Attached is a patch for doing this. This is highly Debian-specific, as I hardcoded the GID of the "shadow" group. There are maybe cleaner ways to do this.
--
--- lib/commonio.c~ 2005-10-11 23:22:22.476195984 +0200 +++ lib/commonio.c 2005-10-11 23:32:55.476598445 +0200 @@ -673,9 +673,9 @@ * Default permissions for new [g]shadow files. * (passwd and group always exist...) */ - sb.st_mode = 0400; + sb.st_mode = 0440; sb.st_uid = 0; - sb.st_gid = 0; + sb.st_gid = 42; } snprintf (buf, sizeof buf, "%s+", db->filename);