Per $subj. This was noticed by solar on cvs.gentoo.org during the most recent wave of retirements. The retirement script uses gpasswd -d to remove users from all relevant groups before the user is disabled. Using gpasswd -d removes the user from /etc/groups correctly, but the user still remains in /etc/gshadow. I suspect this might have security implications if the user is not correctly removed from the gshadow data, since he might have the group-admin rights still if he wasn't being totally disabled.

Portage 2.1.2.2 (hardened/amd64/multilib, gcc-3.4.6, glibc-2.3.6-r5, 2.6.18-hardened x86_64)
=================================================================
System uname: 2.6.18-hardened x86_64 Dual Core AMD Opteron(tm) Processor 280
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 11 Jul 2007 03:00:01 +0000
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -fomit-frame-pointer -fforce-addr -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -fomit-frame-pointer -fforce-addr -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg distclean distlocks metadata-transfer nodoc noinfo sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1 -Wl,-z,now -Wl,-z,relro"
MAKEOPTS="-j4 --quiet"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://owl.gentoo.org/gentoo-portage"
USE="acpi amd64 berkdb boundschecking bzip2 crypt hardened justify midi ncurses nptl nptlonly pam pic readline ssl tcpd urandom xml2 xorg zlib"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
/etc/gshadow is just for passwords ... I don't think there's a security risk of having stale entries in there if the user was removed from /etc/groups properly
It's for group administrators as well. 2nd field is group admin password. 3rd field is group admin. 4th is a duplicate copy of the /etc/group members.
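An audit check for the situation the report describes, added here as an example and not part of the bug report or Gentoo's retirement script: it parses /etc/group and /etc/gshadow using the field layout given above (gshadow 3rd field = admins, 4th field = a copy of the group members) and flags retired users who still appear in gshadow, plus any group whose gshadow member list no longer matches /etc/group. File contents are passed in as strings and the sample data is constructed.

```python
# Added audit example: cross-check /etc/gshadow against /etc/group so a user
# dropped with `gpasswd -d` but still present in gshadow's admin (3rd) or
# member (4th) field is reported. Not from the bug report; sample data below
# is constructed for the demonstration.

def parse_colon_file(text):
    """Split a group/gshadow style file into {name: [field, ...]}.
    Lines without exactly four fields are skipped and their line numbers
    returned, since a malformed gshadow line can hide real entries."""
    entries, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            bad.append(lineno)
            continue
        entries[fields[0]] = fields
    return entries, bad

def _names(field):
    """Turn a comma-separated member/admin field into a set of user names."""
    return {n for n in field.split(",") if n}

def stale_gshadow_rights(group_text, gshadow_text, retired):
    """Return sorted (group, kind, user) findings: a retired user still listed
    as gshadow admin or member, or a gshadow member list that differs from
    /etc/group (the two fields are supposed to be duplicates)."""
    groups, _ = parse_colon_file(group_text)
    shadow, _ = parse_colon_file(gshadow_text)
    retired = set(retired)
    findings = []
    for name, fields in shadow.items():
        admins, members = _names(fields[2]), _names(fields[3])
        findings += [(name, "admin", u) for u in admins & retired]
        findings += [(name, "member", u) for u in members & retired]
        if name in groups and members != _names(groups[name][3]):
            diff = ",".join(sorted(members ^ _names(groups[name][3])))
            findings.append((name, "members-differ", diff))
    return sorted(findings)

# Constructed sample: 'olduser' was removed from /etc/group with gpasswd -d,
# but the matching gshadow entry still names them as admin and member, and
# both files carry one malformed line.
SAMPLE_GROUP = "wheel:x:10:root,alice\ncvs:x:501:alice\nbroken_line\n"
SAMPLE_GSHADOW = "wheel:!::root,alice\ncvs:!:olduser:alice,olduser\nbroken_line\n"

if __name__ == "__main__":
    for finding in stale_gshadow_rights(SAMPLE_GROUP, SAMPLE_GSHADOW, ["olduser"]):
        print("%s: %s %s" % finding)
```

On a real host the same functions can be fed the contents of /etc/group and /etc/gshadow directly; a non-empty result after a retirement run means the gshadow cleanup did not happen.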
ok, this is irrelevant. It turns out that our /etc/gshadow on the infra box contained some bad lines.