fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Linux lock: lock out directory service users #20352

Closed dherder closed 1 month ago

dherder commented 3 months ago

Problem

We have some feedback from prospect-redwine regarding the Lock function on Fedora 40. Specifically, our Linux lock script will check for the user in /etc/passwd, loop through that user list, and log out the user and lock the account. But if there is no local user (i.e., a directory service user is logged in), this approach doesn't work. What about the approach of using /etc/nologin to block user logins?

See https://fleetdm.slack.com/archives/C03C41L5YEL/p1720638181329129

What is the expected workflow as a result of your proposal?

Even if there is no local user in /etc/passwd, the directory service account user should be locked from the device
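The gap described in this issue comes from enumerating /etc/passwd, which only lists local accounts. The script below is an added example, not Fleet's lock script: it enumerates users from active sessions instead, classifies each as local or remote (directory-backed), blocks all new non-root logins by writing /etc/nologin (honoured by pam_nologin on most distributions, Fedora included), then terminates existing sessions and locks the local accounts. It assumes a systemd host with loginctl and usermod and must run as root to do real work; PASSWD_FILE, NOLOGIN_FILE and DRY_RUN are hypothetical knobs added so the classification and command plan can be exercised offline.

```shell
#!/bin/sh
# Added example (not the project's code). Lock out every logged-in user,
# whether or not the user exists in /etc/passwd.
# PASSWD_FILE, NOLOGIN_FILE and DRY_RUN are hypothetical knobs for testing.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
NOLOGIN_FILE="${NOLOGIN_FILE:-/etc/nologin}"
DRY_RUN="${DRY_RUN:-0}"

# True when $1 is defined in the local passwd file. Directory service users
# (SSSD, LDAP, AD) are resolved via NSS and never appear here, which is why
# a passwd-only loop misses them.
is_local_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# Unique users with active sessions, from `who`-style lines on stdin.
# Session data lists every logged-in principal regardless of its source.
active_users() {
    awk '{ print $1 }' | sort -u
}

# Reads user names on stdin, prints "<user> local" or "<user> remote".
classify_users() {
    while read -r u; do
        if is_local_user "$u"; then echo "$u local"; else echo "$u remote"; fi
    done
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Block new logins for everyone except root. pam_nologin exempts root, so an
# administrator can still get in. This does NOT end sessions already open.
block_new_logins() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ write $NOLOGIN_FILE"
    else
        printf 'This device has been locked by your administrator.\n' > "$NOLOGIN_FILE"
    fi
}

# End a user's sessions; additionally lock the password of local accounts.
# usermod -L has nothing to act on for a directory user, so it is skipped;
# the nologin file is what keeps that user out.
lock_user() {
    run loginctl terminate-user "$1"
    if [ "$2" = local ]; then run usermod -L "$1"; fi
}

lock_all() {
    block_new_logins
    who | active_users | classify_users | while read -r u kind; do
        lock_user "$u" "$kind"
    done
}

# Usage: ./lock.sh --lock   (DRY_RUN=1 ./lock.sh --lock to only print the plan)
if [ "${1:-}" = "--lock" ]; then lock_all; fi
```

Order matters: the nologin file goes down before sessions are terminated, so a directory user cannot simply reauthenticate in the window between the two steps. To release the lock, remove the nologin file and run `usermod -U` for the local accounts that were locked.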

noahtalerman commented 3 months ago

Thanks for tracking this @dherder.

From Slack: [screenshot, 2024-07-11 9:36 AM]

If I'm understanding @mna, it sounds like a relatively quick win if the proposed solution works on Fleet's supported host operating systems:

[screenshot, 2024-07-11 9:37 AM]

dherder commented 2 months ago

@noahtalerman this is critical for prospect-redwine. I do believe an order form is out.

noahtalerman commented 2 months ago

Thanks @dherder!

Let's plan to weigh this one at the next feature fest on 2024-08-01. Please let me know if we need to move faster.

JoStableford commented 2 months ago

Related to a Slack conversation

noahtalerman commented 2 months ago

Brock: Let's double check that this change doesn't affect this improvement (and vice versa): https://github.com/fleetdm/fleet/issues/18343

dherder commented 1 month ago

@noahtalerman this looks to be completed in #20370

noahtalerman commented 1 month ago

> @noahtalerman this looks to be completed in https://github.com/fleetdm/fleet/issues/20370

Hey @dherder that's great.

Just checking, with the improvements in #20370, did prospect-redwine confirm that Linux lock now works for them?

dherder commented 1 month ago

@noahtalerman yes, confirmed that the fix is in place.

noahtalerman commented 1 month ago

Thanks @dherder!

I'm closing this issue because, with the fix made in #20370, Linux lock now locks out directory service users.

fleet-release commented 1 month ago

Lock script transforms,
Like leaves falling, no user
Escapes the firm grasp.