>
> deluser --lock => usermod --lock. Nothing else.
> deluser --system --lock => usermod --lock. Nothing else.


> adduser --unlock => usermod --unlock. Nothing else.
> adduser --system --unlock => usermod --unlock. Nothing else.


So to reiterate for the record:
- locking does nothing to expiration or login shell, crontabs, doesn't back
up or remove any files.
- locking an account reversibly invalidates the password via usermod
- any account can be locked; system accounts can be set to lock by default
in /etc/deluser.conf.

I do apologize if this has already been hashed out, but is password
invalidation enough, *especially* for system users where unpassworded
services/crons/etc. are the primary use case?  Those would still run unless
we change the shell.  And public key authentication via ssh, for that
matter... the more I think about it, the more I think that at the very least
we should also expire the account, i.e. usermod --lock --expiredate
$last_friday_night

fwiw, this is what I had written before I saw your feedback:

&systemcall('/usr/sbin/usermod', "-e", $exp_date, "-f", 0, "-L", "-s",
"/usr/bin/nologin", $user);

mb

[1]
https://unix.stackexchange.com/questions/700826/completely-lock-user-account-on-server-including-ssh
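
An added example, not part of the original message or of adduser itself: a small audit for the gap discussed above, listing accounts whose password is locked ("!" prefix in shadow) but which have no past expiry date or still have a login shell. The function names and the sample accounts are constructed for illustration; the files follow the passwd(5) and shadow(5) layouts.

```shell
#!/bin/sh
# audit_locked PASSWD SHADOW [TODAY_IN_DAYS_SINCE_EPOCH]
# Prints "user:reasons" for every password-locked account that is still usable
# by cron, services or ssh public keys because it is not expired and/or keeps
# a login shell.
audit_locked() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        NR == FNR { shell[$1] = $7; next }      # first file: passwd, remember shell
        substr($2, 1, 1) == "!" {               # second file: shadow, locked password
            why = ""
            # field 8 is the expiry date in days since the epoch; empty means never
            if ($8 == "" || $8 + 0 > today) why = "not-expired"
            if (shell[$1] !~ /(nologin|false)$/)
                why = why (why == "" ? "" : ",") "login-shell"
            if (why != "") print $1 ":" why
        }
    ' "$1" "$2"
}

# write_sample DIR: constructed passwd/shadow data, not taken from a real host.
write_sample() {
    cat > "$1/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
svc-backup:x:998:998::/var/lib/backup:/bin/sh
svc-old:x:997:997::/nonexistent:/usr/sbin/nologin
bob:x:1001:1001::/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
alice:$y$constructed:19000:0:99999:7:::
svc-backup:!:19000::::::
svc-old:!:19000:::::1:
bob:!$y$constructed:19000:0:99999:7::19500:
EOF
}

# Demo run against the constructed data, with "today" pinned to day 20000.
tmp=$(mktemp -d)
write_sample "$tmp"
audit_locked "$tmp/passwd" "$tmp/shadow" 20000
rm -rf "$tmp"
```

Here svc-old is not reported because it is both expired and set to nologin, while svc-backup is locked in name only.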
