Bug#389183: (forw) [Pkg-shadow-devel] Re: pam_unix: in 'account' mode, deny authorization if user's account is locked
Nicolas François
nicolas.francois at centraliens.net
Mon Sep 25 22:13:05 UTC 2006
On Mon, Sep 25, 2006 at 06:47:40AM +0200, bubulle at debian.org wrote:
> This suggestion comes from the Debian BTS and turns out to be "passwd
> -l/-u option should edit the shadow account expiry field *in addition*
> to editing the password field".
>
> Tomasz and other contributors to shadow, what's your opinion about it?
This sounds good to me.
I can't think of a situation where it would harm.
I'm attaching a patch.
Due to http://bugs.debian.org/308229 I set the account expiry field to 1
rather than 0. This should be OK (Well, on a system without battery, the
date after a reboot could be 1970-01-01, and the account would not be
expired in that case).
Munging the password field is still necessary (at least on non-shadowed
systems).
There is also another utility that can be used to expire an account,
without munging the password field: chage -E.
Kind Regards,
--
Nekral
-------------- next part --------------
Index: shadow-4.0.18.1/man/passwd.1.xml
===================================================================
--- shadow-4.0.18.1.orig/man/passwd.1.xml 2006-09-25 22:34:52.000000000 +0200
+++ shadow-4.0.18.1/man/passwd.1.xml 2006-09-25 22:46:28.000000000 +0200
@@ -214,7 +214,8 @@
<listitem>
<para>
Lock the named account. This option disables an account by changing
- the password to a value which matches no possible encrypted value.
+ the password to a value which matches no possible encrypted value,
+ and by setting the account expiry field to 1.
</para>
</listitem>
</varlistentry>
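Review bot: the added line "and by setting the account expiry field to 1." documents a magic number without saying what it means; state that the field is a day count since 1970-01-01 (so 1 is 1970-01-02, a date that is always in the past on a system with a working clock), and add why it is 1 and not 0 (the passwd.c comment in this same patch says some PAM implementations treat 0 as "not expired"). The man page should also warn that -l overwrites any expiry date the administrator previously set with chage -E, since the field is not preserved anywhere.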
@@ -275,7 +276,8 @@
<para>
Unlock the named account. This option re-enables an account by
changing the password back to its previous value (to value before
- using <option>-l</option> option).
+ using <option>-l</option> option), and by resetting the account
+ expiry field.
</para>
</listitem>
</varlistentry>
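Review bot: "resetting the account expiry field" is ambiguous and, read against the passwd.c hunk (`nsp->sp_expire = -1;`), misleading: -u does not put the expiry date back to what it was before -l, it removes the expiry date altogether, so an account that had an administrator-set expiry (chage -E) comes out of lock/unlock with no expiry date at all. Either say "removing the account expiry date" plainly, or change the implementation to restore the previous value and document that instead. Minor: since this hunk rewrites the sentence anyway, "changing the password back to its previous value (to value before using -l option)" would read better as "changing the password back to the value it had before -l was used".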
Index: shadow-4.0.18.1/src/passwd.c
===================================================================
--- shadow-4.0.18.1.orig/src/passwd.c 2006-09-25 22:34:45.000000000 +0200
+++ shadow-4.0.18.1/src/passwd.c 2006-09-25 22:52:06.000000000 +0200
@@ -531,6 +531,16 @@
nsp->sp_inact = (inact * DAY) / SCALE;
if (do_update_age)
nsp->sp_lstchg = time ((time_t *) 0) / SCALE;
+ if (lflg)
+ {
+ /* Set the account expiry field to 1.
+ * Some PAM implementation consider zero as a non expired
+ * account.
+ */
+ nsp->sp_expire = 1;
+ }
+ if (uflg)
+ nsp->sp_expire = -1;
/*
* Force change on next login, like SunOS 4.x passwd -e or Solaris
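Review bot: `if (uflg) nsp->sp_expire = -1;` clears the expiry date unconditionally and `nsp->sp_expire = 1;` under `if (lflg)` overwrites it unconditionally, so lock followed by unlock silently discards any expiry date the administrator set with chage -E, and -l alone silently replaces a later expiry date with 1. Safer: only clear on unlock when the field holds the lock sentinel (`if (uflg && nsp->sp_expire == 1)`), and on lock either leave an existing positive expiry date alone (it already locks the account for PAM's account phase) or save it so -u can restore it, the way -l already preserves the hash by prefixing '!'. Two smaller points: the two new `if` blocks use different brace styles from each other and from the surrounding code, and the comment should read "Some PAM implementations consider zero a non-expired account", ideally naming Debian bug #308229 (cited in the mail) so the 1-rather-than-0 choice survives later clean-ups.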