Skip to content

NAS-135898 / 25.10 / Add special case handling of user password disable. #16508

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 16, 2025
Merged

NAS-135898 / 25.10 / Add special case handling of user password disable. #16508

merged 2 commits into from
May 16, 2025

Conversation

mgrimesix
Copy link
Contributor

@mgrimesix mgrimesix commented May 16, 2025
edited
Loading

When user passwords are disabled the user can no longer manage password change requirements or any password policy restrictions. Under certain configurations, e.g. STIG, this can lead to the user account being disabled. We want to avoid this condition.

The fix for this is to special case the user shadow entry to disable all expiration type settings when the user has password authentication disabled.

The shadow entry for a password disabled user will be *:::::::. This will prevent the user getting disabled due to password requirements.

Also added a CI unit test.
Also fixed a small error in the unit test. Reporting info on an assert was missing some data.

This fixes the issue raised in NAS-135863

@mgrimesix
Add special case handling of root password disable.
fbd43aa 
The shadow entry for a password disabled root will be '*:::::::'.
This is to avoid the root user getting disabled due to password requirements.

Also added a CI unit test.
Also fixed a small error in the unit test.  Reporting info on an assert was missing some data.
@mgrimesix mgrimesix requested review from anodos325 and yocalebo May 16, 2025 00:27
@bugclerk
Copy link
Contributor

Jira label ignored, branch name already named after an existing ticket.

@bugclerk bugclerk changed the title Add special case handling of root password disable. NAS-135898 / 25.10 / Add special case handling of root password disable. May 16, 2025
@bugclerk
Copy link
Contributor

Jira URL: https://ixsystems.atlassian.net/browse/NAS-135898

creatorcary
creatorcary reviewed May 16, 2025
View reviewed changes
@truenas truenas deleted a comment from bugclerk May 16, 2025
@mgrimesix mgrimesix changed the title NAS-135898 / 25.10 / Add special case handling of root password disable. NAS-135898 / 25.10 / Add special case handling of user password disable. May 16, 2025
@mgrimesix mgrimesix requested a review from creatorcary May 16, 2025 18:27
@mgrimesix mgrimesix merged commit 7dd9287 into master May 16, 2025
2 checks passed
@mgrimesix mgrimesix deleted the NAS-135872 branch May 16, 2025 19:08
This was referenced May 16, 2025
Merged
Merged
@bugclerk
Copy link
Contributor

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators May 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@creatorcary creatorcary creatorcary approved these changes

@anodos325 anodos325 Awaiting requested review from anodos325

@yocalebo yocalebo Awaiting requested review from yocalebo

Assignees
No one assigned
Labels
backport-25.04.1 backport-25.04.2 backported jira-high no-time-tracked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mgrimesix @bugclerk @creatorcary @yocalebo