feat: Patch /etc/login.defs instead of replacing it (secureblue#850)

nihil-admirari · Feb 14, 2025 · 2dee045 · 2dee045
1 parent dddf4b6
commit 2dee045
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 116 deletions.
diff --git a/files/scripts/patchcommonconf.sh b/files/scripts/patchcommonconf.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s nullglob
+
+SCRIPT="$(realpath -s -- "${BASH_SOURCE[0]}")"
+SCRIPT_DIR="$(dirname -- "$SCRIPT")"
+readonly SCRIPT SCRIPT_DIR
+
+"$SCRIPT_DIR/patchconf.sh" "$SCRIPT_DIR/patches/common"
diff --git a/files/scripts/patchconf.sh b/files/scripts/patchconf.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s globstar nullglob
+
+main() {
+    local d f
+    for d; do
+        for f in "$d"/**/*.patch; do
+            patch --forward --directory=/ --strip=1 --no-backup-if-mismatch < "$f"
+        done
+    done
+}
+
+main "$@"
diff --git a/files/scripts/patches/common/login.defs.patch b/files/scripts/patches/common/login.defs.patch
@@ -0,0 +1,20 @@
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -114,7 +114,7 @@
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up their mind.
+-UMASK		022
++UMASK		027
+
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+@@ -255,7 +255,7 @@
+ # If not specified, a cost factor of 5 will be used.
+ # The value must be within the 1-11 range.
+ #
+-#YESCRYPT_COST_FACTOR 5
++YESCRYPT_COST_FACTOR 11
+
+ # Currently CONSOLE_GROUPS is not supported
+
diff --git a/files/system/etc/login.defs b/files/system/etc/login.defs
diff --git a/recipes/common/common-scripts.yml b/recipes/common/common-scripts.yml
@@ -8,3 +8,4 @@ scripts:
   - disablegeoclue.sh
   - enablesecurebluefirstrun.sh
   - createjustcompletions.sh
+  - patchcommonconf.sh