On Tue, Jun 28, 2011 at 5:10 PM, Mark McCullough <[email protected]> wrote:
> Anyone else noticed that Solaris 10 has changed the behavior of the passwd
> -l command?
>
> If a user is set for authentication outside of pam_unix by passwd -N so
> that their shadow entry is NP, that works fine.
>
> If the user needs to be locked (such as for eventual account deletion), the
> normal method is passwd -l. This would usually set *LK* in the front of the
> shadow entry. But if the entry was NP, there is no change made to the
> entry. Many months ago when we last checked, this worked fine.
>
> So far, we haven't figured out what change caused this behavior.
>
>
It seems that, when the password is set to "LP" or "NP", the code decides
not to lock the user account [1]. The whole /etc/shadow file gets rewritten
but with the same contents. The return message saying the password
information has been changed is unfortunate.
The additional check to see if the password was already "NP" was added to
files_attr.c in changeset 9043 [2] in Mar 2009. This was done in support
of bug 6812488 ("account lockout needs to perform additional checks") and
delivered with OpenSolaris 2009.6. It's usual to have these changes
backported to Solaris 10.
That bug report reads: "Account lockout functionality should not be enforced
for non-login accounts. Today, account lockout is enforced meaning that a
non-login account can be locked and thereby prevented from using scheduled
execution services (e.g., cron/at) even though the account is already
protected from brute force password guess attempts."
So it looks like you're right, it has indeed changed!
[1] http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/passwdutil/files_attr.c#737
[2] http://hg.genunix.org/onnv-gate.hg/rev/61b7eebcfb15
--
Giovanni Tirloni
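The practical consequence of the behaviour discussed in this thread is that an administrator who runs `passwd -l` on an NP account and trusts the "password information changed" message may leave the account unlocked. The following checker is an added example, not code from the thread or from Solaris: it parses shadow(4)-style lines (nine colon-separated fields, of which only the user name and password field are used here) and reports which accounts on a "should be locked" list still lack the `*LK*` prefix. The sample lines are constructed, the hashes are placeholders, and the `*LK*NP` form for a locked non-login entry is assumed from the older behaviour the original poster describes.

```python
"""Report accounts that were supposed to be locked but whose shadow entry
still lacks the *LK* prefix (added example; not from the thread or Solaris)."""
from typing import Dict, List

LOCK_PREFIX = "*LK*"
NON_LOGIN = {"NP", "LP"}  # values the thread says passwd -l now leaves untouched


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password field for each well-formed shadow line.

    Solaris shadow(4) lines have nine colon-separated fields; only the
    first two matter here. Blank lines and comments are skipped.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: not enough fields to classify
        entries[fields[0]] = fields[1]
    return entries


def classify(pw_field: str) -> str:
    """Describe the effective login state of one password field."""
    if pw_field.startswith(LOCK_PREFIX):
        return "locked"
    if pw_field in NON_LOGIN:
        return "non-login"  # authenticates outside pam_unix (passwd -N) or never logs in
    if pw_field == "":
        return "empty"  # no password at all; worth flagging on its own
    return "password-set"


def unlocked_after_lock_request(text: str, should_be_locked: List[str]) -> Dict[str, str]:
    """Return {user: state} for requested accounts whose field lacks *LK*.

    This is exactly the case the thread describes: passwd -l ran on an NP
    entry, reported success, but the entry still reads NP rather than *LK*NP.
    Accounts absent from the file are reported as "missing".
    """
    entries = parse_shadow(text)
    result: Dict[str, str] = {}
    for user in should_be_locked:
        field = entries.get(user)
        if field is None:
            result[user] = "missing"
        elif not field.startswith(LOCK_PREFIX):
            result[user] = classify(field)
    return result


# Constructed sample; hashes are placeholders, not real credentials.
SAMPLE_SHADOW = """\
root:$5$placeholderhash:15000::::::
alice:*LK*$5$placeholderhash:15000::::::
bob:NP:15000::::::
carol:*LK*NP:15000::::::
dave:LP:15000::::::
"""

# Accounts an administrator believes were locked for eventual deletion.
SLATED_FOR_DELETION = ["alice", "bob", "carol", "dave", "erin"]

if __name__ == "__main__":
    for user, state in unlocked_after_lock_request(SAMPLE_SHADOW, SLATED_FOR_DELETION).items():
        print(f"{user}: still {state}")
```

Run against a real file with `open("/etc/shadow").read()` as the first argument (root required); any account it prints needs a second look, since the lock request did not change its entry. Checking the file rather than the command's exit status is the point: on the affected versions the message and the file disagree.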
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/