On 2013-09-09 17:51 -0400, Eric Cooper wrote: > Package: base-passwd > Version: 3.5.28 > Severity: normal > > I had removed the gnats account on my system since I had no use for > it, not realizing that it was one of the "standard" ones. On the next > upgrade of base-passwd, it prompted me as follows: > > Setting up base-passwd (3.5.28) ... > > update-passwd has found some differences between your system accounts > and the current Debian defaults. It is advisable to allow update-passwd > to change your system; without those changes some packages might not work > correctly. For more documentation on the Debian account policies please > see /usr/share/doc/base-passwd/README. > > The list of proposed changes is: > > Adding group "gnats" (41) > Adding user "gnats" (41) > Would commit 2 changes > > It is highly recommended that you allow update-passwd to make these > changes > (a backup file of modified files is made with the extension .org so you > can > always restore the current settings). > > May I update your system? [Y/n] > Okay, I am going to make the necessary updates now > Adding group "gnats" (41) > Adding user "gnats" (41) > 2 changes have been made, rewriting files > Writing passwd-file to /etc/passwd > Writing shadow-file to /etc/shadow > Writing group-file to /etc/group > > But in fact no gnats entry was made to /etc/shadow: > > # pwck -q > no matching password file entry in /etc/shadow > add user 'gnats' in /etc/shadow? y > pwck: the files have been updated
Indeed. I had a look at the update-passwd source, and there are functions read_shadow and write_shadow to read and write the shadow file, but nowhere is there any code to process new/deleted/changed entries in it. So write_shadow will write back /etc/shadow with the same content read_shadow had read. There are even these comments: ,---- | /* Check if new accounts should be made on the system. Please note we don't | * add accounts to shadow here; those will be made automatically at a later | * stage where we verify the contents of the shadow database | */ `---- ,---- | /* Check if accounts should be removed. Like with process_new_accounts we | * don't update shadow here since it is verified at a later stage anyway. | * We will only remove accounts in our range (uids 0-99). | */ `---- Perhaps "at a later stage" is referring to code that needs yet to be written, because it is simply not there. Cheers, Sven