mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-24 10:06:25 +07:00
Code Issues Packages Projects Releases Wiki Activity

pam-abort-on-locked-password: more descriptive error handling

Browse Source 
https://forums.whonix.org/t/restrict-root-access/7658/1
This commit is contained in:
Patrick Schleizer 2021-06-20 11:18:56 -04:00
parent 0f3dbfc4a1
commit 74e39cbf69
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
usr/lib/security-misc/pam-abort-on-locked-password
View File

@ -7,9 +7,19 @@
## counter. This is not a security feature. ## counter. This is not a security feature.
## https://forums.whonix.org/t/restrict-root-access/7658/1 ## https://forums.whonix.org/t/restrict-root-access/7658/1
if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then passwd_bin="$(type -P "passwd")"
if ! test -x "$passwd_bin" ; then
echo "\
$0: ERROR: passwd_bin \"$passwd_bin\" is not executable.
See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2
## Identifiable exit codes in case stdout / stderr is not logged in journal.
exit 2
fi
if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then
echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
exit 1 exit 3
fi fi
if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
@ -22,7 +32,7 @@ else
echo "$0: ERROR: root account is locked by default. See:" >&2 echo "$0: ERROR: root account is locked by default. See:" >&2
echo "https://www.whonix.org/wiki/root" >&2 echo "https://www.whonix.org/wiki/root" >&2
echo "" >&2 echo "" >&2
exit 1 exit 4
fi fi
fi fi