V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -62,6 +62,7 @@ accounts_setup() {
|
|||||||
write_pam_login "${var_target}"
|
write_pam_login "${var_target}"
|
||||||
write_pam_sshd "${var_target}"
|
write_pam_sshd "${var_target}"
|
||||||
write_pam_su "${var_target}"
|
write_pam_su "${var_target}"
|
||||||
|
write_pam_su-l "${var_target}"
|
||||||
write_pam_sudo "${var_target}"
|
write_pam_sudo "${var_target}"
|
||||||
write_pam_sudo-i "${var_target}"
|
write_pam_sudo-i "${var_target}"
|
||||||
|
|
||||||
@@ -1343,8 +1344,10 @@ auth required pam_google_authenticator.so
|
|||||||
# ===== CISS 2FA block end =====
|
# ===== CISS 2FA block end =====
|
||||||
|
|
||||||
|
|
||||||
@include common-account
|
@include common-account
|
||||||
@include common-session
|
session required pam_env.so
|
||||||
|
session required pam_env.so envfile=/etc/default/locale
|
||||||
|
@include common-session
|
||||||
|
|
||||||
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
|
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
|
||||||
session required pam_limits.so
|
session required pam_limits.so
|
||||||
@@ -1366,6 +1369,45 @@ EOF
|
|||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
readonly -f write_pam_su
|
readonly -f write_pam_su
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
# Writes CISS Header for '/etc/pam.d/su-l'.
|
||||||
|
# Globals:
|
||||||
|
# None
|
||||||
|
# Arguments:
|
||||||
|
# 1: TARGET
|
||||||
|
# Returns:
|
||||||
|
# 0: on success
|
||||||
|
#######################################
|
||||||
|
write_pam_su-l() {
|
||||||
|
### Declare Arrays, HashMaps, and Variables.
|
||||||
|
declare -r var_target="$1"
|
||||||
|
|
||||||
|
mv "${var_target}/etc/pam.d/su-l" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su-l"
|
||||||
|
|
||||||
|
cat << EOF >| "${var_target}/etc/pam.d/su-l"
|
||||||
|
#%PAM-1.0
|
||||||
|
# su-l: login-shell semantics; reuse 'su' stacks.
|
||||||
|
|
||||||
|
# Reuse exactly the 'su' stacks (incl. CISS 2FA in auth):
|
||||||
|
auth include su
|
||||||
|
account include su
|
||||||
|
password include su
|
||||||
|
|
||||||
|
# Login-shell extra, then reuse 'su' session (which already has pam_env):
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include su
|
||||||
|
|
||||||
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||||
|
EOF
|
||||||
|
|
||||||
|
do_log "info" "file_only" "4520() Written: [/etc/pam.d/su-l]."
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
### Prevents accidental 'unset -f'.
|
||||||
|
# shellcheck disable=SC2034
|
||||||
|
readonly -f write_pam_su-l
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
# Writes CISS Header for '/etc/pam.d/sudo'.
|
# Writes CISS Header for '/etc/pam.d/sudo'.
|
||||||
# Globals:
|
# Globals:
|
||||||
@@ -1451,8 +1493,8 @@ auth required pam_google_authenticator.so
|
|||||||
|
|
||||||
|
|
||||||
# Accounts, sessions:
|
# Accounts, sessions:
|
||||||
@include common-account
|
@include common-account
|
||||||
@include common-session
|
@include common-session
|
||||||
|
|
||||||
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
|
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
|
||||||
session required pam_limits.so
|
session required pam_limits.so
|
||||||
|
|||||||
Reference in New Issue
Block a user