The last several times I’ve updated filesystem, .pacnew files were created for /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow.
My default approach for merging .pacnew files is to use vimdiff to edit the original and new files simultaneously.
Unfortunately, this doesn’t work very well for /etc/passwd and friends because they are databases, not configuration files.
My first thought was to make the files friendlier to vimdiff by sorting all the lines.
That works well enough, but I decided that it would be better to use the tools provided for updating the password database to update the password database, so I wrote a Python script that reads /etc/passwd, /etc/passwd.pacnew, /etc/group, and /etc/group.pacnew and suggests useradd, usermod, groupadd, and groupmod commands to run to bring the live versions up to date.
The script looks at each user and group present in both files and users and groups present only in the .pacnew files.
Users and groups existing only in the live files are ignored;
these are the users that I have added or that were added by packages.
If either (or both) of the .pacnew files are missing, the live copy is used instead.
This allows the script to be run if only one or the other of the files was updated.
Group membership is evaluated as part of the user for two reasons.
First, because usermod is used to modify group memberships, not groupmod.
Second, because this avoids printing suggestions to remove all my users from the predefined groups (like systemd-journal, for instance).
You can download the script and use it yourself. It’s licensed under the 2-clause BSD license.
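A sketch of the comparison described above, added here as an example; it is not the downloadable script. The function names are hypothetical, and it assumes that differing passwd fields map directly to usermod options and that group memberships are only ever added (usermod -a -G), never removed. It only prints suggestions and runs nothing.

```python
import shlex
from pathlib import Path

def parse(text, nfields):
    """Map entry name -> list of colon-separated fields (blank lines skipped)."""
    rows = (l.split(":") for l in text.splitlines() if l.strip())
    return {r[0]: r for r in rows if len(r) == nfields}

def members(groups, user):
    """Names of groups that list `user` in their member field."""
    return {g for g, r in groups.items() if user in r[3].split(",")}

# passwd field index -> useradd/usermod option (uid, gid, GECOS, home, shell)
USER_OPTS = {2: "-u", 3: "-g", 4: "-c", 5: "-d", 6: "-s"}

def suggest(passwd, passwd_new, group, group_new):
    """Return commands that bring the live databases up to the .pacnew versions."""
    live_u, new_u = parse(passwd, 7), parse(passwd_new, 7)
    live_g, new_g = parse(group, 4), parse(group_new, 4)
    cmds = []
    for name, row in new_g.items():          # groups first: new users may need them
        if name not in live_g:
            cmds.append(["groupadd", "-g", row[2], name])
        elif live_g[name][2] != row[2]:
            cmds.append(["groupmod", "-g", row[2], name])
    for name, row in new_u.items():          # live-only entries are never visited
        want = members(new_g, name)
        if name not in live_u:
            args = [x for i, o in USER_OPTS.items() for x in (o, row[i])]
            if want:
                args += ["-G", ",".join(sorted(want))]
            cmds.append(["useradd", *args, name])
            continue
        args = [x for i, o in USER_OPTS.items() if live_u[name][i] != row[i] for x in (o, row[i])]
        missing = want - members(live_g, name)   # assumption: add only, never remove
        if missing:
            args += ["-a", "-G", ",".join(sorted(missing))]
        if args:
            cmds.append(["usermod", *args, name])
    return [shlex.join(c) for c in cmds]

def load(path):
    """Return (live text, .pacnew text), using the live copy if no .pacnew exists."""
    live, new = Path(path), Path(path + ".pacnew")
    return live.read_text(), (new if new.exists() else live).read_text()

if __name__ == "__main__":
    print("\n".join(suggest(*load("/etc/passwd"), *load("/etc/group"))))
```

Review the printed commands before running any of them as root; /etc/shadow and /etc/gshadow are not read here, since the tools update them alongside passwd and group.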