-rw-r--r--src/package.lisp1
-rw-r--r--src/property/user.lisp11
2 files changed, 12 insertions, 0 deletions
diff --git a/src/package.lisp b/src/package.lisp
index 09dfd58..74d9fa4 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -451,6 +451,7 @@
#:has-desktop-groups
#:has-login-shell
#:has-enabled-password
+ #:has-locked-password
#:passwd-entry))
(defpackage :consfigurator.property.chroot
diff --git a/src/property/user.lisp b/src/property/user.lisp
index 516b809..84ddc43 100644
--- a/src/property/user.lisp
+++ b/src/property/user.lisp
@@ -109,6 +109,17 @@ and then this property will do nothing."
(:apply
(mrun :input (format nil "~A:~A" username initial-password) "chpasswd")))
+(defprop has-locked-password :posix (username)
+ "Ensure that USERNAME cannot login via a password."
+ (:desc #?"${username} has a locked password")
+ (:hostattrs (os:required 'os:debianlike))
+ (:check
+ (assert-euid-root)
+ (string= "L" (cadr (split-string (run "passwd" "-S" username)))))
+ (:apply
+ (assert-euid-root)
+ (mrun "passwd" "--lock" username)))
+
(defun %getent-entry (n name-or-id &optional (database "passwd"))
"Get the nth entry in the getent(1) output for NAME-OR-ID in DATABASE."
(let ((u (etypecase name-or-id
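Review bot: The docstring of `has-locked-password` should state what a locked password does not cover, since `passwd --lock` in the `:apply` form only disables password authentication. The account itself stays enabled, so a user with another credential, such as an SSH key in authorized_keys, can still log in. passwd(1) makes the same point and suggests `usermod --expiredate 1` when the account as a whole has to be disabled. I would add a second docstring sentence along the lines of `Does not disable the account: login by other means, such as SSH keys, is unaffected.` so that nobody relies on this property as a full account lockout.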