Bug 1145256

Summary: Document (passwd -S), including time zone usage
Product: Red Hat Enterprise Linux 7 Reporter: James <phongsuwan>
Component: passwdAssignee: Jiri Kucera <jkucera>
Status: CLOSED ERRATA QA Contact: Jan Houska <jhouska>
Severity: low Docs Contact:
Priority: unspecified    
Version: 7.0CC: djez, jhouska
Target Milestone: rcKeywords: Documentation, Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: passwd-0.79-5.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:11:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description James 2014-09-22 16:37:35 UTC 
Description of problem: Originally reported by Jason_P on CentOS bug forum (ID #0007603):
https://bugs.centos.org/view.php?id=7603

/etc/shadow stores the number of days since the epoch of a password change.  This equates to midnight of that day.  When `passwd -S` is invoked this number is passed through localtime_r which will add or subtract hours based on the local time zone.  If this occurs in a "minus zone", the previous day is reported.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

1) Set your /etc/localtime to any zone that is GMT-1 to GMT-12.
2) View your last password change with `passwd -S`
3) Compare the value to that of /etc/shadow

Actual results:

[james@localhost ~]$ ls -la /etc/localtime
lrwxrwxrwx. 1 root root 38 Sep 18 10:12 /etc/localtime -> ../usr/share/zoneinfo/America/New_York
[james@localhost ~]$ sudo grep james /etc/shadow
[sudo] password for james:
james:$6[removed]:16331:0:99999:7:::
[james@localhost ~]$ sudo passwd -S james
james PS 2014-09-17 0 99999 7 -1 (Password set, SHA512 crypt.)


Expected results:

16331 days * 24 hours/day * 3600 seconds/hour = 1410998400 seconds
1410998400 seconds since the epoch is "Thu, 18 Sep 2014 00:00:00 GMT" not "2014-09-17".  The correct response is 2014-09-18.


Additional info:

Based on the source RPM for passwd, maybe change libuser.c from:
319,320c319
< localtime_r(&sp_lstchg, &tm);
< strftime(date, sizeof(date), "%Y-%m-%d", &tm);
---
> strftime(date, sizeof(date), "%Y-%m-%d", &sp_lstchg);
Comment 2 Miloslav Trmač 2014-09-22 16:51:48 UTC 
Thanks for your report.

Ultimately, the /etc/shadow field’s granularity of 24 hours is just not precise enough to report the correct password change date.

If we output local time, we are relevant to the user but may be mistaken (because the cutoff happens during the local-time-measured day); if we output UTC, we are precise but irrelevant to users (users don’t measure their days in UTC).  In either case, users in most timezones will see some password change dates as incorrect.

See bug 1019850 for more detailed discussion.

The right thing to do is to replace or augment sp_lstchg with a more precise timestamp, and the sssd team I believe has this in their to-do list.

Before that happens, changing the timezone in the (passwd -S) output would be a breaking change that neither fixes the problem, nor, in my opinion, is a significant enough improvement to warrant the incompatible change in behavior.
Comment 3 James 2014-09-24 19:43:16 UTC 
While I agree that the actual solution is to use a more precise number, I feel that leaving the situation as is confuses those who wish to use the "-S" arguement.

Would you consider having the man page annotated?  It's a benign change that would help others realize why they are not seeing the expected output.
Comment 4 Miloslav Trmač 2014-09-25 13:18:54 UTC 
(In reply to James from comment #3)
> While I agree that the actual solution is to use a more precise number, I
> feel that leaving the situation as is confuses those who wish to use the
> "-S" arguement.
> 
> Would you consider having the man page annotated?  It's a benign change that
> would help others realize why they are not seeing the expected output.

Good idea.  At this point -S is completely undocumented anyway, which is also worth fixing.
Comment 5 Jiri Kucera 2019-01-30 14:54:41 UTC 
Fixed in upstream commit 02d4478318297d24799b03fa53312da5e3f14a40.
https://pagure.io/passwd/c/02d4478318297d24799b03fa53312da5e3f14a40?branch=master
Comment 7 Jan Houska 2019-06-10 16:21:54 UTC 
VERIFIED:

Output of  'man passwd' command:



NEW pass:
passwd-0.79-5.el7.x86_64


       -i, --inactive DAYS
              This will set the number of days which will pass before an expired password for this account will be taken to mean that the account is inactive and should be disabled, if
              the user's account supports password lifetimes.  Available to root only.

       -S, --status
              This will output a short information about the status of the password for a given account. The status information consists of 7 fields. The  first  field  is  the  user's
              login name. The second field indicates if the user account has a locked password (LK), has no password (NP), or has a usable password (PS). The third field gives the date
              of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages  are  expressed  in
              days.

              Notes: The date of the last password change is stored as a number of days since epoch. Depending on the current time zone, the passwd -S username may show the date of the
              last password change that is different from the real date of the last password change by ±1 day.

              This option is available to root only.

Remember the following two principles
       Protect your password.

OLD FAIL:
passwd-0.79-4.el7.x86_64

       -i, --inactive DAYS
              This will set the number of days which will pass before an expired password for this account will be taken to mean that the account is inactive and should be disabled, if
              the user's account supports password lifetimes.  Available to root only.

       -S, --status
              This will output a short information about the status of the password for a given account. Available to root user only.

Remember the following two principles
       Protect your password.
Comment 9 errata-xmlrpc 2019-08-06 13:11:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2257