system: disable root, but do not lock it; closes #2246

Set password to unreachable "*" instead. Our auth framework already checks for disabled elsewhere. While here inline two functions that are not used anywhere else.
2026-03-20 03:16:12 +00:00 · 2018-06-02 11:22:30 +00:00 · 2018-06-02 11:22:30 +00:00 · 118bedc5df
commit 118bedc5df
parent 01409ac623
1 changed files with 13 additions and 31 deletions
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@ -445,39 +445,44 @@ function local_user_set(&$user, $force_password = false)
        return;
    }

+    @mkdir('/home', 0755);
+
    $user_pass = $user['password'];
    $user_name = $user['name'];
    $user_uid = $user['uid'];
    $lock_account = 'lock';

+    /* unlock valid shell users */
+    if (!isset($user['disabled']) && !(!empty($user['expires']) &&
+        strtotime('-1 day') > strtotime(date('m/d/Y', strtotime($user['expires']))))) {
+        $lock_account = 'unlock';
+    }
+
    if ($user_uid == 0) {
        $user_shell = isset($user['shell']) ? $user['shell'] : '/usr/local/sbin/opnsense-shell';
        $user_group = 'wheel';
        $user_home = '/root';
+
+        if ($lock_account == 'lock') {
+            $lock_account = 'unlock';
+            $user_pass = '*';
+        }
    } else {
        $user_shell = isset($user['shell']) ? $user['shell'] : '/sbin/nologin';
        $user_home = "/home/{$user_name}";
        $user_group = 'nobody';
    }

-    @mkdir('/home', 0755);
-
    /* admins access gives wheely rights */
    if (userHasPrivilege($user, 'page-all')) {
        $user_group = 'wheel';
    }

-    /* unlock valid shell users */
-    if (!is_account_disabled($user_name) && !is_account_expired($user_name)) {
-        $lock_account = 'unlock';
-    }
-
    /* passwords only when integrated auth is disabled or forced */
    if (!$force_password && empty($config['system']['disableintegratedauth'])) {
        $user_pass = '*';
    }

-
    /* read from pw db */
    $fd = popen("/usr/sbin/pw usershow -n {$user_name} 2>&1", "r");
    $pwread = fgets($fd);
@ -706,29 +711,6 @@ function ldap_setup_caenv($authcfg)
    putenv("LDAPTLS_CACERT=/var/run/certs/{$caref['refid']}.ca");
 }

-
-function is_account_expired($username)
-{
-    $user = getUserEntry($username);
-    if (isset($user['expires']) && !empty($user['expires'])) {
-        if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($user['expires'])))) {
-            return true;
-        }
-    }
-
-    return false;
-}
-
-function is_account_disabled($username)
-{
-    $user = getUserEntry($username);
-    if (isset($user['disabled'])) {
-        return true;
-    }
-
-    return false;
-}
-
 function auth_get_authserver($name)
 {
    global $config;