#1128882 base-passwd: Non-matching order of entries between passwd and shadow files due to package installation order

Package:
base-passwd
Source:
base-passwd
Description:
Debian base system master password and group files
Submitter:
Date:
2026-02-24 11:53:03 UTC
Severity:
normal
#1128882#5
Date:
2026-02-23 21:17:00 UTC
From:
To:
Dear Maintainer,

No AI was used in the writing of this report.

The order in which the base-passwd, systemd, and passwd packages are configured
during Debian installation affects whether the /etc/passwd and /etc/shadow
files have a matching order of user entries.

Create a chroot using mmdebstrap:
```
# SOURCE_DATE_EPOCH=0 mmdebstrap trixie /mmdebstrap-chroot http://deb.debian.org/debian
```

Full mmdebstrap.log attached, but these are the relevant lines:
```
...
Setting up base-passwd (3.6.7) ...
...
Setting up systemd (257.9-1~deb13u1) ...
...
Creating group 'systemd-journal' with GID 999.
Creating group 'systemd-network' with GID 998.
Creating user 'systemd-network' (systemd Network Management) with UID 998 and GID 998.
...
Setting up passwd (1:4.17.4-2) ...
no matching password file entry in /etc/shadow
add user 'root' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'daemon' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'bin' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'sys' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'sync' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'games' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'man' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'lp' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'mail' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'news' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'uucp' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'proxy' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'www-data' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'backup' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'list' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'irc' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user '_apt' in /etc/shadow? No
no matching password file entry in /etc/shadow
add user 'nobody' in /etc/shadow? No
pwck: no changes
no matching group file entry in /etc/gshadow
add group 'root' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'daemon' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'bin' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'sys' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'adm' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'tty' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'disk' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'lp' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'mail' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'news' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'uucp' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'man' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'proxy' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'kmem' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'dialout' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'fax' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'voice' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'cdrom' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'floppy' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'tape' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'sudo' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'audio' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'dip' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'www-data' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'backup' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'operator' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'list' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'irc' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'src' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'shadow' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'utmp' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'video' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'sasl' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'plugdev' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'staff' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'games' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'users' in /etc/gshadow? No
no matching group file entry in /etc/gshadow
add group 'nogroup' in /etc/gshadow? No
grpck: no changes
Shadow passwords are now on.
...
```

Observe the contents of the created /etc/passwd file:
```
# cat /mmdebstrap-chroot/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon:/usr/lib/dhcpcd:/bin/false
```

And of /etc/shadow file:
```
# cat /mmdebstrap-chroot/etc/shadow
systemd-network:!*:0:::::1:
root:*::0:99999:7:::
daemon:*::0:99999:7:::
bin:*::0:99999:7:::
sys:*::0:99999:7:::
sync:*::0:99999:7:::
games:*::0:99999:7:::
man:*::0:99999:7:::
lp:*::0:99999:7:::
mail:*::0:99999:7:::
news:*::0:99999:7:::
uucp:*::0:99999:7:::
proxy:*::0:99999:7:::
www-data:*::0:99999:7:::
backup:*::0:99999:7:::
list:*::0:99999:7:::
irc:*::0:99999:7:::
_apt:*::0:99999:7:::
nobody:*::0:99999:7:::
dhcpcd:!:::::::
```

Notice that the systemd-network user is the 2nd last entry in /etc/passwd but
the 1st entry in /etc/shadow. This shifts the correspondence of entries between
/etc/passwd and /etc/shadow by one line. For example, 'root' is the 1st entry in
/etc/passwd but the 2nd entry in /etc/shadow. It should not cause problems, but it
is ugly, fixing it helps make Debian installations more reproducible, and I
recall it causing some problem under some condition that I cannot remember
(very rare issue).

When the base-passwd package is configured, it copies the master passwd file
/usr/share/base-passwd/passwd.master to /etc/passwd.

These are the contents of /usr/share/base-passwd/passwd.master file:
```
$ cat /usr/share/base-passwd/passwd.master
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:*:42:65534::/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
```

Notice that the master file uses '*' as the 2nd colon-separated entry, which
means shadow passwords are not enabled for the user.

The /etc/shadow file does not exist yet after the configuration of the
base-passwd package.

When the systemd package is configured after the base-passwd package, it adds
the systemd-network user through the systemd-sysusers mechanism. This mechanism
adds the new user to /etc/passwd, enables shadow passwords for this user
unconditionally (using the 'x' character instead of '*' character), and adds
this new user to /etc/shadow. This means that systemd-network user is the last
user in /etc/passwd at the moment of systemd package configuration, and because
/etc/shadow did not exist yet systemd-network user becomes the first user in
/etc/shadow.

When the passwd package is then configured after the systemd package, it
automatically enables shadow passwords for all users, changing the '*'
character to 'x', and appends all users that weren't in /etc/shadow to that
file, leading to the mismatched order of entries between /etc/passwd and
/etc/shadow.

There are at least 2 ways of fixing this:

The base-passwd package could by default enable shadow passwords, ship with a
master passwd that has the 'x' character instead of '*' character, and ship
with a master shadow file that corresponds to the master passwd file, with a
matching order of entries. The passwd package already enables shadow passwords
automatically by default anyway, so it is not a big change. System
administrators still retain the option to disable shadow passwords afterwards
if they want, by editing the /etc/passwd file.

The other option would be to stop shipping any master passwd or similar files,
and define users declaratively using the sysusers mechanism instead. This would
make an implementation of sysusers pseudo-essential.

As a last note, the /etc/group and /etc/gshadow files have the same issue, which
can be fixed the same way.

Bug #1125516 [1] is a little related.

[1] https://bugs.debian.org/1125516
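The ordering and shadow-flag consistency described in the report can be checked mechanically. The following is an added example, not code from base-passwd, passwd or the bug report: it compares a passwd-style file with its shadow counterpart, reports the first position where the two files disagree on which name comes next, flags 'x' users that have no shadow line at all, and emits the shadow content re-sequenced in passwd order. The sample file contents are constructed to mirror the report (systemd-network last in passwd, first in shadow); the same functions apply to /etc/group and /etc/gshadow, whose first field is also the name.

```python
"""Compare a passwd-style file with its shadow counterpart (added example)."""
from typing import Dict, List

# Constructed sample of the state after passwd configuration, shortened from the report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon:/usr/lib/dhcpcd:/bin/false
"""
SAMPLE_SHADOW = """\
systemd-network:!*:0:::::1:
root:*::0:99999:7:::
daemon:*::0:99999:7:::
nobody:*::0:99999:7:::
dhcpcd:!:::::::
"""


def entries(text: str) -> Dict[str, List[str]]:
    """Map each name (first field) to its split fields; dict order is file order."""
    return {f[0]: f for f in (l.split(":") for l in text.splitlines()) if f[0]}


def check_consistency(passwd: str, shadow: str) -> Dict[str, object]:
    """Report missing/orphan names, 'x' users lacking a shadow line, and the first order divergence."""
    pw, sh = entries(passwd), entries(shadow)
    pw_order = [n for n in pw if n in sh]  # names present in both, in passwd order
    sh_order = [n for n in sh if n in pw]  # the same names, in shadow order
    divergence = next(((i, a, b) for i, (a, b) in enumerate(zip(pw_order, sh_order)) if a != b), None)
    return {
        # 'x' tells libc to consult shadow; an 'x' user with no shadow line has no password record.
        "x_without_shadow": [n for n, f in pw.items() if len(f) > 1 and f[1] == "x" and n not in sh],
        "missing_from_shadow": [n for n in pw if n not in sh],
        "orphans_in_shadow": [n for n in sh if n not in pw],
        "in_order": divergence is None,
        "first_divergence": divergence,  # (index, name in passwd, name in shadow) or None
    }


def shadow_in_passwd_order(passwd: str, shadow: str) -> str:
    """Return shadow content re-sequenced to passwd order; shadow-only names are appended unchanged."""
    pw, sh = entries(passwd), entries(shadow)
    ordered = [n for n in pw if n in sh] + [n for n in sh if n not in pw]
    return "".join(":".join(sh[n]) + "\n" for n in ordered)
```

On the constructed sample, `check_consistency` reports the divergence at index 0 ('root' in passwd versus 'systemd-network' in shadow), exactly the one-line shift the report describes; on a real system the reordered content should be applied through the shadow suite's own tools rather than by writing /etc/shadow directly.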

#1128882#10
Date:
2026-02-24 11:51:30 UTC
From:
To:
I agree with that suggestion.

Greetings
Marc