monu

Reputation: 211

Why does the inode value of the shadow file change?

I created a hard link for the shadow file. To remove the passwd of the user, I opened the shadow file in the vi editor, removed the encrypted passwd and then saved. The inode value of the shadow file was changed. Then I updated the passwd of the user and again the inode value of the shadow file changed. Why does the inode of the shadow file change when it is edited/updated?

Upvotes: 4

Views: 331

Answers (2)

Julie in Austin

Reputation: 1003

The code that handles file writes creates a copy of the entire file, as it should exist on disk, before the file is written. Once the file has been written to disk and flushed, it is renamed to the proper name (/etc/shadow or /etc/gshadow, for group shadow files).

The issue isn't just data consistency. There are a small number of files which have to be present in order for the system to be usable, and the security files are some of them. The goal is to avoid having a situation in which the system can crash, or the relevant command can be suspended (the Ctrl-Z key or a SIGSTOP ...) and the files be in an insecure state. "Insecure" can also include "doesn't exist" -- non-atomically renaming a file can leave a time interval where the /etc/shadow file doesn't exist at all.

Upvotes: 0

glglgl

Reputation: 91017

vi saves the data in a new file, and then either unlinks or renames the old directory entry. The hard link is linked to the old one.

This is one of two ways of ensuring data consistency in case saving fails.

The other way would be to copy the old file and then overwrite it. The old copy would then have a different inum, and the newly saved file would have the same as before.

Upvotes: 2
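
The two save strategies described in the answers above, as an added example that is not part of the original posts. It works in a scratch directory on a constructed file (the names `shadow.demo` and `shadow.hardlink`, the helper functions and the sample lines are all made up) and never touches `/etc/shadow`.

```shell
#!/bin/sh
# Constructed demo: compare "write new file + rename" with "overwrite in place".

# Print the inode number of a path.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Strategy 1: write the full new contents to a temp file, then rename it
# over the old name. The path ends up pointing at a NEW inode.
save_by_rename() {
    tmp="$1.tmp.$$"
    printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$1"
}

# Strategy 2: truncate and rewrite the existing file. The inode is kept.
save_in_place() { printf '%s\n' "$2" > "$1"; }

demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/shadow.demo"
    link="$dir/shadow.hardlink"

    printf '%s\n' 'user:OLDHASH:19000::::::' > "$f"   # constructed sample line
    ln "$f" "$link"                                   # hard link to the same inode
    before=$(inode_of "$f")

    save_by_rename "$f" 'user::19000::::::'
    after_rename=$(inode_of "$f")      # differs from $before
    link_inode=$(inode_of "$link")     # still equals $before
    link_content=$(cat "$link")        # still the old line, old hash included

    save_in_place "$f" 'user:NEWHASH:19001::::::'
    after_inplace=$(inode_of "$f")     # equals $after_rename

    echo "original inode:        $before"
    echo "after rename save:     $after_rename"
    echo "hard link inode:       $link_inode"
    echo "hard link still holds: $link_content"
    echo "after in-place save:   $after_inplace"
    rm -rf "$dir"
}

demo
```

The hard link keeps the pre-edit inode alive, so the old contents stay readable through it after the rename-based save.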
