V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-12 15:09:33 +02:00
parent 0e1d45e66f
commit ccdc44666e
2 changed files with 49 additions and 38 deletions
--- a/func/cdi_4000_debootstrap/4000_debootstrap.sh
+++ b/func/cdi_4000_debootstrap/4000_debootstrap.sh
@@ -57,6 +57,10 @@ func_debootstrap() {
    mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
    chmod 0700 "${var_target}/root/.ciss"
    chmod 0700 "${var_target}/root/.ciss/cdi"
    chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
    guard_dir && return 0
  else
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -100,23 +100,25 @@ accounts_setup() {
      pam_access_sync_login_sshd
      ### 3) A) 2) Ensure 'pam_securetty' in the auth phase; requisite causes immediate fail for disallowed ttys.
-      if ! grep -qE '^\s*auth\s+requisite\s+pam_securetty\.so' "${var_pam_login}"; then
+      chroot_script "${TARGET}" "
-        ### Insert pam_securetty before pam_unix to fail early.
+        if ! grep -qE '^\s*auth\s+requisite\s+pam_securetty\.so' /etc/pam.d/login; then
-        awk '
+          ### Insert pam_securetty before pam_unix to fail early.
-          BEGIN{ins=0}
+          awk '
-          {
+            BEGIN{ins=0}
-            if(!ins && $0 ~ /^\s*auth\s+.*pam_unix\.so/){
+            {
-              print "auth  requisite  pam_securetty.so"
+              if(!ins && $0 ~ /^\s*auth\s+.*pam_unix\.so/){
-              ins=1
+                print 'auth  requisite  pam_securetty.so'
                ins=1
              }
              print
            }
-            print
+            END{ if(!ins) print 'auth  requisite  pam_securetty.so' }
-          }
+          ' /etc/pam.d/login >| /etc/pam.d/login.new && mv -f /etc/pam.d/login.new /etc/pam.d/login
-          END{ if(!ins) print "auth  requisite  pam_securetty.so" }
+        fi
-        ' "${var_pam_login}" >| "${var_pam_login}.new" && mv -f "${var_pam_login}.new" "${var_pam_login}"
+      "
      fi
      ### 3) A) 3) Disallow all local access for root in '/etc/security/access.conf'.
-      printf "-: root:ALL \n" >> "${TARGET}/etc/security/access.conf"
+      printf -- '-: root:ALL\n' >> "${TARGET}/etc/security/access.conf"
      ### 3) A) 4) Empty "/etc/securetty".
      cat << 'EOF' >| "${TARGET}/etc/securetty"
@@ -355,7 +357,7 @@ EOF
  unset VAR_TEMP_PLAIN_MFA_SEED
  if ! grep -qxF "-: ALL:ALL" "${TARGET}/etc/security/access.conf"; then
-    printf "-: ALL:ALL \n" >> "${TARGET}/etc/security/access.conf"
+    printf -- '-: ALL:ALL\n' >> "${TARGET}/etc/security/access.conf"
  fi
  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"
@@ -580,6 +582,7 @@ EOF
 #######################################
 # Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
 # MUST be executed inside chroot.
 # Globals:
 #   None
 # Arguments:
@@ -593,41 +596,45 @@ pam_access_sync_login_sshd() {
  declare     var_file_sshd="/etc/pam.d/sshd"
  ### Guard: files must exist, no-op otherwise.
-  if [[ ! -f "${var_file_login}" ]]; then
+  if [[ ! -f "${TARGET}${var_file_login}" ]]; then
    return 0
  fi
-  if [[ ! -f "${var_file_sshd}" ]]; then
+  if [[ ! -f "${TARGET}${var_file_sshd}" ]]; then
    : ### Still continue, only '/etc/pam.d/login' will be processed
  fi
  ### 1) If the 'pam_access' line is commented in '/etc/pam.d/login', uncomment exactly one occurrence.
  ### Match lines like: [spaces]# [spaces]account required pam_access.so ...
-  if grep -Eq '^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' "${var_file_login}"; then
+  chroot_script "${TARGET}" "
-    awk '
+    if grep -Eq '^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' /etc/pam.d/login; then
-      BEGIN { done=0 }
+      awk '
-      {
+        BEGIN { done=0 }
-        if (!done && $0 ~ /^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/) {
+        {
-          sub(/^[[:space:]]*#[[:space:]]*/, "", $0);  # drop leading # and following spaces
+          if (!done && \$0 ~ /^[[:space:]]*#[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/) {
-          done=1;
+            sub(/^[[:space:]]*#[[:space:]]*/, "", \$0);  ### drop leading '#' and following spaces.
            done=1;
          }
          print;
        }
-        print;
+      ' /etc/pam.d/login >| /etc/pam.d/login.new
-      }
+      mv -f /etc/pam.d/login.new /etc/pam.d/login
-    ' "${var_file_login}" >| "${var_file_login}.new"
+    fi
-    mv -f "${var_file_login}.new" "${var_file_login}"
+  "
  fi
  ### 2) If '/etc/pam.d/login' now has an active pam_access line, ensure '/etc/pam.d/sshd' pam_access line(s) are commented out.
-  if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' "${var_file_login}"; then
+  chroot_script "${TARGET}" "
-    if [[ -f "${var_file_sshd}" ]]; then
+    if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)' /etc/pam.d/login; then
-      awk '
+      if [[ -f /etc/pam.d/sshd ]]; then
-        ### Comment only active matches; leave already-commented lines as-is.
+        awk '
-        /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/ { print "# " $0; next }
+          ### Comment only active matches; leave already-commented lines as-is.
-        { print }
+          /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so([[:space:]]|$)/ { print \"# \" $0; next }
-      ' "${var_file_sshd}" > "${var_file_sshd}.new"
+          { print }
-      mv -f "${var_file_sshd}.new" "${var_file_sshd}"
+        ' /etc/pam.d/sshd >| /etc/pam.d/sshd.new
        mv -f /etc/pam.d/sshd.new /etc/pam.d/sshd
      fi
    fi
-  fi
+  "
  return 0
 }