sudo version 1.8.30 behavior change which breaks harbor service after password expired #11633

@ijumps

If you are reporting a problem, please make sure the following information is provided:

Expected behavior and actual behavior:

harbor-log sets its password to expire after 90 days. sudo-1.8.20p2-6.ph2.x86_64 is OK to run sudo -u \#10000 -E 'rsyslogd' '-n', but sudo-1.8.30-2.ph2.x86_64 will require a password change.

Steps to reproduce the problem:

For old harbor image:

# Run an old image, where it is OK to run `sudo` even if the password is expired
[root@vm ~]# docker run -it --rm goharbor/harbor-log:v1.10.1 bash
root [ / ]# chage -l root
You are required to change your password immediately (password expired)
chage: PAM: Authentication token is no longer valid; new one required
root [ / ]# sudo ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  proc  root  run  sbin  srv  sys  tmp  usr  var
root [ / ]# sudo --version | grep -i version
Sudo version 1.8.20p2
Sudoers policy plugin version 1.8.20p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.20p2

For recent harbor image:

# Run a new image and set the password to expire now; sudo will require a password change
[root@vm ~]# docker run -it --rm goharbor/harbor-log:dev bash
root [ / ]# chage -d 0 root
root [ / ]# chage -l root
You are required to change your password immediately (administrator enforced)
chage: PAM: Authentication token is no longer valid; new one required
root [ / ]# sudo ls
sudo: Account or password is expired, reset your password and try again
Changing password for root.
Current password:

sudo: unable to change expired password: Authentication failure
root [ / ]#
root [ / ]# sudo --version | grep -i version
Sudo version 1.8.30
Sudoers policy plugin version 1.8.30
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.30

Versions:
Please specify the versions of following systems.

  • harbor version: [v1.10.2]
  • docker engine version: [y.y.y]
  • docker-compose version: [z.z.z]

Note

I just tested the harbor-log image; this may affect other harbor images as well.

Additional context:

  • Harbor config files: You can get them by packaging harbor.yml and files in the same directory, including subdirectory.
  • Log files: You can get them by packaging /var/log/harbor/.
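
To find which accounts in an image are in the state shown in the report above (forced change after `chage -d 0`, or a password past its maximum age), the shadow(5) aging fields can be read directly. This is an added example, not code from the issue or from the Harbor project; the account names and day numbers in the sample are constructed, and the check is simplified in that it ignores the inactivity field.

```shell
#!/bin/sh
# Added example: flag accounts whose shadow(5) aging fields mean the password
# or account is expired. Fields: 3 = last change (days since epoch, 0 = must
# change now), 5 = maximum password age in days, 8 = account expiry day.

# expired_accounts FILE [TODAY]  -> prints "name reason" per affected account.
# TODAY is days since the epoch and defaults to the current date.
expired_accounts() {
    file=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF < 8 { next }                       # comment or malformed line
        $3 == "0" { print $1, "forced-change"; next } # state left by chage -d 0
        $8 != "" && today >= $8 { print $1, "account-expired"; next }
        $3 != "" && $5 != "" && ($3 + $5) < today { print $1, "password-aged-out" }
    ' "$file"
}

# Constructed sample entries (not taken from any Harbor image).
sample_shadow() {
    cat <<'EOF'
root:x:18000:0:90:7:::
svc_a:!:0:0:99999:7:::
svc_b:!:18300:0:99999:7:::
svc_c:!:18300:0:99999:7::18350:
svc_d:!:18390:0:90:7:::
EOF
}

# Demo run against the sample with a fixed "today" of day 18400.
demo_file=$(mktemp)
sample_shadow > "$demo_file"
expired_accounts "$demo_file" 18400
rm -f "$demo_file"
```

Inside a container, `expired_accounts /etc/shadow` run as root lists the accounts for which an account-validity check would report an expired password or account.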
