commit 366c97fdf9589c777785ea769380e84b0da9e833 Author: openKylinBot Date: Sat May 14 03:14:23 2022 +0800 Import Upstream version 1.63 diff --git a/finish-install.d/06user-setup b/finish-install.d/06user-setup new file mode 100755 index 0000000..592eed6 --- /dev/null +++ b/finish-install.d/06user-setup @@ -0,0 +1,3 @@ +#! /bin/sh +set -e +user-setup-apply /target diff --git a/functions.sh b/functions.sh new file mode 100644 index 0000000..4c2c1b8 --- /dev/null +++ b/functions.sh @@ -0,0 +1,67 @@ +# Returns a true value if there seems to be a system user account. +# OVERRIDE_SYSTEM_USER overrides this to assume that no system user account +# exists. +is_system_user () { + if [ "$OVERRIDE_SYSTEM_USER" ]; then + return 1 + fi + + if ! [ -e $ROOT/etc/passwd ]; then + return 1 + fi + + # Assume NIS, or any uid from 1000 to 59999, means there is a user. + if grep -q '^+:' $ROOT/etc/passwd || \ + grep -q '^[^:]*:[^:]*:[1-9][0-9][0-9][0-9]:' $ROOT/etc/passwd || \ + grep -q '^[^:]*:[^:]*:[1-5][0-9][0-9][0-9][0-9]:' $ROOT/etc/passwd; then + return 0 + else + return 1 + fi +} + +# Returns a true value if root already has a password. +root_password () { + if ! [ -e $ROOT/etc/passwd ]; then + return 1 + fi + + # Assume there is a root password if NIS is being used. + if grep -q '^+:' $ROOT/etc/passwd; then + return 0 + fi + + # Be more careful than usual about test arguments in the following, + # just in case (for example) the encrypted password string is "!". + + if [ -e $ROOT/etc/shadow ] && \ + [ -n "`grep ^root: $ROOT/etc/shadow | cut -d : -f 2`" ] && \ + [ "x`grep ^root: $ROOT/etc/shadow | cut -d : -f 2`" != 'x*' ] && \ + [ "x`grep ^root: $ROOT/etc/shadow | cut -d : -f 2`" != 'x!' ]; then + return 0 + fi + + if [ -e $ROOT/etc/passwd ] && \ + [ -n "`grep ^root: $ROOT/etc/passwd | cut -d : -f 2`" ] && \ + [ "x`grep ^root: $ROOT/etc/passwd | cut -d : -f 2`" != 'xx' ]; then + return 0 + fi + + return 1 +} + +password_is_empty () { + db_get user-setup/allow-password-empty + if [ "$RET" = true ]; then + return 1 # don't consider this as empty if explicitly allowed + fi + [ -z "$1" ] +} + +password_is_weak () { + db_get user-setup/allow-password-weak + if [ "$RET" = true ]; then + return 1 # don't consider this as weak if explicitly allowed + fi + [ "$(printf %s "$1" | wc -c)" -lt 8 ] +} diff --git a/pre-pkgsel.d/10kdesudo b/pre-pkgsel.d/10kdesudo new file mode 100755 index 0000000..b222a5f --- /dev/null +++ b/pre-pkgsel.d/10kdesudo @@ -0,0 +1,10 @@ +#! /bin/sh +set -e + +. /usr/share/debconf/confmodule + +if db_get passwd/root-login && [ "$RET" = false ] && \ + db_get tasksel/desktop && [ "$RET" = kde ]; then + echo "kdesudo kdesudo/kdesu boolean true" | \ + LANG=C chroot /target debconf-set-selections +fi diff --git a/reserved-usernames b/reserved-usernames new file mode 100644 index 0000000..2b6ba2a --- /dev/null +++ b/reserved-usernames @@ -0,0 +1,107 @@ +# Static users from base-passwd/passwd.master (3.5.11). +root +daemon +bin +sys +sync +games +man +lp +mail +news +uucp +proxy +www-data +backup +list +irc +gnats +nobody + +# Other static groups from base-passwd/group.master (3.5.11). +adm +tty +disk +kmem +dialout +fax +voice +cdrom +floppy +tape +sudo +audio +dip +operator +src +shadow +utmp +video +sasl +plugdev +staff +users +nogroup + +# Reserved usernames listed in base-passwd/README (3.5.11). +netplan +ftn +mysql +tac-plus +alias +qmail +qmaild +qmails +qmailr +qmailq +qmaill +qmailp +asterisk +vpopmail +vchkpw + +# Ubuntu creates the admin group and adds the first user to it in order to +# grant them sudo privileges. +admin + +# Other miscellaneous system users/groups created by common packages. While +# it's useful to add things here that people might run into, it's not +# absolutely critical; the worst that will happen is that the installation +# will fail at some later point. +Debian-exim +bind +crontab +cupsys +dcc +dhcp +dictd +dovecot +fetchmail +firebird +ftp +fuse +gdm +haldaemon +hplilp +identd +jwhois +klog +lpadmin +maas +messagebus +mythtv +netdev +powerdev +radvd +saned +sbuild +scanner +slocate +ssh +sshd +ssl-cert +sslwrap +statd +syslog +telnetd +tftpd diff --git a/user-setup b/user-setup new file mode 100755 index 0000000..204e7e4 --- /dev/null +++ b/user-setup @@ -0,0 +1,5 @@ +#! /bin/sh +set -e +export PATH="/usr/lib/user-setup:$PATH" +user-setup-ask +user-setup-apply diff --git a/user-setup-apply b/user-setup-apply new file mode 100755 index 0000000..96e760d --- /dev/null +++ b/user-setup-apply @@ -0,0 +1,423 @@ +#! /bin/sh +set -e + +. /usr/share/debconf/confmodule + +if [ "$1" ]; then + export LANG=C # avoid locale errors from perl + ROOT="$1" + chroot=chroot + log='log-output -t user-setup' +else + ROOT= + chroot= + log= +fi + +. /usr/lib/user-setup/functions.sh + +# Set a password, via chpasswd. +# Use a heredoc rather than echo, to avoid the password +# showing in the process table. (However, this is normally +# only called when first installing the system, when root has no +# password at all, so that should be an unnecessary precaution). +# +# Pass in four arguments: the user, the password, 'true' if the +# password has been pre-crypted (by preseeding), and a 'true' if +# the home directory is encrypted +setpassword () { + local USER PASSWD PAM_SET_PWD + USER="$1" + PASSWD="$2" + + local VERSION=$($chroot $ROOT dpkg-query -W -f '${Version}\n' passwd) + PAM_SET_PWD=false + if $chroot $ROOT dpkg --compare-versions "$VERSION" ge "1:4.1.4-1"; then + # support for versions with PAM support (Squeeze) + PAM_SET_PWD=true + if [ "$3" = true ]; then + $chroot $ROOT usermod --password=$PASSWD $USER + else + $chroot $ROOT chpasswd <&2 + db_input critical user-setup/encrypt-home-failed || true + db_go || true + fi + fi +} + +# Enable/disable shadow passwords. +db_get passwd/shadow +if [ "$RET" = true ]; then + $log $chroot $ROOT shadowconfig on +else + $log $chroot $ROOT shadowconfig off +fi + +if ! root_password; then + # Was the root password preseeded encrypted? + if db_get passwd/root-password-crypted && [ "$RET" ]; then + # The root password was preseeded encrypted. + ROOT_PW="$RET" + PRECRYPTED=true + else + db_get passwd/root-password + ROOT_PW="$RET" + PRECRYPTED=false + fi + # Clear the root password from the database, and set the password. + db_set passwd/root-password-crypted '' + db_set passwd/root-password '' + db_set passwd/root-password-again '' + if [ "$ROOT_PW" ]; then + setpassword root "$ROOT_PW" "$PRECRYPTED" + fi + ROOT_PW= +else + # Just in case, clear any preseeded root password from the database + # anyway. + db_set passwd/root-password-crypted '' + db_set passwd/root-password '' + db_set passwd/root-password-again '' +fi + +db_get passwd/make-user +if [ "$RET" = true ] && ! is_system_user; then + if db_get passwd/user-password-crypted && [ "$RET" ]; then + USER_PW="$RET" + USER_PW_CRYPTED=true + else + db_get passwd/user-password + USER_PW="$RET" + USER_PW_CRYPTED=false + fi + + if db_get passwd/user-uid && [ "$RET" ]; then + if [ -x $ROOT/usr/sbin/adduser ]; then + UIDOPT="--uid $RET" + else + UIDOPT="-u $RET" + fi + else + UIDOPT= + fi + + ENCRYPT_HOME="false" + ENCRYPT_HOME_OPT= + if [ "$OVERRIDE_ALREADY_ENCRYPTED_SWAP" ]; then + ENCRYPT_HOME="true" + ENCRYPT_HOME_OPT="--encrypt-home" + elif db_get user-setup/encrypt-home && [ "$RET" = true ]; then + ENCRYPT_HOME="true" + ENCRYPT_HOME_OPT="--encrypt-home" + if type anna-install >/dev/null 2>&1 && [ -d /lib/debian-installer ]; then + ANNA_QUIET=1 DEBIAN_FRONTEND=none $log anna-install crypto-modules || true + depmod -a >/dev/null 2>&1 || true + fi + for module in aes cbc ecb; do + modprobe -q "$module" || true + done + apt-install ecryptfs-utils 2>/dev/null + apt-install cryptsetup 2>/dev/null + + umountproc=false + umountsys=false + umountdev=false + if [ ! -e $ROOT/proc/cmdline ]; then + $log $chroot $ROOT mount -t proc proc /proc + umountproc=: + fi + if [ ! -e $ROOT/sys/block ]; then + # We need /sys for devtmpfs to create block devices. + $log $chroot $ROOT mount -t sysfs sysfs /sys + umountsys=: + fi + if [ "$(stat -c %d "$ROOT/dev")" -eq "$(stat -c %d "$ROOT/")" ]; then + mount --bind /dev $ROOT/dev + umountdev=: + else + $log $chroot $ROOT udevadm settle + fi + if ! $log $chroot $ROOT ecryptfs-setup-swap -f -n; then + echo "ecryptfs-setup-swap failed." >&2 + db_input critical user-setup/encrypt-home-failed || true + db_go || true + ENCRYPT_HOME="false" + ENCRYPT_HOME_OPT= + fi + if $umountproc; then + $log $chroot $ROOT umount /proc + fi + if $umountsys; then + $log $chroot $ROOT umount /sys + fi + if $umountdev; then + umount $ROOT/dev + fi + fi + + + # Add the user to the database, using adduser in noninteractive + # mode. + db_get passwd/username + USER="$RET" + db_get passwd/user-fullname + + HOME_EXISTED= + if [ -d "$ROOT/home/$USER" ]; then + HOME_EXISTED=1 + # user-setup-ask shouldn't have allowed this, but for safety: + ENCRYPT_HOME="false" + ENCRYPT_HOME_OPT= + fi + + umountproc=false + umountsys=false + if [ -n "$ENCRYPT_HOME_OPT" ]; then + if [ ! -e $ROOT/sys/kernel ]; then + $log $chroot $ROOT mount -t sysfs sysfs /sys + umountsys=: + fi + mkdir -p $ROOT/dev/shm + $log $chroot $ROOT mount -t tmpfs tmpfs /dev/shm + if [ ! -e $ROOT/proc/cmdline ]; then + $log $chroot $ROOT mount -t proc proc /proc + umountproc=: + fi + fi + if [ -x $ROOT/usr/sbin/adduser ]; then + $log $chroot $ROOT adduser --disabled-password --gecos "$RET" $UIDOPT $ENCRYPT_HOME_OPT "$USER" >/dev/null || true + else + $log $chroot $ROOT useradd -c "$RET" -m "$USER" $UIDOPT >/dev/null || true + fi + + # Clear the user password from the database. + db_set passwd/user-password-crypted '' + db_set passwd/user-password '' + db_set passwd/user-password-again '' + setpassword "$USER" "$USER_PW" "$USER_PW_CRYPTED" "$ENCRYPT_HOME" + if [ -n "$ENCRYPT_HOME_OPT" ]; then + if $umountsys; then + $log $chroot $ROOT umount /sys + fi + $log $chroot $ROOT umount /dev/shm + if $umountproc; then + $log $chroot $ROOT umount /proc + fi + fi + + if [ "$HOME_EXISTED" ]; then + # The user's home directory already existed before we called + # adduser. This often means that a mount point under + # /home/$USER was selected in (and thus created by) partman, + # and the home directory may have ended up owned by root. + $log $chroot $ROOT chown "$USER:$USER" "/home/$USER" >/dev/null || true + fi + + if [ -n "$USER" ]; then + for group in