No permissions on shadow most of the time

src/freedombone-addsipuser

@@ -105,7 +105,11 @@ function add_sip_user {
     echo $line >> $NEW_CONFIG_FILE
     done < $CONFIG_FILE
     mv $NEW_CONFIG_FILE $CONFIG_FILE
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     usermod -aG sipwitch $MY_USERNAME
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 }
 
 while [[ $# > 1 ]]

src/freedombone-adduser

@@ -75,8 +75,8 @@ fi
 MINIMUM_PASSWORD_LENGTH=$(cat /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-passwords | grep 'MINIMUM_PASSWORD_LENGTH=' | head -n 1 | awk -F '=' '{print $2}')
 
 NEW_USER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
-chmod 700 /etc/shadow
-chmod 700 /etc/gshadow
+chmod 600 /etc/shadow
+chmod 600 /etc/gshadow
 useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash $ADD_USERNAME
 adduser $ADD_USERNAME sasl
 chmod 0000 /etc/shadow

src/freedombone-app-pihole

@@ -346,7 +346,11 @@ function remove_pihole {
 function install_pihole {
     apt-get -yq install dnsmasq curl
     adduser --disabled-login --gecos 'pi-hole' pihole
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     usermod -a -G www-data pihole
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     systemctl enable dnsmasq
 

src/freedombone-app-sip

@@ -77,7 +77,11 @@ function add_user_sip {
 
     # add user to the sipwitch group
     if [ -f /etc/sipwitch.conf ]; then
+        chmod 600 /etc/shadow
+        chmod 600 /etc/gshadow
         usermod -aG sipwitch $new_username
+        chmod 0000 /etc/shadow
+        chmod 0000 /etc/gshadow
     fi
 
     # add user for SIP STUN/TURN
@@ -300,7 +304,11 @@ function install_sip_main {
     sed -i 's|#PLUGINS=|PLUGINS=|g' /etc/default/sipwitch
     sed -i 's|PLUGINS=.*|PLUGINS="zeroconf subscriber forward"|g' /etc/default/sipwitch
     groupadd sipwitch
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     usermod -aG sipwitch $MY_USERNAME
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     SIP_ONION_HOSTNAME=$(add_onion_service sip ${SIP_PORT} ${SIP_PORT})
 

src/freedombone-app-tox

@@ -506,7 +506,11 @@ EOF
         chroot ${rootdir} /usr/sbin/useradd --home-dir /var/lib/tox-bootstrapd --create-home --system --shell /sbin/nologin --comment $"Account to run Tox's DHT bootstrap daemon" --user-group tox-bootstrapd
         chroot ${rootdir} /bin/chmod 700 /var/lib/tox-bootstrapd
     else
+        chmod 600 /etc/shadow
+        chmod 600 /etc/gshadow
         useradd --home-dir /var/lib/tox-bootstrapd --create-home --system --shell /sbin/nologin --comment $"Account to run Tox's DHT bootstrap daemon" --user-group tox-bootstrapd
+        chmod 0000 /etc/shadow
+        chmod 0000 /etc/gshadow
         chmod 700 /var/lib/tox-bootstrapd
     fi
 

src/freedombone-app-xmpp

@@ -363,7 +363,11 @@ function install_xmpp_main {
     fi
 
     groupadd default
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     usermod -g default prosody
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     chown root:default /etc/ssl/private/xmpp.*
     chown root:default /etc/ssl/certs/xmpp.*

src/freedombone-base-email

@@ -594,9 +594,13 @@ function create_private_mailing_list {
     update-exim4.conf.template -r
     update-exim4.conf
     systemctl restart exim4
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     useradd -d /var/schleuderlists -s /bin/false schleuder
     adduser Debian-exim schleuder
     usermod -a -G mail schleuder
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
     #exim -d -bt $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME
     mark_completed $FUNCNAME
 }
@@ -1277,8 +1281,12 @@ function configure_imap {
         fi
     fi
 
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     groupadd default
     usermod -g default dovecot
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     chown root:default /etc/ssl/certs/dovecot.*
     chown root:default /etc/ssl/private/dovecot.*

src/freedombone-config

@@ -636,7 +636,11 @@ function choose_username {
                            if [ ${#possible_username} -gt 1 ]; then
                                if [[ $possible_username != $GENERIC_IMAGE_USERNAME ]]; then
                                    MY_USERNAME=$(cat $data)
+                                   chmod 600 /etc/shadow
+                                   chmod 600 /etc/gshadow
                                    useradd -m -s /bin/bash $MY_USERNAME
+                                   chmod 0000 /etc/shadow
+                                   chmod 0000 /etc/gshadow
                                    if [ -d /home/$MY_USERNAME ]; then
                                        echo "${MY_USERNAME}:$(printf `cat $IMAGE_PASSWORD_FILE`)" | chpasswd
                                        # Add the user as a sudoer - they will be the new admin user

src/freedombone-mirrors

@@ -100,7 +100,11 @@ function create_mirrors_user {
         MY_MIRRORS_PASSWORD="$(openssl rand -base64 20 | cut -c1-18)"
     fi
 
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     useradd -m -p "$MY_MIRRORS_PASSWORD" -s /bin/bash mirrors
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     # remove any existing user files
     rm -rf /home/mirrors/*

src/freedombone-rmuser

@@ -136,8 +136,8 @@ do
     fi
 done
 
-chmod 700 /etc/shadow
-chmod 700 /etc/gshadow
+chmod 600 /etc/shadow
+chmod 600 /etc/gshadow
 userdel -r $REMOVE_USERNAME
 chmod 0000 /etc/shadow
 chmod 0000 /etc/gshadow

src/freedombone-utils-web

@@ -436,7 +436,11 @@ function install_dynamicdns {
     fi
 
     # create an unprivileged user
+    #chmod 600 /etc/shadow
+    #chmod 600 /etc/gshadow
     #useradd -r -s /bin/false debian-inadyn
+    #chmod 0000 /etc/shadow
+    #chmod 0000 /etc/gshadow
 
     # create a configuration file
     echo 'background' > /etc/inadyn.conf