[Pkg-shadow-devel] Bug#1004418: shadow: Improvements for man 8 pwconv
Markus Hiereth
translation at hiereth.de
Thu Jan 27 08:39:58 GMT 2022
Source: shadow
Severity: minor
Dear Serge,
attached the edited xml file for pwconv as discussed in our correspondence
2022-01-24 / 2022-01-27.
The question whether the two phrases
"Some password aging information is lost by <command>pwunconv</command>.
It will convert what it can."
are adequate/necessary remained open. Perhaps you edit them on your own.
> Sadly, the last sentence is needed - there is a comment
> in src/pwunconv.c which explains:
>
> /*
>  * Password aging works differently in the two different
>  * systems. With shadow password files you apparently must
>  * have some aging information. The maxweeks or minweeks
>  * may not map exactly. In pwconv we set max == 10000,
>  * which is about 30 years. Here we have to undo that
>  * kludge. So, if maxdays == 10000, no aging information is
>  * put into the new file. Otherwise, the days are converted
>  * to weeks and so on.
>  */
I was not aware of these details. I just read that pwunconv and
grpunconv delete the shadowed files as the last step of action. On the
other hand, the plain (main) files have just a field for the password,
but no field for password aging information. Therefore I concluded
that password aging information gets lost completely. (And therefore,
Best regards
Markus
-------------- next part --------------
--- shadow-4.8.1/man/pwconv.8.xml 2019-07-23 17:26:08.000000000 +0200
+++ shadow-4.8.1_mh/man/pwconv.8.xml 2022-01-27 09:22:45.352728790 +0100
@@ -71,7 +71,7 @@
<refname>pwunconv</refname>
<refname>grpconv</refname>
<refname>grpunconv</refname>
- <refpurpose>convert to and from shadow passwords and groups</refpurpose>
+ <refpurpose>convert between the system's shadowed and plain account files</refpurpose>
</refnamediv>
<refsynopsisdiv id='synopsis'>
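Review bot: The new refpurpose, "convert between the system's shadowed and plain account files", drops both "passwords" and "groups", and "account files" is not defined anywhere before the DESCRIPTION lists the four files. Since this line is what readers see first for all four commands, consider keeping the keywords, e.g. "convert between shadowed and plain password and group files".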
@@ -104,9 +104,9 @@
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
- The <command>pwconv</command> command creates <emphasis
- remap='I'>shadow</emphasis> from <emphasis remap='I'>passwd</emphasis>
- and an optionally existing <emphasis remap='I'>shadow</emphasis>.
+ The <command>pwconv</command> command creates <filename>
+ shadow</filename> from <filename>passwd</filename>
+ and an optionally existing <filename>shadow</filename>.
</para>
<para condition="tcb">
<command>pwconv</command> does not work with
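Review bot: In the added lines the first file name is split as "<filename>" at the end of one line and "shadow</filename>" at the start of the next, so the element content begins with a line break and indentation. The other hunks keep each "<filename>...</filename>" on one line; do the same here and re-wrap the sentence so that "<filename>shadow</filename>" stays together.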
@@ -117,12 +117,12 @@
using <command>tcb_convert</command> (and re-enable
<option>USE_TCB</option> in <filename>login.defs</filename>.)
</para>
-
+
<para>
- The <command>pwunconv</command> command creates <emphasis
- remap='I'>passwd</emphasis> from <emphasis remap='I'>passwd</emphasis>
- and <emphasis remap='I'>shadow</emphasis> and then removes <emphasis
- remap='I'>shadow</emphasis>.
+ The <command>pwunconv</command> command creates
+ <filename>passwd</filename> from <filename>passwd</filename> and
+ <filename>shadow</filename> and then removes
+ <filename>shadow</filename>.
</para>
<para condition="tcb">
<command>pwunconv</command> does not work with
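Review bot: The first "-"/"+" pair in this hunk replaces one empty-looking line with another, so it is a whitespace-only change unrelated to the wording fix. Please drop it from the patch, or if the intent is to remove trailing whitespace, say so in the report so it is not mistaken for noise.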
@@ -134,16 +134,16 @@
</para>
<para>
- The <command>grpconv</command> command creates <emphasis
- remap='I'>gshadow</emphasis> from <emphasis remap='I'>group</emphasis>
- and an optionally existing <emphasis remap='I'>gshadow</emphasis>.
+ The <command>grpconv</command> command creates
+ <filename>gshadow</filename> from <filename>group</filename> and
+ an optionally existing <filename>gshadow</filename>.
</para>
<para>
- The <command>grpunconv</command> command creates <emphasis
- remap='I'>group</emphasis> from <emphasis remap='I'>group</emphasis>
- and <emphasis remap='I'>gshadow</emphasis> and then removes <emphasis
- remap='I'>gshadow</emphasis>.
+ The <command>grpunconv</command> command creates
+ <filename>group</filename> from <filename>group</filename> and
+ <filename>gshadow</filename> and then removes
+ <filename>gshadow</filename>.
</para>
<para>
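Review bot: The paragraph that opens right after this hunk is left untouched and, in the attached file, still reads "the normal and shadow password and group files", while the rest of the patch standardises on "plain" and "shadowed". Change it to "the plain and shadowed password and group files" so the page uses one pair of terms throughout.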
@@ -156,12 +156,12 @@
<para>
Each program acquires the necessary locks before conversion.
<command>pwconv</command> and <command>grpconv</command> are similar.
- First, entries in the shadowed file which don't exist in the main file
- are removed. Then, shadowed entries which don't have `x' as the
- password in the main file are updated. Any missing shadowed entries
- are added. Finally, passwords in the main file are replaced with `x'.
+ First, entries in the shadowed file which don't exist in the plain file
+ are removed. Then, entries in the shadowed file which don't have `x'
+ as the password in plain file are updated. Any missing shadowed entries
+ are added. Finally, passwords in the plain file are replaced with `x'.
These programs can be used for initial conversion as well to update
- the shadowed file if the main file is edited by hand.
+ the shadowed file if the plain file is edited by hand.
</para>
<para>
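Review bot: The added line "as the password in plain file are updated" is missing an article; it should read "in the plain file". While touching this paragraph, the unchanged context line "for initial conversion as well to update" also wants "as well as to update".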
@@ -175,8 +175,8 @@
<para>
Likewise <command>pwunconv</command> and <command>grpunconv</command>
- are similar. Passwords in the main file are updated from the shadowed
- file. Entries which exist in the main file but not in the shadowed
+ are similar. Passwords in the plain file are updated from the shadowed
+ file. Entries which exist in the plain file but not in the shadowed
file are left alone. Finally, the shadowed file is removed. Some
password aging information is lost by <command>pwunconv</command>. It
will convert what it can.
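Review bot: The two sentences "Some password aging information is lost by pwunconv. It will convert what it can." are carried over unchanged and stay vague, although the comment quoted from src/pwunconv.c in this thread states the actual behaviour. Consider replacing them with what that comment says: when maxdays is 10000 no aging information is written to the new file, and otherwise the day values are converted to weeks and may not map exactly.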
@@ -219,7 +219,7 @@
entries) may cause these programs to loop forever or fail in other
strange ways. Please run <command>pwck</command> and
<command>grpck</command> to correct any such errors before converting
- to or from shadow passwords or groups.
+ to or from shadowed files.
</para>
</refsect1>
-------------- next part --------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 1996 - 1998, Marek Michałkiewicz
Copyright (c) 2000 - 2006, Tomasz Kłoczko
Copyright (c) 2007 - 2011, Nicolas François
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the copyright holders or contributors may not be used to
endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
<!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
<!ENTITY PASS_MIN_DAYS SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
<!ENTITY PASS_WARN_AGE SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
<!ENTITY USE_TCB SYSTEM "login.defs.d/USE_TCB.xml">
<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='pwconv.8'>
<!-- $Id$ -->
<refentryinfo>
<author>
<firstname>Marek</firstname>
<surname>Michałkiewicz</surname>
<contrib>Creation, 1996</contrib>
</author>
<author>
<firstname>Thomas</firstname>
<surname>Kłoczko</surname>
<email>kloczek at pld.org.pl</email>
<contrib>shadow-utils maintainer, 2000 - 2007</contrib>
</author>
<author>
<firstname>Nicolas</firstname>
<surname>François</surname>
<email>nicolas.francois at centraliens.net</email>
<contrib>shadow-utils maintainer, 2007 - now</contrib>
</author>
</refentryinfo>
<refmeta>
<refentrytitle>pwconv</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">System Management Commands</refmiscinfo>
<refmiscinfo class="source">shadow-utils</refmiscinfo>
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>pwconv</refname>
<refname>pwunconv</refname>
<refname>grpconv</refname>
<refname>grpunconv</refname>
<refpurpose>convert between the system's shadowed and plain account files</refpurpose>
</refnamediv>
<refsynopsisdiv id='synopsis'>
<cmdsynopsis>
<command>pwconv</command>
<arg choice='opt'>
<replaceable>options</replaceable>
</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>pwunconv</command>
<arg choice='opt'>
<replaceable>options</replaceable>
</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>grpconv</command>
<arg choice='opt'>
<replaceable>options</replaceable>
</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>grpunconv</command>
<arg choice='opt'>
<replaceable>options</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
The <command>pwconv</command> command creates <filename>
shadow</filename> from <filename>passwd</filename>
and an optionally existing <filename>shadow</filename>.
</para>
<para condition="tcb">
<command>pwconv</command> does not work with
<option>USE_TCB</option> enabled. To convert to tcb passwords, you
should first use <command>pwconv</command> to convert to shadowed
passwords by disabling <option>USE_TCB</option> in
<filename>login.defs</filename> and then convert to tcb password
using <command>tcb_convert</command> (and re-enable
<option>USE_TCB</option> in <filename>login.defs</filename>.)
</para>
<para>
The <command>pwunconv</command> command creates
<filename>passwd</filename> from <filename>passwd</filename> and
<filename>shadow</filename> and then removes
<filename>shadow</filename>.
</para>
<para condition="tcb">
<command>pwunconv</command> does not work with
<option>USE_TCB</option> enabled. You should first switch back from
tcb to shadowed passwords using <command>tcb_unconvert</command>,
and then disable <option>USE_TCB</option> in
<filename>login.defs</filename> before using
<command>pwunconv</command>.
</para>
<para>
The <command>grpconv</command> command creates
<filename>gshadow</filename> from <filename>group</filename> and
an optionally existing <filename>gshadow</filename>.
</para>
<para>
The <command>grpunconv</command> command creates
<filename>group</filename> from <filename>group</filename> and
<filename>gshadow</filename> and then removes
<filename>gshadow</filename>.
</para>
<para>
These four programs all operate on the normal and shadow password and
group files: <filename>/etc/passwd</filename>,
<filename>/etc/group</filename>, <filename>/etc/shadow</filename>, and
<filename>/etc/gshadow</filename>.
</para>
<para>
Each program acquires the necessary locks before conversion.
<command>pwconv</command> and <command>grpconv</command> are similar.
First, entries in the shadowed file which don't exist in the plain file
are removed. Then, entries in the shadowed file which don't have `x'
as the password in plain file are updated. Any missing shadowed entries
are added. Finally, passwords in the plain file are replaced with `x'.
These programs can be used for initial conversion as well to update
the shadowed file if the plain file is edited by hand.
</para>
<para>
<command>pwconv</command> will use the values of <emphasis
remap='I'>PASS_MIN_DAYS</emphasis>, <emphasis
remap='I'>PASS_MAX_DAYS</emphasis>, and <emphasis
remap='I'>PASS_WARN_AGE</emphasis> from
<filename>/etc/login.defs</filename> when adding new entries to
<filename>/etc/shadow</filename>.
</para>
<para>
Likewise <command>pwunconv</command> and <command>grpunconv</command>
are similar. Passwords in the plain file are updated from the shadowed
file. Entries which exist in the plain file but not in the shadowed
file are left alone. Finally, the shadowed file is removed. Some
password aging information is lost by <command>pwunconv</command>. It
will convert what it can.
</para>
</refsect1>
<refsect1 id='options'>
<title>OPTIONS</title>
<para>
The options which apply to the <command>pwconv</command>,
<command>pwunconv</command>, <command>grpconv</command>, and
<command>grpunconv</command> commands are:
</para>
<variablelist remap='IP'>
<varlistentry>
<term><option>-h</option>, <option>--help</option></term>
<listitem>
<para>Display help message and exit.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>-R</option>, <option>--root</option> <replaceable>CHROOT_DIR</replaceable>
</term>
<listitem>
<para>
Apply changes in the <replaceable>CHROOT_DIR</replaceable>
directory and use the configuration files from the
<replaceable>CHROOT_DIR</replaceable> directory.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='bugs'>
<title>BUGS</title>
<para>
Errors in the password or group files (such as invalid or duplicate
entries) may cause these programs to loop forever or fail in other
strange ways. Please run <command>pwck</command> and
<command>grpck</command> to correct any such errors before converting
to or from shadowed files.
</para>
</refsect1>
<refsect1 id='configuration'>
<title>CONFIGURATION</title>
<para>
The following configuration variable in
<filename>/etc/login.defs</filename> changes the behavior of
<command>grpconv</command> and <command>grpunconv</command>:
</para>
<variablelist>
&MAX_MEMBERS_PER_GROUP;
</variablelist>
<para>
The following configuration variables in
<filename>/etc/login.defs</filename> change the behavior of
<command>pwconv</command>:
</para>
<variablelist>
&PASS_MAX_DAYS;
&PASS_MIN_DAYS;
&PASS_WARN_AGE;
&USE_TCB;
</variablelist>
</refsect1>
<refsect1 id='files'>
<title>FILES</title>
<variablelist>
<varlistentry>
<term><filename>/etc/login.defs</filename></term>
<listitem>
<para>Shadow password suite configuration.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>grpck</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pwck</refentrytitle><manvolnum>8</manvolnum>
</citerefentry><phrase condition="tcb">,
<citerefentry>
<refentrytitle>tcb_convert</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>tcb_unconvert</refentrytitle><manvolnum>8</manvolnum>
</citerefentry></phrase>.
</para>
</refsect1>
</refentry>
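
The four pwconv steps listed in the DESCRIPTION section above, as an added dry-run sketch in Python (not part of the patch or of shadow-utils): it classifies accounts by the action each step would take, without touching any file. The function name plan_pwconv and the sample entries are assumptions made for this example.

```python
"""Dry-run model of the pwconv steps from the man page (added example)."""

# Constructed sample data; the hashes are placeholders, not real crypt strings.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:$6$CONSTRUCTED$newhash:1000:1000::/home/alice:/bin/sh
bob:$6$CONSTRUCTED$bobhash:1001:1001::/home/bob:/bin/sh
dave:x:1002:1002::/home/dave:/bin/sh
"""
SHADOW = """\
root:$6$CONSTRUCTED$roothash:19000:0:99999:7:::
alice:$6$CONSTRUCTED$oldhash:19000:0:99999:7:::
carol:$6$CONSTRUCTED$carolhash:19000:0:99999:7:::
"""


def parse(text):
    """Return {name: fields} for a colon-separated account file."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def plan_pwconv(passwd_text, shadow_text):
    """Classify accounts by the pwconv step that would act on them."""
    passwd, shadow = parse(passwd_text), parse(shadow_text)
    plan = {"remove": [], "update": [], "add": [], "mask": []}
    # Step 1: shadowed entries with no matching plain entry are removed.
    plan["remove"] = sorted(name for name in shadow if name not in passwd)
    for name, fields in passwd.items():
        hash_in_plain = fields[1] != "x"
        if name not in shadow:
            plan["add"].append(name)      # Step 3: missing shadowed entry
        elif hash_in_plain:
            plan["update"].append(name)   # Step 2: plain file edited by hand
        if hash_in_plain:
            plan["mask"].append(name)     # Step 4: password becomes 'x'
    return plan


if __name__ == "__main__":
    for action, names in plan_pwconv(PASSWD, SHADOW).items():
        print(f"{action:6s} {', '.join(names) or '-'}")
```

The "mask" list is the one to watch when auditing: those accounts still carry a password hash in the plain file until the conversion runs.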