nil
Java Geek
join:2000-11-27
kudos:2

Keeping the passwd and shadow files in synch

Checking Passwd and Shadow Files
By Sandra Henry-Stocker

If you've ever had problems keeping the /etc/passwd and /etc/shadow files in sync on a system, then you probably know how annoying it can be to figure out why one of the files has 122 lines and the other 124. Determining what records are included in one file and not the other, or which entries are duplicated, can take a lot of time. There are various ways to make the job easier.

You can locate duplicate entries with commands such as these:


# echo passwd "-----"
# cat /etc/passwd | awk -F: '{print $1}' | sort | uniq -c | grep -v 1
# echo shadow "-----"
# cat /etc/shadow | awk -F: '{print $1}' | sort | uniq -c | grep -v 1

If you have any duplicate entries, the output will look something like this:

passwd -----
gumby 2
shadow -----

In this example, gumby seems to have two entries in the /etc/passwd file. By removing all of the lines with only 1 record, we reduce the output to only what we're concerned about -- the duplicate records. Of course, we'd overlook gumby's duplicated records if gumby had 10 of them, but this is extremely unlikely.

Another approach is to look through each of the /etc/passwd and /etc/shadow files and check it against the other. In other words, we would first look through the passwd file and make sure that every user defined in it also had a record in the shadow file. We would then look through the shadow file and make sure that every user defined in it had a record in the passwd file. By doing this, we would pick out any user who was defined in one file and not the other.

The script at the bottom of this column does this checking. The only tricky part (and it's not all that tricky) is making sure that you don't confuse user names with substrings. If you employ one person with the username gumby and another named biggumby, then you don't want to confuse the two. Delimiting the names in your search by using the special beginning of line character (^) and the delimiter used in each of these files (":"), you constrain your matches to the username and nothing but the username. The string "^gumby:" will not match any name but "gumby".

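#!/bin/csh
# Report usernames that do not have exactly one entry in each file.

# Every user in /etc/shadow should match exactly one line in /etc/passwd.
echo problems in /etc/passwd
echo "====================="
foreach U (`cat /etc/shadow | awk -F: '{print $1}'`)
    # ^ and the trailing ":" limit the match to the username field
    set OK = `grep ^$U":" /etc/passwd | wc -l`
    if ($OK != 1) then
        echo $U
    endif
end
echo ""

# Every user in /etc/passwd should match exactly one line in /etc/shadow.
echo problems in /etc/shadow
echo "====================="
foreach U (`cat /etc/passwd | awk -F: '{print $1}'`)
    set OK = `grep ^$U":" /etc/shadow | wc -l`
    if ($OK != 1) then
        echo $U
    endif
end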

--
Life is too short to be boring
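
An added example, not part of the original post or the article it quotes: a POSIX sh version of both checks that compares usernames as whole strings and counts duplicates numerically. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; function names are illustrative.

# users FILE: print the username (field 1) of every non-empty line.
users() { awk -F: '$1 != "" { print $1 }' "$1"; }

# dup_users FILE: print "name count" for each username listed more than once.
# The count is compared numerically, so a name with 10 entries, or a name
# containing the digit 1, is still reported.
dup_users() { users "$1" | sort | uniq -c | awk '$1 > 1 { print $2, $1 }'; }

# only_in A B: print usernames present in A but absent from B. Names are
# compared as whole strings, so "gumby" never matches "biggumby" and regex
# characters in a name are taken literally.
only_in() {
    awk -F: '$1 == "" { next }
             FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) && !shown[$1]++ { print $1 }' "$2" "$1"
}

# label TEXT: prefix each line read from stdin with TEXT.
label() { while IFS= read -r line; do printf '%s: %s\n' "$1" "$line"; done; }

# check_sync PASSWD SHADOW: print every discrepancy; return 1 if any was found.
check_sync() {
    report=$(
        dup_users "$1"    | label "duplicate in $1"
        dup_users "$2"    | label "duplicate in $2"
        only_in "$1" "$2" | label "missing from $2"
        only_in "$2" "$1" | label "missing from $1"
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample data (not real accounts): gumby is listed twice in the
# passwd copy, biggumby has no shadow entry, ghost has no passwd entry.
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'gumby:x:1001:1001::/home/gumby:/bin/sh' \
    'biggumby:x:1002:1002::/home/biggumby:/bin/sh' \
    'gumby:x:1001:1001::/home/gumby:/bin/sh' > "$demo/passwd"
printf '%s\n' 'root:*:19000:0:99999:7:::' 'gumby:*:19000:0:99999:7:::' \
    'ghost:*:19000:0:99999:7:::' > "$demo/shadow"
check_sync "$demo/passwd" "$demo/shadow" || echo "files are out of sync"
rm -rf "$demo"
```

On a live system, call check_sync /etc/passwd /etc/shadow as root, since /etc/shadow is normally unreadable to other users.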