On 2013-09-09 17:51 -0400, Eric Cooper wrote:

> Package: base-passwd
> Version: 3.5.28
> Severity: normal
> I had removed the gnats account on my system since I had no use for
> it, not realizing that it was one of the "standard" ones.  On the next
> upgrade of base-passwd, it prompted me as follows:
>     Setting up base-passwd (3.5.28) ...
>     update-passwd has found some differences between your system accounts
>     and the current Debian defaults. It is advisable to allow update-passwd
>     to change your system; without those changes some packages might not work
>     correctly.  For more documentation on the Debian account policies please
>     see /usr/share/doc/base-passwd/README.
>     The list of proposed changes is:
>     Adding group "gnats" (41)
>     Adding user "gnats" (41)
>     Would commit 2 changes
>     It is highly recommended that you allow update-passwd to make these changes
>     (a backup file of modified files is made with the extension .org so you can
>     always restore the current settings).
>     May I update your system? [Y/n] 
>     Okay, I am going to make the necessary updates now
>     Adding group "gnats" (41)
>     Adding user "gnats" (41)
>     2 changes have been made, rewriting files
>     Writing passwd-file to /etc/passwd
>     Writing shadow-file to /etc/shadow
>     Writing group-file to /etc/group
> But in fact no gnats entry was made to /etc/shadow:
>     # pwck -q
>     no matching password file entry in /etc/shadow
>     add user 'gnats' in /etc/shadow? y
>     pwck: the files have been updated

Indeed.  I had a look at the update-passwd source, and there are
functions read_shadow and write_shadow to read and write the shadow
file, but nowhere is there any code to process new/deleted/changed
entries in it.  So write_shadow will write back /etc/shadow with the
same content read_shadow had read.

There are even these comments:

| /* Check if new accounts should be made on the system. Please note we don't
|  * add accounts to shadow here; those will be made automatically at a later
|  * stage where we verify the contents of the shadow database
|  */

| /* Check if accounts should be removed. Like with process_new_accounts we
|  * don't update shadow here since it is verified at a later stage anyway.
|  * We will only remove accounts in our range (uids 0-99).
|  */

Perhaps "at a later stage" is referring to code that needs yet to be
written, because it is simply not there.


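The consistency check that pwck performs in the report above, as an added example in Python (not code from update-passwd or from either message): it parses passwd- and shadow-format text and lists accounts present in one file but missing from the other. The sample files are constructed to mirror the reported state, with gnats re-added to passwd but absent from shadow.

```python
"""Cross-check passwd against shadow for the inconsistency this bug describes:
an account present in passwd with no matching shadow entry. Added example code,
not part of update-passwd; sample files are constructed inline."""

# Constructed sample: passwd after update-passwd re-added "gnats", and a
# shadow file that was written back unchanged, so gnats is missing from it.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$saltsalt$HASHPLACEHOLDER:15000:0:99999:7:::
olduser:*:15000:0:99999:7:::
"""

def parse_fields(text, nfields):
    """Yield colon-split records, requiring exactly nfields fields per line
    (7 for passwd, 9 for shadow); blank and comment lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed record: {line!r}")
        yield fields

def find_inconsistencies(passwd_text, shadow_text):
    """Return (missing, orphans): passwd users with no shadow entry as
    sorted (name, uid) pairs, the case pwck reports as 'no matching password
    file entry in /etc/shadow', and shadow names with no passwd entry."""
    passwd = {f[0]: int(f[2]) for f in parse_fields(passwd_text, 7)}
    shadow = {f[0] for f in parse_fields(shadow_text, 9)}
    missing = sorted((name, uid) for name, uid in passwd.items()
                     if name not in shadow)
    orphans = sorted(shadow - passwd.keys())
    return missing, orphans

if __name__ == "__main__":
    # Runs on the constructed sample; feed it the contents of /etc/passwd
    # and /etc/shadow (readable only as root) to check a real system.
    missing, orphans = find_inconsistencies(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name, uid in missing:
        print(f"no shadow entry for {name} (uid {uid})")
    for name in orphans:
        print(f"shadow entry {name} has no passwd entry")
```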