Package: shadow
Severity: normal
The usermod and passwd man pages wrongly suggest [1] using

    usermod --expiredate 1 <user>

to expire accounts. Both of

    chage --expiredate 1 <user>

and

    usermod --expiredate 1970-01-02 <user>

do the right thing, but

    usermod --expiredate 1 <user>

sets <user>'s account to expire TOMORROW, because "1" gets interpreted as today's date! (I don't understand why, but it's probably related to the gigantic bison grammar in getdate.y ...)

Suggested fix: change `usermod --expiredate` to handle numeric arguments the same way chage does, and update the usermod man page accordingly.

Here's some relevant code from usermod and chage in the most recent source I could find (ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-4.1.4.3.tar.bz). Note the isnum check in chage:

shadow-4.1.4.3/src/usermod.c:

    case 'e':
        if ('\0' != *optarg) {
            user_newexpire = strtoday (optarg);
            if (user_newexpire == -1) {
                fprintf (stderr,
                         _("%s: invalid date '%s'\n"),
                         Prog, optarg);
                exit (E_BAD_ARG);
            }
            user_newexpire *= DAY / SCALE;
        } else {
            user_newexpire = -1;
        }
        eflg = true;
        break;

shadow-4.1.4.3/src/chage.c:

    case 'E':
        Eflg = true;
        if (!isnum (optarg)) {
            expdate = strtoday (optarg);
        } else if (   (getlong (optarg, &expdate) == 0)
                   || (expdate < -1)) {
            fprintf (stderr,
                     _("%s: invalid date '%s'\n"),
                     Prog, optarg);
            usage ();
        }
        break;

I experienced this problem on an Ubuntu 10.10 system, but I don't think that's relevant.

Thanks,

-enoksrd

[1] The relevant man page entries:

The passwd man page says:

    -l, --lock
        Lock the password of the named account. This option disables a
        password by changing it to a value which matches no possible
        encrypted value (it adds a ´!´ at the beginning of the password).

        Note that this does not disable the account. The user may still be
        able to login using another authentication token (e.g. an SSH key).
        To disable the account, administrators should use usermod
        --expiredate 1 (this set the account's expire date to Jan 2, 1970).

        Users with a locked password are not allowed to change their
        password.

and the usermod man page says:

    -L, --lock
        Lock a user's password. This puts a ! in front of the encrypted
        password, effectively disabling the password. You can't use this
        option with -p or -U.

        Note: if you wish to lock the account (not only access with a
        password), you should also set the EXPIRE_DATE to 1.

    -e, --expiredate EXPIRE_DATE
        The date on which the user account will be disabled. The date is
        specified in the format YYYY-MM-DD.

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183#122 where the incorrect suggestion was added to passwd manual page.

-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-backports'), (500, 'maverick')
Architecture: i386 (i686)

Kernel: Linux 2.6.35-28-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
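
The suggested fix, sketched as an added example that is not part of the original report and is not shadow's code: a purely numeric argument is taken as days since 1970-01-01 with the same lower bound of -1 that chage enforces, and anything else must be a date. The names parse_expire_days and days_from_civil are hypothetical, and the sketch assumes only YYYY-MM-DD dates are accepted instead of the full getdate grammar that strtoday uses.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Days from 1970-01-01 to y-m-d in the proleptic Gregorian calendar. */
static long days_from_civil(long y, long m, long d)
{
    y -= m <= 2;                                 /* treat Jan/Feb as end of previous year */
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;                    /* year of era, 0..399 */
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Hypothetical helper: returns 0 and sets *days, or -1 for an invalid date. */
int parse_expire_days(const char *arg, long *days)
{
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    char *end;
    int y, m, d, used = 0;
    errno = 0;
    long n = strtol(arg, &end, 10);
    if (end != arg && *end == '\0') {            /* the whole argument is a number */
        if (errno == ERANGE || n < -1)
            return -1;                           /* same lower bound as chage */
        *days = n;                               /* days since the epoch, -1 = never */
        return 0;
    }
    if (sscanf(arg, "%4d-%2d-%2d%n", &y, &m, &d, &used) != 3 || arg[used] != '\0')
        return -1;                               /* not YYYY-MM-DD, or trailing junk */
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    if (m < 1 || m > 12 || d < 1 || d > mdays[m - 1] + (m == 2 && leap))
        return -1;
    *days = days_from_civil(y, m, d);
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, including the two forms from the report. */
    const char *samples[] = {"1", "1970-01-02", "-1", "tomorrow"};
    for (size_t i = 0; i < 4; i++) {
        long days = 0;
        int rc = parse_expire_days(samples[i], &days);
        printf("%-12s -> rc=%d days=%ld\n", samples[i], rc, days);
    }
    return 0;
}
```

With this handling, "1" and "1970-01-02" resolve to the same day, which is the behaviour the man pages describe.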