pam-abort-on-locked-password: more descriptive error handling

https://forums.whonix.org/t/restrict-root-access/7658/1
Kicksecure · Jun 20, 2021 · 74e39cb · 74e39cb
1 parent 0f3dbfc
commit 74e39cb
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password
@@ -7,9 +7,19 @@
 ## counter. This is not a security feature.
 ## https://forums.whonix.org/t/restrict-root-access/7658/1
 
-if ! passwd_output="$(passwd -S "$PAM_USER" 2>/dev/null)" ; then
+passwd_bin="$(type -P "passwd")"
+
+if ! test -x "$passwd_bin" ; then
+   echo "\
+$0: ERROR: passwd_bin \"$passwd_bin\" is not executable.
+See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2
+   ## Identifiable exit codes in case stdout / stderr is not logged in journal.
+   exit 2
+fi
+
+if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then
    echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2
-   exit 1
+   exit 3
 fi
 
 if [ "$(echo "$passwd_output" | cut -d ' ' -f 2)" = "P" ]; then
@@ -22,7 +32,7 @@ else
          echo "$0: ERROR: root account is locked by default. See:" >&2
          echo "https://www.whonix.org/wiki/root" >&2
          echo "" >&2
-         exit 1
+         exit 4
       fi
    fi