What is the `shadow` group used for?
$ find /usr/bin/ -group shadow | xargs ls -l
-rwxr-sr-x 1 root shadow 45384 2008-12-08 03:13 /usr/bin/chage
-rwxr-sr-x 1 root shadow 21424 2008-12-08 03:13 /usr/bin/expiry
There may not be any users, but there is certainly software that needs to be able to read that file. Note that passwd
itself is setuid root, and so doesn't need this.
No, shadow
group should have no users, but this group is required for shadow passwords to work.
I guess the idea here is to have the file accessible by root and root only. You may have extra users in root group, this is why the separate user group was created.
On my Ubuntu machine there are a number of commands which are set-group-id to shadow. This provides them exactly and only the privilege of reading the two shadow files (which are grouped to shadow, and only group-readable).
-rwxr-sr-x 1 root shadow 35584 Mar 16 11:45 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 35544 Mar 16 11:45 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 59224 Jul 20 2015 /usr/bin/chage
-rwxr-sr-x 1 root shadow 23424 Jul 20 2015 /usr/bin/expiry
-rw-r----- 1 root shadow 1043 Apr 2 00:27 /etc/gshadow
-rw-r----- 1 root shadow 1732 Apr 2 00:27 /etc/shadow
If you have a service which only requires to be able to read one or the other of the shadow files, just make it set-group-id to shadow. This is sort of the opposite of what's suggested above - it's not that there are lots of other people who are in group root, it's that by convention (and file permissions) this group grants you access to only these two resources.