Add a "shadow" group and make the shadow passwd db readable by that
group.  This changes getpw* to always try the shadow db first and
then fall back to the db w/o password hashes.  In the future,
/usr/libexec/auth/login_passwd (and others) will be setgid shadow
instead of setuid root.  OK deraadt@

If you track -current you should do the following:
o add group shadow to /etc/group
o chgrp shadow /etc/spwd.db
o chmod 640 /etc/spwd.db
o rebuild and install src/usr.sbin/pwd_mkdb

You do not need to rebuild libc yet, but it wouldn't hurt to do so.
OPENBSD_3_3
millert 21 years ago
parent
commit
dff81d5bde
2 changed files with 3 additions and 2 deletions
  1. +1
    -0
      src/etc/group
  2. +2
    -2
      src/etc/mtree/special

+ 1
- 0
src/etc/group View File

@ -23,6 +23,7 @@ _fingerd:*:33:
_sshagnt:*:34:
_x11:*:35:
utmp:*:45:
shadow:*:65:
crontab:*:66:
www:*:67:
network:*:69:
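
Review bot: the new `shadow:*:65:` entry has an empty member list, and nothing here records that it has to stay empty. Per the commit message the group exists so that setgid binaries such as login_passwd can read /etc/spwd.db; any account later added as a member would be able to read every password hash on the system. A short comment in the commit message or the group(5) documentation stating that the group is reserved for setgid helpers would make that constraint explicit. Because `src/etc/mtree/special` in the same commit now refers to `gname=shadow`, it is also worth confirming how the mtree check behaves on a system where this line has not yet been merged into /etc/group.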


+ 2
- 2
src/etc/mtree/special View File

@ -1,4 +1,4 @@
# $OpenBSD: special,v 1.47 2002/10/04 23:28:38 deraadt Exp $
# $OpenBSD: special,v 1.48 2002/11/21 21:25:19 millert Exp $
# $NetBSD: special,v 1.4 1996/05/08 21:30:18 pk Exp $
# @(#)special 8.2 (Berkeley) 1/23/94
#
@ -69,7 +69,7 @@ security type=file mode=0644 uname=root gname=wheel
shells type=file mode=0644 uname=root gname=wheel
skey type=dir mode=01730 uname=root gname=auth optional
.. #skey
spwd.db type=file mode=0600 uname=root gname=wheel
spwd.db type=file mode=0640 uname=root gname=shadow
ssh type=dir mode=0755 uname=root gname=wheel optional
ssh_config type=file mode=0644 uname=root gname=wheel
ssh_host_dsa_key type=file mode=0600 uname=root gname=wheel optional
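
Review bot: on the `spwd.db` line, going from `mode=0600 ... gname=wheel` to `mode=0640 ... gname=shadow` widens read access to the hash database before any consumer in this commit needs it; the message says login_passwd and others become setgid shadow only "in the future". Consider noting in the message why the permission change lands first, so the interim state is a deliberate step rather than an unexplained relaxation. The message also tells -current users to rebuild pwd_mkdb, yet only src/etc/group and src/etc/mtree/special change here; please confirm the pwd_mkdb change that creates the file with mode 0640 and group shadow goes in together with this one, otherwise a regenerated database and this spec will disagree.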

