mismatched /etc/shadow

fixing the shadow file

SEAN K.H. LIAO

I was looking at the state of my system, and saw that it was degraded:

$ systemctl list-units --state=failed
  UNIT           LOAD   ACTIVE SUB    DESCRIPTION
● shadow.service loaded failed failed Verify integrity of password and group files

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

1 loaded units listed.

I wonder why:

Jan 06 00:00:25 hwaryun systemd[1]: shadow.service: Failed with result 'exit-code'.
Jan 06 12:44:43 hwaryun systemd[1]: Started Verify integrity of password and group files.
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'bin' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'daemon' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'mail' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'ftp' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'http' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'nobody' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'dbus' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-coredump' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-network' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-oom' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-journal-remote' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-resolve' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'systemd-timesync' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'tss' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'uuidd' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'avahi' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'geoclue' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'git' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'polkitd' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: no matching password file entry in /etc/shadow
Jan 06 12:44:43 hwaryun sh[53932]: add user 'rtkit' in /etc/shadow? No
Jan 06 12:44:43 hwaryun sh[53932]: pwck: no changes
Jan 06 12:44:43 hwaryun systemd[1]: shadow.service: Main process exited, code=exited, status=1/FAILURE
Jan 06 12:44:43 hwaryun systemd[1]: shadow.service: Failed with result 'exit-code'.

Checking /etc/shadow, it really does look like I'm missing entries, probably from when I failed to use systemd-firstboot. So, what can we do about it?

Looking at what the failed unit does, we find a pwck command that looks promising (the unit runs it with -qr, so it only verifies and never repairs):

$ systemctl cat shadow
# /usr/lib/systemd/system/shadow.service
[Unit]
Description=Verify integrity of password and group files
After=systemd-sysusers.service

[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Always run both checks, but fail the service if either fails
ExecStart=/bin/sh -c '/usr/bin/pwck -qr || r=1; /usr/bin/grpck -r && exit $r'
Nice=19
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources
SystemCallFilter=~@privileged
UMask=0077

The manual entry doesn't say that it will fix things, but given it has a --read-only flag, it's natural to assume that its default mode will modify (fix?) the files. So we take a risk and run it without the read-only flag, and it prompts to fix every entry:

$ sudo pwck
no matching password file entry in /etc/shadow
add user 'bin' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'daemon' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'mail' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'ftp' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'http' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'nobody' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'dbus' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-coredump' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-network' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-oom' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-journal-remote' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-resolve' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'systemd-timesync' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'tss' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'uuidd' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'avahi' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'geoclue' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'git' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'polkitd' in /etc/shadow? y
no matching password file entry in /etc/shadow
add user 'rtkit' in /etc/shadow? y
pwck: the files have been updated
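As an added example (not part of the original post, and not pwck's own code), here is a read-only POSIX shell check that reproduces the comparison behind the "no matching password file entry in /etc/shadow" messages above: it lists passwd users with no shadow line, shadow lines with no passwd user, and passwd entries whose password field is not the 'x' placeholder, and returns 1 on any mismatch, the same exit contract the shadow.service unit relies on for `pwck -qr`. The file paths are parameters and the data is constructed sample input written to temporary files, so it never touches the real /etc/passwd or /etc/shadow; the function names and sample users are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the post: read-only passwd/shadow consistency check
# in the spirit of `pwck -r`. Both file paths are parameters so it can run on
# copies or test data instead of the live files.

# Users present in the passwd-format file ($1) with no line in the
# shadow-format file ($2). This is exactly what pwck reported above.
missing_shadow_entries() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Shadow lines whose user no longer exists in passwd (orphaned hashes).
orphaned_shadow_entries() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# passwd users whose password field is not the 'x' placeholder, i.e. a hash
# (or an empty password) sitting in the world-readable passwd file.
hashes_in_passwd() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Exit status 0 when the two files agree, 1 otherwise (like pwck -r).
check_shadow_consistency() {
    if [ -n "$(missing_shadow_entries "$1" "$2")" ] ||
       [ -n "$(orphaned_shadow_entries "$1" "$2")" ] ||
       [ -n "$(hashes_in_passwd "$1")" ]; then
        return 1
    fi
    return 0
}

# Constructed sample data (assumption of this example, not the author's real
# files): bin and daemon lack shadow lines, 'olduser' has a shadow line but no
# passwd entry, and 'legacy' carries a fake hash directly in passwd.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin
legacy:$6$constructed$notarealhash:1001:1001::/home/legacy:/bin/sh
EOF

cat > "$SAMPLE_SHADOW" <<'EOF'
root:!:19000::::::
nobody:!*:19000::::::
legacy:!:19000::::::
olduser:!:18000::::::
EOF

# Report, mirroring the unit's "verify only, fail on mismatch" behaviour.
if check_shadow_consistency "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"; then
    echo "passwd and shadow agree"
else
    echo "mismatch detected"
    echo "passwd users with no shadow entry:"
    missing_shadow_entries "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
    echo "shadow entries with no passwd user:"
    orphaned_shadow_entries "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
    echo "passwd entries carrying a password field other than 'x':"
    hashes_in_passwd "$SAMPLE_PASSWD"
fi
```

Pointing the functions at the live files (`check_shadow_consistency /etc/passwd /etc/shadow`, run with the privileges needed to read /etc/shadow) gives a reviewable list of what pwck would prompt about before you let it write; the repair itself still belongs to pwck, as in the post.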