Merge remote-tracking branch 'origin/master'

V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-17 23:26:14 +01:00 · 2025-10-17 23:25:41 +01:00
13 changed files with 230 additions and 152 deletions
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -855,7 +855,7 @@ user:
        tty: true              # Allow TTY (local console) login.
      password: true           # Allow password login. SSH password login is always disabled.
      2fa:
-        ssh: false             # Require 2FA for SSH access.
+        ssh: false             # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty.
        tty: false             # Require 2FA for TTY (local console) login.
    privileges:
      description: "Root user with full system access and administrative privileges."
@@ -885,7 +885,7 @@ user:
        tty: true              # Allow TTY (local console) login.
      password: true           # Allow password login. SSH password login is always disabled.
      2fa:
-        ssh: false             # Require 2FA for SSH access.
+        ssh: false             # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty.
        tty: false             # Require 2FA for TTY (local console) login.
    privileges:
      description: "Primary admin user with full sudo access and interactive login."
@@ -915,7 +915,7 @@ user:
        tty: false             # Allow TTY (local console) login.
      password: false          # Allow password login. SSH password login is always disabled.
      2fa:
-        ssh: false             # Require 2FA for SSH access.
+        ssh: false             # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty.
        tty: false             # Require 2FA for TTY (local console) login.
    privileges:
      description: "Ansible automation user with sudo, key-only SSH, no TTY."
--- a/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
+++ b/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
@@ -39,6 +39,8 @@ prepare_xdg_root() {
  chroot_script "${var_target}" '
    install -d -m 0755 /etc/xdg
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    ### Create canonical directories.
    _xdg_umask="$(umask)"
    umask 0077
--- a/func/cdi_4300_network/4330_installation_ssh.sh
+++ b/func/cdi_4300_network/4330_installation_ssh.sh
@@ -99,16 +99,20 @@ EOF
  if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
    chroot_script "${var_target}" "
-      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key"
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key
    "
    chroot_script "${var_target}" "
-      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key"
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key
    "
    chroot_script "${var_target}" "
-      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub"
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub
    "
    chroot_script "${var_target}" "
-      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub"
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub
    "
  else
--- a/func/cdi_4400_hardening/4440_hardening_haveged.sh
+++ b/func/cdi_4400_hardening/4440_hardening_haveged.sh
@@ -15,16 +15,24 @@ guard_sourcing
 #######################################
 # Hardening haveged.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_haveged() {
-  insert_header   "${TARGET}/etc/default/haveged"
+  ### Declare Arrays, HashMaps, and Variables.
-  insert_comments "${TARGET}/etc/default/haveged"
+  declare    var_target="${TARGET}"
-  cat << EOF >>   "${TARGET}/etc/default/haveged"
+
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  insert_header   "${var_target}/etc/default/haveged"
  insert_comments "${var_target}/etc/default/haveged"
  cat << EOF >>   "${var_target}/etc/default/haveged"
 # Configuration file for haveged
 # Minimal, sane defaults for server/headless systems.
 # -w <bits> : target entropy level in bits; 1024 ensures fast pool fill on boot
--- a/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
+++ b/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
@@ -15,7 +15,9 @@ guard_sourcing
 #######################################
 # Hardening hardening_jitterentropy.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
--- a/func/cdi_4400_hardening/4445_hardening_logrotate.sh
+++ b/func/cdi_4400_hardening/4445_hardening_logrotate.sh
@@ -25,11 +25,15 @@ hardening_logrotate() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
  declare     var_file="" var_log=""
  declare     var_target="${TARGET}"
-  rm -f           "${TARGET}/etc/logrotate.conf"
+  ### Check for TARGET / RECOVERY.
-  insert_header   "${TARGET}/etc/logrotate.conf"
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  insert_comments "${TARGET}/etc/logrotate.conf"
+
-  cat << EOF >>   "${TARGET}/etc/logrotate.conf"
+  rm -f           "${var_target}/etc/logrotate.conf"
  insert_header   "${var_target}/etc/logrotate.conf"
  insert_comments "${var_target}/etc/logrotate.conf"
  cat << EOF >>   "${var_target}/etc/logrotate.conf"
 # See "man logrotate" for details. Global options do not affect preceding include directives.
 # rotate log files daily
@@ -62,7 +66,7 @@ include /etc/logrotate.d
 EOF
  for var_log in "${ary_logrotate[@]}"; do
-    var_file="${TARGET}/etc/logrotate.d/${var_log}"
+    var_file="${var_target}/etc/logrotate.d/${var_log}"
    [[ -e "${var_file}" ]] || continue
    ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
    sed -E -i \
--- a/func/cdi_4500_user/4500_accounts_preparation.sh
+++ b/func/cdi_4500_user/4500_accounts_preparation.sh
@@ -13,7 +13,7 @@
 guard_sourcing
 #######################################
-# Prepare '/etc/skel'-Directory.
