Bug 1686440
| Field | Value |
|---|---|
| Summary | clarify behavior of chage in the manual page |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | amitkuma |
| Component | shadow-utils |
| Assignee | Tomas Mraz <tmraz> |
| Status | CLOSED ERRATA |
| QA Contact | Martin Zelený <mzeleny> |
| Severity | unspecified |
| Priority | medium |
| Version | 7.6 |
| CC | daniele, dapospis, mzeleny, tjaros, tmraz |
| Target Milestone | rc |
| Keywords | Documentation, ManPageChange, Reopened |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | shadow-utils-4.6-3.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| | 1691751 (view as bug list) |
| Last Closed | 2019-08-06 12:47:34 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Description
amitkuma
2019-03-07 13:18:48 UTC
Removal of x from /etc/passwd is simply an indication that the given user does not use /etc/shadow anymore. Do not do that if that is the intention. This is one of the most basic things about the unix account system and I do not think it is chage's role to educate sys admins about such stuff.

Human errors may exist, unfortunately. And I have faced it. That said, if pam_unix would not be standard for nullok on RHEL, I may eventually agree with you, but unfortunately:

nullok is still the standard in RHEL8, but can be disabled: https://bugzilla.redhat.com/show_bug.cgi?id=1637936
nullok is and will remain the standard in RHEL7: https://bugzilla.redhat.com/show_bug.cgi?id=1640731

Given that behavior, and given the interconnection with
* chage (this bug)
* passwd(1) -S (https://bugzilla.redhat.com/show_bug.cgi?id=1686436)
Both tools report that a password is set, and this is true, but do not report that a null password can be used.

Moreover, even if I fully agree that the 2nd field of passwd must not be empty, passwd(5) says that this is allowed:
"""
If the encrypted password, whether in /etc/passwd or in /etc/shadow, is an empty string, login is allowed without even asking for a password. Note that this functionality may be intentionally disabled in applications, or configurable (for example using the "nullok" or "nonull" arguments to pam_unix.so).
"""
Therefore, I think that both passwd(1) and chage(1) must be modified in order to inform the OS Admin of what is happening. Worse than having a server that is not secure is to think that the server is secure while it is not.

No, chage is not the tool. pwck is the tool that reports such inconsistencies. I am sorry but this will not be changed.

Given this test:

test ~ # pwck /etc/passwd
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
pwck: no changes
test ~ # grep ^root /etc/passwd
root::0:0:root:/root:/bin/bash
test ~ #

Do you agree on opening a bug against pwck?

Nevertheless, according to passwd(5), this is not an inconsistency, so I am curious why you are suggesting pwck as the tool that reports such inconsistencies. Mind providing some more explanation?

About chage, my feeling is that chage is potentially reporting wrong information. chage(1):
"""
chage - change user password expiry information
[...]
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.
"""
Let me focus on: "This information is used by the system to determine when a user must change his/her password."

Lack of the 2nd field of passwd would result in chage reporting wrong information, because the password must not be changed as it is not validated. Would you agree on that?

Dear Tomas Mraz, can you kindly find some time to address Daniele's questions in Comment 7, 8. Thanks

The inconsistent situation is when you do not have x in the /etc/passwd entry and there is an entry in /etc/shadow. The 'Password inactive' field does not mean whether the password is removed but marks the date when the user won't be able to change his password anymore after the password expiration.

This is what I see:

# grep testsha /etc/shadow
testsha:$6$GLlQc1.d$gWZ4c45eebhOTQ9gQc44KWplMba5I/HhT78bBrFLNORK/rfAISxNQlR.0jmt2lCKT6xe5ZQ4aSinWiKTdDmtz.:17973:0:99999:7:::
# grep testsha /etc/passwd
testsha::1000:1000::/home/testsha:/bin/bash
# pwck
user testsha has an entry in /etc/shadow, but its password field in /etc/passwd is not set to 'x'

The chage report is correct as it reports things from /etc/shadow. On the other hand I see a problem with pam_unix in that it ignores /etc/shadow for the password expiration check if the x is missing in the /etc/passwd entry. I cannot reproduce the issue with passwd having no effect when changing the password of such a user - it properly updates /etc/passwd and adds x in the password hash field.
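The two checks argued over above (pwck's cross-check of the passwd password field against /etc/shadow, and chage -l's dates coming only from the shadow fields) are small enough to show in code. The block below is an added example written for this page; it is not shadow-utils code and not anything posted in the thread. The sample passwd/shadow lines are constructed (the hashes are placeholders), and the ageing rules encoded in `ageing()` are my reading of chage(1)/shadow(5) semantics as described in the comments, so treat the "never" / "password must be changed" branches as assumptions rather than a verified copy of chage's logic. It also covers the wording proposed later in the thread: the audit flags an empty second field (nullok login) that chage itself never mentions.

```python
"""Added example: pwck-style passwd/shadow cross-check and a re-derivation of
the date lines printed by chage -l, from the shadow fields alone."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # shadow(5) day counts are days since this date

# Constructed sample files (not from a real host; hashes are placeholders).
# 'testsha' mirrors the situation in the bug: a shadow entry exists, but the
# passwd password field is empty instead of 'x'.  'nopass' has no shadow entry
# at all and an empty field, i.e. login without a password under nullok.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
testsha::1000:1000::/home/testsha:/bin/bash
nopass::1001:1001::/home/nopass:/bin/bash
locked:x:1002:1002::/home/locked:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$fakehashfakehash:17973:0:99999:7:::
testsha:$6$GLlQc1.d$fakehashfakehash:17973:0:99999:7:::
locked:!!:17973:0:90:7:10::
"""


def parse_passwd(text):
    """Map user name -> password field (second field of passwd(5))."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw = line.split(":", 2)[:2]
        users[name] = pw
    return users


def parse_shadow(text):
    """Map user name -> shadow(5) fields; empty numeric fields become None."""
    def num(field):
        return int(field) if field else None
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        entries[f[0]] = {"hash": f[1], "lastchg": num(f[2]), "min": num(f[3]),
                         "max": num(f[4]), "warn": num(f[5]),
                         "inact": num(f[6]), "expire": num(f[7])}
    return entries


def ageing(sh):
    """Reproduce the date lines of chage -l for one shadow entry.

    Assumed rules: lastchg == 0 forces a change at next login; a missing or
    >= 10000 max field means the password never expires; 'Password inactive'
    is last change + max + inact (after which the expired password can no
    longer be changed, as Tomas describes above).
    """
    lastchg, maxd, inact = sh["lastchg"], sh["max"], sh["inact"]
    if lastchg == 0:
        last = expires = inactive = "password must be changed"
    elif lastchg is None or maxd is None or maxd >= 10000:
        last = "never" if lastchg is None else EPOCH + timedelta(days=lastchg)
        expires = inactive = "never"
    else:
        last = EPOCH + timedelta(days=lastchg)
        expires = last + timedelta(days=maxd)
        inactive = "never" if inact is None else expires + timedelta(days=inact)
    account = ("never" if sh["expire"] is None
               else EPOCH + timedelta(days=sh["expire"]))
    return {"last_change": last, "password_expires": expires,
            "password_inactive": inactive, "account_expires": account}


def audit(passwd_text, shadow_text):
    """pwck-style cross-check plus the nullok warning chage does not give."""
    passwd, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, pw in passwd.items():
        if pw == "x":
            if name not in shadow:
                findings.append((name, "password field is 'x' but there is no /etc/shadow entry"))
            elif shadow[name]["hash"] == "":
                findings.append((name, "empty hash in /etc/shadow: logs in without a password under pam_unix nullok"))
            continue
        # Any value other than 'x' makes the passwd field itself the credential;
        # chage -l still prints the shadow ageing data for such a user.
        if name in shadow:
            findings.append((name, "has an entry in /etc/shadow, but its password field in /etc/passwd is not set to 'x'"))
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd: logs in without a password under pam_unix nullok"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{name}: {problem}")
    for name, sh in parse_shadow(SHADOW_SAMPLE).items():
        print(name, {k: str(v) for k, v in ageing(sh).items()})
```

Run against a real host with `audit(open('/etc/passwd').read(), open('/etc/shadow').read())` as root; the `testsha` sample produces the same "not set to 'x'" finding pwck prints above, plus the nullok warning that neither pwck nor chage emits.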
Dear Tomas, I have furnished system-auth, password-auth, passwd, sshd on case 1689860.

I still do not see any problem with chage here.

Tomas,
I understand your comment, really.
But I feel that the implications of a lack of more verbose output are not considered.
And given that sys admins should not be educated, but neither should they get misleading information, the chage manual does not reflect what you are writing in that bz.
From RHEL7 man
"""
NOTE
The chage program requires a shadow password file to be available. <--- the man page does not say that it takes information only from the shadow file
The chage command is restricted to the root user, except for the -l option, which may be used by an unprivileged user to determine when
his/her password or account is due to expire.
CONFIGURATION
The following configuration variables in /etc/login.defs change the behavior of this tool:
FILES
/etc/passwd <--- here the file is required, and it is clear that this is not for x (or the lack of it), but it is not specified.
User account information.
/etc/shadow
Secure user account information.
EXIT VALUES
The chage command exits with the following values:
0
success
1
permission denied
2
invalid command syntax
15 <--- a valid exit code in case of
can't find the shadow password file
SEE ALSO
passwd(5), shadow(5). <--- both files are referred
"""
To get out of the problem, I would suggest either to:
a) say in the output, as pwck does, that the password is set but x is not set in the passwd file
b) change the man page in order to reflect the fact that chage does not consider at all whether the password is looked up.
e.g. in NOTE (even if I feel this belongs more in DESCRIPTION), in place of:
"""
The chage program requires a shadow password file to be available.
The chage command is restricted to the root user, except for the -l option, which may be used by an unprivileged user to
determine when his/her password or account is due to expire.
"""
Insert the following:
"""
The chage program will report only the information from the shadow password file. This implies that a configuration
that blocks a user login (e.g. "*" or an empty second field of passwd(5)) or another authentication source
(e.g. LDAP) will not be looked up.
The chage command is restricted to the root user, except for the -l option, which may be used by an unprivileged user to
determine when his/her password or account is due to expire.
The chage program will not report any inconsistency or skip. pwck(1) may be useful to verify such events.
"""
Of course this is a suggestion, feel free to change it as you see fit.
HTH
OK, the manual page improvement can be done.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2102