diff --git a/files/scripts/patchcommonconf.sh b/files/scripts/patchcommonconf.sh
new file mode 100755
index 000000000..c6086bd39
--- /dev/null
+++ b/files/scripts/patchcommonconf.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s nullglob
+
+SCRIPT="$(realpath -s -- "${BASH_SOURCE[0]}")"
+SCRIPT_DIR="$(dirname -- "$SCRIPT")"
+readonly SCRIPT SCRIPT_DIR
+
+"$SCRIPT_DIR/patchconf.sh" "$SCRIPT_DIR/patches/common"
diff --git a/files/scripts/patchconf.sh b/files/scripts/patchconf.sh
new file mode 100755
index 000000000..0651b40c2
--- /dev/null
+++ b/files/scripts/patchconf.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s globstar nullglob
+
+main() {
+  local d f
+  for d; do
+    for f in "$d"/**/*.patch; do
+      patch --forward --directory=/ --strip=1 --no-backup-if-mismatch < "$f"
+    done
+  done
+}
+
+main "$@"
diff --git a/files/scripts/patches/common/login.defs.patch b/files/scripts/patches/common/login.defs.patch
new file mode 100644
index 000000000..7b65475c1
--- /dev/null
+++ b/files/scripts/patches/common/login.defs.patch
@@ -0,0 +1,20 @@
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -114,7 +114,7 @@
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up their mind.
+-UMASK 022
++UMASK 027
+
+ # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+ # home directories.
+@@ -255,7 +255,7 @@
+ # If not specified, a cost factor of 5 will be used.
+ # The value must be within the 1-11 range.
+ #
+-#YESCRYPT_COST_FACTOR 5
++YESCRYPT_COST_FACTOR 11
+
+ # Currently CONSOLE_GROUPS is not supported
+
diff --git a/files/system/etc/login.defs b/files/system/etc/login.defs
deleted file mode 100644
index 3edcfd187..000000000
--- a/files/system/etc/login.defs
+++ /dev/null
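Review bot: The `--forward` flag on the `patch` call inside `main` in patchconf.sh implies the script is meant to be re-runnable, but under `set -e` the call aborts the whole run whenever `patch` exits non-zero — and GNU patch, as far as I recall, returns 1 both when a hunk is rejected and when `--forward` skips an already-applied hunk, so a second invocation against an already-patched tree would fail exactly like a broken patch does. The failure is also anonymous: nothing names the offending `.patch` file, and `--no-backup-if-mismatch` only suppresses `.orig` backups, so a rejected hunk still leaves a `.rej` next to the target under `/`. I would detect already-applied patches with a reverse dry-run before applying, discard rejects with `--reject-file=-`, and print the file name on failure so a build log shows which patch no longer fits the base image.
```shell
main() {
  local d f
  for d; do
    for f in "$d"/**/*.patch; do
      # Already applied (reverse dry-run succeeds): skip instead of letting `patch` exit 1 under set -e.
      if patch --reverse --dry-run --silent --force --directory=/ --strip=1 <"$f" >/dev/null 2>&1; then
        continue
      fi
      patch --forward --directory=/ --strip=1 --no-backup-if-mismatch --reject-file=- <"$f" \
        || { printf 'patchconf: failed to apply %s\n' "$f" >&2; exit 1; }
    done
  done
}
```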
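Review bot: The two hunks in login.defs.patch carry over only `UMASK 027` and `YESCRYPT_COST_FACTOR 11` from the deleted `files/system/etc/login.defs`, which also pinned `HOME_MODE 0700`, `ENCRYPT_METHOD YESCRYPT` and `HMAC_CRYPTO_ALGO SHA512`; after this change those three values come from whatever the base image's login.defs says, and the patch context does not show what that is. If the base image already sets them this is fine, but it should be stated, since otherwise new home directories fall back to the UMASK-derived mode and the password hash algorithm is whatever the distro default happens to be. I would either add hunks for those settings or put a header comment above `--- a/etc/login.defs` (GNU patch ignores text before the first file header) such as `# Only settings that differ from the base image's login.defs. HOME_MODE, ENCRYPT_METHOD and HMAC_CRYPTO_ALGO are intentionally not patched: the base image already sets the values the old full file carried.`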
@@ -1,116 +0,0 @@
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR /var/spool/mail
-
-# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
-
-# Default initial "umask" value used by login(1) on non-PAM enabled systems.
-# Default "umask" value for pam_umask(8) on PAM enabled systems.
-# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories if HOME_MODE is not set.
-# 022 is the default value, but 027, or even 077, could be considered
-# for increased privacy. There is no One True Answer here: each sysadmin
-# must make up their mind.
-UMASK 027
-
-# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
-# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-HOME_MODE 0700
-
-# Password aging controls:
-#
-# PASS_MAX_DAYS Maximum number of days a password may be used.
-# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_MIN_LEN Minimum acceptable password length.
-# PASS_WARN_AGE Number of days warning given before a password expires.
-#
-PASS_MAX_DAYS 99999
-PASS_MIN_DAYS 0
-PASS_WARN_AGE 7
-
-
-#
-# Min/max values for automatic uid selection in useradd(8)
-#
-UID_MIN 1000
-UID_MAX 60000
-# System accounts
-SYS_UID_MIN 201
-SYS_UID_MAX 999
-# Extra per user uids
-SUB_UID_MIN 524288
-SUB_UID_MAX 600100000
-SUB_UID_COUNT 65536
-
-#
-# Min/max values for automatic gid selection in groupadd(8)
-#
-GID_MIN 1000
-GID_MAX 60000
-# System accounts
-SYS_GID_MIN 201
-SYS_GID_MAX 999
-# Extra per user group ids
-SUB_GID_MIN 524288
-SUB_GID_MAX 600100000
-SUB_GID_COUNT 65536
-
-#
-# If set to MD5, MD5-based algorithm will be used for encrypting password
-# If set to SHA256, SHA256-based algorithm will be used for encrypting password
-# If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
-# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
-#
-ENCRYPT_METHOD YESCRYPT
-
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR /var/spool/mail
-
-# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
-# If HOME_MODE is not set, the value of UMASK is used to create the mode.
-HOME_MODE 0700
-
-#
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
-#
-# Define the YESCRYPT cost factor.
-# With a higher cost factor, it is more difficult to brute-force the password.
-# However, more CPU time and more memory will be needed to authenticate users
-# if this value is increased.
-#
-# If not specified, a cost factor of 5 will be used.
-# The value must be within the 1-11 range.
-#
-YESCRYPT_COST_FACTOR 11
-
-#
-# Enables userdel(8) to remove user groups if no members exist.
-#
-USERGROUPS_ENAB yes
-
-#
-# If useradd(8) should create home directories for users by default (non
-# system users only).
-# This option is overridden with the -M or -m flags on the useradd(8)
-# command-line.
-#
-CREATE_HOME yes
-
-#
-# Select the HMAC cryptography algorithm.
-# Used in pam_timestamp module to calculate the keyed-hash message
-# authentication code.
-#
-# Note: It is recommended to check hmac(3) to see the possible algorithms
-# that are available in your system.
-#
-HMAC_CRYPTO_ALGO SHA512
\ No newline at end of file
diff --git a/recipes/common/common-scripts.yml b/recipes/common/common-scripts.yml
index ddede0ce0..0155e5a7b 100644
--- a/recipes/common/common-scripts.yml
+++ b/recipes/common/common-scripts.yml
@@ -8,3 +8,4 @@ scripts:
 - disablegeoclue.sh
 - enablesecurebluefirstrun.sh
 - createjustcompletions.sh
+ - patchcommonconf.sh