diff --git a/ChangeLog b/ChangeLog index b671f8f1..19475c77 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2008-08-17 Nicolas François + + * NEWS, src/passwd.c: For compatibility with other passwd version, + the --lock an --unlock options do not lock or unlock the user + account anymore. They only lock or unlock the user's password. + * man/passwd.1.xml: Document above change. Document how an account + can be locked and what a password lock means. + 2008-08-15 Nicolas François * man/groupadd.8.xml: Fix the regular expression for group policy. diff --git a/NEWS b/NEWS index c6122187..69a5b362 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,10 @@ shadow-4.1.2.1 -> shadow-4.1.3 UNRELEASED * /etc/group is open readonly when one just wants to list the users of a group. * Added syslog support. +- passwd + * For compatiobility with other passwd version, the --lock an --unlock + options do not lock or unlock the user account anymore. They only + lock or unlock the user's password. shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008 diff --git a/man/passwd.1.xml b/man/passwd.1.xml index 7d96165e..b2e165ea 100644 --- a/man/passwd.1.xml +++ b/man/passwd.1.xml @@ -196,9 +196,21 @@ - Lock the named account. This option disables an account by changing - the password to a value which matches no possible encrypted value, - and by setting the account expiry field to 1. + Lock the password of the named account. This option disables a + password by changing it to a value which matches no possible + encrypted value (it adds a ´!´ at the beginning of the + password). + + + Note that this does not disable the account. The user may + still be able to login using another authentication token + (e.g. an SSH key). To disable the account, administrators + should use usermod --expiredate 1 (this set + the account's expire date to Jan 2, 1970). + + + Users with a locked password are not allowed to change their + password. 
@@ -242,7 +254,8 @@ Display account status information. The status information consists of 7 fields. The first field is the user's login name. - The second field indicates if the user account is locked (L), + The second field indicates if the user account has a locked + password (L), has no password (NP), or has a usable password (P). The third field gives the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and @@ -257,9 +270,10 @@ - Unlock the named account. This option re-enables an account by - changing the password back to its previous value (to value before - using option), and by resetting the account + Unlock the password of the named account. This option + re-enables a password by changing the password back to its + previous value (to the value before using the + option), and by resetting the account expiry field. @@ -402,6 +416,9 @@ shadow5 . + + usermod8 + . diff --git a/src/passwd.c b/src/passwd.c index ff3dea40..938e3d51 100644 --- a/src/passwd.c +++ b/src/passwd.c @@ -79,11 +79,11 @@ static bool eflg = false, /* -e - force password change */ iflg = false, /* -i - set inactive days */ kflg = false, /* -k - change only if expired */ - lflg = false, /* -l - lock account */ + lflg = false, /* -l - lock the user's password */ nflg = false, /* -n - set minimum days */ qflg = false, /* -q - quiet mode */ Sflg = false, /* -S - show password status */ - uflg = false, /* -u - unlock account */ + uflg = false, /* -u - unlock the user's password */ wflg = false, /* -w - set warning days */ xflg = false; /* -x - set maximum days */ 
@@ -163,13 +163,13 @@ static void usage (int status) " -k, --keep-tokens change password only if expired\n" " -i, --inactive INACTIVE set password inactive after expiration\n" " to INACTIVE\n" - " -l, --lock lock the named account\n" + " -l, --lock lock the password of the named account\n" " -n, --mindays MIN_DAYS set minimum number of days before password\n" " change to MIN_DAYS\n" " -q, --quiet quiet mode\n" " -r, --repository REPOSITORY change password in REPOSITORY repository\n" " -S, --status report password status on the named account\n" - " -u, --unlock unlock the named account\n" + " -u, --unlock unlock the password of the named account\n" " -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n" " -x, --maxdays MAX_DAYS set maximim number of days before password\n" " change to MAX_DAYS\n" @@ -487,8 +487,8 @@ static char *update_crypt_pw (char *cp) if (uflg && *cp == '!') { if (cp[1] == '\0') { fprintf (stderr, - _("%s: unlocking the user would result in a passwordless account.\n" - "You should set a password with usermod -p to unlock this user account.\n"), + _("%s: unlocking the password would result in a passwordless account.\n" + "You should set a password with usermod -p to unlock the password of this account.\n"), Prog); } else { cp++; @@ -597,15 +597,6 @@ static void update_shadow (void) if (do_update_age) { nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE; } - if (lflg) { - /* Set the account expiry field to 1. - * Some PAM implementation consider zero as a non expired - * account. - */ - nsp->sp_expire = 1; - } - if (uflg) - nsp->sp_expire = -1; /* * Force change on next login, like SunOS 4.x passwd -e or Solaris 
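Review bot: The unlock branch in update_crypt_pw now only strips the leading '!', and the update_shadow hunk on this same line removes `nsp->sp_expire = -1;`. An account locked by an earlier `passwd -l`, which wrote `sp_expire = 1`, would therefore presumably stay expired after `passwd -u`, with nothing telling the administrator why logins still fail. The new man page text for --unlock still ends with "and by resetting the account expiry field", which no longer matches the code. I would either drop that clause from the man page or warn in update_shadow, e.g. `if (uflg && nsp->sp_expire == 1) fprintf (stderr, _("%s: the account is still expired; use usermod --expiredate to re-enable it.\n"), Prog);`. Both functions start and end outside their hunks, so whether sp_expire is handled elsewhere cannot be seen from here.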
@@ -707,12 +698,12 @@ static int check_selinux_access (const char *changed_user,
 * -g execute gpasswd command to interpret flags
 * -i # set sp_inact to # days (*)
 * -k change password only if expired
- * -l lock the named account (*)
+ * -l lock the password of the named account (*)
 * -n # set sp_min to # days (*)
 * -r # change password in # repository
 * -s execute chsh command to interpret flags
 * -S show password status of named account
- * -u unlock the named account (*)
+ * -u unlock the password of the named account (*)
 * -w # set sp_warn to # days (*)
 * -x # set sp_max to # days (*)
 *