Administration
pwck
Verify the integrity of the password file.
Additional Notes
pwck verifies the integrity of the system password files: /etc/passwd and optionally /etc/shadow. It checks for missing or inconsistent fields, duplicate UIDs, invalid home directories, missing login shells, and shadow file synchronization issues.
System administrators use pwck as part of routine security audits, after editing password files manually, and to detect corruption or inconsistencies introduced by software bugs or manual errors. It reports issues found and offers to remove or correct entries interactively.
Syntax
pwck [options] [passwd-file [shadow-file]]
Parameters
passwd-file: Password file to check (default: /etc/passwd).
shadow-file: Shadow file to check (default: /etc/shadow).
Common Options
-r, --read-only: Check only, do not make changes.
-s, --sort: Sort entries by UID.
-q, --quiet: Report only serious errors.
-R root: Apply changes in a chroot directory.
--help: Show help and exit.
--version: Show version information.
Examples
pwck
Check the integrity of /etc/passwd and /etc/shadow.
pwck -r
Read-only check; report issues without prompting for fixes.
pwck -q
Report only serious errors, suppressing warnings.
pwck -s
Check and then sort entries by UID.
pwck /etc/passwd /etc/shadow
Explicitly specify which files to check.
Practical Notes
- Run pwck after any manual editing of /etc/passwd or /etc/shadow files to catch mistakes.
- Common issues detected include: duplicate UIDs, missing usernames, invalid home directories, and non-existent login shells.
- If a user has no valid shell, pwck may report it. You can fix it with usermod -s /bin/bash username.
- Use the companion tool grpck to verify /etc/group and /etc/gshadow integrity.
- The -r (read-only) option is safest for initial inspection. Make manual corrections based on the report.
- In containerized environments, use -R to specify the chroot path for checking password files within the container.
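
To show what the issue types listed above look like in the files themselves, the following added Python example (not pwck's own code and not part of the original page) runs comparable read-only checks over constructed passwd and shadow text. The function name audit, its is_dir/is_file parameters, and the sample accounts are assumptions made for illustration.

```python
import os

# Added illustration, not pwck source. Constructed sample data, not from a real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/nosuchshell
carol:x:1002:1002:Carol:/home/carol
dave:x:abc:1003:Dave:/home/dave:/bin/bash
"""
SHADOW = """\
root:*:19000:0:99999:7:::
alice:*:19000:0:99999:7:::
bob:*:19000:0:99999:7:::
erin:*:19000:0:99999:7:::
"""

def audit(passwd, shadow, is_dir=os.path.isdir, is_file=os.path.isfile):
    """Return a list of (line_no, user, problem) findings; never modifies anything."""
    findings, names, uids = [], set(), {}
    shadow_names = {l.split(":")[0] for l in shadow.splitlines() if l}
    for no, line in enumerate(passwd.splitlines(), 1):
        f = line.split(":")
        if len(f) != 7:  # passwd entries have exactly seven colon-separated fields
            findings.append((no, f[0], "wrong number of fields"))
            continue
        name, _pw, uid, gid, _gecos, home, shell = f
        if not name or name in names:
            findings.append((no, name, "missing or duplicate user name"))
        names.add(name)
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((no, name, "non-numeric UID or GID"))
        elif uid in uids:
            findings.append((no, name, f"duplicate UID (also {uids[uid]})"))
        else:
            uids[uid] = name
        if not is_dir(home):
            findings.append((no, name, "home directory does not exist"))
        if shell and not is_file(shell):
            findings.append((no, name, "login shell does not exist"))
        if name not in shadow_names:
            findings.append((no, name, "no matching shadow entry"))
    for name in sorted(shadow_names - names):  # shadow lines with no passwd line
        findings.append((0, name, "shadow entry without passwd entry"))
    return findings

if __name__ == "__main__":
    for no, user, problem in audit(PASSWD, SHADOW):
        print(f"line {no}: {user!r}: {problem}")
```

Run directly, the home-directory and shell checks consult the local filesystem; pass your own is_dir and is_file callables to evaluate the files against a different root, such as an unpacked container image.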