* NEWS, src/groupmod.c: When the gshadow file exists but there are

	no gshadow entries, an entry is created if the password is changed
	and group requires a shadow entry.

diff --git a/ChangeLog b/ChangeLog
index 4e31be1b9781a7e28a3e2c2f5e8e587f80cefd88..a9a51af541f5a612ac6b11ca60c15902fa854a53 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2011-07-14  Nicolas François  <nicolas.francois@centraliens.net>
+
+       * NEWS, src/groupmod.c: When the gshadow file exists but there are
+       no gshadow entries, an entry is created if the password is changed
+       and group requires a shadow entry.
+
 2011-07-14  Nicolas François  <nicolas.francois@centraliens.net>
 
        * src/usermod.c: Fix typo in comment.

diff --git a/NEWS b/NEWS
index 87ba9cb56835d057b7a1ab17a37b2fb3a7bcb403..e7c6d0af91a44cf9e466f3af37448e21b0f1656f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,9 @@ shadow-4.1.4.3 -> shadow-4.1.5                                        UNRELEASED
     specified.
 - groupmod
   * Fixed groupmod when configured with --enable-account-tools-setuid.
+  * When the gshadow file exists but there are no gshadow entries, an entry
+    is created if the password is changed and group requires a
+    shadow entry.
 -login
   * Fixed limits support (non PAM enabled versions only)
   * Added support for infinite limits and group based limits (non PAM

diff --git a/src/groupmod.c b/src/groupmod.c
index 65d50bec59d7743beb916f29d05244271a1004c8..5cccc94cfb8497bee99ff09784860e666da645ce 100644 (file)
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -2,7 +2,7 @@
  * Copyright (c) 1991 - 1994, Julianne Frances Haugh
  * Copyright (c) 1996 - 2000, Marek Michałkiewicz
  * Copyright (c) 2000 - 2006, Tomasz Kłoczko
- * Copyright (c) 2007 - 2009, Nicolas François
+ * Copyright (c) 2007 - 2011, Nicolas François
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -147,7 +147,17 @@ static void new_grent (struct group *grent)
                grent->gr_gid = group_newid;
        }
 
-       if (pflg) {
+       if (   pflg
+#ifdef SHADOWGRP
+           && (   (!is_shadow_grp)
+               || (strcmp (grent->gr_passwd, SHADOW_PASSWD_STRING) != 0))
+#endif
+               ) {
+               /* Update the password in group if there is no gshadow
+                * file or if the password is currently in group
+                * (gr_passwd != "x").  We do not force the usage of
+                * shadow passwords if it was not the case before.
+                */
                grent->gr_passwd = group_passwd;
        }
 }
@@ -165,6 +175,13 @@ static void new_sgent (struct sgrp *sgent)
                sgent->sg_name = xstrdup (group_newname);
        }
 
+       /* Always update the shadowed password if there is a shadow entry
+        * (even if shadowed passwords might not be enabled for this group
+        * (gr_passwd != "x")).
+        * It seems better to update the password in both places in case a
+        * shadow and a non shadow entry exist.
+        * This might occur only if there were already both entries.
+        */
        if (pflg) {
                sgent->sg_passwd = group_passwd;
        }
@@ -205,9 +222,21 @@ static void grp_update (void)
                if (NULL != osgrp) {
                        sgrp = *osgrp;
                        new_sgent (&sgrp);
-                       if (pflg) {
-                               grp.gr_passwd = SHADOW_PASSWD_STRING;
-                       }
+               } else if (   pflg
+                          && (strcmp (grp.gr_passwd, SHADOW_PASSWD_STRING) == 0)) {
+                       static char *empty = NULL;
+                       /* If there is a gshadow file with no entries for
+                        * the group, but the group file indicates a
+                        * shadowed password, we force the creation of a
+                        * gshadow entry when a new password is requested.
+                        */
+                       memset (&sgrp, 0, sizeof sgrp);
+                       sgrp.sg_name   = xstrdup (grp.gr_name);
+                       sgrp.sg_passwd = xstrdup (grp.gr_passwd);
+                       sgrp.sg_adm    = ∅
+                       sgrp.sg_mem    = dup_list (grp.gr_mem);
+                       new_sgent (&sgrp);
+                       osgrp = &sgrp; /* entry needs to be committed */
                }
        }
 #endif                         /* SHADOWGRP */