


5986c451ca Merge remote-tracking branch 'origin/master'
2025-10-17 23:26:14 +01:00
07e5624eea V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-17 23:25:41 +01:00
13 changed files with 230 additions and 152 deletions


@@ -855,7 +855,7 @@ user:
tty: true # Allow TTY (local console) login.
password: true # Allow password login. SSH password login is always disabled.
2fa:
ssh: false # Require 2FA for SSH access.
ssh: false # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty.
tty: false # Require 2FA for TTY (local console) login.
privileges:
description: "Root user with full system access and administrative privileges."
@@ -885,7 +885,7 @@ user:
tty: true # Allow TTY (local console) login.
password: true # Allow password login. SSH password login is always disabled.
2fa:
ssh: false # Require 2FA for SSH access.
ssh: false # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty.
tty: false # Require 2FA for TTY (local console) login.
privileges:
description: "Primary admin user with full sudo access and interactive login."
@@ -915,7 +915,7 @@ user:
tty: false # Allow TTY (local console) login.
password: false # Allow password login. SSH password login is always disabled.
2fa:
ssh: false # Require 2FA for SSH access.
ssh: false # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty.
tty: false # Require 2FA for TTY (local console) login.
privileges:
description: "Ansible automation user with sudo, key-only SSH, no TTY."
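Review bot: The new comment on the `ssh:` line is ambiguous about what it constrains — it reads either as "each key must be a boolean" or as "ssh and tty must carry the same value", and the same sentence is repeated for the other two users above while the `tty:` line says nothing. If the second meaning is intended, nothing in the accompanying script changes appears to validate it (the `2fa_ssh` and `2fa_tty` values are handled independently there), so the comment would promise a constraint that is not enforced. Suggest wording it to the meaning actually intended, e.g. `ssh: false # Require 2FA for SSH access. Value MUST be 'true' or 'false'.` with the same hint on the `tty:` line, or state explicitly that both keys must match.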


@@ -39,6 +39,8 @@ prepare_xdg_root() {
chroot_script "${var_target}" '
install -d -m 0755 /etc/xdg
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
### Create canonical directories.
_xdg_umask="$(umask)"
umask 0077
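Review bot: The file sourced on the new line, `/root/ciss_xdg_tmp.sh`, does not match the path that the `final_commands` hunk at the end of this commit removes, `${var_target}/etc/root/ciss_xdg_tmp.sh`; if the helper really lives under `/root`, the cleanup misses it and a root-executed temporary script is left behind in root's home on the installed system. One of the two paths looks wrong and they should be aligned, with a short comment next to the `rm -f` naming the producer, e.g. `### Remove the XDG helper sourced by prepare_xdg_root().`. The `prepare_xdg_root` body continues outside the hunk, so I cannot see whether the file is created at yet another path.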


@@ -99,16 +99,20 @@ EOF
if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
chroot_script "${var_target}" "
dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key"
dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key
"
chroot_script "${var_target}" "
dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key"
dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key
"
chroot_script "${var_target}" "
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub"
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub
"
chroot_script "${var_target}" "
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub"
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub
"
else


@@ -15,16 +15,24 @@ guard_sourcing
#######################################
# Hardening haveged.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_haveged() {
insert_header "${TARGET}/etc/default/haveged"
insert_comments "${TARGET}/etc/default/haveged"
cat << EOF >> "${TARGET}/etc/default/haveged"
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
insert_header "${var_target}/etc/default/haveged"
insert_comments "${var_target}/etc/default/haveged"
cat << EOF >> "${var_target}/etc/default/haveged"
# Configuration file for haveged
# Minimal, sane defaults for server/headless systems.
# -w <bits> : target entropy level in bits; 1024 ensures fast pool fill on boot


@@ -15,7 +15,9 @@ guard_sourcing
#######################################
# Hardening hardening_jitterentropy.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:


@@ -25,11 +25,15 @@ hardening_logrotate() {
### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
declare var_file="" var_log=""
declare var_target="${TARGET}"
rm -f "${TARGET}/etc/logrotate.conf"
insert_header "${TARGET}/etc/logrotate.conf"
insert_comments "${TARGET}/etc/logrotate.conf"
cat << EOF >> "${TARGET}/etc/logrotate.conf"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
rm -f "${var_target}/etc/logrotate.conf"
insert_header "${var_target}/etc/logrotate.conf"
insert_comments "${var_target}/etc/logrotate.conf"
cat << EOF >> "${var_target}/etc/logrotate.conf"
# See "man logrotate" for details. Global options do not affect preceding include directives.
# rotate log files daily
@@ -62,7 +66,7 @@ include /etc/logrotate.d
EOF
for var_log in "${ary_logrotate[@]}"; do
var_file="${TARGET}/etc/logrotate.d/${var_log}"
var_file="${var_target}/etc/logrotate.d/${var_log}"
[[ -e "${var_file}" ]] || continue
### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
sed -E -i \


@@ -13,7 +13,7 @@
guard_sourcing
#######################################
# Prepare '/etc/skel'-Directory.
# Account generation preparation.
# Globals:
# RECOVERY
# TARGET


@@ -31,6 +31,13 @@ accounts_preparation_ciss() {
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -d -m 0755 -- "${var_target}/etc/skel/.cache"
install -d -m 0755 -- "${var_target}/etc/skel/.config"
install -d -m 0755 -- "${var_target}/etc/skel/.local/share"
install -d -m 0755 -- "${var_target}/etc/skel/.local/state"
install -d -m 0755 -- "${var_target}/etc/skel/.local/state/bash"
install -d -m 0755 -- "${var_target}/etc/skel/.local/state/less"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/etc/skel/.bashrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.zshrc" "${var_target}/etc/skel/.zshrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
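Review bot: The skeleton directories added here (and in the `accounts_preparation_physnet` hunk below) are created 0755, whereas the per-home copies this commit removes from `accounts_setup` were created 0700; `.local/state/bash` and `.cache` presumably hold shell history and cache data, so once `useradd` copies the skeleton they are readable by other users unless the home directory itself is created 0700 — please confirm the target's `HOME_MODE`/`UMASK` in login.defs. Suggest `install -d -m 0700 --` for the `.cache`, `.local/share` and `.local/state*` entries, since they will be chowned to the user anyway. Also, the last line installs into `"${var_target}/etc/skel/.ciss/"` with a trailing slash but no `install -d` in this hunk creates that directory; if it is not created elsewhere, `install` fails with "target is not a directory", so an explicit `install -d -m 0755 -- "${var_target}/etc/skel/.ciss"` before it would make the function self-contained.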


@@ -18,6 +18,7 @@ guard_sourcing
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
@@ -30,6 +31,13 @@ accounts_preparation_physnet() {
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -d -m 0755 -- "${var_target}/etc/skel/.cache"
install -d -m 0755 -- "${var_target}/etc/skel/.config"
install -d -m 0755 -- "${var_target}/etc/skel/.local/share"
install -d -m 0755 -- "${var_target}/etc/skel/.local/state"
install -d -m 0755 -- "${var_target}/etc/skel/.local/state/bash"
install -d -m 0755 -- "${var_target}/etc/skel/.local/state/less"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/etc/skel/.bashrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/etc/skel/.zshrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"


@@ -13,12 +13,11 @@
guard_sourcing
#######################################
# Updating user accounts.
# Updating root account and generation user accounts.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# VAR_TEMP_PLAIN_MFA_SEED
# VAR_USER_MAX
# VAR_USER_ROOT_SPECIFIC
@@ -27,7 +26,7 @@ guard_sourcing
# user_root_authentication_access_ssh
# user_root_authentication_access_tty
# user_root_authentication_password
# user_root_shell
# user_root_password
# user_root_sshpubkey
# Arguments:
# None
@@ -44,8 +43,7 @@ accounts_setup() {
tmp_specific=""
declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted="" var_system="" \
var_specific=""
declare var_ssh_totp_update="false"
var_specific="" var_ssh_totp_update="false"
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
@@ -63,6 +61,8 @@ accounts_setup() {
read_totp_seed
do_log "debug" "file_only" "4520() Command: [read_totp_seed]"
### Updating root ------------------------------------------------------------------------------------------------------------
### 0) The 'root' account is generated via debootstrap by default.
### 1) Prepare the 'root' account.
@@ -72,9 +72,9 @@ accounts_setup() {
"physnet") accounts_setup_physnet_root ;;
"none" ) do_log "info" "file_only" "4520() Account preparation [none] selected." ;;
"none" ) do_log "info" "file_only" "4520() Account preparation: 'root' [none] selected." ;;
* ) do_log "warn" "file_only" "4520() Account preparation nothing selected. Keeping defaults." ;;
* ) do_log "warn" "file_only" "4520() Account preparation: 'root' nothing selected. Keeping defaults." ;;
esac
@@ -114,11 +114,11 @@ EOF
;;
true)
### Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
### Allow local access for 'root' on 'tty1' only in '/etc/security/access.conf'.
printf -- "+: root:tty1 \n" >> "${var_target}/etc/security/access.conf"
do_log "info" "file_only" "4520() User: 'root' [allow local access on tty1 in '/etc/security/access.conf']"
### Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
### Allow local access for 'root' on 'tty1' only in '/etc/securetty'.
cat << 'EOF' >| "${var_target}/etc/securetty"
tty1
EOF
@@ -196,6 +196,7 @@ EOF
### 9) Final status logging.
do_log "info" "file_only" "4520() User: 'root' updated."
### Generating user accounts -------------------------------------------------------------------------------------------------
### Iterate through all remaining 'user' accounts and install them.
for ((i = 0; i <= VAR_USER_MAX; i++)); do
@@ -246,7 +247,7 @@ EOF
chroot_exec "${var_target}" useradd \
--comment "${var_fullname}" \
--create-home \
--expiredate 2102-12-31 \
--expiredate 2102-09-17 \
--gid "${var_gid}" \
--home-dir /home/"${var_username}" \
--inactive 0 \
@@ -259,7 +260,7 @@ EOF
true:false)
chroot_exec "${var_target}" useradd \
--comment "${var_fullname}" \
--expiredate 2102-12-31 \
--expiredate 2102-09-17 \
--gid "${var_gid}" \
--inactive 0 \
--no-create-home \
@@ -272,7 +273,7 @@ EOF
chroot_exec "${var_target}" useradd \
--comment "${var_fullname}" \
--create-home \
--expiredate 2102-12-31 \
--expiredate 2102-09-17 \
--gid "${var_gid}" \
--home-dir /home/"${var_username}" \
--inactive 0 \
@@ -285,7 +286,7 @@ EOF
true:true)
chroot_exec "${var_target}" useradd \
--comment "${var_fullname}" \
--expiredate 2102-12-31 \
--expiredate 2102-09-17 \
--gid "${var_gid}" \
--inactive 0 \
--no-create-home \
@@ -303,46 +304,25 @@ EOF
esac
### 1) Prepare the 'user' account.
install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${var_target}/home/${var_username}/.ssh"
install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${var_target}/home/${var_username}/.ssh/authorized_keys"
install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/home/${var_username}/"
install -d -m 0700 -- "${var_target}/home/${var_username}/.cache"
install -d -m 0700 -- "${var_target}/home/${var_username}/.config"
install -d -m 0700 -- "${var_target}/home/${var_username}/.local/share"
install -d -m 0700 -- "${var_target}/home/${var_username}/.local/state"
install -d -m 0700 -- "${var_target}/home/${var_username}/.local/state/bash"
install -d -m 0700 -- "${var_target}/home/${var_username}/.local/state/less"
if [[ "${var_shell}" == "/bin/zsh" ]]; then
case "${var_specific}" in
if [[ -x "${var_target}${var_shell}" ]]; then
"ciss" ) accounts_setup_ciss_user "${var_uid}" "${var_gid}" "${var_username}" "${var_shell}" ;;
case "${var_specific,,}" in
"physnet") accounts_setup_physnet_user "${var_uid}" "${var_gid}" "${var_username}" "${var_shell}" ;;
"ciss")
zsh_omz_installer "${var_username}" "${var_target}"
mv "${var_target}/home/${var_username}/.zshrc" "${var_target}/home/${var_username}/.zshrc.bak"
install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/home/${var_username}"
;;
"none" ) do_log "info" "file_only" "4520() Account preparation: '${var_username}' [none] selected." ;;
"physnet")
:
;;
"none"|*)
:
;;
* ) do_log "warn" "file_only" "4520() Account preparation: '${var_username}' nothing selected. Keeping defaults." ;;
esac
chroot_exec "${var_target}" chsh -s "${var_shell}" "${var_username}"
do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
else
chroot_exec "${var_target}" chsh -s /bin/bash "${var_username}"
do_log "info" "file_only" "4520() Shell: '${var_shell}' not found for: '${var_username}'. Using '/bin/bash' instead."
fi
fi
do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
### 2) Check SSH access capabilities.
### Nothing to do here as per-user SSH capabilities are already handled in '4330_installation_ssh.sh'.
@@ -350,26 +330,15 @@ EOF
case "${var_access_tty,,}" in
false)
### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
pam_access_sync_login_sshd
### 3) A) 2) This step is not required for user accounts.
### 3) A) 3) Disallow all local access for user in '/etc/security/access.conf'.
### Disallow all local access for user in '/etc/security/access.conf'.
printf '%s\n' "-: ${var_username}:ALL" >> "${var_target}/etc/security/access.conf"
### 3) A) 4) This step is not required for user accounts.
do_log "info" "file_only" "4520() User: '${var_username}' tty access: [false]"
do_log "info" "file_only" "4520() User: '${var_username}' [disallow all local access in '/etc/security/access.conf']"
;;
true)
### 3) B) 1) Allow local access for 'user' only on 'tty1' in '/etc/security/access.conf'.
### Allow local access for 'user' only on 'tty1' in '/etc/security/access.conf'.
printf '%s\n' "+: ${var_username}:tty1" >> "${var_target}/etc/security/access.conf"
### 3) B) 2) This step is not required for user accounts.
do_log "info" "file_only" "4520() User: '${var_username}' tty access: [true]"
do_log "info" "file_only" "4520() User: '${var_username}' [allow local access on tty1 in '/etc/security/access.conf']"
;;
*)
@@ -380,6 +349,8 @@ EOF
esac
### 4) Check the password policy for the 'user' account.
chroot_script "${var_target}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
case "${var_auth_pwd}" in
false)
@@ -388,8 +359,7 @@ EOF
;;
true)
chroot_script "${var_target}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
#chroot_script "${var_target}" "/usr/sbin/usermod -p '${var_password}' ${var_username}"
chroot_script "${var_target}" "passwd -u ${var_username}"
do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
;;
@@ -408,16 +378,16 @@ EOF
fi
### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
### 6) Update the 'user' 'totp'-policy and write the '.google_authenticator'-file.
if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}" "${var_target}"
printf '%s\n' "${var_username}" >> "${var_target}/etc/ciss/2fa.users"
fi
if [[ "${var_2fa_ssh}" == "true" ]]; then
pam_access_totp_enable "${var_username}" "sshd" "${var_target}"
var_ssh_totp_update="true"
cat << EOF >> "${var_target}/etc/ssh/sshd_config"
Match User ${var_username}
@@ -426,16 +396,12 @@ Match User ${var_username}
EOF
fi
[[ "${var_2fa_tty}" == "true" ]] && pam_access_totp_enable "${var_username}" "login" "${var_target}"
### 7) Check sudo membership for user.
if [[ "${var_sudo}" == "true" ]]; then
chroot_exec "${var_target}" usermod -aG sudo "${var_username}"
### Hardening sudo users (idempotent) and ensure WinSCP SFTP-as-root.
hardening_sudo "${var_username}" "${var_specific:-none}" "${var_target}"
### Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
pam_access_totp_enable "${var_username}" "sudo" "${var_target}"
fi
@@ -471,9 +437,6 @@ EOF
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"
### Hardening of '/bin/su': only members of the group 'sudo' can su to root.
hardening_su
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
@@ -560,59 +523,6 @@ generate_totp_secret() {
# shellcheck disable=SC2034
readonly -f generate_totp_secret
#######################################
# Hardening of '/bin/su': only members of the group 'sudo' can su to root.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_su() {
### Declare Arrays, HashMaps, and Variables.
declare -r pam_su="/etc/pam.d/su"
[[ -f "${var_target}${pam_su}" ]] || return 0
chroot_stdin "${var_target}" "__payload__" -- "${pam_su}" <<'EOF'
export LC_ALL=C
pam="$1"
if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel[.]so([[:space:]].*)?group=sudo([[:space:]].*)?use_uid' "${pam}"; then
:
else
tmp="$(mktemp "${pam}.XXXXXX")"
### 1) Insert rule before pam_unix.so or pam_rootok.so (fail early). Fallback: append.
awk '
BEGIN { ins=0 }
{
if (!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_(unix|rootok)[.]so/ ) {
print "auth required pam_wheel.so use_uid group=sudo"
ins=1
}
print
}
END {
if (!ins) {
print "auth required pam_wheel.so use_uid group=sudo"
}
}
' "${pam}" >| "${tmp}"
test -s "${tmp}"
mv -f "${tmp}" "${pam}"
rm -f -- "${tmp}" || :
fi
:
EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_su
#######################################
# Hardening sudo users (idempotent) and ensure WinSCP SFTP-as-root.
# Globals:
@@ -1126,7 +1036,7 @@ readonly -f write_pam_sshd
# Returns:
# 0: on success
#######################################
write_pam_sudo() {
write_pam_su() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
@@ -1139,6 +1049,9 @@ write_pam_sudo() {
# PAM configuration for the su service
#
# Hardening of '/bin/su': only members of the group 'sudo' can su to root.
auth required pam_wheel.so use_uid group=sudo
# If caller is already root, allow quickly without further auth:
auth sufficient pam_rootok.so
@@ -1282,7 +1195,16 @@ if [[ "${uid}" -eq 0 ]]; then
/bin/bash -s <<'ZSHROOT'
#!/bin/bash
set -Ceuo pipefail
export LC_ALL=C
export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
umask 077
### We are running as the target user here
@@ -1329,7 +1251,16 @@ else
su - "${user}" -s /bin/bash <<'ZSHUSER'
#!/bin/bash
set -Ceuo pipefail
export LC_ALL=C
export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
umask 077
### We are running as the target user here
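Review bot: In the `write_pam_su` hunk (`@@ -1139,6 +1049,9 @@`) the new `auth required pam_wheel.so use_uid group=sudo` line is placed before `auth sufficient pam_rootok.so`, so the `required` failure is recorded before the root shortcut can succeed and a root caller that is not in group `sudo` is refused by su; this very file relies on `su - "${user}" -s /bin/bash` in the `ZSHUSER` heredoc, which would then hit that check inside the chroot (assuming pam_wheel does not exempt uid 0 callers — please verify). Without `root_only` the restriction also applies to su to non-root targets, which is broader than the header comment "only members of the group 'sudo' can su to root" states. Suggest ordering it as `auth sufficient pam_rootok.so` followed by `auth required pam_wheel.so use_uid root_only group=sudo`, which is the usual Debian layout and matches the removed `hardening_su` intent. Separately, `pam_access_totp_enable "${var_username}" "sudo" "${var_target}"` in the sudo branch now runs for every sudo member, while `.google_authenticator` is only written when `var_2fa_ssh` or `var_2fa_tty` is true; unless the PAM line it adds carries `nullok`, sudo may become unusable for a sudo user without a seed, so it should probably be guarded by the same condition.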


@@ -18,6 +18,8 @@ guard_sourcing
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# user_root_shell
# Arguments:
# None
# Returns:
@@ -79,4 +81,59 @@ accounts_setup_ciss_root() {
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f accounts_setup_ciss_root
#######################################
# Generates user account skeleton and activates chosen bash / zsh.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# Arguments:
# 1: var_uid
# 2: var_gid
# 3: var_username
# 4: var_shell
# Returns:
# 0: on success
#######################################
accounts_setup_ciss_user() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_uid="${1}" var_gid="${2}" var_username="${3}" var_shell="${4}"
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${var_target}/home/${var_username}/.ssh"
install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${var_target}/home/${var_username}/.ssh/authorized_keys"
install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/home/${var_username}/.bashrc"
if [[ "${var_shell}" == "/bin/zsh" ]]; then
if [[ -x "${var_target}${var_shell}" ]]; then
zsh_omz_installer "${var_username}" "${var_target}"
mv "${var_target}/home/${var_username}/.zshrc" "${var_target}/home/${var_username}/.zshrc.bak"
install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/home/${var_username}"
chroot_exec "${var_target}" chsh -s "${var_shell}" "${var_username}"
do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
else
chroot_exec "${var_target}" chsh -s /bin/bash "${var_username}"
do_log "info" "file_only" "4520() Shell: '${var_shell}' not found for: '${var_username}'. Using '/bin/bash' instead."
fi
fi
do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f accounts_setup_ciss_user
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
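Review bot: `accounts_setup_ciss_user` installs `${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc`, while its physnet twin below and the `accounts_preparation_ciss` hunk use the `.ciss.zshrc`/`.physnet.zshrc` naming; the setup tree's file list is not visible here, but if only `.ciss.zshrc` exists this `install` fails (and aborts under `set -e`), so it is worth checking and, if so, changing to `install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.zshrc" "${var_target}/home/${var_username}/.zshrc"`. The two new functions (this one and `accounts_setup_physnet_user`) differ only in the rc-file names, so a shared helper taking the rc-file prefix would keep the zsh-fallback logic in one place. When `var_shell` is not `/bin/zsh` the function never calls `chsh` and relies on the shell set by the earlier `useradd`; that assumption deserves a line in the header comment.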


@@ -18,6 +18,8 @@ guard_sourcing
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# user_root_shell
# Arguments:
# None
# Returns:
@@ -30,7 +32,6 @@ accounts_setup_physnet_root() {
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
@@ -79,5 +80,60 @@ accounts_setup_physnet_root() {
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f accounts_setup_physnet
readonly -f accounts_setup_physnet_root
#######################################
# Generates user account skeleton and activates chosen bash / zsh.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# Arguments:
# 1: var_uid
# 2: var_gid
# 3: var_username
# 4: var_shell
# Returns:
# 0: on success
#######################################
accounts_setup_physnet_user() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_uid="${1}" var_gid="${2}" var_username="${3}" var_shell="${4}"
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${var_target}/home/${var_username}/.ssh"
install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${var_target}/home/${var_username}/.ssh/authorized_keys"
install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/home/${var_username}/.bashrc"
if [[ "${var_shell}" == "/bin/zsh" ]]; then
if [[ -x "${var_target}${var_shell}" ]]; then
zsh_omz_installer "${var_username}" "${var_target}"
mv "${var_target}/home/${var_username}/.zshrc" "${var_target}/home/${var_username}/.zshrc.bak"
install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/home/${var_username}/.zshrc"
chroot_exec "${var_target}" chsh -s "${var_shell}" "${var_username}"
do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
else
chroot_exec "${var_target}" chsh -s /bin/bash "${var_username}"
do_log "info" "file_only" "4520() Shell: '${var_shell}' not found for: '${var_username}'. Using '/bin/bash' instead."
fi
fi
do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f accounts_setup_physnet_user
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -39,7 +39,6 @@ final_commands() {
rm -f "${var_target}/etc/root/ciss_xdg_tmp.sh"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.