fix: set shadow file to root:shadow 0640 in mutable mode #41

Open
jfroche wants to merge 1 commit into nikstur:main from jfroche:shadow-permissions

jfroche commented Feb 6, 2026

When mutable users are enabled, tools like passwd need to read /etc/shadow, which requires the file to be accessible to the shadow group.

In mutable mode, set the shadow file to mode 0640 with the shadow group.

In immutable mode the existing 0000 behavior is preserved.

jfroche added a commit to numtide/system-manager that referenced this pull request Feb 6, 2026
We have added a PR to userborn to fix the ownership/permission on
/etc/shadow: nikstur/userborn#41

/etc/shadow has mode 0640 and group shadow after both
activation and deactivation.

nikstur (Owner) commented Feb 17, 2026

Can you please check whether this is also true with the passwd from util-linux? In nixpkgs we weirdly use these tools from shadow and not from util-linux. If util-linux works, I'd prefer we switch upstream Nixpkgs to use util-linux instead of shadow.

Edit: please ignore.


kanashimia commented Mar 28, 2026

Why do it only in mutable mode? It should always be root shadow.
Tools like unix_chkpwd use setgid shadow permission to access /etc/shadow.
Just that NixOS has broken insecure permissions on unix_chkpwd and assigns setuid root instead, so the current behaviour of userborn works there (and it shouldn't).
https://github.com/NixOS/nixpkgs/blob/f48cce8648b6a0c331f54073a459c97f67ed72ea/nixos/modules/config/update-users-groups.pl#L317-L323
update-users-groups.pl always sets permissions to root:shadow 0640.

nikstur (Owner) commented Mar 29, 2026

Userborn follows the semantics of systemd-sysusers which uses these exact file permissions.


kanashimia commented Mar 29, 2026

> Userborn follows the semantics of systemd-sysusers

Well, you don't though? sysusers preserves existing permissions, it never overrides them; permissions it creates are relevant only when it creates a file that doesn't exist. Whereas userborn and update-users-groups.pl always override permissions, as it seems. So for systemd-sysusers you can create a file using systemd-tmpfiles and set whatever permissions you like.

Well, that is a different issue though.


r-vdp commented Apr 17, 2026

I took a slightly different approach in #46, before seeing this PR.

My main motivation is to remove setuid from unix_chkpwd and have only setgid instead.
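
Added example, not part of this PR or of userborn's code: a small Python check for the shadow-file policy proposed in the PR description (0640 in mutable mode, 0000 otherwise), together with the two permission semantics contrasted in the thread (set the mode only on creation versus always override it). The function names, the `shadow_gid` parameter and the temporary stand-in file are assumptions made for illustration.

```python
import os
import stat

def expected_mode(mutable: bool) -> int:
    # Policy proposed in this PR: 0640 in mutable mode, 0000 otherwise.
    return 0o640 if mutable else 0o000

def audit_shadow(path, mutable, owner_uid=0, shadow_gid=None):
    """Return findings for a shadow file; an empty list means it matches.
    shadow_gid is an assumption: pass the gid of the local 'shadow' group."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    want = expected_mode(mutable)
    findings = []
    if mode != want:
        findings.append(f"mode {mode:04o}, expected {want:04o}")
    if mode & stat.S_IRWXO:
        findings.append("accessible to other")
    if st.st_uid != owner_uid:
        findings.append(f"owner uid {st.st_uid}, expected {owner_uid}")
    # Group only matters when group bits are granted (mutable mode).
    if mutable and shadow_gid is not None and st.st_gid != shadow_gid:
        findings.append(f"gid {st.st_gid}, expected {shadow_gid}")
    return findings

def enforce(path, mode, create_only):
    """create_only=True: apply mode only when creating the file, keep an
    existing file's mode. create_only=False: always override the mode."""
    existed = os.path.exists(path)
    if not existed:
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
    if not existed or not create_only:
        os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "shadow")  # constructed stand-in, not /etc/shadow
        print(oct(enforce(p, 0o640, create_only=True)))
        os.chmod(p, 0o600)
        print(oct(enforce(p, 0o640, create_only=True)))
        print(oct(enforce(p, 0o640, create_only=False)))
        print(audit_shadow(p, True, os.getuid(), os.stat(p).st_gid))
```

On a real system, call `audit_shadow("/etc/shadow", mutable, 0, grp.getgrnam("shadow").gr_gid)` as root.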
