Bug#78961: [Pkg-shadow-devel] Bug#78961: passwd treats expiry=0 as expired while chage doesn't

Alexander Gattin <arg@online.com.ua>, 78961@bugs.debian.org
Mon, 28 Mar 2005 22:39:59 +0300


Hi, Nicolas!

On Mon, Mar 28, 2005 at 01:24:04AM +0200, Nicolas François wrote:
> > If the user has the expiry field[0] set to 0 in /etc/shadow, the passwd
> > command treats it as an expired account[1] whereas chage[2] displays
> > that it will never expire. Removing the 0 to make the field empty makes
> > passwd[3] and chage[2] accept it. I can ssh in with openssh.
...
> su considers the password will never expire, as chage does.
> passwd considers it has expired.
...
> > This did not happen in Debian 2.1. In Red Hat 7.0 you can neither su to
> > the account (from non-root), run passwd nor login with openssh.
> > 
> > The question is.. what's right? is 0 disabled or enabled? Just lack of
> > good spec?

IMHO, the right way is to treat the semantics of
shadow's 8th field literally. I.e. value of 0 should
mean that account expires Jan 1, 1970. Period.

Everything else should be fixed accordingly. Debian
2.1 and RH7.0 did the things right in this aspect.

> That is the question, and the reason why I'm CCing the Debian PAM
> maintainer.
> Maybe Tomasz, you can also help on this issue.

Tomasz could consult us about Solaris behavior
with regard to these matters. ;)

> Is there a specification on the expiry field?

I'd love to know, too...

> IMHO PAM is standardized by the Open Group, but
> to what extent?

I would not rely upon "PAM specification" :-/.

> Currently, the best solution I can see is to document the fact that an
> expiry field of 0 means the password never expires

With this you propose to kill any distinction between
0 value in the 8th shadow field and _no_ _value_ in it.

// None vs. 0 concept

None == no expiration
0    == earliest possible expiration

-- 
WBR,
xrgtn
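
The None-versus-0 distinction from the message above, as an added example that is not part of the original message or of the shadow code base: a parser that keeps an empty 8th field (None) apart from 0, and lists the accounts whose expiry status depends on which reading a tool applies. The sample lines, function names and the "expired from the expiry day onward" comparison are assumptions made for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample lines in shadow(5) layout (nine colon-separated fields).
SAMPLE = [
    "alice:!:12870:0:99999:7:::",       # field 8 empty
    "bob:!:12870:0:99999:7::0:",        # field 8 is 0
    "carol:!:12870:0:99999:7::12000:",  # field 8 is a day in 2002
    "dave:!:12870:0:99999:7::20000:",   # field 8 is a day in 2024
]


def parse_expire(line):
    """Return (user, expire); expire is None for an empty 8th field,
    otherwise an int (days since 1970-01-01), so None and 0 stay distinct."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields: %r" % line)
    raw = fields[7]
    return fields[0], (None if raw == "" else int(raw))


def is_expired(expire, today, zero_means_never):
    """Assumption: an account counts as expired from its expiry day onward."""
    if expire is None or (expire == 0 and zero_means_never):
        return False
    return (today - EPOCH).days >= expire


def audit(lines, today):
    """Map user -> (literal, zero_means_never) verdicts where they disagree."""
    out = {}
    for line in lines:
        user, expire = parse_expire(line)
        literal = is_expired(expire, today, zero_means_never=False)
        lenient = is_expired(expire, today, zero_means_never=True)
        if literal != lenient:
            out[user] = (literal, lenient)
    return out


if __name__ == "__main__":
    for user, verdicts in audit(SAMPLE, date(2005, 3, 28)).items():
        print(user, "literal=%s zero_means_never=%s" % verdicts)
```

Only accounts with a literal 0 in the 8th field show up in the output, which makes this a quick way to find entries that different tools would treat differently.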