[Pkg-shadow-commits] r3390 - in upstream/trunk: . man src
Nicolas FRANÇOIS
nekral-guest at alioth.debian.org
Thu Jul 14 13:29:38 UTC 2011
Author: nekral-guest
Date: 2011-07-14 13:29:37 +0000 (Thu, 14 Jul 2011)
New Revision: 3390
Modified:
upstream/trunk/ChangeLog
upstream/trunk/NEWS
upstream/trunk/man/usermod.8.xml
upstream/trunk/src/usermod.c
Log:
* NEWS, src/usermod.c; man/usermod.8.xml: When the shadow file
exists but there are no shadow entries, an entry has to be created
if the password is changed and passwd requires a shadow entry, or
if aging features are used (-e or -f). Document this and also that
-e and -f require a shadow file.
Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog 2011-07-14 13:29:32 UTC (rev 3389)
+++ upstream/trunk/ChangeLog 2011-07-14 13:29:37 UTC (rev 3390)
@@ -16,6 +16,11 @@
* src/usermod.c (update_group, update_gshadow): Reduce complexity
and document checks. Some checks were always true/false within
their call context.
+ * NEWS, src/usermod.c; man/usermod.8.xml: When the shadow file
+ exists but there are no shadow entries, an entry has to be created
+ if the password is changed and passwd requires a shadow entry, or
+ if aging features are used (-e or -f). Document this and also that
+ -e and -f require a shadow file.
2011-07-08 Nicolas François <nicolas.francois at centraliens.net>
Modified: upstream/trunk/NEWS
===================================================================
--- upstream/trunk/NEWS 2011-07-14 13:29:32 UTC (rev 3389)
+++ upstream/trunk/NEWS 2011-07-14 13:29:37 UTC (rev 3390)
@@ -61,6 +61,9 @@
this group isn't the user's primary group.
- usermod
* Accept options in any order (username not necessarily at the end)
+ * When the shadow file exists but there are no shadow entries, an entry
+ is created if the password is changed and passwd requires a
+ shadow entry, or if aging features are used (-e or -f).
*** translation
* Updated Brazilian Portuguese translation.
Modified: upstream/trunk/man/usermod.8.xml
===================================================================
--- upstream/trunk/man/usermod.8.xml 2011-07-14 13:29:32 UTC (rev 3389)
+++ upstream/trunk/man/usermod.8.xml 2011-07-14 13:29:37 UTC (rev 3390)
@@ -127,6 +127,11 @@
The date on which the user account will be disabled. The date is
specified in the format <emphasis remap='I'>YYYY-MM-DD</emphasis>.
</para>
+ <para>
+ This option requires a <filename>/etc/shadow</filename> file.
+ A <filename>/etc/shadow</filename> entry will be created if
+ there were none.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
@@ -144,6 +149,11 @@
as the password has expired, and a value of -1 disables the
feature.
</para>
+ <para>
+ This option requires a <filename>/etc/shadow</filename> file.
+ A <filename>/etc/shadow</filename> entry will be created if
+ there were none.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
Modified: upstream/trunk/src/usermod.c
===================================================================
--- upstream/trunk/src/usermod.c 2011-07-14 13:29:32 UTC (rev 3389)
+++ upstream/trunk/src/usermod.c 2011-07-14 13:29:37 UTC (rev 3390)
@@ -417,7 +417,13 @@
pwent->pw_name, user_newname));
pwent->pw_name = xstrdup (user_newname);
}
- if (!is_shadow_pwd) {
+ /* Update the password in passwd if there is no shadow file or if
+ * the password is currently in passwd (pw_passwd != "x").
+ * We do not force the usage of shadow passwords if they are not
+ * used for this account.
+ */
+ if ( (!is_shadow_pwd)
+ || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {
pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);
}
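Review bot: The comment added above the new condition states the policy but not its consequence. For an account whose `pw_passwd` is not "x", a password change now writes the new hash into passwd even though a shadow file exists, and passwd is normally world-readable. Together with the @@ -522 hunk, the same hash is also written to the shadow entry when one exists. I would add a line to the comment such as `* Note: the hash then remains in passwd, which is usually world-readable.` so the trade-off is visible to the next maintainer. The enclosing function starts and ends outside this hunk.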
@@ -522,12 +528,23 @@
spent->sp_namp, old_exp, new_exp));
spent->sp_expire = user_newexpire;
}
+
+ /* Always update the shadowed password if there is a shadow entry
+ * (even if shadowed passwords might not be enabled for this
+ * account (pw_passwd != "x")).
+ * It seems better to update the password in both places in case a
+ * shadow and a non shadow entry exist.
+ * This might occur if:
+ * + there were already both entries
+ * + aging has been requested
+ */
spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
+
if (pflg) {
spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE;
if (0 == spent->sp_lstchg) {
/* Better disable aging than requiring a password
- * change */
+ * change. */
spent->sp_lstchg = -1;
}
}
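Review bot: The `sp_lstchg` fallback at the end of this hunk (`time () / SCALE`, then `-1` when the result is 0) is repeated line for line in the entry-creation branch added by the @@ -1380 hunk. A small static helper that returns the day count, or `-1` when it is 0, would keep the two copies from drifting apart. The second item in the new comment's list, "aging has been requested", would be clearer if it said this is the shadow entry created in that branch for -e or -f. The enclosing function starts and ends outside this hunk.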
@@ -1380,13 +1397,46 @@
new_pwent (&pwent);
- /*
- * Locate the entry in /etc/shadow. It doesn't have to exist, and
- * won't be created if it doesn't.
- */
- if (is_shadow_pwd && ((spwd = spw_locate (user_name)) != NULL)) {
- spent = *spwd;
- new_spent (&spent);
+ /* If the shadow file does not exist, it won't be created */
+ if (is_shadow_pwd) {
+ spwd = spw_locate (user_name);
+ if (NULL != spwd) {
+ /* Update the shadow entry if it exists */
+ spent = *spwd;
+ new_spent (&spent);
+ } else if ( ( pflg
+ && (strcmp (pwent.pw_passwd, SHADOW_PASSWD_STRING) == 0))
+ || eflg || fflg) {
+ /* In some cases, we force the creation of a
+ * shadow entry:
+ * + new password requested and passwd indicates
+ * a shadowed password
+ * + aging information is requested
+ */
+ memset (&spent, 0, sizeof spent);
+ spent.sp_namp = user_name;
+
+ /* The user explicitly asked for a shadow feature.
+ * Enable shadowed passwords for this new account.
+ */
+ spent.sp_pwdp = xstrdup (pwent.pw_passwd);
+ pwent.pw_passwd = xstrdup (SHADOW_PASSWD_STRING);
+
+ spent.sp_lstchg = (long) time ((time_t *) 0) / SCALE;
+ if (0 == spent.sp_lstchg) {
+ /* Better disable aging than
+ * requiring a password change */
+ spent.sp_lstchg = -1;
+ }
+ spent.sp_min = getdef_num ("PASS_MIN_DAYS", -1);
+ spent.sp_max = getdef_num ("PASS_MAX_DAYS", -1);
+ spent.sp_warn = getdef_num ("PASS_WARN_AGE", -1);
+ spent.sp_inact = -1;
+ spent.sp_expire = -1;
+ spent.sp_flag = SHADOW_SP_FLAG_UNSET;
+ new_spent (&spent);
+ spwd = &spent; /* entry needs to be committed */
+ }
}
if (lflg || uflg || gflg || cflg || dflg || sflg || pflg
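Review bot: In the new `else if` branch, the password copied into the fresh shadow entry may pass through `new_pw_passwd` twice. `new_pwent (&pwent)` runs before this block, and the @@ -417 hunk (apparently part of `new_pwent`) rewrites `pw_passwd` whenever it is not "x". The -e/-f path then copies that updated value with `spent.sp_pwdp = xstrdup (pwent.pw_passwd)`, and `new_spent (&spent)` calls `new_pw_passwd (spent->sp_pwdp)` again per the @@ -522 hunk. `new_pw_passwd` is not shown on this page, so please confirm it is idempotent when lock or unlock requests are combined with -e or -f; if it is not, build the shadow entry from the unmodified passwd field before `new_pwent` runs. At minimum I would add `/* pw_passwd was already updated by new_pwent(); new_spent() applies new_pw_passwd() again */` above the `xstrdup` line; the enclosing function starts and ends outside this hunk.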