msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
cccd2f09a8b95a7e238b0d8dfe47aa9d0a1cd1289764efd4f0fffac600f92fac
CISS.debian.live.builder/config/hooks/live/9991_file_permissions.chroot
Marc S. Weidner ae0bd5f3e9
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m6s
Details
V8.13.384.2025.11.06 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-06 23:04:22 +01:00

116 lines
3.5 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
chmod 0644 /etc/banner
chmod 0644 /etc/issue
chmod 0644 /etc/issue.net
if [[ -f /etc/motd ]]; then
cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
chmod 0644 /root/.ciss/cdlb/backup/motd.bak
rm /etc/motd
fi
touch /etc/motd
cat << EOF >| /etc/motd
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2018 - 2025
Centurion Intelligence Consulting Agency (tm)
https://coresecret.eu/
Please consider making a donation:
https://coresecret.eu/spenden/
EOF
cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak
sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
sed -i 's/UMASK 022/UMASK 077/' /etc/login.defs
sed -i 's/PASS_MAX_DAYS 99999/PASS_MAX_DAYS 16384/' /etc/login.defs
sed -i 's/PASS_MIN_DAYS 0/PASS_MIN_DAYS 1/' /etc/login.defs
sed -i 's/PASS_WARN_AGE 7/PASS_WARN_AGE 128/' /etc/login.defs
sed -i 's/ENCRYPT_METHOD SHA512/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
sed -i 's/#SHA_CRYPT_MIN_ROUNDS 5000/SHA_CRYPT_MIN_ROUNDS 8388608/' /etc/login.defs
sed -i 's/#SHA_CRYPT_MAX_ROUNDS 5000/SHA_CRYPT_MAX_ROUNDS 8388608/' /etc/login.defs
sed -i 's/#YESCRYPT_COST_FACTOR 5/YESCRYPT_COST_FACTOR 8/' /etc/login.defs
if [[ -f /etc/cron.deny ]]; then
rm /etc/cron.deny
fi
if [[ -f /etc/cron.allow ]]; then
cp -u /etc/cron.allow /root/.backup/cron.allow.bak
chmod 0644 /root/.backup/cron.allow.bak
chmod 0600 /etc/cron.allow
cat << EOF >| /etc/cron.allow
root
EOF
else
touch /etc/cron.allow
chmod 0600 /etc/cron.allow
cat << EOF >| /etc/cron.allow
root
EOF
fi
chmod g-wx,o-rwx /etc/cron.allow
chown root:root /etc/cron.allow
chmod 0640 /etc/shadow
chown root:shadow /etc/shadow
chmod 0700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
chmod 0700 /etc/sudoers.d
chmod 0600 /etc/crontab
chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
chmod 0750 /home
if chmod 0750 /var/spool/apt-mirror; then :; fi
mkdir /root/.ansible
declare bin
declare target
for bin in as gcc g++ cc clang; do
target=$(readlink -f "/usr/bin/${bin}") || {
printf "\e[92m✅ Info: '%s' not found, skipping. \e[0m\n" "${bin}"
continue
}
chmod 700 "${target}" || {
printf "\e[92m❌ Error: chmod failed for '%s', skipping. \e[0m\n" "${bin}"
}
done
unset bin target
### Directories: 0700
find /root -type d -exec chmod 0700 {} +
### Executable files: 0700 (any x-bit set)
find /root -type f -perm /111 -exec chmod 0700 {} +
### Non-executable files: 0600
find /root -type f ! -perm /111 -exec chmod 0600 {} +
### Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
find /root -xdev -exec chown -h root:root {} +
rm -f /etc/tmpfiles.d/legacy.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink