From c01aed56f58648a18ccde317d45b14e53ea753c1 Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Sat, 17 Jan 2026 23:58:48 -0600
Subject: security(archsetup): lock root account at end of script

Root is locked last so it remains available for recovery if script fails earlier. Users must use sudo for privileged operations after successful install.
---
 archsetup | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'archsetup')

diff --git a/archsetup b/archsetup
index 73e4365..829fa19 100755
--- a/archsetup
+++ b/archsetup
@@ -1472,6 +1472,10 @@ outro() {
 action="forcing user password change on first login" && display "task" "$action"
 chage -d 0 "$username" >> "$logfile" 2>&1 || error "error" "$action" "$?"
 
+ # Lock root account last - if script fails earlier, root is still available for recovery
+ action="locking root account (use sudo instead)" && display "task" "$action"
+ passwd -l root >> "$logfile" 2>&1 || error "error" "$action" "$?"
+
 display "subtitle" "Statistics"
 action="identifying newly installed packages" && display "task" "$action"
 pacman -Q > "$packages_after" || error "error" "$action" "$?"
--
cgit v1.2.3
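Review bot: The added `passwd -l root` runs without first confirming that "$username" can actually use sudo, so if the sudoers setup earlier in the script (not visible in this hunk) did not take effect, a successful lock leaves the machine with no privileged login at all. I would gate the lock on a check of that user's sudo rights, for example `sudo -l -U "$username" >> "$logfile" 2>&1` (confirm its exit status distinguishes a user with no sudo rights), and skip the lock with a warning when the check fails. The comment above the lock should also state two limits: `passwd -l` only disables the password, so root can still authenticate with other credentials such as an SSH key in root's authorized_keys, and with root locked, sulogin in systemd rescue/emergency mode will normally refuse access, so recovery after this point needs live media. outro() starts and ends outside the hunk.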