On Sun, Dec 28, 2025 at 01:27:22PM +0100, Chris Hofstaedtler wrote:
> On Sun, Dec 28, 2025 at 10:45:31AM +0100, Jochen Sprickerhof wrote:
> > * Chris Hofstaedtler <[email protected]> [2025-12-28 10:00]:
> > > Well, but where. base-passwd?
> >
> > I think that would make sense. base-passwd would need to:
> >
> > sed -i 's/\*/+/' passwd.master group.master
> >
> > And also ship a shadow.master and gshadow.master or generate it with
> > something like:
> >
> > sed 's/\([^:]*\):.*/\1:*::/' passwd.master > shadow.master
> > sed 's/\([^:]*\):.*/\1:*::/' group.master > gshadow.master
> >
> > I would assume that represents most of the Debian systems anyhow so it makes
> > sense to ship it by default.
> >
> > > Also not so useful if there is no
> > > chance of having *passwords* at all (because there are no tools
> > > to write a password without `passwd`).
> >
> > Not sure I understand, can you explain?
>
> My point is: on a system without "passwd" installed, there are no
> actual passwords to "shadow" (protect), and thus you don't need
> shadow passwords at all.
>
> But if for base-passwd it is easy to make sure all systems start out
> as shadow-enabled, that would also seem good. At least it would
> reduce the number of states a Debian system can be in.
>
> @Colin: what do you think about this? Would you be willing to
> include this in base-passwd?
>
> (For context: currently installing passwd turns on shadow passwords,
> and that leaves the password database lockfile around.)

I'm not exactly sure of the best implementation, but I'm generally in
favour of having base-passwd turn on shadow passwords if that's also
what you'd prefer.
There should be no need for shadow.master etc. though. update-passwd
already handles updating /etc/shadow, and if it needs to be changed to
update /etc/gshadow as well in a similar way then that's something we
could do.
--
Colin Watson (he/him) [[email protected]]
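
Added example, not part of the thread and not base-passwd or update-passwd code: a small shell check that reports which of the states discussed above a passwd/shadow file pair is in. The function names and sample data are hypothetical; the only convention assumed is the one from passwd(5), where an "x" in the password field means the entry is held in the shadow file.

```shell
#!/bin/sh
# Added example (not from the thread): report which shadow state a
# passwd/shadow file pair is in. Per passwd(5), an "x" in the password
# field means the password entry is kept in the shadow file.

# shadow_state PASSWD_FILE SHADOW_FILE -> shadowed | unshadowed | mixed
shadow_state() {
    [ -f "$2" ] || { echo unshadowed; return 0; }
    awk -F: '
        # First file (shadow): remember which accounts have an entry.
        FILENAME == ARGV[1] { if ($1 != "") has_shadow[$1] = 1; next }
        # Second file (passwd): skip blank lines, count the rest.
        $1 == "" { next }
        { total++; if ($2 == "x" && ($1 in has_shadow)) ok++ }
        END {
            if (ok == 0)          print "unshadowed"
            else if (ok == total) print "shadowed"
            else                  print "mixed"
        }' "$2" "$1"
}

# unshadowed_accounts PASSWD_FILE SHADOW_FILE -> one account name per line
unshadowed_accounts() {
    shadow=$2
    [ -f "$shadow" ] || shadow=/dev/null
    awk -F: '
        FILENAME == ARGV[1] { if ($1 != "") has_shadow[$1] = 1; next }
        $1 != "" && !($2 == "x" && ($1 in has_shadow)) { print $1 }
    ' "$shadow" "$1"
}

# Constructed sample data: "daemon" still carries "*" in passwd and has
# no shadow entry, so this pair is in the mixed state.
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
              'daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin' > "$tmp/passwd"
printf '%s\n' 'root:*:::::::' > "$tmp/shadow"

shadow_state "$tmp/passwd" "$tmp/shadow"
unshadowed_accounts "$tmp/passwd" "$tmp/shadow"
```

Both functions take file paths, so they can be pointed at copies of the files rather than the live /etc databases.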