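#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#
# live-build chroot hook: tighten ownership and permissions inside the image --
# login banners, /etc/motd, the /etc/login.defs password policy, the cron
# access lists, /etc/shadow, the ssh configs, /root and the installed compilers.
# Runs as root inside the chroot. -C (noclobber) means every intentional
# overwrite below must use ">|"; -e aborts the build on any unhandled failure.
set -Ceuo pipefail

# Where this hook keeps copies of the files it rewrites. The original used
# this directory for motd/login.defs but /root/.backup for cron.allow; all
# backups now go here, and the directory is created in case no earlier hook did.
readonly BACKUP_DIR=/root/.ciss/dlb/backup
readonly LOGIN_DEFS=/etc/login.defs

#######################################
# Print a warning to stderr without aborting the hook.
# Arguments: $* - message
#######################################
warn() {
  printf "\e[93m⚠️  Warning: %s \e[0m\n" "$*" >&2
}

#######################################
# Set KEY to VALUE in /etc/login.defs, uncommenting the directive if it is
# commented out, and verify that the directive now carries that value.
# The key/value separator is matched as [[:space:]]+ because the Debian file
# separates them with tabs; a literal "KEY 022" pattern silently matches
# nothing, and sed -i gives no indication that a script matched no line.
# Arguments: $1 - directive name (plain [A-Z_] token, used verbatim in a regex)
#            $2 - new value (no '/', '&' or '\' -- used verbatim in the sed RHS)
# Outputs:   warning on stderr if the directive is not present in the file
# Returns:   always 0 (best effort, like the rest of this hook)
#######################################
set_login_def() {
  local key=$1 value=$2
  sed -ri "s/^#?(${key})[[:space:]]+[^[:space:]]+/\1 ${value}/" "${LOGIN_DEFS}"
  if ! grep -Eq "^${key}[[:space:]]+${value}([[:space:]]|$)" "${LOGIN_DEFS}"; then
    warn "'${key}' could not be set to '${value}' in ${LOGIN_DEFS} (directive not present?)"
  fi
  return 0
}

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p "${BACKUP_DIR}"

### Login banners: world-readable, owner-writable only
chmod 0644 /etc/banner /etc/issue /etc/issue.net

### /etc/motd: keep a copy of the distribution file, then replace it
if [[ -f /etc/motd ]]; then
  cp -a /etc/motd "${BACKUP_DIR}/motd.bak"
  chmod 0644 "${BACKUP_DIR}/motd.bak"
  rm /etc/motd
fi
# Quoted delimiter: the text is literal and must not be subject to expansion.
cat << 'EOF' >| /etc/motd
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2018 - 2025
Centurion Intelligence Consulting Agency (tm)
https://coresecret.eu/
Please consider making a donation:
https://coresecret.eu/spenden/
EOF
# Explicit mode rather than relying on the build shell's umask.
chmod 0644 /etc/motd

### /etc/login.defs: session timeout, umask, password ageing and hash policy
cp -a "${LOGIN_DEFS}" "${BACKUP_DIR}/login.defs.bak"
set_login_def LOGIN_TIMEOUT 180
set_login_def UMASK 077
set_login_def PASS_MAX_DAYS 16384
set_login_def PASS_MIN_DAYS 1
set_login_def PASS_WARN_AGE 128
set_login_def ENCRYPT_METHOD YESCRYPT
# SHA_CRYPT_* only take effect when ENCRYPT_METHOD is SHA256/SHA512 (see
# login.defs(5)); with YESCRYPT selected above, YESCRYPT_COST_FACTOR is the
# parameter that actually governs new password hashes.
set_login_def SHA_CRYPT_MIN_ROUNDS 8388608
set_login_def SHA_CRYPT_MAX_ROUNDS 8388608
set_login_def YESCRYPT_COST_FACTOR 8

### cron: allow-list root only. cron.deny is not consulted once cron.allow
### exists, so the deny file is simply removed.
if [[ -f /etc/cron.deny ]]; then
  rm /etc/cron.deny
fi
if [[ -f /etc/cron.allow ]]; then
  cp -u /etc/cron.allow "${BACKUP_DIR}/cron.allow.bak"
  chmod 0644 "${BACKUP_DIR}/cron.allow.bak"
fi
# Create/lock down the file before writing so it never exists world-readable.
touch /etc/cron.allow
chmod 0600 /etc/cron.allow
chown root:root /etc/cron.allow
printf 'root\n' >| /etc/cron.allow

### System files and directories
chmod 0640 /etc/shadow
chown root:shadow /etc/shadow
chmod 0700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
chmod 0700 /etc/sudoers.d
chmod 0600 /etc/crontab
# sshd_config is read by the daemon as root. ssh_config is the system-wide
# *client* configuration: ssh(1) skips /etc/ssh/ssh_config without any message
# when it cannot open it, so a 0600 mode would silently drop whatever client
# hardening it carries for every unprivileged user. It stays 0644.
chmod 0600 /etc/ssh/sshd_config
chmod 0644 /etc/ssh/ssh_config
# NOTE(review): 0750 root:root on /home denies directory traversal to any
# non-root account whose home lives under it -- TODO confirm the image has no
# such user (live-config's user setup normally creates one at boot).
chmod 0750 /home
# Optional directory: only present on images that carry an apt mirror.
if [[ -d /var/spool/apt-mirror ]]; then
  chmod 0750 /var/spool/apt-mirror
fi
# -p: the directory may already exist (re-run, or created by an earlier hook);
# a plain mkdir would fail and abort the whole build under set -e.
mkdir -p /root/.ansible

### Installed compilers/assembler: executable by root only
declare bin target
for bin in as gcc g++ cc clang; do
  # readlink -e fails when the path does not exist. The previous -f resolved a
  # missing /usr/bin/<bin> to itself with status 0, so absent tools fell
  # through to chmod and were reported as errors instead of being skipped.
  if ! target=$(readlink -e "/usr/bin/${bin}"); then
    printf "\e[92m✅ Info: '%s' not found, skipping. \e[0m\n" "${bin}"
    continue
  fi
  chmod 0700 "${target}" || {
    printf "\e[92m❌ Error: chmod failed for '%s', skipping. \e[0m\n" "${bin}"
  }
done
unset bin target

### /root tree
### Directories: 0700
find /root -type d -exec chmod 0700 {} +
### Executable files: 0700 (any x-bit set)
find /root -type f -perm /111 -exec chmod 0700 {} +
### Non-executable files: 0600
find /root -type f ! -perm /111 -exec chmod 0600 {} +
### Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
find /root -xdev -exec chown -h root:root {} +

rm -f /etc/tmpfiles.d/legacy.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh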