[Pkg-shadow-devel] Bug#1006208: Bug#1006208: shadow: trying to improve man pwck
Serge E. Hallyn
serge at hallyn.com
Wed Mar 2 14:46:44 GMT 2022
Thank you. I will take these diffs (4 I believe?), do one final review, and
push to github.com/shadow-maint/shadow under commits with you as Author.
On Mon, Feb 21, 2022 at 12:40:07PM +0100, Markus Hiereth wrote:
> Source: shadow
> Version: 4.8.1
> Severity: minor
>
> Dear Serge,
>
> in accordance your mail from 2022-02-20 (attached) an edited manual xml file
> and the respective patch file.
>
> Best regards
> Markus
> On Wed, Feb 16, 2022 at 09:42:34PM +0100, Markus Hiereth wrote:
> > Hi Serge and shadow-utils developers
> >
> > a few remarks on this manual page. I do not know whether a bug report
> > or a patch are appreciated.
> >
> > Best regards
> > Markus
> >
> >
> > 69 <refnamediv id='name'>
> > 70 <refname>pwck</refname>
> > 71 <refpurpose>verify integrity of password files</refpurpose>
> > 72 </refnamediv>
> >
> > s/verify integrity/verify the integrity
> >
> > --------
> >
> > 75 <cmdsynopsis>
> > 76 <command>pwck</command>
> > 77 <arg choice='opt'>options</arg>
> > 78 <arg choice='opt'>
> > 79 <arg choice='plain'>
> > 80 <replaceable>passwd</replaceable>
> > 81 </arg>
> > 82 <arg choice='opt'>
> > 83 <arg choice='plain'>
> > 84 <replaceable>shadow</replaceable>
> > 85 </arg>
> > 86 </arg>
> > 87 </arg>
> > 88 </cmdsynopsis>
> >
> > Replaceables appear in capital letters elsewhere, the name of the
> > argument shall indicate that the name of the two files is not
> > pre-defined, thus write:
> >
> > 80 <replaceable>PASSWORDFILE</replaceable>
> > 84 <replaceable>SHADOWFILE</replaceable>
> >
> > --------
> >
> > 128 <filename>shadow</filename> checks are enabled when a second file
> > 129 parameter is specified or when <filename>/etc/shadow</filename>
> > 130 exists on the system.
> >
> > I think "shadow" in "shadow checks" is meant in a general
> > sense. Therefore, if xml is used for mark-up, it should not be the filename element, but the replaceable element. Or write:
> >
> > 128 Checks for shadowed password information are enabled when a second
> > 129 file parameter is specified or when <filename>/etc/shadow</filename>
>
> That's all fine.
>
> > --------
> >
> > 162 checks will still be made. All other errors are warning and the user
> > 163 is encouraged to run the <command>usermod</command> command to correct
> >
> > Is "warning" here the participe present from the verb "to warn". In
> > case it is the plural of the noun "a warning", add the plural-s. Or write:
> >
> > ... All other errors warn the user and encourage him to run the <command>usermod</command>
>
> It's just meant as the plural of warning, so simplest would be to just
> say 'All other errors are warnings and..."
>
> thanks,
> -serge
> --- shadow-4.8.1/man/pwck.8.xml 2019-10-05 03:23:58.000000000 +0200
> +++ shadow-4.8.1_mh/man/pwck.8.xml 2022-02-21 12:30:25.634576331 +0100
> @@ -68,7 +68,7 @@
> </refmeta>
> <refnamediv id='name'>
> <refname>pwck</refname>
> - <refpurpose>verify integrity of password files</refpurpose>
> + <refpurpose>verify the integrity of password files</refpurpose>
> </refnamediv>
> <!-- body begins here -->
> <refsynopsisdiv id='synopsis'>
> @@ -77,11 +77,11 @@
> <arg choice='opt'>options</arg>
> <arg choice='opt'>
> <arg choice='plain'>
> - <replaceable>passwd</replaceable>
> + <replaceable>PASSWORDFILE</replaceable>
> </arg>
> <arg choice='opt'>
> <arg choice='plain'>
> - <replaceable>shadow</replaceable>
> + <replaceable>SHADOWFILE</replaceable>
> </arg>
> </arg>
> </arg>
> @@ -123,11 +123,10 @@
> <para>a valid login shell</para>
> </listitem>
> </itemizedlist>
> -
> <para>
> - <filename>shadow</filename> checks are enabled when a second file
> - parameter is specified or when <filename>/etc/shadow</filename>
> - exists on the system.
