When migrating authentication files (/etc/passwd, /etc/shadow, and /etc/group) to /home and replacing them with symbolic links, Debian's useradd and adduser utilities fail with errors like:
useradd: cannot open /etc/passwd
groupadd: cannot open /etc/group
The issue has nothing to do with PAM. useradd, groupadd and the other tools from the shadow package read and write the account databases directly through their own file layer; PAM and NSS are only consulted when someone authenticates or looks up an account. That file layer opens /etc/passwd, /etc/shadow and /etc/group with open(2) and the O_NOFOLLOW flag, so the open fails with ELOOP the moment the path is a symbolic link. This is hard-coded as a defence against symlink attacks on the account databases, not a configurable policy, which is why the tools:
- Refuse to follow symlinks for these files
- Expect each database to be a regular file with the usual ownership and permissions
- Rewrite a database by writing a temporary file next to it and renaming that over the original
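To see the mechanism without touching /etc, the following added example (not from this page and not shadow-utils code) rebuilds the situation in a temporary directory: a fake home/passwd plus an etc/passwd symlink pointing at it, then opens the same name with and without O_NOFOLLOW, which is exactly the difference between a tool that follows the link and useradd, which does not. The directory layout and the one-line passwd content are constructed fixtures.

```python
"""Show why open(O_NOFOLLOW) rejects a symlinked passwd file.

Added example; it models useradd's open() call, it is not shadow-utils' code.
"""
import errno
import os
import stat
import tempfile


def _open_and_classify(path, flags):
    """Try open(2) with the given flags and report the outcome as a string."""
    try:
        fd = os.open(path, flags | os.O_CLOEXEC)
    except OSError as exc:
        return "refused: " + errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return "opened"


def probe_open(path):
    """Open `path` the way shadow-utils opens its databases (read-only here).

    A regular file gives "opened"; a symbolic link gives "refused: ELOOP".
    """
    return _open_and_classify(path, os.O_RDONLY | os.O_NOFOLLOW)


def probe_plain_open(path):
    """The same open() without O_NOFOLLOW: the link is followed silently."""
    return _open_and_classify(path, os.O_RDONLY)


def build_fixture():
    """Constructed fixture mirroring the migration on the page:
    <root>/home/passwd is the real file, <root>/etc/passwd a symlink to it."""
    root = tempfile.mkdtemp(prefix="nofollow-demo-")
    home = os.path.join(root, "home")
    etc = os.path.join(root, "etc")
    os.mkdir(home)
    os.mkdir(etc)
    real = os.path.join(home, "passwd")
    with open(real, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
    os.chmod(real, 0o644)
    link = os.path.join(etc, "passwd")
    os.symlink(real, link)
    return root, real, link


def describe(path):
    """What a tool sees for `path`: whether it is a link, and both open outcomes."""
    st = os.lstat(path)  # lstat: inspect the link itself, do not follow it
    return {
        "is_symlink": stat.S_ISLNK(st.st_mode),
        "plain_open": probe_plain_open(path),
        "nofollow_open": probe_open(path),
    }


if __name__ == "__main__":
    _root, real_file, symlink = build_fixture()
    for p in (real_file, symlink):
        print(p, describe(p))
```

Run it and the real file opens both ways while the symlink opens only without O_NOFOLLOW; "refused: ELOOP" is the error behind useradd's "cannot open /etc/passwd".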
Option 1: Use bind mounts instead of symlinks
A bind mount makes the relocated file appear at /etc/passwd as a regular file, so the O_NOFOLLOW open succeeds. Note that mount --bind needs an existing file as its mount point, so recreate the three files after moving them:
mkdir -p /home/system_auth
mv /etc/passwd /etc/shadow /etc/group /home/system_auth/
touch /etc/passwd /etc/shadow /etc/group
chmod 644 /etc/passwd /etc/group
chmod 640 /etc/shadow
mount --bind /home/system_auth/passwd /etc/passwd
mount --bind /home/system_auth/shadow /etc/shadow
mount --bind /home/system_auth/group /etc/group
Two caveats before relying on this. First, the shadow tools update a database by writing a temporary file (/etc/passwd+ and so on) and renaming it over the original, and rename(2) refuses to replace a file that is a mount point (EBUSY), so user creation can still fail at the write step even though the open now works; test it before depending on it. Second, mv across filesystems is a copy followed by a delete, so do this from a root shell, keep a spare copy of the three files until you have confirmed you can still log in, and remember that if /home ever fails to mount at boot there is no /etc/passwd at all.
Option 2: Modify PAM configuration (does not help)
PAM is not on the code path: pam_unix.so runs when a user authenticates, not when useradd edits the databases, and it has no option for following symlinks (nodelay only suppresses the delay after a failed authentication). Editing /etc/pam.d/common-session changes nothing about the errors above, so leave it as it is.
Option 3: Rebuild shadow without O_NOFOLLOW
There is no ./configure switch for this; the flag is set in the source (the shared open routine in lib/commonio.c), so you would have to patch it out and rebuild the Debian package:
apt-get build-dep shadow
apt-get source shadow
cd shadow-*
# edit lib/commonio.c to drop O_NOFOLLOW from the open() call, then
dpkg-buildpackage -us -uc
You would also have to pin the result so the next security update does not replace it. Doing this reinstates the symlink-attack exposure the flag exists to prevent, on every account operation, which is a poor trade for a file-location preference.
After implementing any solution:
# Must show a regular file, not an "->" symlink
ls -l /etc/passwd
# With bind mounts, confirm the mount is in place
findmnt /etc/passwd
# Verify user creation end to end (this exercises the rewrite path too), then clean up
useradd -m testuser
getent passwd testuser
userdel -r testuser
Before implementing these changes:
- Keep /home traversable (0755 root:root); 0700 would stop every user from reaching their own home directory
- Maintain the standard ownership and modes on the auth files wherever they live: passwd and group root:root 0644, shadow root:shadow 0640
- Consider using auditd to monitor access attempts (for example auditctl -w /etc/shadow -p wa -k shadow)
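The checklist above is easy to get wrong by hand, so here is an added example (not from the original page) that audits a directory holding the three databases: it reports symlinks, non-regular files, and any owner, group or mode that differs from the Debian defaults. DEBIAN_EXPECTED and the make_fixture() test tree are assumptions of this example; run audit("/etc") as root to check the live files, or point it at the relocated copies in /home.

```python
"""Audit passwd/shadow/group: regular files, correct owner, group and mode.

Added example, not part of the original page. DEBIAN_EXPECTED encodes the
Debian defaults (passwd and group root:root 0644, shadow root:shadow 0640).
"""
import grp
import os
import pwd
import stat
import tempfile

# Assumed target state after migration. Owner/group may be names (resolved
# at run time through pwd/grp) or numeric ids.
DEBIAN_EXPECTED = {
    "passwd": ("root", "root", 0o644),
    "shadow": ("root", "shadow", 0o640),
    "group": ("root", "root", 0o644),
}


def _uid(owner):
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def _gid(group):
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def audit(directory, expected=DEBIAN_EXPECTED):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, (owner, group, mode) in expected.items():
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)  # lstat: report a symlink instead of following it
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink (useradd will refuse to open it)")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{path}: not a regular file")
            continue
        want_uid, want_gid = _uid(owner), _gid(group)
        if (st.st_uid, st.st_gid) != (want_uid, want_gid):
            findings.append(f"{path}: owned by {st.st_uid}:{st.st_gid}, "
                            f"expected {want_uid}:{want_gid}")
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
    return findings


def make_fixture():
    """Constructed test tree (not real system files): passwd correct, group
    with a too-tight mode, shadow replaced by a symlink, owned by the caller."""
    d = tempfile.mkdtemp(prefix="auth-audit-")
    me, mygrp = os.geteuid(), os.stat(d).st_gid
    expected = {
        "passwd": (me, mygrp, 0o644),
        "shadow": (me, mygrp, 0o640),
        "group": (me, mygrp, 0o644),
    }
    for name, mode in (("passwd", 0o644), ("group", 0o600)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample
        os.chmod(path, mode)
    os.symlink(os.path.join(d, "passwd"), os.path.join(d, "shadow"))
    return d, expected


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    for line in audit(target) or [f"{target}: passwd, shadow and group all OK"]:
        print(line)
```

Against the constructed tree the audit reports the shadow symlink and the wrong group mode and stays quiet about passwd; against a correctly migrated system it prints a single all-OK line.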
When attempting to relocate critical system files like /etc/passwd, /etc/shadow, and /etc/group to another location (e.g., /home) using symbolic links, you might encounter permission issues with user management tools:
# After creating symlinks:
ln -s /home/passwd /etc/passwd
ln -s /home/shadow /etc/shadow
ln -s /home/group /etc/group
# Attempting to add a user fails (adduser calls groupadd and useradd underneath):
adduser testuser
Adding user `testuser' ...
Adding new group `testuser' (1000) ...
groupadd: cannot open /etc/group
This occurs because useradd and related utilities use open(2) with O_NOFOLLOW when accessing these sensitive files, a security measure to prevent symlink attacks. The tools explicitly refuse to follow symbolic links for critical authentication databases.
Option 1: Bind Mounts Instead of Symlinks
The usual way to relocate these files while keeping a regular file at each expected path:
# First move original files
mv /etc/passwd /etc/shadow /etc/group /home/
# A bind mount needs an existing file as its mount point
touch /etc/passwd /etc/shadow /etc/group
chmod 644 /etc/passwd /etc/group
chmod 640 /etc/shadow
# Create bind mounts
mount --bind /home/passwd /etc/passwd
mount --bind /home/shadow /etc/shadow
mount --bind /home/group /etc/group
# Make persistent across reboots
echo "/home/passwd /etc/passwd none bind 0 0" >> /etc/fstab
echo "/home/shadow /etc/shadow none bind 0 0" >> /etc/fstab
echo "/home/group /etc/group none bind 0 0" >> /etc/fstab
Test useradd before logging out: the shadow tools replace each database by renaming a temporary file over it, and rename(2) cannot replace a mount point, so an update may still fail at the write step even though the open succeeds. If /home is a separate filesystem, put the bind entries after the /home line in /etc/fstab and keep a root shell open until a reboot has been verified, because a missing /home now means a missing /etc/passwd.
Option 2: Direct File Access with Proper Permissions
For temporary testing you can put real copies back in /etc. Remove the symlinks first, otherwise cp follows them and tries to copy each file onto itself; cp -p keeps owner, group and mode:
rm /etc/passwd /etc/shadow /etc/group
cp -p /home/passwd /etc/passwd
cp -p /home/shadow /etc/shadow
cp -p /home/group /etc/group
useradd testuser
# Remember to sync changes back to the /home location afterwards
cp -p /etc/passwd /etc/shadow /etc/group /home/
When relocating authentication databases:
- Ensure the new location keeps the standard modes (0640 for shadow, 0644 for passwd and group)
- Maintain the standard ownership (root:root for passwd and group, root:shadow for shadow on Debian)
- Consider using SELinux/AppArmor if available
- Audit all access to these files
For advanced use cases:
# Using LDAP for centralized authentication
apt-get install libnss-ldap libpam-ldap nscd
# Configure /etc/nsswitch.conf to use ldap
Or consider using systemd's tmpfiles.d mechanism for managing these files.