How to create a user and give it read permission to /etc/shadow file?

Solution 1:

Changing an owner group of such important file could even break some things, which is dangerous.

The proper secure way to achieve that is to use POSIX ACLs:

setfacl -m u:special_user:r /etc/shadow

Another problem here is that you gave this right to Nginx, a web server. Which, I suppose, runs some web application. And it is very bad idea to have direct access to /etc/shadow from web application.

This may seem counterproductive, but this is the way all serious systems do such things: they include private secure proxy service which does all security checks and web front end only can talk to this proxy service to have some access to sensitive data or do other sensitive things. For example, this is the way Proxmox VE is built: there is pvedaemon which does dangerous things, and pveproxy (a web server) only talks to pvedaemon when it needs to do such things.

The third problem is that you access this file at all. What you intend to do? This file is a part of PAM suite. What if some system authentication is modified so it is not using a shadow file, or it is moved? You should use PAM library calls which will do all that stuff for you.

How can I find the version of all Terraform providers in a workspace?

How can I attach persistent storage to an AWS Lightsail container?

Server disk full, Mysql service can't start, how can i shrink the database?

Managing IPtables efficiently with Saltstack

How to use this and that in daily conversation. For example: 'this' or 'that is a good question' [duplicate]

Passive Voice with ''to be to be and past participle'' [duplicate]

Is "must have four cats" the same as "must have got four cats"?

Word for a shop which sells materials used in making clothing

Comma or semicolon for genuine "thank you" at the end of a sentence?

The meaning of a phrase "to flip a traditional pancake over"

Why are Centennials called that?

What does "look" mean in the phrase "you don't look your age"? [closed]