From 74e39cbf690dae2bf72bd9f152ea91c364f5feff Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 20 Jun 2021 11:18:56 -0400
Subject: [PATCH] pam-abort-on-locked-password: more descriptive error handling

https://forums.whonix.org/t/restrict-root-access/7658/1
---
 .../security-misc/pam-abort-on-locked-password | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password
index afbfcb1..9f08e77 100755
--- a/usr/lib/security-misc/pam-abort-on-locked-password
+++ b/usr/lib/security-misc/pam-abort-on-locked-password
@@ -7,9 +7,19 @@
 ## counter. This is not a security feature.
 ## https://forums.whonix.org/t/restrict-root-access/7658/1
 
-if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then
+passwd_bin="$(type -P "passwd")"
+
+if ! test -x "$passwd_bin" ; then
+ echo "\
+$0: ERROR: passwd_bin \"$passwd_bin\" is not executable.
+See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2
+ ## Identifiable exit codes in case stdout / stderr is not logged in journal.
+ exit 2
+fi
+
+if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then
 echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
- exit 1
+ exit 3
 fi
 
 if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
@@ -22,7 +32,7 @@ else
 echo "$0: ERROR: root account is locked by default. See:" >&2
 echo "https://www.whonix.org/wiki/root" >&2
 echo "" >&2
- exit 1
+ exit 4
 fi
 fi
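Review bot: The `passwd -S` guard in the first hunk still reports `user "$PAM_USER" does not exist` and exits 3 for any non-zero status, because `2>/dev/null` discards passwd's own diagnostic, so a permission problem or an unsupported option on the resolved binary would be logged as a missing user. Since the exit codes are meant to be identifiable on their own, the message should not assert a cause it cannot see; a wording such as `echo "$0: ERROR: '$passwd_bin -S' failed for user \"$PAM_USER\" (user may not exist)." >&2` keeps the parsing of `$passwd_output` untouched while making the log accurate. Relatedly, when `type -P` finds no passwd at all, `passwd_bin` is empty and the exit-2 message claims an empty path "is not executable"; a preceding `[ -n "$passwd_bin" ] || { echo "$0: ERROR: passwd not found in PATH." >&2 ; exit 2 ; }` would distinguish "not on PATH" from "present but not executable". Note also that `type -P` resolves through whatever PATH the PAM service hands to this script, which the commit does not control; if that environment is not reset before the script runs, pinning an absolute path (or at least logging the resolved `$passwd_bin` on success) would be the more robust choice.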