#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#
# Option handler for --root-password-file (the error messages below name that
# option). The file path arrives as "$2"; the handler:
#   1. rejects a missing path or a non-existent file,
#   2. forces owner root:root and mode 0400 on the file (fixing them up if needed),
#   3. reads the FIRST LINE of the file as the root password with xtrace disabled,
#   4. enforces a 20..64 character length and forbids the double-quote character,
#   5. derives a salt (the salt/hash step is truncated in this copy, see below),
#   6. shreds the password file and syncs.
# Every failure path clears the boot screen (unless running in autobuild mode),
# prints a colourised message to stderr, waits for ENTER and exits with a
# dedicated ERR_* status. Globals used (defined by the sourcing framework, not
# here): VAR_HANDLER_AUTOBUILD, VAR_EARLY_DEBUG, C_RED, C_GRE, C_RES, NL and the
# ERR_* exit codes.
#
# NOTE(review): this copy of the file was collapsed onto two lines and part of
# the text is missing/garbled (several printf calls lack the colour/newline
# arguments the first call passes, the read -p prompts carry literal "%s",
# and the salt/hash pipeline is cut between "tr -dc" and the shred result
# check). Comments below describe only what the visible text shows; confirm
# the rest against the original file.

# Presumably aborts when this file is executed rather than sourced — defined by
# the framework, not visible here.
guard_sourcing

# Path of the password file, taken from the option's argument.
declare pw_file="${2}"

# --- 1. path argument present? ------------------------------------------------
if [[ -z "${pw_file}" ]]; then
  # $VAR_HANDLER_AUTOBUILD is executed as a command, so it must hold true/false.
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file missing password file path argument.%s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
  # NOTE(review): the interactive read is not gated by VAR_HANDLER_AUTOBUILD and
  # would block an unattended run — confirm this is intended.
  # shellcheck disable=SC2162
  read -p $'%s✅ Press \'ENTER\' to exit the script ... %s' ${C_GRE}" "${C_RES}"
  exit "${ERR_MISS_PWD_P}"
fi

# --- 1b. file exists? -----------------------------------------------------------
# -f follows symlinks: a symlink pointing at a regular file passes this test.
if [[ ! -f "${pw_file}" ]]; then
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file password file '%s' does not exist.%s%s" "${pw_file}" >&2
  # shellcheck disable=SC2162
  read -p $'%s✅ Press \'ENTER\' to exit the script ... %s'
  exit "${ERR_MISS_PWD_F}"
fi

# --- 2a. ownership: must be root:root, repaired with chown if not -------------
declare owner
# NOTE(review): stat without -L reports the symlink itself, whereas -f above and
# chown/chmod below act on the target — a symlinked password file is therefore
# checked and fixed on different inodes. Consider `stat -L` or rejecting
# symlinks outright; confirm intended behaviour.
owner=$(stat -c '%U:%G' "${pw_file}")
if [[ "${owner}" != "root:root" ]]; then
  # The block after || runs only when chown itself fails.
  chown root:root "${pw_file}" || {
    if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
    printf "%s❌ Error: --root-password-file failed to set owner root:root on '%s'.%s%s" "${pw_file}" >&2
    # shellcheck disable=SC2162
    read -p $'%s✅ Press \'ENTER\' to exit the script ... %s'
    exit "${ERR_OWNS_PWD_F}"
  }
fi

# --- 2b. permissions: must be exactly 0400, repaired with chmod if not --------
declare perms
# stat %a prints the mode as octal digits without a leading zero, so the numeric
# -ne compare against 400 matches an exact 0400 file; anything else (including
# special bits such as 4400) is normalised to 0400 below.
perms=$(stat -c '%a' "${pw_file}")
if [[ "${perms}" -ne 400 ]]; then
  chmod 400 "${pw_file}" || {
    if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
    printf "%s❌ Error: --root-password-file failed to set permissions 0400 on '%s'.%s%s" "${pw_file}" >&2
    # shellcheck disable=SC2162
    read -p $'%s✅ Press \'ENTER\' to exit the script ... %s'
    exit "${ERR_RGHT_PWD_F}"
  }
fi

# --- 3. read the password (first line only) with xtrace off -------------------
declare plaintext_pw
# While VAR_EARLY_DEBUG tracing is active, turn it off so the password never
# appears in the xtrace output.
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
# IFS= keeps leading/trailing whitespace, -r keeps backslashes. Only the first
# line is consumed; further lines are ignored. `read` returns non-zero when the
# line lacks a trailing newline even though the variable is set, hence the
# deliberate no-op branch. An empty/unreadable file leaves plaintext_pw empty,
# which the length check below rejects.
if ! IFS= read -r plaintext_pw < "${pw_file}"; then
  :
fi
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again

# --- 4a. length policy: 20..64 characters --------------------------------------
declare pw_length
# Length in characters (locale dependent for multi-byte input), not bytes.
pw_length=${#plaintext_pw}
if (( pw_length < 20 || pw_length > 64 )); then
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).%s%s" "${pw_length}" >&2
  # shellcheck disable=SC2162
  read -p $'%s✅ Press \'ENTER\' to exit the script ... %s'
  exit "${ERR_PASS_LENGH}"
fi

# --- 4b. charset policy: no double quotes ---------------------------------------
# Tracing is disabled again because the test expands the password value.
# Presumably the password is later interpolated into a double-quoted context
# (e.g. a preseed or config line) — confirm against the hashing step.
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
if [[ "${plaintext_pw}" == *\"* ]]; then
  # Safe to trace again: the error path no longer touches the password.
  [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
  printf "%s❌ Error: --root-password-file password MUST NOT contain double quotes (\").%s%s" >&2
  # shellcheck disable=SC2162
  read -p $'%s✅ Press \'ENTER\' to exit the script ... %s'
  exit "${ERR_PASS_PLICY}"
fi
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again

# --- 5. salt derivation + hashing (TRUNCATED IN THIS COPY) ----------------------
declare salt
# pipefail is switched off, presumably so the tr|head style pipeline (tr killed
# by SIGPIPE once head has enough bytes) is not treated as a failure — confirm.
# It is not switched back on anywhere in the visible text.
set +o pipefail
while :; do
  # NOTE(review): the text from here up to the shred result check is missing
  # (everything between the redirection after `tr -dc` and the `then` was lost
  # during extraction). The salt generation, the loop exit condition, the hash
  # computation and the `if shred ...` line are NOT visible and cannot be
  # documented here; restore from the original file.
  salt=$(tr -dc 'A-Za-z0-9' /dev/null 2>&1; then
  # --- 6. destroy the plaintext file -------------------------------------------
  # NOTE(review): both result messages are redirected to /dev/null, so a failed
  # shred is silently ignored; consider writing the failure branch to stderr.
  # Also, shred(1) documents that its overwrite guarantees do not hold on
  # journaling, CoW or snapshot-backed file systems — deleting the file still
  # happens (-u) but residual copies may remain. plaintext_pw is not unset in
  # the visible text either; confirm it is cleared after hashing.
  printf "%s✅ Password file '%s': shred -vfzu -n 5 >> done. %s%s" "${pw_file}" > /dev/null 2>&1
else
  printf "%s❌ Password file '%s': shred -vfzu -n 5 >> NOT successful. %s%s" "${pw_file}" > /dev/null 2>&1
fi
# Flush the unlink/overwrite to disk before the caller continues.
sync

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh