[PATCH 2/2] add user:has-locked-password
David Bremner
david at tethera.net
Tue Sep 28 18:28:13 BST 2021
This is useful when access is provided by other means (e.g. ssh keypairs) or
as part of locking a user out completely.
Signed-off-by: David Bremner <david at tethera.net>
---
src/package.lisp | 1 +
src/property/user.lisp | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/src/package.lisp b/src/package.lisp
index c3b1948..96ba7f9 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -450,6 +450,7 @@
#:has-desktop-groups
#:has-login-shell
#:has-enabled-password
+ #:has-locked-password
#:passwd-entry))
(defpackage :consfigurator.property.chroot
diff --git a/src/property/user.lisp b/src/property/user.lisp
index 9e3cf07..61fd37f 100644
--- a/src/property/user.lisp
+++ b/src/property/user.lisp
@@ -109,6 +109,16 @@ and then this property will do nothing."
(:apply
(mrun :input (format nil "~A:~A" username initial-password) "chpasswd")))
+(defprop has-locked-password :posix (username)
+ "Ensure that USERNAME cannot login via a password."
+ (:desc #?"${username} has a locked password")
+ (:check
+ (assert-euid-root)
+ (string= "L" (cadr (split-string (run "passwd" "-S" username)))))
+ (:apply
+ (assert-euid-root)
+ (mrun "passwd" "--lock" username)))
+
(defun passwd-entry (n username-or-uid)
"Get the nth entry in the getent(1) output for USERNAME-OR-UID.
Note that getent(1) is not specified in POSIX so use of this function makes
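Review bot: The docstring of `has-locked-password` should state what a locked password does not cover: `passwd --lock` only disables password authentication, so ssh keys and other login methods keep working and the property alone is not a full lockout. I would extend it to something like `"Ensure that USERNAME cannot login via a password. Does not disable the account; other authentication methods, e.g. ssh keys, are unaffected."`. The `:check` compares the second field of `passwd -S` with `"L"`, which matches the shadow implementation of passwd. Other implementations may print a different status token, in which case `:check` would never succeed and `:apply` would run on every deployment, so a comment naming the assumed output format would help. As far as I know neither `-S` nor `--lock` is specified by POSIX, so a portability note like the one the following `passwd-entry` docstring gives for getent(1) seems appropriate on this `:posix` property too.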
--
2.33.0