Bug#308881: --disabled-password writes ! in /etc/shadow
On Fri, May 13, 2005 at 08:49:29PM +0300, Shaul Karl wrote:
> On Fri, May 13, 2005 at 01:43:25PM +0200, Marc Haber wrote:
> > --system always uses --disabled-login implicitly. This is clearly
> > documented.
> >
> > > Is that the intended behavior?
> >
> > For system users, yes.
> >
> > > In this case there is no distinction between
> > > --{disabled-password,disabled-login}, is there?
> >
> > For system users, there isn't.
>
>
> This is not clearly documented.

I beg to differ

| Add a system user
| If called with one non-option argument and the --system option, adduser
| will add a system user. If an user with an uid in the system range (or
| if the uid is specified, with that) does already exist, adduser will
| exit with a warning.
|
| adduser will choose the first available UID from the range specified
| for system users in the configuration file. The UID can be overridden
| with the --uid option.
|
| By default, system users are placed in the nogroup group. To place the
| new system user in an already existing group, use the --gid or
| --ingroup options. To place the new system user in a new group with
| the same ID, use the --group option.
|
| A home directory is created by the same rules as for normal users. The
| new system user will have the shell /bin/false (unless overridden with
>>> the --shell option), and have a disabled password. Skeletal
>>> configura-
| tion files are not copied.

see the marked line.

> I propose the following:
>
>
> --- adduser.8 2005-05-13 13:37:10.0 +0300 > +++ adduser.8 2005-05-13 20:33:33.0 +0300
> @@ -177,8 +177,10 @@ > her account until the password is set. > .TP > .B \-\-disabled-password > -Like \-\-disabled-login, but logins are still possible for example through > -SSH RSA keys, but not using password authentication. > +For a normal user, this is like \-\-disabled-login, but logins are still > +possible for example through SSH RSA keys, but not using password > +authentication. For a system user, \-\-disabled-password has the same > +effect as \-\-disabled-login. > .TP > .B \-\-force\-badname > By default, user and group names are checked against a configurable

This will clutter up the docs with redundant information. I am strongly opposed.

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
Bug#308881: --disabled-password writes ! in /etc/shadow
On Fri, May 13, 2005 at 01:43:25PM +0200, Marc Haber wrote:
> --system always uses --disabled-login implicitly. This is clearly
> documented.
>
> > Is that the intended behavior?
>
> For system users, yes.
>
> > In this case there is no distinction between
> > --{disabled-password,disabled-login}, is there?
>
> For system users, there isn't.

This is not clearly documented. I propose the following:

--- adduser.8 2005-05-13 13:37:10.0 +0300 +++ adduser.8 2005-05-13 20:33:33.0 +0300 @@ -177,8 +177,10 @@ her account until the password is set. .TP .B \-\-disabled-password -Like \-\-disabled-login, but logins are still possible for example through -SSH RSA keys, but not using password authentication. +For a normal user, this is like \-\-disabled-login, but logins are still +possible for example through SSH RSA keys, but not using password +authentication. For a system user, \-\-disabled-password has the same +effect as \-\-disabled-login. .TP .B \-\-force\-badname By default, user and group names are checked against a configurable

>
> > The way I interpret the OPTIONS sections of the man page,
> > --disabled-login should have a stronger effect than --disabled-password:
>
> Yes, for normal users.
>
> > Shouldn't --disabled-login use '!' and --disabled-password use '*'?
>
> It does. For normal users.
>
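Review bot: the sentence added at the end of the \-\-disabled-password entry ("For a system user, \-\-disabled-password has the same effect as \-\-disabled-login.") states the equivalence without its cause, so a reader of this entry alone cannot tell why the option stops making a difference. Suggest naming the cause in the same sentence, for example "With \-\-system, \-\-disabled-login is always implied, so \-\-disabled-password changes nothing", or cross-referencing the "Add a system user" section rather than restating its result here.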
Bug#308881: --disabled-password writes ! in /etc/shadow
On Fri, May 13, 2005 at 01:54:53PM +0300, Shaul Karl wrote:
> On Fri, May 13, 2005 at 07:44:19AM +0200, Marc Haber wrote:
> > severity #308881 minor
> > tags #308881 confirmed pending
> > thanks
> >
> > Hi,
> >
> > On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl wrote:
> > > adduser --system --disabled-password testuser
> > >
> > > writes ! in the encrypted password field of /etc/shadow
> >
> > This is the intended behavior
>
>
> adduser --system --disabled-password testuser
>
> and
>
> adduser --system --disabled-login testuser
>
> both write ! in the encrypted password field of /etc/shadow.

--system always uses --disabled-login implicitly. This is clearly documented.

> Is that the intended behavior?

For system users, yes.

> In this case there is no distinction between
> --{disabled-password,disabled-login}, is there?

For system users, there isn't.

> The way I interpret the OPTIONS sections of the man page,
> --disabled-login should have a stronger effect than --disabled-password:

Yes, for normal users.

> Shouldn't --disabled-login use '!' and --disabled-password use '*'?

It does. For normal users.

> -SSH RSA keys, but not using password authentification. > +SSH RSA keys, but not using password authentication.

Committed to svn, thanks.

Greetings
Marc
Bug#308881: --disabled-password writes ! in /etc/shadow
On Fri, May 13, 2005 at 07:44:19AM +0200, Marc Haber wrote:
> severity #308881 minor
> tags #308881 confirmed pending
> thanks
>
> Hi,
>
> On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl wrote:
> > adduser --system --disabled-password testuser
> >
> > writes ! in the encrypted password field of /etc/shadow
>
> This is the intended behavior

adduser --system --disabled-password testuser

and

adduser --system --disabled-login testuser

both write ! in the encrypted password field of /etc/shadow.
Is that the intended behavior? In this case there is no distinction between
--{disabled-password,disabled-login}, is there?

The way I interpret the OPTIONS sections of the man page,
--disabled-login should have a stronger effect than --disabled-password:

  --disabled-login
         Do not run passwd to set the password. The user won't be able to use
         her account until the password is set.

  --disabled-password
         Like --disabled-login, but logins are still possible for example through
         SSH RSA keys, but not using password authentification.

Shouldn't --disabled-login use '!' and --disabled-password use '*'?

As an aside,

--- adduser.8 2005-05-13 13:35:19.0 +0300 +++ adduser.8 2005-05-13 13:37:10.0 +0300 @@ -178,7 +178,7 @@ .TP .B \-\-disabled-password Like \-\-disabled-login, but logins are still possible for example through -SSH RSA keys, but not using password authentification. +SSH RSA keys, but not using password authentication. .TP .B \-\-force\-badname By default, user and group names are checked against a configurable
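Review bot: the corrected line in the \-\-disabled-password entry still sits in a sentence with two "but" clauses in a row ("but logins are still possible for example through SSH RSA keys, but not using password authentication"). Since the hunk already touches this sentence, it could be recast as "logins remain possible, for example through SSH RSA keys, but not with a password". It would also be worth checking the rest of adduser.8 for the same misspelling so that it is fixed in one change.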
Bug#308881: --disabled-password writes ! in /etc/shadow
severity #308881 minor
tags #308881 confirmed pending
thanks

Hi,

On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl wrote:
> adduser --system --disabled-password testuser
>
> writes ! in the encrypted password field of /etc/shadow

This is the intended behavior, which is misdocumented in the manpage:
"The new system user will have the shell /bin/false (unless overridden
with the --shell option), and have a disabled password."

The new manpage now says: "... and have logins disabled."

Greetings
Marc
Bug#308881: --disabled-password writes ! in /etc/shadow
Package: adduser
Version: 3.63
Severity: normal
File: /usr/sbin/adduser

*** Please type your report below this line ***

adduser --system --disabled-password testuser

writes ! in the encrypted password field of /etc/shadow despite having
the following lines in the source:

    } elsif ($arg eq "--disabled-password") {
        $ask_passwd = 0;
        $disabled_login = 0;
    } elsif ($arg eq "--disabled-login") {
        $ask_passwd = 0;
        $disabled_login = 1;
    }

    if ($ask_passwd) {
        &systemcall('/usr/bin/passwd', $new_name);
    } else {
        if(!$disabled_login) {
            &systemcall('/usr/sbin/usermod', '-p', '*', $new_name);
        }

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Kernel: Linux 2.6.11-1.pentium1.1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf    1.4.30.13         Debian configuration management sy
ii  passwd     1:4.0.3-31sarge3  change and administer password and
ii  perl-base  5.8.4-8           The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: true
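The thread turns on which value ends up in the password field of /etc/shadow. As an added example (not part of the thread and not adduser code), this Python script labels each shadow password field and lists accounts in a system UID range whose field is anything other than the lone '!' that the thread describes for --system accounts. The passwd and shadow lines are constructed, the label names are the example's own, and the 100-999 UID range is an assumption to be replaced with the range from the local configuration file.

```python
import re

# Constructed sample data (not from a real system): passwd(5) and shadow(5) lines.
PASSWD = """\
testuser:x:104:65534::/home/testuser:/bin/false
svc:x:105:65534::/home/svc:/bin/false
backupd:x:106:65534::/home/backupd:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
testuser:!:12916:0:99999:7:::
svc:$1$constructed$notARealHashValue000000:12916:0:99999:7:::
backupd::12916:0:99999:7:::
alice:*:12916:0:99999:7:::
"""

def classify(field):
    """Label one shadow password field; the label names are this example's own."""
    if field == "":
        return "empty"              # no password needed to authenticate
    if field == "!":
        return "login-disabled"     # value reported in the thread for --system accounts
    if field == "*":
        return "password-disabled"  # value set by usermod -p '*' in the quoted source
    if field.startswith("!"):
        return "locked-hash"        # '!' in front of a stored hash
    if re.fullmatch(r"\$[^$]+\$.+|[./0-9A-Za-z]{13}", field):
        return "hash"               # password login possible
    return "invalid"                # any other non-crypt string

def fields(text, minimum):
    """Yield split records, skipping blank, comment and truncated lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(parts) >= minimum:
            yield parts

def audit(passwd, shadow, first_sys=100, last_sys=999):
    """Return {name: label} for system-range accounts whose field is not '!'."""
    labels = {p[0]: classify(p[1]) for p in fields(shadow, 2)}
    findings = {}
    for p in fields(passwd, 3):
        if p[2].isdigit() and first_sys <= int(p[2]) <= last_sys:
            label = labels.get(p[0], "no-shadow-entry")
            if label != "login-disabled":
                findings[p[0]] = label
    return findings
```

On the constructed data, `audit(PASSWD, SHADOW)` reports `svc` (a usable hash) and `backupd` (an empty field), and leaves `testuser` and the out-of-range `alice` alone.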