
The stackexchange link says "it is not possible to login to the account using a password", but the baeldung link says "anyone can log in to the account without any password".

The stackexchange link:

Both "!" and "!!" being present in the password field mean it is not possible to login to the account using a password.

As it can be read from the documentation of RHEL-4, the "!!" in the shadow-password field means the account of a user has been created, but not yet given a password. The documentation states (possibly erroneously) that until being given an initial password by a sysadmin, it is locked by default.

The baeldung link:

  1. !! in /etc/shadow’s Password Field

    Another symbol that we may encounter in the password field of the /etc/shadow file is the two exclamation points. !! indicates that someone has created a user account but has not given it a password. Therefore, anyone can log in to the account without any password, which is a serious risk.

Which is correct for an Ubuntu system?

1 Answer

This is documented in man 5 shadow (emphases mine):

encrypted password

This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.

A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

Refer to crypt(3) for details on how this string is interpreted.

If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

So, the first ! means the password is locked and everything after that first ! is the password. Next, if the password is ! that means you can't log in with a password and no, that does not imply that you can log in without a password. "Other means" refers to things like root using su to switch to that user. Root wouldn't be prompted for a password anyway, so that is one example of "other means" to log in.

We can even test it, easily enough:

terdon@oregano ~ $ sudo adduser someuser
info: Adding user `someuser' ...
info: Selecting UID/GID from range 1000 to 60000 ...
info: Adding new group `someuser' (1005) ...
info: Adding new user `someuser' (1005) with group `someuser (1005)' ...
info: Creating home directory `/home/someuser' ...
info: Copying files from `/etc/skel' ...
New password: 
Retype new password: 
No password has been supplied.
New password: 
Retype new password: 
No password has been supplied.
New password: 
Retype new password: 
No password has been supplied.
passwd: Authentication token manipulation error
passwd: password unchanged
Try again? [y/N] n
Changing finger information for someuser.
Name []: 
Office []: 
Office Phone []: 
Home Phone []: 


Finger information not changed.
Is the information correct? [Y/n] 

Here, I just ran the command sudo adduser someuser and pressed Enter to skip all the prompts and leave the password empty. The result is:

$ sudo grep someuser /etc/shadow
someuser:!:19863:0:99999:7:::

So we have a user with no password. If I try to log in as that user, I cannot:

$ su someuser -
Password: 
su: Authentication failure

So there you go, a password set to ! (or !!, since that just means a locked !) does not allow users to log in without a password. It does, however, let root switch to that user:

terdon@oregano ~ $ sudo -i
[root@oregano ~]# su someuser -
[someuser@oregano root]$ whoami
someuser
  • I've never investigated this too much so reading the man page I should infer that using ! / !! is just a convention and that really anything not resembling a salted password hash would be interpreted as invalid / won't allow to log in unless through "other means", correct?
    – kos
    Commented May 20 at 10:37
  • @kos from the man page: "If the password field contains some string that is not a valid result of crypt(3), for instance ! or *". I don't know what other characters cannot be valid output of crypt, but yeah, the phrasing suggests there can be others.
    – terdon
    Commented May 20 at 10:42
  • According to man 3 crypt_gensalt and man 3 crypt: "string [...] will be entirely printable ASCII, and will not contain whitespace or the characters ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’.", so probably also ";" and "\" will serve the same as * / ! / !!
    – kos
    Commented May 20 at 10:56
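
As an added example (not part of the original answer or its comments), the rules quoted above from man 5 shadow and man 3 crypt can be turned into a small audit script that reports each account's password state without printing any hash. The state names, the sample entries other than the someuser line, and the heuristic that any non-empty field free of the characters crypt(3) never emits counts as a hash are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5) entries.

# classify_field FIELD -> prints EMPTY, LOCKED_HASH, LOCKED_NO_HASH,
# NO_PASSWORD_LOGIN or HASH (state names are this example's own).
classify_field() {
    case "$1" in
        '')   echo EMPTY ;;                    # no password required: the real risk
        '!'*) # locked; the rest is the field as it was before locking
              case "$(classify_field "${1#?}")" in
                  HASH|LOCKED_HASH) echo LOCKED_HASH ;;    # unlocking restores a hash
                  *)                echo LOCKED_NO_HASH ;; # "!" or "!!": nothing behind it
              esac ;;
        *[[:space:]]*|*'*'*|*';'*|*'\'*|*':'*)
              echo NO_PASSWORD_LOGIN ;;        # cannot be crypt(3) output
        *)    echo HASH ;;                     # heuristic: assumed to be a hash
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user STATE".
audit_shadow() {
    while IFS=: read -r user field unused; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_field "$field")"
    done
}

# Constructed sample input; only the someuser line comes from the answer above.
sample_shadow() {
    cat <<'EOF'
root:*:19863:0:99999:7:::
someuser:!:19863:0:99999:7:::
newacct:!!:19863:0:99999:7:::
alice:$y$j9T$CONSTRUCTEDsalt$CONSTRUCTEDhashvalue:19863:0:99999:7:::
bob:!$y$j9T$CONSTRUCTEDsalt$CONSTRUCTEDhashvalue:19863:0:99999:7:::
open::19863:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

To check a real system, run `audit_shadow < /etc/shadow` as root; only accounts reported as EMPTY can be entered without any password, and some applications refuse even those.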
