[PATCH 2/2] add user:has-locked-password
Sean Whitton
spwhitton at spwhitton.name
Thu Sep 30 00:09:34 BST 2021
Hello,
On Tue 28 Sep 2021 at 02:28PM -03, David Bremner wrote:
> diff --git a/src/property/user.lisp b/src/property/user.lisp
> index 9e3cf07..61fd37f 100644
> --- a/src/property/user.lisp
> +++ b/src/property/user.lisp
> @@ -109,6 +109,16 @@ and then this property will do nothing."
> (:apply
> (mrun :input (format nil "~A:~A" username initial-password) "chpasswd")))
>
> +(defprop has-locked-password :posix (username)
> + "Ensure that USERNAME cannot login via a password."
> + (:desc #?"${username} has a locked password")
> + (:check
> + (assert-euid-root)
> + (string= "L" (cadr (split-string (run "passwd" "-S" username)))))
> + (:apply
> + (assert-euid-root)
> + (mrun "passwd" "--lock" username)))
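Review bot: the :check clause treats the account as locked only when the second whitespace-separated field of the `passwd -S` output is exactly "L", and that output format is an assumption about the passwd implementation that the docstring does not state. If a passwd prints the status differently, :check never returns true and :apply runs `passwd --lock` on every deployment. Suggest saying in the docstring which passwd the property expects, and restricting the property to hosts where both the `-S` output format and the `--lock` option are known to hold. A smaller point: :check uses the short option `-S` while :apply uses the long option `--lock`; using one style in both would read more consistently.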
It looks like --lock is not so portable, as at least FreeBSD's passwd(1)
doesn't have it. Perhaps qualify with OS:DEBIANLIKE and when we have
other Linux distros with types we can make it a disjunct? Qualifying
with OS:LINUX is another option but I am not sure it would be correct.
--
Sean Whitton