author | David Bremner <david@tethera.net> | 2021-09-28 14:28:13 -0300 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-09-29 17:24:31 -0700 |
commit | 214fb5ef7195ef7239f10dcd36c2eaf37b1b5e72 (patch) | |
tree | 79df1e43effe115c74793d7ff669b0691717f06b | |
parent | b40a5930ae62b5491ccf371dd1adbc47290d1953 (diff) | |
download | consfigurator-214fb5ef7195ef7239f10dcd36c2eaf37b1b5e72.tar.gz |
add USER:HAS-LOCKED-PASSWORD
This is useful when access is provided by other means (e.g. ssh keypairs) or
as part of locking a user out completely.
Signed-off-by: David Bremner <david@tethera.net>
-rw-r--r-- | src/package.lisp | 1 | ||||
-rw-r--r-- | src/property/user.lisp | 11 |
2 files changed, 12 insertions, 0 deletions
diff --git a/src/package.lisp b/src/package.lisp
index 09dfd58..74d9fa4 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -451,6 +451,7 @@
 #:has-desktop-groups
 #:has-login-shell
 #:has-enabled-password
+ #:has-locked-password
 #:passwd-entry))
 
 (defpackage :consfigurator.property.chroot
diff --git a/src/property/user.lisp b/src/property/user.lisp
index 516b809..84ddc43 100644
--- a/src/property/user.lisp
+++ b/src/property/user.lisp
@@ -109,6 +109,17 @@ and then this property will do nothing."
 (:apply
 (mrun :input (format nil "~A:~A" username initial-password) "chpasswd")))
 
+(defprop has-locked-password :posix (username)
+ "Ensure that USERNAME cannot login via a password."
+ (:desc #?"${username} has a locked password")
+ (:hostattrs (os:required 'os:debianlike))
+ (:check
+ (assert-euid-root)
+ (string= "L" (cadr (split-string (run "passwd" "-S" username)))))
+ (:apply
+ (assert-euid-root)
+ (mrun "passwd" "--lock" username)))
+
 (defun %getent-entry (n name-or-id &optional (database "passwd"))
 "Get the nth entry in the getent(1) output for NAME-OR-ID in DATABASE."
 (let ((u (etypecase name-or-id |
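Review bot: The docstring of `has-locked-password` in src/property/user.lisp should state what a locked password leaves open, because the commit message mentions "locking a user out completely" and this property alone does not do that. `passwd --lock` only makes the stored password unusable, so key-based SSH and any other non-password authentication keep working, and the account itself is not expired. I would extend the docstring to `"Ensure that USERNAME cannot login via a password. This does not disable the account: other authentication methods, such as SSH keys, are unaffected."`. The `:check` form would also benefit from a comment such as `;; second field of passwd -S is "L" when the password is locked`. That comment would record that the test depends on that output format, which presumably is why the property is limited to `os:debianlike`.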