| -rw-r--r-- | files/group | 65 | ||||
| -rw-r--r-- | files/gshadow | 65 | ||||
| -rw-r--r-- | files/passwd | 37 | ||||
| -rw-r--r-- | files/shadow | 37 | ||||
| -rwxr-xr-x | hooks/build-os-post/10-test-preseed-ips | 16 | ||||
| -rwxr-xr-x | hooks/build-os/05-preseed-ids | 7 | ||||
| -rwxr-xr-x | hooks/build-os/70-system-config | 3 |
7 files changed, 227 insertions, 3 deletions
diff --git a/files/group b/files/group
new file mode 100644
index 0000000..c667402
--- /dev/null
+++ b/files/group
@@ -0,0 +1,65 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+systemd-journal:x:999:
+systemd-network:x:998:
+crontab:x:997:
+input:x:996:
+sgx:x:995:
+clock:x:994:
+kvm:x:993:
+render:x:992:
+netdev:x:101:
+messagebus:x:991:
+scanner:x:102:saned
+tss:x:103:
+ssl-cert:x:104:
+_ssh:x:105:
+lpadmin:x:106:
+bluetooth:x:107:
+avahi:x:108:
+_flatpak:x:109:
+fwupd-refresh:x:989:
+pipewire:x:110:
+saned:x:111:
+geoclue:x:112:
+gnome-remote-desktop:x:988:
+polkitd:x:987:
+rtkit:x:113:
+colord:x:114:
+Debian-gdm:x:115:
diff --git a/files/gshadow b/files/gshadow
new file mode 100644
index 0000000..62aedde
--- /dev/null
+++ b/files/gshadow
@@ -0,0 +1,65 @@
+root:*::
+daemon:*::
+bin:*::
+sys:*::
+adm:*::
+tty:*::
+disk:*::
+lp:*::
+mail:*::
+news:*::
+uucp:*::
+man:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::
+dip:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+shadow:*::
+utmp:*::
+video:*::
+sasl:*::
+plugdev:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+systemd-journal:!*::
+systemd-network:!*::
+crontab:!*::
+input:!*::
+sgx:!*::
+clock:!*::
+kvm:!*::
+render:!*::
+netdev:!::
+messagebus:!*::
+scanner:!::saned
+tss:!::
+ssl-cert:!::
+_ssh:!::
+lpadmin:!::
+bluetooth:!::
+avahi:!::
+_flatpak:!::
+fwupd-refresh:!*::
+pipewire:!::
+saned:!::
+geoclue:!::
+gnome-remote-desktop:!*::
+polkitd:!*::
+rtkit:!::
+colord:!::
+Debian-gdm:!::
diff --git a/files/passwd b/files/passwd
new file mode 100644
index 0000000..14f048b
--- /dev/null
+++ b/files/passwd
@@ -0,0 +1,37 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+dhcpcd:x:100:65534:DHCP Client Daemon:/usr/lib/dhcpcd:/bin/false
+messagebus:x:991:991:System Message Bus:/nonexistent:/usr/sbin/nologin
+tss:x:101:103:TPM software stack:/var/lib/tpm:/bin/false
+avahi:x:102:108:Avahi mDNS daemon:/run/avahi-daemon:/usr/sbin/nologin
+cups-pk-helper:x:103:106:user for cups-pk-helper service:/nonexistent:/usr/sbin/nologin
+sshd:x:990:65534:sshd user:/run/sshd:/usr/sbin/nologin
+dnsmasq:x:999:65534:dnsmasq:/var/lib/misc:/usr/sbin/nologin
+_flatpak:x:104:109:Flatpak system-wide installation helper:/nonexistent:/usr/sbin/nologin
+speech-dispatcher:x:105:29:Speech Dispatcher:/run/speech-dispatcher:/bin/false
+usbmux:x:106:46:usbmux daemon:/var/lib/usbmux:/usr/sbin/nologin
+fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
+saned:x:107:111::/var/lib/saned:/usr/sbin/nologin
+geoclue:x:108:112::/var/lib/geoclue:/usr/sbin/nologin
+gnome-remote-desktop:x:988:988:GNOME Remote Desktop:/var/lib/gnome-remote-desktop:/usr/sbin/nologin
+polkitd:x:987:987:User for polkitd:/:/usr/sbin/nologin
+rtkit:x:109:113:RealtimeKit:/proc:/usr/sbin/nologin
+colord:x:110:114:colord colour management daemon:/var/lib/colord:/usr/sbin/nologin
+Debian-gdm:x:111:115:Gnome Display Manager:/var/lib/gdm3:/bin/false
diff --git a/files/shadow b/files/shadow
new file mode 100644
index 0000000..75ce583
--- /dev/null
+++ b/files/shadow
@@ -0,0 +1,37 @@
+root:$y$j9T$pl58a8E6zphc8hdTaQnNj0$ob6Ny4lMEJpnuRo094Q9MaVpfmWH.29y7V7ccuszxz/:20569:0:99999:7:::
+daemon:*:20569:0:99999:7:::
+bin:*:20569:0:99999:7:::
+sys:*:20569:0:99999:7:::
+sync:*:20569:0:99999:7:::
+games:*:20569:0:99999:7:::
+man:*:20569:0:99999:7:::
+lp:*:20569:0:99999:7:::
+mail:*:20569:0:99999:7:::
+news:*:20569:0:99999:7:::
+uucp:*:20569:0:99999:7:::
+proxy:*:20569:0:99999:7:::
+www-data:*:20569:0:99999:7:::
+backup:*:20569:0:99999:7:::
+list:*:20569:0:99999:7:::
+irc:*:20569:0:99999:7:::
+_apt:*:20569:0:99999:7:::
+nobody:*:20569:0:99999:7:::
+systemd-network:!*:20569:::::1:
+dhcpcd:!:20569::::::
+messagebus:!*:20569::::::
+tss:!:20569::::::
+avahi:!:20569::::::
+cups-pk-helper:!:20569::::::
+sshd:!*:20569::::::
+dnsmasq:!:20569::::::
+_flatpak:!:20569::::::
+speech-dispatcher:!:20569::::::
+usbmux:!:20569::::::
+fwupd-refresh:!*:20569::::::
+saned:!:20569::::::
+geoclue:!:20569::::::
+gnome-remote-desktop:!*:20569::::::
+polkitd:!*:20569::::::
+rtkit:!:20569::::::
+colord:!:20569::::::
+Debian-gdm:!:20569::::::
diff --git a/hooks/build-os-post/10-test-preseed-ips b/hooks/build-os-post/10-test-preseed-ips
new file mode 100755
index 0000000..8973f7d
--- /dev/null
+++ b/hooks/build-os-post/10-test-preseed-ips
@@ -0,0 +1,16 @@
+#!/bin/bash -xe
+set -o pipefail
+
+# test preseed uid / gids:
+DBS_CHANGED=0
+for f in group gshadow passwd shadow; do
+ echo "Checking $f"
+ if ! diff -Naur files/"$f" "${root:?}"/etc/"$f"; then
+ DBS_CHANGED="$(( $DBS_CHANGED + 1 ))"
+ fi
+done
+
+if [ "$DBS_CHANGED" -gt 0 ]; then
+ echo "Error: user and/or group databases changed" 1>&2
+ exit 1
+fi
diff --git a/hooks/build-os/05-preseed-ids b/hooks/build-os/05-preseed-ids
new file mode 100755
index 0000000..c472849
--- /dev/null
+++ b/hooks/build-os/05-preseed-ids
@@ -0,0 +1,7 @@
+#!/bin/bash -xe
+set -o pipefail
+
+# preseed uid / gids:
+for f in group gshadow passwd shadow; do
+ cat files/"$f" > "${root:?}"/etc/"$f"
+done
diff --git a/hooks/build-os/70-system-config b/hooks/build-os/70-system-config
index 38b6f68..ca17bd3 100755
--- a/hooks/build-os/70-system-config
+++ b/hooks/build-os/70-system-config
@@ -1,9 +1,6 @@
 #!/bin/bash -xe
 set -o pipefail
 
-## Set a root password
-echo "root:reznor" | chroot "${root:?}" chpasswd
-
 ## add a default regular user with systemd-homed on firstboot
 mkdir -p "${root:?}"/usr/lib/credstore
 cat > "${root:?}"/usr/lib/credstore/home.create.trent << EOF |
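Review bot: The `root:` line of files/shadow carries a fixed yescrypt hash, so every image built from this repository shares one root password and the hash together with its salt sits in version control, where it can be attacked offline at leisure; every other account in the file is locked with `*` or `!`. This replaces the literal `root:reznor` that the commit removes from hooks/build-os/70-system-config, but a hash in git is still a single shared credential. Lock root in the preseed, `root:*:20569:0:99999:7:::`, and set a per-build password later from a build-time secret (for example via `chpasswd -e` in a later hook), or rely on the systemd-homed user that 70-system-config creates. If a later build-os hook does set the password, hooks/build-os-post/10-test-preseed-ips will then report shadow as changed, so that check would have to exclude the root line.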
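Review bot: On a mismatch, `if ! diff -Naur files/"$f" "${root:?}"/etc/"$f"; then` prints both versions of shadow and gshadow in full, so password hashes end up in the build log of whatever CI runs this hook. Compare silently and report only the file name, `if ! cmp -s files/"$f" "${root:?}"/etc/"$f"; then echo "$f differs from preseed" 1>&2`, and keep the full diff for group and passwd only, if it is wanted at all. As a point of style, `DBS_CHANGED="$(( $DBS_CHANGED + 1 ))"` can be written `DBS_CHANGED=$((DBS_CHANGED + 1))`, since arithmetic expansion reads variables by name and its result needs no quoting.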
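Review bot: `cat files/"$f" > "${root:?}"/etc/"$f"` only replaces file content, so the ownership and mode of the target are whatever the base install left, and if a target is missing the file is created with the host umask, which would leave shadow or gshadow world-readable. Write the four files with `install` and explicit owner, group and mode instead; the group id for shadow comes from files/group (`shadow:x:42:`), which is what the image will see once this hook has run. Whether the base image always has these four files in place before this hook runs is not visible here, so the explicit modes remove that dependency either way.
```shell
# … unchanged: shebang, set -o pipefail …
# preseed uid / gids with explicit ownership and modes (gid 42 = shadow in files/group)
install -o 0 -g 0  -m 0644 files/group   "${root:?}"/etc/group
install -o 0 -g 0  -m 0644 files/passwd  "${root:?}"/etc/passwd
install -o 0 -g 42 -m 0640 files/gshadow "${root:?}"/etc/gshadow
install -o 0 -g 42 -m 0640 files/shadow  "${root:?}"/etc/shadow
```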
