[Pkg-shadow-devel] Bug#1124105: passwd leaves behind /etc/.pwd.lock upon uninstalling
Chris Hofstaedtler
zeha at debian.org
Tue Dec 30 12:07:18 GMT 2025
* Colin Watson <cjwatson at debian.org> [251229 21:14]:
>On Sun, Dec 28, 2025 at 01:27:22PM +0100, Chris Hofstaedtler wrote:
>>On Sun, Dec 28, 2025 at 10:45:31AM +0100, Jochen Sprickerhof wrote:
>>>* Chris Hofstaedtler <zeha at debian.org> [2025-12-28 10:00]:
>>>> Well, but where. base-passwd?
>>>
>>>I think that would make sense. base-passwd would need to:
>>>
>>>sed -i 's/\*/+/' passwd.master group.master
>>>
>>>And also ship a shadow.master and gshadow.master or generate it with
>>>something like:
>>>
>>>sed 's/\([^:]*\):.*/\1:*::/' passwd.master > shadow.master
>>>sed 's/\([^:]*\):.*/\1:*::/' group.master > gshadow.master
>>>
>>>I would assume that represents most of the Debian systems anyhow so it makes
>>>sense to ship it by default.
>>>
>>>> Also not so useful if there is no
>>>> chance of having *passwords* at all (because there are no tools
>>>> to write a password without `passwd`).
>>>
>>>Not sure I understand, can you explain?
>>
>>My point is: on a system without "passwd" installed, there are no
>>actual passwords to "shadow" (protect), and thus you don't need
>>shadow passwords at all.
>>
>>But if for base-passwd it is easy to make sure all systems start out
>>as shadow-enabled, that would also seem good. At least it would
>>reduce the number of states a Debian system can be in.
>>
>>@Colin: what do you think about this? Would you be willing to
>>include this in base-passwd?
>>(For context: currently installing passwd turns on shadow passwords,
>>and that leaves the password database lockfile around.)
>
>I'm not exactly sure of the best implementation, but I'm generally in
>favour of having base-passwd turn on shadow passwords if that's also
>what you'd prefer.
Yes, then lets please do it.
>There should be no need for shadow.master etc. though. update-passwd
>already handles updating /etc/shadow, and if it needs to be changed to
>update /etc/gshadow as well in a similar way then that's something we
>could do.
Let me know if you need any changes in src:shadow.
At least after base-passwd starts enabling shadow passwords, the
`passwd` package should stop calling `shadowconfig on`. I shall
remove that once base-passwd is ready.
Many thanks!
Chris
More information about the Pkg-shadow-devel
mailing list