Adduser devel - Mar 2005 - Bug#298883: adduser --system should add users without expire period

Package: adduser
Version: 3.59
Severity: wishlist

''adduser --system'' adds apparently users with expire and warn
period
from /etc/login.defs

For example it reads the following setting in /etc/login.defs
PASS_MAX_DAYS   183
PASS_MIN_DAYS   0
PASS_WARN_AGE   183

Example: After 1/2 year after upgrading to sarge logcheck (which added a
new system user) suddenly stopped mailing its reports.

Sarge default settings are
PASS_MAX_DAYS   99999 
PASS_MIN_DAYS   0 
PASS_WARN_AGE   7

Maybe ''PASS_MAX_DAYS 0'' instead of 99999 would be the sane
setting for
_system_  users, if it would mean no expire period at all?? But this is
not documented in shadow(5) and I have not verified this value is sane.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, ''testing'')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-ow2-wjq
Locale: LANG=C, LC_CTYPE= (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  passwd                      1:4.0.3-30.7 Change and administer password and
ii  perl-base                   5.8.4-6      The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: false

On Thu, Mar 10, 2005 at 03:10:28PM +0100, Gerhard Schrenk
wrote:
> ''adduser --system'' adds apparently users with expire and
warn period
> from /etc/login.defs
> 
> For example it reads the following setting in /etc/login.defs
> PASS_MAX_DAYS   183
> PASS_MIN_DAYS   0
> PASS_WARN_AGE   183
> 
> Example: After 1/2 year after upgrading to sarge logcheck (which added a
> new system user) suddenly stopped mailing its reports.
Yuck.

Did the account actually have a password?

Can you please verify whether useradd -x 99999 will create an account
without that restriction?

The only possible fix for _adduser_ would be to ignore PASS_MAX_DAYS
for system account creation. Is that what you''re suggesting?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

* Marc Haber <mh+debian-packages@zugschlus.de> [2005-03-18
18:10]:
> On Thu, Mar 10, 2005 at 03:10:28PM +0100, Gerhard Schrenk wrote:
> > ''adduser --system'' adds apparently users with expire
and warn period
> > from /etc/login.defs
> > 
> > For example it reads the following setting in /etc/login.defs
> > PASS_MAX_DAYS   183
> > PASS_MIN_DAYS   0
> > PASS_WARN_AGE   183
> > 
> > Example: After 1/2 year after upgrading to sarge logcheck (which added
a
> > new system user) suddenly stopped mailing its reports.
> 
> Yuck.
> 
> Did the account actually have a password?
No password. Before I fixed it the shadow entry was 

gandalf:/.home/gandalf/gps# getent shadow logcheck
logcheck:!:12656:0:183:183:::

The system account logcheck was not in woody. It has been introduced in 
unstable/sarge. From /usr/share/doc/logcheck/NEWS.Debian.gz:

|logcheck (1.2.19-2) unstable; urgency=low
|
|  * As of version 1.2.19, logcheck no longer runs as root.  
|    Logcheck runs as user logcheck which has been created 
|    and added to group adm upon configuration.
|
|    If you have customized your configuration, 
|    you will need to be sure that your
|    logs are readable by the logcheck user.

I upgraded from woody -> sarge on 26 Aug 2004. On 26 Feb 2004 logcheck
stopped
mailing. 

For sshd and sslwrap I had the same insane entries (183:183 instead of 99999:7;
without password).
> Can you please verify whether useradd -x 99999 will create an account
> without that restriction?
Um. No.

gandalf:/home/gandalf/gps# useradd -x 99999 testit
useradd: invalid option -- x
usage: useradd  [-u uid [-o]] [-g group] [-G group,...] 
                [-d home] [-s shell] [-c comment] [-m [-k template]]
                [-f inactive] [-e expire ] [-p passwd] name
       useradd  -D [-g group] [-b base] [-s shell]
                [-f inactive] [-e expire ]

Do you mean useradd -e 99999?

