What is the `shadow` group used for?

On my Ubuntu 9.10 system, there's a shadow system group. There does not appear to be any user assigned to this group at all. The only files that I can find belonging to this group are /etc/shadow and /etc/gshadow.

I'm aware that the purpose of these files is to store the passwords separately, out of reach from regular users who still might want to access passwd for other reasons.

But what is the purpose of the shadow group?

The reason I'm curious about this is that I'm thinking about configuring nsswitch.conf to store it elsewhere, and I would like to know if anything is actually trying to access the shadow database using shadow group credentials.


Solution 1:

$ find /usr/bin/ -group shadow | xargs ls -l
-rwxr-sr-x 1 root shadow 45384 2008-12-08 03:13 /usr/bin/chage
-rwxr-sr-x 1 root shadow 21424 2008-12-08 03:13 /usr/bin/expiry

There may not be any users, but there is certainly software that needs to be able to read that file. Note that passwd itself is setuid root, and so doesn't need this.

Solution 2:

No, the shadow group should have no users, but this group is required for shadow passwords to work.

I guess the idea here is to have the file accessible by root and root only. You may have extra users in the root group, which is why the separate group was created.

Solution 3:

On my Ubuntu machine there are a number of commands which are set-group-id to shadow. This provides them exactly and only the privilege of reading the two shadow files (which are grouped to shadow, and only group-readable).

-rwxr-sr-x 1 root shadow 35584 Mar 16 11:45 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 35544 Mar 16 11:45 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 59224 Jul 20  2015 /usr/bin/chage
-rwxr-sr-x 1 root shadow 23424 Jul 20  2015 /usr/bin/expiry
-rw-r----- 1 root shadow 1043 Apr  2 00:27 /etc/gshadow
-rw-r----- 1 root shadow 1732 Apr  2 00:27 /etc/shadow

If you have a service which only needs to be able to read one or the other of the shadow files, just make it set-group-id to shadow. This is sort of the opposite of what's suggested above - it's not that there are lots of other people who are in group root, it's that by convention (and file permissions) this group grants you access to only these two resources.
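The convention Solution 3 describes (root:shadow 0640 on the two files, an empty shadow group, and only set-group-id helpers in that group) can be turned into a quick audit. The script below is an added example, not code from any of the answers above; it assumes GNU find's -printf, getent, and the Debian/Ubuntu file layout, and the function names check_record, shadow_group_members and audit_live are chosen here.

```shell
#!/bin/sh
# Added audit helper (not from the answers above). Encodes the convention
# described in Solution 3: /etc/shadow and /etc/gshadow are root:shadow 0640,
# the shadow group has no members, and every other file in group shadow is a
# set-group-id helper (chage, expiry, unix_chkpwd, ...).
# Assumes GNU find (-printf) and getent; paths are Debian/Ubuntu defaults.

# Check one "mode owner group path" record, as printed by
# `stat -c '%a %U %G %n'` or `find -printf '%m %u %g %p\n'`.
# Prints a verdict and returns 0 if the record matches the convention.
check_record() {
    mode=$1 owner=$2 group=$3 path=$4
    case "$path" in
        /etc/shadow|/etc/gshadow)
            # Password databases: root-owned, group shadow, no world access.
            if [ "$owner" = root ] && [ "$group" = shadow ] && [ "$mode" = 640 ]; then
                echo "ok   $path is root:shadow 0640"; return 0
            fi
            echo "WARN $path is $owner:$group $mode (expected root:shadow 0640)"
            return 1 ;;
        *)
            # Anything else in group shadow should carry the setgid bit (2xxx);
            # a plain file in that group deserves an explanation.
            case "$mode" in
                2*) echo "ok   $path is set-group-id shadow"; return 0 ;;
                *)  echo "WARN $path is group shadow but not setgid (mode $mode)"
                    return 1 ;;
            esac ;;
    esac
}

# Extract the member list from a getent(1) group line (name:x:gid:members).
# An empty result is the expected state for the shadow group.
shadow_group_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Live run on the local system: check every file owned by group shadow,
# then confirm the group has no members.
audit_live() {
    find / -xdev -group shadow -printf '%m %u %g %p\n' 2>/dev/null |
        while read -r m u g p; do check_record "$m" "$u" "$g" "$p"; done
    members=$(shadow_group_members "$(getent group shadow)")
    if [ -z "$members" ]; then
        echo "ok   group shadow has no members"
    else
        echo "WARN group shadow has members: $members"
    fi
}
```

Run `audit_live` as root to see the live output; check_record and shadow_group_members also work on captured stat/getent output, which is how the checks can be tested without a privileged shell.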