shadow-4.0.5 has fixed securirty bug in libmisc/pwdcheck.c which allow
unauthorized account properties modification. Affected tools: chfn and
chsh. See URL for changelog.
Please consider updating shadow-utils to 4.0.7 version (as I know this
is how bugs are fixed in FC, package is updated to newer version
instead of backporting patch to old version), the newer version can
and probably will fix some open bugs on bugzilla.