pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)

Patrick Schleizer 2022-11-22 05:57:30 -05:00
parent d419898ee4
commit e5255a630a
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 44 additions and 18 deletions


@ -3,3 +3,6 @@
user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
user ALL=NOPASSWD: /usr/bin/faillock-user
%sudo ALL=NOPASSWD: /usr/bin/faillock-user
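Review bot: These two rules grant passwordless sudo for `/usr/bin/faillock-user`, but the wrapper added in this commit is called without sudo by pam-info, and its non-root branch runs `sudo --non-interactive /usr/sbin/faillock`, a command these rules do not cover. Unless another sudoers entry outside this hunk allows it, that call fails for an unprivileged user and the failed-login notice never appears. Keeping the grant on the wrapper is the safer side to fix from, since granting `/usr/sbin/faillock` itself would also hand out its other options such as `--reset`. The caller would then run `sudo --non-interactive /usr/bin/faillock-user`, with the wrapper taking the account from `SUDO_USER`. Ending each entry with an empty argument list, `user ALL=NOPASSWD: /usr/bin/faillock-user ""`, would also make sudo refuse any arguments.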

35
usr/bin/faillock-user Executable file

@ -0,0 +1,35 @@
#!/bin/bash
## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
if ! command -v "/usr/sbin/faillock" &>/dev/null; then
true "$0: ERROR: The faillock program is unavailable, exiting."
exit 2
fi
who_ami="$(whoami)"
if [ "$(id -u)" = "0" ]; then
faillock_program="/usr/sbin/faillock"
else
## as user "user"
## /usr/sbin/faillock -u user
## faillock: Error opening /var/log/tallylog for update: Permission denied
## /usr/sbin/faillock: Authentication error
##
## xscreensaver runs as user "user", therefore pam_faillock cannot function.
## xscreensaver has its own failed login counter.
##
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
##
## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
#true "$0: not started as root, exiting."
#exit 0
faillock_program="sudo --non-interactive /usr/sbin/faillock"
fi
$faillock_program --user "$who_ami"
exit $?
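Review bot: When this wrapper runs as root, `--user "$who_ami"` asks faillock about root rather than the account being authenticated, because `who_ami` comes from `whoami` while the caller pam-info previously passed `$PAM_USER`. In the root branch something like `target_user="${PAM_USER:-$who_ami}"` would keep the old behaviour; whether root-run PAM services reach this path is not visible here, so confirm. The command is also held in a string and expanded unquoted as `$faillock_program`; an array, `faillock_cmd=(sudo --non-interactive /usr/sbin/faillock)` invoked as `"${faillock_cmd[@]}" --user "$target_user"`, avoids depending on word splitting. The `true "$0: ERROR: ..."` line prints nothing unless xtrace is on, so the exit-2 path is silent; a short comment saying that is intentional would help the next reader.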


@ -24,25 +24,13 @@ set -o pipefail
## Debugging. ## Debugging.
who_ami="$(whoami)" who_ami="$(whoami)"
if [ ! "$(id -u)" = "0" ]; then if [ "$PAM_USER" = "" ]; then
## as user "user" true "$0: ERROR: Environment variable PAM_USER is unset!"
## /usr/sbin/faillock -u user
## faillock: Error opening /var/log/tallylog for update: Permission denied
## /usr/sbin/faillock: Authentication error
##
## xscreensaver runs as user "user", therefore pam_faillock cannot function.
## xscreensaver has its own failed login counter.
##
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
##
## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
## TODO: echo -> true
echo "$0: not started as root, exiting."
exit 0 exit 0
fi fi
if ! command -v "faillock" &>/dev/null; then if ! command -v "/usr/bin/faillock-user" &>/dev/null; then
echo "$0: The faillock program is unavailable, exiting." true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting."
exit 0 exit 0
fi fi
@ -102,8 +90,8 @@ fi
## Checking exit code to avoid breaking when read-only disk boot but ## Checking exit code to avoid breaking when read-only disk boot but
## without ro-mode-init or grub-live being used. ## without ro-mode-init or grub-live being used.
if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then if ! pam_faillock_output="$(/usr/bin/faillock-user)" ; then
true "$0: faillock non-zero exit code." true "$0: /usr/bin/faillock-user non-zero exit code."
exit 0 exit 0
fi fi
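Review bot: The new call `pam_faillock_output="$(/usr/bin/faillock-user)"` drops the `2>&1` the old line had, so anything faillock or `sudo --non-interactive` writes to stderr is no longer captured and goes wherever pam-info's stderr points, which during a display-manager login may be the greeter or a log. If that is not intended, keep the redirect: `"$(/usr/bin/faillock-user 2>&1)"`. Combined with the `exit 0` on a non-zero status, a missing or mismatched sudoers grant silently turns off the failed-login notice. A one-line comment stating that this fail-open behaviour is deliberate, or a log line on that path, would make the trade-off explicit. Both hunks sit inside a script whose remainder is not shown here.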