Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 128

Summary: Hashed passwd ends up in /etc/passwd even with shadow enabled
Product: [Retired] Red Hat Linux Reporter: seva
Component: distributionAssignee: Cristian Gafton <gafton>
Status: CLOSED WORKSFORME QA Contact:
Severity: medium Docs Contact:
Priority: low    
Version: 5.2CC: seva
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1998-11-20 12:14:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description seva 1998-11-19 04:15:46 UTC
Verified on RHL 5.1 and 5.2

1. Install RHL

2. Set up shadowed passwd with 'pwconv'
   From here on /etc/passwd should not contain any
   passwd hashes (right?)

3. Add a test user ('adduser test1')
   and set a passwd ('passwd test1')
   hash is now in /etc/shadow as it is supposed to be

4. Disable the user by putting '*' in the passwd field of
   /etc/shadow (replace the hash with '*' not prepand it)

5. Enable the account by changing passwd ('passwd test1')

6. Account is valid, but the hash has ended up in world
   readable /etc/passwd (not private /etc/shadow)


If in step 4 you prepand '*' to the hash this will fail and
the passwd command will work as designed.

Is this the correct behaviour of passwd/shadow?

/Seva

Comment 1 Aleksey Nogin 1998-11-19 13:41:59 UTC
I believe this is normal behavour - by default, passwd puts the new
password in the same file, where you had the old one. In the case you
did not have any, it thinks you had it in /etc/passwd...
You can tell passwd to always put the new password into the shadow
file by changing
password   required     /lib/security/pam_pwdb.so use_authtok nullok
line in /etc/pam.d/passwd  to
password   required     /lib/security/pam_pwdb.so shadow use_authtok
nullok

Comment 2 seva 1998-11-19 14:00:59 UTC
Hmm, ok I'll try that, but may be RHS should make that default after
'pwconv' has run?

/Seva

Comment 3 seva 1998-11-19 14:20:59 UTC
ayn2@cornell.edu's suggestion does work.  I think pwconv should make
it this way by default.

But also note that if the /etc/shadow has '*HASH' or '!!' in the
passwd field then the passwd gets put there and not /etc/passwd even
w/out this change.

/Seva

Comment 4 Cristian Gafton 1998-11-20 12:14:59 UTC
/etc/pam.d/passwd should have the 'shadow' argument to pam_pwdb