gandalf:/home/gandalf/gps# grep ^PASS /etc/login.defs
PASS_MAX_DAYS   183
PASS_MIN_DAYS   0
PASS_WARN_AGE   183
PASS_MAX_LEN            8
gandalf:/home/gandalf/gps# useradd -e 99999 testit
gandalf:/home/gandalf/gps# getent passwd testit
testit:x:11322:100::/home/testit:
gandalf:/home/gandalf/gps# getent shadow testit
testit:!:12863:0:183:183::17324:
> The only possible fix for _adduser_ would be to ignore PASS_MAX_DAYS
> for system account creation. Is that what you''re suggesting?
Yes. I think this should be the sane default behaviour for ''adduser
--system''.
Only adduser and adduser.conf is mentioned in debian policy section 9.2.2 (and
neither useradd nor /etc/login.defs). I suppose you should fix this independant
of what useradd ist doing. 

But maybe the right thing is to actually fix useradd?? At least its manpage
does not mention /etc/login.defs. Therefore I have cc''ed its
maintainers.

-- Gerhard

retitle #298883 PASS_MAX_DAYS in /etc/login.defs creates expiring system
accounts - on hold until #304934 is fixed
thanks

Hi,

On Mon, Mar 21, 2005 at 04:16:41PM +0100, Gerhard Schrenk
wrote:
> gandalf:/home/gandalf/gps# useradd -x 99999 testit
> useradd: invalid option -- x
> usage: useradd  [-u uid [-o]] [-g group] [-G group,...] 
>                 [-d home] [-s shell] [-c comment] [-m [-k template]]
>                 [-f inactive] [-e expire ] [-p passwd] name
>        useradd  -D [-g group] [-b base] [-s shell]
>                 [-f inactive] [-e expire ]
> 
> Do you mean useradd -e 99999?
No. I don''t know where the -x came from in my mind. But, alas, it
looks like useradd doesn''t allow the PASS_MAX_DAYS to be overridden on
the command line, making this bug unfixable within adduser.

I have thus opened a bug against useradd (#304934) to allow this, and will
implement the appropriate option as soon as useradd provides the
needed facility.
> > The only possible fix for _adduser_ would be to ignore PASS_MAX_DAYS
> > for system account creation. Is that what you''re suggesting?
> 
> Yes. I think this should be the sane default behaviour for
''adduser --system''.
> Only adduser and adduser.conf is mentioned in debian policy section 9.2.2
(and
> neither useradd nor /etc/login.defs). I suppose you should fix this
independant
> of what useradd ist doing. 
Policy 9.2.2 is right - Packages should use adduser to create system
accounts. And this doesn''t work right because the useradd backend
isn''t sufficiently flexible. 
> But maybe the right thing is to actually fix useradd??
Yes.
> At least its manpage
> does not mention /etc/login.defs.
That sounds like a documentation bug, as the login.defs manpage
clearly says that useradd reads login.defs
> Therefore I have cc''ed its maintainers.
Good ;)

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Processing commands for control@bugs.debian.org:
> retitle #298883 PASS_MAX_DAYS in /etc/login.defs creates expiring system
accounts - on hold until #304934 is fixed
Bug#298883: adduser --system should add users without expire period
Changed Bug title.
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Hi!

On Sat, Apr 16, 2005 at 07:12:54PM +0200, Marc Haber
wrote:
> No. I don''t know where the -x came from in my mind. But, alas, it
> looks like useradd doesn''t allow the PASS_MAX_DAYS to be
overridden on
> the command line, making this bug unfixable within adduser.
OK. We will elaborate on this issue. I suspect this is
fixed in upstream.
> I have thus opened a bug against useradd (#304934) to allow this, and will
> implement the appropriate option as soon as useradd provides the
> needed facility.
Would you like me to Cc the bug #298883 when adding
comments to 304934?
> > But maybe the right thing is to actually fix useradd??
> Yes.
_All_ should work as expected. I don''t think that
having "-e" option is just for using default value
anyway.

