-l/-u options: edit the shadow account expiry field *in addition* to

editing the password field.  Debian patch 494_passwd_lock.

ChangeLog

@@ -1,3 +1,9 @@
+2007-11-17  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* src/passwd.c, man/passwd.1.xml: -l/-u options: edit the
+	shadow account expiry field *in addition* to editing the password
+	field.  Debian patch 494_passwd_lock.
+
 2007-11-17  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/newgrp.c: Do not request a password when a user uses newgrp

man/passwd.1.xml

@@ -214,7 +214,8 @@
 	<listitem>
 	  <para>
 	    Lock the named account. This option disables an account by changing
-	    the password to a value which matches no possible encrypted value.
+	    the password to a value which matches no possible encrypted value,
+	    and by setting the account expiry field to 1.
 	  </para>
 	</listitem>
       </varlistentry>
@@ -275,7 +276,8 @@
 	  <para>
 	    Unlock the named account. This option re-enables an account by
 	    changing the password back to its previous value (to value before
-	    using <option>-l</option> option).
+	    using <option>-l</option> option), and by resetting the account
+	    expiry field.
 	  </para>
 	</listitem>
       </varlistentry>

src/passwd.c

@@ -531,6 +531,15 @@ static void update_shadow (void)
 		nsp->sp_inact = (inact * DAY) / SCALE;
 	if (do_update_age)
 		nsp->sp_lstchg = time ((time_t *) 0) / SCALE;
+	if (lflg) {
+		/* Set the account expiry field to 1.
+		 * Some PAM implementation consider zero as a non expired
+		 * account.
+		 */
+		nsp->sp_expire = 1;
+	}
+	if (uflg)
+		nsp->sp_expire = -1;
 
 	/*
 	 * Force change on next login, like SunOS 4.x passwd -e or Solaris