[Pkg-shadow-devel] Bug#389183: passwd: 'passwd -l/-u' should edit the shadow account expiry field *in addition* to editing the password field as they do know
Nicolas François
nicolas.francois at centraliens.net
Sun Aug 3 03:13:57 UTC 2008
tags 389183 wontfix
thanks
This bug is indeed not fixed since its patch was reverted.
I decided to revert it because it breaks some expectations from users
used to passwd -l only locking the passwd.
I could have a look at 3 different sources:
* pwdutils (provides passwd on Suse)
passwd -l is documented as locking the account but only locks the
user's account (as documented by the usage string)
* OpenSolaris
locks the user's password
* fedora's passwd package
passwd -l is documented as locking the account but only locks the
user's account
The reversion was done after 492307, which was triggered by Ubuntu bugs:
* https://bugs.launchpad.net/bugs/185767
* https://bugs.launchpad.net/bugs/238755
* https://bugs.launchpad.net/bugs/251696
These bugs were caused by users expecting passwd -l to only lock the
password / users being recommended to use passwd -l:
https://help.ubuntu.com/community/RootSudo
I currently think that passwd should only touch the password.
(I would also prefer usermod --lock to locks the account)
Together with the reversion of the patch, I documented passwd -l to
actually mention what it really does:
-l, --lock
Lock the password of the named account. This option disables a
password by changing it to a value which matches no possible
encrypted value (it adds a ´!´ at the beginning of the password.
Note that this does not disable the account. The user may still be
able to login using another authentication token (e.g. an SSH key).
To disable the account, administrators should use usermod
--expiredate 1 (this set the account´s expire date to Jan 2, 1970).
Users with a locked password are not allowed to change their
password.
Best Regards,
--
Nekral
More information about the Pkg-shadow-devel
mailing list