Security of using sudo rather than su?

Adam Funk a24061 at
Fri Sep 15 09:46:19 UTC 2006

On 2006-09-15, Alan McKinnon <alan at> wrote:

> On Thursday 14 September 2006 19:45, Adam Funk wrote:
>> What's the practical difference in effect (I mean beyond what
>> appears in /etc/shadow) of passwd -d and passwd -l?  Is it
>> just that the effect of -l can be reversed back to the
>> previously valid password?
> Pretty much. Both options are provided so that root can do 
> either. 
> -d is also useful if you have a situation where a system user 
> (like bin or apache) somehow got a password. I had this with a 
> database product and the manual said to useradd a user with 
> login abilities. Later on I realised the db could run as a 
> daemon so I hacked the startup scripts and did -d on the db 
> owner account

In /etc/shadow I find bin's password field is '*' but cupsys has '!'.
`passwd -S` for both of them gives a status of 'L' (locked).  `man
passwd` says there are three possibilities: "the account is locked (L),
has no password (NP), or has a usable password (P)".

So now I'm wondering:

* Does `passwd -d` produce status NP?

* What's the difference between '*' and '!' in the encrypted password

* Why are the daemon-ish accounts L rather than NP, since you
  shouldn't want to unlock them?  And what would happen if you tried
  `passwd -u`, since they haven't had passwords yet?

More information about the ubuntu-users mailing list