[Pkg-shadow-devel] Bug#1124105: passwd leaves behind /etc/.pwd.lock upon uninstalling

[Colin Watson]

On Sun, Dec 28, 2025 at 01:27:22PM +0100, Chris Hofstaedtler wrote:
>On Sun, Dec 28, 2025 at 10:45:31AM +0100, Jochen Sprickerhof wrote:
>> * Chris Hofstaedtler <zeha at debian.org> [2025-12-28 10:00]:
>> > Well, but where. base-passwd?
>>
>> I think that would make sense. base-passwd would need to:
>>
>> sed -i 's/\*/+/' passwd.master group.master
>>
>> And also ship a shadow.master and gshadow.master or generate it with
>> something like:
>>
>> sed 's/\([^:]*\):.*/\1:*::/' passwd.master > shadow.master
>> sed 's/\([^:]*\):.*/\1:*::/' group.master > gshadow.master
>>
>> I would assume that represents most of the Debian systems anyhow so it makes
>> sense to ship it by default.
>>
>> > Also not so useful if there is no
>> > chance of having *passwords* at all (because there are no tools
>> > to write a password without `passwd`).
>>
>> Not sure I understand, can you explain?
>
>My point is: on a system without "passwd" installed, there are no
>actual passwords to "shadow" (protect), and thus you don't need
>shadow passwords at all.
>
>But if for base-passwd it is easy to make sure all systems start out
>as shadow-enabled, that would also seem good. At least it would
>reduce the number of states a Debian system can be in.
>
>@Colin: what do you think about this? Would you be willing to
>include this in base-passwd?
>(For context: currently installing passwd turns on shadow passwords,
>and that leaves the password database lockfile around.)

I'm not exactly sure of the best implementation, but I'm generally in 
favour of having base-passwd turn on shadow passwords if that's also 
what you'd prefer.

There should be no need for shadow.master etc. though.  update-passwd 
already handles updating /etc/shadow, and if it needs to be changed to 
update /etc/gshadow as well in a similar way then that's something we 
could do.

-- 
Colin Watson (he/him)                              [cjwatson at debian.org]