Adduser devel - May 2005 - Bug#308881: --disabled-password writes ! in /etc/shadow

Package: adduser
Version: 3.63
Severity: normal
File: /usr/sbin/adduser

*** Please type your report below this line ***

    adduser --system --disabled-password testuser

writes ! in the encrypted password field of /etc/shadow despite having
the following lines in the source:

    } elsif ($arg eq "--disabled-password") {
	$ask_passwd = 0;
	$disabled_login = 0;
	} elsif ($arg eq "--disabled-login") {
	$ask_passwd = 0;
	$disabled_login = 1;
	}

	
    if ($ask_passwd) {
	&systemcall(''/usr/bin/passwd'', $new_name);
    } else {
	if(!$disabled_login) {
	    &systemcall(''/usr/sbin/usermod'',
''-p'', ''*'', $new_name);
	}


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, ''testing''), (50,
''unstable'')
Architecture: i386 (i586)
Kernel: Linux 2.6.11-1.pentium1.1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf                 1.4.30.13        Debian configuration management sy
ii  passwd                  1:4.0.3-31sarge3 change and administer password and
ii  perl-base               5.8.4-8          The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: true

severity #308881 minor
tags #308881 confirmed pending
thanks

Hi,

On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl
wrote:
>     adduser --system --disabled-password testuser
> 
> writes ! in the encrypted password field of /etc/shadow
This is the intended behavior, which is misdocumented in the manpage:

"The new system user will have the shell /bin/false (unless overridden
with the --shell option), and have a disabled password."

The new manpage now says:
"... and have logins disabled."

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Processing commands for control@bugs.debian.org:
> severity #308881 minor
Bug#308881: --disabled-password writes ! in /etc/shadow
Severity set to `minor''.
> tags #308881 confirmed pending
Bug#308881: --disabled-password writes ! in /etc/shadow
There were no tags set.
Tags added: confirmed, pending
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

On Fri, May 13, 2005 at 07:44:19AM +0200, Marc Haber
wrote:
> severity #308881 minor
> tags #308881 confirmed pending
> thanks
> 
> Hi,
> 
> On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl wrote:
> >     adduser --system --disabled-password testuser
> > 
> > writes ! in the encrypted password field of /etc/shadow
> 
> This is the intended behavior

  adduser --system --disabled-password testuser

    and

  adduser --system --disabled-login testuser

both writes ! in the encrypted password field of /etc/shadow. Is that
the intended behavior? In this case there is no distinction between
--{disabled-password,disabled-login}, is there?

  The way I interpret the OPTIONS sections of the man page,
--disabled-login should have a stronger effect then --disabled-password:


    --disabled-login 
        Do not run passwd to set the password. The user won''t be able
        to use her account until the password is set. 
    --disabled-password 
        Like --disabled-login, but logins are still possible for example
        through SSH RSA keys, but not using password authentification. 


  Shouldn''t --disabled-login use ''!'' and
--disabled-password use ''*''?


  As an aside,

--- adduser.8	2005-05-13 13:35:19.000000000 +0300
+++ adduser.8	2005-05-13 13:37:10.000000000 +0300
@@ -178,7 +178,7 @@
 .TP
 .B \-\-disabled-password
 Like \-\-disabled-login, but logins are still possible for example through
-SSH RSA keys, but not using password authentification.
+SSH RSA keys, but not using password authentication.
 .TP
 .B \-\-force\-badname
 By default, user and group names are checked against a configurable

On Fri, May 13, 2005 at 01:54:53PM +0300, Shaul Karl
wrote:
> On Fri, May 13, 2005 at 07:44:19AM +0200, Marc Haber wrote:
> > severity #308881 minor
> > tags #308881 confirmed pending
> > thanks
> > 
> > Hi,
> > 
> > On Fri, May 13, 2005 at 02:19:47AM +0300, Shaul Karl wrote:
> > >     adduser --system --disabled-password testuser
> > > 
> > > writes ! in the encrypted password field of /etc/shadow
> > 
> > This is the intended behavior
> 
> 
>   adduser --system --disabled-password testuser
> 
>     and
> 
>   adduser --system --disabled-login testuser
> 
> both writes ! in the encrypted password field of /etc/shadow.
--system always uses --disabled-login implicitly. This is clearly
documented.
> Is that the intended behavior?
For system users, yes.
> In this case there is no distinction between
> --{disabled-password,disabled-login}, is there?
For system users, there isn''t.
>   The way I interpret the OPTIONS sections of the man page,
> --disabled-login should have a stronger effect then --disabled-password:
Yes, for normal users.
>   Shouldn''t --disabled-login use ''!'' and
--disabled-password use ''*''?
It does. For normal users.
> -SSH RSA keys, but not using password authentification.
> +SSH RSA keys, but not using password authentication.
Committed to svn, thanks.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

On Fri, May 13, 2005 at 01:43:25PM +0200, Marc Haber
wrote:
> --system always uses --disabled-login implicitly. This is clearly
> documented.
> 
> > Is that the intended behavior?
> 
> For system users, yes.
> 
> > In this case there is no distinction between
> > --{disabled-password,disabled-login}, is there?
> 
> For system users, there isn''t.

