usermod -p '${user_root_password}' root"
       do_log "info" "file_only" "4520() User: 'root' password access: [true]"
       ;;
   esac
@@ -224,6 +237,7 @@ EOF
     tmp_sudo="user_user${i}_privileges_sudo"
     tmp_system="user_user${i}_privileges_system"
     tmp_restricted="user_user${i}_privileges_restricted"
+    tmp_specific="user_user${i}_privileges_restricted"
 
     var_username="${!tmp_username}"
     var_fullname="${!tmp_fullname}"
@@ -239,6 +253,7 @@ EOF
     var_sudo="${!tmp_sudo}"
     var_system="${!tmp_system}"
     var_restricted="${!tmp_restricted}"
+    var_specific="${!tmp_specific}"
 
     ### 0) A) Check if the 'group' of the 'user' already exists.
     if ! chroot_exec "${TARGET}" getent group "${var_username}" >/dev/null; then
@@ -314,10 +329,23 @@ EOF
 
       if [[ -x "${TARGET}${var_shell}" ]]; then
 
-        zsh_omz_installer "${var_username}"
+        case "${var_specific,,}" in
 
-        mv "${TARGET}/home/${var_username}/.zshrc" "${TARGET}/home/${var_username}/.zshrc.bak"
-        install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/home/${var_username}"
+          "ciss")
+            zsh_omz_installer "${var_username}"
+            mv "${TARGET}/home/${var_username}/.zshrc" "${TARGET}/home/${var_username}/.zshrc.bak"
+            install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/home/${var_username}"
+            ;;
+
+          "physnet")
+            :
+            ;;
+
+          "none"|*)
+            :
+            ;;
+
+        esac
 
         chroot_exec "${TARGET}" chsh -s "${var_shell}" "${var_username}"
         do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
@@ -369,9 +397,8 @@ EOF
         do_log "info" "file_only" "4520() User: '${var_username}' password access: [false]"
         ;;
       true)
-        chpasswd --root "${TARGET}" --crypt-method YESCRYPT <<EOF
-${var_username}:${var_password}
-EOF
+        chroot_script "${TARGET}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
+        #chroot_script "${TARGET}" "/usr/sbin/usermod -p '${var_password}' ${var_username}"
         do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
         ;;
     esac
@@ -404,7 +431,7 @@ EOF
 
       chroot_exec "${TARGET}" usermod -aG sudo "${var_username}"
       ### Hardening sudo users (idempotent) and ensure WinSCP SFTP-as-root.
-      hardening_sudo "${var_username}"
+      hardening_sudo "${var_username}" "${var_specific:-none}"
       ### Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
       pam_access_totp_enable "${var_username}" "sudo"
 
@@ -443,6 +470,9 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f accounts_setup
 
 #######################################
 # Install eza CISS theme for the respective user.
@@ -470,6 +500,9 @@ eza_installer() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f eza_installer
 
 #######################################
 # Generates a deterministic TOTP secret based on:
@@ -515,6 +548,9 @@ generate_totp_secret() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_totp_secret
 
 #######################################
 # Hardening of '/bin/su': only members of the group 'sudo' can su to root.
@@ -565,6 +601,9 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_su
 
 #######################################
 # Hardening sudo users (idempotent) and ensure WinSCP SFTP-as-root.
@@ -580,6 +619,7 @@ EOF
 hardening_sudo() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_user="$1"
+  declare     var_specific="$2"
   declare -r  var_logfile="/root/.ciss/cdi/log/4520_accounts_setup.log"
   declare -r  var_sudo_iolog_dir="${TARGET}/var/log/sudo-io"
   declare -r  var_sudoers_main="${TARGET}/etc/sudoers"
@@ -607,14 +647,17 @@ Defaults log_host, log_year, log_input, log_exit_status, log_subcmds, logfile="/
 EOF
   fi
 
-  ### Install global WinSCP SFTP-as-root command alias (idempotent).
-  if [[ -x "${TARGET}${var_sftp_bin}" ]]; then
+  case "${var_specific,,}" in
 
-    if [[ ! -f "${var_sudoers_winscp_global}" ]]; then
+    "ciss")
+      ### Install global WinSCP SFTP-as-root command alias (idempotent).
+      if [[ -x "${TARGET}${var_sftp_bin}" ]]; then
 
