grpunconv

grpunconv [OPTION]

-r root_dir
    Apply changes in the root_dir directory instead of the default root (/). This is useful for chrooted environments or system recovery.

--root root_dir
    Long form of -r option.

grpunconv (group unconvert) is a utility used to merge the contents of the /etc/gshadow (shadowed group password) file back into the /etc/group file. This effectively reverses the action of the grpconv command.

Its primary purpose is to convert a system using shadowed group passwords to a traditional setup where group passwords (or 'x' if no password) are stored directly within /etc/group.

When executed, grpunconv reads entries from both /etc/group and /etc/gshadow. For each group, it updates the /etc/group entry to include the password field (either the encrypted hash from gshadow or 'x' if gshadow indicates no password).

Upon successful completion, a new /etc/group file is created, and the /etc/gshadow file is then removed. The original files may be backed up, depending on system configuration. This command is typically used when transitioning away from shadow password management for groups, or on systems where group shadowing is not desired or supported.

This command modifies critical system configuration files (/etc/group). It is highly recommended to create manual backups of both /etc/group and /etc/gshadow before execution.

Running grpunconv will remove the /etc/gshadow file. Group password hashes will then be stored directly in /etc/group, making them potentially readable by any user who can read /etc/group.

This operation reduces the security of group password management compared to a shadowed setup. Shadowing (grpconv) was introduced specifically to protect hashed passwords from being easily readable by unprivileged users.

The command must be run with superuser privileges (e.g., root).

Upon successful execution, grpunconv typically creates backup copies of the original /etc/group and /etc/gshadow files (e.g., /etc/group- and /etc/gshadow- respectively, though exact naming can vary by system or shadow-utils version). The /etc/gshadow file is then deleted, and /etc/group is rewritten with the merged information.

The grpunconv command is part of the shadow-utils package, a suite of programs for managing user and group accounts and passwords. The shadow-utils package was developed to enhance system security by separating encrypted passwords into shadow files, making them inaccessible to regular users.

While grpconv moves group password information to a separate, restricted gshadow file, grpunconv serves the purpose of reverting this change, consolidating group data back into the main /etc/group file. This functionality has been a stable part of shadow-utils for many years, providing flexibility for system administrators to choose between shadowed and non-shadowed group password management.

grpconv(8), gpasswd(1), group(5), gshadow(5), pwconv(8), pwunconv(8)