mirror/iopsys-feed
1
0
Fork 0
mirror of https://dev.iopsys.eu/feed/iopsys.git synced 2025-12-10 07:44:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
iopsys-feed/usermngr/files/etc/init.d/users

220 lines
5.5 KiB
Bash
Executable file
Raw Blame History

#!/bin/sh /etc/rc.common
START=11
STOP=90
USE_PROCD=1
PROG=/usr/sbin/usermngr
# List of required .so files
REQUIRED_MODULES="
/usr/lib/security/pam_faildelay.so
/usr/lib/security/pam_faillock.so
/usr/lib/security/pam_unix.so
/usr/lib/security/pam_deny.so
/usr/lib/security/pam_permit.so
/usr/lib/security/pam_passwdqc.so
"
check_required_modules() {
for mod in $REQUIRED_MODULES; do
if [ ! -f "$mod" ]; then
logger -p err -t usermngr "ERROR: Cannot setup security policy, missing PAM module: $mod"
return 1
fi
done
return 0
}
write_line() {
local filepath="$1"
local line="$2"
echo "$line" >> "$filepath"
}
compare_and_replace() {
local src dst
src="$1"
dst="$2"
if [ ! -f "$dst" ] || ! cmp -s "$src" "$dst"; then
cp "$src" "$dst"
logger -t pam_policy_setup "Updated $dst"
fi
}
update_auth() {
# Write /etc/pam.d/common-auth
local tmp_file pam_file
tmp_file="/tmp/common-auth"
pam_file="/etc/pam.d/common-auth"
local auth_enabled="${1}"
local enabled="${2}"
local faildelay="$(uci -q get users.authentication_policy.fail_delay)"
local faillock_lockout_time="$(uci -q get users.authentication_policy.faillock_lockout_time)"
local faillock_attempts="$(uci -q get users.authentication_policy.faillock_attempts)"
[ -n "$faildelay" ] || faildelay=3
[ -n "$faillock_attempts" ] || faillock_attempts=6
[ -n "$faillock_lockout_time" ] || faillock_lockout_time=300
# Convert seconds to microseconds for pam_faildelay
local faildelay_usec=$((faildelay * 1000000))
rm -f "$tmp_file"
touch "$tmp_file"
if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
write_line "$tmp_file" "auth optional pam_faildelay.so delay=$faildelay_usec"
write_line "$tmp_file" "auth required pam_faillock.so preauth deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
fi
write_line "$tmp_file" "auth sufficient pam_unix.so nullok_secure"
if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
write_line "$tmp_file" "auth [default=die] pam_faillock.so authfail audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
write_line "$tmp_file" ""
fi
write_line "$tmp_file" "auth requisite pam_deny.so"
write_line "$tmp_file" "auth required pam_permit.so"
compare_and_replace "$tmp_file" "$pam_file"
}
build_pam_passwdqc_line() {
local base="password requisite pam_passwdqc.so"
local k v line
for line in $(uci show users.passwdqc 2>/dev/null); do
case "$line" in
users.passwdqc=*) continue ;;
users.passwdqc.enabled=*) continue ;;
esac
k="${line%%=*}"
k="${k#users.passwdqc.}"
v="${line#*=}"
v="${v%\'}"
v="${v#\'}"
base="$base $k=$v"
done
echo "$base"
}
# NOTE:
# for some reason setting min 8 makes passwdqc accept minimum 12 letter password with this configuration
# if we set it to 12 then we need atleast 16 characters and so on
# passphrase = 0 means no space separated words
# passphrase = N means the number of words required for a passphrase or 0 to disable the support for user-chosen passphrases.
# rest can be figured out from passwdqc man page
update_password() {
local tmp_file pam_file enabled line
tmp_file="/tmp/common-password"
pam_file="/etc/pam.d/common-password"
local auth_enabled="${1}"
rm -f "$tmp_file"
touch "$tmp_file"
# Check if section exists
if uci -q get users.passwdqc >/dev/null 2>&1; then
# if enabled is not present it is assumed to be 0
enabled=$(uci -q get users.passwdqc.enabled || echo "0")
if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
line="$(build_pam_passwdqc_line)"
write_line "$tmp_file" "$line"
fi
fi
write_line "$tmp_file" "password [success=1 default=ignore] pam_unix.so obscure sha512"
write_line "$tmp_file" ""
write_line "$tmp_file" "password requisite pam_deny.so"
write_line "$tmp_file" "password required pam_permit.so"
compare_and_replace "$tmp_file" "$pam_file"
}
update_account() {
# Write /etc/pam.d/common-account
local tmp_file pam_file
tmp_file="/tmp/common-account"
pam_file="/etc/pam.d/common-account"
local auth_enabled="${1}"
local enabled="${2}"
rm -f "$tmp_file"
touch "$tmp_file"
if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
write_line "$tmp_file" "account required pam_faillock.so"
fi
write_line "$tmp_file" "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so"
write_line "$tmp_file" ""
write_line "$tmp_file" "account requisite pam_deny.so"
write_line "$tmp_file" "account required pam_permit.so"
compare_and_replace "$tmp_file" "$pam_file"
}
handle_security_policy() {
local auth_enabled enabled
# Read UCI values
auth_enabled="$(uci -q get users.users.auth_policy_enable || echo 0)"
enabled="$(uci -q get users.authentication_policy.enabled || echo 0)"
# if any .so files are missing, then we cannot setup security
if ! check_required_modules; then
return
fi
update_auth "${auth_enabled}" "${enabled}"
update_account "${auth_enabled}" "${enabled}"
update_password "${auth_enabled}"
}
start_service() {
local loglevel
loglevel="$(uci -q get users.users.loglevel)"
handle_security_policy
procd_open_instance usermngr
procd_set_param command $PROG
if [ -n "${loglevel}" ]; then
procd_append_param command -l "${loglevel}"
fi
procd_set_param respawn
procd_close_instance
}
reload_service() {
ret=$(ubus call service list '{"name":"users"}' | jsonfilter -qe '@.users.instances.usermngr.running')
if [ "$ret" != "true" ]; then
stop
start
else
handle_security_policy
ubus send usermngr.reload
fi
return 0
}
service_triggers()
{
procd_add_reload_trigger "users"
}
Reference in a new issue View git blame Copy permalink