-- 
WBR,
xrgtn

retitle #298883 PASS_MAX_DAYS set in /etc/login.defs results in expiring system
accounts
tags #298883 confirmed pending
thanks

On Sat, Apr 16, 2005 at 07:12:54PM +0200, Marc Haber
wrote:
> No. I don''t know where the -x came from in my mind. But, alas, it
> looks like useradd doesn''t allow the PASS_MAX_DAYS to be
overridden on
> the command line, making this bug unfixable within adduser.
This is of course wrong. adduser now uses chage to set a 99999 expiry
period for passwords on system accounts, overwriting whatever default
might be.

This fix has been committed to svn.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Processing commands for control@bugs.debian.org:
> retitle #298883 PASS_MAX_DAYS set in /etc/login.defs results in expiring
system accounts
Bug#298883: PASS_MAX_DAYS in /etc/login.defs creates expiring system accounts -
on hold until #304934 is fixed
Changed Bug title.
> tags #298883 confirmed pending
Bug#298883: PASS_MAX_DAYS set in /etc/login.defs results in expiring system
accounts
There were no tags set.
Tags added: confirmed, pending
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Your message dated Sat, 18 Jun 2005 14:32:08 -0400
with message-id <E1Dji6y-00049i-00@newraff.debian.org>
and subject line Bug#298883: fixed in adduser 3.64
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at maintonly) by bugs.debian.org; 10 Mar 2005 14:10:33
+0000
>From gps@mittelerde.physik.uni-konstanz.de Thu Mar 10 06:10:33 2005
Return-path: <gps@mittelerde.physik.uni-konstanz.de>
Received: from honk1.physik.uni-konstanz.de [134.34.140.224] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D9OMz-000210-00; Thu, 10 Mar 2005 06:10:33 -0800
Received: from localhost (localhost.localnet [127.0.0.1])
	by honk1.physik.uni-konstanz.de (Postfix) with ESMTP id 41CA32BC3F
	for <maintonly@bugs.debian.org>; Thu, 10 Mar 2005 15:10:32 +0100 (CET)
Received: from honk1.physik.uni-konstanz.de ([127.0.0.1])
	by localhost (honk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
	id 17560-47 for <maintonly@bugs.debian.org>;
	Thu, 10 Mar 2005 15:10:28 +0100 (CET)
Received: from gandalf.physik.uni-konstanz.de (gandalf.physik.uni-konstanz.de
[134.34.140.5])
	(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
	(No client certificate requested)
	by honk1.physik.uni-konstanz.de (Postfix) with ESMTP id 8013A2BC3E
	for <maintonly@bugs.debian.org>; Thu, 10 Mar 2005 15:10:28 +0100 (CET)
Received: by gandalf.physik.uni-konstanz.de (Postfix, from userid 504)
	id 2FC3BC; Thu, 10 Mar 2005 15:10:28 +0100 (CET)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Gerhard Schrenk <gps@mittelerde.physik.uni-konstanz.de>
To: Debian Bug Tracking System <maintonly@bugs.debian.org>
Subject: adduser --system should add users without expire period
X-Mailer: reportbug 3.2
Date: Thu, 10 Mar 2005 15:10:28 +0100
Message-Id: <20050310141028.2FC3BC@gandalf.physik.uni-konstanz.de>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at
honk.physik.uni-konstanz.de
Delivered-To: maintonly@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: adduser
Version: 3.59
Severity: wishlist

''adduser --system'' adds apparently users with expire and warn
period
from /etc/login.defs

For example it reads the following setting in /etc/login.defs
PASS_MAX_DAYS   183
PASS_MIN_DAYS   0
PASS_WARN_AGE   183

Example: After 1/2 year after upgrading to sarge logcheck (which added a
new system user) suddenly stopped mailing its reports.

Sarge default settings are
PASS_MAX_DAYS   99999 
PASS_MIN_DAYS   0 
PASS_WARN_AGE   7

Maybe ''PASS_MAX_DAYS 0'' instead of 99999 would be the sane
setting for
_system_  users, if it would mean no expire period at all?? But this is
not documented in shadow(5) and I have not verified this value is sane.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, ''testing'')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-ow2-wjq
Locale: LANG=C, LC_CTYPE= (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  passwd                      1:4.0.3-30.7 Change and administer password and
ii  perl-base                   5.8.4-6      The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: false

---------------------------------------
Received: (at 298883-close) by bugs.debian.org; 18 Jun 2005 18:38:19
+0000
>From katie@ftp-master.debian.org Sat Jun 18 11:38:19 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DjiCx-0000bk-00; Sat, 18 Jun 2005 11:38:19 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1Dji6y-00049i-00; Sat, 18 Jun 2005 14:32:08 -0400
From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 298883-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#298883: fixed in adduser 3.64
Message-Id: <E1Dji6y-00049i-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sat, 18 Jun 2005 14:32:08 -0400
Delivered-To: 298883-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

Source: adduser
Source-Version: 3.64

We believe that the bug you reported is fixed in the latest version of
adduser, which is due to be installed in the Debian FTP archive:

adduser_3.64.dsc
  to pool/main/a/adduser/adduser_3.64.dsc
adduser_3.64.tar.gz
  to pool/main/a/adduser/adduser_3.64.tar.gz
adduser_3.64_all.deb
  to pool/main/a/adduser/adduser_3.64_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298883@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packages@zugschlus.de> (supplier of updated adduser
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 18 Jun 2005 17:09:56 +0000
Source: adduser
Binary: adduser
Architecture: source all
Version: 3.64
Distribution: unstable
Urgency: low
Maintainer: Debian Adduser Developers
<adduser-devel@lists.alioth.debian.org>
Changed-By: Marc Haber <mh+debian-packages@zugschlus.de>
Description: 
 adduser    - Add and remove users and groups
Closes: 298834 298883 299489 300641 302837 303854 307599 308881 313517
Changes: 
 adduser (3.64) unstable; urgency=low
 .
   * The "bring the svn changes to unstable while not having time to
     address the other valid bug reports" release.
   * try Priority: - to avoid override disparities
   * Updated Norwegian Bokmal debconf templates and program translations.
     Thanks to Hans Fredrik Nordhaug. (mh) Closes: #298834
   * Re-generate adduser.pot, fix gettext bugs in deluser. Thanks to
     Hans Fredrik Nordhaug. (mh)
   * Now handles /etc/skel correctly even if it is not readable for a
     normal user. Thanks to Chapko Dimitrij. (mh) Closes: #299489
   * Zap program synopsis comments from the beginning.
   * Fix $ error in adduser.conf.5. Thanks to Kevin Ryde.
     (mh) Closes: #300641
   * Add Finnish debconf templates. Thanks to Matti Pöllä.
     (mh) Closes: #303854
   * Add Vietnamese debconf templates. Thanks to Clytie Siddall.
     (mh) Closes: #307599
   * Fix broken --disabled-login --disabled-password handling. Thanks
     to Tokka Hastrup. (mh) Closes: #302837
   * Use chage to override login.defs PASS_MAX_DAYS for system accounts.
     Thanks to Gerhard Schrenk. (mh) Closes: #298883
   * fix misdocumentation of system user password status.
     Thanks to Shaul Karl. (mh) Closes: #308881
   * add ubuntu patch to generate pot file during package build, and
     fix two s_print/s_printf invocations in deluser.
     Thanks to Martin Pitt. (mh) Closes: #313517
Files: 
 711979e2159409f4519768571b611c78 637 base important adduser_3.64.dsc
 1c4c53c95b37ba4c243ed6f8590e1c0b 108282 base important adduser_3.64.tar.gz
 ed92dd4399e93b53faabde61b84f081a 99822 base important adduser_3.64_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iEYEARECAAYFAkK0Z2EACgkQgZalRGu6PIRH8QCdErPp8TGAuX5EFZselB9u3FBk
GNAAmwfZDgxddj55p0gR3EMrv3W2nItw
=lJy0
-----END PGP SIGNATURE-----