Let's build an OS: WTF is /etc/gshadow

Every now and then on my OS journey I find weird things. Today is one of those days. When implementing my login system, I was looking at the standard login files - /etc/group, /etc/passwd, and /etc/shadow. Those are all well known and normal, right? Well imagine my surprise when a file I’ve never heard of popped up: /etc/gshadow.

For the uninitiated, on Linux you have a set of groups that your user is a member. You can see them with id:

23/03/2024 12:34:29 CET❯ id 
uid=1000(colin) gid=1000(colin) groups=1000(colin),10(wheel),972(docker),1001(plugdev)

Note the seperation of gid from the rest of the groups. You see, users actually have two types of groups that they are members of: Their “primary” group (as indicated by gid), and a set of “secondary” groups (as indicated by groups). You can change your primary group with the newgrp command:

$ newgrp docker

$ id
uid=1000(colin) gid=972(docker) groups=972(docker),10(wheel),1000(colin),1001(plugdev)

You can even use newgrp to join groups that you aren’t in yet:

$ newgrp test

$ id
uid=1000(colin) gid=1002(test) groups=1002(test),10(wheel),972(docker),1000(colin),1001(plugdev)

That sounds like a gaping security hole, right? We give groups permissions on things - it’s not great if users can just join those groups themselves and get access to everything. This is where /etc/gshadow comes in.

/etc/gshadow, mirroring /etc/shadow, contains a list of groups and passwords for those groups. Most entries have ! as their password field (e.g. nginx:!::) - this completely disables using newgrp to access them, but you can set a password with gpasswd <group>. When we try and join that group with newgrp we are prompted for the password!

$ sudo gpasswd test
$ newgrp test
Password: 

Obviously this is a bit obsolete in today’s landscape. We don’t really make a distinction between primary and secondary groups so we generally just add users to groups rather than letting users move between groups on an adhoc basis. Even when we did, this idea is kind of terrible - it requires the set of users for the group to have a shared password which is a security nightmare

Anyway, hope this is interesting to someone, if only as a historical artifact. Do any of you actually use this anywhere? I’d love to know your usecase.