From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Set group and mode for [g]shadow files

Set group 'shadow' and mode 0400.

Fixes: #166793

Gbp-Topic: debian
---
 lib/commonio.c | 12 ++++++++++++
 lib/sgroupio.c |  2 +-
 lib/shadowio.c |  2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/commonio.c b/lib/commonio.c
index 01a26c9..72e53b0 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -21,6 +21,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include <signal.h>
+#include <grp.h>
 
 #include "alloc.h"
 #include "memzero.h"
@@ -956,12 +957,23 @@ int commonio_close (struct commonio_db *db)
 		if (errors != 0)
 			goto fail;
 	} else {
+		struct group *grp;
 		/*
 		 * Default permissions for new [g]shadow files.
 		 */
 		sb.st_mode = db->st_mode;
 		sb.st_uid = db->st_uid;
 		sb.st_gid = db->st_gid;
+
+		/*
+		 * Try to retrieve the shadow's GID, and fall back to GID 0.
+		 */
+		if (sb.st_gid == 0) {
+			if ((grp = getgrnam("shadow")) != NULL)
+				sb.st_gid = grp->gr_gid;
+			else
+				sb.st_gid = 0;
+		}
 	}
 
 	if (SNPRINTF(buf, "%s+", db->filename) == -1)
diff --git a/lib/sgroupio.c b/lib/sgroupio.c
index 0297df4..107b1e5 100644
--- a/lib/sgroupio.c
+++ b/lib/sgroupio.c
@@ -209,7 +209,7 @@ static struct commonio_db gshadow_db = {
 #ifdef WITH_SELINUX
 	NULL,			/* scontext */
 #endif
-	0400,                   /* st_mode */
+	0440,                   /* st_mode */
 	0,                      /* st_uid */
 	0,                      /* st_gid */
 	NULL,			/* head */
diff --git a/lib/shadowio.c b/lib/shadowio.c
index d2c3b47..53dac0b 100644
--- a/lib/shadowio.c
+++ b/lib/shadowio.c
@@ -85,7 +85,7 @@ static struct commonio_db shadow_db = {
 #ifdef WITH_SELINUX
 	NULL,			/* scontext */
 #endif				/* WITH_SELINUX */
-	0400,                   /* st_mode */
+	0440,                   /* st_mode */
 	0,                      /* st_uid */
 	0,                      /* st_gid */
 	NULL,			/* head */