Security of using sudo rather than su?

Alan McKinnon alan at
Fri Sep 15 10:30:56 UTC 2006

On Friday 15 September 2006 11:46, Adam Funk wrote:
> In /etc/shadow I find bin's password field is '*' but cupsys
> has '!'. `passwd -S` for both of them gives a status of 'L'
> (locked).  `man passwd` says there are three possibilities:
> "the account is locked (L), has no password (NP), or has a
> usable password (P)".
> So now I'm wondering:
> * Does `passwd -d` produce status NP?

Dunno. Why don't you try it and tell us what happened?

> * What's the difference between '*' and '!' in the encrypted
> password field?

from man passwd:
   -l, --lock
      Lock the named account. This option disables an account by
      changing the password to a value which matches no possible
      encrypted value.

neither * nor ! is an encrypted hash, so both fulfil the 
requirements. Don't get hung up on what these things mean, it's 
just an arbitrary symbol so that you a) can't login with that 
account and b) the passwd isn't empty
> * Why are the daemon-ish accounts L rather than NP, since you
>   shouldn't want to unlock them?  And what would happen if
> you tried `passwd -u`, since they haven't had passwords yet?

The account is locked, so you can't run a login session as that 
user. But the uid is still valid, the account can own files, 
and root can start a daemon and drop priviledges to that user.

I dunno about passwd -u, but even if you managed to get a valid 
password into a system account (uid < 500), and the shadow 
system recognised a valid login account, pam would still 
disallow the login as it's a system uid


More information about the ubuntu-users mailing list