7

On my Ubuntu 9.10 system, there's a shadow system group. There does not appear to be any user assigned to this group at all. The only files that I can find belonging to this group are /etc/shadow and /etc/gshadow.

I'm aware that the purpose of these files is to store the passwords separately, out of reach from regular users who still might want to access passwd for other reasons.

But what is the purpose of the shadow group?

The reason I'm curious about this, is because I'm thinking about configuring nsswitch.conf to store it elsewhere, and would like to know if anything is actually trying to access the shadow database using shadow group credentials.

Shtééf

3 Answers

5
$ find /usr/bin/ -group shadow | xargs ls -l
-rwxr-sr-x 1 root shadow 45384 2008-12-08 03:13 /usr/bin/chage
-rwxr-sr-x 1 root shadow 21424 2008-12-08 03:13 /usr/bin/expiry

There may not be any users, but there is certainly software that needs to be able to read that file. Note that passwd itself is setuid root, and so doesn't need this.

Phil Miller
2

No, the shadow group should have no users, but this group is required for shadow passwords to work.

I guess the idea here is to have the file accessible by root and root only. You may have extra users in root group, this is why the separate user group was created.

solefald
    Do you have a reference to some kind of documentation that talks about that requirement? – Zoredache Apr 16 '10 at 21:01
  • Hm... http://www.linux.org/docs/ldp/howto/Shadow-Password-HOWTO-5.html says "None of the users on the system should actually be in the shadow group." Also https://help.ubuntu.com/community/FilePermissions "Some files are configured to have very restrictive permissions to prevent unauthorized access. For example, the /etc/shadow file (file that stores all local user passwords) does not have permissions for regular users to read or otherwise access." I guess you could change the group to anything you want, but the `shadow` group is what has been used historically – solefald Apr 16 '10 at 21:07
  • As long as the group permissions on that file are set to 0, and it's owned by root, I think it doesn't matter? But they're set to 'r' for the group. Why? – Chris Lercher Apr 16 '10 at 21:12
  • @chris_l: see my answer – Phil Miller Apr 16 '10 at 22:50
2

On my Ubuntu machine there are a number of commands which are set-group-id to shadow. This provides them exactly and only the privilege of reading the two shadow files (which are grouped to shadow, and only group-readable).

-rwxr-sr-x 1 root shadow 35584 Mar 16 11:45 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 35544 Mar 16 11:45 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 59224 Jul 20  2015 /usr/bin/chage
-rwxr-sr-x 1 root shadow 23424 Jul 20  2015 /usr/bin/expiry


-rw-r----- 1 root shadow 1043 Apr  2 00:27 /etc/gshadow
-rw-r----- 1 root shadow 1732 Apr  2 00:27 /etc/shadow

If you have a service which only needs to be able to read one or the other of the shadow files, just make it set-group-id to shadow. This is sort of the opposite of what's suggested above - it's not that there are lots of other people who are in group root, it's that by convention (and file permissions) this group grants you access to only these two resources.
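The convention the answers describe (shadow files are root:shadow mode 0640, the group has no human members, and the only things that can read the files without being root are a handful of set-group-id binaries) can be checked in a few lines of shell. The script below is an added example, not code from the thread or from the shadow-utils package; it assumes GNU stat and GNU find, and takes paths and group names as parameters so it can be run against a scratch directory as well as the live /etc.

```sh
#!/bin/sh
# Audit helpers for the shadow-group convention (added example, not from the
# thread). Assumes GNU stat and GNU find, i.e. a Linux host.

# check_restricted_file FILE OWNER GROUP
# Exit 0 only if FILE is a regular file owned by OWNER:GROUP, not
# group-writable and with no permission bits at all for "other"; this is the
# -rw-r----- root:shadow shape /etc/shadow and /etc/gshadow should have.
check_restricted_file() {
    f=$1; want_owner=$2; want_group=$3
    [ -f "$f" ] || { echo "FAIL $f: not a regular file" >&2; return 1; }
    og=$(stat -c '%U:%G' "$f")
    if [ "$og" != "$want_owner:$want_group" ]; then
        echo "FAIL $f: owner is $og, expected $want_owner:$want_group" >&2
        return 1
    fi
    mode=$(stat -c '%A' "$f")
    # Symbolic mode such as -rw-r-----: char 6 is group write, chars 8-10 are
    # the "other" bits; all four must be '-'. Owner bits are left unconstrained.
    case $mode in
        -????-?---) return 0 ;;
        *) echo "FAIL $f: mode $mode is too permissive" >&2; return 1 ;;
    esac
}

# list_setgid_to_group DIR GROUP
# Print every regular file under DIR that is set-group-id and owned by GROUP.
# With GROUP=shadow these are exactly the programs that may read the shadow
# files without being root (chage, expiry, unix_chkpwd, ...).
list_setgid_to_group() {
    find "$1" -xdev -type f -group "$2" -perm -2000 2>/dev/null | sort
}

# users_in_group GROUP [GROUPFILE]
# Print the explicit member list of GROUP from GROUPFILE (default /etc/group).
# Accounts whose primary gid is GROUP in /etc/passwd are not covered here.
users_in_group() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}"
}

# audit_shadow_group: run the three checks against the live system and
# return non-zero if the convention is violated anywhere.
audit_shadow_group() {
    rc=0
    for f in /etc/shadow /etc/gshadow; do
        check_restricted_file "$f" root shadow || rc=1
    done
    members=$(users_in_group shadow)
    if [ -n "$members" ]; then
        echo "FAIL: shadow group has members: $members" >&2
        rc=1
    fi
    echo "set-group-id shadow programs (each can read /etc/shadow):"
    for d in /usr/bin /usr/sbin /bin /sbin; do
        [ -d "$d" ] && list_setgid_to_group "$d" shadow
    done
    return $rc
}

# Run the live audit only when explicitly asked: ./shadow-audit.sh audit
if [ "${1:-}" = audit ]; then
    audit_shadow_group
fi
```

Anything listed by the last step but not shipped by the distribution (a locally built helper made setgid shadow, as the answer suggests) is worth knowing about before moving the shadow database elsewhere via nsswitch.conf, because those binaries read the file directly rather than going through NSS.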