View Issue Details

ID: 0008416
Project: Rocky-Linux-9
Category: passwd
View Status: public
Last Update: 2024-12-02 09:47
Reporter: Niko L
Assigned To: Louis Abel
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0008416: usermod -p username writes cleartext password into /etc/shadow
Description: Within a chrooted environment, the command "usermod -p newpass123 myuser" will write the password string "newpass123" into the user's entry of /etc/shadow instead of the encrypted password string. Resetting the user's password using the command "passwd", as a counterexample, behaves as expected: the user's entry within /etc/shadow contains an encrypted password string.
Steps To Reproduce:
 1. Boot from a UEFI-bootable USB storage device "etched" with "Rocky-9.5-x86_64-minimal.iso"
 2. Select Troubleshooting
 3. Highlight "Rescue a Rocky Linux System".
 4. Access a shell (tty1 or tty2)
 5. Switch into the chrooted environment with "chroot /mnt/sysroot"
 6. Check the existing user entry with "grep -n myuser /etc/passwd /etc/shadow"
    The password within /etc/shadow should be some kind of hashed string.
 7. Change the password with "usermod -p newpw456 myuser"
 8. Recheck the user entry with "grep -n myuser /etc/passwd /etc/shadow"
    The password within /etc/shadow is the string "newpw456".
 9. Change the password with "passwd myuser" and set the password to "newpw456"
10. Recheck the user entry with "grep -n myuser /etc/passwd /etc/shadow"
    The password within /etc/shadow is a hashed string.
Additional Information: The behaviour is reproducible from within a regular Linux session.
The behaviour is also reproducible by creating a user and setting the password in one step with "useradd -p newpass123 myuser".
Tags: No tags attached.

Activities

Louis Abel (administrator), 2024-12-02 09:47, note ~0008978

Thank you for the report.

What you're seeing appears to be expected behavior. The -p option takes the value as-is and places it into /etc/shadow. The man page section on this option implies as such.

       -p, --password PASSWORD
           The encrypted password, as returned by crypt(3).

           Note: This option is not recommended because the password (or encrypted password) will be visible by users listing the processes.

           You should make sure the password respects the system's password policy.

Newer distributions (such as Fedora) provide a better description of the value expected. Below it says "defines", which implies that whatever you provide is exactly what will be put in /etc/shadow.

       -p, --password PASSWORD
           defines a new password for the user. PASSWORD is expected to be encrypted, as returned by crypt (3).

Note below where I provide an already hashed/salted string and it places it in.

[root@awx ~]# grep testuser1 /etc/shadow
testuser1:newpw456:20059:7:84:7:30::
[root@awx ~]# usermod -p '$6$hP/3KrsjMHb01VXg$D5K3FvFaNqFYUUZM7H0RIaryD23Gfdlv7RkILvUk3Rd40NWv6efQ0JeWnczp24TEiF/b3MG26ymkgHs8aoR23/' testuser1
[root@awx ~]# grep testuser1 /etc/shadow
testuser1:$6$hP/3KrsjMHb01VXg$D5K3FvFaNqFYUUZM7H0RIaryD23Gfdlv7RkILvUk3Rd40NWv6efQ0JeWnczp24TEiF/b3MG26ymkgHs8aoR23/:20059:7:84:7:30::

You should continue to use the standard passwd command to change local user passwords if you want the login.defs settings to be honored.

Closing as not a bug.

shadow-utils source: https://github.com/shadow-maint/shadow
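A defender-side check that follows from the note above, added here as an example and not part of the ticket or of shadow-utils: it scans a shadow-format file for password fields that are neither a crypt(3) hash nor a lock marker, which is exactly what a value passed verbatim through "usermod -p" / "useradd -p" looks like. The function names (audit_shadow, make_sample) and the sample entries are constructed for this example; the hashes in the sample are placeholders, not real crypt(3) output.

```sh
#!/bin/sh
# audit_shadow FILE: print "user:field" for every shadow entry whose
# password field is neither a crypt(3) hash nor a lock marker, so a
# value stored verbatim by "usermod -p" / "useradd -p" stands out.
# Returns 1 when at least one such entry exists, 0 otherwise.
audit_shadow() {
    awk -F: '
        NF < 2 { next }
        {
            pw = $2
            # empty, "*", "!", "!!": no usable password, nothing to flag
            if (pw == "" || pw ~ /^[!*]+$/) next
            # a locked account keeps its hash behind one or more "!"
            sub(/^!+/, "", pw)
            # modular crypt format: $<id>$... ($6$ sha512, $y$ yescrypt, ...)
            if (pw ~ /^\$[0-9A-Za-z]+\$/) next
            # legacy 13-character DES hash
            if (length(pw) == 13 && pw ~ /^[.\/0-9A-Za-z]+$/) next
            print $1 ":" pw
            bad++
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# make_sample: write a constructed shadow file (hashes are placeholders,
# not real output of crypt(3)) and print its path.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:$6$constructedsalt$constructedhash:20059:0:99999:7:::
svc:*:20059:0:99999:7:::
nologin:!!:20059:0:99999:7:::
locked:!$y$j9T$constructedsalt$constructedhash:20059:0:99999:7:::
myuser:newpw456:20059:7:84:7:30::
EOF
    echo "$f"
}

# Stand-alone run: only "myuser:newpw456" should be reported.
sample=$(make_sample)
audit_shadow "$sample" || echo "non-hash password field(s) found in $sample"
rm -f "$sample"
```

Run it against the real file as root ("audit_shadow /etc/shadow") after any scripted account change; a non-zero exit means at least one account has a password field that will never match a login attempt the way the user expects.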

Issue History

Date Modified Username Field Change
2024-12-02 09:24 Niko L New Issue
2024-12-02 09:47 Louis Abel Assigned To => Louis Abel
2024-12-02 09:47 Louis Abel Status new => closed
2024-12-02 09:47 Louis Abel Resolution open => no change required
2024-12-02 09:47 Louis Abel Note Added: 0008978