shadow/debian/shadowconfig

#!/bin/sh
# turn shadow passwords on on a Debian system

set -e

shadowon () {
    set -e

    if [ -n "$DPKG_ROOT" ] \
        && cmp "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/usr/share/base-passwd/passwd.master" 2>/dev/null \
        && cmp "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/usr/share/base-passwd/group.master" 2>/dev/null; then
        # If dpkg is run with --force-script-chrootless and if /etc/passwd
        # and /etc/group are unchanged, we avoid the chroot() call by manually
        # processing the files. This produces bit-by-bit identical results
        # compared to the normal case as shown by the CI setup at
        # https://salsa.debian.org/helmutg/dpkg-root-demo/-/jobs
        for f in passwd group; do
            cp -a "${DPKG_ROOT}/etc/$f" "${DPKG_ROOT}/etc/$f-"
        done
        chmod 600 "${DPKG_ROOT}/etc/passwd-"
        sed -i 's/^\([^:]\+\):\*:/\1:x:/' "${DPKG_ROOT}/etc/group" "${DPKG_ROOT}/etc/passwd"
        [ -n "$SOURCE_DATE_EPOCH" ] && epoch=$SOURCE_DATE_EPOCH || epoch=$(date +%s)
        sed "s/^\([^:]\+\):.*/\1:*:$((epoch/60/60/24)):0:99999:7:::/" "${DPKG_ROOT}/etc/passwd" > "${DPKG_ROOT}/etc/shadow"
        sed "s/^\([^:]\+\):.*/\1:*::/" "${DPKG_ROOT}/etc/group" > "${DPKG_ROOT}/etc/gshadow"
        touch "${DPKG_ROOT}/etc/.pwd.lock"
        chmod 600 "${DPKG_ROOT}/etc/.pwd.lock"
    else
        pwck -q -r
        grpck -r
        pwconv
        grpconv
    fi
    chown root:root "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
    chmod 644 "${DPKG_ROOT}/etc/passwd" "${DPKG_ROOT}/etc/group"
    chown root:shadow "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
    chmod 640 "${DPKG_ROOT}/etc/shadow" "${DPKG_ROOT}/etc/gshadow"
}


case "$1" in
    "on")
	if shadowon ; then
	    echo Shadow passwords are now on.
	else
	    echo Please correct the error and rerun \`$0 on\'
	    exit 1
	fi
	;;
    "off")
	echo E: Turning shadow passwords off is no longer supported.
	exit 1
	;;
     *)
	echo Usage: $0 on
	;;
esac