
I have a requirement to change the maxdays setting of several Linux accounts to 365, and most of the accounts are locked.

Do password aging settings affect these accounts? My concern is that I'll change them to 365 (where currently many of them are 99999 or -1) and a year from now some process that uses them is not going to work or start up any more.


1 Answer

It looks like a service can still start if an expired user account is used. E.g.:

[vagrant@localhost ~]$ sudo usermod --lock --expiredate 1970-02-02 apache

[vagrant@localhost ~]$ sudo chage -l apache
Last password change                                    : Nov 15, 2014
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Feb 02, 1970
Minimum number of days between password change          : -1
Maximum number of days between password change          : -1
Number of days of warning before password expires       : -1

[vagrant@localhost ~]$ sudo service httpd stop
Stopping httpd:                                            [  OK  ]

[vagrant@localhost ~]$ ps -ef | grep apache
vagrant   4444  2503  0 14:52 pts/0    00:00:00 grep apache

[vagrant@localhost ~]$ sudo service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
                                                           [  OK  ]
[vagrant@localhost ~]$ ps -ef | grep apache
apache    4459  4457  0 14:52 ?        00:00:00 /usr/sbin/httpd
apache    4460  4457  0 14:52 ?        00:00:00 /usr/sbin/httpd
apache    4461  4457  0 14:52 ?        00:00:00 /usr/sbin/httpd
apache    4462  4457  0 14:52 ?        00:00:00 /usr/sbin/httpd
apache    4463  4457  0 14:52 ?        00:00:00 /usr/sbin/httpd
apache    4464  4457  0 14:52 ?        00:00:00 /usr/sbin/httpd
apache    4465  4457  0 14:52 ?        00:00:00 /usr/sbin/httpd
apache    4466  4457  0 14:52 ?        00:00:00 /usr/sbin/httpd
vagrant   4468  2503  0 14:52 pts/0    00:00:00 grep apache

As this has only been tested for one product, it does not prove that this is applicable to all software products.

The safest solution is to check whether certain users that are going to expire are used by processes by executing ps -ef | grep username. If a user is not used by a process it seems safe to set an expiry date. Otherwise do not set an expiry date or replace the user. The latter should not be necessary if the native users are used to run processes. Why should one assign an expiry date to e.g. apache and decide to run httpd by another user than apache?

030
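A script for the check the answer recommends, run before shortening maxdays: it reports which of the candidate accounts currently own a running process. This is an added example, not code from the original answer; the account list and the ps output it is fed here are constructed, and it assumes a procps-style `ps` and shadow-utils `chage`.

```shell
#!/bin/sh
# users_with_processes USERLIST PSOUTPUT
# USERLIST is a space-separated list of account names; PSOUTPUT is the
# text produced by `ps -eo user=` (one owner name per process line).
# Prints, one per line, every account that owns at least one process.
users_with_processes() {
    for u in $1; do
        # -x: match the whole line, so "apache" does not match "apache2";
        # -F: treat the name literally, not as a regex.
        if printf '%s\n' "$2" | grep -qxF "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Constructed sample of `ps -eo user=` output for the demonstration.
SAMPLE_PS='root
apache
apache
postgres
vagrant'

# Constructed list of accounts whose maxdays is going to be set to 365.
ACCOUNTS="apache postgres mysql backup"

# On a live system, as root, feed the real process table instead:
#   users_with_processes "$ACCOUNTS" "$(ps -eo user=)"
# Note: some ps versions truncate owner names longer than 8 characters;
# use `ps -eo user:32=` where supported to see the full name.
for u in $(users_with_processes "$ACCOUNTS" "$SAMPLE_PS"); do
    echo "$u owns running processes: review its service before 'chage -M 365 $u'"
done
```

This is a point-in-time check; an account used only by a cron job or an on-demand service shows no process until that job runs, so also check crontabs and service definitions for the remaining names.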
  • Thanks for the help utrecht. That sounds like a logical approach to the problem, I was just hoping for more of an ultimatum sort of answer because I don't have the ability to test some of the running processes in a lab environment, unfortunately. – Chris M. Nov 15 '14 at 18:51
  • @ChrisM. Does this answers your question or should the answer be elaborated more? – 030 Nov 16 '14 at 00:55
  • Your answer works for me, appreciate the help. – Chris M. Nov 16 '14 at 15:00