fleet/ee/server/service/embedded_scripts/linux_unlock.sh

#!/bin/sh

# Unlock password for all non-root users
awk -F':' '{ if ($3 >= 1000 && $3 < 60000) print $1 }' /etc/passwd | while read user
do
    echo "$user"
    if [ "$user" != "root" ]; then
        echo "Unlocking password for $user"
        STDERR=$(passwd -u "$user" 2>&1 >/dev/null)
        if [ $? -eq 3 ]; then
          # possibly due to the user not having a password
          # use this convoluted case approach to avoid bashisms (POSIX portable)
          case "$STDERR" in
            *"unlocking the password would result in a passwordless account"* )
              # unlock and delete password to set it back to empty
              passwd -ud "$user"
            ;;
          esac
        fi
    fi
done

# Remove the pam_nologin files
[ -f /etc/nologin ] && rm /etc/nologin
[ -f /run/nologin ] && rm /run/nologin

# Remove GDM banner if we set one
if [ -f /etc/dconf/db/gdm.d/99-fleet-lock-banner ]; then
    echo "Removing GDM lock banner"
    rm /etc/dconf/db/gdm.d/99-fleet-lock-banner
    dconf update 2>/dev/null || true
fi

# Remove our custom lock message service
if [ -f /etc/systemd/system/fleet-lock-message.service ]; then
    systemctl stop fleet-lock-message.service 2>/dev/null || true
    systemctl disable fleet-lock-message.service 2>/dev/null
    rm /etc/systemd/system/fleet-lock-message.service
    systemctl daemon-reload
fi

# Enable systemd-user-sessions, a service that deletes /etc/nologin
if [ -f /usr/lib/systemd/system/systemd-user-sessions.service ]; then
    systemctl unmask systemd-user-sessions
    systemctl daemon-reload
    /usr/lib/systemd/systemd-user-sessions start
fi

# Check if we switched to text mode during lock and restore GUI if needed
if [ -f /etc/fleet.text-mode-lock ]; then
    echo "Restoring graphical mode"
    
    # Restore the original systemd target
    if [ -f /etc/fleet.systemd-target.backup ]; then
        TARGET=$(cat /etc/fleet.systemd-target.backup)
        systemctl set-default "$TARGET" 2>/dev/null
        rm /etc/fleet.systemd-target.backup
    else
        # Default to graphical target if no backup found
        systemctl set-default graphical.target
    fi
    
    # Clean up marker file
    rm /etc/fleet.text-mode-lock
    
    # System needs reboot to properly restore GUI
fi

echo "All non-root users have been unlocked."

# Schedule a reboot to resolve UI issues (e.g., password prompt not fully visible in LightDM+Ubuntu24.04)
# We schedule it instead of immediate reboot to ensure the script completes and reports success to Fleet
echo "Scheduling system reboot in 10 seconds to complete unlock process..."
systemd-run --on-active=10s --timer-property=AccuracySec=100ms /sbin/reboot
exit 0
Feature: Remote Lock for macOS, Windows and Linux (#16783) Feature branch for the #9949 story. --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com> Co-authored-by: Roberto Dip <me@roperzh.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Sarah Gillespie <sarah@fleetdm.com> 2024-02-13 18:03:53 +00:00			`#!/bin/sh`

			`# Unlock password for all non-root users`
			`awk -F':' '{ if ($3 >= 1000 && $3 < 60000) print $1 }' /etc/passwd \| while read user`
			`do`
			`echo "$user"`
			`if [ "$user" != "root" ]; then`
			`echo "Unlocking password for $user"`
Fix the unlock linux host script to support users without password (#19665) 2024-06-12 13:49:37 +00:00			`STDERR=$(passwd -u "$user" 2>&1 >/dev/null)`
			`if [ $? -eq 3 ]; then`
			`# possibly due to the user not having a password`
			`# use this convoluted case approach to avoid bashisms (POSIX portable)`
			`case "$STDERR" in`
			`"unlocking the password would result in a passwordless account" )`
			`# unlock and delete password to set it back to empty`
			`passwd -ud "$user"`
			`;;`
			`esac`
			`fi`
Feature: Remote Lock for macOS, Windows and Linux (#16783) Feature branch for the #9949 story. --------- Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com> Co-authored-by: Roberto Dip <me@roperzh.com> Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Sarah Gillespie <sarah@fleetdm.com> 2024-02-13 18:03:53 +00:00			`fi`
			`done`
Use PAM nologin to disable Linux Logins (#20699) #20370 2024-07-29 14:00:48 +00:00
On lock, drop GDM Ubuntu into text mode to work around blank/unresponsive screen. (#32100) Fixes #31291 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Linux lock now switches Ubuntu + GDM systems to text mode to avoid GUI issues. - Persistent lock message is shown and survives reboots. - Unlock restores the original GUI mode automatically when applicable. - Bug Fixes - Prevents black-screen behavior on Ubuntu + GDM after locking by rebooting to text mode. - Ensures lock message consistently appears across sessions. - Improves reliability of session handling during lock/unlock. - Chores - Added change note describing the updated Linux lock behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-08-21 18:55:00 +00:00			`# Remove the pam_nologin files`
Linux Mask `systemd-user-sessions` (#20877) #20370 Part 2 to #20699. Apparently `systemd` now automatically deletes `/etc/nologin` on startup. In the previous PR, rebooting the machine would remove the nologin file and allow users to login. This PR masks the service that performs the deletion, preventing it from running. The message displayed to the user will be what is specified in [this file](https://github.com/systemd/systemd/blob/7767896d127264f660e1e8a714e5cd760840921f/tmpfiles.d/systemd-nologin.conf#L10). It's not the best, but I suspect messing with too many systemd files could come back to bite us in the future if things change, so I'll leave it as-is. 2024-08-01 14:27:17 +00:00			`[ -f /etc/nologin ] && rm /etc/nologin`
On lock, drop GDM Ubuntu into text mode to work around blank/unresponsive screen. (#32100) Fixes #31291 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Linux lock now switches Ubuntu + GDM systems to text mode to avoid GUI issues. - Persistent lock message is shown and survives reboots. - Unlock restores the original GUI mode automatically when applicable. - Bug Fixes - Prevents black-screen behavior on Ubuntu + GDM after locking by rebooting to text mode. - Ensures lock message consistently appears across sessions. - Improves reliability of session handling during lock/unlock. - Chores - Added change note describing the updated Linux lock behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-08-21 18:55:00 +00:00			`[ -f /run/nologin ] && rm /run/nologin`

