V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -100,23 +100,30 @@ accounts_setup() {
       pam_access_sync_login_sshd
 
       ### 3) A) 2) Ensure 'pam_securetty' in the auth phase; requisite causes immediate fail for disallowed ttys.
-      chroot_script "${TARGET}" "
-        if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty\.so' /etc/pam.d/login; then
+      chroot_stdin "${TARGET}" "__payload__" <<'EOF'
+export LC_ALL=C
+if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty[.]so([[:space:]]|$)' /etc/pam.d/login; then
+  tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
   awk '
-            BEGIN{ins=0}
+    BEGIN { ins=0 }
     {
-                if(!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix\.so/){
-                print \"auth  requisite  pam_securetty.so\"
+      if (!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/) {
+        print "auth  requisite  pam_securetty.so"
         ins=1
       }
       print
     }
-            END{
-              if(!ins) print \"auth  requisite  pam_securetty.so\"
+    END {
+      if (!ins) print "auth  requisite  pam_securetty.so"
     }
-          ' /etc/pam.d/login >| /etc/pam.d/login.new && mv -f /etc/pam.d/login.new /etc/pam.d/login
-        fi
-      "
+  ' /etc/pam.d/login >| "${tmp}"
+
+  test -s "${tmp}"
+  mv -f "${tmp}" /etc/pam.d/login
+  rm -f -- "${tmp}"
+fi
+:
+EOF
 
       ### 3) A) 3) Disallow all local access for root in '/etc/security/access.conf'.
       printf -- '-: root:ALL\n' >> "${TARGET}/etc/security/access.conf"