Recipe 8.16. Checking Password File Integrity
8.16.1 Problem
There's a lot going on in all these files (/etc/group, /etc/passwd, /etc/shadow, and /etc/gshadow), and you need some kind of password file syntax integrity checker. You don't want to find out that you've made some mistake—like forgetting to give someone a password—after an attacker has broken into your system!
8.16.2 Solution
Use pwck for checking /etc/passwd and /etc/shadow, and use grpck for /etc/group and /etc/gshadow:
# pwck
# grpck
If they exit silently, no errors were found. Otherwise each problem is reported and, for the fatal ones (a line with the wrong number of fields, or a duplicate name), you are asked whether to delete the offending line. To just see all the errors without being prompted to change anything, run in read-only mode:
# pwck -r
# grpck -r
Both commands must be run as root, since /etc/shadow and /etc/gshadow are not world-readable. The exit status is 0 when the files are clean and 2 when bad entries were found (3, 4 and 5 mean the files could not be opened, locked or updated), so the read-only form is suitable for a cron job that mails you its output.
8.16.3 Discussion
pwck performs a consistency check on the /etc/passwd and /etc/shadow files. It checks each user account, and verifies that it has:
pwck will report any account that has no password. I love the wording in the man page: "The checks for correct number of fields and unique user name are fatal." That's hardly an inducement to utilize this useful program! However, rest assured: you are perfectly safe and will not be harmed.
When pwck finds one of these fatal errors, your choices are to delete the entry or to leave it alone. If you leave it, the remaining checks on that entry are skipped (with one exception: an entry with a duplicate user name is still put through the remaining checks even if you don't delete it), and pwck moves on to the next line of the file, so one bad line does not hide the rest.
grpck checks the /etc/group and /etc/gshadow files to verify that each group has:
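To make concrete what pwck and grpck are looking for, here is an added example (not part of the recipe, and not the shadow-utils code) that re-implements their main checks in Python over constructed sample files: the two checks the man page calls fatal (field count and duplicate names), a numeric UID/GID, a primary group that exists in /etc/group, a matching entry between each file and its shadow counterpart, group members and administrators that exist in /etc/passwd, and, since that is the recipe's worry, an empty password field. The checks that need the live system (the home directory and login shell must exist) are left out. The function names and the sample data are the example's own.

```python
# Added example for this recipe (not the shadow-utils source): an offline
# re-implementation of the main checks pwck(8) and grpck(8) make, so the
# "invalid entry", "duplicate entry" and "no matching entry" messages can be
# seen on data you control. Checks that need the live system (home directory
# and login shell must exist) are left out. The sample files below are
# constructed for the example, not taken from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1000:Bob:/home/bob:/bin/bash
carol:x:1002:4242:Carol:/home/carol:/bin/bash
root:x:0:0:root again:/root:/bin/bash
broken:x:1004:1004:missing fields
"""
SHADOW = """\
root:$6$saltsalt$hashhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
carol:$6$saltsalt$hashhash:19000:0:99999:7:::
dave:!:19000:0:99999:7:::
"""
GROUP = """\
root:x:0:
alice:x:1000:
wheel:x:10:alice,mallory
wheel:x:11:
"""
GSHADOW = """\
root:::
alice:::
wheel::alice:alice
staff:::bob
"""

def _parse(text, nfields, fname, findings):
    """Split a file into (lineno, fields), reporting the two 'fatal' conditions:
    a wrong number of fields (the line is dropped) and a duplicate name."""
    entries, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            findings.append(f"{fname}:{lineno}: invalid entry "
                            f"(expected {nfields} fields, got {len(fields)})")
            continue  # nothing else can be checked on an unparseable line
        if fields[0] in seen:
            findings.append(f"{fname}:{lineno}: duplicate entry for '{fields[0]}'")
        seen.add(fields[0])
        entries.append((lineno, fields))
    return entries

def check_passwd_shadow(passwd_text, shadow_text, group_text):
    """Roughly what 'pwck -r' reports; returns [] when the files are consistent."""
    findings = []
    passwd = _parse(passwd_text, 7, "passwd", findings)
    shadow = _parse(shadow_text, 9, "shadow", findings)
    gids = {f[2] for _, f in _parse(group_text, 4, "group", [])}
    users = {f[0] for _, f in passwd}
    shadow_pw = {f[0]: f[1] for _, f in shadow}
    for lineno, fields in passwd:
        name, pw, uid, gid = fields[:4]
        if not uid.isdigit() or not gid.isdigit():
            findings.append(f"passwd:{lineno}: user '{name}' has a non-numeric UID/GID")
        elif gid not in gids:
            findings.append(f"passwd:{lineno}: user '{name}': no group {gid}")
        if name not in shadow_pw:
            findings.append(f"passwd:{lineno}: user '{name}': no matching entry in shadow")
        # The recipe's real worry: an empty password field in either file
        # lets anyone log in as this user without a password.
        if pw == "" or (pw == "x" and shadow_pw.get(name) == ""):
            findings.append(f"passwd:{lineno}: user '{name}' has no password")
    for lineno, fields in shadow:
        if fields[0] not in users:
            findings.append(f"shadow:{lineno}: user '{fields[0]}': no matching entry in passwd")
    return findings

def check_group_gshadow(group_text, gshadow_text, passwd_text):
    """Roughly what 'grpck -r' reports; returns [] when the files are consistent."""
    findings = []
    groups = _parse(group_text, 4, "group", findings)
    gshadow = _parse(gshadow_text, 4, "gshadow", findings)
    users = {f[0] for _, f in _parse(passwd_text, 7, "passwd", [])}
    names = {f[0] for _, f in groups}
    gnames = {f[0] for _, f in gshadow}
    for lineno, (name, _pw, gid, members) in groups:
        if not gid.isdigit():
            findings.append(f"group:{lineno}: group '{name}' has a non-numeric GID")
        if name not in gnames:
            findings.append(f"group:{lineno}: group '{name}': no matching entry in gshadow")
        for member in filter(None, members.split(",")):
            if member not in users:
                findings.append(f"group:{lineno}: group '{name}' has an invalid member '{member}'")
    for lineno, (name, _pw, admins, members) in gshadow:
        if name not in names:
            findings.append(f"gshadow:{lineno}: group '{name}': no matching entry in group")
        for user in filter(None, f"{admins},{members}".split(",")):
            if user not in users:
                findings.append(f"gshadow:{lineno}: group '{name}' has an invalid member or administrator '{user}'")
    return findings
```

To try it on a real host, read /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow as root and pass their contents to check_passwd_shadow and check_group_gshadow; an empty list means the files are consistent. On the sample data it flags the second root line and the short "broken" line as fatal, alice and bob as having no password, carol's nonexistent primary group, the orphaned shadow entry for dave, the duplicate wheel group, the unknown member mallory, and the gshadow-only group staff. It is no replacement for pwck -r and grpck -r, which also confirm that home directories and shells exist, but it shows why a stray extra colon or a second line for the same name is treated as fatal: nothing after that point on the line can be trusted.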
8.16.4 See Also