[Pkg-shadow-devel] Re: adduser --system should add users without expire period

Gerhard Schrenk gps@mittelerde.physik.uni-konstanz.de
Mon, 21 Mar 2005 16:16:41 +0100


* Marc Haber <mh+debian-packages@zugschlus.de> [2005-03-18 18:10]:
> On Thu, Mar 10, 2005 at 03:10:28PM +0100, Gerhard Schrenk wrote:
> > 'adduser --system' adds apparently users with expire and warn period
> > from /etc/login.defs
> > 
> > For example it reads the following setting in /etc/login.defs
> > PASS_MAX_DAYS   183
> > PASS_MIN_DAYS   0
> > PASS_WARN_AGE   183
> > 
> > Example: After 1/2 year after upgrading to sarge logcheck (which added a
> > new system user) suddenly stopped mailing its reports.
> 
> Yuck.
> 
> Did the account actually have a password?
No password. Before I fixed it the shadow entry was 

gandalf:/.home/gandalf/gps# getent shadow logcheck
logcheck:!:12656:0:183:183:::

The system account logcheck was not in woody. It has been introduced in 
unstable/sarge. From /usr/share/doc/logcheck/NEWS.Debian.gz:

|logcheck (1.2.19-2) unstable; urgency=low
|
|  * As of version 1.2.19, logcheck no longer runs as root.  
|    Logcheck runs as user logcheck which has been created 
|    and added to group adm upon configuration.
|
|    If you have customized your configuration, 
|    you will need to be sure that your
|    logs are readable by the logcheck user.

I upgraded from woody -> sarge on 26 Aug 2004. On 26 Feb 2004 logcheck stopped
mailing. 

For sshd and sslwrap I had the same insane entries (183:183 instead of 99999:7; without password).

> Can you please verify whether useradd -x 99999 will create an account
> without that restriction?
Um. No.

gandalf:/home/gandalf/gps# useradd -x 99999 testit
useradd: invalid option -- x
usage: useradd  [-u uid [-o]] [-g group] [-G group,...] 
                [-d home] [-s shell] [-c comment] [-m [-k template]]
                [-f inactive] [-e expire ] [-p passwd] name
       useradd  -D [-g group] [-b base] [-s shell]
                [-f inactive] [-e expire ]

Do you mean useradd -e 99999?

gandalf:/home/gandalf/gps# grep ^PASS /etc/login.defs
PASS_MAX_DAYS   183
PASS_MIN_DAYS   0
PASS_WARN_AGE   183
PASS_MAX_LEN            8
gandalf:/home/gandalf/gps# useradd -e 99999 testit
gandalf:/home/gandalf/gps# getent passwd testit
testit:x:11322:100::/home/testit:
gandalf:/home/gandalf/gps# getent shadow testit
testit:!:12863:0:183:183::17324:

> The only possible fix for _adduser_ would be to ignore PASS_MAX_DAYS
> for system account creation. Is that what you're suggesting?

Yes. I think this should be the sane default behaviour for 'adduser --system'.
Only adduser and adduser.conf are mentioned in debian policy section 9.2.2 (and
neither useradd nor /etc/login.defs). I suppose you should fix this independently
of what useradd is doing. 

But maybe the right thing is to actually fix useradd?? At least its manpage
does not mention /etc/login.defs. Therefore I have cc'ed its maintainers.

-- Gerhard
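
An audit for the condition described in this message, as an added example that is not part of the original mail or of the shadow/adduser packages: it parses shadow entries, picks out accounts with no usable password, and reports the dates on which their password aging limit or account expiry takes effect. The function names and the third sample line are assumptions made for illustration; the first two sample lines are the entries quoted above.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # shadow day counts are days since this date
NO_AGING = 99999           # conventional "never expires" value for the max-age field

def _days(field):
    """An empty shadow field means 'not set'; otherwise it is a day count."""
    return int(field) if field else None

def audit_shadow_line(line):
    """Return None for a sane entry, else a dict describing the aging problem.

    Field order per shadow(5):
    name:password:lastchg:min:max:warn:inactive:expire:reserved
    """
    parts = line.strip().split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    name, pw = parts[0], parts[1]
    lastchg, max_age, expire = _days(parts[2]), _days(parts[4]), _days(parts[7])
    # Only accounts without a usable password are of interest here:
    # a '!' or '*' prefix means no hash can ever match.
    if not pw.startswith(("!", "*")):
        return None
    finding = {"name": name, "password_expires": None, "account_expires": None}
    if lastchg is not None and max_age is not None and max_age < NO_AGING:
        finding["password_expires"] = EPOCH + timedelta(days=lastchg + max_age)
    if expire is not None:
        finding["account_expires"] = EPOCH + timedelta(days=expire)
    if finding["password_expires"] or finding["account_expires"]:
        return finding
    return None

def audit(lines):
    """Audit an iterable of shadow lines, returning only the findings."""
    return [f for f in map(audit_shadow_line, lines) if f]

SAMPLE = [
    "logcheck:!:12656:0:183:183:::",     # entry quoted in the message
    "testit:!:12863:0:183:183::17324:",  # entry quoted in the message
    "sshd:!:12656:0:99999:7:::",         # constructed: the 99999:7 form
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["name"], "password expires:", f["password_expires"],
              "account expires:", f["account_expires"])
```

On a live system the same functions can be fed the output of `getent shadow`, run as root.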