As users are added, updated, and deleted, it's quite easy for the administrative files to get out of sync with each other, especially if any manual edits have been made to them. Therefore, in this last section we'll look at a few of the utilities that can be used to check and maintain the related files (/etc/passwd, /etc/shadow, and /etc/group).
We've already come across pwconv; it was used in our custom script earlier. It creates or updates the shadow file by synchronizing it with the password file.
It relies on a special value, "x", in the second field of /etc/passwd (the encrypted password field) to indicate that the user's password is held in /etc/shadow. If that field holds anything other than "x", pwconv moves the encrypted password into /etc/shadow and replaces the original password field in /etc/passwd with an "x".
This means that if a user has an entry in /etc/passwd but none in /etc/shadow, pwconv will create the shadow entry and insert the required "x" into the password file. Similarly, if there is an entry in the shadow file with no corresponding entry in the password file, it will remove the shadow entry. It is also intelligent enough to know that an encrypted password sitting in /etc/passwd, with no entry for that user in /etc/shadow, usually means an old-style password file is in use. In this case, it will create the correct entry in the shadow file and move the password there too.
Let's look at the following example, which uses the old-style password entry. In other words, the encrypted password is stored in /etc/passwd and the user doesn't have a /etc/shadow entry:
hydrogen# grep testuser /etc/passwd
testuser:ba7btwLghQU86:500:100:Test User:/home/testuser:/bin/ksh
hydrogen#
Running pwconv and looking at the two files again will give the following result:
hydrogen# grep testuser /etc/passwd
testuser:x:500:100:Test User:/home/testuser:/bin/ksh
hydrogen#
hydrogen# grep testuser /etc/shadow
testuser:ba7btwLghQU86:::::::
hydrogen#
Two programs, named pwck and grpck, are supplied to check the contents of /etc/passwd and /etc/group, respectively. They look for missing passwords, the wrong number of fields, duplicate entries, shells and home directories that don't exist, and so on.
To illustrate this, let's alter testuser's shell to something that doesn't exist, say /bin/nosuchshell. pwck will then report an error, as shown below:
hydrogen# passmgmt -m -s /bin/nosuchshell testuser
hydrogen# pwck
testuser:x:500:100::/export/home/testuser:/bin/nosuchshell
        Optional shell file not found
hydrogen#
Using grpck to check the group file may display something similar to that shown below. The "Duplicate logname entry" warning means a user is listed as a member of a group that is already that user's primary group in /etc/passwd, so the membership line is redundant:
hydrogen# grpck
bin::2:root,bin,daemon
        bin - Duplicate logname entry (gid first occurs in passwd entry)
sys::3:root,bin,sys,adm
        sys - Duplicate logname entry (gid first occurs in passwd entry)
hydrogen#
We saw earlier that the passwd command, with the -s option, can be used to display a user's password status. By adding -a, as shown here, it will display the status of every entry in /etc/passwd. From there, we can carry out tasks such as searching for all locked accounts (LK) or all accounts without a valid password (NP); PS indicates an account that has a password set.
hydrogen# passwd -sa
root      PS
daemon    LK
bin       LK
sys       LK
adm       LK
lp        LK
smtp      LK
uucp      LK
nuucp     LK
listen    LK
nobody    LK
noaccess  LK
nobody4   LK
testuser  LK  12/07/99  0  60  5
hydrogen#
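To make the three sets of checks above concrete, here is an added shell script, not Solaris code and not the pwconv, pwck, grpck or passwd binaries themselves, that reproduces what those utilities look for, against small constructed copies of the three files. The sample files, their user and group names, and the functions sync_report, pwck_report, grpck_report and weak_accounts are all assumptions for illustration. It covers the pwconv synchronization rules, the pwck/grpck field and membership checks, and filtering passwd -sa output down to LK and NP accounts; because it takes file paths as arguments it can be run unprivileged against copies rather than the live files.

```shell
#!/bin/sh
# Added example, not the Solaris utilities themselves: portable checks over
# copies of the passwd, shadow and group files, modelled on what pwconv,
# pwck, grpck and "passwd -s -a" look for. The file paths are arguments
# rather than /etc/passwd etc., so it runs unprivileged on copies.

# --- constructed sample files (not real system data) -----------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# testuser still carries an old-style encrypted password in field two;
# toor reuses uid 0; broken has too few fields; olduser has a bad shell.
cat > "$WORK/passwd" <<'EOF'
root:x:0:1:Super-User:/:/bin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
testuser:ba7btwLghQU86:500:100:Test User:/home/testuser:/bin/sh
olduser:x:501:100:Old User:/home/olduser:/bin/nosuchshell
noshadow:x:502:100:No Shadow:/home/noshadow:/bin/sh
toor:x:0:1:Second root:/:/bin/sh
broken:x:503:100:Broken
EOF

# orphan has a shadow entry but no passwd entry.
cat > "$WORK/shadow" <<'EOF'
root:NP:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
olduser:*LK*:10932::::::
toor:NP:6445::::::
orphan:x:6445::::::
EOF

# bin is listed in its own primary group; ghost has no passwd entry.
cat > "$WORK/group" <<'EOF'
root::0:root
other::1:
bin::2:root,bin,daemon
staff::10:testuser,ghost
EOF

# What pwconv would do: CREATE a missing shadow entry, MOVE an old-style
# password out of passwd, REMOVE a shadow entry that has no passwd entry.
sync_report() {  # $1 passwd file, $2 shadow file
    awk -F: '
        NR == FNR { pw[$1] = 1; if ($2 != "x") old[$1] = 1; next }
                  { sh[$1] = 1 }
        END {
            for (u in pw)  if (!(u in sh)) print "CREATE " u
            for (u in old) print "MOVE " u
            for (u in sh)  if (!(u in pw)) print "REMOVE " u
        }' "$1" "$2" | LC_ALL=C sort
}

# pwck-style checks: field count, duplicate uid, and whether the (optional)
# shell named in field seven actually exists on this system.
pwck_report() {  # $1 passwd file
    awk -F: '
        NF != 7     { print $1 " - Wrong number of fields"; next }
        ($3 in uid) { print $1 " - Duplicate uid (first used by " uid[$3] ")" }
                    { uid[$3] = $1 }' "$1"
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ -n "$shell" ] && [ ! -x "$shell" ]; then
            echo "$name - Optional shell file not found"
        fi
    done < "$1"
}

# grpck-style checks: every member must exist in passwd, and a member whose
# primary gid is already this group is redundant (grpck's "Duplicate logname
# entry (gid first occurs in passwd entry)").
grpck_report() {  # $1 group file, $2 passwd file
    awk -F: '
        NR == FNR { primary[$1] = $4; next }
        NF != 4   { print $1 " - Wrong number of fields"; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                if (!(m[i] in primary))
                    print m[i] " - Logname not found in password file"
                else if (primary[m[i]] == $3)
                    print m[i] " - Duplicate logname entry (gid first occurs in passwd entry)"
            }
        }' "$2" "$1"
}

# Filter "passwd -s -a" style output (second field is the status) down to
# locked (LK) and passwordless (NP) accounts. Reads stdin, so on a real
# Solaris box:  passwd -s -a | weak_accounts
weak_accounts() {
    awk '$2 == "LK" || $2 == "NP" { print $1, $2 }'
}

echo "== pwconv would:";  sync_report  "$WORK/passwd" "$WORK/shadow"
echo "== pwck:";          pwck_report  "$WORK/passwd"
echo "== grpck:";         grpck_report "$WORK/group" "$WORK/passwd"
echo "== LK/NP accounts:" # constructed passwd -s -a output
printf 'root PS\ndaemon LK\nbin NP\ntestuser LK 12/07/99 0 60 5\n' | weak_accounts
```

The shell-existence test is the only check that depends on the machine the script runs on, which is why the constructed entries use /bin/sh rather than /bin/ksh; everything else is pure field logic over the three files, so the report is the same wherever the copies are examined.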