I noticed that a change was made in openSUSE Leap (15.5) where the login.defs default of FORCE_SHADOW was changed to “FORCE_SHADOW no” and noticed that use of gpasswd places the password hash directly into the world-readable /etc/group.
There is no /etc/gshadow, and even if present, it won’t use it but will still place the password hashes in the clear in /etc/group.
Does anyone know the history as to why the change was made?
Adding. So, looks like SUSE (all?) doesn’t compile shadow tools with SHADOWGRP. So, zero support for /etc/gshadow, yet does ship gpasswd, which again, will place a nice world-readable password hash into your /etc/group.
Any reason why SUSE chose to not support SHADOWGRP? Red Hat seems to.
gpasswd will use /etc/gshadow if it is present. You can force it by setting FORCE_SHADOW in login.defs. shadow upstream comes with grpconv to move passwords from /etc/group to /etc/gshadow, but openSUSE explicitly removes it from the built programs. This can be considered a bug - as gshadow is enabled, these tools are most certainly needed. I guess, it was simply forgotten.
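An added example, not part of the thread above: a POSIX shell audit that lists groups whose password field in a group(5) file holds a hash instead of a placeholder, and reports whether that file is world-readable. The function names are hypothetical, and the hash itself is never printed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a group(5) file for password
# hashes stored in field 2. Function names are hypothetical.
# Usage: audit_group_file /etc/group

# Print "group<TAB>scheme" for each entry whose password field is a hash.
find_exposed_group_hashes() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF < 3         { next }            # skip malformed or NIS "+" lines
        {
            pw = $2
            # Placeholders: empty, "x" (password kept elsewhere), locked "*" or "!"
            if (pw == "" || pw == "x" || pw ~ /^[*!]+$/) next
            sub(/^!+/, "", pw)             # a locked hash is still a hash
            scheme = "des-or-unknown"
            if      (pw ~ /^\$1\$/)       scheme = "md5crypt"
            else if (pw ~ /^\$2[aby]\$/)  scheme = "bcrypt"
            else if (pw ~ /^\$5\$/)       scheme = "sha256crypt"
            else if (pw ~ /^\$6\$/)       scheme = "sha512crypt"
            else if (pw ~ /^\$y\$/)       scheme = "yescrypt"
            printf "%s\t%s\n", $1, scheme  # never print the hash itself
        }' "$1"
}

# Return 0 if the file holds no hashes, 1 otherwise. A world-readable file
# with hashes is reported as FAIL, a restricted one as WARN.
audit_group_file() {
    file=${1:-/etc/group}
    hits=$(find_exposed_group_hashes "$file")
    if [ -z "$hits" ]; then
        echo "OK: no password hashes in $file"
        return 0
    fi
    # find prints the path only if the "other" read bit is set
    if [ -n "$(find "$file" -prune -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $file is world-readable and holds hashes for:"
    else
        echo "WARN: $file holds hashes for:"
    fi
    printf '%s\n' "$hits"
    return 1
}
```

Groups it reports can be cross-checked against whether /etc/gshadow exists and what FORCE_SHADOW is set to in login.defs, the two points discussed in the thread.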