[Pkg-shadow-devel] Bug#562221: manpages of passwd and usermod report wrong instructions about locking accounts
Paride Legovini
legovini at spiro.fisica.unipd.it
Wed Dec 23 23:53:15 UTC 2009
On Wed, Dec 23, 2009 at 03:16:52PM -0700, Justin T Pryzby wrote:
> Note that there's chage -E and usermod -e. usermod -e advertizes its
> input as being YYYY-MM-DD, chage advertizes its input as being the
> same, or an integer in days since 1970.
>
> So the problem is that usermod fails to sanitize its input.
I agree, in fact chage.c checks if the argument is a number or a date
(see the third line):
case 'E':
Eflg = true;
if (!isnum (optarg)) {
expdate = strtoday (optarg);
} else if ( (getlong (optarg, &expdate) == 0)
|| (expdate < -1)) {
while in usermod.c there's no such check:
case 'e':
if ('\0' != *optarg) {
user_newexpire = strtoday (optarg);
So it seems to me that we just need to add an isnum() check inside the
if ('\0' != *optarg) conditional. I say inside because we don't want to
break the possibility to run usermod -e '' (null string) to set the
expiration date to 'never'.
Paride
More information about the Pkg-shadow-devel
mailing list