From f368d8f3ef6c86912f05743840078a10bfe6eb9d Mon Sep 17 00:00:00 2001 From: user1 Date: Thu, 6 Apr 2023 14:59:19 +0200 Subject: [PATCH] =?UTF-8?q?Setze=20die=20die=20UIDs=20und=20GIDs=20standar?= =?UTF-8?q?tm=C3=A4ssig=20auf=202000=20bei=20der=20erstellung=20von=20neue?= =?UTF-8?q?n=20Benutzern=20und=20Gruppen?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- arch-graphical-install-auto.sh | 16 +- arch-install.sh | 4 +- configs/login.defs | 272 +++++++++++++++++++++++++++++++++ scripts/aurinstall.sh | 4 +- scripts/aurupdater.sh | 4 +- scripts/startup-script.sh | 4 +- 6 files changed, 290 insertions(+), 14 deletions(-) create mode 100644 configs/login.defs diff --git a/arch-graphical-install-auto.sh b/arch-graphical-install-auto.sh index 8ea872d..a47a919 100755 --- a/arch-graphical-install-auto.sh +++ b/arch-graphical-install-auto.sh @@ -34,8 +34,8 @@ do shift done -if cat /etc/passwd | grep "x:2000" > /dev/null; then - tempuser=$(cat /etc/passwd | grep "x:2000" | awk '{print $1}') +if cat /etc/passwd | grep "x:1000" > /dev/null; then + tempuser=$(cat /etc/passwd | grep "x:1000" | awk '{print $1}') user=${tempuser%%:*} #else # user=$(whoami) @@ -106,7 +106,7 @@ function standartinstallation() { function addusers() { # Erstelle Gruppen - groupid=2000 + groupid=1000 for wort in master users wheel audio input power storage video sys optical adm lp scanner sddm kvm fuse autologin network wireshark docker libvirt libvirtdbus; do if ! cat /etc/group | grep ${wort}; then while cat /etc/group | grep ${groupid}; do @@ -116,7 +116,7 @@ function addusers() { fi done - useruid=2000 + useruid=1000 while cat /etc/passwd | grep ${useruid}; do useruid=$((${useruid} + 1)) done @@ -257,7 +257,7 @@ pacmanconf if [ "$1" == "adduser" ]; then user="$2" userpass="$3" - if cat /etc/passwd | grep "x:2000" > /dev/null; then + if cat /etc/passwd | grep "x:1000" > /dev/null; then echo "${user} existiert bereits!!!" else addusers @@ -292,8 +292,12 @@ echo "root:root" | chpasswd echo "Lege $SUDOERS neu an!!!" echo "root ALL=(ALL) NOPASSWD: ALL" > $SUDOERS - echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> $SUDOERS +echo "%master ALL=(ALL) NOPASSWD: ALL" >> $SUDOERS + +# Setze die die UIDs und GIDs standartmässig auf 2000 bei der erstellung von neuen Benutzern und Gruppen +sed -i 's/UID_MIN=.*$/UID_MIN=2000/' /etc/login.defs +sed -i 's/GID_MIN=.*$/GID_MIN=2000/' /etc/login.defs # systemaktualisierung diff --git a/arch-install.sh b/arch-install.sh index 41b59ec..f4d1fd9 100755 --- a/arch-install.sh +++ b/arch-install.sh @@ -11,8 +11,8 @@ repo1=shell-scripte-code cache=/var/cache/pacman/pkg/ repo_url="https://git.spectreos.de/simono41/SpectreOS/raw/master/repo.sh" -if cat /etc/passwd | grep "x:2000" > /dev/null; then - tempuser=$(cat /etc/passwd | grep "x:2000" | awk '{print $1}') +if cat /etc/passwd | grep "x:1000" > /dev/null; then + tempuser=$(cat /etc/passwd | grep "x:1000" | awk '{print $1}') user=${tempuser%%:*} else user=$(whoami) diff --git a/configs/login.defs b/configs/login.defs new file mode 100644 index 0000000..ea84125 --- /dev/null +++ b/configs/login.defs @@ -0,0 +1,272 @@ +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# +# $Id$ +# +# NOTE: This file is adapted for the use on Arch Linux! +# Unsupported options due to the use of util-linux or PAM are removed. + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +FAIL_DELAY 3 + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +LOG_UNKFAIL_ENAB no + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. +# +#LASTLOG_UID_MAX + +# +# If defined, ":" delimited list of "message of the day" files to +# be displayed upon login. +# +MOTD_FILE +#MOTD_FILE /etc/motd:/usr/lib/news/news-motd + +# +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin +ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. +# +TTYGROUP tty +TTYPERM 0600 + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 077 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +#HOME_MODE 0700 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd(8) +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 500 +SYS_UID_MAX 999 +# Extra per user uids +SUB_UID_MIN 100000 +SUB_UID_MAX 600100000 +SUB_UID_COUNT 65536 + +# +# Min/max values for automatic gid selection in groupadd(8) +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 500 +SYS_GID_MAX 999 +# Extra per user group ids +SUB_GID_MIN 100000 +SUB_GID_MAX 600100000 +SUB_GID_COUNT 65536 + +# +# Max number of login(1) retries if password is bad +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login(1) +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn(1) - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Only works if compiled with ENCRYPTMETHOD_SELECT defined: +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +# +# Note: If you use PAM, it is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD SHA512 + +# +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. +# +# If not specified, the libc will choose the default number of rounds (5000), +# which is orders of magnitude too low for modern hardware. +# The values must be within the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 + +# +# Only works if ENCRYPT_METHOD is set to BCRYPT. +# +# Define the number of BCRYPT rounds. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. +# +# If not specified, 13 rounds will be attempted. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +#BCRYPT_MIN_ROUNDS 13 +#BCRYPT_MAX_ROUNDS 13 + +# +# Only works if ENCRYPT_METHOD is set to YESCRYPT. +# +# Define the YESCRYPT cost factor. +# With a higher cost factor, it is more difficult to brute-force the password. +# However, more CPU time and more memory will be needed to authenticate users +# if this value is increased. +# +# If not specified, a cost factor of 5 will be used. +# The value must be within the 1-11 range. +# +#YESCRYPT_COST_FACTOR 5 + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# The pwck(8) utility emits a warning for any system account with a home +# directory that does not exist. Some system accounts intentionally do +# not have a home directory. Such accounts may have this string as +# their home directory in /etc/passwd to avoid a spurious warning. +# +NONEXISTENT /nonexistent + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# Enable setting of the umask group bits to be the same as owner bits +# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is +# the same as gid, and username is the same as the primary group name. +# +# This also enables userdel(8) to remove user groups if no members exist. +# +USERGROUPS_ENAB yes + +# +# If set to a non-zero number, the shadow utilities will make sure that +# groups never have more than this number of users on one line. +# This permits to support split groups (groups split into multiple lines, +# with the same group ID, to avoid limitation of the line length in the +# group file). +# +# 0 is the default value and disables this feature. +# +#MAX_MEMBERS_PER_GROUP 0 + +# +# If useradd(8) should create home directories for users by default (non +# system users only). +# This option is overridden with the -M or -m flags on the useradd(8) +# command-line. +# +#CREATE_HOME yes + +# +# Force use shadow, even if shadow passwd & shadow group files are +# missing. +# +#FORCE_SHADOW yes + +# +# Allow newuidmap and newgidmap when running under an alternative +# primary group. +# +#GRANT_AUX_GROUP_SUBIDS yes + +# +# Select the HMAC cryptography algorithm. +# Used in pam_timestamp module to calculate the keyed-hash message +# authentication code. +# +# Note: It is recommended to check hmac(3) to see the possible algorithms +# that are available in your system. +# +#HMAC_CRYPTO_ALGO SHA512 diff --git a/scripts/aurinstall.sh b/scripts/aurinstall.sh index 453724e..90e9233 100755 --- a/scripts/aurinstall.sh +++ b/scripts/aurinstall.sh @@ -2,8 +2,8 @@ set -x -if cat /etc/passwd | grep "x:2000" > /dev/null; then - tempuser=$(cat /etc/passwd | grep "x:2000" | awk '{print $1}') +if cat /etc/passwd | grep "x:1000" > /dev/null; then + tempuser=$(cat /etc/passwd | grep "x:1000" | awk '{print $1}') user=${tempuser%%:*} else user=$(whoami) diff --git a/scripts/aurupdater.sh b/scripts/aurupdater.sh index 6f44fd9..f2a2f4f 100755 --- a/scripts/aurupdater.sh +++ b/scripts/aurupdater.sh @@ -2,8 +2,8 @@ set -x -if cat /etc/passwd | grep "x:2000" > /dev/null; then - tempuser=$(cat /etc/passwd | grep "x:2000" | awk '{print $1}') +if cat /etc/passwd | grep "x:1000" > /dev/null; then + tempuser=$(cat /etc/passwd | grep "x:1000" | awk '{print $1}') user=${tempuser%%:*} else user=$(whoami) diff --git a/scripts/startup-script.sh b/scripts/startup-script.sh index 319bb04..acd7d14 100755 --- a/scripts/startup-script.sh +++ b/scripts/startup-script.sh @@ -6,8 +6,8 @@ cmdlineparameter=$(cat /proc/cmdline) repo=SpectreOS user=user1 -if cat /etc/passwd | grep "x:2000" > /dev/null; then - tempuser=$(cat /etc/passwd | grep "x:2000" | awk '{print $1}') +if cat /etc/passwd | grep "x:1000" > /dev/null; then + tempuser=$(cat /etc/passwd | grep "x:1000" | awk '{print $1}') user=${tempuser%%:*} #else # user=$(whoami)