Del-c.net/debian-first-boot-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor sysadmin password locking logic in setup script to conditionally lock based on the successful creation of an additional user. Improve feedback on sysadmin password status during finalization, enhancing security and user awareness.

Browse Source
This commit is contained in:
Sérgio
2025-09-21 21:57:16 +01:00
parent d37019cca9
commit 71634a1c03
1 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
setup.sh
View File

@@ -455,9 +455,18 @@ configure_security() {
log "Locking root password..." log "Locking root password..."
passwd -l root passwd -l root
# Lock sysadmin password # Lock sysadmin password only if an additional user was successfully created/configured
log "Locking sysadmin password..." if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
passwd -l "$SYSADMIN_USER" # Verify the additional user actually exists and can be used
if id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
log "Locking sysadmin password (additional user $ADDITIONAL_USER is available)..."
passwd -l "$SYSADMIN_USER"
else
warn "Additional user $ADDITIONAL_USER not properly configured - keeping sysadmin password unlocked for safety"
fi
else
warn "No additional user created - keeping sysadmin password unlocked for access"
fi
# Configure firewall if requested # Configure firewall if requested
if [[ "$USE_UFW" == "yes" ]]; then if [[ "$USE_UFW" == "yes" ]]; then
@@ -630,7 +639,13 @@ finalize_setup() {
echo -e "${YELLOW}• Root SSH login: DISABLED${NC}" echo -e "${YELLOW}• Root SSH login: DISABLED${NC}"
echo -e "${YELLOW}• Root password: LOCKED${NC}" echo -e "${YELLOW}• Root password: LOCKED${NC}"
echo -e "${YELLOW}• Sysadmin SSH login: DISABLED${NC}" echo -e "${YELLOW}• Sysadmin SSH login: DISABLED${NC}"
echo -e "${YELLOW}• Sysadmin password: LOCKED${NC}"
# Show sysadmin password status based on actual configuration
if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]] && id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
echo -e "${YELLOW}• Sysadmin password: LOCKED (additional user available)${NC}"
else
echo -e "${RED}• Sysadmin password: UNLOCKED (no additional user or failed setup)${NC}"
fi
echo -e "${YELLOW}• Main user: $SYSADMIN_USER (sudo access)${NC}" echo -e "${YELLOW}• Main user: $SYSADMIN_USER (sudo access)${NC}"
if [[ -n "$SYSADMIN_NEW_PASSWORD" ]]; then if [[ -n "$SYSADMIN_NEW_PASSWORD" ]]; then