-      insert_header   "${var_sudoers_winscp_global}"
-      insert_header "${var_sudoers_winscp_global}"
-      cat << EOF >|    "${var_sudoers_winscp_global}"
+        if [[ ! -f "${var_sudoers_winscp_global}" ]]; then
+
+          insert_header   "${var_sudoers_winscp_global}"
+          insert_comments "${var_sudoers_winscp_global}"
+          cat << EOF >|   "${var_sudoers_winscp_global}"
 ### Added by CISS.debian.installer. WinSCP SFTP-as-root (least privilege).
 ### Allow exactly the sftp-server binary, optionally with -e (stderr logging).
 Cmnd_Alias CISS_SFTPROOT = ${var_sftp_bin}, ${var_sftp_bin} -e
@@ -627,34 +670,45 @@ Defaults!CISS_SFTPROOT noexec, !setenv, timestamp_timeout=0
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-      chmod 0440 "${var_sudoers_winscp_global}"
+          chmod 0440 "${var_sudoers_winscp_global}"
 
-    fi
+        fi
 
-  else
+      else
 
-    do_log "warn" "file_only" "4520() sftp-server not found at [${var_sftp_bin}] in TARGET; skipping global alias for now."
+        do_log "warn" "file_only" "4520() sftp-server not found at [${var_sftp_bin}] in TARGET; skipping global alias for now."
 
-  fi
+      fi
 
-  ### Grant this user access to the alias (idempotent). Only add if not already present; keep the file permissive correctness.
-  if [[ -f "${var_sudoers_winscp_user}" ]]; then
+      ### Grant this user access to the alias (idempotent). Only add if not already present; keep the file permissive correctness.
+      if [[ -f "${var_sudoers_winscp_user}" ]]; then
 
-    if ! grep -qE "^${var_user}\s+ALL=\(root\)\s+NOPASSWD:\s+CISS_SFTPROOT\b" "${var_sudoers_winscp_user}" 2>/dev/null; then
+        if ! grep -qE "^${var_user}\s+ALL=\(root\)\s+NOPASSWD:\s+CISS_SFTPROOT\b" "${var_sudoers_winscp_user}" 2>/dev/null; then
 
-      echo "${var_user} ALL=(root) NOPASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
+          echo "${var_user} ALL=(root) NOPASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
 
-    fi
+        fi
 
-  else
+      else
 
-    insert_header   "${var_sudoers_winscp_user}"
-    insert_header "${var_sudoers_winscp_user}"
-    echo "${var_user} ALL=(root) PASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
-    printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_sudoers_winscp_user}"
+        insert_header   "${var_sudoers_winscp_user}"
+        insert_comments "${var_sudoers_winscp_user}"
+        echo "${var_user} ALL=(root) PASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
+        printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_sudoers_winscp_user}"
 
-  fi
-  chmod 0440 "${var_sudoers_winscp_user}"
+      fi
+      chmod 0440 "${var_sudoers_winscp_user}"
+      ;;
+
+    "physnet")
+      :
+      ;;
+
+    "none"|*)
+      :
+      ;;
+
+  esac
 
   ### Tighten perms on sudoers.d (idempotent).
   find "${var_sudoers_dir}" -type f -exec chmod 0440 {} \;
@@ -709,6 +763,9 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_sudo
 
 #######################################
 # Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
@@ -774,6 +831,9 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f pam_access_sync_login_sshd
 
 #######################################
 # Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
@@ -869,6 +929,9 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f pam_access_totp_enable
 
 #######################################
 # Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
@@ -901,12 +964,14 @@ read_totp_seed(){
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f read_totp_seed
 
 #######################################
 # Writes '.google_authenticator'-file for the respective user.
 # Globals:
 #   DIR_TMP
-#   RANDOM
 #   TARGET
 # Arguments:
 #   1: Username
@@ -965,6 +1030,9 @@ write_google_authenticator_file() {
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_google_authenticator_file
 
 #######################################
 # Use the official ohmyzsh-installer but force non-interactive behavior; do not run zsh; do not chsh.
@@ -1089,4 +1157,7 @@ EOF
 
   return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f zsh_omz_installer
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh