On Sat, Oct 11, 2008 at 10:31:47AM +0800, [EMAIL PROTECTED] wrote:
>
> Please document on the passwd(1) man page or better yet fix somehow:
>
> If a line in /etc/passwd has been changed by hand and not with
> passwd(1) or vipw(1), then from then on any users who change their
> passwords using passwd(1) will cause their encrypted password to be
> visible in /etc/passwd, until the day the administrator runs pwconv(8).
>
> E.g.,
> # ed /etc/passwd #e.g. forgot passwd, rescue from grub "rw init=/bin/sh"
> /root/s/:x:/::/
> w
> q
> # passwd #then after rebooting and logging in, set a passwd
> # grep root /etc/passwd
> root:$1$cBD...
This is not under control of passwd(1). passwd uses PAM to change the
password. Hence, the password might not even be written in /etc/passwd
or /etc/shadow, depending on the configured PAM password module.

In your case, you can change the above behavior by adding the "shadow"
option to the pam_unix line.

I will add a note indicating that on PAM-enabled passwd(1), PAM is used
to authenticate and to change the password in the password database.

> P.S., also you might want to mention on the pwck(8) man page that it
> doesn't check that shadow information might be sitting exposed in
> /etc/passwd.

I would prefer to add a check/warn when a password is specified in
/etc/passwd and in /etc/shadow, or when a password is specified in
/etc/passwd and /etc/shadow exists.

> Also warn to not run pwck on /etc/group.

I don't see the need for this. pwck clearly indicates that it should be
run on the passwd and shadow files.

> Also you might want to add SEE ALSO pwck(8) to passwd(1) and
> shadow(5).

I've added pwck(8) to passwd(5) and shadow(5). I don't see why it should
be on passwd(1).

> Also add SEE ALSO gshadow(5) to shadow(5). In fact there are lots more
> see also connections that should be made between the members of
> $(dlocate -man passwd), e.g., pwck<->grpck... Or perhaps give all on
> each page...

I've added pwck<->grpck, but I don't see why other pages should be
linked. For example gshadow(5) and shadow(5) describe two different file
formats which are not directly linked to each other.

Best Regards,
--
Nekral
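The check proposed in the reply, as an added example that is not part of the thread or of the shadow suite: it reports every account whose /etc/passwd password field holds something other than a placeholder while a shadow file exists, and says whether the account also has a shadow entry (the pam_unix-without-"shadow" case the report describes). The sample passwd/shadow files and their hashes are constructed for the demo.

```shell
#!/bin/sh
# Added audit check (not from the shadow suite or the discussion above).
# With a shadow file present, an account whose /etc/passwd password field is
# anything other than a placeholder ("x", "*", "!") has its hash exposed in a
# world-readable file, which is what the report above ran into.
#
# exposed_hashes PASSWD_FILE SHADOW_FILE
#   Prints "<user> shadowed" when the account also has a shadow entry, or
#   "<user> unshadowed" when it does not.  Exit status 1 if anything was
#   printed, 0 otherwise.
exposed_hashes() {
    passwd_file=$1 shadow_file=$2
    # No shadow file at all means a pre-shadow system: nothing to report.
    [ -e "$shadow_file" ] || return 0
    awk -F: -v shadow="$shadow_file" '
        # First file (shadow): remember which accounts it lists.
        FILENAME == shadow { if ($1 != "") in_shadow[$1] = 1; next }
        # Second file (passwd): a field 2 made only of x, * or ! (or empty)
        # is a placeholder or a lock; anything else is a hash sitting exposed.
        $2 !~ /^[x*!]*$/ {
            print $1, (($1 in in_shadow) ? "shadowed" : "unshadowed")
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$shadow_file" "$passwd_file"
}

# Constructed sample files (hashes are placeholders, not real credentials):
# root lost its "x" by hand-editing, as in the report; bob was never shadowed.
make_sample_files() {
    printf '%s\n' \
        'root:$1$cBD...:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/sh' \
        'bob:$6$EXAMPLEHASH:1001:1001:Bob:/home/bob:/bin/sh' \
        'nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' \
        > "$1/passwd"
    printf '%s\n' \
        'root:$1$cBD...:14000:0:99999:7:::' \
        'alice:$6$EXAMPLEHASH:14000:0:99999:7:::' \
        > "$1/shadow"
}

# Demo on the constructed sample; no root needed.
tmp=$(mktemp -d)
make_sample_files "$tmp"
exposed_hashes "$tmp/passwd" "$tmp/shadow" || echo "WARNING: hashes exposed in $tmp/passwd"
rm -rf "$tmp"
```

On a live system run `exposed_hashes /etc/passwd /etc/shadow` as root, since the shadow file is not readable otherwise; the fix for a flagged account remains pwconv(8) plus the "shadow" option on the pam_unix line.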