			`# Remove GDM banner if we set one`
			`if [ -f /etc/dconf/db/gdm.d/99-fleet-lock-banner ]; then`
			`echo "Removing GDM lock banner"`
			`rm /etc/dconf/db/gdm.d/99-fleet-lock-banner`
			`dconf update 2>/dev/null \|\| true`
			`fi`

			`# Remove our custom lock message service`
			`if [ -f /etc/systemd/system/fleet-lock-message.service ]; then`
			`systemctl stop fleet-lock-message.service 2>/dev/null \|\| true`
			`systemctl disable fleet-lock-message.service 2>/dev/null`
			`rm /etc/systemd/system/fleet-lock-message.service`
			`systemctl daemon-reload`
			`fi`
Linux Mask `systemd-user-sessions` (#20877) #20370 Part 2 to #20699. Apparently `systemd` now automatically deletes `/etc/nologin` on startup. In the previous PR, rebooting the machine would remove the nologin file and allow users to login. This PR masks the service that performs the deletion, preventing it from running. The message displayed to the user will be what is specified in [this file](https://github.com/systemd/systemd/blob/7767896d127264f660e1e8a714e5cd760840921f/tmpfiles.d/systemd-nologin.conf#L10). It's not the best, but I suspect messing with too many systemd files could come back to bite us in the future if things change, so I'll leave it as-is. 2024-08-01 14:27:17 +00:00
			`# Enable systemd-user-sessions, a service that deletes /etc/nologin`
			`if [ -f /usr/lib/systemd/system/systemd-user-sessions.service ]; then`
			`systemctl unmask systemd-user-sessions`
			`systemctl daemon-reload`
			`/usr/lib/systemd/systemd-user-sessions start`
			`fi`
Add reboot to linux unlock script (#23382) #22437 There is a bug in Ubuntu 24.04's distribution of GDM that prevents it from starting correctly and displaying a prompt to the user if `/etc/nologin` is present. This issue is not present on the current release of Fedora, meaning it is Ubuntu specific. The way we lock users out is by manually creating the `nologin` file and then masking the `systemd-user-sessions` systemd unit, which creates the file on shutdown and deletes it on startup. This will cause a PAM policy to fail and prevents anyone from logging in. When we unlock the system we delete the `nologin` file, unmask the `systemd-user-sessions` unit, and manually run the binary that it should start. This process removes the cause of the GDM bug, but we need to reboot the machine to get GDM working again. While I have not yet been able to determine the exact cause of the bug, this fix will prevent the user from being stuck with a black screen once the machine is unlocked. This fix will not remedy GDM showing a black screen upon being locked, it only ensures that the user isn't stuck having to manually reboot the machine once it's unlocked. We should check back on this soon to see if the bug gets been fixed upstream. 2024-11-11 19:22:22 +00:00
On lock, drop GDM Ubuntu into text mode to work around blank/unresponsive screen. (#32100) Fixes #31291 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Linux lock now switches Ubuntu + GDM systems to text mode to avoid GUI issues. - Persistent lock message is shown and survives reboots. - Unlock restores the original GUI mode automatically when applicable. - Bug Fixes - Prevents black-screen behavior on Ubuntu + GDM after locking by rebooting to text mode. - Ensures lock message consistently appears across sessions. - Improves reliability of session handling during lock/unlock. - Chores - Added change note describing the updated Linux lock behavior. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-08-21 18:55:00 +00:00			`# Check if we switched to text mode during lock and restore GUI if needed`
			`if [ -f /etc/fleet.text-mode-lock ]; then`
			`echo "Restoring graphical mode"`

			`# Restore the original systemd target`
			`if [ -f /etc/fleet.systemd-target.backup ]; then`
			`TARGET=$(cat /etc/fleet.systemd-target.backup)`
			`systemctl set-default "$TARGET" 2>/dev/null`
			`rm /etc/fleet.systemd-target.backup`
			`else`
			`# Default to graphical target if no backup found`
			`systemctl set-default graphical.target`
			`fi`

			`# Clean up marker file`
			`rm /etc/fleet.text-mode-lock`

			`# System needs reboot to properly restore GUI`
			`fi`

			`echo "All non-root users have been unlocked."`

Delaying reboot so that script can report status. (#33386) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #33381 unreleased Linux unlock bug. # Checklist for submitter ## Testing - [x] QA'd all new/changed functionality manually 2025-09-24 19:25:52 +00:00			`# Schedule a reboot to resolve UI issues (e.g., password prompt not fully visible in LightDM+Ubuntu24.04)`
			`# We schedule it instead of immediate reboot to ensure the script completes and reports success to Fleet`
			`echo "Scheduling system reboot in 10 seconds to complete unlock process..."`
			`systemd-run --on-active=10s --timer-property=AccuracySec=100ms /sbin/reboot`
			`exit 0`