pwunconv
Disable shadow passwords, reverting to /etc/passwd
SYNOPSIS
pwunconv [ -r root_directory ]
PARAMETERS
-r root_directory
Specify an alternate root directory to operate on. This is useful when working in a chroot environment or during system recovery, because it lets pwunconv modify files within a filesystem hierarchy other than that of the running system.
DESCRIPTION
The pwunconv command reverts the system's password and group configuration from using shadow files (/etc/shadow and /etc/gshadow) back to storing all information, including encrypted password hashes, directly within /etc/passwd and /etc/group. It essentially undoes the actions of the pwconv and grpconv commands.
When executed, pwunconv reads the encrypted password entries from /etc/shadow and merges them into the corresponding user entries in /etc/passwd. Similarly, it takes encrypted group password entries from /etc/gshadow and merges them into /etc/group. After successfully merging the data, it removes the /etc/shadow and /etc/gshadow files. This operation requires root privileges.
While it can be useful for compatibility with very old systems that do not support shadow passwords or for certain system recovery scenarios, its use is strongly discouraged in modern Linux environments due to significant security implications. Storing password hashes in the world-readable /etc/passwd exposes them to brute-force or dictionary attacks, compromising system security.
CAVEATS
Security Risk: The primary and most significant caveat is the severe security risk. By moving password hashes from /etc/shadow (which is only readable by root) to /etc/passwd (which is world-readable), pwunconv makes it much easier for unprivileged users or attackers to obtain and crack password hashes.
Loss of Shadow Files: After execution, /etc/shadow and /etc/gshadow are deleted. Reverting to shadow passwords with pwconv and grpconv would then regenerate new shadow files based on the (now potentially less secure) /etc/passwd and /etc/group content.
Compatibility: While designed for compatibility with older systems, almost all modern Linux distributions and applications expect and rely on shadow passwords. Using pwunconv might lead to unexpected behavior or incompatibilities with certain services or utilities.
USAGE WARNING
Due to the severe security implications, pwunconv should generally not be used on production systems. It is primarily a utility for very specific troubleshooting, recovery, or compatibility needs with extremely old systems. Always ensure a full backup of /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow before attempting to use this command.
POST-CONVERSION STATE
After pwunconv completes, /etc/passwd will contain all user information, including password hashes, in its second field, and /etc/group will contain group passwords (if any) in its second field. The 'x' placeholder in /etc/passwd (indicating a shadowed password) will be replaced by the actual hash. The /etc/shadow and /etc/gshadow files will be removed.
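An audit for the state described above, as an added example that is not part of shadow-utils or of the original page. The function names, the treatment of "*" and "!" as lock markers, and the sample file (with fake hash strings) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: detect the state pwunconv leaves behind.

# exposed_entries FILE
# Print "name:hash" or "name:empty" for each 7-field passwd record whose
# second field is neither the "x" shadow placeholder nor a bare lock marker.
exposed_entries() {
    awk -F: '
        NF != 7 { next }                  # not a passwd record
        {
            pw = $2
            if (pw == "x") next           # shadowed: hash is in /etc/shadow
            if (pw == "") { print $1 ":empty"; next }   # no password set
            sub(/^!+/, "", pw)            # leading "!" marks a locked password
            if (pw == "" || pw == "*") next   # lock marker only, no hash present
            print $1 ":hash"
        }
    ' "$1"
}

# is_unshadowed ROOT
# Exit 0 when ROOT/etc/shadow is missing or ROOT/etc/passwd carries a hash.
is_unshadowed() {
    root=${1%/}
    [ -e "$root/etc/shadow" ] || return 0
    exposed_entries "$root/etc/passwd" | grep -q ':hash$'
}

# write_sample FILE: constructed passwd content; the hash strings are fake.
write_sample() {
    cat > "$1" <<'EOF'
root:$6$constructedsalt$ConstructedHashNotReal:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:!$6$constructedsalt$AnotherConstructedHash:1001:1001:Bob:/home/bob:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
svc:!:1003:1003:Service:/nonexistent:/usr/sbin/nologin
EOF
}

# Demo on a throwaway root; pass a real root such as "/" to audit a system.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
write_sample "$demo_root/etc/passwd"
exposed_entries "$demo_root/etc/passwd"
is_unshadowed "$demo_root" && echo "shadow passwords are NOT in effect"
rm -rf "$demo_root"
```

The audit reports account names only and never prints the hash itself, so its output can go into a ticket or a monitoring alert.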
HISTORY
The pwunconv command is part of the shadow-utils package, which provides tools for managing user and group accounts and their associated password and group files. The concept of shadow passwords emerged in Unix-like systems during the late 1980s and early 1990s as a critical security enhancement. Prior to this, password hashes were stored directly in /etc/passwd, making them readable by all users and thus susceptible to offline cracking attacks.
The 'shadow' mechanism separated the sensitive password hash information into a dedicated file (/etc/shadow) readable only by the root user, significantly improving security. pwunconv was included as a utility to revert this configuration, primarily for legacy compatibility or specific recovery scenarios, though its usage has become increasingly rare and discouraged as shadow passwords are now the universal standard.