Archive for the ‘Users / Groups’ Category

Checking Password File Integrity

Friday, February 1st, 2008

There’s a lot going on in all these files (/etc/group, /etc/passwd, /etc/shadow, and /etc/gshadow), and you need some kind of password file syntax integrity checker. You don’t want to find out that you’ve made some mistake—like forgetting to give someone a password—after an attacker has broken into your system!

Use pwck for checking /etc/passwd and /etc/shadow, and use grpck for /etc/group and /etc/gshadow:

# pwck

# grpck

pwck performs a consistency check on the /etc/passwd and /etc/shadow files. It checks each user account, and verifies that it has:

  • The correct number of fields
  • A unique and valid user name
  • A valid user and group identifier
  • A valid primary group
  • A valid home directory
  • A valid login shell

pwck will also report any account that has no password, and, when /etc/shadow exists, it checks that every passwd entry has a matching shadow entry and vice versa.

Only two of the checks are fatal. If a line has the wrong number of fields, pwck asks whether to delete the whole entry, and if you decline it stops checking the rest of the file. If it finds a duplicate user name it also offers to delete the entry, but carries on with the remaining checks either way. Everything else (a bad UID or GID, a missing primary group, home directory or shell) is a warning that pwck expects you to fix afterwards with usermod. Both pwck and grpck take -r for a read-only, non-interactive pass, which is the form to use from a cron job or before a change window, so you see every finding without being prompted to delete anything.

grpck checks the /etc/group and /etc/gshadow files to verify that each group has:

  • The correct number of fields
  • A unique and valid group name
  • A valid group identifier
  • A valid list of members and administrators

As with pwck, a wrong field count is fatal and a duplicate name is prompted for deletion; the rest are warnings. A member name that does not exist in /etc/passwd is the usual finding after a hand edit.
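As an added example (not part of the original post and not the shadow-utils code), here is a read-only checker in POSIX sh and awk that reproduces the core pwck and grpck checks listed above against a constructed pair of passwd and group files. It goes slightly beyond the two tools by also flagging duplicate UIDs and GIDs and any non-root account with UID 0, which is what a backdoor account planted after a break-in usually looks like. The sample entries are made up for the demonstration; pass it /etc/passwd and /etc/group to run it on a real system.

```sh
#!/bin/sh
# Read-only passwd/group consistency checker modelled on pwck and grpck.
# Added example with constructed sample data; not the shadow-utils code.

# Constructed sample: one entry per problem class, plus some healthy ones.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
squid:x:109:109::/home/squid:/bin/false
backup::34:34:backup:/var/backups:/usr/sbin/nologin
broken:x:1001:1001:missing fields
root:x:1002:1002:dup:/home/dup:/bin/sh
www:x:0:33:www:/var/www:/bin/sh'

SAMPLE_GROUP='root:x:0:
daemon:x:1:
squid:x:109:
proxy:x:109:squid
staff:x:50:squid,nosuchuser
staff:x:51:'

# check_passwd FILE: print one finding per line; exit 1 if anything was found.
check_passwd() {
    awk -F: '
        NF != 7 { printf "line %d: %d fields, expected 7\n", NR, NF; bad++; next }
        $1 in name { printf "line %d: duplicate user name %s\n", NR, $1; bad++ }
        { name[$1] = NR }
        $2 == "" { printf "line %d: empty password field for %s\n", NR, $1; bad++ }
        $3 == 0 && $1 != "root" { printf "line %d: %s has UID 0\n", NR, $1; bad++ }
        $3 in uid { printf "line %d: UID %s already used by %s\n", NR, $3, uid[$3]; bad++ }
        { uid[$3] = $1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# check_group GROUPFILE PASSWDFILE: same idea for /etc/group; member names are
# checked against the passwd file, which awk reads first (while NR == FNR).
check_group() {
    awk -F: '
        NR == FNR { user[$1] = 1; next }
        NF != 4 { printf "line %d: %d fields, expected 4\n", FNR, NF; bad++; next }
        $1 in gname { printf "line %d: duplicate group name %s\n", FNR, $1; bad++ }
        { gname[$1] = FNR }
        $3 in gid { printf "line %d: GID %s already used by %s\n", FNR, $3, gid[$3]; bad++ }
        { gid[$3] = $1 }
        $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (!(m[i] in user)) { printf "line %d: group %s lists unknown member %s\n", FNR, $1, m[i]; bad++ }
        }
        END { exit bad ? 1 : 0 }
    ' "$2" "$1"
}

# Usage on a live system: sh check-files.sh /etc/passwd /etc/group
if [ "$#" -eq 2 ]; then
    check_passwd "$1"
    check_group "$2" "$1"
fi
```

The checker never prompts and never writes, so it is safe to run from cron; a non-zero exit is the signal to look at the output. Unlike pwck it treats a second UID 0 as a finding rather than a legal oddity, because on a server that is almost never intentional.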

Adding and Deleting Group Members

Friday, February 1st, 2008

If you need to give users some group memberships, or remove users from groups, you can edit /etc/group directly: the fourth field of each line is the comma-separated member list, and copying a name from one line to another is the fastest way. Do it with vigr rather than a plain editor, so the file is locked while you work, and run grpck afterwards so a stray space or comma is caught before it locks someone out. For one user at a time, gpasswd -a user group and gpasswd -d user group make the same edit safely.

You may also use adduser and usermod, but beware of sneaky gotchas: Debian's adduser user group form adds a user to only one group per invocation, while usermod -G, which accepts a comma-separated list of groups, replaces the user's entire supplementary group list with what you give it unless you also pass -a (--append). Forgetting -a is how an admin quietly drops out of a group such as sudo. Compare id -nG user before and after to be sure the result is what you meant.

Creating System Groups with addgroup

Friday, February 1st, 2008

If you need to create some new system groups with addgroup, pass --system so the GID is taken from the system range (FIRST_SYSTEM_GID to LAST_SYSTEM_GID in /etc/adduser.conf on Debian) rather than the range used for login users:

# addgroup --system newsysgroup

You can assign the GID yourself, overriding the default. Stick with your distribution's (or your own) numbering scheme, and keep it inside the system range so the group is not mistaken for a login user's:

# addgroup --system --gid 300 newsysgroup

Creating a System User

Friday, February 1st, 2008

You need to know how to create system users for programs like Postfix, Apache, or Squid. These programs should have their own unique user accounts and not just all pile into “nobody.”

Both adduser and useradd can do this. adduser works like this:

# adduser --system --no-create-home --group squid
Adding system user squid…
Adding new group squid (109).
Adding new user squid (109) with group squid
Not creating home directory

Check your work:

# getent passwd squid
squid:x:109:109::/home/squid:/bin/false

Even though it lists /home/squid, a home directory is not created.

Here's how useradd does it. useradd won't create the group for you, so create it first (groupadd -r squid); -r puts the account in the system UID range, and -M makes sure no home directory is created even though one is recorded in /etc/passwd:

# useradd -r -M -d /dev/null -g squid -s /bin/false squid

The nobody user is the default for a lot of daemons and processes that need a system account, but an increasing number of applications require their own unique users. Use a unique user whenever possible, because it's good security practice: processes running under the same UID can signal each other, read each other's files and, unless the kernel restricts ptrace, attach to each other, so one hole in any daemon running as nobody hands an attacker every other nobody process too. The nobody account is a well-known target for exactly that reason, and you don't want to expose all kinds of processes and daemons to a common point of attack.
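Creating the account is half the job; the other half is checking that it really cannot log in. As an added example (not part of the original post), here is a small POSIX sh audit that takes an account name plus the passwd and shadow files and reports a UID in the login-user range, an interactive shell, or a password that would actually work. The sample passwd and shadow entries are constructed for the demonstration; the cut-off of 1000 for ordinary users is the shadow-utils default (UID_MIN in /etc/login.defs) and is an assumption for your system.

```sh
#!/bin/sh
# Audit a service account after creating it: is the UID in the system range,
# is the shell non-interactive, and is the password really unusable?
# Added example with constructed sample data (not from any real system); it
# assumes the shadow-utils convention that ordinary users start at UID 1000
# (UID_MIN in /etc/login.defs) and that "x" in passwd means "see shadow".

SAMPLE_PASSWD='squid:x:109:109::/home/squid:/bin/false
postfix:x:108:108::/var/spool/postfix:/usr/sbin/nologin
apache:x:1005:1005::/home/apache:/bin/bash'

# In shadow, "*" and "!" (or "!" prefixed to a hash) mean no password will ever
# match; the apache entry carries a hash-shaped string, so a password would work.
SAMPLE_SHADOW='squid:*:17500:0:99999:7:::
postfix:!:17500:0:99999:7:::
apache:$6$saltsalt$notarealhash.justtheshapeofone0123456789:17500:0:99999:7:::'

UID_MIN=1000

# audit_service_account NAME PASSWDFILE SHADOWFILE
# Prints one line per problem found and returns 1 if there were any.
audit_service_account() {
    name=$1
    entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$2")
    if [ -z "$entry" ]; then
        echo "$name: no passwd entry"
        return 1
    fi
    pwfield=$(printf '%s\n' "$entry" | cut -d: -f2)
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    rc=0
    if [ "$uid" -ge "$UID_MIN" ]; then
        echo "$name: UID $uid is in the ordinary-user range (create with useradd -r or adduser --system)"
        rc=1
    fi
    case $shell in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) ;;
        *) echo "$name: interactive shell $shell (set it to /usr/sbin/nologin)"; rc=1 ;;
    esac
    if [ "$pwfield" != "x" ]; then
        echo "$name: passwd field is '$pwfield', not 'x' (unshadowed or empty password)"
        rc=1
    fi
    shadow_entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$3")
    if [ -z "$shadow_entry" ]; then
        echo "$name: no shadow entry"
        rc=1
    else
        hash=$(printf '%s\n' "$shadow_entry" | cut -d: -f2)
        case $hash in
            '*'|'!'*) ;;   # locked: cannot authenticate with a password
            '') echo "$name: empty shadow password, passwordless login possible"; rc=1 ;;
            *)  echo "$name: usable password hash present (lock it with passwd -l $name)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage on a live system (root is needed to read /etc/shadow):
#   audit_service_account squid /etc/passwd /etc/shadow
```

Run it for each daemon account you create; the common failure it catches is an account made with plain useradd (no -r, default shell) that was later given a password "temporarily".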

Deleting Groups with groupdel

Friday, February 1st, 2008

If you need to delete a group or groups, and you want to be sure there are no orphaned files or users, first move the group's members elsewhere: edit the member lists in /etc/group (with vigr, so the file is locked), or use gpasswd -d user oldgroup and gpasswd -a user newgroup. Also check that it is nobody's primary group, because groupdel refuses to remove a group that is still the primary group of an existing user; change those users with usermod -g first. Then use groupdel to delete the group, and find and chgrp to locate and reassign the group's files to another group.

To delete a group use:

# groupdel groupname

Deleting a group tends to be messy, because there is no utility for automatically migrating or deleting the files or users belonging to the group. Note the GID before you delete the group: afterwards ls shows only the bare number, and find / -nogroup will list every file whose group no longer exists. You'll need to hunt these down and change the GIDs manually:

# find / -gid 750
/usr/src/include/lber.h
/usr/src/include/ldap.h
/usr/src/include/ldbm.h

You can change these one at a time:

# chgrp 800 /usr/src/include/lber.h

Or you can let find and chgrp do the work (on a big tree, ending the -exec with + instead of \; hands many files to each chgrp and is much faster, and -xdev keeps find on one filesystem):

# find / -gid 750 -exec chgrp -v 800 {} \;
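The steps above (move the members, make sure no user has the group as primary, then groupdel and chgrp) are easy to get out of order, and groupdel simply refuses if a primary-group user is left. As an added example (not from the original post), here is a POSIX sh pre-flight that reads the passwd and group files and prints exactly what has to change before groupdel will succeed, run here against constructed sample files; the group name ldapdev, the user names and the GIDs 750 (to be deleted) and 800 (replacement) are made up, the latter two following the numbers in the post.

```sh
#!/bin/sh
# Pre-flight check before groupdel: groupdel refuses to remove a group that is
# still some user's primary group, and supplementary members and files are
# otherwise left behind silently. Added example with constructed sample files;
# GIDs 750 (doomed) and 800 (replacement) follow the post above.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:750:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash'

SAMPLE_GROUP='root:x:0:
ldapdev:x:750:bob,carol
users:x:800:alice'

# primary_users PASSWDFILE GID: users whose primary group is GID, one per line
primary_users() {
    awk -F: -v gid="$2" '$4 == gid { print $1 }' "$1"
}

# members_of GROUPFILE GID: supplementary members of group GID, one per line
members_of() {
    awk -F: -v gid="$2" '$3 == gid && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# preflight PASSWDFILE GROUPFILE GID: print what must change first; return 1
# if groupdel would be refused outright (a user still has GID as primary group).
preflight() {
    rc=0
    for u in $(primary_users "$1" "$3"); do
        echo "BLOCKER: $u has primary GID $3; run usermod -g <newgroup> $u first"
        rc=1
    done
    for m in $(members_of "$2" "$3"); do
        echo "member: $m loses GID $3; add to the replacement group with gpasswd -a $m <newgroup>"
    done
    return $rc
}

# On a live system, once preflight passes (all as root):
#   groupdel ldapdev
#   find / -xdev -gid 750 -exec chgrp -v 800 {} +   # reassign the group's files
#   find / -xdev -nogroup                            # anything still without a group
```

The file reassignment is left as commented commands because it needs root and a real filesystem; the two find invocations at the end are the ones to run, in that order, after the group is gone.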