> + Checks for shadowed password information are enabled when the second
> + file parameter <replaceable>SHADOWFILE</replaceable> is specified or
> + when <filename>/etc/shadow</filename> exists on the system.
> </para>
> <para>
> These checks are the following:
> @@ -159,7 +158,7 @@
> prompted to delete the entire line. If the user does not answer
> affirmatively, all further checks are bypassed. An entry with a
> duplicated user name is prompted for deletion, but the remaining
> - checks will still be made. All other errors are warning and the user
> + checks will still be made. All other errors are warnings and the user
> is encouraged to run the <command>usermod</command> command to correct
> the error.
> </para>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> Copyright (c) 1992 , Julianne Frances Haugh
> Copyright (c) 2007 - 2011, Nicolas François
> All rights reserved.
>
> Redistribution and use in source and binary forms, with or without
> modification, are permitted provided that the following conditions
> are met:
> 1. Redistributions of source code must retain the above copyright
> notice, this list of conditions and the following disclaimer.
> 2. Redistributions in binary form must reproduce the above copyright
> notice, this list of conditions and the following disclaimer in the
> documentation and/or other materials provided with the distribution.
> 3. The name of the copyright holders or contributors may not be used to
> endorse or promote products derived from this software without
> specific prior written permission.
>
> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
> PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> -->
> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
> "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
> <!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
> <!ENTITY PASS_MIN_DAYS SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
> <!ENTITY PASS_WARN_AGE SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
> <!ENTITY TCB_AUTH_GROUP SYSTEM "login.defs.d/TCB_AUTH_GROUP.xml">
> <!ENTITY TCB_SYMLINKS SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
> <!ENTITY USE_TCB SYSTEM "login.defs.d/USE_TCB.xml">
> <!-- SHADOW-CONFIG-HERE -->
> ]>
> <refentry id='pwck.8'>
> <!-- $Id$ -->
> <refentryinfo>
> <author>
> <firstname>Julianne Frances</firstname>
> <surname>Haugh</surname>
> <contrib>Creation, 1992</contrib>
> </author>
> <author>
> <firstname>Thomas</firstname>
> <surname>Kłoczko</surname>
> <email>kloczek at pld.org.pl</email>
> <contrib>shadow-utils maintainer, 2000 - 2007</contrib>
> </author>
> <author>
> <firstname>Nicolas</firstname>
> <surname>François</surname>
> <email>nicolas.francois at centraliens.net</email>
> <contrib>shadow-utils maintainer, 2007 - now</contrib>
> </author>
> </refentryinfo>
> <refmeta>
> <refentrytitle>pwck</refentrytitle>
> <manvolnum>8</manvolnum>
> <refmiscinfo class="sectdesc">System Management Commands</refmiscinfo>
> <refmiscinfo class="source">shadow-utils</refmiscinfo>
> <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
> </refmeta>
> <refnamediv id='name'>
> <refname>pwck</refname>
> <refpurpose>verify the integrity of password files</refpurpose>
> </refnamediv>
> <!-- body begins here -->
> <refsynopsisdiv id='synopsis'>
> <cmdsynopsis>
> <command>pwck</command>
> <arg choice='opt'>options</arg>
> <arg choice='opt'>
> <arg choice='plain'>
> <replaceable>PASSWORDFILE</replaceable>
> </arg>
> <arg choice='opt'>
> <arg choice='plain'>
> <replaceable>SHADOWFILE</replaceable>
> </arg>
> </arg>
> </arg>
> </cmdsynopsis>
> </refsynopsisdiv>
>
> <refsect1 id='description'>
> <title>DESCRIPTION</title>
> <para>
> The <command>pwck</command> command verifies the integrity of the
> users and authentication information. It checks that all entries in
> <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
> <phrase condition="tcb">(or the files in
> <filename>/etc/tcb</filename>, when <option>USE_TCB</option> is
> enabled)</phrase>
> have the proper format and contain valid data.
