Bug#308881: --disabled-password writes ! in /etc/shadow

2005-05-13 Thread Marc Haber
On Fri, May 13, 2005 at 08:49:29PM +0300, Shaul Karl wrote:
> On Fri, May 13, 2005 at 01:43:25PM +0200, Marc Haber wrote:
> > --system always uses --disabled-login implicitly. This is clearly
> > documented.
> > 
> > > Is that the intended behavior?
> > 
> > For system users, yes.
> > 
> > > In this case there is no distinction between
> > > --{disabled-password,disabled-login}, is there?
> > 
> > For system users, there isn't.
> 
> 
>   This is not clearly documented.

I beg to differ

|   Add a system user
|   If called with one non-option argument and the --system option, adduser
|   will add a system user. If an user with an uid in the system range  (or
|   if  the  uid  is specified, with that) does already exist, adduser will
|   exit with a warning.
|
|   adduser will choose the first available UID from  the  range specified
|   for  system users in the configuration file.  The UID can be overridden
|   with the --uid option.
|
|   By default, system users are placed in the nogroup group.  To place the
|   new  system  user  in  an  already  existing  group,  use  the --gid or
|   --ingroup options.  To place the new system user in a  new group  with
|   the same ID, use the --group option.
|
|   A home directory is created by the same rules as for normal users.  The
|   new system user will have the shell /bin/false (unless overridden  with
>>>   the --shell option), and have a disabled password.  Skeletal
|   configuration files are not copied.

See the marked line.

> I propose the following:
> 
> 
> --- adduser.8 2005-05-13 13:37:10.0 +0300
> +++ adduser.8 2005-05-13 20:33:33.0 +0300
> @@ -177,8 +177,10 @@
>  her account until the password is set.
>  .TP
>  .B \-\-disabled-password
> -Like \-\-disabled-login, but logins are still possible for example through
> -SSH RSA keys, but not using password authentication.
> +For a normal user, this is like \-\-disabled-login, but logins are still
> +possible for example through SSH RSA keys, but not using password
> +authentication. For a system user, \-\-disabled-password has the same
> +effect as \-\-disabled-login.
>  .TP
>  .B \-\-force\-badname
>  By default, user and group names are checked against a configurable
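
Review bot: the added lines write the options as \-\-disabled-login and \-\-disabled-password, with the hyphen inside the option name left unescaped, while the .B \-\-force\-badname context line escapes every hyphen. Use \-\-disabled\-login and \-\-disabled\-password in the new text (and ideally in the .B \-\-disabled-password heading) so the option names render consistently.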

This will clutter up the docs with redundant information. I am
strongly opposed.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#308881: --disabled-password writes ! in /etc/shadow

2005-05-13 Thread Shaul Karl
On Fri, May 13, 2005 at 01:43:25PM +0200, Marc Haber wrote:
> --system always uses --disabled-login implicitly. This is clearly
> documented.
> 
> > Is that the intended behavior?
> 
> For system users, yes.
> 
> > In this case there is no distinction between
> > --{disabled-password,disabled-login}, is there?
> 
> For system users, there isn't.


  This is not clearly documented. I propose the following:


--- adduser.8   2005-05-13 13:37:10.0 +0300
+++ adduser.8   2005-05-13 20:33:33.0 +0300
@@ -177,8 +177,10 @@
 her account until the password is set.
 .TP
 .B \-\-disabled-password
-Like \-\-disabled-login, but logins are still possible for example through
-SSH RSA keys, but not using password authentication.
+For a normal user, this is like \-\-disabled-login, but logins are still
+possible for example through SSH RSA keys, but not using password
+authentication. For a system user, \-\-disabled-password has the same
+effect as \-\-disabled-login.
 .TP
 .B \-\-force\-badname
 By default, user and group names are checked against a configurable
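
Review bot: the rewritten first sentence of the \-\-disabled-password entry still chains two "but" clauses ("but logins are still possible ... but not using password authentication"), so it is hard to tell which restriction applies to what. Suggest stating the restriction first, for example "password authentication is not possible, while logins by other means such as SSH RSA keys still are", and only then adding the system-user sentence.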


> 
> >   The way I interpret the OPTIONS sections of the man page,
> > --disabled-login should have a stronger effect than --disabled-password:
> 
> Yes, for normal users.
> 
> >   Shouldn't --disabled-login use '!' and --disabled-password use '*'?
> 
> It does. For normal users.
> 





Bug#308881: --disabled-password writes ! in /etc/shadow

2005-05-13 Thread Marc Haber
On Fri, May 13, 2005 at 01:54:53PM +0300, Shaul Karl wrote:
> On Fri, May 13, 2005 at 07:44:19AM +0200, Marc Haber wrote:
> > severity #308881 minor
> > tags #308881 confirmed pending
> > thanks
> > 
> > Hi,
> > 
> > On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl wrote:
> > > adduser --system --disabled-password testuser
> > > 
> > > writes ! in the encrypted password field of /etc/shadow
> > 
> > This is the intended behavior
> 
> 
>   adduser --system --disabled-password testuser
> 
> and
> 
>   adduser --system --disabled-login testuser
> 
> both write ! in the encrypted password field of /etc/shadow.

--system always uses --disabled-login implicitly. This is clearly
documented.

> Is that the intended behavior?

For system users, yes.

> In this case there is no distinction between
> --{disabled-password,disabled-login}, is there?

For system users, there isn't.

>   The way I interpret the OPTIONS sections of the man page,
> --disabled-login should have a stronger effect than --disabled-password:

Yes, for normal users.

>   Shouldn't --disabled-login use '!' and --disabled-password use '*'?

It does. For normal users.

> -SSH RSA keys, but not using password authentification.
> +SSH RSA keys, but not using password authentication.

Committed to svn, thanks.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Bug#308881: --disabled-password writes ! in /etc/shadow

2005-05-13 Thread Shaul Karl
On Fri, May 13, 2005 at 07:44:19AM +0200, Marc Haber wrote:
> severity #308881 minor
> tags #308881 confirmed pending
> thanks
> 
> Hi,
> 
> On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl wrote:
> > adduser --system --disabled-password testuser
> > 
> > writes ! in the encrypted password field of /etc/shadow
> 
> This is the intended behavior


  adduser --system --disabled-password testuser

and

  adduser --system --disabled-login testuser

both write ! in the encrypted password field of /etc/shadow. Is that
the intended behavior? In this case there is no distinction between
--{disabled-password,disabled-login}, is there?

  The way I interpret the OPTIONS sections of the man page,
--disabled-login should have a stronger effect than --disabled-password:


--disabled-login
    Do not run passwd to set the password. The user won't be able
    to use her account until the password is set.
--disabled-password
    Like --disabled-login, but logins are still possible for example
    through SSH RSA keys, but not using password authentification.


  Shouldn't --disabled-login use '!' and --disabled-password use '*'?


  As an aside,

--- adduser.8   2005-05-13 13:35:19.0 +0300
+++ adduser.8   2005-05-13 13:37:10.0 +0300
@@ -178,7 +178,7 @@
 .TP
 .B \-\-disabled-password
 Like \-\-disabled-login, but logins are still possible for example through
-SSH RSA keys, but not using password authentification.
+SSH RSA keys, but not using password authentication.
 .TP
 .B \-\-force\-badname
 By default, user and group names are checked against a configurable
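
Review bot: the spelling fix on the "+" line is right, but this hunk corrects a single occurrence of "authentification" in adduser.8. Check the rest of the page and the other man pages shipped with it for the same misspelling so that the fix lands in one commit.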





Bug#308881: --disabled-password writes ! in /etc/shadow

2005-05-12 Thread Marc Haber
severity #308881 minor
tags #308881 confirmed pending
thanks

Hi,

On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl wrote:
> adduser --system --disabled-password testuser
> 
> writes ! in the encrypted password field of /etc/shadow

This is the intended behavior, which is misdocumented in the manpage:

"The new system user will have the shell /bin/false (unless overridden
with the --shell option), and have a disabled password."

The new manpage now says:
"... and have logins disabled."

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Bug#308881: --disabled-password writes ! in /etc/shadow

2005-05-12 Thread Shaul Karl
Package: adduser
Version: 3.63
Severity: normal
File: /usr/sbin/adduser

*** Please type your report below this line ***

adduser --system --disabled-password testuser

writes ! in the encrypted password field of /etc/shadow despite having
the following lines in the source:

    } elsif ($arg eq "--disabled-password") {
        $ask_passwd = 0;
        $disabled_login = 0;
    } elsif ($arg eq "--disabled-login") {
        $ask_passwd = 0;
        $disabled_login = 1;
    }


    if ($ask_passwd) {
        &systemcall('/usr/bin/passwd', $new_name);
    } else {
        if(!$disabled_login) {
            &systemcall('/usr/sbin/usermod', '-p', '*', $new_name);
        }


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.11-1.pentium1.1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf     1.4.30.13          Debian configuration management sy
ii  passwd      1:4.0.3-31sarge3   change and administer password and
ii  perl-base   5.8.4-8            The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: true
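
An added example, not part of the bug report or of adduser's own code: a small Python classifier for the password field of shadow(5)-format lines, showing how the '!' and '*' values discussed in this thread differ from a locked hash and from an empty field. The account names and placeholder hashes are constructed, and the state names are this example's own.

```python
"""Classify password fields in shadow(5)-format text (added example)."""

# Constructed sample entries; the hashes are placeholders, not real crypt output.
SAMPLE_SHADOW = """\
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:12916:0:99999:7:::
keyonly:*:12916:0:99999:7:::
testuser:!:12916:0:99999:7:::
paused:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:12916:0:99999:7:::
open::12916:0:99999:7:::
broken-line-without-colon
"""


def classify_field(field):
    """Map one shadow password field to a coarse state."""
    if field == "":
        return "empty"          # no password is required at all
    if field.startswith("!"):
        # A bare '!' is what the thread reports for --disabled-login and for
        # every --system user; '!' in front of a hash is a locked password.
        return "locked+hash" if field.lstrip("!").startswith("$") else "locked"
    if field == "*":
        return "no-password"    # what usermod -p '*' leaves behind
    if field.startswith("$"):
        return "hash"
    return "other"              # legacy hash or another placeholder: review


def audit(shadow_text):
    """Return {account: state}, skipping malformed lines."""
    states = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        states[parts[0]] = classify_field(parts[1])
    return states


def password_auth_ruled_out(state):
    """True when the field can never match a typed password."""
    return state in ("locked", "locked+hash", "no-password")


if __name__ == "__main__":
    for name, state in audit(SAMPLE_SHADOW).items():
        print(f"{name:10} {state:12} ruled-out={password_auth_ruled_out(state)}")
```
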

