pwdb_chkpwd doesn't need to be setuid root as far as I can see. setgid `shadow' should be sufficient, just like utempter is only setgid `utmp'.
Good point, I agree completely :-)
Not all sites implement the setgid shadow scheme.