268 lines
7.1 KiB
Bash
Executable File
268 lines
7.1 KiB
Bash
Executable File
#!/bin/sh -e
|
|
|
|
. /usr/share/debconf/confmodule
|
|
|
|
db_capb "backup"
|
|
|
|
if [ "$1" ]; then
|
|
ROOT="$1"
|
|
else
|
|
ROOT=
|
|
fi
|
|
export ROOT
|
|
|
|
. /usr/lib/user-setup/functions.sh
|
|
|
|
# Main loop starts here. Use a state machine to allow jumping back to
|
|
# previous questions.
|
|
STATE=0
|
|
while :; do
|
|
case "$STATE" in
|
|
0)
|
|
# Ask if root should be allowed to login.
|
|
db_input medium passwd/root-login || true
|
|
;;
|
|
1)
|
|
db_get passwd/root-login
|
|
if [ "$RET" = false ]; then
|
|
# root password will be locked
|
|
db_set passwd/root-password ""
|
|
db_set passwd/root-password-crypted "!"
|
|
elif ! root_password; then
|
|
# First check whether the root password was preseeded
|
|
# crypted to an actual password (not locked)
|
|
db_get passwd/root-password-crypted || true
|
|
if ! test "$RET" || [ "x$RET" = "x!" ]; then
|
|
# No preseed of the root password hash
|
|
# we will prompt the user
|
|
db_set passwd/root-password-crypted ""
|
|
db_input critical passwd/root-password || true
|
|
db_input critical passwd/root-password-again || true
|
|
fi
|
|
fi
|
|
;;
|
|
2)
|
|
db_get passwd/root-login
|
|
if [ "$RET" = false ]; then
|
|
# root password will be locked
|
|
db_set passwd/root-password-again ""
|
|
elif ! root_password; then
|
|
# First check whether the root password was preseeded crypted
|
|
db_get passwd/root-password-crypted || true
|
|
if ! test "$RET" ; then
|
|
# Compare the two passwords, loop back if not
|
|
# identical, or if empty.
|
|
db_get passwd/root-password
|
|
ROOT_PW="$RET"
|
|
if [ -z "$ROOT_PW" ]; then
|
|
db_set passwd/root-login false
|
|
STATE=1
|
|
continue
|
|
elif password_is_weak "$ROOT_PW"; then
|
|
db_set user-setup/password-weak false
|
|
db_fset user-setup/password-weak seen false
|
|
db_input critical user-setup/password-weak
|
|
# TODO would be better to extend state machine
|
|
if ! db_go; then
|
|
STATE=1
|
|
continue
|
|
fi
|
|
db_get user-setup/password-weak || RET=
|
|
if [ "$RET" != true ]; then
|
|
# user doesn't want to force
|
|
# weak password
|
|
db_fset passwd/root-password seen false
|
|
db_fset passwd/root-password-again seen false
|
|
STATE=1
|
|
continue
|
|
fi
|
|
fi
|
|
db_get passwd/root-password-again
|
|
if [ "$ROOT_PW" != "$RET" ]; then
|
|
db_fset user-setup/password-mismatch seen false
|
|
db_input critical user-setup/password-mismatch
|
|
db_fset passwd/root-password seen false
|
|
db_fset passwd/root-password-again seen false
|
|
STATE=1
|
|
continue
|
|
fi
|
|
ROOT_PW=''
|
|
fi
|
|
fi
|
|
;;
|
|
3)
|
|
# Ask if a non-root user should be made, if there is not
|
|
# already one.
|
|
db_get passwd/root-login
|
|
if [ "$RET" = false ]; then
|
|
# always make non-root user; this user will be able
|
|
# to sudo to root
|
|
db_set passwd/make-user true
|
|
elif ! is_system_user; then
|
|
db_input medium passwd/make-user || true
|
|
fi
|
|
;;
|
|
4)
|
|
# Prompt for user info.
|
|
db_get passwd/make-user
|
|
if [ "$RET" = true ] && ! is_system_user; then
|
|
db_input critical passwd/user-fullname || true
|
|
fi
|
|
;;
|
|
5)
|
|
# Prompt for user info.
|
|
db_get passwd/make-user
|
|
if [ "$RET" = true ] && ! is_system_user; then
|
|
LOOP=""
|
|
db_get passwd/username
|
|
if [ -z "$RET" ]; then
|
|
db_get passwd/user-fullname
|
|
fullname=$RET
|
|
userdefault=$(echo "$fullname" | \
|
|
sed 's/ .*//' | LC_ALL=C tr A-Z a-z)
|
|
if test -n "$userdefault" && \
|
|
LC_ALL=C expr "$userdefault" : '[a-z][-a-z0-9]*$' >/dev/null; then
|
|
db_set passwd/username "$userdefault"
|
|
fi
|
|
fi
|
|
db_input critical passwd/username || true
|
|
fi
|
|
;;
|
|
6)
