8

I am noticing a lot of weird files appearing in my router and on my various filesystems. Files in weird places or files that have to do with security with a - sign after them.

If I do ls -l /etc/shadow*, this is what I see.

-rw-r----- 1 root shadow 1163 Aug  9 15:48 shadow
-rw------- 1 root root   1163 Aug  8 21:11 shadow-

Does that look normal? What is the 2nd shadow file used for?

PROXY NINJA
  • 477
  • 2
  • 4
  • 9

1 Answers1

11

These files are perfectly normal.

From the shadow(5) manual page:

/etc/shadow-
Backup file for /etc/shadow.

You may similarly see /etc/passwd-, /etc/group- and /etc/gshadow-.

These backup files are created all the tools in the Linux user database utility suite (shadow): both interactive tools such as vipw and automated tools such as passwd, useradd, etc. They let you easily revert the last change to the user database.

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
  • But I didn't use vipw, and no one else is supposed to know the root password but me. So isn't this suspicious? – PROXY NINJA Aug 11 '12 at 05:36
  • 1
    @awakeFromNib Diff them - see if you recognize the change. Apparently some of the other account modification tools do it too. – Random832 Aug 11 '12 at 05:43
  • 2
    @awakeFromNib It would be surprising not to see this file, unless you manually removed it recently. It would mean you never ever added or removed an account or changed a password since your initial system installation. Installing some packages that provide daemons creates a user to run the daemon, so this file can be created even if you didn't directly manipulate accounts. – Gilles 'SO- stop being evil' Aug 11 '12 at 12:39