In addition to those items mentioned elsewhere in this thread, you also have a race condition (protect against two of these processes running at the same time), don't check for write errors on the new shadow file (think of a DOS by filling the filesystem before running this), ownership issues (unless you have ownership giveaway privs (or are running as root, which it appears the script assumes), you cannot do the chown, once you do the chown, you cannot do the chgrp), not verifying system calls (open, print), and a plethora of other issues associated with this script.

I would second other suggestions to use the vendor supplied API functions (usermod as an example) to modify this information. There are many problems with your solution as provided.

Also look at prior art. anlpasswd is an example of a password shim that I have used to perform some of your requirements. Last I checked, it was dated, however, so it may not be any better than an example.

Update: Re-reading my response, I see that my response can possibly be read as "if you fix these things, then it is a good idea". Just so that there is no confusion, unless you are familiar with the deep magic, it is not a good idea to undertake this application. I would not be comfortable implementing this in a CGI script (or anywhere else) without many appropriate reviews, logging, audits, blah blah blah.