grpck
Verify and repair group file integrity
SYNOPSIS
grpck [options]
grpck [-r] [-s] [-q] [-R CHROOT_DIR] {group_file | -}
PARAMETERS
-r
Repair mode. grpck attempts to fix or remove erroneous entries. It prompts the user for confirmation before making changes.
-s
Sorted mode. Causes grpck to print the list of users in each group in sorted order.
-q
Quiet mode. Suppresses all output unless an error is detected. Useful for scripting.
-R CHROOT_DIR
Apply changes to a chroot environment located at CHROOT_DIR instead of the default root directory. This is useful for checking filesystems of unbootable systems.
group_file
Specifies an alternative group file to check instead of /etc/group. If - is used, grpck reads from standard input.
-
Reads group data from standard input instead of /etc/group. Often used for piping data from other commands.
DESCRIPTION
grpck is a crucial utility for maintaining the integrity of the system's group databases: /etc/group and /etc/gshadow.
It performs a series of checks to ensure the structural and semantic correctness of these files. This includes verifying that each entry has the correct number of fields, that group names and GIDs (Group IDs) are valid and unique, and that all group members listed actually exist in the /etc/passwd file.
The command helps identify common issues like corrupted entries, duplicate GIDs, or invalid usernames within group memberships. By default, grpck reports any inconsistencies found to standard output. However, with the -r option, it can attempt to automatically fix or remove erroneous entries, making it a powerful tool for system administrators to prevent security vulnerabilities and ensure proper user and group management.
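The checks listed in this description, written out as an added example (this is not grpck's own code and is not part of the original page). The sample passwd and group contents are constructed, and the group-name pattern is an assumption made for the illustration.

```python
import re
# Constructed sample data (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
staff:x:50:alice,bob
dev:x:50:alice
ops:x:abc:bob
staff:x:60:
audit:x:70:mallory
broken:x:80
"""

# Assumed naming rule for this example; real systems may be stricter or looser.
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

def check_group(group_text, passwd_text):
    """Return a list of (line_number, problem) tuples for a group file."""
    users = {l.split(":", 1)[0] for l in passwd_text.splitlines() if l.strip()}
    problems, seen_names, seen_gids = [], {}, {}
    for n, line in enumerate(group_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 4:  # name:password:GID:member_list
            problems.append((n, "wrong number of fields"))
            continue
        name, _pw, gid, members = fields
        if not NAME_RE.match(name):
            problems.append((n, f"invalid group name {name!r}"))
        if name in seen_names:
            problems.append((n, f"duplicate group name {name!r} (first on line {seen_names[name]})"))
        seen_names.setdefault(name, n)
        if not re.fullmatch(r"[0-9]+", gid):
            problems.append((n, f"invalid GID {gid!r}"))
        elif gid in seen_gids:
            problems.append((n, f"duplicate GID {gid} (first on line {seen_gids[gid]})"))
        else:
            seen_gids[gid] = n
        for m in filter(None, members.split(",")):  # empty member list is valid
            if m not in users:
                problems.append((n, f"member {m!r} not in passwd"))
    return problems

if __name__ == "__main__":
    for n, msg in check_group(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"line {n}: {msg}")
```

Two of these findings matter most in an audit: groups that share a GID also share file access, and a member name with no passwd entry hands its membership to any account later created under that name.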
CAVEATS
Using the -r (repair) option can make irreversible changes to your group files. It is strongly recommended to back up /etc/group and /etc/gshadow before attempting any repairs.
grpck requires root privileges to access and modify the system group files. It primarily checks for structural and basic consistency issues; it does not validate group policies or complex permission schemes.
FILES
grpck typically accesses the following system files:
- /etc/group - The standard group file.
- /etc/gshadow - The secure group account information file.
- /etc/passwd - Referenced to validate user existence for group members.
EXIT STATUS
grpck exits with a status of 0 on success, 1 if errors are found but not fixed, or 2 if errors are found and fixed (when -r is used). Other non-zero values indicate critical system errors.
HISTORY
grpck is part of the shadow-utils package, which provides a comprehensive set of programs for managing user and group accounts, including shadow passwords and group files. Its development closely mirrors that of pwck, its counterpart for password file integrity checking.
The tool became essential with the widespread adoption of shadow password and group files (/etc/shadow and /etc/gshadow) to enhance system security by separating sensitive hashed passwords and group-related information from the publicly readable /etc/passwd and /etc/group files. grpck helps ensure the integrity of these critical system files, preventing issues that could lead to security vulnerabilities or account management problems.