* NEWS, src/groupmod.c: When the gshadow file exists but there are

no gshadow entries, an entry is created if the password is changed
	and group requires a shadow entry.

ChangeLog

@@ -1,3 +1,9 @@
+2011-07-14  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/groupmod.c: When the gshadow file exists but there are
+	no gshadow entries, an entry is created if the password is changed
+	and group requires a shadow entry.
+
 2011-07-14  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/usermod.c: Fix typo in comment.

NEWS

@@ -25,6 +25,9 @@ shadow-4.1.4.3 -> shadow-4.1.5					UNRELEASED
     specified.
 - groupmod
   * Fixed groupmod when configured with --enable-account-tools-setuid.
+  * When the gshadow file exists but there are no gshadow entries, an entry
+    is created if the password is changed and group requires a
+    shadow entry.
 -login
   * Fixed limits support (non PAM enabled versions only)
   * Added support for infinite limits and group based limits (non PAM

src/groupmod.c

@@ -2,7 +2,7 @@
  * Copyright (c) 1991 - 1994, Julianne Frances Haugh
  * Copyright (c) 1996 - 2000, Marek Michałkiewicz
  * Copyright (c) 2000 - 2006, Tomasz Kłoczko
- * Copyright (c) 2007 - 2009, Nicolas François
+ * Copyright (c) 2007 - 2011, Nicolas François
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -147,7 +147,17 @@ static void new_grent (struct group *grent)
 		grent->gr_gid = group_newid;
 	}
 
-	if (pflg) {
+	if (   pflg
+#ifdef SHADOWGRP
+	    && (   (!is_shadow_grp)
+	        || (strcmp (grent->gr_passwd, SHADOW_PASSWD_STRING) != 0))
+#endif
+		) {
+		/* Update the password in group if there is no gshadow
+		 * file or if the password is currently in group
+		 * (gr_passwd != "x").  We do not force the usage of
+		 * shadow passwords if it was not the case before.
+		 */
 		grent->gr_passwd = group_passwd;
 	}
 }
@@ -165,6 +175,13 @@ static void new_sgent (struct sgrp *sgent)
 		sgent->sg_name = xstrdup (group_newname);
 	}
 
+	/* Always update the shadowed password if there is a shadow entry
+	 * (even if shadowed passwords might not be enabled for this group
+	 * (gr_passwd != "x")).
+	 * It seems better to update the password in both places in case a
+	 * shadow and a non shadow entry exist.
+	 * This might occur only if there were already both entries.
+	 */
 	if (pflg) {
 		sgent->sg_passwd = group_passwd;
 	}
@@ -205,9 +222,21 @@ static void grp_update (void)
 		if (NULL != osgrp) {
 			sgrp = *osgrp;
 			new_sgent (&sgrp);
-			if (pflg) {
-				grp.gr_passwd = SHADOW_PASSWD_STRING;
-			}
+		} else if (   pflg
+		           && (strcmp (grp.gr_passwd, SHADOW_PASSWD_STRING) == 0)) {
+			static char *empty = NULL;
+			/* If there is a gshadow file with no entries for
+			 * the group, but the group file indicates a
+			 * shadowed password, we force the creation of a
+			 * gshadow entry when a new password is requested.
+			 */
+			memset (&sgrp, 0, sizeof sgrp);
+			sgrp.sg_name   = xstrdup (grp.gr_name);
+			sgrp.sg_passwd = xstrdup (grp.gr_passwd);
+			sgrp.sg_adm    = ∅
+			sgrp.sg_mem    = dup_list (grp.gr_mem);
+			new_sgent (&sgrp);
+			osgrp = &sgrp; /* entry needs to be committed */
 		}
 	}
 #endif				/* SHADOWGRP */