From 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Wed, 18 Dec 2024 21:34:16 -0600
Subject: [PATCH] Add sysmaint account lock detection
---
 usr/libexec/security-misc/pam-info | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 32fdeaf..adde5bc 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -72,6 +72,14 @@ https://www.kicksecure.com/wiki/root#console
 fi
 fi
+if [ "$PAM_USER" = 'sysmaint' ]; then
+ sysmaint_passwd_info="$(passwd -S sysmaint 2>/dev/null)" || true
+ sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
+ if [ "${sysmaint_lock_info}" = 'L' ]; then
+ echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint"
+ fi
+fi
+
 ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
 ## Does not work (yet) for login, pam_securetty runs before and aborts.
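Review bot: In the added `sysmaint` block, a failing `passwd -S sysmaint` is discarded by `2>/dev/null` together with `|| true`, so when the status cannot be read the lock hint is skipped with no trace of why. Whether pam-info always runs with enough privilege to query another account is not visible in this hunk; if it may not, keep the lookup non-fatal but record the failure, for example `sysmaint_passwd_info="$(passwd -S sysmaint 2>/dev/null)" || echo "$0: WARNING: could not read sysmaint account status" >&2`. The `<<<` here-string needs bash, and the shebang is outside the hunk, so it is worth confirming the script is never run under a POSIX `sh`. A short comment above the comparison would also help, such as `## passwd -S prints "<user> <status> ..."; status 'L' means the password is locked`.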