Hi Barbara,
Luckily I don't allow shell access so those files can't be viewed.
Good for you, but maybe not enough.If you run PHP in it's default mode, any file readable by the apache user is readable by a PHP script. Then, it *is* a (severe) security issue!
On a few of my systems, I checked /etc/shadow* just to be sure and all permissions are 400, owned by root.
This definitely needs fixing. 644 on /etc/shadow* is a Bad Thing (TM)! Good luck all... Nico