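# Source the shared build helpers that sit next to this build file.
# The expansion is quoted so a BUILDFILE path containing spaces or glob
# characters cannot split into several words or expand to another file.
# Whatever common.sh contains is executed in this shell, so it runs with
# the same privileges as the build itself.
. "${BUILDFILE%/*}/common.sh"
pkgver=20180910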
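#######################################
# Populate the package tree with the sudo policy for the `wheel` group
# and an extended integrity check for shadow.service.
# Globals:   depends (appended with sudo and shadow)
# Arguments: none
# Outputs:   files under ./etc, relative to the current directory
# Notes:     preamble, add-file and postamble are not defined in this
#            file; presumably they come from common.sh.
#            Heredoc bodies are kept flush left so they do not depend on
#            tab indentation surviving an editor or a paste.
#######################################
package() {
  preamble

  # #### users
  depends+=(sudo shadow)

  # `/etc/sudoers.d/00-wheel` gives sudo access to everyone in the
  # `wheel` group: any command, as any user, after entering a password.
  # Membership of `wheel` is therefore equivalent to root and should be
  # audited like root access.
  # NOTE(review): sudoers drop-ins are conventionally mode 0440; the mode
  # add-file applies by default is not visible here. Confirm it, or pass
  # an explicit -m option as done for the script below.
  install -d etc
  install -dm750 etc/sudoers.d
  add-file etc/sudoers.d/00-wheel <<-'EOF'
%wheel ALL=(ALL) ALL
EOF

  # The `shadow.service` has been extended to:
  #
  # - sort the files if they otherwise are ok. This makes dealing with
  #   pacman updates and such easier
  # - check that no account has an empty password field
  #
  # This could have been done in a very long one-liner in `ExecStart=`,
  # but at some point it became easier to just move it to a real script
  # file.
  #
  # The empty `ExecStart=` clears the command inherited from the unit
  # before the replacement is set.
  add-file etc/systemd/system/shadow.service.d/extra.conf <<-'EOF'
[Service]
ExecStart=
ExecStart=/etc/systemd/system/shadow
EOF

  add-file -m755 etc/systemd/system/shadow <<-'EOF'
#!/bin/sh
r=0
set -x
# Always run all checks, but fail the service if any fail
# Extra: Sort the files if the integrity checks pass
/usr/bin/pwck -r && /usr/bin/pwck -s || r=1
/usr/bin/grpck -r && /usr/bin/grpck -s || r=1
# Extra: Check that all users require a password, if login is enabled
# (the pattern flags every entry with an empty second field; it does
# not look at the login shell).
# grep exits 0 on a match, 1 on no match and 2 on error. Only 1 is a
# pass: a file that cannot be read must fail the check, not skip it.
/usr/bin/grep '^[^:]*::' /etc/passwd /etc/shadow
case $? in
  1) ;;
  *) r=1 ;;
esac
exit $r
EOF

  postamble
}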