Closed dherder closed 1 month ago
Thanks for tracking this @dherder.
From Slack:
If I'm understanding @mna, it sounds like a relatively quick win if the proposed solution works on Fleet's supported host operating systems:
@noahtalerman this is critical for prospect-redwine. I do believe an order form is out.
Thanks @dherder!
Let's plan to weigh this one at the next feature fest on 2024-08-01. Please let me know if we need to move faster.
Brock: Let's double check that this change doesn't affect this improvement (and vice versa): https://github.com/fleetdm/fleet/issues/18343
@noahtalerman this looks to be completed in #20370
Hey @dherder that's great.
Just checking, with the improvements in #20370, did prospect-redwine confirm that Linux lock now works for them?
@noahtalerman yes, confirmed that the fix is in place.
Thanks @dherder!
I'm closing this issue because, with the fix made in #20370, Linux lock now locks out directory service users.
Lock script transforms,
Like leaves falling, no user
Escapes the firm grasp.
Problem
We have some feedback from prospect-redwine regarding the Lock function on Fedora 40. Specifically, our Linux lock script will check for the user in /etc/passwd, loop through that user list, and log out the user and lock the account. But if there is no local user (i.e., a directory service user is logged in), this approach doesn't work. What about the approach of using /etc/nologin to block user logins?
See https://fleetdm.slack.com/archives/C03C41L5YEL/p1720638181329129
What is the expected workflow as a result of your proposal?
Even if there is no local user in /etc/passwd, the directory service account user should be locked out of the device.
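The gap described in the issue body, shown as an added shell example (this is not Fleet's lock script and does not reflect what #20370 implemented). It contrasts enumerating lockable users from /etc/passwd with enumerating users who actually hold a login session, then blocks further logins with the nologin file the issue proposes. The /etc/passwd contents and the `who` output below are constructed sample data; the directory-service user `jdoe@corp.example` and the parameterised nologin path are assumptions made so the script runs without root.

```shell
#!/bin/sh
# Added example, not Fleet's code: why a /etc/passwd-only scan misses
# directory-service users, and how session enumeration plus /etc/nologin
# covers them. All sample data below is constructed.

# Constructed /etc/passwd: only local accounts. The directory user
# "jdoe@corp.example" (resolved through NSS by SSSD/LDAP) is deliberately
# absent, as on the reporter's Fedora 40 host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin'

# Constructed `who` output: a local user and a directory user are both logged in.
SAMPLE_WHO='alice    tty2         2024-07-10 14:02 (tty2)
jdoe@corp.example pts/0   2024-07-10 14:05 (10.0.0.12)'

# Interactive local accounts a /etc/passwd-driven lock script would act on
# (uid >= 1000, shell that is not nologin/false). Argument: passwd file contents.
passwd_users() {
  printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $7 !~ /nologin|false/ {print $1}'
}

# Users holding a login session, regardless of where their account lives.
# Argument: `who` output. On a real host pass "$(who)".
session_users() {
  printf '%s\n' "$1" | awk '{print $1}' | sort -u
}

# Logged-in users that the passwd-only approach never sees.
# Arguments: passwd file contents, `who` output.
missed_users() {
  passwd_list=$(passwd_users "$1")
  session_users "$2" | while read -r u; do
    printf '%s\n' "$passwd_list" | grep -qx "$u" || printf '%s\n' "$u"
  done
}

# Block further non-root logins: pam_nologin denies login for non-root users
# while this file exists and shows its contents as the denial message.
# The path is a parameter so the function can run unprivileged here;
# on a real host it is /etc/nologin (assumption: the caller passes that path).
write_nologin() {
  nologin_file=$1
  printf '%s\n' "This device has been locked by your administrator." > "$nologin_file"
  chmod 0644 "$nologin_file"
}

# Usage on the sample data: reports the directory user the passwd-only scan misses.
missed_users "$SAMPLE_PASSWD" "$SAMPLE_WHO"
```

Two caveats a practitioner would check before relying on this: /etc/nologin only stops new logins, so existing sessions still have to be ended (for example with `loginctl terminate-user <user>` on a systemd host), and it does not apply to root, so a local root session is unaffected by the file alone.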