From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)

Description of problem:
When a user changes their password with the passwd utility as shipped with 
RedHat 7.0 the permissions on /etc/shadow are reset to be owned by root, 
group root, and mode 0600 rather than preserving the permissions of the 
old shadow file.  The permissions are actually changed by the pam_unix 
module which is called via the /etc/pam.d/passwd which uses service=system-
auth which contains the line:

password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow

Looking at the code for pam_unix.so, specifically the source file 
pam_unix_passwd.c, clearly the permissions for the updated /etc/passwd 
and /etc/shadow files are hardcoded.  Simply replacing the hardcoded 
values with information taken from stats of the existing files should fix 
the problem.


How reproducible:
Always

Steps to Reproduce:
1.Change default permissions on /etc/shadow from the default 0600 to 0640
2.successfully change any user password using passwd
3.check the permissions on /etc/shadow, they will be reset to the default


Additional info: