fleet/ee/server/service/embedded_scripts/linux_unlock.sh

#!/bin/sh

# Unlock password for all non-root users
awk -F':' '{ if ($3 >= 1000 && $3 < 60000) print $1 }' /etc/passwd | while read user
do
    echo "$user"
    if [ "$user" != "root" ]; then
        echo "Unlocking password for $user"
        STDERR=$(passwd -u "$user" 2>&1 >/dev/null)
        if [ $? -eq 3 ]; then
          # possibly due to the user not having a password
          # use this convoluted case approach to avoid bashisms (POSIX portable)
          case "$STDERR" in
            *"unlocking the password would result in a passwordless account"* )
              # unlock and delete password to set it back to empty
              passwd -ud "$user"
            ;;
          esac
        fi
    fi
done

# Remove the pam_nologin file
[ -f /etc/nologin ] && rm /etc/nologin

# Enable systemd-user-sessions, a service that deletes /etc/nologin
if [ -f /usr/lib/systemd/system/systemd-user-sessions.service ]; then
    systemctl unmask systemd-user-sessions
    systemctl daemon-reload
    /usr/lib/systemd/systemd-user-sessions start
fi

# TODO this should be re-checked and possibly removed in the future.
#
# When we lock a machine using /etc/nologin, GDM seems to get stuck in
# a state where the screen stays black. This didn't used to be the
# case on Ubuntu 22.04. This bug doesn't affect other login managers
# such as lightdm.
#
# Because of a bug, likely in GDM on Ubuntu after 22.04, we have to reboot the
# machine to get the login screen back. Note this bug does not occur
# in Fedora
reboot
Feature: Remote Lock for macOS, Windows and Linux (#16783) Feature branch for the #9949 story. --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com> Co-authored-by: Roberto Dip <me@roperzh.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Sarah Gillespie <sarah@fleetdm.com> 2024-02-13 18:03:53 +00:00			`#!/bin/sh`

			`# Unlock password for all non-root users`
			`awk -F':' '{ if ($3 >= 1000 && $3 < 60000) print $1 }' /etc/passwd \| while read user`
			`do`
			`echo "$user"`
			`if [ "$user" != "root" ]; then`
			`echo "Unlocking password for $user"`
Fix the unlock linux host script to support users without password (#19665) 2024-06-12 13:49:37 +00:00			`STDERR=$(passwd -u "$user" 2>&1 >/dev/null)`
			`if [ $? -eq 3 ]; then`
			`# possibly due to the user not having a password`
			`# use this convoluted case approach to avoid bashisms (POSIX portable)`
			`case "$STDERR" in`
			`"unlocking the password would result in a passwordless account" )`
			`# unlock and delete password to set it back to empty`
			`passwd -ud "$user"`
			`;;`
			`esac`
			`fi`
Feature: Remote Lock for macOS, Windows and Linux (#16783) Feature branch for the #9949 story. --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com> Co-authored-by: Roberto Dip <me@roperzh.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Sarah Gillespie <sarah@fleetdm.com> 2024-02-13 18:03:53 +00:00			`fi`
			`done`
Use PAM nologin to disable Linux Logins (#20699) #20370 2024-07-29 14:00:48 +00:00
			`# Remove the pam_nologin file`
Linux Mask `systemd-user-sessions` (#20877) #20370 Part 2 to #20699. Apparently `systemd` now automatically deletes `/etc/nologin` on startup. In the previous PR, rebooting the machine would remove the nologin file and allow users to login. This PR masks the service that performs the deletion, preventing it from running. The message displayed to the user will be what is specified in [this file](https://github.com/systemd/systemd/blob/7767896d127264f660e1e8a714e5cd760840921f/tmpfiles.d/systemd-nologin.conf#L10). It's not the best, but I suspect messing with too many systemd files could come back to bite us in the future if things change, so I'll leave it as-is. 2024-08-01 14:27:17 +00:00			`[ -f /etc/nologin ] && rm /etc/nologin`

			`# Enable systemd-user-sessions, a service that deletes /etc/nologin`
			`if [ -f /usr/lib/systemd/system/systemd-user-sessions.service ]; then`
			`systemctl unmask systemd-user-sessions`
			`systemctl daemon-reload`
			`/usr/lib/systemd/systemd-user-sessions start`
			`fi`
Add reboot to linux unlock script (#23382) #22437 There is a bug in Ubuntu 24.04's distribution of GDM that prevents it from starting correctly and displaying a prompt to the user if `/etc/nologin` is present. This issue is not present on the current release of Fedora, meaning it is Ubuntu specific. The way we lock users out is by manually creating the `nologin` file and then masking the `systemd-user-sessions` systemd unit, which creates the file on shutdown and deletes it on startup. This will cause a PAM policy to fail and prevents anyone from logging in. When we unlock the system we delete the `nologin` file, unmask the `systemd-user-sessions` unit, and manually run the binary that it should start. This process removes the cause of the GDM bug, but we need to reboot the machine to get GDM working again. While I have not yet been able to determine the exact cause of the bug, this fix will prevent the user from being stuck with a black screen once the machine is unlocked. This fix will not remedy GDM showing a black screen upon being locked, it only ensures that the user isn't stuck having to manually reboot the machine once it's unlocked. We should check back on this soon to see if the bug gets been fixed upstream. 2024-11-11 19:22:22 +00:00
			`# TODO this should be re-checked and possibly removed in the future.`
			`#`
			`# When we lock a machine using /etc/nologin, GDM seems to get stuck in`
			`# a state where the screen stays black. This didn't used to be the`
			`# case on Ubuntu 22.04. This bug doesn't affect other login managers`
			`# such as lightdm.`
			`#`
			`# Because of a bug, likely in GDM on Ubuntu after 22.04, we have to reboot the`
			`# machine to get the login screen back. Note this bug does not occur`
			`# in Fedora`
			`reboot`