security(archsetup): lock root account at end of script

Root is locked last so it remains available for recovery if script fails earlier.
Users must use sudo for privileged operations after successful install.

1 files changed, 4 insertions, 0 deletions

diff --git a/archsetup b/archsetup
index 73e4365..829fa19 100755
--- a/archsetup
+++ b/archsetup
@@ -1472,6 +1472,10 @@ outro() {
     action="forcing user password change on first login" && display "task" "$action"
     chage -d 0 "$username"  >> "$logfile" 2>&1 || error "error" "$action" "$?"
 
+    # Lock root account last - if script fails earlier, root is still available for recovery
+    action="locking root account (use sudo instead)" && display "task" "$action"
+    passwd -l root >> "$logfile" 2>&1 || error "error" "$action" "$?"
+
     display "subtitle" "Statistics"
     action="identifying newly installed packages" && display "task" "$action"
     pacman -Q > "$packages_after"  || error "error" "$action" "$?"