Утилиты для настройки функций безопасности ОС Linux
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

128 lines
6.5 KiB

#!/bin/bash
set -e
# detect running from git tree
if [ -f ./common.sh ] && [ -f "$0" ]
then
source common.sh
source back_pwquality.sh
else
source /usr/share/linux-infosec-setupper/common.sh
source "${SHARE_DIR_PWQUALITY}/back_pwquality.sh"
fi
PWQUALITY_FRONT=1
# Check whether we are running the script for the first time
# Since the config may be standard from the package, it may not be parsed correctly.
# We write our default config instead of the original one, so that the parsing works correctly
if ! [[ -f "${VAR_DIR_PWQUALITY}/pw_changed" ]]; then
cat "$PW_DEFAULT" > "${DESTDIR}/etc/security/pwquality.conf" || { error $"Unable to write to file %s" "${DESTDIR}/etc/security/pwquality.conf"; exit 1; }
install -D -m 444 /dev/null "${VAR_DIR_PWQUALITY}/pw_changed" || { error $"Unable to write to file %s" "${VAR_DIR_PWQUALITY}/pw_changed"; exit 1; }
fi
if [[ "$(grep "^#" "${DESTDIR}/etc/security/pwquality.conf")" ]]; then
cat "$PW_DEFAULT" > "${DESTDIR}/etc/security/pwquality.conf" || { error $"Unable to write to file %s" "${DESTDIR}/etc/security/pwquality.conf"; exit 1; }
install -D -m 444 /dev/null "${VAR_DIR_PWQUALITY}/pw_changed" || { error $"Unable to write to file %s" "${VAR_DIR_PWQUALITY}/pw_changed"; exit 1; }
fi
# In case the config was changed manually, or there were errors in it,
# we check whether everything can be parsed correctly, and if not, it outputs an error
while read -r line; do declare "$line" || { _yad_error $"Unable to parse %s correctly; execute \n%s" "${VAR_DIR_PWQUALITY}/pw_changed" "rm ${VAR_DIR_PWQUALITY}/pw_changed"; exit 1; }; done < <(_pw_parse_conf)
# For yad checkboxes, the words TRUE or FALSE are required.
# We change the following parameters 0 to FALSE and 1 to TRUE
for i in gecoscheck enforce_for_root local_users_only dictcheck usercheck enforcing; do
# The variables have the same name as the lines in the config
eval 'if [[ $'$i' == 1 ]]; then declare $i=TRUE; else declare $i=FALSE; fi' || { _yad_error $"Unable to set variable %s" "$i"; exit 1; }
done
_tag1="<span weight='bold'>"
_tag2="</span>"
set +e
var="$(yad --title="linux-infosec-setupper: pwquality" --form \
--text-align=center \
--bool-fmt=T \
--text=$"<span size='xx-large' weight='bold'>Password policies setup</span>" \
--image=gcr-key \
--scroll \
--width=800 \
--height=800 \
--button=$"Load defaults!view-refresh:3" --button=$"yad-save:0" --button=$"yad-close:1" \
--field=$"Number of characters in the new password that must not be present in the old password::LBL" "!" \
--field=$"${_tag1}Value (difok)${_tag2}:NUM" "$difok!1..9999!1" \
--field=$"Minimum acceptable size for the new password::LBL" "!" \
--field=$"${_tag1}Value (minlen)${_tag2}:NUM" "$minlen!6..9999!1" \
--field=$"The maximum credit for having digits in the new password::LBL" "!" \
--field=$"${_tag1}Value (dcredit)${_tag2}:NUM" "$dcredit!-9999..+9999!1" \
--field=$"The maximum credit for having uppercase characters in the new password::LBL" "!" \
--field=$"${_tag1}Value (ucredit)${_tag2}:NUM" "$ucredit!-9999..+9999!1" \
--field=$"The maximum credit for having lowercase characters in the new password::LBL" "!" \
