pwck

pwck [options] [passwd_file [shadow_file]]

-r, --read-only
    
Perform checks but do not write any changes to the files. This is useful for auditing before making modifications.

-s, --strict-checking
    
Enable stricter checking rules. This can detect more subtle issues but might also flag minor inconsistencies that are functionally benign.

-q, --quiet
    
Suppress all output except for errors. This is useful for scripting or automated checks.

-P DIR, --prefix=DIR
    
Apply the specified DIR as a prefix to all paths for the password and shadow files. This is typically used in chroot environments.

-h, --help
    
Display a brief help message and exit.

pwck is a system utility used to verify the integrity and consistency of the system's password files, namely /etc/passwd and /etc/shadow. It checks for a variety of common errors that can compromise system security or lead to user login issues. These checks include:

Malformed or truncated entries.
Invalid or non-existent primary group IDs (GIDs).
Duplicate user IDs (UIDs) or group IDs (GIDs).
Inconsistencies between /etc/passwd and /etc/shadow, such as missing entries for a user in one file.
Users with no password or locked accounts (depending on configuration).

When errors are detected, pwck provides detailed messages and, in some cases, can interactively prompt the administrator to delete or modify the problematic entries. Running pwck regularly is a crucial part of system maintenance to ensure the integrity of user authentication data and prevent security vulnerabilities.

Root Privileges Required: pwck requires root privileges to read and potentially modify /etc/passwd and /etc/shadow.

Backup Files: Before allowing pwck to make any modifications, it is highly recommended to back up /etc/passwd and /etc/shadow to prevent data loss or system instability in case of unexpected errors.

Interactive Mode Caution: When run interactively, carefully review proposed changes. Incorrect modifications can render a system unbootable or compromise security.

Limited Scope: pwck primarily checks file format and basic consistency; it does not verify cryptographic strength of passwords or complex policy compliance.

/etc/passwd: The primary password file containing user account information.
/etc/shadow: The shadow password file containing encrypted passwords and password aging information.
/etc/login.defs: Configuration file that defines system-wide login and password policies, used by pwck for certain checks like UID/GID ranges.

pwck returns 0 on success if no inconsistencies were found or all found inconsistencies were corrected successfully.

A non-zero exit status indicates that errors were found, and not all of them could be corrected, or the command terminated due to a fatal error. Specific non-zero values may indicate different types of errors (e.g., 1 for syntax errors, 2 for invalid parameters, 3 for inconsistencies).

pwck is an integral part of the shadow-utils package, which was developed to enhance system security by separating encrypted passwords from the publicly readable /etc/passwd file into the restricted /etc/shadow file. The shadow-utils project originated in the late 1980s and early 1990s as a response to the security limitations of traditional Unix password management. pwck specifically emerged as a tool to ensure the integrity of these new shadow password files alongside the traditional passwd file, evolving with the package to address various file consistency and formatting issues over time. Its continued development ensures robust password file management on Linux systems.

grpck(8), useradd(8), usermod(8), userdel(8), passwd(5), shadow(5), pwconv(8), pwunconv(8), login.defs(5)