Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 128 - Hashed passwd ends up in /etc/passwd even with shadow enabled
Summary: Hashed passwd ends up in /etc/passwd even with shadow enabled
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: distribution
Version: 5.2
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Cristian Gafton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1998-11-19 04:15 UTC by seva
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1998-11-20 12:14:25 UTC


Attachments (Terms of Use)

Description seva 1998-11-19 04:15:46 UTC
Verified on RHL 5.1 and 5.2

1. Install RHL

2. Set up shadowed passwd with 'pwconv'
   From here on /etc/passwd should not contain any
   passwd hashes (right?)

3. Add a test user ('adduser test1')
   and set a passwd ('passwd test1')
   hash is now in /etc/shadow as it is supposed to be

4. Disable the user by putting '*' in the passwd field of
   /etc/shadow (replace the hash with '*' not prepand it)

5. Enable the account by changing passwd ('passwd test1')

6. Account is valid, but the hash has ended up in world
   readable /etc/passwd (not private /etc/shadow)


If in step 4 you prepand '*' to the hash this will fail and
the passwd command will work as designed.

Is this the correct behaviour of passwd/shadow?

/Seva

Comment 1 Aleksey Nogin 1998-11-19 13:41:59 UTC
I believe this is normal behavour - by default, passwd puts the new
password in the same file, where you had the old one. In the case you
did not have any, it thinks you had it in /etc/passwd...
You can tell passwd to always put the new password into the shadow
file by changing
password   required     /lib/security/pam_pwdb.so use_authtok nullok
line in /etc/pam.d/passwd  to
password   required     /lib/security/pam_pwdb.so shadow use_authtok
nullok

Comment 2 seva 1998-11-19 14:00:59 UTC
Hmm, ok I'll try that, but may be RHS should make that default after
'pwconv' has run?

/Seva

Comment 3 seva 1998-11-19 14:20:59 UTC
ayn2@cornell.edu's suggestion does work.  I think pwconv should make
it this way by default.

But also note that if the /etc/shadow has '*HASH' or '!!' in the
passwd field then the passwd gets put there and not /etc/passwd even
w/out this change.

/Seva

Comment 4 Cristian Gafton 1998-11-20 12:14:59 UTC
/etc/pam.d/passwd should have the 'shadow' argument to pam_pwdb


Note You need to log in before you can comment on or make changes to this bug.