Breaking changes:
- Remove support for escaped newlines in configuration files.
It never worked correctly.
b0a7ce58b924 (2025-12-05; "lib/, po/: Remove fgetsx() and fputsx()")
- Some user names and group names are too dangerous and are rejected,
even with --badname.
25aea7422615 (2025-12-25; "lib/chkname.c, src/: Strictly disallow really bad names")
Future breaking changes:
- SHA512 and SHA256 will be supported unconditionally in the next
release. The build-time flag '--with-sha-crypt' will be removed.
See <https://github.com/shadow-maint/shadow/pull/1452>.
Support:
- Several years ago, there were talks about deprecating su(1) and
login(1), back when this project was maintained as part of Debian.
However, nothing was clearly stated, and there were doubts about the
status of these programs. Let's clarify them now.
Our implementations of su(1) and login(1) are fully supported, and we
don't have any plans to remove them. They are NOT deprecated.
See <https://github.com/shadow-maint/shadow/issues/464>.
Deprecations:
- groupmems(8)
The program will be removed in a future release.
See <https://github.com/shadow-maint/shadow/issues/1343>.
- logoutd(8)
The program will be removed in the next release.
See <https://github.com/shadow-maint/shadow/issues/999>,
and <https://github.com/shadow-maint/shadow/pull/1344>.
- DES
This hashing algorithm has been deprecated for a long time,
and support for it will be removed in a future release.
See <https://github.com/shadow-maint/shadow/pull/1456>
- MD5
This hashing algorithm has been deprecated for a long time,
and support for it will be removed in a future release.
See <https://github.com/shadow-maint/shadow/pull/1457>
- login.defs(5): MD_CRYPT_ENAB
This feature had been deprecated for decades. It will be
removed in a future release.
The command-line equivalents (-m, --md5) of this feature in
chpasswd(8) and chgpasswd(8) will also be removed in a future
release.
See <https://github.com/shadow-maint/shadow/pull/1455>.
- login.defs(5): PASS_MAX_LEN
This feature is ignored except for DES. Once DES is removed,
it makes no sense keeping it. It may be removed in a future
release.
- Password aging
Scientific research shows that periodic password expiration
leads to predictable password patterns, and that even in a
theoretical scenario where that wouldn't happen the gains in
security are mathematically negligible.
<https://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf>
Modern security standards, such as NIST SP 800-63B-4 in the USA,
prohibit periodic password expiration.
<https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver>
<https://pages.nist.gov/800-63-FAQ/#q-b05>
<https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#PasswordGuidance:UpdatingYourApproach-Don'tenforceregularpasswordexpiry>
To align with these, we're deprecating the ability to
periodically expire passwords. The specifics and long-term
roadmap are currently being discussed, and we invite feedback
from users, particularly from those in regulated environments.
See <https://github.com/shadow-maint/shadow/pull/1432>.
This deprecation includes the following programs and features:
expiry(1)
chage(1):
-I,--inactive (also the interactive version)
-m,--mindays (also the interactive version)
-M,--maxdays (also the interactive version)
-W,--warndays (also the interactive version)
passwd(1):
-k,--keep-tokens
-n,--mindays
-x,--maxdays
-i,--inactive
-w,--warndays
useradd(8):
-f,--inactive
usermod(8):
-f,--inactive
login.defs(5):
PASS_MIN_DAYS
PASS_MAX_DAYS
PASS_WARN_AGE
/etc/default/useradd:
INACTIVE
shadow(5):
sp_lstchg: Restrict to just the values 0 and empty.
sp_min
sp_max
sp_warn
sp_inact
We recognize that many users operate in environments with
regulatory or contractual requirements that still mandate
password aging. To minimize disruption, these features will
remain functional for a significant period. However, we
encourage administrators to review their internal policies,
talk to their regulators if appropriate, and participate in the
roadmap discussion linked above.
Co-authored-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
I don't know what this commit does, to be honest. I just
did './autogen.sh && make && make dist' and committed the
changes to .po files. Why? I don't know.
BTW, I kept out some changes that were actually bad.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
I don't know what this commit does, to be honest. I just
did './autogen.sh && make && make dist' and committed the
changes to .pot files. Why? I don't know.
Signed-off-by: Alejandro Colomar <alx@kernel.org>
While the empty one is more correct, {0} will also work, and will
likely silence diagnostics in old compiler versions.
Empty compound literals are only supported in GCC since commit
gcc.git 14cfa01755a6 (2022-08-25; "c: Support C2x empty initializer braces")
Reported-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Only one opening bracket is used before two closing brackets are
encountered for "(--user)".
Drop redundant ones within the file.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Use tab instead of spaces to comply with rest of files.
