shadow-4.0.5 has fixed securirty bug in libmisc/pwdcheck.c which allow unauthorized account properties modification. Affected tools: chfn and chsh. See URL for changelog. Please consider updating shadow-utils to 4.0.7 version (as I know this is how bugs are fixed in FC, package is updated to newer version instead of backporting patch to old version), the newer version can and probably will fix some open bugs on bugzilla.