+# Account generation preparation.
 # Globals:
 #   RECOVERY
 #   TARGET
--- a/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
+++ b/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
@@ -31,6 +31,13 @@ accounts_preparation_ciss() {
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0755 -- "${var_target}/etc/skel/.cache"
  install -d -m 0755 -- "${var_target}/etc/skel/.config"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/share"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state/bash"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state/less"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/etc/skel/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.zshrc" "${var_target}/etc/skel/.zshrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
--- a/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
+++ b/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
@@ -18,6 +18,7 @@ guard_sourcing
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
@@ -30,6 +31,13 @@ accounts_preparation_physnet() {
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0755 -- "${var_target}/etc/skel/.cache"
  install -d -m 0755 -- "${var_target}/etc/skel/.config"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/share"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state/bash"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state/less"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/etc/skel/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/etc/skel/.zshrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -13,12 +13,11 @@
 guard_sourcing
 #######################################
-# Updating user accounts.
+# Updating root account and generation user accounts.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 #   VAR_TEMP_PLAIN_MFA_SEED
 #   VAR_USER_MAX
 #   VAR_USER_ROOT_SPECIFIC
@@ -27,7 +26,7 @@ guard_sourcing
 #   user_root_authentication_access_ssh
 #   user_root_authentication_access_tty
 #   user_root_authentication_password
-#   user_root_shell
+#   user_root_password
 #   user_root_sshpubkey
 # Arguments:
 #   None
@@ -44,8 +43,7 @@ accounts_setup() {
              tmp_specific=""
  declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
              var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted="" var_system="" \
-              var_specific=""
+              var_specific="" var_ssh_totp_update="false"
  declare     var_ssh_totp_update="false"
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
@@ -63,6 +61,8 @@ accounts_setup() {
  read_totp_seed
  do_log "debug" "file_only" "4520() Command: [read_totp_seed]"
  ### Updating root ------------------------------------------------------------------------------------------------------------
  ### 0) The 'root' account is generated via debootstrap by default.
  ### 1) Prepare the 'root' account.
@@ -72,9 +72,9 @@ accounts_setup() {
    "physnet") accounts_setup_physnet_root ;;
-    "none"   ) do_log "info" "file_only" "4520() Account preparation [none] selected." ;;
+    "none"   ) do_log "info" "file_only" "4520() Account preparation: 'root' [none] selected." ;;
-    *        ) do_log "warn" "file_only" "4520() Account preparation nothing selected. Keeping defaults." ;;
+    *        ) do_log "warn" "file_only" "4520() Account preparation: 'root' nothing selected. Keeping defaults." ;;
  esac
@@ -114,11 +114,11 @@ EOF
      ;;
    true)
-      ### Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
+      ### Allow local access for 'root' on 'tty1' only in '/etc/security/access.conf'.
      printf -- "+: root:tty1 \n" >> "${var_target}/etc/security/access.conf"
      do_log "info" "file_only" "4520() User: 'root' [allow local access on tty1 in '/etc/security/access.conf']"
-      ### Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
+      ### Allow local access for 'root' on 'tty1' only in '/etc/securetty'.
      cat << 'EOF' >| "${var_target}/etc/securetty"
 tty1
 EOF
@@ -196,6 +196,7 @@ EOF
  ### 9) Final status logging.
  do_log "info" "file_only" "4520() User: 'root' updated."
  ### Generating user accounts -------------------------------------------------------------------------------------------------
  ### Iterate through all remaining 'user' accounts and install them.
  for ((i = 0; i <= VAR_USER_MAX; i++)); do
@@ -246,7 +247,7 @@ EOF
        chroot_exec "${var_target}" useradd \
          --comment "${var_fullname}" \
          --create-home \
-          --expiredate 2102-12-31 \
+          --expiredate 2102-09-17 \
          --gid "${var_gid}" \
          --home-dir /home/"${var_username}" \
          --inactive 0 \
@@ -259,7 +260,7 @@ EOF
      true:false)
        chroot_exec "${var_target}" useradd \
          --comment "${var_fullname}" \
-          --expiredate 2102-12-31 \
+          --expiredate 2102-09-17 \
          --gid "${var_gid}" \
          --inactive 0 \
          --no-create-home \
@@ -272,7 +273,7 @@ EOF
        chroot_exec "${var_target}" useradd \
          --comment "${var_fullname}" \
          --create-home \
-          --expiredate 2102-12-31 \
+          --expiredate 2102-09-17 \
          --gid "${var_gid}" \
          --home-dir /home/"${var_username}" \
          --inactive 0 \
@@ -285,7 +286,7 @@ EOF
      true:true)
        chroot_exec "${var_target}" useradd \
          --comment "${var_fullname}" \
-          --expiredate 2102-12-31 \
+          --expiredate 2102-09-17 \
          --gid "${var_gid}" \
          --inactive 0 \
          --no-create-home \
@@ -303,46 +304,25 @@ EOF
    esac
    ### 1) Prepare the 'user' account.
-    install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${var_target}/home/${var_username}/.ssh"
+    install -d -m 0700 -- "${var_target}/home/${var_username}/.cache"
-    install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${var_target}/home/${var_username}/.ssh/authorized_keys"
+    install -d -m 0700 -- "${var_target}/home/${var_username}/.config"
-    install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/home/${var_username}/"
+    install -d -m 0700 -- "${var_target}/home/${var_username}/.local/share"
    install -d -m 0700 -- "${var_target}/home/${var_username}/.local/state"
    install -d -m 0700 -- "${var_target}/home/${var_username}/.local/state/bash"
    install -d -m 0700 -- "${var_target}/home/${var_username}/.local/state/less"
-    if [[ "${var_shell}" == "/bin/zsh" ]]; then
+    case "${var_specific}" in
-      if [[ -x "${var_target}${var_shell}" ]]; then
+      "ciss"   ) accounts_setup_ciss_user    "${var_uid}" "${var_gid}" "${var_username}" "${var_shell}" ;;
-        case "${var_specific,,}" in
+      "physnet") accounts_setup_physnet_user "${var_uid}" "${var_gid}" "${var_username}" "${var_shell}" ;;
-          "ciss")
+      "none"   ) do_log "info" "file_only" "4520() Account preparation: '${var_username}' [none] selected." ;;
            zsh_omz_installer "${var_username}" "${var_target}"
            mv "${var_target}/home/${var_username}/.zshrc" "${var_target}/home/${var_username}/.zshrc.bak"
            install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/home/${var_username}"
            ;;
-          "physnet")
+      *        ) do_log "warn" "file_only" "4520() Account preparation: '${var_username}' nothing selected. Keeping defaults." ;;
            :
            ;;
          "none"|*)
            :
            ;;
    esac
        chroot_exec "${var_target}" chsh -s "${var_shell}" "${var_username}"
        do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
      else
        chroot_exec "${var_target}" chsh -s /bin/bash "${var_username}"
        do_log "info" "file_only" "4520() Shell: '${var_shell}' not found for: '${var_username}'. Using '/bin/bash' instead."
      fi
    fi
    do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
    ### 2) Check SSH access capabilities.
    ### Nothing to do here as per-user SSH capabilities are already handled in '4330_installation_ssh.sh'.
@@ -350,26 +330,15 @@ EOF
    case "${var_access_tty,,}" in
      false)
-        ### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
+        ### Disallow all local access for user in '/etc/security/access.conf'.
        pam_access_sync_login_sshd
        ### 3) A) 2) This step is not required for user accounts.
        ### 3) A) 3) Disallow all local access for user in '/etc/security/access.conf'.
        printf '%s\n' "-: ${var_username}:ALL" >> "${var_target}/etc/security/access.conf"
-
+        do_log "info" "file_only" "4520() User: '${var_username}' [disallow all local access in '/etc/security/access.conf']"
        ### 3) A) 4) This step is not required for user accounts.
        do_log "info" "file_only" "4520() User: '${var_username}' tty access: [false]"
        ;;
      true)
-        ### 3) B) 1) Allow local access for 'user' only on 'tty1' in '/etc/security/access.conf'.
+        ### Allow local access for 'user' only on 'tty1' in '/etc/security/access.conf'.
        printf '%s\n' "+: ${var_username}:tty1" >> "${var_target}/etc/security/access.conf"
-
+        do_log "info" "file_only" "4520() User: '${var_username}' [allow local access on tty1 in '/etc/security/access.conf']"
        ### 3) B) 2) This step is not required for user accounts.
        do_log "info" "file_only" "4520() User: '${var_username}' tty access: [true]"
        ;;
      *)
@@ -380,6 +349,8 @@ EOF
    esac
    ### 4) Check the password policy for the 'user' account.
    chroot_script "${var_target}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
    case "${var_auth_pwd}" in
      false)
@@ -388,8 +359,7 @@ EOF
        ;;
      true)
-        chroot_script "${var_target}" "printf '%s:%s\n' \"${var_username}\" '${var_password}' | /usr/sbin/chpasswd -e"
+        chroot_script "${var_target}" "passwd -u ${var_username}"
        #chroot_script "${var_target}" "/usr/sbin/usermod -p '${var_password}' ${var_username}"
        do_log "info" "file_only" "4520() User: '${var_username}' password access: [true]"
        ;;
@@ -408,16 +378,16 @@ EOF
    fi
-    ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
+    ### 6) Update the 'user' 'totp'-policy and write the '.google_authenticator'-file.
    if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
      write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}" "${var_target}"
      printf '%s\n' "${var_username}" >> "${var_target}/etc/ciss/2fa.users"
    fi
    if [[ "${var_2fa_ssh}" == "true" ]]; then
      pam_access_totp_enable "${var_username}" "sshd" "${var_target}"
      var_ssh_totp_update="true"
      cat << EOF >> "${var_target}/etc/ssh/sshd_config"
 Match User ${var_username}
@@ -426,16 +396,12 @@ Match User ${var_username}
 EOF
    fi
    [[ "${var_2fa_tty}" == "true" ]] && pam_access_totp_enable "${var_username}" "login" "${var_target}"
    ### 7) Check sudo membership for user.
    if [[ "${var_sudo}" == "true" ]]; then
      chroot_exec "${var_target}" usermod -aG sudo "${var_username}"
      ### Hardening sudo users (idempotent) and ensure WinSCP SFTP-as-root.
      hardening_sudo "${var_username}" "${var_specific:-none}" "${var_target}"
      ### Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
      pam_access_totp_enable "${var_username}" "sudo" "${var_target}"
    fi
@@ -471,9 +437,6 @@ EOF
  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"
  ### Hardening of '/bin/su': only members of the group 'sudo' can su to root.
  hardening_su
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
@@ -560,59 +523,6 @@ generate_totp_secret() {
 # shellcheck disable=SC2034
 readonly -f generate_totp_secret
 #######################################
 # Hardening of '/bin/su': only members of the group 'sudo' can su to root.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_su() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  pam_su="/etc/pam.d/su"
  [[ -f "${var_target}${pam_su}" ]] || return 0
  chroot_stdin "${var_target}" "__payload__" -- "${pam_su}" <<'EOF'
 export LC_ALL=C
 pam="$1"
 if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel[.]so([[:space:]].*)?group=sudo([[:space:]].*)?use_uid' "${pam}"; then
  :
 else
  tmp="$(mktemp "${pam}.XXXXXX")"
  ### 1) Insert rule before pam_unix.so or pam_rootok.so (fail early). Fallback: append.
  awk '
    BEGIN { ins=0 }
    {
      if (!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_(unix|rootok)[.]so/ ) {
        print "auth  required  pam_wheel.so use_uid group=sudo"
        ins=1
      }
      print
    }
    END {
      if (!ins) {
        print "auth  required  pam_wheel.so use_uid group=sudo"
      }
    }
  ' "${pam}" >| "${tmp}"
  test -s "${tmp}"
  mv -f "${tmp}" "${pam}"
  rm -f -- "${tmp}" || :
 fi
 :