> The user is prompted to delete entries that are
> improperly formatted or which have other uncorrectable errors.
> </para>
>
> <para>Checks are made to verify that each entry has:</para>
> <itemizedlist mark='bullet'>
> <listitem>
> <para>the correct number of fields</para>
> </listitem>
> <listitem>
> <para>a unique and valid user name</para>
> </listitem>
> <listitem>
> <para>a valid user and group identifier</para>
> </listitem>
> <listitem>
> <para>a valid primary group</para>
> </listitem>
> <listitem>
> <para> a valid home directory</para>
> </listitem>
> <listitem>
> <para>a valid login shell</para>
> </listitem>
> </itemizedlist>
> <para>
> Checks for shadowed password information are enabled when the second
> file parameter <replaceable>SHADOWFILE</replaceable> is specified or
> when <filename>/etc/shadow</filename> exists on the system.
> </para>
> <para>
> These checks are the following:
> </para>
> <itemizedlist mark='bullet'>
> <listitem>
> <para>
> every passwd entry has a matching shadow entry, and every shadow
> entry has a matching passwd entry
> </para>
> </listitem>
> <listitem>
> <para>passwords are specified in the shadowed file</para>
> </listitem>
> <listitem>
> <para>shadow entries have the correct number of fields</para>
> </listitem>
> <listitem>
> <para>shadow entries are unique in shadow</para>
> </listitem>
> <listitem>
> <para>the last password changes are not in the future</para>
> </listitem>
> </itemizedlist>
>
> <para>
> The checks for correct number of fields and unique user name are
> fatal. If the entry has the wrong number of fields, the user will be
> prompted to delete the entire line. If the user does not answer
> affirmatively, all further checks are bypassed. An entry with a
> duplicated user name is prompted for deletion, but the remaining
> checks will still be made. All other errors are warnings and the user
> is encouraged to run the <command>usermod</command> command to correct
> the error.
> </para>
>
> <para>
> The commands which operate on the <filename>/etc/passwd</filename>
> file are not able to alter corrupted or duplicated entries.
> <command>pwck</command> should be used in those circumstances to
> remove the offending entry.
> </para>
> </refsect1>
>
> <refsect1 id='options'>
> <title>OPTIONS</title>
> <para>
> The <option>-r</option> and <option>-s</option> options cannot be
> combined.
> </para>
> <para>
> The options which apply to the <command>pwck</command> command are:
> </para>
> <variablelist remap='IP'>
> <varlistentry>
> <term>
> <option>--badname</option>
> </term>
> <listitem>
> <para>
> Allow names that do not conform to standards.
> </para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><option>-h</option>, <option>--help</option></term>
> <listitem>
> <para>Display help message and exit.</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><option>-q</option>, <option>--quiet</option></term>
> <listitem>
> <para>
> Report errors only. The warnings which do not require any
> action from the user won't be displayed.
> </para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><option>-r</option>, <option>--read-only</option></term>
> <listitem>
> <para>
> Execute the <command>pwck</command> command in read-only mode.
> </para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term>
> <option>-R</option>, <option>--root</option> <replaceable>CHROOT_DIR</replaceable>
> </term>
> <listitem>
> <para>
> Apply changes in the <replaceable>CHROOT_DIR</replaceable>
> directory and use the configuration files from the
> <replaceable>CHROOT_DIR</replaceable> directory.
