-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
rhel-8.8.0
-
None
-
Major
-
sst_cs_plumbers
-
ssg_core_services
-
5
-
False
-
-
Red Hat Enterprise Linux
Resolution of [ lslogins reports incorrect "Password is locked" status|https://bugzilla.redhat.com/show_bug.cgi?id=2093166] caused an inconsistency.
The field "Login by password disabled:" is confusing and misnamed.
For example, after the correction above it will print:
Login by password disabled: no
for a locked login. It is expected that it prints:
Login by password disabled: yes
This happens because it is a locked, but valid password. This can be followed in the source code:
case COL_PWDDENY:
if (shadow) {
const char *p = shadow->sp_pwdp;while (p && (p == '!' || *p == ''))
p++;if (p && *p && p != shadow->sp_pwdp && !valid_pwd(p))
user->pwd_deny = STATUS_TRUE;
} else
user->pwd_deny = STATUS_UNKNOWN;
break;
- p will move forward as it starts with '!!'.
- p is not shadow->sp_pwdp because the pointer was increased.
- valid_pwd(p) will return 1.
What we can understand is that "Login by password disabled" might need a
different string, probably something like "Password is not empty and valid";
this would make it easier to understand that if "Password is locked" says
"yes", that entry value can be ignored.