[Pkg-shadow-devel] Bug#562221: manpages of passwd and usermod report wrong instructions about locking accounts

Paride Legovini legovini at spiro.fisica.unipd.it
Wed Dec 23 23:53:15 UTC 2009


On Wed, Dec 23, 2009 at 03:16:52PM -0700, Justin T Pryzby wrote:
> Note that there's chage -E and usermod -e.  usermod -e advertizes its
> input as being YYYY-MM-DD, chage advertizes its input as being the
> same, or an integer in days since 1970.
> 
> So the problem is that usermod fails to sanitize its input.

I agree, in fact chage.c checks if the argument is a number or a date
(see the third line):

case 'E':
        Eflg = true;
        if (!isnum (optarg)) {
                expdate = strtoday (optarg);
        } else if (   (getlong (optarg, &expdate) == 0)
                || (expdate < -1)) {

while in usermod.c there's no such check:

case 'e':
        if ('\0' != *optarg) {
                user_newexpire = strtoday (optarg);

So it seems to me that we just need to add an isnum() check inside the
if ('\0' != *optarg) conditional. I say inside because we don't want to
break the possibility to run usermod -e '' (null string) to set the
expiration date to 'never'.

Paride






More information about the Pkg-shadow-devel mailing list