> </para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><option>-s</option>, <option>--sort</option></term>
> <listitem>
> <para>
> Sort entries in <filename>/etc/passwd</filename> and
> <filename>/etc/shadow</filename> by UID.
> </para>
> <para condition="tcb">
> This option has no effect when <option>USE_TCB</option> is enabled.
> </para>
> </listitem>
> </varlistentry>
> </variablelist>
>
> <para>
> By default, <command>pwck</command> operates on the files
> <filename>/etc/passwd</filename> and
> <filename>/etc/shadow</filename><phrase condition="tcb"> (or the
> files in <filename>/etc/tcb</filename>)</phrase>.
> The user may select alternate files with the
> <replaceable>passwd</replaceable> and
> <replaceable>shadow</replaceable> parameters.
> </para>
> <para condition="tcb">
> Note that when <option>USE_TCB</option> is enabled, you cannot
> specify an alternative <replaceable>shadow</replaceable> file. In
> future releases, this parameter could be replaced by an alternate
> TCB directory.
> </para>
> </refsect1>
>
> <refsect1 id='configuration'>
> <title>CONFIGURATION</title>
> <para>
> The following configuration variables in
> <filename>/etc/login.defs</filename> change the behavior of this
> tool:
> </para>
> <variablelist>
> &PASS_MAX_DAYS;
> &PASS_MIN_DAYS;
> &PASS_WARN_AGE;
> &TCB_AUTH_GROUP;
> &TCB_SYMLINKS;
> &USE_TCB;
> </variablelist>
> </refsect1>
>
> <refsect1 id='files'>
> <title>FILES</title>
> <variablelist>
> <varlistentry>
> <term><filename>/etc/group</filename></term>
> <listitem>
> <para>Group account information.</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><filename>/etc/passwd</filename></term>
> <listitem>
> <para>User account information.</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><filename>/etc/shadow</filename></term>
> <listitem>
> <para>Secure user account information.</para>
> </listitem>
> </varlistentry>
> </variablelist>
> </refsect1>
>
> <refsect1 id='exit_values'>
> <title>EXIT VALUES</title>
> <para>
> The <command>pwck</command> command exits with the following values:
> <variablelist>
> <varlistentry>
> <term><replaceable>0</replaceable></term>
> <listitem>
> <para>success</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><replaceable>1</replaceable></term>
> <listitem>
> <para>invalid command syntax</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><replaceable>2</replaceable></term>
> <listitem>
> <para>one or more bad password entries</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><replaceable>3</replaceable></term>
> <listitem>
> <para>can't open password files</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><replaceable>4</replaceable></term>
> <listitem>
> <para>can't lock password files</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><replaceable>5</replaceable></term>
> <listitem>
> <para>can't update password files</para>
> </listitem>
> </varlistentry>
> <varlistentry>
> <term><replaceable>6</replaceable></term>
> <listitem>
> <para>can't sort password files</para>
> </listitem>
> </varlistentry>
> </variablelist>
> </para>
> </refsect1>
>
> <refsect1 id='see_also'>
> <title>SEE ALSO</title>
> <para>
> <citerefentry>
> <refentrytitle>group</refentrytitle><manvolnum>5</manvolnum>
> </citerefentry>,
> <citerefentry>
> <refentrytitle>grpck</refentrytitle><manvolnum>8</manvolnum>
> </citerefentry>,
> <citerefentry>
> <refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum>
> </citerefentry>,
> <citerefentry>
> <refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
> </citerefentry>,
> <citerefentry>
> <refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
> </citerefentry>.
> </para>
> </refsect1>
> </refentry>
> _______________________________________________
> Pkg-shadow-devel mailing list
> Pkg-shadow-devel at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel
More information about the Pkg-shadow-devel
mailing list