Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-27 18:30:59 -05:00
Code Issues Projects Releases Packages Wiki Activity

Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server: rename files

Browse source 
https://github.com/Kicksecure/security-misc/issues/187
This commit is contained in:
Patrick Schleizer 2025-09-17 14:49:28 -04:00
parent 2de10d5b7b
commit f70550d015
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48
132 changed files with 35 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

53
usr/libexec/security-misc/pam-abort-on-locked-password#security-misc-shared Executable file
View file

@ -0,0 +1,53 @@
#!/bin/bash
## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This is only a usability feature to avoid needlessly bumping pam_faillock
## counter. This is not a security feature.
## https://forums.whonix.org/t/restrict-root-access/7658/1
passwd_bin="$(type -P -- "passwd")"
if ! test -x "$passwd_bin" ; then
echo "\
$0: ERROR: passwd_bin \"$passwd_bin\" is not executable.
See https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2
## Identifiable exit codes in case stdout / stderr is not logged in journal.
exit 2
fi
if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then
echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
exit 3
fi
password_status_field="$(echo "$passwd_output" | cut -d ' ' -f 2)"
if [ "$password_status_field" = "P" ]; then
true "$0: INFO: user \"$PAM_USER\" has a usable password."
elif [ "$password_status_field" = "NP" ]; then
true "$0: INFO: user \"$PAM_USER\" has no password."
elif [ "$password_status_field" = "L" ]; then
echo "$0: INFO: Password for user \"$PAM_USER\" is locked."
if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then
if [ "$PAM_USER" = "root" ]; then
echo "$0: ERROR: root account is locked by default. See:" >&2
echo "https://www.kicksecure.com/wiki/root" >&2
echo "" >&2
exit 4
fi
fi
## Should not unconditionally 'exit 1' here.
## Locked user accounts might have valid sudoers exceptions.
## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
## 'exit 1' would be good for usability here because then the user would get
## faster feedback. A new login attempt would not be needlessly delayed.
exit 0
else
echo "$0: INFO: Password status field for user \"$PAM_USER\" could not be parsed. Please report this bug."
fi
exit 0