From 71634a1c03437d062cc77c00267ae51a04f4d576 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9rgio=20Barbosa?=
Date: Sun, 21 Sep 2025 21:57:16 +0100
Subject: [PATCH] Refactor sysadmin password locking logic in setup script to conditionally lock based on the successful creation of an additional user. Improve feedback on sysadmin password status during finalization, enhancing security and user awareness.

---
 setup.sh | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/setup.sh b/setup.sh
index febc3e1..b801090 100755
--- a/setup.sh
+++ b/setup.sh
@@ -455,9 +455,18 @@ configure_security() {
 log "Locking root password..."
 passwd -l root
 
- # Lock sysadmin password
- log "Locking sysadmin password..."
- passwd -l "$SYSADMIN_USER"
+ # Lock sysadmin password only if an additional user was successfully created/configured
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]]; then
+ # Verify the additional user actually exists and can be used
+ if id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
+ log "Locking sysadmin password (additional user $ADDITIONAL_USER is available)..."
+ passwd -l "$SYSADMIN_USER"
+ else
+ warn "Additional user $ADDITIONAL_USER not properly configured - keeping sysadmin password unlocked for safety"
+ fi
+ else
+ warn "No additional user created - keeping sysadmin password unlocked for access"
+ fi
 
 # Configure firewall if requested
 if [[ "$USE_UFW" == "yes" ]]; then
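Review bot: The sudo-membership test `getent group sudo | grep -q "$ADDITIONAL_USER"` in the inner `if` is a substring and regex match over the whole group line (`sudo:x:27:alice,bob`), so a name that is contained in another member's name (e.g. `bob` while only `bobby` is in sudo) passes and the sysadmin password is locked on a false positive, leaving no verified sudo-capable login. An exact membership check is `if id "$ADDITIONAL_USER" &>/dev/null && id -nG "$ADDITIONAL_USER" | tr ' ' '\n' | grep -qxF sudo; then`. The identical expression is repeated in the finalize_setup hunk, so it belongs in one small helper such as `additional_user_ready` that both call sites use. The result of `passwd -l "$SYSADMIN_USER"` is also not checked, and whether `set -e` covers it is not visible from this hunk, so `passwd -l "$SYSADMIN_USER" || warn "failed to lock $SYSADMIN_USER password"` would make the outcome explicit. configure_security begins before this hunk and continues past it.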
@@ -630,7 +639,13 @@ finalize_setup() {
 echo -e "${YELLOW}• Root SSH login: DISABLED${NC}"
 echo -e "${YELLOW}• Root password: LOCKED${NC}"
 echo -e "${YELLOW}• Sysadmin SSH login: DISABLED${NC}"
- echo -e "${YELLOW}• Sysadmin password: LOCKED${NC}"
+
+ # Show sysadmin password status based on actual configuration
+ if [[ "$CREATE_ADDITIONAL_USER" == "yes" && -n "$ADDITIONAL_USER" ]] && id "$ADDITIONAL_USER" &>/dev/null && getent group sudo | grep -q "$ADDITIONAL_USER"; then
+ echo -e "${YELLOW}• Sysadmin password: LOCKED (additional user available)${NC}"
+ else
+ echo -e "${RED}• Sysadmin password: UNLOCKED (no additional user or failed setup)${NC}"
+ fi
 echo -e "${YELLOW}• Main user: $SYSADMIN_USER (sudo access)${NC}"
 
 if [[ -n "$SYSADMIN_NEW_PASSWORD" ]]; then
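Review bot: The new `if` in the summary recomputes the lock decision from live system state instead of reporting what configure_security actually did, so it prints `LOCKED` even when `passwd -l` failed there and repeats the membership test, including its substring-match weakness, from the configure_security hunk. Recording the outcome once, e.g. `SYSADMIN_PASSWORD_LOCKED=yes` immediately after a successful `passwd -l "$SYSADMIN_USER"` in configure_security, and testing `if [[ "${SYSADMIN_PASSWORD_LOCKED:-no}" == "yes" ]]; then` here keeps the report truthful and removes the duplicated logic. The three `echo` lines above it still state `Root password: LOCKED` unconditionally, so if the same pattern is adopted the root line could be driven by a matching flag as well. finalize_setup begins before this hunk and continues past it.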