* Marc Haber <[EMAIL PROTECTED]> [2005-03-18 18:10]:
> On Thu, Mar 10, 2005 at 03:10:28PM +0100, Gerhard Schrenk wrote:
> > 'adduser --system' adds apparently users with expire and warn period
> > from /etc/login.defs
> >
> > For example it reads the following setting in /etc/login.defs
> > PASS_MAX_DAYS 183
> > PASS_MIN_DAYS 0
> > PASS_WARN_AGE 183
> >
> > Example: After 1/2 year after upgrading to sarge logcheck (which added a
> > new system user) suddenly stopped mailing its reports.
>
> Yuck.
>
> Did the account actually have a password?
No password. Before I fixed it the shadow entry was
gandalf:/.home/gandalf/gps# getent shadow logcheck
logcheck:!:12656:0:183:183:::
The system account logcheck was not in woody. It has been introduced in
unstable/sarge. From /usr/share/doc/logcheck/NEWS.Debian.gz:
|logcheck (1.2.19-2) unstable; urgency=low
|
| * As of version 1.2.19, logcheck no longer runs as root.
| Logcheck runs as user logcheck which has been created
| and added to group adm upon configuration.
|
| If you have customized your configuration,
| you will need to be sure that your
| logs are readable by the logcheck user.
I upgraded from woody -> sarge on 26 Aug 2004. On 26 Feb 2004 logcheck stopped
mailing.
For sshd and sslwrap I had the same insane entries (183:183 instead of 99999:7;
without password).
> Can you please verify whether useradd -x 99999 will create an account
> without that restriction?
Um. No.
gandalf:/home/gandalf/gps# useradd -x 99999 testit
useradd: invalid option -- x
usage: useradd [-u uid [-o]] [-g group] [-G group,...]
[-d home] [-s shell] [-c comment] [-m [-k template]]
[-f inactive] [-e expire ] [-p passwd] name
useradd -D [-g group] [-b base] [-s shell]
[-f inactive] [-e expire ]
Do you mean useradd -e 99999?
gandalf:/home/gandalf/gps# grep ^PASS /etc/login.defs
PASS_MAX_DAYS 183
PASS_MIN_DAYS 0
PASS_WARN_AGE 183
PASS_MAX_LEN 8
gandalf:/home/gandalf/gps# useradd -e 99999 testit
gandalf:/home/gandalf/gps# getent passwd testit
testit:x:11322:100::/home/testit:
gandalf:/home/gandalf/gps# getent shadow testit
testit:!:12863:0:183:183::17324:
> The only possible fix for _adduser_ would be to ignore PASS_MAX_DAYS
> for system account creation. Is that what you're suggesting?
Yes. I think this should be the sane default behaviour for 'adduser --system'.
Only adduser and adduser.conf is mentioned in debian policy section 9.2.2 (and
neither useradd nor /etc/login.defs). I suppose you should fix this independant
of what useradd ist doing.
But maybe the right thing is to actually fix useradd?? At least its manpage
does not mention /etc/login.defs. Therefore I have cc'ed its maintainers.
-- Gerhard
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
