* NEWS, src/groupmod.c: When the gshadow file exists but there are

no gshadow entries, an entry is created if the password is changed and group requires a shadow entry.
2011-07-14 13:30:05 +00:00 · 2011-07-14 13:30:05 +00:00 · a7fee9db00
commit a7fee9db00
parent d4e630b8cc
3 changed files with 43 additions and 5 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2011-07-14  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/groupmod.c: When the gshadow file exists but there are
+	no gshadow entries, an entry is created if the password is changed
+	and group requires a shadow entry.
+
 2011-07-14  Nicolas François  <nicolas.francois@centraliens.net>

 	* src/usermod.c: Fix typo in comment.
--- a/3
+++ b/3
@ -25,6 +25,9 @@ shadow-4.1.4.3 -> shadow-4.1.5					UNRELEASED
    specified.
 - groupmod
  * Fixed groupmod when configured with --enable-account-tools-setuid.
+  * When the gshadow file exists but there are no gshadow entries, an entry
+    is created if the password is changed and group requires a
+    shadow entry.
 -login
  * Fixed limits support (non PAM enabled versions only)
  * Added support for infinite limits and group based limits (non PAM
--- a/src/groupmod.c
+++ b/src/groupmod.c
@ -2,7 +2,7 @@
 * Copyright (c) 1991 - 1994, Julianne Frances Haugh
 * Copyright (c) 1996 - 2000, Marek Michałkiewicz
 * Copyright (c) 2000 - 2006, Tomasz Kłoczko
- * Copyright (c) 2007 - 2009, Nicolas François
+ * Copyright (c) 2007 - 2011, Nicolas François
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -147,7 +147,17 @@ static void new_grent (struct group *grent)
 		grent->gr_gid = group_newid;
 	}

-	if (pflg) {
+	if (   pflg
+#ifdef SHADOWGRP
+	    && (   (!is_shadow_grp)
+	        || (strcmp (grent->gr_passwd, SHADOW_PASSWD_STRING) != 0))
+#endif
+		) {
+		/* Update the password in group if there is no gshadow
+		 * file or if the password is currently in group
+		 * (gr_passwd != "x").  We do not force the usage of
+		 * shadow passwords if it was not the case before.
+		 */
 		grent->gr_passwd = group_passwd;
 	}
 }
@ -165,6 +175,13 @@ static void new_sgent (struct sgrp *sgent)
 		sgent->sg_name = xstrdup (group_newname);
 	}

+	/* Always update the shadowed password if there is a shadow entry
+	 * (even if shadowed passwords might not be enabled for this group
+	 * (gr_passwd != "x")).
+	 * It seems better to update the password in both places in case a
+	 * shadow and a non shadow entry exist.
+	 * This might occur only if there were already both entries.
+	 */
 	if (pflg) {
 		sgent->sg_passwd = group_passwd;
 	}
@ -205,9 +222,21 @@ static void grp_update (void)
 		if (NULL != osgrp) {
 			sgrp = *osgrp;
 			new_sgent (&sgrp);
-			if (pflg) {
-				grp.gr_passwd = SHADOW_PASSWD_STRING;
-			}
+		} else if (   pflg
+		           && (strcmp (grp.gr_passwd, SHADOW_PASSWD_STRING) == 0)) {
+			static char *empty = NULL;
+			/* If there is a gshadow file with no entries for
+			 * the group, but the group file indicates a
+			 * shadowed password, we force the creation of a
+			 * gshadow entry when a new password is requested.
+			 */
+			memset (&sgrp, 0, sizeof sgrp);
+			sgrp.sg_name   = xstrdup (grp.gr_name);
+			sgrp.sg_passwd = xstrdup (grp.gr_passwd);
+			sgrp.sg_adm    = &empty;
+			sgrp.sg_mem    = dup_list (grp.gr_mem);
+			new_sgent (&sgrp);
+			osgrp = &sgrp; /* entry needs to be committed */
 		}
 	}
 #endif				/* SHADOWGRP */