Fixes: 923aeac250d0 (2025-07-04; "man/: update `--root` flag with no SELinux support")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The usage message of sg and synopsis of its manual page diverged. The
difference was even noted in a comment, instead of fixing it.
Synchronize both, add information about hidden options and document
what they do.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Use "an" in front of sg due to its pronounciation. Also, start a comment
with capital letter in its first sentence to comply with other comments.
No functional change.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
In general, empty fields in a CSV are errors. However, in some cases,
we want to allow passing empty lists, and the way to encode that is as
an empty string. This was accidentally broken in 4.17.0, when we
switched from using strtok(3) to strsep(3), without remembering to
special-case an empty CSV.
The bug affected directly groupadd(8) and groupmod(8).
The bug also affected the library function add_groups(). In systems
using PAM, that function is unused. On systems without PAM, it is
called by the library function setup_uid_gid(), with the contents of the
"CONSOLE_GROUPS" configuration (login.defs) CSV string.
setup_uid_gid() is directly called by su(1) and login(1) on systems
without PAM.
setup_uid_gid() is also called by the library function expire().
expire() is directly called by expiry(1), su(1), and login(1).
This bug is a regression introduced in the release 4.17.0, and present
in the releases 4.17.{0..4} and 4.18.0.
Fixes: 90afe61003ef (2024-12-05; "lib/, src/: Use strsep(3) instead of strtok(3)")
Link: <https://github.com/shadow-maint/shadow/issues/1420>
Reported-by: Osark Vieira <https://github.com/osark084>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Some names are bad, and some names are really bad. '--badname' should
only allow the mildly bad ones, which we can handle. Some names are too
bad, and it's not possible to deal with them. Reject them
unconditionally.
- A leading '-' is too dangerous. It breaks things like execve(2), and
almost every command.
- Spaces are used for delimiting lists of users and groups.
- '"' is special in many languages, including the shell. Having it in
user names would be unnecessarily dangerous.
- '#' is used for delimiting comments in several of our config files.
Having it in usernames could result in incorrect configuration files.
- "'" is special in many languages, including the shell. Having it in
user names would be unnecessarily dangerous.
- ',' is used for delimiting lists of users and groups.
- '/' is used for delimiting files, and thus could result in incorrect
handling of users and groups.
- ':' is the main delimiter in /etc/shadow and /etc/passwd.
- ';' is special in many languages, including the shell. Having it in
user names would be unnecessarily dangerous.
There are other characters that we should disallow, but they need more
research to make sure we don't introduce regressions. This set should
be less problematic.
Acked-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Chris Hofstaedtler <zeha@debian.org>
Cc: Marc 'Zugschlus' Haber <mh+githubvisible@zugschlus.de>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Actually log the user name as done with stderr message.
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The failing function call was wait, not waitpid.
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Duplicating name and hash is not needed here, because duplication
occurs in spw_update. You can detect the small memory leak with
tools like valgrind.
More importantly though, if xstrdup fails, it calls exit. The
update_age function is in the "criticial section" between
open_files and close_files, though. Correct error handling would
require fail_exit to release the held locks.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The gpasswd utility was segfaulting when cleanup functions were called
because these functions expect a pointer to `process_selinux` but was
being passed NULL. This caused a NULL pointer dereference.
This commits adds the pointer to `process_selinux` to clean up
functions making `gpasswd` consistent with other group utilities.
Reproduction steps:
$ useradd tuser
$ groupadd tuser
$ gpasswd -a tuser tgroup
Adding user tuser to group tgroup
Segmentation fault (core dumped)
Fixes: 4d431898bad8 (2025-10-07; "src/gpasswd.c: chroot or prefix SELinux file context")
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Unify the retrieval of PASS_MIN_LEN and PASS_MAX_LEN for output
in passwd and actual checks.
Fixes wrong output for minimum password lengths if no such
restriction is configured: 5 is printed, 0 is in effect.
How to reproduce:
1. Use passwd compiled without PAM support
2. Do not specify PASS_MIN_LEN in login.defs
3. Run passwd as a user and enter your old password, then
- you will see that 5 characters are expected
- you can just press enter twice
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The getdef_num implementation allows -1 to be specified in login.defs.
In general, -1 should be treated the same way as "not specified". In
this case, casting -1 to size_t leads to every password being "too
short."
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The check_fds function is supposed to ensure that fds 0, 1, and 2 are
opened in a well-defined state, i.e. either they are already connected
to supposed input/output files or will be connected to /dev/null if not.
Opening the audit socket before checking the fds allows the audit socket
to get one of these numbers.
Avoid this by opening the audit socket after the check.
