Sun Useradd program expiration date bug

From: Chad Price (cpriceat_private)
Date: Thu Jun 10 1999 - 09:16:32 PDT

Next message: Aaron Power: "Re: Bug in WTS 4.0 on WinNT 4.0 sp4"

Previous message: ryanwat_private: "Re: [linux-security] Re: RedHat 6.0,"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This has been tested and verified only on Solaris 7.

Sun has provided a useradd binary as well as the gui (admintool) for adding
new users.  This program (it's a binary in Solaris 7) allows the "-e"
parameter which purports to set the expiration date for a new account. The
man page for it says:

     -e expire Specify the expiration date  for  a  login.  After
               this  date,  no  user  will be able to access this
               login. expire is a date entered in any format  you
               like  (except  a  Julian date). If the date format
               that  you  choose  includes  spaces,  it  must  be
               quoted.  For  example,  you  may  enter 10/6/90 or
               "October 6, 1990". A null value (" ") defeats  the
               status  of the expired date. This option is useful
               for creating temporary logins.

The key here is that is says: "in any format you like".

Using the system as it ships and using the parameter as (for example)
	 "-e 6/30/2000"
(in a vain attempt to avoid Y2K confusion) results in an expiration date of
June 30, 2020, so if you are expecting the user accounts to expire soon,
you will be a little disappointed.  If expiration dates are critical, you
have a real problem - users can login for 20 years after you thought you
had expired them!

Workaround (supplied by Sun): replace /etc/datemsk with:

#ident
%m/%d/%y %I:%M:%S %p
%m/%d/%Y %I:%M:%S %p
%m/%d/%y %H:%M:%S
%m/%d/%Y %H:%M:%S
%m/%d/%y %I:%M %p
%m/%d/%Y %I:%M %p
%m/%d/%y %H:%M
%m/%d/%Y %H:%M
%m/%d/%y
%m/%d/%Y
%m/%d
%b %d, %Y %I:%M:%S %p
%b %d, %Y %H:%M:%S
%B %d, %Y %I:%M:%S %p
%B %d, %Y %H:%M:%S
%b %d, %Y %I:%M %p
%b %d, %Y %H:%M
%B %d, %Y %I:%M %p
%B %d, %Y %H:%M
%b %d, %Y
%B %d, %Y
%b %d
%m\%d\%H\%M\%y
%m\%d\%H\%M\%Y
%m\%d\%H\%M
%m\%d\%H
%m%d

Your mileage may vary. I have not tested this to make sure it works
correctly with 2-digit years (lower case 'y' in the mask above.)

Sun has been notified of this and of the posting to BUGTRAQ.

Chad

Chad Price
Systems Manager
University of Nebraska Medical Center
600 S 42nd St
Omaha, NE 68506-6495
cpriceat_private
(402) 559-9527
(402) 559-4077 (FAX)

Next message: Aaron Power: "Re: Bug in WTS 4.0 on WinNT 4.0 sp4"
Previous message: ryanwat_private: "Re: [linux-security] Re: RedHat 6.0,"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:56 PDT