From nobody@FreeBSD.org  Sat Jun 23 16:29:24 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id CB603106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 23 Jun 2012 16:29:24 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id B5CBB8FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 23 Jun 2012 16:29:24 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q5NGTOCC064550
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 23 Jun 2012 16:29:24 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q5NGTOm3064549;
	Sat, 23 Jun 2012 16:29:24 GMT
	(envelope-from nobody)
Message-Id: <201206231629.q5NGTOm3064549@red.freebsd.org>
Date: Sat, 23 Jun 2012 16:29:24 GMT
From: Devin Teske <dteske@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: passwd(5) manual incorrectly documents password-change/account-expire features
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         169354
>Category:       docs
>Synopsis:       passwd(5) manual incorrectly documents password-change/account-expire features
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bjk
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 23 16:30:11 UTC 2012
>Closed-Date:    Fri Jul 06 04:03:00 UTC 2012
>Last-Modified:  Fri Jul 06 04:03:00 UTC 2012
>Originator:     Devin Teske
>Release:        FreeBSD 9.0-RELEASE i386
>Organization:
FIS Global, Inc.
>Environment:
FreeBSD scribe9.vicor.com 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:15:25 UTC 2012     root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
In the passwd(5) manual it states:

     The change field is the number of seconds from the epoch, UTC, until the
     password for the account must be changed.  This field may be left empty
     to turn off the password aging feature.

     The expire field is the number of seconds from the epoch, UTC, until the
     account expires.  This field may be left empty to turn off the account
     aging feature.

This, however, is an incomplete description.

The FreeBSD operating system uses a value of zero by-default (for both password-change and account-expire fields) for all default users on a vanilla/freshly-installed system.

Meanwhile, the manual says nothing about a value of zero (0) being functionally equivalent to NULL (experienced behavior). Rather, if one takes the manual literally (given above), a value of zero is taken as "number of seconds from the epoch, UTC" and therefore, one would expect that all accounts in a default install are both (a) expired (account-wise) and (b) have expired passwords.

The manual should likely be updated to say that zero is functionally equivalent to NULL.
>How-To-Repeat:
Read passwd(5). Now execute the following to see the password-change and account-expire fields for all users:

sudo awk -F: '{print $1 ":" $6 ":" $7}' /etc/master.passwd

Notice how all (or nearly all) users have a value of zero, including root and all privilege-separation users.
>Fix:
Update passwd(5) manual to mention that a value of zero is functionally equivalent to NULL.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->bjk 
Responsible-Changed-By: bjk 
Responsible-Changed-When: Sat Jun 23 17:12:45 UTC 2012 
Responsible-Changed-Why:  
take 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169354 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/169354: commit references a PR
Date: Mon, 25 Jun 2012 22:39:50 +0000 (UTC)

 Author: bjk (doc committer)
 Date: Mon Jun 25 22:39:37 2012
 New Revision: 237581
 URL: http://svn.freebsd.org/changeset/base/237581
 
 Log:
   Explicitly mention that setting the change and expiry times to zero is
   equivalent to leaving the time unset. [1]
   
   Wordsmith in the compat support section.
   
   Use a full path to nologin(8) in the context of setting it as a user's shell,
   keeping a separate cross-reference.
   
   PR:		docs/169354 [1]
   Approved by:	hrs (mentor)
   MFC after:	3 weeks
 
 Modified:
   head/share/man/man5/passwd.5
 
 Modified: head/share/man/man5/passwd.5
 ==============================================================================
 --- head/share/man/man5/passwd.5	Mon Jun 25 22:22:39 2012	(r237580)
 +++ head/share/man/man5/passwd.5	Mon Jun 25 22:39:37 2012	(r237581)
 @@ -35,7 +35,7 @@
  .\"     From: @(#)passwd.5	8.1 (Berkeley) 6/5/93
  .\" $FreeBSD$
  .\"
 -.Dd May 8, 2007
 +.Dd June 23, 2012
  .Dt PASSWD 5
  .Os
  .Sh NAME
 @@ -203,7 +203,8 @@ field is the number of seconds from the 
  .Dv UTC ,
  until the
  password for the account must be changed.
 -This field may be left empty to turn off the password aging feature.
 +This field may be left empty to turn off the password aging feature;
 +a value of zero is equivalent to leaving the field empty.
  .Pp
  The
  .Ar expire
 @@ -211,7 +212,8 @@ field is the number of seconds from the 
  .Dv UTC ,
  until the
  account expires.
 -This field may be left empty to turn off the account aging feature.
 +This field may be left empty to turn off the account aging feature;
 +a value of zero is equivalent to leaving the field empty.
  .Pp
  The
  .Ar gecos
 @@ -271,7 +273,8 @@ as it is done for system accounts,
  is to set its
  .Ar shell
  to
 -.Xr nologin 8 .
 +.Pa /sbin/nologin
 +.Pq see Xr nologin 8 .
  .Sh HESIOD SUPPORT
  If
  .Sq Li dns
 @@ -363,7 +366,7 @@ fields, the specified numbers will overr
  from the Hesiod domain or the
  .Tn NIS
  maps.
 -As well, if the
 +Likewise, if the
  .Ar gecos ,
  .Ar dir
  or
 @@ -399,7 +402,8 @@ The additional fields
  .Ar change
  and
  .Ar expire
 -are added, but are turned off by default.
 +are added, but are turned off by default
 +.Pq setting these fields to zero is equivalent to leaving them blank .
  Class is currently not implemented, but change and expire are; to set them,
  use the current day in seconds from the epoch + whatever number of seconds
  of offset you want.
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: bjk 
State-Changed-When: Mon Jun 25 22:41:04 UTC 2012 
State-Changed-Why:  
In head as r237581, awaiting MFC. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169354 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/169354: commit references a PR
Date: Fri,  6 Jul 2012 03:43:54 +0000 (UTC)

