On my Ubuntu 9.10 system, there's a shadow system group. There does not appear to be any user assigned to this group at all. The only files that I can find belonging to this group are /etc/shadow and /etc/gshadow.

I'm aware that the purpose of these files is to store the passwords separately, out of reach from regular users who still might want to access passwd for other reasons.

But what is the purpose of the shadow group?

The reason I'm curious about this is that I'm thinking about configuring nsswitch.conf to store it elsewhere, and would like to know if anything is actually trying to access the shadow database using shadow group credentials.
There may not be any users, but there is certainly software that needs to be able to read that file. Note that passwd itself is setuid root, and so doesn't need this.

No, the shadow group should have no users, but this group is required for shadow passwords to work.

I guess the idea here is to have the file accessible by root and root only. You may have extra users in the root group; this is why the separate user group was created.
On my Ubuntu machine there are a number of commands which are set-group-id to shadow. This provides them exactly and only the privilege of reading the two shadow files (which are grouped to shadow, and only group-readable).
If you have a service which only requires to be able to read one or the other of the shadow files, just make it set-group-id to shadow. This is sort of the opposite of what's suggested above - it's not that there are lots of other people who are in group root, it's that by convention (and file permissions) this group grants you access to only these two resources.