[Pkg-shadow-devel] Bug#501869: Bug#501869: passwd(1) stops shadowing if /etc/passwd is edited manually

Nicolas François nicolas.francois at centraliens.net
Sat Oct 11 12:54:19 UTC 2008


On Sat, Oct 11, 2008 at 10:31:47AM +0800, jidanni at jidanni.org wrote:
> 
> Please document on the passwd(1) man page or better yet fix somehow:
> 
> If a line in /etc/passwd has been changed by hand and not with
> passwd(1) or vipw(1), then from then on any users who change their
> passwords using passwd(1) will cause their encrypted password to be
> visible in /etc/passwd, until the day the administrator runs pwconv(8).
> 
> E.g.,
> # ed /etc/passwd #e.g. forgot passwd, rescue from grub "rw init=/bin/sh"
> /root/s/:x:/::/
> w
> q
> # passwd #then after rebooting and logging in, set a passwd
> # grep root /etc/passwd
> root:$1$cBD...

This is not under control of passwd(1). passwd uses PAM to change the
password. Hence, the password might not even be written in /etc/passwd or
/etc/shadow, depending on the configured PAM password module.

In your case, you can change the above behavior by adding the "shadow"
option to the pam_unix line.

I will add a note indicating that on PAM enabled passwd(1), PAM is used to
authenticate and to change the password in the password database.

> P.S., also you might want to mention on the pwck(8) man page that it
> doesn't check that shadow information might be sitting exposed in
> /etc/passwd.

I would prefer to add a check/warn when a password is specified in
/etc/passwd and in /etc/shadow, or when a password is specified in
/etc/passwd and /etc/shadow exists.

> Also warn to not run pwck on /etc/group.

I don't see the need for this.
pwck clearly indicates that it should be run on the passwd and shadow
files.

> Also you might want to add SEE ALSO pwck(8) to passwd(1) and
> shadow(5).

I've added pwck(8) to passwd(5) and shadow(5).
I don't see why it should be on passwd(1).

> Also add SEE ALSO gshadow(5) to shadow(5). In fact there are lots more
> see also connections that should be made between the members of
> $(dlocate -man passwd), e.g., pwck<->grpck... Or perhaps give all on
> each page...

I've added pwck<->grpck, but I don't see why other pages should be linked.
For example gshadow(5) and shadow(5) describe 2 different file formats
which are not directly linked to each other.

Best Regards,
-- 
Nekral
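The check proposed above (warn when a password hash sits in /etc/passwd while /etc/shadow exists, or when a hash is set in both files) can be written as a small audit script. The following is an added example for this thread, not code from the shadow project or from pwck(8) itself. It assumes that any password field other than the usual non-hash markers (`x`, `*`, `!`, `!!`, empty) is a hash, and the sample passwd and shadow contents are constructed for the demonstration, with placeholder hash strings that are not real hashes.

```python
"""Audit a passwd(5) file for password hashes that are exposed even though
shadow(5) is in use.  Added example for the bug thread; not shadow-project code.
"""
import sys

# Password-field values that do NOT carry a hash.
# 'x' means "look in /etc/shadow"; '*', '!' and '!!' lock the account;
# an empty field means no password at all.  (Assumption of this example.)
NON_HASH_FIELDS = {"x", "", "*", "!", "!!"}

REASON_EXPOSED = "password in /etc/passwd although /etc/shadow exists"
REASON_BOTH = "password set in both /etc/passwd and /etc/shadow"


def parse_colon_file(text):
    """Return {name: [fields]} for a colon-separated passwd/shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def looks_like_hash(field):
    """True when the password field is not one of the known non-hash markers."""
    return field not in NON_HASH_FIELDS


def find_exposed_passwords(passwd_text, shadow_text=None):
    """Return a list of (user, reason) for passwd(5) entries whose password
    field carries a hash while a shadow file is present.

    shadow_text is None when no shadow file exists; nothing is reported then,
    because without shadow(5) a hash in /etc/passwd is the only place it can be.
    """
    if shadow_text is None:
        return []
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, fields in passwd.items():
        if len(fields) < 2 or not looks_like_hash(fields[1]):
            continue
        sh = shadow.get(user)
        if sh is not None and len(sh) > 1 and looks_like_hash(sh[1]):
            findings.append((user, REASON_BOTH))
        else:
            findings.append((user, REASON_EXPOSED))
    return findings


def check_system(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run the check against real files; a missing shadow file counts as None."""
    with open(passwd_path, encoding="utf-8", errors="replace") as f:
        passwd_text = f.read()
    try:
        with open(shadow_path, encoding="utf-8", errors="replace") as f:
            shadow_text = f.read()
    except FileNotFoundError:
        shadow_text = None
    return find_exposed_passwords(passwd_text, shadow_text)


# Constructed sample files: root's passwd line carries a hash (as after the
# hand edit in the report) while its shadow entry is locked; bob has a hash
# in both files; the other accounts are shadowed correctly.
SAMPLE_PASSWD = """\
root:$1$abcdefgh$CONSTRUCTEDEXAMPLEHASH0000:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$6$ijklmnop$ANOTHERCONSTRUCTEDHASH00:1001:1001:Bob:/home/bob:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
"""

SAMPLE_SHADOW = """\
root:*:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:$6$qrstuvwx$CONSTRUCTEDSHADOWHASH00:17000:0:99999:7:::
bob:$6$yzabcdef$YETANOTHERCONSTRUCTED00:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
"""


if __name__ == "__main__":
    # Pass "--system" to audit the real files (needs read access to /etc/shadow).
    if "--system" in sys.argv[1:]:
        results = check_system()
    else:
        results = find_exposed_passwords(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, reason in results:
        print(f"warning: {user}: {reason}")
    sys.exit(1 if results else 0)
```

On the constructed input the script warns about root (hash exposed in passwd, shadow entry locked) and bob (hash in both files), and says nothing about the correctly shadowed accounts. Running it with `--system` audits the real files, and pwconv(8) is the usual remedy when it reports something.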
