On 2013-09-09 17:51 -0400, Eric Cooper wrote:
> Package: base-passwd
> Version: 3.5.28
> Severity: normal
>
> I had removed the gnats account on my system since I had no use for
> it, not realizing that it was one of the "standard" ones. On the next
> upgrade of base-passwd, it prompted me as follows:
>
> Setting up base-passwd (3.5.28) ...
>
> update-passwd has found some differences between your system accounts
> and the current Debian defaults. It is advisable to allow update-passwd
> to change your system; without those changes some packages might not work
> correctly. For more documentation on the Debian account policies please
> see /usr/share/doc/base-passwd/README.
>
> The list of proposed changes is:
>
> Adding group "gnats" (41)
> Adding user "gnats" (41)
> Would commit 2 changes
>
> It is highly recommended that you allow update-passwd to make these
> changes
> (a backup file of modified files is made with the extension .org so you
> can
> always restore the current settings).
>
> May I update your system? [Y/n]
> Okay, I am going to make the necessary updates now
> Adding group "gnats" (41)
> Adding user "gnats" (41)
> 2 changes have been made, rewriting files
> Writing passwd-file to /etc/passwd
> Writing shadow-file to /etc/shadow
> Writing group-file to /etc/group
>
> But in fact no gnats entry was made to /etc/shadow:
>
> # pwck -q
> no matching password file entry in /etc/shadow
> add user 'gnats' in /etc/shadow? y
> pwck: the files have been updated
Indeed. I had a look at the update-passwd source, and there are
functions read_shadow and write_shadow to read and write the shadow
file, but nowhere is there any code to process new/deleted/changed
entries in it. So write_shadow will write back /etc/shadow with the
same content read_shadow had read.
There are even these comments:
,----
| /* Check if new accounts should be made on the system. Please note we don't
| * add accounts to shadow here; those will be made automatically at a later
| * stage where we verify the contents of the shadow database
| */
`----
,----
| /* Check if accounts should be removed. Like with process_new_accounts we
| * don't update shadow here since it is verified at a later stage anyway.
| * We will only remove accounts in our range (uids 0-99).
| */
`----
Perhaps "at a later stage" is referring to code that needs yet to be
written, because it is simply not there.
Cheers,
Sven
