[Pkg-shadow-devel] Bug#621810: shadow: usermod and passwd man pages wrongly suggest `usermod -e 1` to expire account
enok srd
enoksrd at gmail.com
Sat Apr 9 02:46:45 UTC 2011
Package: shadow
Severity: normal
The usermod and passwd man pages wrongly suggest [1] using

    usermod --expiredate 1 <user>

to expire accounts. Both of

    chage --expiredate 1 <user>

and

    usermod --expiredate 1970-01-02 <user>

do the right thing, but

    usermod --expiredate 1 <user>

sets <user>'s account to expire TOMORROW, because "1" gets interpreted
as today's date! (I don't understand why, but it's probably related to
the gigantic bison grammar in getdate.y ...)

Suggested fix: change `usermod --expiredate` to handle numeric
arguments the same way chage does, and update the usermod man page
accordingly.

Here's some relevant code from usermod and chage in the most recent
source I could find
(ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-4.1.4.3.tar.bz).
Note the isnum check in chage:

shadow-4.1.4.3/src/usermod.c:

    case 'e':
        if ('\0' != *optarg) {
            user_newexpire = strtoday (optarg);
            if (user_newexpire == -1) {
                fprintf (stderr,
                         _("%s: invalid date '%s'\n"),
                         Prog, optarg);
                exit (E_BAD_ARG);
            }
            user_newexpire *= DAY / SCALE;
        } else {
            user_newexpire = -1;
        }
        eflg = true;
        break;

shadow-4.1.4.3/src/chage.c:

    case 'E':
        Eflg = true;
        if (!isnum (optarg)) {
            expdate = strtoday (optarg);
        } else if (   (getlong (optarg, &expdate) == 0)
                   || (expdate < -1)) {
            fprintf (stderr,
                     _("%s: invalid date '%s'\n"),
                     Prog, optarg);
            usage ();
        }
        break;

I experienced this problem on an Ubuntu 10.10 system, but I don't think
that's relevant. Thanks,
-enoksrd

[1] The relevant man page entries:

The passwd man page says:

    -l, --lock
        Lock the password of the named account. This option disables a
        password by changing it to a value which matches no possible
        encrypted value (it adds a ´!´ at the beginning of the password).

        Note that this does not disable the account. The user may still
        be able to login using another authentication token (e.g. an SSH
        key). To disable the account, administrators should use usermod
        --expiredate 1 (this set the accounts expire date to Jan 2, 1970).

        Users with a locked password are not allowed to change their
        password.

and the usermod man page says:

    -L, --lock
        Lock a users password. This puts a ! in front of the encrypted
        password, effectively disabling the password. You cant use this
        option with -p or -U.

        Note: if you wish to lock the account (not only access with a
        password), you should also set the EXPIRE_DATE to 1.

    -e, --expiredate EXPIRE_DATE
        The date on which the user account will be disabled. The date is
        specified in the format YYYY-MM-DD.

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183#122 where
the incorrect suggestion was added to passwd manual page.

-- System Information:
Debian Release: squeeze/sid
APT prefers maverick-updates
APT policy: (500, 'maverick-updates'), (500, 'maverick-security'),
(500, 'maverick-backports'), (500, 'maverick')
Architecture: i386 (i686)
Kernel: Linux 2.6.35-28-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
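
The suggested fix from the report above, sketched as stand-alone C (an added example, not code from shadow or from the reporter): an all-digit argument is taken as a day count since 1970-01-01, as the isnum branch in the chage.c excerpt does, and only other input is parsed as YYYY-MM-DD. The names parse_expire_days, all_digits, EXPIRE_NEVER and EXPIRE_INVALID and the -2 error code are hypothetical, and the date arithmetic here stands in for strtoday().

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define EXPIRE_NEVER   (-1L)  /* empty argument, as in the usermod.c excerpt */
#define EXPIRE_INVALID (-2L)  /* constructed error code, not a shadow value */

/* Days since 1970-01-01 for a Gregorian date (civil-date formula). */
static long days_from_civil(long y, int m, int d)
{
    y -= (m <= 2);                    /* count the year from 1 March */
    long era = y / 400;               /* callers pass y >= 1969 here */
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

static int all_digits(const char *s)
{
    for (; *s != '\0'; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Hypothetical helper: a numeric argument never reaches the date parser. */
long parse_expire_days(const char *arg)
{
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int y, m, d, n = 0;

    if (*arg == '\0')
        return EXPIRE_NEVER;
    if (all_digits(arg)) {            /* "1" means day 1, i.e. 1970-01-02 */
        errno = 0;
        long days = strtol(arg, NULL, 10);
        return (errno == ERANGE) ? EXPIRE_INVALID : days;
    }
    /* Anything else must be exactly YYYY-MM-DD with no trailing text. */
    if (sscanf(arg, "%4d-%2d-%2d%n", &y, &m, &d, &n) != 3 || arg[n] != '\0')
        return EXPIRE_INVALID;
    if (y < 1970 || m < 1 || m > 12 || d < 1)
        return EXPIRE_INVALID;
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    if (d > mdays[m - 1] + (m == 2 && leap))
        return EXPIRE_INVALID;
    return days_from_civil(y, m, d);
}
```

With this handling, `1` and `1970-01-02` yield the same stored value, so the account is already expired on the day the command is run rather than the day after.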