grpconv

grpconv [OPTION…]

-p, --preview
    preview mode; do not change any files

-r, --root CHROOT_DIR
    set chroot directory to CHROOT_DIR

-h, --help
    display this help message and exit

-V, --version
    output version information and exit

grpconv is a utility from the shadow-utils package that converts the traditional /etc/group file to the shadow group format by creating /etc/gshadow. This moves sensitive group password data from the world-readable /etc/group to the root-only-readable /etc/gshadow, improving security.

It processes each group entry: if the password field in /etc/group is not already *, it replaces it with * and adds a matching entry to /etc/gshadow with password !, empty admin list, and empty members list. Already-converted entries are skipped.

The command uses advisory locking with /etc/.group.lock and /etc/.gshadow.lock to prevent concurrent modifications. It must run as root (superuser).

Typically invoked once during shadow password suite setup or upgrades. Group passwords are rarely used today, but shadow groups ensure consistency with user shadows and support tools like gpasswd. Preview mode allows testing without changes.

Requires root privileges. Backup /etc/group and /etc/gshadow first. Does not merge or validate existing /etc/gshadow; intended for initial conversion. Fails if files are locked or unwritable.

/etc/group (input/output), /etc/gshadow (output), /etc/.group.lock, /etc/.gshadow.lock

0 on success, non-zero on failure (e.g., permission denied, lock fail)

Part of Shadow Password Suite, developed by Julianne Frances Haugh in early 1990s. Evolved with shadow-utils in Linux distributions for secure password separation.

pwconv(8), grpunconv(8), gpasswd(8), groupadd(8), shadowconfig(8)