pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)

etc/sudoers.d/security-misc

@@ -3,3 +3,6 @@
 
 user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
+user ALL=NOPASSWD: /usr/bin/faillock-user
+%sudo ALL=NOPASSWD: /usr/bin/faillock-user

usr/bin/faillock-user

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+## Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if ! command -v "/usr/sbin/faillock" &>/dev/null; then
+   true "$0: ERROR: The faillock program is unavailable, exiting."
+   exit 2
+fi
+
+who_ami="$(whoami)"
+
+if [ "$(id -u)" = "0" ]; then
+   faillock_program="/usr/sbin/faillock"
+else
+   ## as user "user"
+   ## /usr/sbin/faillock -u user
+   ## faillock: Error opening /var/log/tallylog for update: Permission denied
+   ## /usr/sbin/faillock: Authentication error
+   ##
+   ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
+   ## xscreensaver has its own failed login counter.
+   ##
+   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
+   ##
+   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
+   #true "$0: not started as root, exiting."
+   #exit 0
+
+   faillock_program="sudo --non-interactive /usr/sbin/faillock"
+fi
+
+$faillock_program --user "$who_ami"
+
+exit $?

usr/libexec/security-misc/pam-info

@@ -24,25 +24,13 @@ set -o pipefail
 ## Debugging.
 who_ami="$(whoami)"
 
-if [ ! "$(id -u)" = "0" ]; then
-   ## as user "user"
-   ## /usr/sbin/faillock -u user
-   ## faillock: Error opening /var/log/tallylog for update: Permission denied
-   ## /usr/sbin/faillock: Authentication error
-   ##
-   ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
-   ## xscreensaver has its own failed login counter.
-   ##
-   ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
-   ##
-   ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html
-   ## TODO: echo -> true
-   echo "$0: not started as root, exiting."
+if [ "$PAM_USER" = "" ]; then
+   true "$0: ERROR: Environment variable PAM_USER is unset!"
    exit 0
 fi
 
-if ! command -v "faillock" &>/dev/null; then
-   echo "$0: The faillock program is unavailable, exiting."
+if ! command -v "/usr/bin/faillock-user" &>/dev/null; then
+   true "$0: The /usr/bin/faillock-user wrapper is unavailable, exiting."
    exit 0
 fi
 
@@ -102,8 +90,8 @@ fi
 
 ## Checking exit code to avoid breaking when read-only disk boot but
 ## without ro-mode-init or grub-live being used.
-if ! pam_faillock_output="$(faillock --user "$PAM_USER" 2>&1)" ; then
-   true "$0: faillock non-zero exit code."
+if ! pam_faillock_output="$(/usr/bin/faillock-user)" ; then
+   true "$0: /usr/bin/faillock-user non-zero exit code."
    exit 0
 fi