V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -62,6 +62,7 @@ accounts_setup() {
|
||||
write_pam_login "${var_target}"
|
||||
write_pam_sshd "${var_target}"
|
||||
write_pam_su "${var_target}"
|
||||
write_pam_su-l "${var_target}"
|
||||
write_pam_sudo "${var_target}"
|
||||
write_pam_sudo-i "${var_target}"
|
||||
|
||||
@@ -1343,8 +1344,10 @@ auth required pam_google_authenticator.so
|
||||
# ===== CISS 2FA block end =====
|
||||
|
||||
|
||||
@include common-account
|
||||
@include common-session
|
||||
@include common-account
|
||||
session required pam_env.so
|
||||
session required pam_env.so envfile=/etc/default/locale
|
||||
@include common-session
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
|
||||
session required pam_limits.so
|
||||
@@ -1366,6 +1369,45 @@ EOF
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f write_pam_su
|
||||
|
||||
#######################################
|
||||
# Writes CISS Header for '/etc/pam.d/su-l'.
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# 1: TARGET
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
write_pam_su-l() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_target="$1"
|
||||
|
||||
mv "${var_target}/etc/pam.d/su-l" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su-l"
|
||||
|
||||
cat << EOF >| "${var_target}/etc/pam.d/su-l"
|
||||
#%PAM-1.0
|
||||
# su-l: login-shell semantics; reuse 'su' stacks.
|
||||
|
||||
# Reuse exactly the 'su' stacks (incl. CISS 2FA in auth):
|
||||
auth include su
|
||||
account include su
|
||||
password include su
|
||||
|
||||
# Login-shell extra, then reuse 'su' session (which already has pam_env):
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include su
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
do_log "info" "file_only" "4520() Written: [/etc/pam.d/su-l]."
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f write_pam_su-l
|
||||
|
||||
#######################################
|
||||
# Writes CISS Header for '/etc/pam.d/sudo'.
|
||||
# Globals:
|
||||
@@ -1451,8 +1493,8 @@ auth required pam_google_authenticator.so
|
||||
|
||||
|
||||
# Accounts, sessions:
|
||||
@include common-account
|
||||
@include common-session
|
||||
@include common-account
|
||||
@include common-session
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
|
||||
session required pam_limits.so
|
||||
|
||||
Reference in New Issue
Block a user