* NEWS, src/passwd.c: For compatibility with other passwd version,

the --lock and --unlock options do not lock or unlock the user
	account anymore.  They only lock or unlock the user's password.
	* man/passwd.1.xml: Document above change. Document how an account
	can be locked and what a password lock means.
nekral-guest 2008-08-22 02:16:21 +00:00
parent fa33bb9d0e
commit 1355d5d3eb
4 changed files with 44 additions and 24 deletions


@ -1,3 +1,11 @@
2008-08-17 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, src/passwd.c: For compatibility with other passwd version,
the --lock an --unlock options do not lock or unlock the user
account anymore. They only lock or unlock the user's password.
* man/passwd.1.xml: Document above change. Document how an account
can be locked and what a password lock means.
2008-08-15 Nicolas François <nicolas.francois@centraliens.net>
* man/groupadd.8.xml: Fix the regular expression for group policy.

4
NEWS

@ -17,6 +17,10 @@ shadow-4.1.2.1 -> shadow-4.1.3 UNRELEASED
* /etc/group is open readonly when one just wants to list the users of a
group.
* Added syslog support.
- passwd
* For compatiobility with other passwd version, the --lock an --unlock
options do not lock or unlock the user account anymore. They only
lock or unlock the user's password.
shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008


@ -196,9 +196,21 @@
</term>
<listitem>
<para>
Lock the named account. This option disables an account by changing
the password to a value which matches no possible encrypted value,
and by setting the account expiry field to 1.
Lock the password of the named account. This option disables a
password by changing it to a value which matches no possible
encrypted value (it adds a ´!´ at the beginning of the
password).
</para>
<para>
Note that this does not disable the account. The user may
still be able to login using another authentication token
(e.g. an SSH key). To disable the account, administrators
should use <command>usermod --expiredate 1</command> (this set
the account's expire date to Jan 2, 1970).
</para>
<para>
Users with a locked password are not allowed to change their
password.
</para>
</listitem>
</varlistentry>
@ -242,7 +254,8 @@
<para>
Display account status information. The status information
consists of 7 fields. The first field is the user's login name.
The second field indicates if the user account is locked (L),
The second field indicates if the user account has a locked
password (L),
has no password (NP), or has a usable password (P). The third
field gives the date of the last password change. The next four
fields are the minimum age, maximum age, warning period, and
@ -257,9 +270,10 @@
</term>
<listitem>
<para>
Unlock the named account. This option re-enables an account by
changing the password back to its previous value (to value before
using <option>-l</option> option), and by resetting the account
Unlock the password of the named account. This option
re-enables a password by changing the password back to its
previous value (to the value before using the
<option>-l</option> option), and by resetting the account
expiry field.
</para>
</listitem>
@ -402,6 +416,9 @@
<citerefentry>
<refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
<citerefentry>
<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>


@ -79,11 +79,11 @@ static bool
eflg = false, /* -e - force password change */
iflg = false, /* -i - set inactive days */
kflg = false, /* -k - change only if expired */
lflg = false, /* -l - lock account */
lflg = false, /* -l - lock the user's password */
nflg = false, /* -n - set minimum days */
qflg = false, /* -q - quiet mode */
Sflg = false, /* -S - show password status */
uflg = false, /* -u - unlock account */
uflg = false, /* -u - unlock the user's password */
wflg = false, /* -w - set warning days */
xflg = false; /* -x - set maximum days */
@ -163,13 +163,13 @@ static void usage (int status)
" -k, --keep-tokens change password only if expired\n"
" -i, --inactive INACTIVE set password inactive after expiration\n"
" to INACTIVE\n"
" -l, --lock lock the named account\n"
" -l, --lock lock the password of the named account\n"
" -n, --mindays MIN_DAYS set minimum number of days before password\n"
" change to MIN_DAYS\n"
" -q, --quiet quiet mode\n"
" -r, --repository REPOSITORY change password in REPOSITORY repository\n"
" -S, --status report password status on the named account\n"
" -u, --unlock unlock the named account\n"
" -u, --unlock unlock the password of the named account\n"
" -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n"
" -x, --maxdays MAX_DAYS set maximim number of days before password\n"
" change to MAX_DAYS\n"
@ -487,8 +487,8 @@ static char *update_crypt_pw (char *cp)
if (uflg && *cp == '!') {
if (cp[1] == '\0') {
fprintf (stderr,
_("%s: unlocking the user would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock this user account.\n"),
_("%s: unlocking the password would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock the password of this account.\n"),
Prog);
} else {
cp++;
@ -597,15 +597,6 @@ static void update_shadow (void)
if (do_update_age) {
nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
}
if (lflg) {
/* Set the account expiry field to 1.
* Some PAM implementation consider zero as a non expired
* account.
*/
nsp->sp_expire = 1;
}
if (uflg)
nsp->sp_expire = -1;
/*
* Force change on next login, like SunOS 4.x passwd -e or Solaris
@ -707,12 +698,12 @@ static int check_selinux_access (const char *changed_user,
* -g execute gpasswd command to interpret flags
* -i # set sp_inact to # days (*)
* -k change password only if expired
* -l lock the named account (*)
* -l lock the password of the named account (*)
* -n # set sp_min to # days (*)
* -r # change password in # repository
* -s execute chsh command to interpret flags
* -S show password status of named account
* -u unlock the named account (*)
* -u unlock the password of the named account (*)
* -w # set sp_warn to # days (*)
* -x # set sp_max to # days (*)
*
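Review bot: In the update_shadow hunk both sp_expire writes are removed, so an account locked by an earlier passwd -l keeps sp_expire = 1, and the new passwd -u strips the '!' from the password field while leaving the account expired; nothing visible in this commit migrates or reports that state. The man page section of this same commit still describes -u as working "by resetting the account expiry field", which no longer matches the code. I would drop that clause from the man page and leave a comment where the block was removed, e.g. `/* -l and -u leave sp_expire untouched; use usermod --expiredate to disable or re-enable the account */`. Because scripts that relied on passwd -l to disable an account now leave other authentication tokens such as SSH keys usable, the NEWS entry should also name `usermod --expiredate 1` as the replacement. update_shadow's body starts and ends outside the hunk.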