mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-05-06 23:35:00 -04:00
36 lines
1.3 KiB
Bash
Executable file
36 lines
1.3 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## This is only a usability feature to avoid needlessly bumping pam_tally2
|
|
## counter. This is not a security feature.
|
|
## https://forums.whonix.org/t/restrict-root-access/7658/1
|
|
|
|
if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then
|
|
echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
|
|
exit 1
|
|
fi
|
|
|
|
if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
|
|
true "INFO: Password not locked."
|
|
else
|
|
echo "$0: INFO: Password for user \"$PAM_USER\" is locked."
|
|
|
|
if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then
|
|
if [ "$PAM_USER" = "root" ]; then
|
|
echo "$0: ERROR: root account is locked by default. See:" >&2
|
|
echo "https://www.whonix.org/wiki/root" >&2
|
|
echo "" >&2
|
|
fi
|
|
fi
|
|
|
|
## Should not unconditionally 'exit 1' here.
|
|
## Locked user accounts might have valid sudoers exceptions.
|
|
## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
|
|
## 'exit 1' would be good for usability here because then the user would get
|
|
## faster feedback. A new login attempt would not be needlessly delayed.
|
|
exit 0
|
|
fi
|
|
|
|
exit 0
|