In general, this check is already covered by system libraries, but this
proof of concept works for root user. Note the different states of the
file descriptor 2.
In bash or another shell that interprets `2>&-` as closing stderr with
shadow + audit support, e.g. Arch Linux:
```
sg bin 'ls -l /proc/self/fd'
sg bin 'ls -l /proc/self/fd' 2>/dev/null
sg bin 'ls -l /proc/self/fd' 2>&-
```
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The `PASS_MAX_LEN` is effectively only used for DES. Do not describe it
in a way that makes it sound like `MD_CRYPT_ENAB=yes` is required to
disable it. Any other `ENCRYPT_METHOD` disables it as well.
Also, even for DES, `PASS_MAX_LEN` requires `OBSCURE_CHECKS_ENAB` to
have any effect.
Even more, `PASS_MIN_LEN` and `PASS_MAX_LEN` are only used for
user passwords. Group passwords are not checked.
Note: All of this is actually true even if compiled with PAM if command
line arguments change root. But if compiled with PAM support, this
section is not added to manual pages... Since this is true for some
more files, it's not part of this commit.
Link to source files:
- lib/obscure.c line 133 stops further checks, including max length,
if OBSCURE_CHECS_ENAB is not yes
- lib/obscure.c line 172 is only reached in case of DES
- src/passwd.c line 248 duplicates the check for output
- src/gpasswd.c has no reference to obscure
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Even though this is technically no sentence, it stays in sync with the
other file descriptions this way.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Always start a sentence with lowercase letter after 'Note:', 'Warning:',
etc. This unifies all occurrences.
No functional change.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
If password aging should not be performed, disable it properly. Just
specifying a "long enough time" is not infinity.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Shadow password files do not necessarily need aging information.
Also, passwd has no aging information.
No conversion is performed, so drop the comment entirely.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
- The total number of password change tries can be configured
- Except min length, password strength checks can be disabled
- Even the root user can have password strength checks...
- ... except in some cases (stdin, command line arguments)
In general, this code does not run for PAM, except root directory
is modified through command line arguments by root user.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The passwd tool checks if the password of a user may be changed before
locking the passwd/shadow files. This leaves a time window to perform
the same action twice (e.g. circumventing PASS_MIN_DAYS limit) or to
circumvent a locked password by an administrator.
Perform the check after the lock again. This keeps the behavior as it
is today for a user and also prevents the race condition.
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Calling fail_exit here prepares an upcoming commit to reuse the
functions when databases have been locked.
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Always use the name in shadow entry for logging. This reduces the
amount of data retrieved from password entry to bare minimum, i.e.
passing through into library call.
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Make sure that passwd and shadow are always opened in the correct
order to avoid possible dead locks with other tools:
- Lock passwd first, then shadow
- Unlock shadow first, then passwd
The passwd utility may work without a shadow entry. In that case, it
operates on the passwd file. But to figure this out, the shadow file
must have been opened and thus locked already. Unconditionally open the
passwd file first, even though it's not needed most of the time.
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
At this point, shadow might be already locked if update_noshadow is
called as fallback within update_shadow. Make sure that unlock is
called before exit.
Fixes: 45c6603cc86c (2007-10-07; "[svn-upgrade] Integrating new upstream version, shadow (19990709)")
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
No need to re-evaluate option_flags in functions. Unifies checks and
simplifies code.
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
If PASS_MAX_DAYS is not set, newusers falls back to 10000 days, which is
considered "unlimited" in some parts of the source tree. All other tools
fall back to -1, which truely implies unlimited.
Sync newusers with all other shadow tools.
How to reproduce:
1. Remove or comment out PASS_MAX_DAYS from /etc/login.defs
2. Run `newusers <<< user:pass:1234🔢:/home/user:/bin/bash`
3. Check user line in /etc/shadow
```
/etc/shadow:user:HASH:19721:0:10000:7:::
```
Max days are set to 10000. Instead, this should be:
```
/etc/shadow:user:HASH:19721:0::7:::
```
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
The pwd_to_spwd routine claims that fields without corresponding
information in the password file are set to uninitialized values,
but sets some aging information. These cannot be available in
struct passwd.
Also, the code is only used in passwd to temporarily hold the
new password. All other values are copied from an existing entry
later on. If no entry exists, all values are dismissed anyway.
Clarify that everything is uninitialized except name and password.
Gets rid of magic value 10000 for sp_max.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Fixes build failure:
```
In file included from xgetgrnam.c:40:
xgetXXbyYY.c: In function ‘xgetgrnam’:
xgetXXbyYY.c:83:31: error: ‘SIZE_MAX’ undeclared (first use in this function)
83 | if (length == SIZE_MAX) {
| ^~~~~~~~
```
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
