From ded0fee3f4b31c4e8b2ed4cfdf3c6d5f222e231e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 2 Jun 2018 16:58:11 +0200
Subject: [PATCH] system: mention need to unlock a locked root account

When all actions are privilege-separated we can probably strip
this part again.
---
 src/etc/inc/auth.inc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 96d751718..44eeb1768 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -464,6 +464,14 @@ function local_user_set(&$user, $force_password = false)
         $user_home = '/root';
 
         if ($lock_account == 'lock') {
+            /*
+             * The root account should not be locked, as this will have
+             * side-effects such as cron not working correctly.  Set
+             * password to unreachable "*" instead.  Our auth framework
+             * already checks for disabled elsewhere so we only need to
+             * prevent root login in the console when integrated
+             * authentication is off.
+             */
             $lock_account = 'unlock';
             $user_pass = '*';
         }