lpadmin sambashare; do + $log $chroot $ROOT addgroup --system $group >/dev/null 2>&1 || true + done + if type archdetect >/dev/null 2>&1; then + SUBARCH="$(archdetect)" + case $SUBARCH in + powerpc/ps3|powerpc/cell) + $log $chroot $ROOT addgroup --system spu >/dev/null 2>&1 || true + ;; + esac + fi + db_get passwd/user-default-groups + for group in $RET; do + $log $chroot $ROOT adduser "$USER" $group >/dev/null 2>&1 || true + done + + # Configure desktop auto-login if instructed by preseeding + db_get passwd/auto-login + if [ "$RET" = true ]; then + db_get passwd/auto-login-backup + BACKUP="${RET:+.$RET}" + + if [ -d "$ROOT/etc/gdm3" ]; then + # Configure GDM autologin + GDMCustomFile=$ROOT/etc/gdm3/custom.conf + if [ -e "$GDMCustomFile" ] && [ "$BACKUP" ]; then + cp "$GDMCustomFile" "${GDMCustomFile}$BACKUP" + fi + AutologinParameters="AutomaticLoginEnable=true\n\ +AutomaticLogin=$USER\n" + + # Prevent from updating if parameters already present (persistent usb key) + if ! `grep -qs "AutomaticLogin=$USER" $GDMCustomFile` ; then + if [ -e "$GDMCustomFile" ]; then + sed -i '/\(Automatic\)Login/d' $GDMCustomFile + fi + if ! `grep -qs '\[daemon\]' $GDMCustomFile` ; then + echo '[daemon]' >> $GDMCustomFile + fi + sed -i "s/\[daemon\]/\[daemon\]\n$AutologinParameters/" $GDMCustomFile + fi + fi + + if $chroot $ROOT [ -f /etc/kde4/kdm/kdmrc ]; then + # Configure KDM autologin + $log $chroot $ROOT sed -i$BACKUP -r \ + -e "s/^#?AutoLoginEnable=.*\$/AutoLoginEnable=true/" \ + -e "s/^#?AutoLoginUser=.*\$/AutoLoginUser=$USER/" \ + -e "s/^#?AutoReLogin=.*\$/AutoReLogin=true/" \ + /etc/kde4/kdm/kdmrc + fi + + if $chroot $ROOT [ -f /etc/lxdm/lxdm.conf ]; then + # Configure LXDM autologin with LXDE session + $log $chroot $ROOT sed -i$BACKUP -r \ + -e "s/^# autologin=dgod/autologin=$USER/" \ + -e "s/^# session/session/" \ + /etc/lxdm/lxdm.conf + fi + + if $chroot $ROOT [ -f /etc/xdg/lubuntu/lxdm/lxdm.conf ]; then + # Configure LXDM autologin with Lubuntu session + $log $chroot $ROOT sed -i$BACKUP -r \ + -e "s/^# autologin=dgod/autologin=$USER/" \ + -e "s/^# session/session/" \ + -e "s/startlxde/startlubuntu/" \ + /etc/xdg/lubuntu/lxdm/lxdm.conf + fi + + if $chroot $ROOT [ -f /usr/bin/sddm ]; then + # Configure SDDM autologin with an appropiate session + $log $chroot $ROOT /bin/sh -c "cat > /etc/sddm.conf" << EOF +[Autologin] +User=$USER +Session=PLACEHOLDER +EOF + if $chroot $ROOT [ -f /usr/share/xsessions/plasma.desktop ]; then + sed -i 's/PLACEHOLDER/plasma.desktop/' $ROOT/etc/sddm.conf + elif $chroot $ROOT [ -f /usr/share/xsessions/Lubuntu.desktop ]; then + sed -i 's/PLACEHOLDER/Lubuntu.desktop/' $ROOT/etc/sddm.conf + elif $chroot $ROOT [ -f /usr/share/xsessions/lxqt.desktop ]; then + sed -i 's/PLACEHOLDER/lxqt.desktop/' $ROOT/etc/sddm.conf + else #fallback if some other DE/WM is used + SDDMSESSION=$(ls /usr/share/xsessions | head -1) + sed -i "s/PLACEHOLDER/$SDDMSESSION/" $ROOT/etc/sddm.conf + fi + fi + if $chroot $ROOT [ -d /etc/lightdm ]; then + # Configure LightDM autologin + LightDMCustomFile=$ROOT/etc/lightdm/lightdm.conf + AutologinParameters="autologin-guest=false\n\ +autologin-user=$USER\n\ +autologin-user-timeout=0" + if ! grep -qs '^autologin-user' $LightDMCustomFile; then + if ! grep -qs '^\[Seat:\*\]' $LightDMCustomFile; then + echo '[Seat:*]' >> $LightDMCustomFile + fi + sed -i "s/\[Seat:\*\]/\[Seat:\*\]\n$AutologinParameters/" $LightDMCustomFile + #oem config scenario + else + sed -i "s/^\(\(str *\)\?autologin-user\)=.