Bug 2093166
| Summary: | lslogins reports incorrect "Password is locked" status | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sunny Wu <suwu> | |
| Component: | util-linux | Assignee: | Karel Zak <kzak> | |
| Status: | CLOSED ERRATA | QA Contact: | Radka Brychtova <rskvaril> | |
| Severity: | low | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.6 | CC: | kzak | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | util-linux-2.32.1-36.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2094216 (view as bug list) | Environment: | ||
| Last Closed: | 2022-11-08 10:54:48 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
Good catch. It seems the lslogins code follows shadow(5) documentation rather than a real way of how passed(1) works. Fixed in upstream repository: https://github.com/util-linux/util-linux/commit/c51cba1e838ae7e36a843ec785543492bb8737cd Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (util-linux bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7783 What is the definition of "Login by password disabled"? Password hash field of shadow file of a new user account without password defined contains "!!". The user is not (and should not be able) to login with password. The status of this check item has been changed to "no" in util-linux-2.32.1-38. ========================= RHEL8.6: # rpm -qa | grep util-linux util-linux-2.32.1-35.el8.x86_64 # useradd test-user # grep test-user /etc/passwd test-user:x:1003:1003::/home/test-user:/bin/bash # grep test-user /etc/shadow test-user:!!:19349:0:99999:7::: # lslogins test-user Username: test-user UID: 1003 Gecos field: Home directory: /home/test-user Shell: /bin/bash No login: no Password is locked: no Password not required: no Login by password disabled: yes Primary group: test-user GID: 1003 Hushed: no Password expiration warn interval: 7 Password changed: 19:00 Maximum change time: 99999 Running processes: 0 Last logs: ===== RHEL8.7: # rpm -qa | grep util-linux util-linux-2.32.1-38.el8.x86_64 # useradd test-user # grep test-user /etc/passwd test-user:x:1004:1004::/home/test-user:/bin/bash # grep test-user /etc/shadow test-user:!!:19349:0:99999:7::: # lslogins test-user Username: test-user UID: 1004 Gecos field: Home directory: /home/test-user Shell: /bin/bash No login: no Password is locked: yes Password not required (empty): yes Login by password disabled: no Primary group: test-user GID: 1004 Hushed: no Password expiration warn interval: 7 Password changed: 10:00 Maximum change time: 99999 Running processes: 0 Last logs: (In reply to Sunny Wu from comment #9) > What is the definition of "Login by password disabled"? This field is pretty confusing from the beginning (sorry for that). It checks the validity of the password (and valid is also an empty password) independently on "!" or "*" prefixes in the password field. This is a mistake because it's interpreted by users as the final conclusion about the login by a password. The description is wrong. Maybe the best would be to introduce new info about the validity of the hash (independently of prefix) and keep "Login by password disabled" as real final conclusion about login. Something like: Password is locked: yes Password hash is valid: no Password not required (empty): yes Login by password disabled: yes for "!!". Does it make more sense? |
Description of problem: lslogins reports incorrect "Password is locked" status After an account is locked, `lslogins` reports incorrect "Password is locked" status. `passwd -S` reports status correctly. ~~~ # passwd -l bob Locking password for user bob. passwd: Success # passwd -S bob bob LK 2022-06-02 0 99999 7 -1 (Password locked.) # lslogins bob Username: bob UID: 1002 Gecos field: Home directory: /home/bob Shell: /bin/bash No login: no Password is locked: no <<<<<===== Password not required: no Login by password disabled: yes Primary group: bob GID: 1002 Hushed: no Password expiration warn interval: 7 Password changed: 20:00 Maximum change time: 99999 Running processes: 0 ~~~ I think the logic in lslogin.c is incorrect. When account is locked by `passwd -l`, two exclamation marks ("!!") are inserted in front of a password hash. The source code checks for the presence of one exclamation marks ("!"). ~~~ lslogins.c case COL_PWDLOCK: if (shadow) { if (*shadow->sp_pwdp == '!' && valid_pwd(shadow->sp_pwdp + 1)) user->pwd_lock = STATUS_TRUE; } else user->pwd_lock = STATUS_UNKNOWN; break; ~~~ Version-Release number of selected component (if applicable): util-linux-2.32.1-35.el8.x86_64 How reproducible: 100% Steps to Reproduce: ~~~ # useradd bob # passwd bob Changing password for user bob. New password: Retype new password: passwd: all authentication tokens updated successfully. # passwd -S bob bob PS 2022-06-02 0 99999 7 -1 (Password set, SHA512 crypt.) # lslogins bob Username: bob UID: 1002 Gecos field: Home directory: /home/bob Shell: /bin/bash No login: no Password is locked: no Password not required: no Login by password disabled: no Primary group: bob GID: 1002 Hushed: no Password expiration warn interval: 7 Password changed: 20:00 Maximum change time: 99999 Running processes: 0 Last logs: # passwd -l bob Locking password for user bob. passwd: Success # passwd -S bob bob LK 2022-06-02 0 99999 7 -1 (Password locked.) # lslogins bob Username: bob UID: 1002 Gecos field: Home directory: /home/bob Shell: /bin/bash No login: no Password is locked: no <<<<<===== Password not required: no Login by password disabled: yes <<<<<===== Primary group: bob GID: 1002 Hushed: no Password expiration warn interval: 7 Password changed: 20:00 Maximum change time: 99999 Running processes: 0 Last logs: # cat /etc/passwd | grep bob bob:x:1002:1002::/home/bob:/bin/bash # cat /etc/shadow | grep bob bob:!!$6$.18513c.OKQEXCS/$PcBAvB<...>:19146:0:99999:7::: # vi /etc/shadow # cat /etc/shadow | grep bob bob:!$6$.18513c.OKQEXCS/$PcBAvB<...>:19146:0:99999:7::: # passwd -S bob bob LK 2022-06-02 0 99999 7 -1 (Password locked.) # lslogins bob Username: bob UID: 1002 Gecos field: Home directory: /home/bob Shell: /bin/bash No login: no Password is locked: yes <<<<<===== Password not required: no Login by password disabled: no <<<<<===== Primary group: bob GID: 1002 Hushed: no Password expiration warn interval: 7 Password changed: 20:00 Maximum change time: 99999 Running processes: 0 Last logs: ~~~ Actual results: "Password is locked" shows "no" when account is locked. Expected results: "Password is locked" shows "yes" when account is locked. Additional info: