No permissions on shadow most of the time

src/freedombone-addsipuser

     echo $line >> $NEW_CONFIG_FILE
     done < $CONFIG_FILE
     mv $NEW_CONFIG_FILE $CONFIG_FILE
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     usermod -aG sipwitch $MY_USERNAME
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 }
 
 while [[ $# > 1 ]]

src/freedombone-adduser

 MINIMUM_PASSWORD_LENGTH=$(cat /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-passwords | grep 'MINIMUM_PASSWORD_LENGTH=' | head -n 1 | awk -F '=' '{print $2}')
 
 NEW_USER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
-chmod 700 /etc/shadow
-chmod 700 /etc/gshadow
+chmod 600 /etc/shadow
+chmod 600 /etc/gshadow
 useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash $ADD_USERNAME
 adduser $ADD_USERNAME sasl
 chmod 0000 /etc/shadow

src/freedombone-app-pihole

 function install_pihole {
     apt-get -yq install dnsmasq curl
     adduser --disabled-login --gecos 'pi-hole' pihole
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     usermod -a -G www-data pihole
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     systemctl enable dnsmasq
 

src/freedombone-app-sip

 
     # add user to the sipwitch group
     if [ -f /etc/sipwitch.conf ]; then
+        chmod 600 /etc/shadow
+        chmod 600 /etc/gshadow
         usermod -aG sipwitch $new_username
+        chmod 0000 /etc/shadow
+        chmod 0000 /etc/gshadow
     fi
 
     # add user for SIP STUN/TURN
     sed -i 's|#PLUGINS=|PLUGINS=|g' /etc/default/sipwitch
     sed -i 's|PLUGINS=.*|PLUGINS="zeroconf subscriber forward"|g' /etc/default/sipwitch
     groupadd sipwitch
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     usermod -aG sipwitch $MY_USERNAME
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     SIP_ONION_HOSTNAME=$(add_onion_service sip ${SIP_PORT} ${SIP_PORT})
 

src/freedombone-app-tox

         chroot ${rootdir} /usr/sbin/useradd --home-dir /var/lib/tox-bootstrapd --create-home --system --shell /sbin/nologin --comment $"Account to run Tox's DHT bootstrap daemon" --user-group tox-bootstrapd
         chroot ${rootdir} /bin/chmod 700 /var/lib/tox-bootstrapd
     else
+        chmod 600 /etc/shadow
+        chmod 600 /etc/gshadow
         useradd --home-dir /var/lib/tox-bootstrapd --create-home --system --shell /sbin/nologin --comment $"Account to run Tox's DHT bootstrap daemon" --user-group tox-bootstrapd
+        chmod 0000 /etc/shadow
+        chmod 0000 /etc/gshadow
         chmod 700 /var/lib/tox-bootstrapd
     fi
 

src/freedombone-app-xmpp

     fi
 
     groupadd default
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     usermod -g default prosody
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     chown root:default /etc/ssl/private/xmpp.*
     chown root:default /etc/ssl/certs/xmpp.*

src/freedombone-base-email

     update-exim4.conf.template -r
     update-exim4.conf
     systemctl restart exim4
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     useradd -d /var/schleuderlists -s /bin/false schleuder
     adduser Debian-exim schleuder
     usermod -a -G mail schleuder
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
     #exim -d -bt $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME
     mark_completed $FUNCNAME
 }
         fi
     fi
 
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     groupadd default
     usermod -g default dovecot
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     chown root:default /etc/ssl/certs/dovecot.*
     chown root:default /etc/ssl/private/dovecot.*

src/freedombone-config

                            if [ ${#possible_username} -gt 1 ]; then
                                if [[ $possible_username != $GENERIC_IMAGE_USERNAME ]]; then
                                    MY_USERNAME=$(cat $data)
+                                   chmod 600 /etc/shadow
+                                   chmod 600 /etc/gshadow
                                    useradd -m -s /bin/bash $MY_USERNAME
+                                   chmod 0000 /etc/shadow
+                                   chmod 0000 /etc/gshadow
                                    if [ -d /home/$MY_USERNAME ]; then
                                        echo "${MY_USERNAME}:$(printf `cat $IMAGE_PASSWORD_FILE`)" | chpasswd
                                        # Add the user as a sudoer - they will be the new admin user

src/freedombone-mirrors

         MY_MIRRORS_PASSWORD="$(openssl rand -base64 20 | cut -c1-18)"
     fi
 
+    chmod 600 /etc/shadow
+    chmod 600 /etc/gshadow
     useradd -m -p "$MY_MIRRORS_PASSWORD" -s /bin/bash mirrors
+    chmod 0000 /etc/shadow
+    chmod 0000 /etc/gshadow
 
     # remove any existing user files
     rm -rf /home/mirrors/*

src/freedombone-rmuser

     fi
 done
 
-chmod 700 /etc/shadow
-chmod 700 /etc/gshadow
+chmod 600 /etc/shadow
+chmod 600 /etc/gshadow
 userdel -r $REMOVE_USERNAME
 chmod 0000 /etc/shadow
 chmod 0000 /etc/gshadow

src/freedombone-utils-web

     fi
 
     # create an unprivileged user
+    #chmod 600 /etc/shadow
+    #chmod 600 /etc/gshadow
     #useradd -r -s /bin/false debian-inadyn
+    #chmod 0000 /etc/shadow
+    #chmod 0000 /etc/gshadow
 
     # create a configuration file
     echo 'background' > /etc/inadyn.conf