V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -100,23 +100,30 @@ accounts_setup() {
       pam_access_sync_login_sshd
 
       ### 3) A) 2) Ensure 'pam_securetty' in the auth phase; requisite causes immediate fail for disallowed ttys.
-      chroot_script "${TARGET}" "
+      chroot_stdin "${TARGET}" "__payload__" <<'EOF'
-        if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty\.so' /etc/pam.d/login; then
+export LC_ALL=C
-          awk '
+if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty[.]so([[:space:]]|$)' /etc/pam.d/login; then
-            BEGIN{ins=0}
+  tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
-              {
+  awk '
-                if(!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix\.so/){
+    BEGIN { ins=0 }
-                print \"auth  requisite  pam_securetty.so\"
+    {
-                ins=1
+      if (!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/) {
-              }
+        print "auth  requisite  pam_securetty.so"
-              print
+        ins=1
-            }
+      }
-            END{
+      print
-              if(!ins) print \"auth  requisite  pam_securetty.so\"
+    }
-            }
+    END {
-          ' /etc/pam.d/login >| /etc/pam.d/login.new && mv -f /etc/pam.d/login.new /etc/pam.d/login
+      if (!ins) print "auth  requisite  pam_securetty.so"
-        fi
+    }
-      "
+  ' /etc/pam.d/login >| "${tmp}"
+
+  test -s "${tmp}"
+  mv -f "${tmp}" /etc/pam.d/login
+  rm -f -- "${tmp}"
+fi
+:
+EOF
 
       ### 3) A) 3) Disallow all local access for root in '/etc/security/access.conf'.
       printf -- '-: root:ALL\n' >> "${TARGET}/etc/security/access.conf"