After an update, I was notified that my /etc/group and /etc/gshadow were inconsistent. I must have goofed during a manual update at some point, as there area two entries for the lock group.
In /etc/group, I have duplicate lines like so:
In /etc/gshadow, I have slightly different entries:
For all the googling I can muster, I can't find an up to date /etc/group example to know which one to keep in /etc/gshadow. There's some similar posts but they don't end conclusively. The wiki doesn't really explain what all the group fields mean like it does for user management; nor does it specify how to tell if a group entry should have an empty second field or a "!". My gshadow file has instances of both, so I'm not sure which lock should have.
I only have:
@litemotiv: thanks for chiming in. That's a start! Now, if someone can just explain the difference between ! and an empty string, if it matters. I went with ::: simply because other groups I assumed are similar don't have "!", while programs I've added for which there are groups (mpd, avahi, etc.) do. Figured lock was more of a system thing, and other groups like that (ftp, mem, kmem, etc.) don't have it.
You might want to check the description of the encrypted password field.
We wants it, we needs it. Must have the precious. Arch Linux.
@stewie: thanks for the tip.
Refer to crypt(3) for details on how this string is interpreted.
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, users will not be able to use a unix password to access the group (but group members do not need the password).
The password is used when an user who is not a member of the group wants to gain the permissions of this group (see newgrp(1)).
This field may be empty, in which case only the group members can gain the group permissions.
A password field which starts with a exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
This password supersedes any password specified in /etc/group.
Having read that, it's not entirely clear how this plays out practically. An example would be awesome. My point is:
- Empty field: a password can gain access to the group-owned files by those outside the group... but the password field is empty, so what's the password it's talking about a non-group user providing?
- !: no password can gain access to the file.
Not being a *nix guru... I'm still left with my question: should the lock group have an empty or locked password field?
Last edited by jwhendy (2012-11-28 03:18:00)
I would also like input on whether to merge the lock::: or not, from the latest /etc/gshadow.pacnew file.