|
|
# Verify user.
|
|
db_get passwd/make-user
|
|
if [ "$RET" = true ] && ! is_system_user; then
|
|
# Verify the user name, loop with message if bad.
|
|
db_get passwd/username
|
|
USER="$RET"
|
|
if ! LC_ALL=C expr "$USER" : '[a-z][-a-z0-9_]*$' >/dev/null || \
|
|
! LC_ALL=C expr length "$USER" '<=' 32 >/dev/null; then
|
|
db_fset passwd/username seen false
|
|
db_fset passwd/username-bad seen false
|
|
db_input critical passwd/username-bad
|
|
STATE=3
|
|
continue
|
|
fi
|
|
|
|
if grep -v '^#' /usr/lib/user-setup/reserved-usernames | \
|
|
grep -q "^$USER\$"; then
|
|
db_fset passwd/username seen false
|
|
db_fset passwd/username-reserved seen false
|
|
db_subst passwd/username-reserved USERNAME "$USER"
|
|
db_input critical passwd/username-reserved
|
|
STATE=3
|
|
continue
|
|
fi
|
|
|
|
db_get passwd/user-password-crypted || true
|
|
if ! test "$RET" ; then
|
|
db_input critical passwd/user-password || true
|
|
db_input critical passwd/user-password-again || true
|
|
fi
|
|
fi
|
|
;;
|
|
7)
|
|
db_get passwd/make-user
|
|
if [ "$RET" = true ] && ! is_system_user; then
|
|
db_get passwd/user-password-crypted || true
|
|
if ! test "$RET" ; then
|
|
# Compare the two passwords, loop with message if not
|
|
# identical
|
|
db_get passwd/user-password
|
|
USER_PW="$RET"
|
|
db_get passwd/user-password-again
|
|
if [ "$USER_PW" != "$RET" ]; then
|
|
db_set passwd/user-password ""
|
|
db_set passwd/user-password-again ""
|
|
db_fset user-setup/password-mismatch seen false
|
|
db_input critical user-setup/password-mismatch
|
|
db_fset passwd/user-password seen false
|
|
db_fset passwd/user-password-again seen false
|
|
STATE=6
|
|
continue
|
|
fi
|
|
# Loop if the password is empty, and it's not
|
|
# specifically allowed by preseeding
|
|
if password_is_empty "$USER_PW"; then
|
|
db_set passwd/user-password ""
|
|
db_set passwd/user-password-again ""
|
|
db_fset user-setup/password-empty seen false
|
|
db_input critical user-setup/password-empty
|
|
db_fset passwd/user-password seen false
|
|
db_fset passwd/user-password-again seen false
|
|
STATE=6
|
|
continue
|
|
elif [ "$USER_PW" ] && password_is_weak "$USER_PW"; then
|
|
db_set user-setup/password-weak false
|
|
db_fset user-setup/password-weak seen false
|
|
db_input critical user-setup/password-weak
|
|
# TODO would be better to extend state machine
|
|
if ! db_go; then
|
|
STATE=6
|
|
continue
|
|
fi
|
|
db_get user-setup/password-weak || RET=
|
|
if [ "$RET" != true ]; then
|
|
# user doesn't want to force
|
|
# weak password
|
|
db_set passwd/user-password ""
|
|
db_set passwd/user-password-again ""
|
|
db_fset passwd/user-password seen false
|
|
db_fset passwd/user-password-again seen false
|
|
STATE=6
|
|
continue
|
|
fi
|
|
fi
|
|
fi
|
|
fi
|
|
;;
|
|
8)
|
|
db_get passwd/username
|
|
USER="$RET"
|
|
db_get passwd/make-user
|
|
if [ "$RET" = true ] && [ ! -d "$ROOT/home/$USER" ]; then
|
|
db_get user-setup/force-encrypt-home
|
|
if [ "$RET" = true ]; then
|
|
db_set user-setup/encrypt-home true
|
|
else
|
|
db_input medium user-setup/encrypt-home || true
|
|
fi
|
|
fi
|
|
;;
|
|
9)
|
|
ecryptfs_in_use=
|
|
for homedir in "$ROOT/home"/*; do
|
|
if [ -d "$homedir/.ecryptfs" ]; then
|
|
ecryptfs_in_use=1
|
|
break
|
|
fi
|
|
done
|
|
if [ "$ecryptfs_in_use" ] || \
|
|
(db_get user-setup/encrypt-home && [ "$RET" = true ]); then
|
|
# If the user wants an encrypted home, we *must* have the
|
|
# cleartext password here!
|
|
db_get passwd/user-password || true
|
|
if ! test "$RET" ; then
|
|
db_set passwd/user-password-crypted ""
|
|
STATE=7
|
|
continue
|
|
fi
|
|
fi
|
|
;;
|
|
*)
|
|
break
|
|
;;
|
|
esac
|
|
|
|
if db_go; then
|
|
STATE=$(($STATE + 1))
|
|
else
|
|
STATE=$(($STATE - 1))
|
|
fi
|
|
#echo "ON STATE: $STATE"
|
|
done
|
|
|
|
if [ "$STATE" = -1 ]; then
|
|
exit 10
|
|
fi
|