The Linux password file, /etc/passwd

The /etc/passwd file stores crucial information which is required during login on Linux systems.

Fields

A line in /etc/passwd is one entry for a user account. The fields are separated by a colon (:).

The format is as follows (note that for the purpose of formatting the display, the line is split. A real /etc/passwd file would have all the data on one line).

newusername:x:1050:1001
     1      2   3    4   
 :NewUser,Roomnr,123,456,user@newdomain.com
        5
 :/home/newusername:/bin/sh
        6               7

 1: username
 2: password 
 3: the user id
 4: the group id
 5: user information (display with 'finger')
 6: the home directory
 7: the shell 

If the password field (2) contains an X then the encrypted password is stored in /etc/shadow.
If it contains an * then the account is disabled.

User IDs

Every user on a system must have an ID, called an UID (field 3). The super user, or root user, is assigned UID 0. UIDs of 1 to 99 are reserved for predefined accounts. The IDs from 100 to 999 are reserved for system accounts.

If you spot a user account with UID of 0 and it’s not root then this might be the sign of a break-in.
An easy way to look for UID 0 accounts is with

egrep ':0+:' /etc/passwd

Shadow file

Typically the passwd file is readable by world. This would mean that if passwords would also be stored in the passwd file these passwords are accessible by every account. To avoid this, passwords are stored in another file /etc/shadow that is only accessible by the root user.

Similarly to the passwd file, this file contains one entry per account and all fields are separated by a colon (:). The format is as follows

newusername:$verylongstrong$:15086:0:99999:7:::
   1              2             3  4   5   6

 1: username
 2: encrypted password 
 3: number of days since last change
 4: minimum of days required between password changes
 5: the maximum of days a password is valid
 6: the number of days, before the expiration of a password, that a user is warned  

If the encrypted password field starts with $ then this means it was generated with something else than DES. For example $1$ indicates it is generated with MD5, $6$ is SHA-512.

Edit the password or shadow file

Do not edit the passwd file or shadow file directly with vi.
You should use the special purpose tools as vipw or vigr to change these files.

2 thoughts on “The Linux password file, /etc/passwd

Leave a Reply

Your email address will not be published. Required fields are marked *