From 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Fri, 20 Dec 2024 11:04:22 -0600
Subject: [PATCH] Add warning about using non-sysmaint accounts in sysmaint
 mode

---
 usr/libexec/security-misc/pam-info | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 382e2ac..3ffad57 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -76,10 +76,17 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
    sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true
    sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
    if [ "${sysmaint_lock_info}" = 'L' ]; then
-      echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint"
+      echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
    fi
 fi
 
+kernel_cmdline="$(cat /proc/cmdline)"
+
+if [ "$PAM_USER" != 'sysmaint' ] \
+   && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
+   echo "$0: WARNING: Reboot and choose 'PERSISTENT mode USER' for normal work. See https://www.kicksecure.com/wiki/Sysmaint"
+fi
+
 ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
 
 ## Does not work (yet) for login, pam_securetty runs before and aborts.