mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-19 12:21:33 -05:00
48 lines
1.6 KiB
Bash
Executable File
48 lines
1.6 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## This is only a usability feature to avoid needlessly bumping pam_tally2
|
|
## counter. This is not a security feature.
|
|
## https://forums.whonix.org/t/restrict-root-access/7658/1
|
|
|
|
passwd_bin="$(type -P "passwd")"
|
|
|
|
if ! test -x "$passwd_bin" ; then
|
|
echo "\
|
|
$0: ERROR: passwd_bin \"$passwd_bin\" is not executable.
|
|
See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2
|
|
## Identifiable exit codes in case stdout / stderr is not logged in journal.
|
|
exit 2
|
|
fi
|
|
|
|
if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then
|
|
echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
|
|
exit 3
|
|
fi
|
|
|
|
if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
|
|
true "INFO: Password not locked."
|
|
else
|
|
echo "$0: INFO: Password for user \"$PAM_USER\" is locked."
|
|
|
|
if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then
|
|
if [ "$PAM_USER" = "root" ]; then
|
|
echo "$0: ERROR: root account is locked by default. See:" >&2
|
|
echo "https://www.whonix.org/wiki/root" >&2
|
|
echo "" >&2
|
|
exit 4
|
|
fi
|
|
fi
|
|
|
|
## Should not unconditionally 'exit 1' here.
|
|
## Locked user accounts might have valid sudoers exceptions.
|
|
## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
|
|
## 'exit 1' would be good for usability here because then the user would get
|
|
## faster feedback. A new login attempt would not be needlessly delayed.
|
|
exit 0
|
|
fi
|
|
|
|
exit 0
|