I have installed Leap 15.5 latest and I’ve noticed a very strange and disturbing file called shad_init on a partition.
I stated the file and it was created last year.
Is there any software that creates such a file? The file is root owned read and write only and contain a sort of a pseudo /etc/passwd file.
If anyone knows about this please let me know.
Can you provide more information about how you installed, what options you selected, and what your partition layout looks like? Are you using any encrypted filesystem options?
I’ve just checked my lab 15.5 VM image, and I don’t find that file on it.
This system in particular has been a constant upgrade from previous versions.
I think it started as a 15.0 and was successive updated to this latest Leap 15.5 version.
I do have all but the root partition Manually encrypted with Luks.
I have 2 drives:
My partitions are :
swap (encrypted )
/ (ext3 )
sdb is my “portable” home drive.
I have three partitions on /dev/sdb
/home (luks encrypted ext3)
/bcks (luks encrypted and also ext3)
/distros (luks encrypted and also ext3)
they are all Primary partitions.
A very simple setup.
The file shad_init is inside the /distros mount point.
Very very strange.
This sounds like a file created by one of the many legit shadow packages…
The worrisome part is that it is akin to /etc/passwd, but contains 8 fields all separated by : with root user on it.
Also most users/accounts of my system are not there. And some users/accounts that are on shad_init are not on my normal /etc/passwd
An example would be something like systemd-journal-remote is on that shad_init file but not on my system.
Also the worrisome part I mentioned is that the root user on that file does have a hashed password on the file. Hence my question on the forum.
The only thing worth mention on my system is that the file creation was last November. I recall that I made a hard drive change for a bigger disk since that is the storage unit not the ssd.
I only made a rsync operation to that partition from a previous hard drive I can not locate right now.
It might be not a good idea, i am not just quite sure, but, if you are really worried about it, why don’t you create a snapshot and then remove the file to see what happens latter?