Bug#78961: [Pkg-shadow-devel] Bug#78961: passwd treats expiry=0 as expired while chage doesn't

Nicolas François, 78961@bugs.debian.org
Mon, 28 Mar 2005 23:56:05 +0200


Hi,

On Mon, Mar 28, 2005 at 10:39:59PM +0300, Alexander Gattin wrote:
> IMHO, the right way is to treat the semantics of
> shadow's 8th field literally. I.e. value of 0 should
> mean that account expires Jan 1, 1970. Period.
> 
> Everything else should be fixed accordingly. Debian
> 2.1 and RH7.0 did the things right in this aspect.

Thanks for your answer Alexander, I now concur in your opinion.


Since the last mail, I had a closer look at PAM.
Debian's PAM treats 0 and "no value" (-1) the same way since #45446.  The
fix (007_modules_pam_unix) was another try at fixing this PAM / chage
difference.

I had a look at other PAM sources (upstream on kernel.org, RedHat Fedora
core 3 and development).  They do not have such a patch.

So I now think the best way is to fix chage so that it does not display
Account Expires:        Never
but
Account Expires:        Jan 01, 1970
(Other changes not related to this field will be needed, e.g. lastday == 0
means that the password must be changed on next login).

This is, I think, the only change for the shadow package (this is IMO
coherent with the chage and shadow.5 pages).


Regarding PAM, I think a big part of 007_modules_pam_unix should be
dropped.  This concerns the handling of the sp_expire, sp_max, sp_inact and
sp_warn fields when they are null.

> Tomasz could consult us about Solaris behavior
> with regard to these matters. ;)

That would be interesting.


I would also like to have Sam Hartman's (Debian PAM maintainer) opinion.
(I will anyway submit a bug to pam because of the pam_sm_acct_mgmt /
pam_sm_chauthtok difference)

Kind Regards,
-- 
Nekral
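
The two readings of the 8th shadow field discussed in this thread, as an added example that is not part of the original message nor code from the shadow or PAM packages: it audits shadow-format lines and flags accounts where the literal reading (0 = Jan 01, 1970) and the "0 is the same as no value" reading disagree. The function name, the result keys, the sample lines and the `>=` expiry comparison are assumptions made for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def parse_days(field):
    """Empty field means "no value" (-1); otherwise days since Jan 1, 1970."""
    return int(field) if field.strip() else -1

def audit_shadow_line(line, today):
    """Interpret field 8 (expiry) and field 3 (last change) of one shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    lastchg = parse_days(fields[2])
    expire = parse_days(fields[7])
    today_days = (today - EPOCH).days

    # Literal reading: only an empty field means "never"; 0 is a real date.
    if expire == -1:
        shown = "never"
    else:
        shown = (EPOCH + timedelta(days=expire)).strftime("%b %d, %Y")
    # Assumption: an account counts as expired from the expiry day onwards.
    expired_literal = expire != -1 and today_days >= expire
    # Other reading: 0 is handled like "no value", so it never expires.
    expired_zero_as_unset = expire > 0 and today_days >= expire

    return {
        "name": fields[0],
        "expires": shown,
        "expired_literal": expired_literal,
        "expired_zero_as_unset": expired_zero_as_unset,
        # Tools using different readings give different answers for this account.
        "disagree": expired_literal != expired_zero_as_unset,
        # lastday == 0: password must be changed on next login.
        "must_change": lastchg == 0,
    }

# Constructed sample lines (not taken from any real system).
SAMPLE = [
    "alice:*:19000:0:99999:7:::",       # expiry empty
    "bob:*:19000:0:99999:7::0:",        # expiry 0
    "carol:*:0:0:99999:7::20000:",      # last change 0, expiry in the future
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_shadow_line(entry, date(2005, 3, 28)))
```

Any account reported with `disagree` set is one whose login outcome depends on which reading the checking tool implements, so those entries are the ones to review and set explicitly.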