Comment 11 for bug 1844498

note that the build scripts for core do have an md5sum check to detect changes to /etc/passwd|group|shadow because this file is orignally readonly.
dirs created with specific UIDs/GIDs by package postinist scripts that get copied into the writable area of the rootfs during first boot would fail to be owned by the daemon users the packages set up for them during a core update...

adding a new entry to one of the readonly password db files is fine but requires changes in livecd-rootfs and an update of the expected md5sum ...

additionally to the above, since /etc/group is readonly, you can not add users to the lxd group if you add lxd there so unprivileged containers on core will become impossible, the GID of lxd should be transferred into /var/lib/extrausers/group to make it possible to add a local system user to this group.