pam-abort-on-locked-password: more descriptive error handling

https://forums.whonix.org/t/restrict-root-access/7658/1
2024-10-01 08:25:45 -04:00 · 2021-06-20 11:18:56 -04:00 · 2021-06-20 11:18:56 -04:00 · 74e39cbf69
commit 74e39cbf69
parent 0f3dbfc4a1
1 changed files with 13 additions and 3 deletions
--- a/usr/lib/security-misc/pam-abort-on-locked-password
+++ b/usr/lib/security-misc/pam-abort-on-locked-password
@ -7,9 +7,19 @@
 ## counter. This is not a security feature.
 ## https://forums.whonix.org/t/restrict-root-access/7658/1

-if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then
+passwd_bin="$(type -P "passwd")"
+
+if ! test -x "$passwd_bin" ; then
+   echo "\
+$0: ERROR: passwd_bin \"$passwd_bin\" is not executable.
+See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2
+   ## Identifiable exit codes in case stdout / stderr is not logged in journal.
+   exit 2
+fi
+
+if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then
   echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
-   exit 1
+   exit 3
 fi

 if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
@ -22,7 +32,7 @@ else
         echo "$0: ERROR: root account is locked by default. See:" >&2
         echo "https://www.whonix.org/wiki/root" >&2
         echo "" >&2
-         exit 1
+         exit 4
      fi
   fi