* NEWS, src/passwd.c: For compatibility with other passwd version,
	the --lock and --unlock options do not lock or unlock the user
	account anymore.  They only lock or unlock the user's password.
	* man/passwd.1.xml: Document above change. Document how an account
	can be locked and what a password lock means.
nekral-guest committed Aug 22, 2008
1 parent fa33bb9 commit 1355d5d
Showing 4 changed files with 44 additions and 24 deletions.
8 changes: 8 additions & 0 deletions ChangeLog
@@ -1,3 +1,11 @@
2008-08-17 Nicolas François <nicolas.francois@centraliens.net>

* NEWS, src/passwd.c: For compatibility with other passwd version,
the --lock an --unlock options do not lock or unlock the user
account anymore. They only lock or unlock the user's password.
* man/passwd.1.xml: Document above change. Document how an account
can be locked and what a password lock means.

2008-08-15 Nicolas François <nicolas.francois@centraliens.net>

* man/groupadd.8.xml: Fix the regular expression for group policy.
4 changes: 4 additions & 0 deletions NEWS
@@ -17,6 +17,10 @@ shadow-4.1.2.1 -> shadow-4.1.3 UNRELEASED
* /etc/group is open readonly when one just wants to list the users of a
group.
* Added syslog support.
- passwd
* For compatiobility with other passwd version, the --lock an --unlock
options do not lock or unlock the user account anymore. They only
lock or unlock the user's password.

shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008

31 changes: 24 additions & 7 deletions man/passwd.1.xml
@@ -196,9 +196,21 @@
</term>
<listitem>
<para>
Lock the named account. This option disables an account by changing
the password to a value which matches no possible encrypted value,
and by setting the account expiry field to 1.
Lock the password of the named account. This option disables a
password by changing it to a value which matches no possible
encrypted value (it adds a ´!´ at the beginning of the
password).
</para>
<para>
Note that this does not disable the account. The user may
still be able to login using another authentication token
(e.g. an SSH key). To disable the account, administrators
should use <command>usermod --expiredate 1</command> (this set
the account's expire date to Jan 2, 1970).
</para>
<para>
Users with a locked password are not allowed to change their
password.
</para>
</listitem>
</varlistentry>
@@ -242,7 +254,8 @@
<para>
Display account status information. The status information
consists of 7 fields. The first field is the user's login name.
The second field indicates if the user account is locked (L),
The second field indicates if the user account has a locked
password (L),
has no password (NP), or has a usable password (P). The third
field gives the date of the last password change. The next four
fields are the minimum age, maximum age, warning period, and
@@ -257,9 +270,10 @@
</term>
<listitem>
<para>
Unlock the named account. This option re-enables an account by
changing the password back to its previous value (to value before
using <option>-l</option> option), and by resetting the account
Unlock the password of the named account. This option
re-enables a password by changing the password back to its
previous value (to the value before using the
<option>-l</option> option), and by resetting the account
expiry field.
</para>
</listitem>
@@ -402,6 +416,9 @@
<citerefentry>
<refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
<citerefentry>
<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>
25 changes: 8 additions & 17 deletions src/passwd.c
@@ -79,11 +79,11 @@ static bool
eflg = false, /* -e - force password change */
iflg = false, /* -i - set inactive days */
kflg = false, /* -k - change only if expired */
lflg = false, /* -l - lock account */
lflg = false, /* -l - lock the user's password */
nflg = false, /* -n - set minimum days */
qflg = false, /* -q - quiet mode */
Sflg = false, /* -S - show password status */
uflg = false, /* -u - unlock account */
uflg = false, /* -u - unlock the user's password */
wflg = false, /* -w - set warning days */
xflg = false; /* -x - set maximum days */

@@ -163,13 +163,13 @@ static void usage (int status)
" -k, --keep-tokens change password only if expired\n"
" -i, --inactive INACTIVE set password inactive after expiration\n"
" to INACTIVE\n"
" -l, --lock lock the named account\n"
" -l, --lock lock the password of the named account\n"
" -n, --mindays MIN_DAYS set minimum number of days before password\n"
" change to MIN_DAYS\n"
" -q, --quiet quiet mode\n"
" -r, --repository REPOSITORY change password in REPOSITORY repository\n"
" -S, --status report password status on the named account\n"
" -u, --unlock unlock the named account\n"
" -u, --unlock unlock the password of the named account\n"
" -w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS\n"
" -x, --maxdays MAX_DAYS set maximim number of days before password\n"
" change to MAX_DAYS\n"
@@ -487,8 +487,8 @@ static char *update_crypt_pw (char *cp)
if (uflg && *cp == '!') {
if (cp[1] == '\0') {
fprintf (stderr,
_("%s: unlocking the user would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock this user account.\n"),
_("%s: unlocking the password would result in a passwordless account.\n"
"You should set a password with usermod -p to unlock the password of this account.\n"),
Prog);
} else {
cp++;
@@ -597,15 +597,6 @@ static void update_shadow (void)
if (do_update_age) {
nsp->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
}
if (lflg) {
/* Set the account expiry field to 1.
* Some PAM implementation consider zero as a non expired
* account.
*/
nsp->sp_expire = 1;
}
if (uflg)
nsp->sp_expire = -1;

/*
* Force change on next login, like SunOS 4.x passwd -e or Solaris
@@ -707,12 +698,12 @@ static int check_selinux_access (const char *changed_user,
* -g execute gpasswd command to interpret flags
* -i # set sp_inact to # days (*)
* -k change password only if expired
* -l lock the named account (*)
* -l lock the password of the named account (*)
* -n # set sp_min to # days (*)
* -r # change password in # repository
* -s execute chsh command to interpret flags
* -S show password status of named account
* -u unlock the named account (*)
* -u unlock the password of the named account (*)
* -w # set sp_warn to # days (*)
* -x # set sp_max to # days (*)
*
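Review bot: With the `if (uflg) nsp->sp_expire = -1;` branch dropped from update_shadow, `passwd -u` no longer clears an expiry of 1 that `passwd -l` from an earlier release set, so such an account stays expired after its password is unlocked, and nothing at the removal site or in the `-u` usage text says so. A comment where the two branches used to be would record the intent, e.g. `/* sp_expire is left untouched: -l/-u only toggle the password lock; use usermod --expiredate to disable or re-enable the account. */`. The unchanged tail of the `-u` entry in man/passwd.1.xml ("and by resetting the account expiry field") also appears to contradict the new code and should be dropped, so administrators do not assume an unlock restores login. update_shadow's body starts and ends outside the hunk.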