Marc S. Weidner
c026d9a324
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 39s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
165 lines
6.2 KiB
Bash
165 lines
6.2 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.installer
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
guard_sourcing
|
|
|
|
#######################################
|
|
# Updating user accounts.
|
|
# Globals:
|
|
# TARGET
|
|
# VAR_SETUP_PATH
|
|
# VAR_USER_MAX
|
|
# user_root_authentication_access_ssh
|
|
# user_root_password
|
|
# user_root_shell
|
|
# user_root_sshpubkey
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# 0: on success
|
|
#######################################
|
|
setup_accounts() {
|
|
|
|
#######################################
|
|
# Declare Variables
|
|
#######################################
|
|
declare -i i
|
|
declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
|
|
tmp_restricted=""
|
|
declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
|
|
var_restricted="" var_chpasswd="" var_sshdir=""
|
|
|
|
### Hardening '/etc/login.defs'
|
|
rm -f "${TARGET}/etc/login.defs"
|
|
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/login.defs" "${TARGET}/etc/"
|
|
|
|
### Hardening '/etc/security/pwquality.conf'
|
|
rm -f "${TARGET}/etc/security/pwquality.conf"
|
|
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/security/pwquality.cnf" "${TARGET}/etc/security/pwquality.conf"
|
|
|
|
### Preparing the root account
|
|
chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow"
|
|
chmod 0644 "${TARGET}/etc/passwd" "${TARGET}/etc/group"
|
|
chmod 0600 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
|
|
|
|
if [[ -x "${TARGET}${user_root_shell}" ]]; then
|
|
do_in_target "${TARGET}" chsh -s "${user_root_shell}" root
|
|
else
|
|
do_log "warn" "file_only" "Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
|
|
fi
|
|
|
|
var_chpasswd="root:${user_root_password}"
|
|
do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
|
|
var_chpasswd=""
|
|
|
|
install -d -m 0700 -o root -g root "${TARGET}/root/.ssh"
|
|
install -m 0600 -o root -g root /dev/null "${TARGET}/root/.ssh/authorized_keys"
|
|
|
|
grep -qxF "${user_root_sshpubkey}" "${TARGET}/root/.ssh/authorized_keys" || \
|
|
printf "%s\n" "${user_root_sshpubkey}" >> "${TARGET}/root/.ssh/authorized_keys"
|
|
|
|
if [[ "${user_root_authentication_access_ssh}" == "false" ]]; then
|
|
if grep -q '^\s*PermitRootLogin' "${TARGET}/etc/ssh/sshd_config"; then
|
|
sed -i 's/^\s*PermitRootLogin\s\+.*/PermitRootLogin no/' "${TARGET}/etc/ssh/sshd_config"
|
|
else
|
|
echo 'PermitRootLogin no' >> "${TARGET}/etc/ssh/sshd_config"
|
|
fi
|
|
fi
|
|
|
|
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.bashrc" "${TARGET}/root/"
|
|
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.zshrc" "${TARGET}/root/"
|
|
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/root/.ciss/"
|
|
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/root/.ciss/"
|
|
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/root/.ciss/"
|
|
# To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
|
|
echo 'set clipboard=unnamed' >| "${TARGET}/root/.vimrc"
|
|
chmod 0600 "${TARGET}/root/.vimrc"
|
|
|
|
do_log "info" "file_only" "User: 'root' updated."
|
|
|
|
### Install all user accounts.
|
|
for ((i = 0; i <= VAR_USER_MAX; i++)); do
|
|
tmp_username="user_user${i}_name"
|
|
tmp_fullname="user_user${i}_fullname"
|
|
tmp_uid="user_user${i}_uid"
|
|
tmp_gid="user_user${i}_gid"
|
|
tmp_shell="user_user${i}_shell"
|
|
tmp_password="user_user${i}_password"
|
|
tmp_sshpubkey="user_user${i}_sshpubkey"
|
|
tmp_sudo="user_user${i}_privileges_sudo"
|
|
tmp_restricted="user_user${i}_privileges_restricted"
|
|
|
|
var_username="${!tmp_username}"
|
|
var_fullname="${!tmp_fullname}"
|
|
var_uid="${!tmp_uid}"
|
|
var_gid="${!tmp_gid}"
|
|
var_shell="${!tmp_shell}"
|
|
var_password="${!tmp_password}"
|
|
var_sshpubkey="${!tmp_sshpubkey}"
|
|
var_sudo="${!tmp_sudo}"
|
|
var_restricted="${!tmp_restricted}"
|
|
|
|
do_in_target "${TARGET}" getent group "${var_username}" >/dev/null || \
|
|
do_in_target "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
|
|
|
|
if [[ "${var_restricted}" == "false" ]]; then
|
|
|
|
do_in_target "${TARGET}" useradd \
|
|
--comment "${var_fullname}" \
|
|
--create-home \
|
|
--expiredate 2102-12-31 \
|
|
--gid "${var_gid}" \
|
|
--home-dir /home/"${var_username}" \
|
|
--inactive 0 \
|
|
--shell "${var_shell}" \
|
|
--uid "${var_uid}" \
|
|
"${var_username}"
|
|
|
|
else
|
|
|
|
do_in_target "${TARGET}" useradd \
|
|
--comment "${var_fullname}" \
|
|
--expiredate 2102-12-31 \
|
|
--gid "${var_gid}" \
|
|
--home-dir /home/"${var_username}" \
|
|
--inactive 0 \
|
|
--no-create-home \
|
|
--shell "${var_shell}" \
|
|
--uid "${var_uid}" \
|
|
"${var_username}"
|
|
|
|
fi
|
|
|
|
var_chpasswd="${var_username}:${var_password}"
|
|
do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
|
|
var_chpasswd=""
|
|
|
|
if [[ "${var_sudo}" == "true" ]]; then
|
|
do_in_target "${TARGET}" usermod -aG sudo "${var_username}"
|
|
fi
|
|
|
|
if [[ -n "${var_sshpubkey}" ]]; then
|
|
var_sshdir="${TARGET}/home/${var_username}/.ssh"
|
|
install -d -m 0700 -o "${var_username}" -g "${var_username}" "${var_sshdir}"
|
|
install -m 0600 -o "${var_username}" -g "${var_username}" /dev/null "${var_sshdir}/authorized_keys"
|
|
grep -qxF "${var_sshpubkey}" "${var_sshdir}/authorized_keys" || \
|
|
printf "%s\n" "${var_sshpubkey}" >> "${var_sshdir}/authorized_keys"
|
|
fi
|
|
|
|
do_log "info" "file_only" "Created user: [${var_username}] UID: [${var_uid}], GID: [${var_gid}]"
|
|
|
|
done
|
|
|
|
return 0
|
|
}
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|