  This is not clearly documented. I propose the following:


--- adduser.8	2005-05-13 13:37:10.000000000 +0300
+++ adduser.8	2005-05-13 20:33:33.000000000 +0300
@@ -177,8 +177,10 @@
 her account until the password is set.
 .TP
 .B \-\-disabled-password
-Like \-\-disabled-login, but logins are still possible for example through
-SSH RSA keys, but not using password authentication.
+For a normal user, this is like \-\-disabled-login, but logins are still
+possible for example through SSH RSA keys, but not using password
+authentication. For a system user, \-\-disabled-password has the same
+effect as \-\-disabled-login.
 .TP
 .B \-\-force\-badname
 By default, user and group names are checked against a configurable

> 
> >   The way I interpret the OPTIONS sections of the man page,
> > --disabled-login should have a stronger effect then
--disabled-password:
> 
> Yes, for normal users.
> 
> >   Shouldn''t --disabled-login use ''!'' and
--disabled-password use ''*''?
> 
> It does. For normal users.
>

On Fri, May 13, 2005 at 08:49:29PM +0300, Shaul Karl
wrote:
> On Fri, May 13, 2005 at 01:43:25PM +0200, Marc Haber wrote:
> > --system always uses --disabled-login implicitly. This is clearly
> > documented.
> > 
> > > Is that the intended behavior?
> > 
> > For system users, yes.
> > 
> > > In this case there is no distinction between
> > > --{disabled-password,disabled-login}, is there?
> > 
> > For system users, there isn''t.
> 
> 
>   This is not clearly documented.
I beg to differ

|   Add a system user
|       If called with one non-option argument and the --system option, adduser
|       will add a system user. If an user with an uid in the system range  (or
|       if  the  uid  is specified, with that) does already exist, adduser will
|       exit with a warning.
|
|       adduser will choose the first available UID from  the  range specified
|       for  system users in the configuration file.  The UID can be overridden
|       with the --uid option.
|
|       By default, system users are placed in the nogroup group.  To place the
|       new  system  user  in  an  already  existing  group,  use  the --gid or
|       --ingroup options.  To place the new system user in a  new group  with
|       the same ID, use the --group option.
|
|       A home directory is created by the same rules as for normal users.  The
|       new system user will have the shell /bin/false (unless overridden 
with
>>>       the --shell option), and have a disabled password.  Skeletal
configura-
|       tion files are not copied.

see the marked line.
> I propose the following:
> 
> 
> --- adduser.8	2005-05-13 13:37:10.000000000 +0300
> +++ adduser.8	2005-05-13 20:33:33.000000000 +0300
> @@ -177,8 +177,10 @@
>  her account until the password is set.
>  .TP
>  .B \-\-disabled-password
> -Like \-\-disabled-login, but logins are still possible for example through
> -SSH RSA keys, but not using password authentication.
> +For a normal user, this is like \-\-disabled-login, but logins are still
> +possible for example through SSH RSA keys, but not using password
> +authentication. For a system user, \-\-disabled-password has the same
> +effect as \-\-disabled-login.
>  .TP
>  .B \-\-force\-badname
>  By default, user and group names are checked against a configurable
This will clutter up the docs with redundant information. I am
strongly opposed.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Your message dated Sat, 18 Jun 2005 14:32:08 -0400
with message-id <E1Dji6y-00049u-00@newraff.debian.org>
and subject line Bug#308881: fixed in adduser 3.64
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 May 2005 23:20:56
+0000
>From shaulk@013.net Thu May 12 16:20:56 2005
Return-path: <shaulk@013.net>
Received: from mtaout1.barak.net.il [212.150.49.171] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DWMyZ-0003Sq-00; Thu, 12 May 2005 16:20:20 -0700
Received: from rakefet ([85.64.60.223])
 by mtaout1.barak.net.il (Sun Java System Messaging Server 6.1 HotFix 0.02
 (built Aug 25 2004)) with ESMTP id
<0IGE00L5SGYYV3L0@mtaout1.barak.net.il> for
 submit@bugs.debian.org; Fri, 13 May 2005 02:23:22 +0300 (IDT)
Received: from shaul by rakefet with local (Exim 4.50)
	id 1DWMy3-00049c-E7	for submit@bugs.debian.org; Fri, 13 May 2005 02:19:47 +0300
Date: Fri, 13 May 2005 02:19:47 +0300
From: Shaul Karl <shaulk@013.net>
Subject: --disabled-password writes ! in /etc/shadow
To: submit@bugs.debian.org
Message-id: <20050512231947.GM27213@rakefet>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: adduser
Version: 3.63
Severity: normal
File: /usr/sbin/adduser

*** Please type your report below this line ***

    adduser --system --disabled-password testuser

writes ! in the encrypted password field of /etc/shadow despite having
the following lines in the source:

    } elsif ($arg eq "--disabled-password") {
	$ask_passwd = 0;
	$disabled_login = 0;
	} elsif ($arg eq "--disabled-login") {
	$ask_passwd = 0;
	$disabled_login = 1;
	}

	
    if ($ask_passwd) {
	&systemcall(''/usr/bin/passwd'', $new_name);
    } else {
	if(!$disabled_login) {
	    &systemcall(''/usr/sbin/usermod'',
''-p'', ''*'', $new_name);
	}


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, ''testing''), (50,
''unstable'')
Architecture: i386 (i586)
Kernel: Linux 2.6.11-1.pentium1.1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf                 1.4.30.13        Debian configuration management sy
ii  passwd                  1:4.0.3-31sarge3 change and administer password and
ii  perl-base               5.8.4-8          The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: true

---------------------------------------
Received: (at 308881-close) by bugs.debian.org; 18 Jun 2005 18:38:17
+0000
>From katie@ftp-master.debian.org Sat Jun 18 11:38:17 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DjiCv-0000am-00; Sat, 18 Jun 2005 11:38:17 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1Dji6y-00049u-00; Sat, 18 Jun 2005 14:32:08 -0400
From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 308881-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#308881: fixed in adduser 3.64
Message-Id: <E1Dji6y-00049u-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sat, 18 Jun 2005 14:32:08 -0400
Delivered-To: 308881-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 8

Source: adduser
Source-Version: 3.64

We believe that the bug you reported is fixed in the latest version of
adduser, which is due to be installed in the Debian FTP archive:

adduser_3.64.dsc
  to pool/main/a/adduser/adduser_3.64.dsc
adduser_3.64.tar.gz
  to pool/main/a/adduser/adduser_3.64.tar.gz
adduser_3.64_all.deb
  to pool/main/a/adduser/adduser_3.64_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 308881@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packages@zugschlus.de> (supplier of updated adduser
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 18 Jun 2005 17:09:56 +0000
Source: adduser
Binary: adduser
Architecture: source all
Version: 3.64
Distribution: unstable
Urgency: low
Maintainer: Debian Adduser Developers
<adduser-devel@lists.alioth.debian.org>
Changed-By: Marc Haber <mh+debian-packages@zugschlus.de>
Description: 
 adduser    - Add and remove users and groups
Closes: 298834 298883 299489 300641 302837 303854 307599 308881 313517
Changes: 
 adduser (3.64) unstable; urgency=low
 .
   * The "bring the svn changes to unstable while not having time to
     address the other valid bug reports" release.
   * try Priority: - to avoid override disparities
   * Updated Norwegian Bokmal debconf templates and program translations.
     Thanks to Hans Fredrik Nordhaug. (mh) Closes: #298834
   * Re-generate adduser.pot, fix gettext bugs in deluser. Thanks to
     Hans Fredrik Nordhaug. (mh)
   * Now handles /etc/skel correctly even if it is not readable for a
     normal user. Thanks to Chapko Dimitrij. (mh) Closes: #299489
   * Zap program synopsis comments from the beginning.
   * Fix $ error in adduser.conf.5. Thanks to Kevin Ryde.
     (mh) Closes: #300641
   * Add Finnish debconf templates. Thanks to Matti Pöllä.
     (mh) Closes: #303854
   * Add Vietnamese debconf templates. Thanks to Clytie Siddall.
     (mh) Closes: #307599
   * Fix broken --disabled-login --disabled-password handling. Thanks
     to Tokka Hastrup. (mh) Closes: #302837
   * Use chage to override login.defs PASS_MAX_DAYS for system accounts.
     Thanks to Gerhard Schrenk. (mh) Closes: #298883
   * fix misdocumentation of system user password status.
     Thanks to Shaul Karl. (mh) Closes: #308881
   * add ubuntu patch to generate pot file during package build, and
     fix two s_print/s_printf invocations in deluser.
     Thanks to Martin Pitt. (mh) Closes: #313517
Files: 
 711979e2159409f4519768571b611c78 637 base important adduser_3.64.dsc
 1c4c53c95b37ba4c243ed6f8590e1c0b 108282 base important adduser_3.64.tar.gz
 ed92dd4399e93b53faabde61b84f081a 99822 base important adduser_3.64_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iEYEARECAAYFAkK0Z2EACgkQgZalRGu6PIRH8QCdErPp8TGAuX5EFZselB9u3FBk
GNAAmwfZDgxddj55p0gR3EMrv3W2nItw
=lJy0
-----END PGP SIGNATURE-----