10

I am running through some system upgrades and my package manager is showing changes between the upstream /etc/shadow and mine.

I would like to put some comments in the file for next time this happens. How would I accomplish putting comments in the /etc/shadow file without breaking things?

I am thinking default "#" would likely do it, but if I get this wrong the reboot won't be that enjoyable.

DarkSheep
  • 1,886

3 Answers

14

On Linux systems using GNU libc, lines starting with # are ignored in /etc/shadow. The parsing is done by __fgetspent_r(), and its source code explicitly handles (and documents) this behaviour.

So on the vast majority of Linux systems you can comment lines in /etc/shadow with # without causing problems.

Unfortunately comments are dropped when /etc/shadow is updated, e.g. by passwd; so storing comments isn't actually safe (from the comments' point of view).

This means you need to find somewhere else to store your comments: two good suggestions are dr01's idea of using /etc/shadow.README, or better yet Gilles' idea of using commit messages with etckeeper.

Stephen Kitt
  • 434,908
  • Just about any invalid entry appears to get lost with passwd. I tried using a bogus user entry, or a valid one and adding characters to the final entry, but all to no avail. – Otheus Jun 01 '15 at 14:38
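To make the parser behaviour above concrete, here is an added example (not code from the answer or from glibc) that reads a constructed file in /etc/shadow format the way glibc's `__fgetspent_r` does, skipping empty lines, `#` lines and unparsable records, and then writes the records back out the way `passwd` does, which is where the comments disappear. The leading-blank skip before the `#` check and the silent dropping of bad lines are my reading of glibc's `fgetspent_r`; the hashes are fake.

```python
from dataclasses import dataclass, astuple
from typing import List, Optional

# Constructed sample in /etc/shadow format (fake hashes, not from any real system).
SAMPLE_SHADOW = """# upstream bumped the default max-age; local value kept on purpose
root:$6$saltsalt$fakehashfakehashfakehash:16500:0:99999:7:::

   # indented comment: glibc skips leading blanks before the '#' check
daemon:*:16500:0:99999:7:::
alice:$6$saltsalt$anotherfakehash:16500:0:99999:7::16800:
not a valid record
"""

@dataclass
class ShadowEntry:
    name: str
    passwd: str
    lastchg: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inact: Optional[int]
    expire: Optional[int]
    flag: str

def _num(field: str) -> Optional[int]:
    return int(field) if field else None  # empty field means "unset" in shadow(5)

def parse_shadow(text: str) -> List[ShadowEntry]:
    """Read records the way glibc's __fgetspent_r does: leading blanks are skipped,
    empty and '#' lines are ignored, and lines that do not parse are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            continue  # unparsable record: glibc just moves on to the next line
        entries.append(ShadowEntry(fields[0], fields[1],
                                   *(_num(f) for f in fields[2:8]), fields[8]))
    return entries

def write_shadow(entries: List[ShadowEntry]) -> str:
    """Rewrite the file from parsed records, as passwd does: only records come
    back out, so every comment and blank line is lost."""
    fmt = lambda v: "" if v is None else str(v)
    return "".join(":".join(fmt(v) for v in astuple(e)) + "\n" for e in entries)
```

Running `write_shadow(parse_shadow(SAMPLE_SHADOW))` gives back the three records and nothing else, which is exactly why a note kept inside the file does not survive the next password change.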
8

Every line of /etc/shadow is considered as a user record. As written by Stephen Kitt who reviewed the parser's source code, you can put lines starting with # as comments in the file or even empty lines and they will be ignored.

However, I have never seen a /etc/shadow file with comments in it. It appears it is not common practice, and for a very good reason: editing it by hand is strongly discouraged. For this reason, I'd rather suggest you create a /etc/shadow.README file instead to store your comments. Remember to chmod 000 the file to avoid non-root users snooping on it.

dr_
  • 29,602
  • So why 000? Owned by root:root and then ug=r,o= not enough? – 0xC0000022L Jun 01 '15 at 12:00
  • 000 are the permissions of /etc/shadow (at least on Red Hat, I haven't looked in other distros) and ensure that only root has access to the file. 440, as you suggest, makes the file readable by a regular user should he/she join the root group by mistake. On a properly administered machine, and for all practical purposes, they're worth the same. I think that 000 better conveys a meaning of "security critical file - keep hands off", but that's just my opinion. – dr_ Jun 01 '15 at 12:21
  • @dr01: not sure how a normal user would join the root group without a superuser doing that. And if a superuser makes such mistake, all bets are off. There's for example a good chance that person is already a sudoer then and can access the file regardless. I consider it security by obscurity, but YMMV. – 0xC0000022L Jun 01 '15 at 14:35
  • That's exactly what I meant with "regular user joins the root group by mistake". My case is that a superuser could (although chances are slim) put him/her in the root group by mistake, while a 000 permission will allow only root to access the file. I recognize that's probably an edge case, but I consider this way much cleaner also since the comment file ends up having the same permissions as /etc/shadow. – dr_ Jun 01 '15 at 15:01
3

Of course you have changes to your /etc/shadow. You don't want the account information in /etc/shadow on your server - hashed passwords, account expirations, etc - to be a byte-for-byte copy of the upstream /etc/shadow.

And I hope you're not overwriting your current /etc/shadow with whatever you're getting from your upstream data source.

Andrew Henle
  • 3,780