pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)
parent
d419898ee4
commit
e5255a630a
@ -3,3 +3,6 @@
|
|||||||
|
|
||||||
user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
|
user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
|
||||||
%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
|
%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
|
||||||
|
|
||||||
|
user ALL=NOPASSWD: /usr/bin/faillock-user
|
||||||
|
%sudo ALL=NOPASSWD: /usr/bin/faillock-user
|
||||||
|
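Review bot: The two new rules authorise `/usr/bin/faillock-user`, but the privileged call this commit actually makes is a different one: pam-info runs the wrapper without sudo, and the wrapper's non-root branch runs `sudo --non-interactive /usr/sbin/faillock`, which neither rule covers. Unless a rule outside this hunk allows `/usr/sbin/faillock`, that inner sudo presumably fails for a non-root session and pam-info then exits 0 with nothing shown. If the intent is instead that callers run `sudo --non-interactive /usr/bin/faillock-user`, the rule can be pinned to the argument-less form, `user ALL=NOPASSWD: /usr/bin/faillock-user ""`, since the wrapper takes no arguments. The path of this sudoers file is not shown on the page.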
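--- a/usr/bin/faillock-user
+++ b/usr/bin/faillock-user
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if ! command -v "/usr/sbin/faillock" &>/dev/null; then
+true "$0: ERROR: The faillock program is unavailable, exiting."
+exit 2
+fi
+
+who_ami="$(whoami)"
+
+if [ "$(id -u)" = "0" ]; then
+faillock_program="/usr/sbin/faillock"
+else
+## as user "user"
+## /usr/sbin/faillock -u user
+## faillock: Error opening /var/log/tallylog for update: Permission denied
+## /usr/sbin/faillock: Authentication error
+##
+## xscreensaver runs as user "user", therefore pam_faillock cannot function.
+## xscreensaver has its own failed login counter.
+##
+## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
+##
+## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
+#true "$0: not started as root, exiting."
+#exit 0
+
+faillock_program="sudo --non-interactive /usr/sbin/faillock"
+fi
+
+$faillock_program --user "$who_ami"
+
+exit $?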
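Review bot: `faillock_program` stores a whole command line in a string, and the final command expands it unquoted and relies on word splitting; an array keeps the argument boundaries explicit, `faillock_program=(sudo --non-interactive /usr/sbin/faillock)` followed by `"${faillock_program[@]}" --user "$who_ami"`. Because a NOPASSWD rule in this commit lets the script run as root, `whoami`, `id` and `sudo` would be safer called by absolute path, or after setting `PATH` at the top of the script, rather than depending on sudo's environment handling, which is not visible here. The `true "$0: ERROR: ..."` line prints nothing unless xtrace is enabled, so `exit 2` reaches the caller without a diagnostic; if that silence is deliberate for PAM output, a short comment saying so would help the next reader.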
@ -24,25 +24,13 @@ set -o pipefail
|
|||||||
## Debugging.
|
## Debugging.
|
||||||
who_ami="$(whoami)"
|
who_ami="$(whoami)"
|
||||||
|
|
||||||
if [ ! "$(id -u)" = "0" ]; then
|
if [ "$PAM_USER" = "" ]; then
|
||||||
## as user "user"
|
true "$0: ERROR: Environment variable PAM_USER is unset!"
|
||||||
## /usr/sbin/faillock -u user
|
|
||||||
## faillock: Error opening /var/log/tallylog for update: Permission denied
|
|
||||||
## /usr/sbin/faillock: Authentication error
|
|
||||||
##
|
|
||||||
## xscreensaver runs as user "user", therefore pam_faillock cannot function.
|
|
||||||
## xscreensaver has its own failed login counter.
|
|
||||||
##
|
|
||||||
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
|
|
||||||
##
|
|
||||||
## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
|
|
||||||
## TODO: echo -> true
|
|
||||||
echo "$0: not started as root, exiting."
|
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! command -v "faillock" &>/dev/null; then
|
if ! command -v "/usr/bin/faillock-user" &>/dev/null; then
|
||||||
echo "$0: The faillock program is unavailable, exiting."
|
true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting."
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -102,8 +90,8 @@ fi
|
|||||||
|
|
||||||
## Checking exit code to avoid breaking when read-only disk boot but
|
## Checking exit code to avoid breaking when read-only disk boot but
|
||||||
## without ro-mode-init or grub-live being used.
|
## without ro-mode-init or grub-live being used.
|
||||||
if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then
|
if ! pam_faillock_output="$(/usr/bin/faillock-user)" ; then
|
||||||
true "$0: faillock non-zero exit code."
|
true "$0: /usr/bin/faillock-user non-zero exit code."
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
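Review bot: The new lookup `pam_faillock_output="$(/usr/bin/faillock-user)"` drops `$PAM_USER`, and the wrapper added in this commit queries `$(whoami)` instead, so whenever pam-info runs as root on behalf of another account the tally shown would be root's rather than the authenticating user's. The `PAM_USER` emptiness check added in the first hunk then guards a variable this lookup no longer uses. One option is for the wrapper to honour `PAM_USER` only inside its `id -u` = 0 branch, e.g. `who_ami="${PAM_USER:-$(whoami)}"`, while the non-root branch stays limited to the caller's own name. Dropping `2>&1` also means error text from sudo or faillock is no longer captured into `pam_faillock_output` and may reach the login prompt; confirm that is intended. Both hunks belong to a script whose body continues outside the visible lines.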