Bug 28060 - adduser script with -p option inserts plain text of password into /etc/shadow
Product: Red Hat Linux
Classification: Retired
Component: shadow-utils
i386 Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
David Lawrence
: Security
Reported: 2001-02-16 18:24 EST by Richard Nolde
Modified: 2007-04-18 12:31 EDT
Doc Type: Bug Fix
Last Closed: 2001-02-20 05:12:12 EST
Description Richard Nolde 2001-02-16 18:24:29 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-22 i686)

When running the adduser script on Red Hat 6x or 7x with shadow password
support enabled, if the -p flag is used to specify a password
on the command line, the plain text of the password is inserted into 
the /etc/shadow file instead of the MD5 hash.  Running passwd <user>
fixes the problem, so the problem is probably in the adduser utility and
not in the shadow password mechanism.  Happens on i386 and Alpha.

Reproducible: Always
Steps to Reproduce:
1. Run "adduser -u xxx -g yyy -d /home/zzz -s /bin/bash -p <password>"
2. grep <newuser> /etc/shadow
3. passwd <newuser> will correct the problem

Actual Results:  /etc/shadow contains the plaintext following <password>

Expected Results:  /etc/shadow would contain the MD5 encrypted password

Only root can read /etc/shadow, but this suggests that the adduser
script is not working properly with the shadow password option.
Comment 1 Andrew Bartlett 2001-02-20 05:12:09 EST
Not to be blunt but:

Please see:
 bug 19256
 bug 4035
 bug 7660
and the adduser man page, which (if you have a recent version) will state that
-p adds the *encrypted* password, i.e. *you* are meant to encrypt it.  

There is good reason behind this: as the command line is visible to all users, it
would be a pity for somebody to just have to run 'ps -ax' to find out other users'
new passwords....

BTW, there are updates and bugs related to this behaviour described in bug 7476
and bug 8923
