From f2738c399dffe325b5add7b912d9562484f071e3 Mon Sep 17 00:00:00 2001
From: unitexe <unitexe70@gmail.com>
Date: Sat, 3 Jan 2026 15:23:38 -0600
Subject: Introduce core-image-unit

- Add unitexe user
    - Configured for public key authentication SSH
    - Part of sudoers (via drop-in) so admin tasks can be performed
- No root login via SSH or TTY allowed
    - TTY is restricted via PAM
- Added misc. utilities
---
 .../recipes-extended/shadow/shadow-securetty_%.bbappend          | 4 ++++
 meta-unit-core/recipes-extended/sudo/files/50-unitexe            | 1 +
 meta-unit-core/recipes-extended/sudo/sudo_%.bbappend             | 9 +++++++++
 3 files changed, 14 insertions(+)
 create mode 100644 meta-unit-core/recipes-extended/shadow/shadow-securetty_%.bbappend
 create mode 100644 meta-unit-core/recipes-extended/sudo/files/50-unitexe
 create mode 100644 meta-unit-core/recipes-extended/sudo/sudo_%.bbappend

(limited to 'meta-unit-core/recipes-extended')

diff --git a/meta-unit-core/recipes-extended/shadow/shadow-securetty_%.bbappend b/meta-unit-core/recipes-extended/shadow/shadow-securetty_%.bbappend
new file mode 100644
index 0000000..9d17d9b
--- /dev/null
+++ b/meta-unit-core/recipes-extended/shadow/shadow-securetty_%.bbappend
@@ -0,0 +1,4 @@
+do_install:append() {
+    # Empty securetty to disallow root login on all TTYs.
+    echo -n > ${D}${sysconfdir}/securetty
+}
diff --git a/meta-unit-core/recipes-extended/sudo/files/50-unitexe b/meta-unit-core/recipes-extended/sudo/files/50-unitexe
new file mode 100644
index 0000000..744a8a4
--- /dev/null
+++ b/meta-unit-core/recipes-extended/sudo/files/50-unitexe
@@ -0,0 +1 @@
+unitexe ALL=(ALL:ALL) ALL
diff --git a/meta-unit-core/recipes-extended/sudo/sudo_%.bbappend b/meta-unit-core/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..8fa5c5d
--- /dev/null
+++ b/meta-unit-core/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,9 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI:append = " file://50-unitexe"
+
+do_install:append() {
+    install -p -m0440 ${UNPACKDIR}/50-unitexe ${D}${sysconfdir}/sudoers.d/50-unitexe
+}
+
+FILES:${PN}-lib:append = " ${sysconfdir}/sudoers.d/50-unitexe"
-- 
cgit v1.2.3