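#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#######################################
# Updates the Live ISO build tree so that local console access on the
# live system requires the root password instead of an auto-login.
#
# All files are staged below ${VAR_HANDLER_BUILD_DIR}/config/includes.chroot
# and end up in the live root filesystem:
#   - live-config drop-ins: disable autologin, enable the 'root-password'
#     component and hand it the password hash
#   - a getty@tty1 override, /etc/securetty for tty1-tty6
#   - copies of the build host's agetty and a stub that bypasses
#     live-config's getty generator
#
# Globals:
#   VAR_HANDLER_BUILD_DIR (read) - root of the live-build working tree
#   VAR_HASHED_PWD        (read) - hashed root password (crypt(3)-style,
#                                  presumably); empty/unset disables the hook
# Arguments:
#   None
# Outputs:
#   Progress messages on stdout, warnings on stderr.
# Returns:
#   0 on success or when no root password is desired.
#   1 when VAR_HANDLER_BUILD_DIR is empty (refuses to write to /config/...
#     on the build host).
#######################################
hardening_root_pw() {
  if [[ -z ${VAR_HASHED_PWD} ]]; then
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… No Root Password for Console set, skipping root password hook.\e[0m\n"
    # sleep 1
    return 0
  fi

  # With an empty build dir every path below would resolve to /config/... on
  # the build host; refuse rather than litter the host filesystem.
  if [[ -z ${VAR_HANDLER_BUILD_DIR} ]]; then
    printf 'hardening_root_pw: VAR_HANDLER_BUILD_DIR is not set, aborting.\n' >&2
    return 1
  fi

  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Setup Root Password for Console ... \e[0m\n"
  # sleep 1

  local chroot_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
  local cfg_dir="${chroot_dir}/etc/live"
  local cfg_file="${cfg_dir}/config.conf"
  local dropin_dir="${cfg_dir}/config.conf.d"
  local dropin_file="${dropin_dir}/20-root-password.conf"
  local pwd_file="${chroot_dir}/root/.pwd"
  local getty_dropin_dir="${chroot_dir}/etc/systemd/system/getty@tty1.service.d"
  local generator_dir="${chroot_dir}/usr/lib/systemd/system-generators"
  local generator="${generator_dir}/live-config-getty-generator"

  mkdir -p "${dropin_dir}"

  # live-config drop-in: no automatic login of the live user on the console.
  cat << 'EOF' >| "${dropin_dir}/10-disable-autologin.conf"
live-config.noautologin
EOF

  # Append the 'root-password' component to LIVE_CONFIGS="..." unless it is
  # already listed. sed is a silent no-op when the file has no such line, so
  # the result is verified instead of trusted.
  if [[ ! -f "${cfg_file}" ]]; then
    printf 'hardening_root_pw: %s not found, LIVE_CONFIGS not updated.\n' "${cfg_file}" >&2
  elif ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then
    sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
    if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then
      printf 'hardening_root_pw: no LIVE_CONFIGS="..." line in %s, root-password component not enabled.\n' "${cfg_file}" >&2
    fi
  fi

  # Embedded double quotes would break the key=value line; strip them.
  local clean_hash="${VAR_HASHED_PWD//\"/}"
  printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
  # The hash is secret material: root-only. chown requires the build to run
  # as root; otherwise it fails (and aborts the caller under set -e, if any).
  chmod 0600 "${dropin_file}"
  chown root:root "${dropin_file}"

  # Second copy of the hash in root's home of the live system.
  # NOTE(review): nothing in this function reads it — confirm a consumer
  # exists, otherwise drop it to keep a single copy of the secret.
  mkdir -p "${chroot_dir}/root"
  printf '%s\n' "${clean_hash}" >| "${pwd_file}"
  chmod 0600 "${pwd_file}"
  chown root:root "${pwd_file}"

  # getty@tty1 override: the empty ExecStart= clears the inherited command,
  # then a bare 'agetty' is started (systemd resolves it via its own search
  # path; the agetty copies below presumably exist for that lookup — confirm).
  mkdir -p "${getty_dropin_dir}"
  cat << 'EOF' >| "${getty_dropin_dir}/override.conf"
[Service]
ExecStart=
#ExecStart=-/usr/sbin/agetty --noclear %I $TERM
ExecStart=-agetty --noclear %I $TERM
EOF

  # Consoles on which root may log in.
  mkdir -p "${chroot_dir}/etc"
  cat << 'EOF' >| "${chroot_dir}/etc/securetty"
tty1
tty2
tty3
tty4
tty5
tty6
EOF

  # Copies the BUILD HOST's agetty into the image at three locations.
  # NOTE(review): this is the host binary, not the target package's; confirm
  # it matches the target's libc/version before relying on it.
  local agetty_dir
  for agetty_dir in usr/sbin usr/bin sbin; do
    mkdir -p "${chroot_dir}/${agetty_dir}"
    cp -af /usr/sbin/agetty "${chroot_dir}/${agetty_dir}/agetty"
  done

  ### Hotfix I
  # Stub out live-config's getty generator so it cannot undo the override.
  mkdir -p "${generator_dir}"
  cat << 'EOF' >| "${generator}"
#!/bin/sh
# bypass live-config-getty-generator
exit 0
EOF
  chmod +x "${generator}"

  ### Hotfix II (superseded by Hotfix I; note it used a different variable name)
  #mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
  #touch "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
  #chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"

  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Setup Root Password for Console done. \e[0m\n"
  # sleep 1
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh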