*$/\1=$USER/g;" $ROOT/etc/lightdm/lightdm.conf + fi + fi + fi + fi + + db_get passwd/root-login + if [ "$RET" = false ] && [ -n "$USER" ]; then + # Ensure sudo is installed, and set up the user to be able + # to use it. + if [ ! -e $ROOT/etc/sudoers ]; then + # try to work in d-i and out; it's better to + # use apt-install in d-i + apt-install sudo 2>/dev/null || $log $chroot $ROOT apt-get -q -y install sudo || true + fi + if [ -e $ROOT/etc/sudoers ]; then + # Test if we can add the user to the sudo group + # (possible if sudo >= 1.7.2-2 is installed on the target system) + # If we can, do it this way, otherwise add the user to sudoers + # See #597239 + if ! $log $chroot $ROOT adduser "$USER" sudo >/dev/null 2>&1; then + echo "$USER ALL=(ALL) ALL" >> $ROOT/etc/sudoers + fi + else + # sudo failed to install, system won't be usable + exit 1 + fi + # Configure gksu to use sudo, via an alternative, if it's + # installed and the alternative is registered. + if $chroot $ROOT update-alternatives --display libgksu-gconf-defaults >/dev/null 2>&1; then + $log $chroot $ROOT update-alternatives --set libgksu-gconf-defaults /usr/share/libgksu/debian/gconf-defaults.libgksu-sudo + $log $chroot $ROOT update-gconf-defaults || true + fi + # Configure aptitude to use sudo. + echo 'Aptitude::Get-Root-Command "sudo:/usr/bin/sudo";' > $ROOT/etc/apt/apt.conf.d/00aptitude + else + # Configure gksu to use su, via an alternative, if it's + # installed and the alternative is registered. + if $chroot $ROOT update-alternatives --display libgksu-gconf-defaults >/dev/null 2>&1; then + $log $chroot $ROOT update-alternatives --set libgksu-gconf-defaults /usr/share/libgksu/debian/gconf-defaults.libgksu-su + $log $chroot $ROOT update-gconf-defaults || true + fi + fi + if [ -z "$OVERRIDE_ALREADY_ENCRYPTED_SWAP" ] && \ + [ -n "$ENCRYPT_HOME_OPT" ] && [ -e $ROOT/etc/crypttab ]; then + # Zero out all encrypted swap partitions. It is assumed that + # passwords are not used beyond this point in the install. + # cryptswap0 /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256 + # Ideally we would set up a new progress bar here, but we're + # inside finish-install's and cdebconf doesn't support nested + # progress bars. + db_progress INFO user-setup/progress/wipe-swap + while read name device source options; do + if echo "$options" | grep -q "swap"; then + if swapoff $device; then + if [ ! -b $device ]; then + ONE_MEG=$((1024*1024)) + size=$(($(stat -c %s ${device})/${ONE_MEG})) + dd if=/dev/zero of=$device bs=${ONE_MEG} count=$size 2>/dev/null || true + else + dd if=/dev/zero of=$device bs=16M 2>/dev/null || true + fi + fi + fi + done < $ROOT/etc/crypttab + fi + +else + # Just in case, clear any preseeded user password from the database + # anyway. + db_set passwd/user-password-crypted '' + db_set passwd/user-password '' + db_set passwd/user-password-again '' +fi + +exit 0 diff --git a/user-setup-ask b/user-setup-ask new file mode 100755 index 0000000..6fc3814 --- /dev/null +++ b/user-setup-ask @@ -0,0 +1,285 @@ +#!