[Adduser-devel] Bug#625758: Bug#625758: 'adduser --disabled-login' does not behave as documented.

Stephen Gran sgran at debian.org
Mon Jul 29 16:57:42 UTC 2013


This one time, at band camp, Sam Morris said:
> On Sat, 2013-07-27 at 08:44 +0100, Stephen Gran wrote:
> > So, I think that maybe I'm confused - I am under the impression that
> > you started by saying that there is no useful difference between the
> > two states 'locked' and 'disabled'.  I responded by saying there was.
> > In defense of your statement, you've pointed me to a bug report that
> > says that pam now looks elsewhere to distinguish between the two states,
> > and that it was a bug in shadow not to set that other flag, and that
> > that bug is now fixed.
> 
> Sorry, I meant to also draw your attention to the clone bug,
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389183#122>. The fix
> was reverted because, as it turns out, people were used to the old
> behaviour (that 'passwd -l' would lock the password, and not the entire
> account).

`passwd -l` should only lock the password, not the account.  That is
correct.  But this, again, only underlines that there is a difference
between locking the password and locking the account, right?

Look, maybe I'm being dense, but I think we're going around in circles a
bit here.  I think there is a semantic difference between these two
states.  I think it makes sense for adduser to expose that semantic
difference for the initial state of a new user.

I think that you are arguing that there is no difference between the
states, but you keep doing so by pointing at things discussing how the
two states aren't the same.  The whole discussion of passwd or shadow
fields is a red herring - adduser just uses the tools from the shadow
suite, so once they decide with PAM what combination of fields makes
sense, adduser will do the right thing.

If you think that there is no difference between a password that can't
be matched and an account that cannot log in, or you think that adduser
shouldn't expose this difference, please enlighten me.

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
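
The distinction argued in this message, as an added example that is not part of the original email or of adduser: a simplified Python model that reads the password field and the account-expiry field of shadow(5) entries separately. The sample entries are constructed, and the names `classify` and `non_password_login_possible` are hypothetical.

```python
from datetime import date
from typing import NamedTuple

class State(NamedTuple):
    password: str  # "usable", "locked", "unmatchable" or "empty"
    account: str   # "active" or "expired"

def classify(entry: str, today: int) -> State:
    """Classify one shadow(5) line; `today` is in days since 1970-01-01."""
    fields = entry.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    pw, expire = fields[1], fields[7]
    if pw == "":
        password = "empty"        # no password required at all
    elif pw.startswith("!"):
        password = "locked"       # `passwd -l` prefixes the hash with "!"
    elif pw == "*":
        password = "unmatchable"  # no hash can ever equal "*"
    else:
        password = "usable"
    # Field 8 is the account expiry date; empty means it never expires.
    expired = expire != "" and today >= int(expire)
    return State(password, "expired" if expired else "active")

def non_password_login_possible(state: State) -> bool:
    """True when the shadow entry does not stop the account itself, so a
    credential other than the password (an SSH key, say) is not blocked."""
    return state.account == "active"

# Constructed sample entries; "$6$salt$hash" is a placeholder, not a real hash.
SAMPLES = [
    "alice:$6$salt$hash:15900:0:99999:7:::",    # normal account
    "bob:!$6$salt$hash:15900:0:99999:7:::",     # password locked (passwd -l)
    "carol:*:15900:0:99999:7:::",               # password can never match
    "dave:!$6$salt$hash:15900:0:99999:7::1:",   # locked and expired (usermod -L -e 1)
]
TODAY = (date(2013, 7, 29) - date(1970, 1, 1)).days

if __name__ == "__main__":
    for line in SAMPLES:
        st = classify(line, TODAY)
        print(f"{line.split(':')[0]:6} password={st.password:12} "
              f"account={st.account:8} "
              f"other-credentials-ok={non_password_login_possible(st)}")
```

Only the `dave` entry blocks the account as a whole; `bob` and `carol` block password matching alone.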