#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing ####################################### # Updating user accounts. # Globals: # TARGET # VAR_SETUP_PATH # VAR_USER_MAX # user_root_authentication_access_ssh # user_root_password # user_root_shell # user_root_sshpubkey # Arguments: # None # Returns: # 0: on success ####################################### installation_accounts() { ####################################### # Declare Variables ####################################### declare -i i declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \ tmp_restricted="" declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \ var_restricted="" var_chpasswd="" var_sshdir="" ### Hardening '/etc/login.defs' rm -f "${TARGET}/etc/login.defs" install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/login.defs" "${TARGET}/etc/" ### Hardening '/etc/security/pwquality.conf' rm -f "${TARGET}/etc/security/pwquality.conf" install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/security/pwquality.cnf" "${TARGET}/etc/security/pwquality.conf" ### Preparing the root account chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow" chmod 0644 "${TARGET}/etc/passwd" "${TARGET}/etc/group" chmod 0600 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow" if [[ -x "${TARGET}${user_root_shell}" ]]; then do_in_target "${TARGET}" chsh -s "${user_root_shell}" root else do_log "warn" "file_only" "Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead." fi var_chpasswd="root:${user_root_password}" do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e" var_chpasswd="" install -d -m 0700 -o root -g root "${TARGET}/root/.ssh" install -m 0600 -o root -g root /dev/null "${TARGET}/root/.ssh/authorized_keys" grep -qxF "${user_root_sshpubkey}" "${TARGET}/root/.ssh/authorized_keys" || \ printf "%s\n" "${user_root_sshpubkey}" >> "${TARGET}/root/.ssh/authorized_keys" if [[ "${user_root_authentication_access_ssh}" == "false" ]]; then if grep -q '^\s*PermitRootLogin' "${TARGET}/etc/ssh/sshd_config"; then sed -i 's/^\s*PermitRootLogin\s\+.*/PermitRootLogin no/' "${TARGET}/etc/ssh/sshd_config" else echo 'PermitRootLogin no' >> "${TARGET}/etc/ssh/sshd_config" fi fi install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.bashrc" "${TARGET}/root/" install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.zshrc" "${TARGET}/root/" install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/root/.ciss/" install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/root/.ciss/" install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/root/.ciss/" # To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content: echo 'set clipboard=unnamed' >| "${TARGET}/root/.vimrc" chmod 0600 "${TARGET}/root/.vimrc" do_log "info" "file_only" "User: 'root' updated." ### Install all user accounts. for ((i = 0; i <= VAR_USER_MAX; i++)); do tmp_username="user_user${i}_name" tmp_fullname="user_user${i}_fullname" tmp_uid="user_user${i}_uid" tmp_gid="user_user${i}_gid" tmp_shell="user_user${i}_shell" tmp_password="user_user${i}_password" tmp_sshpubkey="user_user${i}_sshpubkey" tmp_sudo="user_user${i}_privileges_sudo" tmp_restricted="user_user${i}_privileges_restricted" var_username="${!tmp_username}" var_fullname="${!tmp_fullname}" var_uid="${!tmp_uid}" var_gid="${!tmp_gid}" var_shell="${!tmp_shell}" var_password="${!tmp_password}" var_sshpubkey="${!tmp_sshpubkey}" var_sudo="${!tmp_sudo}" var_restricted="${!tmp_restricted}" do_in_target "${TARGET}" getent group "${var_username}" >/dev/null || \ do_in_target "${TARGET}" groupadd --gid "${var_gid}" "${var_username}" if [[ "${var_restricted}" == "false" ]]; then do_in_target "${TARGET}" useradd \ --comment "${var_fullname}" \ --create-home \ --expiredate 2102-12-31 \ --gid "${var_gid}" \ --home-dir /home/"${var_username}" \ --inactive 0 \ --shell "${var_shell}" \ --uid "${var_uid}" \ "${var_username}" else do_in_target "${TARGET}" useradd \ --comment "${var_fullname}" \ --expiredate 2102-12-31 \ --gid "${var_gid}" \ --home-dir /home/"${var_username}" \ --inactive 0 \ --no-create-home \ --shell "${var_shell}" \ --uid "${var_uid}" \ "${var_username}" fi var_chpasswd="${var_username}:${var_password}" do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e" var_chpasswd="" if [[ "${var_sudo}" == "true" ]]; then do_in_target "${TARGET}" usermod -aG sudo "${var_username}" fi if [[ -n "${var_sshpubkey}" ]]; then var_sshdir="${TARGET}/home/${var_username}/.ssh" install -d -m 0700 -o "${var_username}" -g "${var_username}" "${var_sshdir}" install -m 0600 -o "${var_username}" -g "${var_username}" /dev/null "${var_sshdir}/authorized_keys" grep -qxF "${var_sshpubkey}" "${var_sshdir}/authorized_keys" || \ printf "%s\n" "${var_sshpubkey}" >> "${var_sshdir}/authorized_keys" fi do_log "info" "file_only" "Created user: [${var_username}] UID: [${var_uid}], GID: [${var_gid}]" done guard_dir && return 0 } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh