msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V9.14.022.2026.06.11: enforce secret and cleanup safeguards

Browse Source
This commit is contained in:
André H. Zimnol
2026-06-11 05:08:01 +02:00
parent 74897d85b1
commit 9d3f283297
10 changed files with 182 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/lib_arg_parser.sh
+26 -50
View File
@@ -57,20 +57,17 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# None
# Returns:
# ERR_ARG_MSMTCH: on failure
# ERR_ARG_MSMTCH: on failure
# ERR_BUILD_PATH: on failure
# ERR_CONTROL_CT: on failure
# ERR_DROPBEAR_V: on failure
# ERR_MISS_PWD_F: on failure
# ERR_MISS_PWD_P: on failure
# ERR_NOTABSPATH: on failure
# ERR_OWNS_PWD_F: on failure
# ERR_PASS_LENGH: on failure
# ERR_PASS_PLICY: on failure
# ERR_REIONICE_P: on failure
# ERR_REIO_C_VAL: on failure
# ERR_REIO_P_VAL: on failure
# ERR_RENICE_PRI: on failure
# ERR_RGHT_PWD_F: on failure
# ERR_SECRET_PATH: on failure
# ERR_SPLASH_PNG: on failure
# ERR__SOPS__VER: on failure
# ERR__SSH__PORT: on failure
@@ -134,12 +131,9 @@ arg_parser() {
;;
--build-directory)
declare -gx VAR_HANDLER_BUILD_DIR="${2}"
if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
exit "${ERR_NOTABSPATH}"
fi
declare build_directory="${2-}"
validate_build_directory_path "${build_directory}" build_directory || exit "${ERR_BUILD_PATH}"
declare -gx VAR_HANDLER_BUILD_DIR="${build_directory}"
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/cdlb_${VAR_ISO8601}_build.log"
shift 2
;;
@@ -266,18 +260,22 @@ arg_parser() {
;;
--key_age=*)
declare age_key="${1#*=}"
validate_secret_file_in_root "${age_key}" "SOPS Age key" || exit "${ERR_SECRET_PATH}"
# shellcheck disable=SC2034
declare -gx VAR_AGE="true"
# shellcheck disable=SC2034
declare -gx VAR_AGE_KEY="${1#*=}"
declare -gx VAR_AGE_KEY="${age_key}"
shift 1
;;
--key_luks=*)
declare luks_key="${1#*=}"
validate_secret_file_in_root "${luks_key}" "LUKS key file" || exit "${ERR_SECRET_PATH}"
# shellcheck disable=SC2034
declare -gx VAR_LUKS="true"
# shellcheck disable=SC2034
declare -gx VAR_LUKS_KEY="${1#*=}"
declare -gx VAR_LUKS_KEY="${luks_key}"
shift 1
;;
@@ -473,39 +471,7 @@ arg_parser() {
fi
if [[ ! -f "${pw_file}" ]]; then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_MISS_PWD_F}"
fi
declare owner
owner=$(stat -c '%U:%G' "${pw_file}")
if [[ "${owner}" != "root:root" ]]; then
chown root:root "${pw_file}" || {
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file failed to set owner root:root on '%s'.\e[0m\n" "${pw_file}" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_OWNS_PWD_F}"
}
fi
declare perms
perms=$(stat -c '%a' "${pw_file}")
if [[ "${perms}" -ne 400 ]]; then
chmod 0400 "${pw_file}" || {
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file failed to set permissions 0400 on '%s'.\e[0m\n" "${pw_file}" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_RGHT_PWD_F}"
}
fi
validate_secret_absolute_file "${pw_file}" "root password file" || exit "${ERR_SECRET_PATH}"
declare plaintext_pw
### No tracing for security reasons ----------------------------------------------------------------------------------
@@ -558,6 +524,7 @@ arg_parser() {
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
register_secret_value "${hash_temp}"
### Turn on tracing again --------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
@@ -606,16 +573,20 @@ arg_parser() {
;;
--signing_ca=*)
declare signing_ca="${1#*=}"
validate_secret_file_in_root "${signing_ca}" "signing CA file" || exit "${ERR_SECRET_PATH}"
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_CA="${1#*=}"
declare -gx VAR_SIGNING_CA="${signing_ca}"
shift 1
;;
--signing_key=*)
declare signing_key="${1#*=}"
validate_secret_file_in_root "${signing_key}" "signing key file" || exit "${ERR_SECRET_PATH}"
# shellcheck disable=SC2034
declare -gx VAR_SIGNER="true"
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_KEY="${1#*=}"
declare -gx VAR_SIGNING_KEY="${signing_key}"
shift 1
;;
@@ -626,8 +597,10 @@ arg_parser() {
;;
--signing_key_pass=*)
declare signing_key_pass="${1#*=}"
validate_secret_file_in_root "${signing_key_pass}" "signing passphrase file" || exit "${ERR_SECRET_PATH}"
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_KEY_PASS="${1#*=}"
declare -gx VAR_SIGNING_KEY_PASS="${signing_key_pass}"
shift 1
;;
@@ -694,8 +667,11 @@ arg_parser() {
;;
--ssh-pubkey)
declare ssh_pubkey_dir="${2-}"
validate_secret_absolute_directory "${ssh_pubkey_dir}" "SSH public-key directory" || exit "${ERR_SECRET_PATH}"
validate_secret_file "${ssh_pubkey_dir}/authorized_keys" "SSH authorized_keys file" || exit "${ERR_SECRET_PATH}"
# shellcheck disable=SC2034
declare -gx VAR_SSHPUBKEY="${2}"
declare -gx VAR_SSHPUBKEY="${ssh_pubkey_dir}"
shift 2
;;