lintian FHS

usr/libexec/security-misc/pam-abort-on-locked-password

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This is only a usability feature to avoid needlessly bumping pam_tally2
+## counter. This is not a security feature.
+## https://forums.whonix.org/t/restrict-root-access/7658/1
+
+passwd_bin="$(type -P "passwd")"
+
+if ! test -x "$passwd_bin" ; then
+   echo "\
+$0: ERROR: passwd_bin \"$passwd_bin\" is not executable.
+See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2
+   ## Identifiable exit codes in case stdout / stderr is not logged in journal.
+   exit 2
+fi
+
+if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then
+   echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
+   exit 3
+fi
+
+if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
+   true "INFO: Password not locked."
+else
+   echo "$0: INFO: Password for user \"$PAM_USER\" is locked."
+
+   if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then
+      if [ "$PAM_USER" = "root" ]; then
+         echo "$0: ERROR: root account is locked by default. See:" >&2
+         echo "https://www.whonix.org/wiki/root" >&2
+         echo "" >&2
+         exit 4
+      fi
+   fi
+
+   ## Should not unconditionally 'exit 1' here.
+   ## Locked user accounts might have valid sudoers exceptions.
+   ## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
+   ## 'exit 1' would be good for usability here because then the user would get
+   ## faster feedback. A new login attempt would not be needlessly delayed.
+   exit 0
+fi
+
+exit 0