--- shadow-4.1.4.2/lib/commonio.c.shadow_perms 2009-05-10 15:49:05.000000000 +0200
+++ shadow-4.1.4.2/lib/commonio.c 2009-11-23 16:41:06.000000000 +0100
@@ -50,6 +50,7 @@
 #endif
 #include "prototypes.h"
 #include "commonio.h"
+#include <grp.h>
 
 /* local function prototypes */
 static int lrename (const char *, const char *);
@@ -810,6 +811,7 @@
 char buf[1024];
 int errors = 0;
 struct stat sb;
+ struct group *grp;
 
 #ifdef WITH_SELINUX
 /*@null@*/security_context_t old_context = NULL;
@@ -872,9 +874,12 @@
 * Default permissions for new [g]shadow files.
 * (passwd and group always exist...)
 */
- sb.st_mode = 0400;
+ sb.st_mode = 0440;
 sb.st_uid = 0;
- sb.st_gid = 0;
+ if ((grp = getgrnam("shadow")) == NULL)
+ sb.st_gid = 0;
+ else
+ sb.st_gid = grp->gr_gid;
 }
 
 snprintf (buf, sizeof buf, "%s+", db->filename);
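Review bot: In the last hunk the fallback branch still ends up with `sb.st_mode = 0440` when `getgrnam("shadow")` returns NULL, so a newly created [g]shadow file becomes readable by gid 0 instead of staying owner-only as it was before the change. Keeping `sb.st_mode = 0400;` as the default and setting `sb.st_mode = 0440;` only in the `else` branch next to `sb.st_gid = grp->gr_gid;` would grant group read only when the dedicated group actually exists. `getgrnam()` also returns NULL on a lookup error, not just when the group is absent, and the name is presumably resolved through whatever group sources the system has configured, so a comment stating which source is trusted to define the gid that gains read access to password hashes would help. The enclosing block and function start outside the hunk.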