No /etc/gshadow, gpasswd puts password hash into world readable /etc/group

I noticed that a change was made in OpenSUSE Leap (15.5) where the login.defs default of FORCE_SHADOW was changed to “FORCE_SHADOW no” and noticed that use of gpasswd places the password hash directly into the world readable /etc/group.
There is no /etc/gshadow, and even if present, it won’t use it but will still place the password hashes in the clear in /etc/group.

Does anyone know the history as to why the change was made?

Adding. So, looks like SUSE (all?) doesn’t compile shadow tools with SHADOWGRP. So, zero support for /etc/gshadow, yet does ship gpasswd, which again, will place a nice world readable password hash into your /etc/group.

Any reason why SUSE chose to not support SHADOWGRP? Red Hat seems to.

It is enabled in Tumbleweed.

Not in mine. ??

No gshadow, gpasswd places hash into /etc/group. No grpconv (to create a gshadow), etc.

Pretend I’m from Missouri and “show me”.

gpasswd will use /etc/gshadow if it is present. You can force it by setting FORCE_SHADOW in login.defs. shadow upstream comes with grpconv to move passwords from /etc/group to /etc/gshadow, but openSUSE explicitly removes it from the built programs. This can be considered a bug - as gshadow is enabled, these tools are most certainly needed. I guess it was simply forgotten.

You may consider a bug report.

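A defender-side check for the condition discussed in this thread, as an added example that is not part of any of the original posts: it lists the groups in a group(5)-format file whose password field holds a hash instead of being empty, `x`, `*` or a bare `!`. The function names and the sample entries are constructed for illustration; the hash strings are placeholders.

```shell
#!/bin/sh
# Added example. Audits a group(5)-format file for password hashes in field 2.

# list_exposed_group_hashes FILE
# Prints "<group> <scheme>" for every entry whose password field carries a hash.
# Not a hash: empty, "x" (password kept in gshadow), "*" or a bare "!".
# A "!"-prefixed hash is a locked password, but the hash is still readable,
# so it is reported too.
list_exposed_group_hashes() {
    awk -F: '
        NF < 3   { next }                 # blank or malformed line
        /^[+-]/  { next }                 # NIS compat entry
        {
            pw = $2
            sub(/^!+/, "", pw)            # drop lock marker(s)
            if (pw == "" || pw == "x" || pw == "*") next
            scheme = "no-prefix"          # traditional crypt or unknown format
            if (substr(pw, 1, 1) == "$") {
                rest = substr(pw, 2)      # "$6$salt$hash" -> "6$salt$hash"
                scheme = substr(rest, 1, index(rest, "$") - 1)
            }
            print $1, scheme
        }
    ' "$1"
}

# Constructed sample entries; the hash strings are placeholders, not real hashes.
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
wheel::10:alice
builders:$6$CONSTRUCTEDSALT$ConstructedPlaceholderNotARealHash:1001:alice,bob
legacy:abCONSTRUCTED:1002:carol
locked:!:1003:
oldlock:!$y$j9T$CONSTRUCTED$ConstructedPlaceholder:1004:dave
EOF
}

# With an argument, audit that file (e.g. /etc/group); otherwise run the sample.
if [ -n "${1:-}" ]; then
    list_exposed_group_hashes "$1"
else
    sample=$(mktemp) && write_sample_group "$sample"
    list_exposed_group_hashes "$sample"
    rm -f "$sample"
fi
```

Any line of output means a group password hash is readable by every local user; an empty result means field 2 holds only empty, `x`, `*` or `!` values.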