empty fields in shadow handled wrongly
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libnss-extrausers (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: libnss-extrausers
When reading shadow, integer fields are read with strtol directly. This produces 0 for an empty field. However, in many cases a -1 should be used for an empty field. This is certainly the case for account expiry, the final field. This can be seen in the code in glibc which loads these fields:
eglibc-
In the definition of INT_FIELD_
pam_unix is interpreting this 0 value as an account expiring on the 1st of January 1970 which of course is always in the past and so all accounts are appearing expired.
Other fields which default to -1 are sp_lstchg, sp_min, sp_max, sp_warn and sp_inact.
A workaround for this is to set a value in this field.
I wonder if it's actually possible to use the shadow reading code in glibc instead of doing this separately? I don't have time to look into that now anyway.
Reproduced here.