Would appreciate your thoughts on this.

My first thought is that from your description you seem to be going to a lot of effort to accomplish a simple task. In fact, IMHO you are going abou this backwards.

First I'd come up with the list of authorized users. Secondly I'd leave the Unix passwords out of the equation and use another repository to store authentication tokens other than /etc/password and/or /etc/shadow. In fact, if your Unix system has implemented shadow files (and most these days do) then you shouldn't be able to access /etc/shadow from your web application. If you can then you are introducing other security issues that I believe are beyond the scope of this discussion.

If you want the userids and passwords to match the account ids and passwords issued for Unix accounts then I'd say import them into another repository from Unix and let your application access them from there. Keeping your list of authorized uers then becomes just an excercise of importing just the users you need and leaving out the rest.

What repository you ask? Investigate .htpassword files for one, LDAP is a good solution and so might be putting the account data in a relational database.

The major drawback to importing the Unix account information that I can think of (besides wire snooping and other evil things) is password synchronization becomes an issue. So does user administration from the perspective of adds/changes/deletes.

If you are lucky enough that your company has standardized on something like LDAP for user authentication then your application should be able to access account logins from there. In fact whoever your LDAP administrator is can set up an ACL and group tailored to the list of who is authorized to use your application relieving you of that burden.

Just my US$0.02 worth.. HTH...