Red Hat Bugzilla – Bug 52746
useradd -p doesn't hash passwords in /etc/shadow
Last modified: 2007-04-18 12:36:40 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 95;
Description of problem:
I noticed that creating a user with 'useradd' and the '-p' option (which
gives the new user a default password) does not hash the password
root@hogs /# useradd -p h4x0r lordspankatron
root@hogs /# tail -2 /etc/shadow
This bug doesn't seem exploitible for two reasons:
1.) The user cannot log in with the supplied password because
MD5( password_supplied_at_login_prompt ) !=
2.) /etc/shadow exists in mode 0400, so no one besides the super-user
can read it anyway.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. useradd -p aDefaultPassword aNewUser
2. tail -1 /etc/shadow
3. Look at the password field.
Actual Results: The password is not hashed -- it is stored in plain-text.
Expected Results: The password should have been hashed.
This doesn't really seem like a bug; useradd states in the man page that it
expects the crypt(3) or MD5-hash returned string as an argument to the -p
option, not the password in plaintext. RTFM.