author | Luke Shumaker <lukeshu@lukeshu.com> | 2018-08-27 14:10:46 -0400 |
committer | Luke Shumaker <lukeshu@lukeshu.com> | 2018-08-27 14:10:46 -0400 |
commit | 761d91c3c2393144d5ff3173365adc7b0a485a40 (patch) | |
tree | f3c820ca67a5607565b148f2f45ab038194eaac8 | |
parent | e6703fc24249cee29d1960d446369bfc43503603 (diff) |
mgmt-users-base: Clean up, add comments, also check that passwords are required
-rw-r--r-- | config-parabola-mgmt-users-base.PKGBUILD | 43 |
1 files changed, 34 insertions, 9 deletions
diff --git a/config-parabola-mgmt-users-base.PKGBUILD b/config-parabola-mgmt-users-base.PKGBUILD
index 5059329..9237103 100644
--- a/config-parabola-mgmt-users-base.PKGBUILD
+++ b/config-parabola-mgmt-users-base.PKGBUILD
@@ -1,21 +1,46 @@
 . ${BUILDFILE%/*}/common.sh
-pkgver=20180826
+pkgver=20180827
 package() {
 preamble
 # #### users
+# `/etc/sudoers.d/00-wheel` gives sudo access to everyone in the
+# `wheel` group.
 install -d etc
 install -dm750 etc/sudoers.d
-add-file etc/sudoers.d/00-wheel <<EOF
-%wheel ALL=(ALL) ALL
-EOF
+add-file etc/sudoers.d/00-wheel <<-'EOF'
+ %wheel ALL=(ALL) ALL
+ EOF
-add-file etc/systemd/system/shadow.service.d/sort.conf <<EOF
-[Service]
-ExecStart=
-ExecStart=/bin/bash -c '/usr/bin/pwck -r && /usr/bin/pwck -s && /usr/bin/grpck -r && /usr/bin/grpck -s'
-EOF
+# The `shadow.service` has been extended to:
+#
+# - sort the files if they otherwise are ok. This makes dealing with
+# pacman updates and such easier
+# - check that all users require a password, if login is enabled
+#
+# This could have been done in very long one-liner in `ExecStart=`,
+# but at some point it became easier to just move it to a real script
+# file.
+add-file etc/systemd/system/shadow.service.d/extra.conf <<-'EOF'
+ [Service]
+ ExecStart=
+ ExecStart=/etc/systemd/system/shadow
+ EOF
+add-file -m755 etc/systemd/system/shadow <<-'EOF'
+ #!/bin/sh
+ r=0
+ set -x
+
+ # Always run all checks, but fail the service if any fail
+ # Extra: Sort the files if the integrity checks pass
+ /usr/bin/pwck -r && /usr/bin/pwck -s || r=1
+ /usr/bin/grpck -r && /usr/bin/grpck -s || r=1
+ # Extra: Check that all users require a password, if login is enabled
+ /usr/bin/grep '^[^:]*::' /etc/passwd /etc/shadow && r=1
+
+ exit $r
+ EOF
 postamble
 }
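Review bot: In the new `shadow` script the empty-password check `/usr/bin/grep '^[^:]*::' /etc/passwd /etc/shadow && r=1` only fails the service on a match, so a grep error (exit status 2, e.g. an unreadable `/etc/shadow`) is indistinguishable from "no empty password fields found" and the service still reports success. Testing for the no-match status instead closes that gap: `/usr/bin/grep '^[^:]*::' /etc/passwd /etc/shadow; [ $? -eq 1 ] || r=1`. The comment above it says the check applies "if login is enabled", but the pattern flags every empty second field regardless of the account's shell or lock state, so either reword it to `# Extra: Fail if any account has an empty password field in passwd or shadow` or add the shell check the comment describes. The `package()` function is entirely within this hunk.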