V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -21,11 +21,61 @@ set -Ceuo pipefail
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -g VAR_MAP_FILE="/etc/ciss/2fa.map"
|
||||
declare -g VAR_POLICY="${CISS_POLICY:-strict}"
|
||||
declare -g VAR_BINDING="${CISS_SU_BINDING:-caller}"
|
||||
declare -g VAR_U=""
|
||||
|
||||
### PAM variables provided by pam_exec:
|
||||
declare -g VAR_U="${PAM_USER:-}"
|
||||
declare -g VAR_S="${PAM_SERVICE:-}"
|
||||
|
||||
#######################################
|
||||
# Which identity to check in the 2FA map per PAM service.
|
||||
# - $PAM_USER = target user (su/sudo: usually "root")
|
||||
# - $PAM_RUSER = calling user
|
||||
# Globals:
|
||||
# PAM_RUSER
|
||||
# PAM_USER
|
||||
# VAR_BINDING
|
||||
# VAR_S
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
identify_subject() {
|
||||
# shellcheck disable=SC2249
|
||||
case "${VAR_S,,}" in
|
||||
|
||||
login|sshd)
|
||||
echo "${PAM_USER:-}"
|
||||
;;
|
||||
|
||||
sudo|sudo-i)
|
||||
### Enforce 2FA policy by caller for sudo.
|
||||
echo "${PAM_RUSER:-${PAM_USER:-}}"
|
||||
;;
|
||||
|
||||
su|su-l)
|
||||
### Default: Bind su policy to the caller. Set CISS_SU_BINDING="target" if you want policy bound to the target account.
|
||||
case "${VAR_BINDING,,}" in
|
||||
|
||||
caller) echo "${PAM_RUSER:-${PAM_USER:-}}" ;;
|
||||
target) echo "${PAM_USER:-}" ;;
|
||||
|
||||
esac
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "${PAM_USER:-}"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f identify_subject
|
||||
|
||||
#######################################
|
||||
# Read flag for user and service (0/1), default: empty (not found).
|
||||
# Globals:
|
||||
@@ -84,12 +134,14 @@ readonly -f read_flag
|
||||
map_service_to_col() {
|
||||
declare -r var_s="${1}"
|
||||
case "${var_s}" in
|
||||
login) echo 2 ;;
|
||||
sshd) echo 3 ;;
|
||||
su) echo 4 ;;
|
||||
sudo) echo 5 ;;
|
||||
login) echo 2 ;;
|
||||
sshd) echo 3 ;;
|
||||
su|su-l) echo 4 ;;
|
||||
sudo|sudo-i) echo 5 ;;
|
||||
*) echo 0 ;; # Unknown services => behave as "not enforced".
|
||||
esac
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
@@ -109,6 +161,10 @@ readonly -f map_service_to_col
|
||||
# 1: on failure
|
||||
#######################################
|
||||
main() {
|
||||
VAR_U="$(identify_subject)"
|
||||
### On missing User, behave like "not listed" (skip GA).
|
||||
[[ -n "${VAR_U}" ]] || exit 0
|
||||
|
||||
### On missing map, behave like "not listed" (skip GA), analogous to onerr=ignore.
|
||||
if [[ ! -r "${VAR_MAP_FILE}" || -z "${VAR_U}" || -z "${VAR_S}" ]]; then
|
||||
exit 0
|
||||
|
||||
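Review bot: The inner `case "${VAR_BINDING,,}"` in the su|su-l arm of identify_subject (first hunk) has no `*)` arm, so any CISS_SU_BINDING value other than caller/target prints nothing; main() in the third hunk then sees an empty VAR_U and takes `[[ -n "${VAR_U}" ]] || exit 0`, which skips the 2FA check for su entirely on a mere misconfiguration, with nothing logged. Since the comment above that case documents caller as the default, adding `*) echo "${PAM_RUSER:-${PAM_USER:-}}" ;;` after the target arm restores that default; if the intent under VAR_POLICY=strict is to fail closed instead, a `*) return 1 ;;` arm would surface the bad value through the `VAR_U="$(identify_subject)"` assignment under `set -e`, which the commit should then document in the Returns: block. Only letter case is normalised, so a value with stray whitespace takes the same silent path. main() continues past the end of the third hunk, so the later handling of VAR_U is not visible here.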