Split out host specific from FileVault module
This commit is contained in:
committed by
T. R. Bernstein
parent
d1bd48f22a
commit
99236a577b
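--- a/modules/02-single-filevault-user.sh
+++ b/modules/02-single-filevault-user.sh
@@ -0,0 +1,143 @@
+#!/usr/bin/env zsh
+# vi: set ft=zsh tw=80 ts=2
+
+function getDefaultFilevaultUsername() {
+print 'azwdevice'
+}
+
+function createEnsurerBinary() {
+[[ -x $binaryPath ]] && return
+cat > $binaryPath <<- BINARY
+#!/usr/bin/env zsh
+function {
+local username="\$1"
+
+function doesFilevaultUserExist() {
+dscl . -list /Users | grep \${username} >&! /dev/null
+}
+
+function isFilevaultUserEnabled() {
+fdesetup list | grep \${username} &> /dev/null
+}
+
+function isFilevaultEnabled() {
+fdesetup status | grep On &> /dev/null
+}
+
+function allowOnlyFilevaultUserToUnlock() {
+local fdeuser
+for fdeuser in \${(f)"\$(fdesetup list | cut -d',' -f1)"}; do
+[[ \${fdeuser} != \${username} ]] && fdesetup remove -user "\${fdeuser}"
+done
+return 0
+}
+
+[[ \$(id -un) == 'root' ] || return
+isFilevaultEnabled || return
+doesFilevaultUserExist && isFilevaultUserEnabled && allowOnlyFilevaultUserToUnlock
+}
+BINARY
+chown root:wheel $binaryPath
+chmod ug=rx,o=r $binaryPath
+}
+
+function createLaunchDaemon() {
+cat > ${launchDaemonPath} <<- LDAEMON
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>Label</key>
+<string>${serviceName}</string>
+<key>ProgramArguments</key>
+<array>
+<string>${$binaryPath}</string>
+<string>${filevault_username}</string>
+</array>
+<key>OnDemand</key>
+<false/>
+<key>LaunchOnlyOnce</key>
+<true/>
+</dict>
+</plist>
+LDAEMON
+ensureRightAccess ${launchDaemonPath}
+chown root:wheel $binaryPath
+chmod ugo=r $binaryPath
+}
+
+function enableLaunchDaemon() {
+launchctl enable system/${launchDaemonPath%.*}
+launchctl bootstrap system ${launchDaemonPath}
+}
+
+function createLaunchdService() {
+local serviceName='de.astzweig.macos.launchdaemons.ensure-single-filevault-user'
+local launchDaemonPath="/Library/LaunchDaemons/${serviceName}.plist"
+[[ -f ${launchDaemonPath} ]] || indicateActivity -- 'Create Launch Daemon' createLaunchDaemon
+indicateActivity -- 'Enable Launch Daemon' enableLaunchDaemon
+}
+
+function configure_system() {
+lop -y h1 -- -i 'Allow only Filevault user to unlock disk'
+local binaryPath = '/usr/local/bin/ensure-single-filevault-user'
+indicateActivity -- 'Create ensurer binary' createEnsurerBinary
+createLaunchdService
+}
+
+function getHelpPrerequisites() {
+cmds=()
+addDocoptsToCmds
+}
+
+function getQuestionsPrerequisites() {
+cmds=()
+}
+
+function getExecPrerequisites() {
+cmds=(
+[awk]=''
+[cat]=''
+[fdesetup]=''
+)
+requireRootPrivileges
+}
+
+function getQuestions() {
+local defaultUsername="`getDefaultFilevaultUsername`"
+questions=(
+'i: filevault-username=What shall the FileVault user'\''s username be? # default:'"${defaultUsername}"
+)
+}
+
+function getUsage() {
+local cmdName=$1 text='' varname=
+local defaultUsername="`getDefaultFilevaultUsername`"
+read -r -d '' text <<- USAGE
+Usage:
+$cmdName show-questions [<modkey> <modans>]...
+$cmdName [-v] [-d FILE] [--filevault-username NAME]
+
+Create a script that ensures only a specified user of all FileVault enabled
+users can unlock FileVault. That way a secure password can be used to
+unlock the disk as opposed to macOS standard, where each user is allowed to
+unlock the disk with his password that may or may not be secure (in terms of
+length and randomness).
+
+Options:
+--filevault-username NAME Username of the designated FileVault user [default: ${defaultUsername}].
+-d FILE, --logfile FILE Print log message to logfile instead of stdout.
+-v, --verbose Be more verbose.
+----
+$cmdName 0.1.0
+Copyright (C) 2022 Rezart Qelibari, Astzweig GmbH & Co. KG
+License EUPL-1.2. There is NO WARRANTY, to the extent permitted by law.
+USAGE
+print -- ${text}
+}
+
+if [[ "${ZSH_EVAL_CONTEXT}" == toplevel ]]; then
+test -f "${ASTZWEIG_MACOS_SYSTEM_LIB}" || { echo 'This module requires macos-system library. Please run again with macos-system library provieded as a path in ASTZWEIG_MACOS_SYSTEM_LIB env variable.'; return 10 }
+source "${ASTZWEIG_MACOS_SYSTEM_LIB}"
+module_main $0 "$@"
+fi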
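Review bot: In configure_system the assignment `local binaryPath = '/usr/local/bin/ensure-single-filevault-user'` has spaces around `=`, so binaryPath is declared empty and every later `$binaryPath` use (the `[[ -x ]]` guard, the `cat >` redirect, the chown/chmod calls, the plist ProgramArguments) operates on an empty path; it should read `local binaryPath='/usr/local/bin/ensure-single-filevault-user'`. Inside the generated script, `[[ \$(id -un) == 'root' ]` never closes its `[[`, and `grep \${username}` in doesFilevaultUserExist and isFilevaultUserEnabled is an unanchored substring match, so an account whose name merely contains the configured username passes both checks even when the exact account is not FileVault-enabled, after which allowOnlyFilevaultUserToUnlock removes every listed user that is not that exact name — match whole lines on the user-name column instead (e.g. `grep -qx -- "\${username}"` against the `dscl` output and against `fdesetup list | cut -d',' -f1`). In createLaunchDaemon the trailing `chown root:wheel $binaryPath` / `chmod ugo=r $binaryPath` act on the binary rather than the plist that ensureRightAccess was just given, and `ugo=r` strips the execute bit createEnsurerBinary set with `ug=rx`, so launchd cannot run the program; likewise `launchctl enable system/${launchDaemonPath%.*}` passes a filesystem path where the service label `system/${serviceName}` is expected. The plist line `<string>${$binaryPath}</string>` is presumably meant to be `<string>${binaryPath}</string>`.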