Checking Password File Integrity

There’s a lot going on in all these files (/etc/group, /etc/passwd, /etc/shadow, and /etc/gshadow), and you need some kind of password file syntax integrity checker. You don’t want to find out that you’ve made some mistake—like forgetting to give someone a password—after an attacker has broken into your system!

Use pwck for checking /etc/passwd and /etc/shadow, and use grpck for /etc/group and /etc/gshadow:

# pwck

# grpck

pwck performs a consistency check on the /etc/passwd and /etc/shadow files. It checks each user account, and verifies that it has:

  • The correct number of fields
  • A unique user name
  • A valid user and group identifier
  • A valid primary group
  • A valid home directory
  • A valid login shell

pwck will report any account that has no password.

When pwck finds an error, your choices are to delete the account or to ignore it; if you ignore it, pwck shuts down and won’t check any more lines (with one exception: if it finds a duplicate name, it continues checking even if you don’t delete the account).
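To make the checks above concrete, here is an added example (not the pwck source) that applies the same consistency rules to constructed /etc/passwd, /etc/shadow and /etc/group contents; the sample data and the stand-in shell list are assumptions.

```python
# Added example, not the pwck source. Constructed sample: root is fine, alice has
# no password in shadow, bob's primary group is missing, 'broken' lacks a field.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:9999:Bob:/home/bob:/bin/sh
broken:x:1002:1002:/home/broken:/bin/sh
"""
SHADOW = """root:$6$constructed$hash:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$6$constructed$hash:19000:0:99999:7:::
broken:$6$constructed$hash:19000:0:99999:7:::
"""
GROUP = """root:x:0:
alice:x:1000:
broken:x:1002:
"""
VALID_SHELLS = ("/bin/sh", "/bin/bash")  # stands in for /etc/shells


def check_passwd(passwd, shadow, group, shells=VALID_SHELLS):
    """Return a list of problems, in the spirit of pwck; empty means consistent."""
    problems = []
    # Group ids that may serve as a primary group (name:pw:gid:members).
    gids = {f[2] for f in (l.split(":") for l in group.splitlines()) if len(f) == 4}
    # Shadow entries have nine fields; field 2 is the hashed password.
    shadow_pw = {f[0]: f[1] for f in (l.split(":") for l in shadow.splitlines()) if len(f) == 9}
    seen = set()
    for n, line in enumerate(passwd.splitlines(), 1):
        f = line.split(":")
        if len(f) != 7:
            problems.append(f"line {n}: wrong number of fields ({len(f)})")
            continue
        name, pw, uid, gid, _gecos, home, shell = f
        if name in seen:
            problems.append(f"{name}: duplicate user name")
        seen.add(name)
        if not (uid.isdigit() and gid.isdigit()):
            problems.append(f"{name}: uid/gid must be numeric")
        elif gid not in gids:
            problems.append(f"{name}: primary group {gid} not in group file")
        # Real pwck also verifies the directory exists; here only the path shape.
        if not home.startswith("/"):
            problems.append(f"{name}: home {home!r} is not an absolute path")
        if shell not in shells:
            problems.append(f"{name}: shell {shell!r} not in allowed list")
        # 'x' defers to shadow; an empty hash in either place means no password.
        effective = shadow_pw.get(name, pw) if pw == "x" else pw
        if effective == "":
            problems.append(f"{name}: no password")
    return problems
```

Running `check_passwd(PASSWD, SHADOW, GROUP)` on the sample reports alice's empty password, bob's nonexistent primary group, and the field-count error on the last line.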

grpck checks the /etc/group and /etc/gshadow files to verify that each group has:

  • The correct number of fields
  • A unique group name
  • A valid list of members and administrators