Bug 2094216

Summary: lslogins reports incorrect "Password is locked" status
Product: Red Hat Enterprise Linux 9 Reporter: Karel Zak <kzak>
Component: util-linuxAssignee: Karel Zak <kzak>
Status: CLOSED ERRATA QA Contact: Radka Brychtova <rskvaril>
Severity: low Docs Contact:
Priority: unspecified    
Version: 9.0CC: rskvaril, suwu
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: util-linux-2.37.4-6.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2093166 Environment:
Last Closed: 2022-11-15 11:23:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Karel Zak 2022-06-07 07:21:30 UTC 
+++ This bug was initially created as a clone of Bug #2093166 +++

Description of problem:

lslogins reports incorrect "Password is locked" status

After an account is locked, `lslogins` reports incorrect "Password is locked" status. `passwd -S` reports status correctly.

~~~
# passwd -l bob
Locking password for user bob.
passwd: Success

# passwd -S bob
bob LK 2022-06-02 0 99999 7 -1 (Password locked.)

# lslogins bob
Username:                           bob                                 
UID:                                1002                                
Gecos field:                                                            
Home directory:                     /home/bob                           
Shell:                              /bin/bash                           
No login:                           no                                  
Password is locked:                 no             <<<<<=====
Password not required:              no                                  
Login by password disabled:         yes                                 
Primary group:                      bob                                 
GID:                                1002                                
Hushed:                             no                                  
Password expiration warn interval:  7                                   
Password changed:                   20:00                               
Maximum change time:                99999                               
Running processes:                  0   
~~~

I think the logic in lslogin.c is incorrect. When account is locked by `passwd -l`, two exclamation marks ("!!") are inserted in front of a password hash. The source code checks for the presence of one exclamation marks ("!").

~~~
lslogins.c

case COL_PWDLOCK:
        if (shadow) {
                if (*shadow->sp_pwdp == '!' && valid_pwd(shadow->sp_pwdp + 1))
                        user->pwd_lock = STATUS_TRUE;
        } else
                user->pwd_lock = STATUS_UNKNOWN;
        break;
~~~

Version-Release number of selected component (if applicable):
util-linux-2.32.1-35.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
~~~
# useradd bob

# passwd bob
Changing password for user bob.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

# passwd -S bob
bob PS 2022-06-02 0 99999 7 -1 (Password set, SHA512 crypt.)

# lslogins bob
Username:                           bob                                 
UID:                                1002                                
Gecos field:                                                            
Home directory:                     /home/bob                           
Shell:                              /bin/bash                           
No login:                           no                                  
Password is locked:                 no                                  
Password not required:              no                                  
Login by password disabled:         no                                  
Primary group:                      bob                                 
GID:                                1002                                
Hushed:                             no                                  
Password expiration warn interval:  7                                   
Password changed:                   20:00                               
Maximum change time:                99999                               
Running processes:                  0                                   

Last logs:

# passwd -l bob
Locking password for user bob.
passwd: Success

# passwd -S bob
bob LK 2022-06-02 0 99999 7 -1 (Password locked.)

# lslogins bob
Username:                           bob                                 
UID:                                1002                                
Gecos field:                                                            
Home directory:                     /home/bob                           
Shell:                              /bin/bash                           
No login:                           no                                  
Password is locked:                 no             <<<<<=====
Password not required:              no                                  
Login by password disabled:         yes            <<<<<=====
Primary group:                      bob                                 
GID:                                1002                                
Hushed:                             no                                  
Password expiration warn interval:  7                                   
Password changed:                   20:00                               
Maximum change time:                99999                               
Running processes:                  0                                   

Last logs:

# cat /etc/passwd | grep bob
bob:x:1002:1002::/home/bob:/bin/bash

# cat /etc/shadow | grep bob
bob:!!$6$.18513c.OKQEXCS/$PcBAvB<...>:19146:0:99999:7:::

# vi /etc/shadow

# cat /etc/shadow | grep bob
bob:!$6$.18513c.OKQEXCS/$PcBAvB<...>:19146:0:99999:7:::

# passwd -S bob
bob LK 2022-06-02 0 99999 7 -1 (Password locked.)

# lslogins bob
Username:                           bob                                 
UID:                                1002                                
Gecos field:                                                            
Home directory:                     /home/bob                           
Shell:                              /bin/bash                           
No login:                           no                                  
Password is locked:                 yes            <<<<<=====
Password not required:              no                                  
Login by password disabled:         no             <<<<<=====
Primary group:                      bob                                 
GID:                                1002                                
Hushed:                             no                                  
Password expiration warn interval:  7                                   
Password changed:                   20:00                               
Maximum change time:                99999                               
Running processes:                  0                                   

Last logs:
~~~

Actual results:
"Password is locked" shows "no" when account is locked.

Expected results:
"Password is locked" shows "yes" when account is locked.

Additional info:

--- Additional comment from Karel Zak on 2022-06-07 07:20:11 UTC ---

Good catch. It seems the lslogins code follows shadow(5) documentation rather than a real way of how passed(1) works.

Fixed in upstream repository:
https://github.com/util-linux/util-linux/commit/c51cba1e838ae7e36a843ec785543492bb8737cd
Comment 5 Karel Zak 2022-07-21 09:18:16 UTC 
Upstream:
http://github.com/util-linux/util-linux/commit/c51cba1e838ae7e36a843ec785543492bb8737cd
http://github.com/util-linux/util-linux/commit/890d4d3f236e2d28db35ea9bc9dc3e5e35db975c
http://github.com/util-linux/util-linux/commit/977f98ee34ca002cb5301c2d3a5953c754f813ec
https://github.com/redhat-plumbers/util-linux-rhel/commit/097fc3427d3221d763f0b1c41923758af2f471a3
Comment 13 errata-xmlrpc 2022-11-15 11:23:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (util-linux bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8404