--field=$"${_tag1}Value (lcredit)${_tag2}:NUM" "$lcredit!-9999..+9999!1" \
--field=$"The maximum credit for having other characters in the new password::LBL" "!" \
--field=$"${_tag1}Value (ocredit)${_tag2}:NUM" "$ocredit!-9999..+9999!1" \
--field=$"The minimum number of required classes of characters for the new password::LBL" "!" \
--field=$"${_tag1}Value (minclass)${_tag2}:NUM" "$minclass!0..9999!1" \
--field=$"The maximum number of allowed same consecutive charatcers in the new password::LBL" "!" \
--field=$"${_tag1}Value (maxrepeat)${_tag2}:NUM" "$maxrepeat!0..9999!1" \
--field=$"The maximum length of monotonic chatacter sequences in the new password::LBL" "!" \
--field=$"${_tag1}Value (maxsequence)${_tag2}:NUM" "$maxsequence!0..9999!1" \
--field=$"The maximum number of allowed consecutive characters of the same class in the new password::LBL" "!" \
--field=$"${_tag1}Value (maxclassrepeat)${_tag2}:NUM" "$maxclassrepeat!0..9999!1" \
--field=$"Check whether the password contains a substring of at least N length::LBL" "!" \
--field=$"${_tag1}Value (usersubstr)${_tag2}:NUM" "$usersubstr:0..9999:1" \
--field=$"Prompt the user at most N times before returning error::LBL" "!" \
--field=$"${_tag1}Value (retry)${_tag2}:NUM" "$retry:0..9999:1" \
--field=$"Check whether the words longer than 3 characters from the GECO field of passwd::LBL" "!" \
--field=$"Status (gecoscheck):CHK" "$gecoscheck" \
--field=$"Check whether the password matches a word in a dictionary::LBL" "!" \
--field=$"Status (dictcheck):CHK" "$dictcheck" \
--field=$"Check whether the password contains the user name in some form::LBL" "!" \
--field=$"Status (usercheck):CHK" "$usercheck" \
--field=$"Reject the password if it fails the checks::LBL" "!" \
--field=$"Status (enforcing):CHK" "$enforcing" \
--field=$"Return error on failed check even if the user changing the password is root::LBL" "!" \
--field=$"Status (enforce_for_root):CHK" "$enforce_for_root" \
--field=$"Not test the password quality for users that are not present in /etc/passwd::LBL" "!" \
--field=$"Status (local_users_only):CHK" "$local_users_only")"
_status="$?"
set -e
# If we clicked on the "Load default" button, we decided to restore the settings.
# The exit code after clicking on this button is 3. We restore the config if we clicked on this button
if [ "$_status" == 3 ]; then
cat "$PW_DEFAULT" > "${DESTDIR}/etc/security/pwquality.conf" || { _yad_error $"Unable to write to file %s" "${DESTDIR}/etc/security/pwquality.conf"; exit 1; }
fi
# If we decide to undo the changes and not change anything, the var variable will be empty.
[ -z "$var" ] && exit 0
# The default delimiter in yad is |
var2="$(while read -rd '|' line; do
echo $line
done <<<"$var" | sed '/^$/d' | \
sed 's/TRUE/1/
;s/FALSE/0/
;1s/^/--difok /
;2s/^/--minlen /
;3s/^/--dcredit /
;4s/^/--ucredit /
;5s/^/--lcredit /
;6s/^/--ocredit /
;7s/^/--minclass /
;8s/^/--maxrepeat /
;9s/^/--maxsequence /
;10s/^/--maxclassrepeat /
;11s/^/--usersubstr /
;12s/^/--retry /
;13s/^/--gecoscheck /
;14s/^/--dictcheck /
;15s/^/--usercheck /
;16s/^/--enforcing /
;17s/^/--enforce_for_root /
;18s/^/--local_users_only /' | tr '\n' ' ')"
_mk_pwquality_conf $var2 > "${DESTDIR}/etc/security/pwquality.conf" || { _yad_error $"Unable to write to file %s" "${DESTDIR}/etc/security/pwquality.conf"; exit 1; }