/bin/sh -e + +. /usr/share/debconf/confmodule + +db_capb "backup" + +if [ "$1" ]; then + ROOT="$1" +else + ROOT= +fi +export ROOT + +. /usr/lib/user-setup/functions.sh + +# For the convenience of heavy testers +set_special_users() { + local realname + case "$fullname" in + bubulle) realname="Christian PERRIER" ;; + tbm) realname="Martin Michlmayr" ;; + *) return 1 ;; + esac + db_set passwd/user-fullname "$realname" + userdefault=$fullname + db_fset passwd/username seen true + return 0 +} + +# Main loop starts here. Use a state machine to allow jumping back to +# previous questions. +STATE=0 +while :; do + case "$STATE" in + 0) + # Ask how the password files should be set up. + db_input low passwd/shadow || true + # Ask if root should be allowed to login. + db_input medium passwd/root-login || true + ;; + 1) + db_get passwd/root-login + if [ "$RET" = false ]; then + # root password will be locked + db_set passwd/root-password "" + db_set passwd/root-password-crypted "!" + elif ! root_password; then + # First check whether the root password was preseeded + # crypted to an actual password (not locked) + db_get passwd/root-password-crypted || true + if ! test "$RET" || [ "x$RET" = "x!" ]; then + # No preseed of the root password hash + # we will prompt the user + db_set passwd/root-password-crypted "" + db_input critical passwd/root-password || true + db_input critical passwd/root-password-again || true + fi + fi + ;; + 2) + db_get passwd/root-login + if [ "$RET" = false ]; then + # root password will be locked + db_set passwd/root-password-again "" + elif ! root_password; then + # First check whether the root password was preseeded crypted + db_get passwd/root-password-crypted || true + if ! test "$RET" ; then + # Compare the two passwords, loop back if not + # identical, or if empty. + db_get passwd/root-password + ROOT_PW="$RET" + if [ -z "$ROOT_PW" ]; then + db_set passwd/root-login false + STATE=1 + continue + elif password_is_weak "$ROOT_PW"; then + db_set user-setup/password-weak false + db_fset user-setup/password-weak seen false + db_input critical user-setup/password-weak + # TODO would be better to extend state machine + if ! db_go; then + STATE=1 + continue + fi + db_get user-setup/password-weak || RET= + if [ "$RET" != true ]; then + # user doesn't want to force + # weak password + db_fset passwd/root-password seen false + db_fset passwd/root-password-again seen false + STATE=1 + continue + fi + fi + db_get passwd/root-password-again + if [ "$ROOT_PW" != "$RET" ]; then + db_fset user-setup/password-mismatch seen false + db_input critical user-setup/password-mismatch + db_fset passwd/root-password seen false + db_fset passwd/root-password-again seen false + STATE=1 + continue + fi + ROOT_PW='' + fi + fi + ;; + 3) + # Ask if a non-root user should be made, if there is not + # already one. + db_get passwd/root-login + if [ "$RET" = false ]; then + # always make non-root user; this user will be able + # to sudo to root + db_set passwd/make-user true + elif ! is_system_user; then + db_input medium passwd/make-user || true + fi + ;; + 4) + # Prompt for user info. + db_get passwd/make-user + if [ "$RET" = true ] && ! is_system_user; then + db_input critical passwd/user-fullname || true + fi + ;; + 5) + # Prompt for user info. + db_get passwd/make-user + if [ "$RET" = true ] && ! is_system_user; then + LOOP="" + db_get passwd/username + if [ -z "$RET" ]; then + db_get passwd/user-fullname + fullname=$RET + if ! set_special_users; then + userdefault=$(echo "$fullname" | \ + sed 's/ .