to avoid needlessly bumping pam_tally2 counter https://forums.whonix.org/t/restrict-root-access/7658/1
Patrick Schleizer committed Aug 17, 2019
1 parent e0e2536, commit 41b2819
Showing 4 changed files with 26 additions and 13 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#!/bin/bash | ||
|
||
if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then | ||
true "INFO: Password not locked." | ||
else | ||
echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2 | ||
|
||
if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then | ||
if [ "$PAM_USER" = "root" ]; then | ||
echo "$0: ERROR: root account is locked by default. See:" >&2 | ||
echo "https://www.whonix.org/wiki/root" >&2 | ||
echo "" >&2 | ||
fi | ||
fi | ||
|
||
exit 1 | ||
fi | ||
|
||
exit 0 |
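Review bot: the `else` branch of the `passwd -S "$PAM_USER" | cut -d ' ' -f 2` test catches every result other than `P`, not only a locked password. An account whose status field is `NP` (no password), or a `passwd -S` call that fails and prints nothing, also ends in the "Password for user ... is locked" message and `exit 1`. Consider storing the status field in a variable, testing explicitly for `L`, and handling other values and a non-zero exit status of `passwd -S` as separate cases so the message matches the real account state. A short comment at the top of the script stating that it is run by pam_exec and relies on `PAM_USER` being set would also help.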
6 changes: 6 additions & 0 deletions
usr/share/pam-configs/pam-abort-on-locked-password-security-misc
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
Name: abort on locked password (by package security-misc) | ||
Default: yes | ||
Priority: 280 | ||
Auth-Type: Primary | ||
Auth: | ||
requisite pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam-abort-on-locked-password |
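Review bot: on the `requisite pam_exec.so debug stdout seteuid ...` line, only `stdout` is passed to pam_exec, while every message in /usr/lib/security-misc/pam-abort-on-locked-password is written with `>&2`. Please confirm the "is locked" messages actually reach the user in this configuration, or have the script write them to stdout. Also consider whether `debug` should stay enabled in a profile that is `Default: yes`, since it applies to every authentication that goes through this stack.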
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
Name: group sudo membership required to use su (by package security-misc) | ||
Default: yes | ||
Priority: 270 | ||
Priority: 280 | ||
Auth-Type: Primary | ||
Auth: | ||
requisite pam_wheel.so group=sudo debug |
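Review bot: the `Priority:` line changes between 270 and 280 (the +/- markers are not visible in this rendering). If 280 is the new value, this profile now has the same Priority as the new "abort on locked password" profile, so the relative order of `pam_wheel.so group=sudo` and the locked-password check is not fixed by the priorities themselves. If the order matters for the goal in the commit message, give the two profiles distinct values and state the intended order in the commit message.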