Bug 28060 - adduser script with -p option inserts plain text of password into /etc/shadow
Summary: adduser script with -p option inserts plain text of password into /etc/shadow
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: shadow-utils   
(Show other bugs)
Version: 7.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-02-16 23:24 UTC by Richard Nolde
Modified: 2007-04-18 16:31 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-02-20 10:12:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Richard Nolde 2001-02-16 23:24:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.16-22 i686)

When running the adduser script on Redhat 6x or 7x with shadow password
support enabled, if the -p flag is used to specify a password
on the command line, the plain text of the password is inserted into 
the /etc/shadow file instead of the MD5 hash.  Runing passwd <user>
fixes the problem, so the problem is probably in the adduser utility and
not in the shadow password mechanism.  Happens on i386 an Alpha.

Reproducible: Always
Steps to Reproduce:
1.Run "adduser -u xxx -g yyy -d /home/zzz -s /bin/bash -p <password> 
2.grep <newuser> /etc/shadow 
3.passwd <newuser>  will correct the problem

Actual Results:  /etc/shadow contains the plaintext following <password>

Expected Results:  /etc/shadow would contain the MD5 encrypted password

Only root can read /etc/shadow, but this suggests that the adduser
script is not working properly with the shadow password option.

Comment 1 Andrew Bartlett 2001-02-20 10:12:09 UTC
Not to be blunt but:

Please see:
 bug 19256
 bug 4035
 bug 7660
and the adduser man page, which (if you have a recent version) will state that
-p adds the *encrypted* password, ie *you* are meant to encrypt it.  

There is good reason behind this, as the command line is visable to all users it
would be a pity for sombody to just have to run 'ps -ax' to find out other users
new passwords....

BTW, there are updates and bugs related to this behaviour described in bug 7476
and bug 8923

Note You need to log in before you can comment on or make changes to this bug.