*//' | LC_ALL=C tr A-Z a-z) + fi + if test -n "$userdefault" && \ + LC_ALL=C expr "$userdefault" : '[a-z][-a-z0-9]*$' >/dev/null; then + db_set passwd/username "$userdefault" + fi + fi + db_input critical passwd/username || true + fi + ;; + 6) + # Verify user. + db_get passwd/make-user + if [ "$RET" = true ] && ! is_system_user; then + # Verify the user name, loop with message if bad. + db_get passwd/username + USER="$RET" + if ! LC_ALL=C expr "$USER" : '[a-z][-a-z0-9_]*$' >/dev/null || \ + ! LC_ALL=C expr length "$USER" '<=' 32 >/dev/null; then + db_fset passwd/username seen false + db_fset passwd/username-bad seen false + db_input critical passwd/username-bad + STATE=3 + continue + fi + + if grep -v '^#' /usr/lib/user-setup/reserved-usernames | \ + grep -q "^$USER\$"; then + db_fset passwd/username seen false + db_fset passwd/username-reserved seen false + db_subst passwd/username-reserved USERNAME "$USER" + db_input critical passwd/username-reserved + STATE=3 + continue + fi + + db_get passwd/user-password-crypted || true + if ! test "$RET" ; then + db_input critical passwd/user-password || true + db_input critical passwd/user-password-again || true + fi + fi + ;; + 7) + db_get passwd/make-user + if [ "$RET" = true ] && ! is_system_user; then + db_get passwd/user-password-crypted || true + if ! test "$RET" ; then + # Compare the two passwords, loop with message if not + # identical + db_get passwd/user-password + USER_PW="$RET" + db_get passwd/user-password-again + if [ "$USER_PW" != "$RET" ]; then + db_set passwd/user-password "" + db_set passwd/user-password-again "" + db_fset user-setup/password-mismatch seen false + db_input critical user-setup/password-mismatch + db_fset passwd/user-password seen false + db_fset passwd/user-password-again seen false + STATE=6 + continue + fi + # Loop if the password is empty, and it's not + # specifically allowed by preseeding + if password_is_empty "$USER_PW"; then + db_set passwd/user-password "" + db_set passwd/user-password-again "" + db_fset user-setup/password-empty seen false + db_input critical user-setup/password-empty + db_fset passwd/user-password seen false + db_fset passwd/user-password-again seen false + STATE=6 + continue + elif [ "$USER_PW" ] && password_is_weak "$USER_PW"; then + db_set user-setup/password-weak false + db_fset user-setup/password-weak seen false + db_input critical user-setup/password-weak + # TODO would be better to extend state machine + if ! db_go; then + STATE=6 + continue + fi + db_get user-setup/password-weak || RET= + if [ "$RET" != true ]; then + # user doesn't want to force + # weak password + db_set passwd/user-password "" + db_set passwd/user-password-again "" + db_fset passwd/user-password seen false + db_fset passwd/user-password-again seen false + STATE=6 + continue + fi + fi + fi + fi + ;; + 8) + db_get passwd/username + USER="$RET" + db_get passwd/make-user + if [ "$RET" = true ] && [ ! -d "$ROOT/home/$USER" ]; then + db_get user-setup/force-encrypt-home + if [ "$RET" = true ]; then + db_set user-setup/encrypt-home true + else + db_input medium user-setup/encrypt-home || true + fi + fi + ;; + 9) + ecryptfs_in_use= + for homedir in "$ROOT/home"/*; do + if [ -d "$homedir/.ecryptfs" ]; then + ecryptfs_in_use=1 + break + fi + done + if [ "$ecryptfs_in_use" ] || \ + (db_get user-setup/encrypt-home && [ "$RET" = true ]); then + # If the user wants an encrypted home, we *must* have the + # cleartext password here! + db_get passwd/user-password || true + if ! test "$RET" ; then + db_set passwd/user-password-crypted "" + STATE=7 + continue + fi + fi + ;; + *) + break + ;; + esac + + if db_go; then + STATE=$(($STATE + 1)) + else + STATE=$(($STATE - 1)) + fi + #echo "ON STATE: $STATE" +done + +if [ "$STATE" = -1 ]; then + exit 10 +fi