On Wed, Jul 27, 2022 at 09:12:50AM -0400, Jason Franklin wrote:
> On Wed, Jul 27, 2022 at 12:09:27PM +0200, Marc Haber wrote:
> > > > > I think Jason was working on this?
> > > > >         1008082/1008084/390457 --system --lock functionality
> > > > 
> > > > I hope so, that should be the next important big step, maybe a team
> > > > effort? Can this be sensibly split into work units to distribute?
> > > 
> > > Happy to help if I can (divisible work units would help).
> > 
> > Jason, that's your call then.
> 
> I am currently working on the "--homeless" option, which I own in the
> BTS listing.

Nice. Good!

> Before I start, I want to make sure we agree on what should be done.
> 
> I asserted that two things were sufficient:
>   1. Put a '!' in front of the user's password in /etc/shadow
>   2. Expire the account
> 
> This makes it trivial to unlock an account with all of its attributes
> intact, including login shell.

I think that having nologin as a shell has the advantage of giving a
clear error message IF somebody manages to log in to the expired account
with an invalid password.

I am not sure whether we actually need to save the login shell; the
intended usage is a maintainer script, to have the account locked on
purge. The use case for re-activation here is reinstallation of the
package, with the normal postinst running as if the account didn't
exist, so the package maintainer is either fine with getting the default
login shell or has one specified in their adduser call. So, for a system
account, we can overwrite the login shell without causing harm.

For a normal user account, I am undecided whether to:

- leave the login shell intact, leaving a possible security hole
- set the login shell back to the default when the account gets reenabled
- save the login shell somewhere to reinstate it on reenabling.

I'd say, do it as you see fit; changing that at a later time would be a
rather isolated change, so I'm fine with going ahead either way here,
while still having a personal preference for the third possibility. But
I am not the one who decides that.

> Not sure if we reached agreement here. See discussion.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008082
> 
> Just let me know. Thanks!

Cc.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
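The lock/unlock scheme Jason describes (a '!' in front of the /etc/shadow hash plus an account expiry, reversible with the other attributes intact), as an added example that is not part of this thread or of adduser's own code. It works on constructed passwd/shadow lines for a hypothetical account "svc", never on the live files; the nologin path and the in-memory `saved` record standing in for "save the login shell somewhere" are assumptions.

```python
"""Account lock/unlock as the thread describes: a '!' in front of the
/etc/shadow hash plus an account expiry, reversible with the other
attributes intact.  Works on constructed passwd/shadow lines for a
hypothetical service account, never on the live files."""
from dataclasses import dataclass, field

NOLOGIN = "/usr/sbin/nologin"   # assumed: path of Debian's nologin shell
EXPIRED = "1"                   # day 1 of the epoch, i.e. 1970-01-02

@dataclass
class Account:
    passwd: str                 # one /etc/passwd line
    shadow: str                 # the matching /etc/shadow line
    saved: dict = field(default_factory=dict)  # "save somewhere" stand-in

def lock(acct, nologin=False):
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    s = acct.shadow.split(":")
    p = acct.passwd.split(":")
    if s[1].startswith("!"):
        return acct             # already locked; keep what was saved
    saved = {"expire": s[7]}    # a pre-existing expiry date must survive too
    s[1] = "!" + s[1]           # what `usermod -L` does
    s[7] = EXPIRED              # what `usermod -e 1` does
    if nologin and p[6] != NOLOGIN:
        saved["shell"] = p[6]   # the "third possibility": remember the shell
        p[6] = NOLOGIN
    return Account(":".join(p), ":".join(s), saved)

def unlock(acct):
    s = acct.shadow.split(":")
    p = acct.passwd.split(":")
    if s[1].startswith("!"):
        s[1] = s[1][1:]         # what `usermod -U` does: drop only the marker
    s[7] = acct.saved.get("expire", "")   # "" means the account never expires
    p[6] = acct.saved.get("shell", p[6])
    return Account(":".join(p), ":".join(s))

def status(acct):
    """Second column of `passwd -S`: L locked, NP no password, P usable."""
    h = acct.shadow.split(":")[1]
    if h[:1] in ("!", "*"):
        return "L"
    return "NP" if h == "" else "P"

# constructed sample entries for a hypothetical account "svc"
SAMPLE = Account("svc:x:999:999::/var/lib/svc:/bin/sh",
                 "svc:$6$saltsalt$fakehash:19200:0:99999:7:::")
```

Locking an already locked record is a no-op, so the originally saved shell and expiry are not overwritten by a second lock.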
