Bug#389183: passwd: 'passwd -l/-u' should edit the shadow account expiry field *in addition* to editing the password field as they do now

2022-11-29 Thread Sam Morris
Package: shadow,libpam-modules
Followup-For: Bug #389183

A note to software archeologists: this was reverted in June 2007 by
shadow 1:4.1.1-3, with the following remarks in the changelog:

  * debian/patches/494_passwd_lock-no_account_lock: Restore the previous
    behavior of passwd -l (which changed in #389183): only lock the user's
    password, not the user's account. Also explicitly document the
    differences. This restores a behavior common with the previous versions of
    passwd and with other implementations. Closes: #492307

The changelog shipped by the package doesn't go back that far.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (530, 'testing'), (520, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#389183: passwd: 'passwd -l/-u' should edit the shadow account expiry field *in addition* to editing the password field as they do now

2008-08-02 Thread Nicolas François
tags 389183 wontfix
thanks

This bug is indeed not fixed since its patch was reverted.

I decided to revert it because it breaks some expectations from users
used to passwd -l only locking the passwd.

I could have a look at 3 different sources:
 * pwdutils (provides passwd on Suse)
   passwd -l is documented as locking the account but only locks the
   user's account (as documented by the usage string)
 * OpenSolaris
   locks the user's password
 * fedora's passwd package
   passwd -l is documented as locking the account but only locks the
   user's account

The reversion was done after 492307, which was triggered by Ubuntu bugs:
  * https://bugs.launchpad.net/bugs/185767
  * https://bugs.launchpad.net/bugs/238755
  * https://bugs.launchpad.net/bugs/251696

These bugs were caused by users expecting passwd -l to only lock the
password / users being recommended to use passwd -l:
https://help.ubuntu.com/community/RootSudo

I currently think that passwd should only touch the password.
(I would also prefer usermod --lock to lock the account)

Together with the reversion of the patch, I documented passwd -l to
actually mention what it really does:
   -l, --lock
   Lock the password of the named account. This option disables a
   password by changing it to a value which matches no possible
   encrypted value (it adds a '!' at the beginning of the password).

   Note that this does not disable the account. The user may still be
   able to login using another authentication token (e.g. an SSH key).
   To disable the account, administrators should use usermod
   --expiredate 1 (this sets the account's expire date to Jan 2, 1970).

   Users with a locked password are not allowed to change their
   password.

Best Regards,
-- 
Nekral
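
The difference between a locked password and a disabled account discussed in this thread, as an added example that is not part of the original messages or of the shadow package: a shell function that reads a shadow(5)-format file and reports, for each account whose password field starts with '!', whether the expiry field also disables it. The function names `audit_shadow` and `sample_shadow` are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a shadow(5)-format file and, for
# every account whose password field starts with '!' (the marker passwd -l
# adds), reports whether the account expiry field (field 8) also disables it.

# audit_shadow FILE [TODAY]   TODAY = days since 1970-01-01 (default: now)
audit_shadow() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF == 0 { next }            # skip comments and blank lines
        substr($2, 1, 1) != "!" { next }    # password not locked: out of scope
        {
            # shadow(5): empty expiry = never expires; 0 is ambiguous, so it
            # is treated here as "not expired" to keep the account flagged.
            expired = ($8 != "" && $8 + 0 > 0 && $8 + 0 <= today)
            printf "%s %s\n", $1, (expired ? "locked+expired" : "locked-only")
        }
    ' "$1"
}

# Constructed sample entries (hashes are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
alice:$y$PLACEHOLDER:19000:0:99999:7:::
bob:!$y$PLACEHOLDER:19000:0:99999:7:::
carol:!$y$PLACEHOLDER:19000:0:99999:7::1:
dave:!$y$PLACEHOLDER:19000:0:99999:7::99999:
EOF
}

# Stand-alone use: sh audit.sh /etc/shadow   (reading /etc/shadow needs root)
if [ $# -gt 0 ]; then
    audit_shadow "$@"
fi
```

Accounts reported as `locked-only` have a disabled password but no effective expiry date, so another authentication token such as an SSH key may still allow login.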


