From 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Fri, 20 Dec 2024 11:04:22 -0600
Subject: [PATCH] Add warning about using non-sysmaint accounts in sysmaint mode
---
 usr/libexec/security-misc/pam-info | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 382e2ac..3ffad57 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -76,10 +76,17 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
 sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true
 sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
 if [ "${sysmaint_lock_info}" = 'L' ]; then
- echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint"
+ echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
 fi
 fi
+kernel_cmdline="$(cat /proc/cmdline)"
+
+if [ "$PAM_USER" != 'sysmaint' ] \
+ && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
+ echo "$0: WARNING: Reboot and choose 'PERSISTENT mode USER' for normal work. See https://www.kicksecure.com/wiki/Sysmaint"
+fi
+
 ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
 ## Does not work (yet) for login, pam_securetty runs before and aborts.
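Review bot: The added `[[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]` test is an unanchored substring match, so a kernel parameter that merely contains that text (a constructed example: `boot-role=sysmaint-extra`) also triggers the warning; matching the whole parameter is more exact, e.g. `[[ " ${kernel_cmdline} " == *' boot-role=sysmaint '* ]]`. The new `kernel_cmdline="$(cat /proc/cmdline)"` also has no failure guard, unlike the `passwd --status sysmaint 2>/dev/null)" || true` line above it; if the script runs with errexit (not visible in this hunk), an unreadable /proc/cmdline would abort this PAM helper, so `kernel_cmdline="$(cat /proc/cmdline 2>/dev/null)" || true` would keep the two reads consistent. As far as the hunk shows, the check only prints a message and does not restrict which account can log in under the sysmaint boot role, which is worth stating in a `##` comment above the new `if` so the warning is not mistaken for an enforcement point.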