* NEWS, src/passwd.c: For compatibility with other passwd versions,

the --lock and --unlock options do not lock or unlock the user
	account anymore.  They only lock or unlock the user's password.
	* man/passwd.1.xml: Document above change. Document how an account
	can be locked and what a password lock means.
nekral-guest 2008-08-22 02:16:21 +00:00
parent fa33bb9d0e
commit 1355d5d3eb
4 changed files with 44 additions and 24 deletions


@ -1,3 +1,11 @@
2008-08-17 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, src/passwd.c: For compatibility with other passwd version,
the --lock an --unlock options do not lock or unlock the user
account anymore. They only lock or unlock the user's password.
* man/passwd.1.xml: Document above change. Document how an account
can be locked and what a password lock means.
2008-08-15 Nicolas François <nicolas.francois@centraliens.net> 2008-08-15 Nicolas François <nicolas.francois@centraliens.net>
* man/groupadd.8.xml: Fix the regular expression for group policy. * man/groupadd.8.xml: Fix the regular expression for group policy.

4
NEWS

@ -17,6 +17,10 @@ shadow-4.1.2.1 -> shadow-4.1.3 UNRELEASED
* /etc/group is open readonly when one just wants to list the users of a * /etc/group is open readonly when one just wants to list the users of a
group. group.
* Added syslog support. * Added syslog support.
- passwd
* For compatiobility with other passwd version, the --lock an --unlock
options do not lock or unlock the user account anymore. They only
lock or unlock the user's password.
shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008 shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008


@ -196,9 +196,21 @@
</term> </term>
<listitem> <listitem>
<para> <para>
Lock the named account. This option disables an account by changing Lock the password of the named account. This option disables a
the password to a value which matches no possible encrypted value, password by changing it to a value which matches no possible
and by setting the account expiry field to 1. encrypted value (it adds a ´!´ at the beginning of the
password).
</para>
<para>
Note that this does not disable the account. The user may
still be able to login using another authentication token
(e.g. an SSH key). To disable the account, administrators
should use <command>usermod --expiredate 1</command> (this set
the account's expire date to Jan 2, 1970).
</para>
<para>
Users with a locked password are not allowed to change their
password.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -242,7 +254,8 @@
<para> <para>
Display account status information. The status information Display account status information. The status information
consists of 7 fields. The first field is the user's login name. consists of 7 fields. The first field is the user's login name.
The second field indicates if the user account is locked (L), The second field indicates if the user account has a locked
password (L),
has no password (NP), or has a usable password (P). The third has no password (NP), or has a usable password (P). The third
field gives the date of the last password change. The next four field gives the date of the last password change. The next four
fields are the minimum age, maximum age, warning period, and fields are the minimum age, maximum age, warning period, and
@ -257,9 +270,10 @@
</term> </term>
<listitem> <listitem>
<para> <para>
Unlock the named account. This option re-enables an account by Unlock the password of the named account. This option
changing the password back to its previous value (to value before re-enables a password by changing the password back to its
using <option>-l</option> option), and by resetting the account previous value (to the value before using the
<option>-l</option> option), and by resetting the account
expiry field. expiry field.
</para> </para>
</listitem> </listitem>
@ -402,6 +416,9 @@
<citerefentry> <citerefentry>
<refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum> <refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>. </citerefentry>.
<citerefentry>
<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para> </para>
</refsect1> </refsect1>
</refentry> </refentry>


@ -79,11 +79,11 @@ static bool
eflg = false, /* -e - force password change */ eflg = false, /* -e - force password change */
iflg = false, /* -i - set inactive days */ iflg = false, /* -i - set inactive days */
kflg = false, /* -k - change only if expired */ kflg = false, /* -k - change only if expired */
lflg = false, /* -l - lock account */ lflg = false, /* -l - lock the user's password */
nflg = false, /* -n - set minimum days */ nflg = false, /* -n - set minimum days */
qflg = false, /* -q - quiet mode */ qflg = false, /* -q - quiet mode */
Sflg = false, /* -S - show password status */ Sflg = false, /* -S - show password status */
uflg = false, /* -u - unlock account */ uflg = false, /* -u - unlock the user's password */
wflg = false, /* -w - set warning days */ wflg = false, /* -w - set warning days */
xflg = false; /* -x - set maximum days */ xflg = false; /* -x - set maximum days */
@ -163,13 +163,13 @@ static void usage (int status)
" -k, --keep-tokens change password only if expired\n" " -k, --keep-tokens change password only if expired\n"
" -i, --inactive INACTIVE set password inactive after expiration\n" " -i, --inactive INACTIVE set password inactive after expiration\n"
" to INACTIVE\n" " to INACTIVE\n"
" -l, --lock lock the named account\n" " -l, --lock lock the password of the named account\n"
" -n, --mindays MIN_DAYS set minimum number of days before password\n" " -n, --mindays MIN_DAYS set minimum number of days before password\n"
" change to MIN_DAYS\n" " change to MIN_DAYS\n"
" -q, --quiet quiet mode\n" " -q, --quiet quiet mode\n"
" -r, --repository REPOSITORY change password in REPOSITORY repository\n" " -r, --repository REPOSITORY change password in REPOSITORY repository\n"
" -S, --status report password status on the named account\n" " -S, --status report password status on the named account\n"
" -u, --unlock unlock the named account\n" " -u, --unlock unlock the password of the named account\n"
" -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n" " -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n"
" -x, --maxdays MAX_DAYS set maximim number of days before password\n" " -x, --maxdays MAX_DAYS set maximim number of days before password\n"
" change to MAX_DAYS\n" " change to MAX_DAYS\n"
@ -487,8 +487,8 @@ static char *update_crypt_pw (char *cp)
if (uflg && *cp == '!') { if (uflg && *cp == '!') {
if (cp[1] == '\0') { if (cp[1] == '\0') {
fprintf (stderr, fprintf (stderr,
_("%s: unlocking the user would result in a passwordless account.\n" _("%s: unlocking the password would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock this user account.\n"), "You should set a password with usermod -p to unlock the password of this account.\n"),
Prog); Prog);
} else { } else {
cp++; cp++;
@ -597,15 +597,6 @@ static void update_shadow (void)
if (do_update_age) { if (do_update_age) {
nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE; nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
} }
if (lflg) {
/* Set the account expiry field to 1.
* Some PAM implementation consider zero as a non expired
* account.
*/
nsp->sp_expire = 1;
}
if (uflg)
nsp->sp_expire = -1;
/* /*
* Force change on next login, like SunOS 4.x passwd -e or Solaris * Force change on next login, like SunOS 4.x passwd -e or Solaris
@ -707,12 +698,12 @@ static int check_selinux_access (const char *changed_user,
* -g execute gpasswd command to interpret flags * -g execute gpasswd command to interpret flags
* -i # set sp_inact to # days (*) * -i # set sp_inact to # days (*)
* -k change password only if expired * -k change password only if expired
* -l lock the named account (*) * -l lock the password of the named account (*)
* -n # set sp_min to # days (*) * -n # set sp_min to # days (*)
* -r # change password in # repository * -r # change password in # repository
* -s execute chsh command to interpret flags * -s execute chsh command to interpret flags
* -S show password status of named account * -S show password status of named account
* -u unlock the named account (*) * -u unlock the password of the named account (*)
* -w # set sp_warn to # days (*) * -w # set sp_warn to # days (*)
* -x # set sp_max to # days (*) * -x # set sp_max to # days (*)
* *
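Review bot: In the update_shadow hunk, removing the `if (uflg) nsp->sp_expire = -1;` branch along with the lock branch means `passwd -u` no longer clears an expiry that the previous `-l` code set to 1, so an account locked by the older binary stays expired after its password is unlocked. The `-u` entry in man/passwd.1.xml still ends with "and by resetting the account expiry field", which no longer matches this code; that clause should be dropped or replaced by a pointer to `usermod --expiredate`. Since `-l` now leaves non-password logins (the man page names SSH keys) working, I would also leave a comment where the removed block was, e.g. `/* -l/-u only change the password field; sp_expire is left alone, use usermod --expiredate 1 to disable the account */`, so anyone relying on the old behaviour sees the change in the code as well as in NEWS. update_shadow's body starts and ends outside the hunk.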