I have functionality on a server that allows users to decrypt and mount a LUKS partition as needed to provide access to data via a web browser. I wanted to make the ability to open it available via the browser interface, to make it easier and so that I do not have to give everyone SSH access. I tried giving www-data NOPASSWD access to run cryptsetup and mount via sudo to achieve this. I am getting an error that seems to be a Whonix hardening measure:
/usr/lib/security-misc/pam-abort-on-locked-password: ERROR: Password for user “www-data” is locked.
References to this are here: GitHub - Kicksecure/security-misc - https://www.kicksecure.com/wiki/Security-misc
and here: http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Dev/Strong_Linux_User_Account_Isolation
I don’t know how to disable that security measure or how much of a security risk it would be to do so.
Any suggestions on the best way to achieve my end goal are appreciated.