Red Hat Linux 8.0: The Official Red Hat Linux System Administration Primer
Chapter 6. Managing Accounts and Groups
Files Controlling User Accounts and Groups

On Red Hat Linux, information about user accounts and groups is stored in several text files within the /etc/ directory. When a system administrator creates new user accounts, these files must either be edited by hand or applications must be used to make the necessary changes. The following section documents the files in the /etc/ directory that store user and group information under Red Hat Linux.

/etc/passwd

The /etc/passwd file is world-readable, and contains a list of users, each on a separate line. On each line is a seven-field, colon-delimited list which contains the following information:

- Username — The name the user types when logging into the system.
- Password — This contains the encrypted password for the user (or an x if shadow passwords are being used — more on this later).
- User ID (UID) — The numerical equivalent of the username, which is referenced by the system and applications when determining access privileges.
- Group ID (GID) — The numerical equivalent of the primary group name, which is referenced by the system and applications when determining access privileges.
- GECOS — The GECOS[1] field is optional, and is used to store extra information (such as the user's full name). Multiple entries can be stored here in a comma-delimited list. Utilities such as finger access this field to provide additional user information.
- Home directory — The absolute path to the user's home directory, such as /home/juan.
- Shell — The program automatically launched whenever a user logs in. This is usually a command interpreter (often called a shell). Under Red Hat Linux, the default value is /bin/bash. If this field is left blank, /bin/sh is used. If it is set to a non-existent file, then the user will be unable to log into the system.
Here is an example of a /etc/passwd entry:

root:x:0:0:root:/root:/bin/bash

This line shows that the root user has a shadow password, as well as a UID and GID of 0. The root user has /root/ as a home directory, and uses /bin/bash for a shell. For more information about /etc/passwd, type man 5 passwd.

/etc/shadow

The /etc/shadow file is readable only by the root user, and contains password and optional password aging information. As in the /etc/passwd file, each user's information is on a separate line. Each of these lines is a nine-field, colon-delimited list including the following information:

- Username — The name the user types when logging into the system. This allows the login application to retrieve the user's password (and related information).
- Encrypted password — The 13 to 24 character password. The password is encrypted using either the crypt library function, or the md5 hash algorithm. In this field, values other than a validly-formatted encrypted or hashed password are used to control user logins and to show the password status. For example, if the value is ! or *, the account is locked, and the user is not allowed to log in. If the value is !!, a password has never been set before (and the user, not having set a password, will not be able to log in).
- Date password last changed — The number of days since January 1, 1970 (also called the epoch) that the password was last changed. This information is used for the following password aging fields.
- Number of days before password can be changed — The minimum number of days that must pass before the password can be changed.
- Number of days before password change is required — The number of days that must pass before the password must be changed.
- Number of days warning before password change — The number of days before password expiration during which the user is warned of the impending expiration.
- Number of days before the account is disabled — The number of days after a password expires before the account will be disabled.
- Date since the account has been disabled — The date (stored as the number of days since the epoch) since the user account has been disabled.
- A reserved field — A field that is ignored in Red Hat Linux.
Here is an example line from /etc/shadow:

juan:$1$.QKDPc5E$SWlkjRWexrXYgc98F.:11956:0:90:5:30:12197:

This line shows the following information for user juan:

- The password was last changed September 25, 2002
- There is no minimum amount of time required before the password can be changed
- The password must be changed every 90 days
- The user will get a warning five days before the password must be changed
- The account will be disabled 30 days after the password expires if no login attempt is made
- The account will expire on May 24, 2003

For more information on the /etc/shadow file, type man 5 shadow.

/etc/group

The /etc/group file is world-readable, and contains a list of groups, each on a separate line. Each line is a four-field, colon-delimited list including the following information:

- Group name — The name of the group. Used by various utility programs to identify the group.
- Group password — If set, this allows users who are not part of the group to join the group by using the newgrp command and typing the password stored here. If a lower case x is in this field, then shadow group passwords are being used.
- Group ID (GID) — The numerical equivalent of the group name. It is used by the system and applications when determining access privileges.
- Member list — A comma-delimited list of users in the group.

Here is an example line from /etc/group:

general:x:502:juan,shelley,bob

This line shows that the general group is using shadow passwords, has a GID of 502, and that juan, shelley, and bob are members. For more information on /etc/group, type man 5 group.

/etc/gshadow

The /etc/gshadow file is readable only by the root user, and contains an encrypted password for each group, as well as group membership and administrator information. Just as in the /etc/group file, each group's information is on a separate line. Each of these lines is a four-field, colon-delimited list including the following information:

- Group name — The name of the group. Used by various utility programs to identify the group.
- Encrypted password — The encrypted password for the group. If set, non-members of the group can join the group by typing the password for that group using the newgrp command. If the value of this field is !, then no user is allowed to access the group using the newgrp command. A value of !! is treated the same as a value of !, only it indicates that a password has never been set before. If the value is null, only group members can log into the group.
- Group administrators — Group members listed here (in a comma-delimited list) can add or remove group members using the gpasswd command.
- Group members — Group members listed here (in a comma-delimited list) are regular, non-administrative members of the group.
Here is an example line from /etc/gshadow:

general:!!:shelley:juan,bob

This line shows that the general group has no password and does not allow non-members to join using the newgrp command. In addition, shelley is a group administrator, and juan and bob are regular, non-administrative members.

Since editing these files by hand raises the potential for syntax errors, it is recommended that the applications provided with Red Hat Linux for this purpose be used instead. The next section reviews the primary tools for performing these tasks.
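The /etc/passwd and /etc/shadow formats described above, in an added read-only audit example that is not part of the primer: it parses both line formats, applies the special password values (!, *, !!) and the aging fields, and converts the day counts to calendar dates. The sample lines are constructed (the toor, guest and placeholder-hash entries are invented; only the juan shadow line is the one shown above), and treating any '!'-prefixed hash as locked is an assumption beyond what the primer states.

```python
from datetime import date, timedelta

def parse(text, nfields):  # map first field -> field list per colon-delimited line
    rows = {}
    for line in filter(str.strip, text.splitlines()):
        f = line.split(":")
        if len(f) != nfields:
            raise ValueError("expected %d fields: %r" % (nfields, line))
        rows[f[0]] = f
    return rows

def day_to_date(days):  # shadow dates are day counts since January 1, 1970 (the epoch)
    return date(1970, 1, 1) + timedelta(days=days)

def password_status(h):  # classify the shadow password field by its special values
    if h == "!!":
        return "never set"
    if h == "*" or h.startswith("!"):  # assumption: any '!'-prefixed hash means locked
        return "locked"
    return "set" if h.startswith("$1$") or len(h) == 13 else "invalid"  # md5 or 13-char crypt

def aging_status(f, today):  # apply one shadow row's aging fields as of 'today' (a day count)
    last, mx, inactive, expire = (int(v) if v else None for v in (f[2], f[4], f[6], f[7]))
    if expire is not None and today >= expire:
        return "account expired on %s" % day_to_date(expire)
    if last is None or mx is None:
        return "ok"                                 # no password aging configured
    due = last + mx                                 # day by which the password must change
    if inactive is not None and today >= due + inactive:
        return "disabled (password expired on %s, inactive period over)" % day_to_date(due)
    return "password expired on %s" % day_to_date(due) if today >= due else "ok"

def audit(passwd_text, shadow_text, today):
    """Return (user, finding) pairs an administrator should review."""
    users, shadow, out = parse(passwd_text, 7), parse(shadow_text, 9), []
    for name, f in users.items():
        if int(f[2]) == 0 and name != "root":
            out.append((name, "UID 0 but not root"))
        if f[1] == "":                              # empty field: login needs no password
            out.append((name, "empty password field"))
        elif name in shadow:                        # 'x' here means the hash lives in shadow
            p, a = password_status(shadow[name][1]), aging_status(shadow[name], today)
            if p != "set" or a != "ok":
                out.append((name, "password %s; %s" % (p, a)))
    return out

SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\njuan:x:500:500::/home/juan:/bin/bash\n"  # constructed
                 "toor:x:0:0::/root:/bin/bash\nguest::501:501::/home/guest:/bin/bash\n")
SAMPLE_SHADOW = ("root:$1$aaaaaaaa$bbbbbbbbbbbbbbbbbbbbbb:11956:0:99999:7:::\n"  # placeholder hashes
                 "juan:$1$.QKDPc5E$SWlkjRWexrXYgc98F.:11956:0:90:5:30:12197:\ntoor:!!:11956:0:99999:7:::\n")
```

Calling audit(SAMPLE_PASSWD, SAMPLE_SHADOW, today) with today as a day count reports the second UID 0 account, the account whose password was never set, and the empty password field; aging_status on the juan row changes from "ok" to expired, disabled and finally account-expired as today moves past 11956+90, +30 more days, and 12197.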
For the authoritative source or latest update to this documentation, refer to http://www.redhat.com/docs/manuals/linux/