 EOF
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_su
 #######################################
 # Hardening sudo users (idempotent) and ensure WinSCP SFTP-as-root.
 # Globals:
@@ -1126,7 +1036,7 @@ readonly -f write_pam_sshd
 # Returns:
 #   0: on success
 #######################################
-write_pam_sudo() {
+write_pam_su() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
@@ -1139,6 +1049,9 @@ write_pam_sudo() {
 # PAM configuration for the su service
 #
 # Hardening of '/bin/su': only members of the group 'sudo' can su to root.
 auth     required   pam_wheel.so use_uid group=sudo
 # If caller is already root, allow quickly without further auth:
 auth     sufficient pam_rootok.so
@@ -1282,7 +1195,16 @@ if [[ "${uid}" -eq 0 ]]; then
  /bin/bash -s <<'ZSHROOT'
 #!/bin/bash
 set -Ceuo pipefail
 export LC_ALL=C
 export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
 export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
 export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
 export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
 export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
 export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
 umask 077
 ### We are running as the target user here
@@ -1329,7 +1251,16 @@ else
  su - "${user}" -s /bin/bash <<'ZSHUSER'
 #!/bin/bash
 set -Ceuo pipefail
 export LC_ALL=C
 export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
 export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
 export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
 export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
 export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
 export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
 umask 077
 ### We are running as the target user here
--- a/func/cdi_4500_user/4521_accounts_setup_ciss.sh
+++ b/func/cdi_4500_user/4521_accounts_setup_ciss.sh
@@ -18,6 +18,8 @@ guard_sourcing
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 #   user_root_shell
 # Arguments:
 #   None
 # Returns:
@@ -79,4 +81,59 @@ accounts_setup_ciss_root() {
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_setup_ciss_root
 #######################################
 # Generates user account skeleton and activates chosen bash / zsh.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   1: var_uid
 #   2: var_gid
 #   3: var_username
 #   4: var_shell
 # Returns:
 #   0: on success
 #######################################
 accounts_setup_ciss_user() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_uid="${1}" var_gid="${2}" var_username="${3}" var_shell="${4}"
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${var_target}/home/${var_username}/.ssh"
  install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${var_target}/home/${var_username}/.ssh/authorized_keys"
  install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/home/${var_username}/.bashrc"
  if [[ "${var_shell}" == "/bin/zsh" ]]; then
    if [[ -x "${var_target}${var_shell}" ]]; then
      zsh_omz_installer "${var_username}" "${var_target}"
      mv "${var_target}/home/${var_username}/.zshrc" "${var_target}/home/${var_username}/.zshrc.bak"
      install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/home/${var_username}"
      chroot_exec "${var_target}" chsh -s "${var_shell}" "${var_username}"
      do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash "${var_username}"
      do_log "info" "file_only" "4520() Shell: '${var_shell}' not found for: '${var_username}'. Using '/bin/bash' instead."
    fi
  fi
  do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_setup_ciss_user
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4500_user/4522_accounts_setup_physnet.sh
+++ b/func/cdi_4500_user/4522_accounts_setup_physnet.sh
@@ -18,6 +18,8 @@ guard_sourcing
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 #   user_root_shell
 # Arguments:
 #   None
 # Returns:
@@ -30,7 +32,6 @@ accounts_setup_physnet_root() {
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
@@ -79,5 +80,60 @@ accounts_setup_physnet_root() {
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
-readonly -f accounts_setup_physnet
+readonly -f accounts_setup_physnet_root
 #######################################
 # Generates user account skeleton and activates chosen bash / zsh.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   1: var_uid
 #   2: var_gid
 #   3: var_username
 #   4: var_shell
 # Returns:
 #   0: on success
 #######################################
 accounts_setup_physnet_user() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_uid="${1}" var_gid="${2}" var_username="${3}" var_shell="${4}"
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${var_target}/home/${var_username}/.ssh"
  install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${var_target}/home/${var_username}/.ssh/authorized_keys"
  install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/home/${var_username}/.bashrc"
  if [[ "${var_shell}" == "/bin/zsh" ]]; then
    if [[ -x "${var_target}${var_shell}" ]]; then
      zsh_omz_installer "${var_username}" "${var_target}"
      mv "${var_target}/home/${var_username}/.zshrc" "${var_target}/home/${var_username}/.zshrc.bak"
      install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/home/${var_username}/.zshrc"
      chroot_exec "${var_target}" chsh -s "${var_shell}" "${var_username}"
      do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash "${var_username}"
      do_log "info" "file_only" "4520() Shell: '${var_shell}' not found for: '${var_username}'. Using '/bin/bash' instead."
    fi
  fi
  do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_setup_physnet_user
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4900_xtended/4900_final_command.sh
+++ b/func/cdi_4900_xtended/4900_final_command.sh
@@ -39,7 +39,6 @@ final_commands() {
  rm -f "${var_target}/etc/root/ciss_xdg_tmp.sh"
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
Author	SHA256	Message	Date
Marc S. Weidner	5986c451ca	Merge remote-tracking branch 'origin/master' All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m37s Details	2025-10-17 23:26:14 +01:00
Marc S. Weidner	07e5624eea	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-17 23:25:41 +01:00