I was looking at the state of my system, and saw that it was degraded:
```
$ systemctl list-units --state=failed
  UNIT           LOAD   ACTIVE SUB    DESCRIPTION
● shadow.service loaded failed failed Verify integrity of password and group files

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

1 loaded units listed.
```
I wonder why:
```
Jan 06 00:00:25 hwaryun systemd[1]: shadow.service: Failed with result 'exit-code'.
Jan 06 12:44:43 hwaryun systemd[1]: Started Verify integrity of password and group files.
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'bin' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'daemon' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'mail' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'ftp' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'http' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'nobody' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'dbus' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-coredump' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-network' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-oom' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-journal-remote' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-resolve' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-timesync' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'tss' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'uuidd' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'avahi' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'geoclue' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'git' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'polkitd' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'rtkit' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: pwck: no changes
Jan 06 12:44:43 hwaryun systemd[1]: shadow.service: Main process exited, code=exited, status=1/FAILURE
Jan 06 12:44:43 hwaryun systemd[1]: shadow.service: Failed with result 'exit-code'.
```
So, checking /etc/shadow, it really does seem as if I'm missing entries, probably from when I failed to use systemd-firstboot.
So, what can we do about it? Looking at what the failed unit does, we find a pwck command that looks promising:
```
$ systemctl cat shadow
# /usr/lib/systemd/system/shadow.service
[Unit]
Description=Verify integrity of password and group files
After=systemd-sysusers.service

[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Always run both checks, but fail the service if either fails
ExecStart=/bin/sh -c '/usr/bin/pwck -qr || r=1; /usr/bin/grpck -r && exit $r'
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources
SystemCallFilter=~@privileged
UMask=0077
```
The manual entry doesn't say outright that it will fix things, but given that it has a --read-only flag (the -r the unit passes, which is why the service only reports and never repairs), it's natural to assume that its default mode will modify (fix?) the files. So we take a risk and run it, and it prompts to fix every entry:
```
$ sudo pwck
no matching password file entry in /etc/shadow
add user 'bin' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'daemon' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'mail' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'ftp' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'http' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'nobody' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'dbus' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-coredump' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-network' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-oom' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-journal-remote' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-resolve' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-timesync' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'tss' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'uuidd' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'avahi' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'geoclue' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'git' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'polkitd' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'rtkit' in /etc/shadow? y
pwck: the files have been updated
```
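To make it concrete what the read-only check in shadow.service is actually comparing, here is an added example (not part of the original post and not pwck's own code) that reimplements the passwd/shadow consistency part of `pwck -r` in Python: every user in passwd must have a shadow line, every shadow line must belong to a passwd user, and each line must have the right number of fields. The sample file contents are constructed; `check_files` runs the same logic against the real files and, like the unit, only ever reads them.

```python
"""Read-only passwd/shadow consistency check in the spirit of `pwck -r`.

Added example, not pwck's source. It never writes anything; repairing the
files (adding the missing shadow entries) is what interactive `pwck` did
in the post above. Sample data below is constructed.
"""
from dataclasses import dataclass, field

PASSWD_FIELDS = 7   # name:password:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample data: 'daemon' and 'nobody' have no shadow entry (the
# post's failure), 'ghost' is a shadow entry with no passwd line, and the
# last passwd line is malformed (too few fields).
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin
broken:x:1000:1000
"""

SAMPLE_SHADOW = """\
root:!:19700::::::
bin:!*:19700::::::
ghost:!*:19700::::::
"""


@dataclass
class Report:
    missing_shadow: list = field(default_factory=list)  # passwd users with no shadow line
    orphan_shadow: list = field(default_factory=list)   # shadow users with no passwd line
    malformed: list = field(default_factory=list)       # (file label, line number, line)

    def ok(self) -> bool:
        """True when both files are consistent, i.e. what would let the unit succeed."""
        return not (self.missing_shadow or self.orphan_shadow or self.malformed)


def parse_names(text: str, nfields: int, label: str, report: Report) -> list:
    """Return user names in file order; lines with the wrong field count are recorded."""
    names = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != nfields or not parts[0]:
            report.malformed.append((label, lineno, line))
            continue
        names.append(parts[0])
    return names


def check(passwd_text: str, shadow_text: str) -> Report:
    """Compare the two files and report every inconsistency without changing anything."""
    report = Report()
    passwd_users = parse_names(passwd_text, PASSWD_FIELDS, "passwd", report)
    shadow_users = parse_names(shadow_text, SHADOW_FIELDS, "shadow", report)
    passwd_set, shadow_set = set(passwd_users), set(shadow_users)
    report.missing_shadow = [u for u in passwd_users if u not in shadow_set]
    report.orphan_shadow = [u for u in shadow_users if u not in passwd_set]
    return report


def check_files(passwd_path: str = "/etc/passwd", shadow_path: str = "/etc/shadow") -> Report:
    """Same check on real files. Reading /etc/shadow needs root or CAP_DAC_READ_SEARCH,
    which is exactly the one capability the unit above keeps in its bounding set."""
    with open(passwd_path) as p, open(shadow_path) as s:
        return check(p.read(), s.read())


if __name__ == "__main__":
    r = check(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user in r.missing_shadow:
        print(f"no matching password file entry in shadow for user '{user}'")
    for user in r.orphan_shadow:
        print(f"no matching passwd entry for shadow user '{user}'")
    for label, lineno, line in r.malformed:
        print(f"invalid {label} entry at line {lineno}: {line!r}")
    # Exit non-zero on any finding, the same contract the service relies on.
    raise SystemExit(0 if r.ok() else 1)
```

Running the script as-is exercises the constructed sample and exits 1; pointing `check_files` at the real files after the interactive `pwck` run above should give a report whose `ok()` is true, which is the condition under which `systemctl list-units --state=failed` stops listing shadow.service.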