Bug 28060

Summary: adduser script with -p option inserts plain text of password into /etc/shadow
Product: [Retired] Red Hat Linux
Reporter: Richard Nolde <richard.nolde>
Component: shadow-utils
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.0
CC: dr
Keywords: Security
Hardware: i386
OS: Linux
Last Closed: 2001-02-20 10:12:12 UTC

Description Richard Nolde 2001-02-16 23:24:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-22 i686)


When running the adduser script on Redhat 6x or 7x with shadow password
support enabled, if the -p flag is used to specify a password
on the command line, the plain text of the password is inserted into 
the /etc/shadow file instead of the MD5 hash.  Running passwd <user>
fixes the problem, so the problem is probably in the adduser utility and
not in the shadow password mechanism.  Happens on i386 and Alpha.

Reproducible: Always
Steps to Reproduce:
1. Run "adduser -u xxx -g yyy -d /home/zzz -s /bin/bash -p <password> <newuser>"
2. grep <newuser> /etc/shadow
3. passwd <newuser> will correct the problem

Actual Results:  /etc/shadow contains the plaintext following <password>

Expected Results:  /etc/shadow would contain the MD5 encrypted password

Only root can read /etc/shadow, but this suggests that the adduser
script is not working properly with the shadow password option.

Comment 1 Andrew Bartlett 2001-02-20 10:12:09 UTC
Not to be blunt but:

Please see:
 bug 19256
 bug 4035
 bug 7660
and the adduser man page, which (if you have a recent version) will state that
-p adds the *encrypted* password, i.e. *you* are meant to encrypt it.

There is good reason behind this, as the command line is visible to all users it
would be a pity for somebody to just have to run 'ps -ax' to find out other users'
new passwords....

BTW, there are updates and bugs related to this behaviour described in bug 7476
and bug 8923
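
A check for the condition described in this report, as an added example that is not part of the original bug thread or of shadow-utils: it lists accounts whose password field in a shadow-format file is not a crypt(3) hash or a lock marker, which is what a plaintext argument to -p leaves behind. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose shadow password field is not a crypt(3) hash.

# Print the login name of every entry whose second field looks like plaintext.
# Treated as "not plaintext": an empty field, lock markers (leading ! or *),
# modular crypt strings ($id$...), and 13-character traditional DES crypt output.
# Caveat: a 13-character plaintext drawn from [./0-9A-Za-z] is not detected.
find_plaintext_shadow_entries() {
    awk -F: '
        $2 == ""                                       { next }  # no password set
        $2 ~ /^[!*]/                                   { next }  # locked or disabled
        $2 ~ /^\$[0-9a-z]+\$.+/                        { next }  # modular crypt, e.g. $1$ (MD5)
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$"    { next }  # traditional DES crypt
        { print $1 }                                             # anything else: suspect
    ' "$1"
}

# Constructed sample in /etc/shadow format (the hash strings are made up).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:11369:0:99999:7:::
daemon:*:11369:0:99999:7:::
alice:!!:11369:0:99999:7:::
bob:hunter2:11369:0:99999:7:::
carol:ab01FAX.bQRSU:11369:0:99999:7:::
EOF
}

# Demonstration on the constructed sample; on a real system, run the function
# as root against /etc/shadow instead.
sample=$(mktemp)
write_sample_shadow "$sample"
find_plaintext_shadow_entries "$sample"
rm -f "$sample"
```

Any account it reports should have its password reset with passwd, as in step 3 of the report, since the value has been stored unhashed.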