From dd14a7922e732fbaaf47509850df4022d29be016 Mon Sep 17 00:00:00 2001
From: "T. R. Bernstein" <137705289+trbernstein@users.noreply.github.com>
Date: Mon, 1 Jul 2024 21:52:15 +0200
Subject: [PATCH] Use azw binary in launch daemon
---
bin/azw-ensure-single-fv-user | 36 +++++++++++++++++++++++++
modules/01-install-zsh-libraries.sh | 2 +-
modules/02-single-filevault-user.sh | 41 ++---------------------------
3 files changed, 39 insertions(+), 40 deletions(-)
create mode 100755 bin/azw-ensure-single-fv-user
diff --git a/bin/azw-ensure-single-fv-user b/bin/azw-ensure-single-fv-user
new file mode 100755
index 0000000..9526b85
--- /dev/null
+++ b/bin/azw-ensure-single-fv-user
@@ -0,0 +1,36 @@
+#!/usr/bin/env zsh
+# vi: set ft=zsh tw=80 ts=2
+
+function main {
+ local username="\$1"
+
+ function doesFilevaultUserExist() {
+ dscl . -list /Users | grep \${username} >&! /dev/null
+ }
+
+ function isFilevaultUserEnabled() {
+ fdesetup list | grep \${username} &> /dev/null
+ }
+
+ function isFilevaultEnabled() {
+ fdesetup status | grep On &> /dev/null
+ }
+
+ function allowOnlyFilevaultUserToUnlock() {
+ local fdeuser
+ for fdeuser in \${(f)"\$(fdesetup list | cut -d',' -f1)"}; do
+ [[ \${fdeuser} != \${username} ]] && fdesetup remove -user "\${fdeuser}"
+ done
+ return 0
+ }
+
+ [[ \$(id -un) == 'root' ] || { lop -- -e 'This script needs to be run by root. Aborting.'; return }
+ isFilevaultEnabled || { lop -- -e 'FileVault is disabled. Aborting.'; return }
+ doesFilevaultUserExist && isFilevaultUserEnabled && allowOnlyFilevaultUserToUnlock
+}
+
+if [[ "${ZSH_EVAL_CONTEXT}" == toplevel || "${ZSH_EVAL_CONTEXT}" == cmdarg ]]; then
+ _DIR="${0:A:h}"
+ autoload -w zshlib
+ main "$@"
+fi
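Review bot: The body of `main` still carries the backslash escapes from the heredoc it was lifted out of (lines 21, 24, 28, 37, 38 and 43), so in a standalone script `local username="\$1"` stores the literal text `$1` and `grep \${username}` searches for the literal text `${username}`; `doesFilevaultUserExist` then cannot match a real account and the `&&` chain on line 45 short-circuits without enforcing anything. Every `\$` in the function body should become `$`, e.g. `local username="$1"` and `for fdeuser in ${(f)"$(fdesetup list | cut -d',' -f1)"}; do`. Line 43 also closes its test with a single `]`, which zsh will most likely reject as a parse error; it should read `[[ $(id -un) == 'root' ]] || { lop -- -e 'This script needs to be run by root. Aborting.'; return }`. Once the expansions work, an empty first argument would make both grep checks match every line and `allowOnlyFilevaultUserToUnlock` would then call `fdesetup remove` on every FileVault user, so a guard such as `[[ -n ${username} ]] || { lop -- -e 'No username given. Aborting.'; return }` belongs before the checks. The two `grep ${username}` calls are also substring matches, so a username that is a prefix of another account name would pass; `grep -qx` against the exact field would be tighter.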
diff --git a/modules/01-install-zsh-libraries.sh b/modules/01-install-zsh-libraries.sh
index 112694f..65e8cad 100755
--- a/modules/01-install-zsh-libraries.sh
+++ b/modules/01-install-zsh-libraries.sh
@@ -11,7 +11,7 @@ function createLaunchDaemon() {
${serviceName}
ProgramArguments
- azw
+ /usr/local/bin/azw
update-zsh-libraries
StartCalendarInterval
diff --git a/modules/02-single-filevault-user.sh b/modules/02-single-filevault-user.sh
index 1d50c44..a218c98 100755
--- a/modules/02-single-filevault-user.sh
+++ b/modules/02-single-filevault-user.sh
@@ -5,42 +5,6 @@ function getDefaultFilevaultUsername() {
print 'azwdevice'
}
-function createEnsurerBinary() {
- [[ -x $binaryPath ]] && return
- cat > $binaryPath <<- BINARY
- #!/usr/bin/env zsh
- function {
- local username="\$1"
-
- function doesFilevaultUserExist() {
- dscl . -list /Users | grep \${username} >&! /dev/null
- }
-
- function isFilevaultUserEnabled() {
- fdesetup list | grep \${username} &> /dev/null
- }
-
- function isFilevaultEnabled() {
- fdesetup status | grep On &> /dev/null
- }
-
- function allowOnlyFilevaultUserToUnlock() {
- local fdeuser
- for fdeuser in \${(f)"\$(fdesetup list | cut -d',' -f1)"}; do
- [[ \${fdeuser} != \${username} ]] && fdesetup remove -user "\${fdeuser}"
- done
- return 0
- }
-
- [[ \$(id -un) == 'root' ] || return
- isFilevaultEnabled || return
- doesFilevaultUserExist && isFilevaultUserEnabled && allowOnlyFilevaultUserToUnlock
- }
- BINARY
- chown root:wheel $binaryPath
- chmod ug=rx,o=r $binaryPath
-}
-
function createLaunchDaemon() {
cat > ${launchDaemonPath} <<- LDAEMON
@@ -51,7 +15,8 @@ function createLaunchDaemon() {
${serviceName}
ProgramArguments
- ${binaryPath}
+ /usr/local/bin/azw
+ ensure-single-fv-user
${filevault_username}
OnDemand
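Review bot: The daemon's ProgramArguments now point at `/usr/local/bin/azw`, but nothing in this commit establishes who owns that binary or the script it dispatches to, whereas the deleted `createEnsurerBinary` above explicitly applied `chown root:wheel` and `chmod ug=rx,o=r` to the old target. A LaunchDaemon runs as root unless the plist sets a UserName, and `/usr/local/bin` is commonly writable by an administrator account on macOS, so a writable `azw` or `azw-ensure-single-fv-user` would let a non-root process change what runs as root. Whatever installs `azw` (outside this diff) should set root ownership and remove write bits, or `createLaunchDaemon` should refuse to write the plist otherwise, e.g. `[[ $(stat -f '%u' /usr/local/bin/azw) == 0 ]] || { lop -- -e 'azw is not owned by root. Aborting.'; return }`. The mapping from the `ensure-single-fv-user` argument to `bin/azw-ensure-single-fv-user` is presumably done inside `azw`; that dispatch is not visible here. The enclosing `createLaunchDaemon` heredoc starts and ends outside this hunk.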
@@ -79,8 +44,6 @@ function createLaunchdService() {
function configure_system() {
lop -y h1 -- -i 'Allow only Filevault user to unlock disk'
- local binaryPath='/usr/local/bin/ensure-single-filevault-user'
- indicateActivity -- 'Create ensurer binary' createEnsurerBinary
createLaunchdService
}