 Author: bjk (doc committer)
 Date: Fri Jul  6 03:43:33 2012
 New Revision: 238160
 URL: http://svn.freebsd.org/changeset/base/238160
 
 Log:
   MFC r237581:
     Explicitly mention that setting the change and expiry times to zero is
     equivalent to leaving the time unset. [1]
   
     Wordsmith in the compat support section.
   
     Use a full path to nologin(8) in the context of setting it as a user's shell,
     keeping a separate cross-reference.
   
   PR:		docs/169354 [1]
   Approved by:	hrs (mentor)
 
 Modified:
   stable/7/share/man/man5/passwd.5
 Directory Properties:
   stable/7/share/man/man5/   (props changed)
 
 Modified: stable/7/share/man/man5/passwd.5
 ==============================================================================
 --- stable/7/share/man/man5/passwd.5	Fri Jul  6 02:18:49 2012	(r238159)
 +++ stable/7/share/man/man5/passwd.5	Fri Jul  6 03:43:33 2012	(r238160)
 @@ -35,7 +35,7 @@
  .\"     From: @(#)passwd.5	8.1 (Berkeley) 6/5/93
  .\" $FreeBSD$
  .\"
 -.Dd May 8, 2007
 +.Dd June 23, 2012
  .Dt PASSWD 5
  .Os
  .Sh NAME
 @@ -204,7 +204,8 @@ field is the number of seconds from the 
  .Dv UTC ,
  until the
  password for the account must be changed.
 -This field may be left empty to turn off the password aging feature.
 +This field may be left empty to turn off the password aging feature;
 +a value of zero is equivalent to leaving the field empty.
  .Pp
  The
  .Ar expire
 @@ -212,7 +213,8 @@ field is the number of seconds from the 
  .Dv UTC ,
  until the
  account expires.
 -This field may be left empty to turn off the account aging feature.
 +This field may be left empty to turn off the account aging feature;
 +a value of zero is equivalent to leaving the field empty.
  .Pp
  The
  .Ar gecos
 @@ -272,7 +274,8 @@ as it is done for system accounts,
  is to set its
  .Ar shell
  to
 -.Xr nologin 8 .
 +.Pa /sbin/nologin
 +.Pq see Xr nologin 8 .
  .Sh HESIOD SUPPORT
  If
  .Sq Li dns
 @@ -364,7 +367,7 @@ fields, the specified numbers will overr
  from the Hesiod domain or the
  .Tn NIS
  maps.
 -As well, if the
 +Likewise, if the
  .Ar gecos ,
  .Ar dir
  or
 @@ -400,7 +403,8 @@ The additional fields
  .Ar change
  and
  .Ar expire
 -are added, but are turned off by default.
 +are added, but are turned off by default
 +.Pq setting these fields to zero is equivalent to leaving them blank .
  Class is currently not implemented, but change and expire are; to set them,
  use the current day in seconds from the epoch + whatever number of seconds
  of offset you want.
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/169354: commit references a PR
Date: Fri,  6 Jul 2012 03:45:10 +0000 (UTC)

 Author: bjk (doc committer)
 Date: Fri Jul  6 03:44:40 2012
 New Revision: 238161
 URL: http://svn.freebsd.org/changeset/base/238161
 
 Log:
   MFC r237581:
     Explicitly mention that setting the change and expiry times to zero is
     equivalent to leaving the time unset. [1]
   
     Wordsmith in the compat support section.
   
     Use a full path to nologin(8) in the context of setting it as a user's shell,
     keeping a separate cross-reference.
   
   PR:		docs/169354 [1]
   Approved by:	hrs (mentor)
 
 Modified:
   stable/8/share/man/man5/passwd.5
 Directory Properties:
   stable/8/share/man/man5/   (props changed)
 
 Modified: stable/8/share/man/man5/passwd.5
 ==============================================================================
 --- stable/8/share/man/man5/passwd.5	Fri Jul  6 03:43:33 2012	(r238160)
 +++ stable/8/share/man/man5/passwd.5	Fri Jul  6 03:44:40 2012	(r238161)
 @@ -35,7 +35,7 @@
  .\"     From: @(#)passwd.5	8.1 (Berkeley) 6/5/93
  .\" $FreeBSD$
  .\"
 -.Dd May 8, 2007
 +.Dd June 23, 2012
  .Dt PASSWD 5
  .Os
  .Sh NAME
 @@ -204,7 +204,8 @@ field is the number of seconds from the 
  .Dv UTC ,
  until the
  password for the account must be changed.
 -This field may be left empty to turn off the password aging feature.
 +This field may be left empty to turn off the password aging feature;
 +a value of zero is equivalent to leaving the field empty.
  .Pp
  The
  .Ar expire
 @@ -212,7 +213,8 @@ field is the number of seconds from the 
  .Dv UTC ,
  until the
  account expires.
 -This field may be left empty to turn off the account aging feature.
 +This field may be left empty to turn off the account aging feature;
 +a value of zero is equivalent to leaving the field empty.
  .Pp
  The
  .Ar gecos
 @@ -272,7 +274,8 @@ as it is done for system accounts,
  is to set its
  .Ar shell
  to
 -.Xr nologin 8 .
 +.Pa /sbin/nologin
 +.Pq see Xr nologin 8 .
  .Sh HESIOD SUPPORT
  If
  .Sq Li dns
 @@ -364,7 +367,7 @@ fields, the specified numbers will overr
  from the Hesiod domain or the
  .Tn NIS
  maps.
 -As well, if the
 +Likewise, if the
  .Ar gecos ,
  .Ar dir
  or
 @@ -400,7 +403,8 @@ The additional fields
  .Ar change
  and
  .Ar expire
 -are added, but are turned off by default.
 +are added, but are turned off by default
 +.Pq setting these fields to zero is equivalent to leaving them blank .
  Class is currently not implemented, but change and expire are; to set them,
  use the current day in seconds from the epoch + whatever number of seconds
  of offset you want.
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/169354: commit references a PR
Date: Fri,  6 Jul 2012 03:57:06 +0000 (UTC)

 Author: bjk (doc committer)
 Date: Fri Jul  6 03:56:45 2012
 New Revision: 238162
 URL: http://svn.freebsd.org/changeset/base/238162
 
 Log:
   MFC r237581:
     Explicitly mention that setting the change and expiry times to zero is
     equivalent to leaving the time unset. [1]
   
     Wordsmith in the compat support section.
   
     Use a full path to nologin(8) in the context of setting it as a user's shell,
     keeping a separate cross-reference.
   
   PR:		docs/169354 [1]
   Approved by:	re (hrs), hrs (mentor)
 
 Modified:
   stable/9/share/man/man5/passwd.5
 Directory Properties:
   stable/9/share/man/man5/   (props changed)
 
 Modified: stable/9/share/man/man5/passwd.5
 ==============================================================================
 --- stable/9/share/man/man5/passwd.5	Fri Jul  6 03:44:40 2012	(r238161)
 +++ stable/9/share/man/man5/passwd.5	Fri Jul  6 03:56:45 2012	(r238162)
 @@ -35,7 +35,7 @@
  .\"     From: @(#)passwd.5	8.1 (Berkeley) 6/5/93
  .\" $FreeBSD$
  .\"
 -.Dd May 8, 2007
 +.Dd June 23, 2012
  .Dt PASSWD 5
  .Os
  .Sh NAME
 @@ -203,7 +203,8 @@ field is the number of seconds from the 
  .Dv UTC ,
  until the
  password for the account must be changed.
 -This field may be left empty to turn off the password aging feature.
 +This field may be left empty to turn off the password aging feature;
 +a value of zero is equivalent to leaving the field empty.
  .Pp
  The
  .Ar expire
 @@ -211,7 +212,8 @@ field is the number of seconds from the 
  .Dv UTC ,
  until the
  account expires.
 -This field may be left empty to turn off the account aging feature.
 +This field may be left empty to turn off the account aging feature;
 +a value of zero is equivalent to leaving the field empty.
  .Pp
  The
  .Ar gecos
 @@ -271,7 +273,8 @@ as it is done for system accounts,
  is to set its
  .Ar shell
  to
 -.Xr nologin 8 .
 +.Pa /sbin/nologin
 +.Pq see Xr nologin 8 .
  .Sh HESIOD SUPPORT
  If
  .Sq Li dns
 @@ -363,7 +366,7 @@ fields, the specified numbers will overr
  from the Hesiod domain or the
  .Tn NIS
  maps.
 -As well, if the
 +Likewise, if the
  .Ar gecos ,
  .Ar dir
  or
 @@ -399,7 +402,8 @@ The additional fields
  .Ar change
  and
  .Ar expire
 -are added, but are turned off by default.
 +are added, but are turned off by default
 +.Pq setting these fields to zero is equivalent to leaving them blank .
  Class is currently not implemented, but change and expire are; to set them,
  use the current day in seconds from the epoch + whatever number of seconds
  of offset you want.
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: bjk 
State-Changed-When: Fri Jul 6 04:02:06 UTC 2012 
State-Changed-Why:  
Merged to 7, 8, and 9 in r238160-238162. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169354 
>Unformatted:
