spacebar/macos-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
582ce875fbc411ac6cb144b02c250f615b24d6e3
macos-system/modules/02-single-filevault-user.sh
T. R. Bernstein 6461d6143f Fix syntax and naming error
2024-06-28 21:44:11 +02:00

143 lines
4.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env zsh
# vi: set ft=zsh tw=80 ts=2
function getDefaultFilevaultUsername() {
print 'azwdevice'
}
function createEnsurerBinary() {
[[ -x $binaryPath ]] && return
cat > $binaryPath <<- BINARY
#!/usr/bin/env zsh
function {
local username="\$1"
function doesFilevaultUserExist() {
dscl . -list /Users | grep \${username} >&! /dev/null
}
function isFilevaultUserEnabled() {
fdesetup list | grep \${username} &> /dev/null
}
function isFilevaultEnabled() {
fdesetup status | grep On &> /dev/null
}
function allowOnlyFilevaultUserToUnlock() {
local fdeuser
for fdeuser in \${(f)"\$(fdesetup list | cut -d',' -f1)"}; do
[[ \${fdeuser} != \${username} ]] && fdesetup remove -user "\${fdeuser}"
done
return 0
}
[[ \$(id -un) == 'root' ] || return
isFilevaultEnabled || return
doesFilevaultUserExist && isFilevaultUserEnabled && allowOnlyFilevaultUserToUnlock
}
BINARY
chown root:wheel $binaryPath
chmod ug=rx,o=r $binaryPath
}
function createLaunchDaemon() {
cat > ${launchDaemonPath} <<- LDAEMON
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>${serviceName}</string>
<key>ProgramArguments</key>
<array>
<string>${binaryPath}</string>
<string>${filevault_username}</string>
</array>
<key>OnDemand</key>
<false/>
<key>LaunchOnlyOnce</key>
<true/>
</dict>
</plist>
LDAEMON
chown root:wheel $launchDaemonPath
chmod ugo=r $launchDaemonPath
}
function enableLaunchDaemon() {
launchctl enable system/${launchDaemonPath%.*}
launchctl bootstrap system ${launchDaemonPath}
}
function createLaunchdService() {
local serviceName='de.astzweig.macos.launchdaemons.ensure-single-filevault-user'
local launchDaemonPath="/Library/LaunchDaemons/${serviceName}.plist"
[[ -f ${launchDaemonPath} ]] || indicateActivity -- 'Create Launch Daemon' createLaunchDaemon
indicateActivity -- 'Enable Launch Daemon' enableLaunchDaemon
}
function configure_system() {
lop -y h1 -- -i 'Allow only Filevault user to unlock disk'
local binaryPath='/usr/local/bin/ensure-single-filevault-user'
indicateActivity -- 'Create ensurer binary' createEnsurerBinary
createLaunchdService
}
function getHelpPrerequisites() {
cmds=()
addDocoptsToCmds
}
function getQuestionsPrerequisites() {
cmds=()
}
function getExecPrerequisites() {
cmds=(
[awk]=''
[cat]=''
[fdesetup]=''
)
requireRootPrivileges
}
function getQuestions() {
local defaultUsername="`getDefaultFilevaultUsername`"
questions=(
'i: filevault-username=What shall the FileVault user'\''s username be? # default:'"${defaultUsername}"
)
}
function getUsage() {
local cmdName=$1 text='' varname=
local defaultUsername="`getDefaultFilevaultUsername`"
read -r -d '' text <<- USAGE
Usage:
$cmdName show-questions [<modkey> <modans>]...
$cmdName [-v] [-d FILE] [--filevault-username NAME]
Create a script that ensures only a specified user of all FileVault enabled
users can unlock FileVault. That way a secure password can be used to
unlock the disk as opposed to macOS standard, where each user is allowed to
unlock the disk with his password that may or may not be secure (in terms of
length and randomness).
Options:
--filevault-username NAME Username of the designated FileVault user [default: ${defaultUsername}].
-d FILE, --logfile FILE Print log message to logfile instead of stdout.
-v, --verbose Be more verbose.
----
$cmdName 0.1.0
Copyright (C) 2022 Rezart Qelibari, Astzweig GmbH & Co. KG
License EUPL-1.2. There is NO WARRANTY, to the extent permitted by law.
USAGE
print -- ${text}
}
if [[ "${ZSH_EVAL_CONTEXT}" == toplevel ]]; then
test -f "${ASTZWEIG_MACOS_SYSTEM_LIB}" || { echo 'This module requires macos-system library. Please run again with macos-system library provieded as a path in ASTZWEIG_MACOS_SYSTEM_LIB env variable.'; return 10 }
source "${ASTZWEIG_MACOS_SYSTEM_LIB}"
module_main $0 "$@"
fi
Reference in New Issue View Git Blame Copy Permalink