Systemd

History

Lennart Poettering 636e72bce6 sysusers: properly mark generated accounts as locked Previously, we'd only set the shell to /usr/bin/nologin and lock the password for system users. Let's go one step further and also lock the whole account. This is a paranoid safety precaution, since neither disabling the shell like this nor disabling the password is sufficient to lock an account, since remote shell tools generally allow passing different shells, and logins into ftp or similar protocols don't know the shell concept anyway. Moreover, in times of ssh authentication by password is just one option of authentication among many. Takes inspiration from the recommendations in usermod(8)'s -L switch: "Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1."	2019-08-14 18:19:56 +02:00
..
sysusers.c	sysusers: properly mark generated accounts as locked	2019-08-14 18:19:56 +02:00

Lennart Poettering 636e72bce6 sysusers: properly mark generated accounts as locked

Previously, we'd only set the shell to /usr/bin/nologin and lock the
password for system users. Let's go one step further and also lock the
whole account.

This is a paranoid safety precaution, since neither disabling the shell
like this nor disabling the password is sufficient to lock an account,
since remote shell tools generally allow passing different shells, and
logins into ftp or similar protocols don't know the shell concept anyway.
Moreover, in times of ssh authentication by password is just one
option of authentication among many.

Takes inspiration from the recommendations in usermod(8)'s -L switch:

    "Note: if you wish to lock the account (not only access with a
    password), you should also set the EXPIRE_DATE to 1."

2019-08-14 18:19:56 +02:00

sysusers.c

sysusers: properly mark generated accounts as locked

2019-08-14 18:19:56 +02:00