fleet/scripts/mdm/linux/linux-lock.sh

#!/bin/sh

# Disable automatic login for common display managers
disable_autologin() {
    # GDM (GNOME Display Manager)
    if [ -f /etc/gdm3/custom.conf ]; then
        sed -i '/^AutomaticLoginEnable/s/^/#/' /etc/gdm3/custom.conf
        sed -i '/^AutomaticLogin/s/^/#/' /etc/gdm3/custom.conf
    fi

    # LightDM
    if [ -f /etc/lightdm/lightdm.conf ]; then
        sed -i '/^autologin-user=/s/^/#/' /etc/lightdm/lightdm.conf
    fi

    # Add similar cases for other display managers if needed
}

# Disable automatic login
disable_autologin

# Loop through all users in /etc/passwd
awk -F':' '{ if ($3 >= 1000 && $3 < 60000) print $1 }' /etc/passwd | while read user
do
    if [ "$user" != "root" ]; then
        echo "Logging out $user"
        pkill -KILL -u "$user" # Kill user processes. This will log out logged-in users.
        passwd -l "$user"      # Lock the user account
    fi
done

# Logout any non-passwd users
logged_in=$(users | tr ' ' '\n' | sort  | uniq)
for user in $logged_in; do
    [ "$user" = "root" ] && continue
    echo "Logging out $user"
    pkill -KILL -u "$user"
done

# Create the pam_nologin file
echo "Locked by administrator" > /etc/nologin

# Disable systemd-user-sessions, a service that deletes /etc/nologin
if [ -f /usr/lib/systemd/system/systemd-user-sessions.service ]; then
    systemctl mask systemd-user-sessions
    systemctl daemon-reload
fi

echo "All non-root users have been logged out and their accounts locked."
Linux and Windows MDM scripts (#15501) 2023-12-12 20:52:27 +00:00			`#!/bin/sh`

			`# Disable automatic login for common display managers`
			`disable_autologin() {`
			`# GDM (GNOME Display Manager)`
			`if [ -f /etc/gdm3/custom.conf ]; then`
			`sed -i '/^AutomaticLoginEnable/s/^/#/' /etc/gdm3/custom.conf`
			`sed -i '/^AutomaticLogin/s/^/#/' /etc/gdm3/custom.conf`
			`fi`

			`# LightDM`
			`if [ -f /etc/lightdm/lightdm.conf ]; then`
			`sed -i '/^autologin-user=/s/^/#/' /etc/lightdm/lightdm.conf`
			`fi`

			`# Add similar cases for other display managers if needed`
			`}`

			`# Disable automatic login`
			`disable_autologin`

			`# Loop through all users in /etc/passwd`
			`awk -F':' '{ if ($3 >= 1000 && $3 < 60000) print $1 }' /etc/passwd \| while read user`
			`do`
			`if [ "$user" != "root" ]; then`
			`echo "Logging out $user"`
			`pkill -KILL -u "$user" # Kill user processes. This will log out logged-in users.`
			`passwd -l "$user" # Lock the user account`
			`fi`
			`done`

Use PAM nologin to disable Linux Logins (#20699) #20370 2024-07-29 14:00:48 +00:00			`# Logout any non-passwd users`
			`logged_in=$(users \| tr ' ' '\n' \| sort \| uniq)`
			`for user in $logged_in; do`
			`[ "$user" = "root" ] && continue`
			`echo "Logging out $user"`
			`pkill -KILL -u "$user"`
			`done`

			`# Create the pam_nologin file`
Linux Mask `systemd-user-sessions` (#20877) #20370 Part 2 to #20699. Apparently `systemd` now automatically deletes `/etc/nologin` on startup. In the previous PR, rebooting the machine would remove the nologin file and allow users to login. This PR masks the service that performs the deletion, preventing it from running. The message displayed to the user will be what is specified in [this file](https://github.com/systemd/systemd/blob/7767896d127264f660e1e8a714e5cd760840921f/tmpfiles.d/systemd-nologin.conf#L10). It's not the best, but I suspect messing with too many systemd files could come back to bite us in the future if things change, so I'll leave it as-is. 2024-08-01 14:27:17 +00:00			`echo "Locked by administrator" > /etc/nologin`

			`# Disable systemd-user-sessions, a service that deletes /etc/nologin`
			`if [ -f /usr/lib/systemd/system/systemd-user-sessions.service ]; then`
			`systemctl mask systemd-user-sessions`
			`systemctl daemon-reload`
			`fi`
Use PAM nologin to disable Linux Logins (#20699) #20370 2024-07-29 14:00:48 +00:00
Linux and Windows MDM scripts (#15501) 2023-12-12 20:52:27 +00:00			`echo "All non-root users have been logged out and their accounts locked."`