关于从php访问影子密码文件的安全问题

我在php中编写了这个函数来检查linux服务器上的用户/通过帐户。它工作得很好，但是我有点担心安全问题。

/*    Need to add www-data to group shadow (and restart apache)
        $ sudo adduser www-data shadow
        $ sudo /etc/init.d/apache2 restart
      Needs whois to be installed to run mkpasswd
        $ sudo apt-get install whois
      Assumes that sha-512 is used in shadow file
*/
function authenticate($user, $pass){
  // run shell command to output shadow file, and extract line for $user
  // then split the shadow line by $ or : to get component parts
  // store in $shad as array
  $shad =  preg_split("/[$:]/",`cat /etc/shadow | grep "^$user':"`);
  // use mkpasswd command to generate shadow line passing $pass and $shad[3] (salt)
  // split the result into component parts and store in array $mkps
  $mkps = preg_split("/[$:]/",trim(`mkpasswd -m sha-512 $pass $shad[3]`));
  // compare the shadow file hashed password with generated hashed password and return
  return ($shad[4] == $mkps[3]);
}
// usage...
if(authenticate('myUsername','myPassword')){
  // logged in   
} else {
  // not valid user
}

1. 将www-data添加到组影子中是否对内网专用服务器有很大的安全风险?(我意识到在共享主机服务器上，黑客可能有机会使用盐值来破解其他用户的密码)

2. 我使用的方法还有其他安全问题吗?

3. 有什么建议让它更可靠吗?