fleet/scripts/mdm/linux/linux-unlock.sh
Dante Catalfamo 3604a9abf8
Add reboot to linux unlock script (#23382)
#22437

There is a bug in Ubuntu 24.04's distribution of GDM that prevents it
from starting correctly and displaying a prompt to the user if
`/etc/nologin` is present. This issue is not present on the current
release of Fedora, meaning it is Ubuntu specific.

The way we lock users out is by manually creating the `nologin` file and
then masking the `systemd-user-sessions` systemd unit, which creates the
file on shutdown and deletes it on startup. This will cause a PAM policy
to fail and prevents anyone from logging in. When we unlock the system
we delete the `nologin` file, unmask the `systemd-user-sessions` unit,
and manually run the binary that it should start.

This process removes the cause of the GDM bug, but we need to reboot the
machine to get GDM working again.

While I have not yet been able to determine the exact cause of the bug,
this fix will prevent the user from being stuck with a black screen once
the machine is unlocked.

This fix will not remedy GDM showing a black screen upon being locked,
it only ensures that the user isn't stuck having to manually reboot the
machine once it's unlocked.

We should check back on this soon to see if the bug gets fixed
upstream.
2024-11-11 14:22:22 -05:00

43 lines
1.5 KiB
Bash

#!/bin/sh

# Unlock password for all non-root users
awk -F':' '{ if ($3 >= 1000 && $3 < 60000) print $1 }' /etc/passwd | while read -r user
do
    echo "$user"
    if [ "$user" != "root" ]; then
        echo "Unlocking password for $user"
        STDERR=$(passwd -u "$user" 2>&1 >/dev/null)
        if [ $? -eq 3 ]; then
            # possibly due to the user not having a password
            # use this convoluted case approach to avoid bashisms (POSIX portable)
            case "$STDERR" in
                *"unlocking the password would result in a passwordless account"* )
                    # unlock and delete password to set it back to empty
                    passwd -ud "$user"
                    ;;
            esac
        fi
    fi
done

# Remove the pam_nologin file
[ -f /etc/nologin ] && rm /etc/nologin

# Enable systemd-user-sessions, a service that deletes /etc/nologin
if [ -f /usr/lib/systemd/system/systemd-user-sessions.service ]; then
    systemctl unmask systemd-user-sessions
    systemctl daemon-reload
    /usr/lib/systemd/systemd-user-sessions start
fi

# TODO this should be re-checked and possibly removed in the future.
#
# When we lock a machine using /etc/nologin, GDM seems to get stuck in
# a state where the screen stays black. This didn't use to be the
# case on Ubuntu 22.04. This bug doesn't affect other login managers
# such as lightdm.
#
# Because of a bug, likely in GDM on Ubuntu after 22.04, we have to reboot the
# machine to get the login screen back. Note this bug does not occur
# in Fedora.
reboot
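
A post-unlock check for the three pieces of lock state described above (`/etc/nologin`, the masked `systemd-user-sessions` unit, and locked passwords), added here as an example and not part of the repository's script. The function names, the optional root-directory argument and the sample tree are assumptions, made so the check can run against constructed data instead of the live system.

```shell
#!/bin/sh
# Added example, not the repository's code. Function names and the
# root-directory argument are assumptions; sample data is constructed.

# Prints one finding per line; returns 0 only when no lock state remains.
check_unlock_state() {
    root="${1:-}"
    findings=""
    nl='
'
    # pam_nologin denies non-root logins while this file exists.
    if [ -e "$root/etc/nologin" ]; then
        findings="${findings}nologin-present${nl}"
    fi
    # `systemctl mask` leaves a symlink to /dev/null in /etc/systemd/system.
    unit="$root/etc/systemd/system/systemd-user-sessions.service"
    if [ -L "$unit" ] && [ "$(readlink "$unit")" = "/dev/null" ]; then
        findings="${findings}unit-masked${nl}"
    fi
    # Same UID range as the unlock script; a leading '!' in the shadow
    # password field is the lock marker that `passwd -u` removes.
    locked=$(awk -F: '
        FILENAME == ARGV[1] { if ($3 >= 1000 && $3 < 60000) want[$1] = 1; next }
        ($1 in want) && $2 ~ /^!/ { print "locked-user:" $1 }
    ' "$root/etc/passwd" "$root/etc/shadow")
    if [ -n "$locked" ]; then
        findings="${findings}${locked}${nl}"
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample tree: nologin present, unit masked, alice locked.
make_locked_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/systemd/system"
    printf 'root:x:0:0::/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$d/etc/passwd"
    printf 'bob:x:1001:1001::/home/bob:/bin/sh\n' >> "$d/etc/passwd"
    printf 'root:!:19000::::::\nalice:!$6$constructed:19000::::::\n' > "$d/etc/shadow"
    printf 'bob:$6$constructed:19000::::::\n' >> "$d/etc/shadow"
    : > "$d/etc/nologin"
    ln -s /dev/null "$d/etc/systemd/system/systemd-user-sessions.service"
    printf '%s\n' "$d"
}

demo=$(make_locked_tree)
if ! check_unlock_state "$demo"; then
    echo "lock state remains; unlock is incomplete"
fi
rm -rf "$demo"
```

Called with no argument on a real host (as root, since it reads `/etc/shadow`), the function inspects the live paths; `root` in the sample shadow file carries `!` but is skipped because its UID is outside the script's range.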