The /etc/passwd File
The /etc/passwd file stores information about all user accounts on the system. It is a colon-separated file that contains important information:
- Username - the name the user logs into the system with.
- Encrypted password - in the /etc/passwd file this is usually just an 'x', meaning the encrypted password is stored elsewhere (in /etc/shadow).
- User ID number (UID) - the unique user ID number; the system uses this number to represent the user.
- User's group ID number (GID) - the unique group ID number that signifies the user's primary group.
- Full name of the user (GECOS) - this field was historically used to contain specific user information such as name, office, telephone number, etc.
- User home directory - the absolute path of the user's home directory.
- Login shell - the absolute path to the file that gets executed when this user logs in.
A typical /etc/passwd file is shown below. Notice: 1) the password field is an 'x' for every ID; 2) most of these users have /usr/sbin/nologin as their shell, so they are NOT allowed to log in using that userid; 3) syslog has a login shell of /bin/false, and the root user and pbmac have /bin/bash as their login shell.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:101:103::/home/syslog:/bin/false
pbmac:x:1000:1000:pbmac,,,:/home/pbmac:/bin/bash
Looking at the userid pbmac, the entry is broken down as:
pbmac:x:1000:1000:pbmac,,,:/home/pbmac:/bin/bash

  pbmac         Username
  x             Password (placeholder; the hash lives in /etc/shadow)
  1000          UID
  1000          GID
  pbmac,,,      GECOS
  /home/pbmac   Home directory
  /bin/bash     Login shell
The /etc/shadow file contains the password information for the system's accounts and optional aging information. This file must not be readable by regular users if password security is to be maintained. Each line of this file contains 9 fields, separated by colons.
Here is a brief description of each field:
- Username – the name of the user.
- Encrypted password – the password in encrypted form.
- Last password change – the date of the last password change. This date is stored as the number of days since January 1, 1970.
- Minimum – the number of days before a password change is allowed. The value of 0 means the password can be changed any time.
- Maximum – the number of days before the password must be changed. The value 99999 means the user’s password never expires.
- Warning – the number of days before a password is going to expire during which the user will be warned.
- Disabled – the number of days after a password has expired until the user account is disabled. No entry in this field means that the account is disabled immediately after the password expires.
- Disabled date – the date, stored as the number of days since January 1, 1970, on which the account is disabled. No entry in this field means the account is not disabled.
- Reserved – the ninth field is unused and reserved for future use.
pbmac:$6$kgBH9Jca$6Jf7V1qc27CYSAHiSUuRGGOxT5g0VaXYZUDf5ySgDGm5.2PsNZLdqdw43jlnyGHNb/:17847:0:99999:7:::

  pbmac                                   Username
  $6$kgBH9Jca$6Jf7V1qc27CYSAHiSUuRGGOxT5g0VaXYZUDf5ySgDGm5.2PsNZLdqdw43jlnyGHNb/
                                          Hashed value of the user's password
  17847                                   Days since last change
  0                                       Minimum days before it may be changed
  99999                                   Days till it MUST change
  7                                       Days before expiry that the user is warned
  (empty)                                 Days after the password expires that the account is disabled
  (empty)                                 Date the account has been disabled
  (empty)                                 Unused
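As an added example (not code from the article), the following Python script parses both formats described above and applies the checks an administrator usually wants: passwd entries whose UID is 0 but whose name is not root, entries whose password field is not the 'x' placeholder, entries with an interactive login shell, and shadow entries classified by the Last change / Maximum / Warning fields. The NOLOGIN_SHELLS set is an assumption (adjust it for your distribution), and the entries for alice, bob and svc-admin are constructed test data; the other sample lines are copied from the listing above.

```python
# Added example: parse and audit /etc/passwd and /etc/shadow entries.
# Sample data is embedded so the script runs offline; read the real files
# (as root, for /etc/shadow) by passing their lines to the same functions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple, Union

EPOCH = date(1970, 1, 1)  # day 0 of the shadow date fields

# Shells that refuse an interactive login (assumed list; adjust per distro).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Copied from the article's listing (subset).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:101:103::/home/syslog:/bin/false
pbmac:x:1000:1000:pbmac,,,:/home/pbmac:/bin/bash
"""

# The shadow line from the article.
SHADOW_SAMPLE = ("pbmac:$6$kgBH9Jca$6Jf7V1qc27CYSAHiSUuRGGOxT5g0VaXYZUDf5ySgDGm5"
                 ".2PsNZLdqdw43jlnyGHNb/:17847:0:99999:7:::")


@dataclass
class PasswdEntry:
    name: str
    password: str   # 'x' means the hash is in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: Optional[int]    # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]       # 99999 means "never expires"
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]     # days since 1970-01-01
    reserved: str


def _days(field: str) -> Optional[int]:
    """Numeric shadow field; an empty field is reported as None."""
    return int(field) if field else None


def parse_passwd_line(line: str) -> PasswdEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError(f"passwd: expected 7 fields, got {len(f)}: {line!r}")
    return PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"shadow: expected 9 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], _days(f[2]), _days(f[3]), _days(f[4]),
                       _days(f[5]), _days(f[6]), _days(f[7]), f[8])


def audit_passwd(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for entries worth a second look."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_passwd_line(line)
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 but not root"))
        if e.password != "x":
            findings.append((e.name, "password field is not the 'x' placeholder"))
        if e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, "interactive login shell " + e.shell))
    return findings


def last_change_date(e: ShadowEntry) -> Optional[date]:
    """Convert the 'days since 1970-01-01' field into a calendar date."""
    return EPOCH + timedelta(days=e.last_change) if e.last_change is not None else None


def password_status(e: ShadowEntry, today: Union[date, str]) -> str:
    """One of: empty-password, locked, no-expiry, expired, warning, ok."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if e.hash == "":
        return "empty-password"
    if e.hash.startswith(("!", "*")):   # conventional lock markers
        return "locked"
    if e.last_change is None or e.max_days is None or e.max_days >= 99999:
        return "no-expiry"
    expires_on = EPOCH + timedelta(days=e.last_change + e.max_days)
    if today > expires_on:
        return "expired"
    if e.warn_days and today >= expires_on - timedelta(days=e.warn_days):
        return "warning"
    return "ok"


if __name__ == "__main__":
    for name, finding in audit_passwd(PASSWD_SAMPLE.splitlines()):
        print(f"{name}: {finding}")
    entry = parse_shadow_line(SHADOW_SAMPLE)
    print(entry.name, last_change_date(entry), password_status(entry, date.today()))
```

On a real system the same functions take `open("/etc/passwd")` and, as root, `open("/etc/shadow")`; the audit deliberately reports root's /bin/bash too, so the reviewer sees every account that can log in interactively rather than a pre-filtered list.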