Login Files

/etc/passwd File
Purpose
Contains basic user attributes.

Description
The /etc/passwd file contains basic user attributes. This is an ASCII file that contains an entry for each user. Each entry defines the basic attributes applied to a user. When you use the mkuser command to add a user to your system, the command updates the /etc/passwd file.

Note: Certain system-defined group and user names are required for proper installation and update of the system software. Use care before replacing this file to ensure that no system-supplied groups or users are removed.
An entry in the /etc/passwd file has the following form:

Name:Password:UserID:PrincipleGroup:Gecos:HomeDirectory:Shell

Attributes in an entry are separated by a : (colon). For this reason, you should not use a : (colon) in any attribute. The attributes are defined as follows:

Name Specifies the user's login name. The user name must be a unique string of 8 bytes or less. There are a number of restrictions on naming users. See the mkuser command for more information.
Password Contains an * (asterisk) indicating an invalid password or an ! (exclamation point) indicating that the password is in the /etc/security/passwd file. Under normal conditions, the field contains an !. If the field has an * and a password is required for user authentication, the user cannot log in.
UserID Specifies the user's unique numeric ID. This ID is used for discretionary access control. The value is a unique decimal integer.
PrincipleGroup Specifies the user's principal group ID. This must be the numeric ID of a group in the user database or a group defined by a network information service. The value is a unique decimal integer.
Gecos Specifies general information about the user that is not needed by the system, such as an office or phone number. The value is a character string. The Gecos field cannot contain a colon.
HomeDirectory Specifies the full path name of the user's home directory. If the user does not have a defined home directory, the home directory of the guest user is used. The value is a character string.
Shell Specifies the initial program or shell that is executed after a user invokes the login command or su command. If a user does not have a defined shell, /usr/bin/sh, the system shell, is used. The value is a character string that may contain arguments to pass to the initial program.

Users can have additional attributes in other system files. See the "Files" section for additional information.

Changing the User File
You should access the user database files through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases. Use the following commands to access user database files:

chfn
chsh
chuser
lsuser
mkuser
rmuser
The mkuser command adds new entries to the /etc/passwd file and fills in the attribute values as defined in the /usr/lib/security/mkuser.default file.

The Password attribute is always initialized to an * (asterisk), an invalid password. You can set the password with the passwd or pwdadm command. When the password is changed, an ! (exclamation point) is added to the /etc/passwd file, indicating that the encrypted password is in the /etc/security/passwd file.

Use the chuser command to change all user attributes except Password. The chfn command and the chsh command change the Gecos attribute and Shell attribute, respectively. To display all the attributes in this file, use the lsuser command. To remove a user and all the user's attributes, use the rmuser command.

To write programs that affect attributes in the /etc/passwd file, use the subroutines listed in Related Information.

Security
Access Control: This file should grant read (r) access to all users and write (w) access only to the root user and members of the security group.

Examples
Typical records that show an invalid password for smith and guest follow:
smith:*:100:100:8A-74(office):/home/smith:/usr/bin/sh
guest:*:200:0::/home/guest:/usr/bin/sh
The fields are in the following order: user name, password, user ID, primary group, general (gecos) information, home directory, and initial program (login shell). The * (asterisk) in the password field indicates that the password is invalid. Each attribute is separated by a : (colon).
If the password for smith in the previous example is changed to a valid password, the record will change to the following:
smith:!:100:100:8A-74(office):/home/smith:/usr/bin/sh
The ! (exclamation point) indicates that an encrypted password is stored in the /etc/security/passwd file.
Implementation Specifics
This file is part of Base Operating System (BOS) Runtime.



/etc/group File
Purpose
Contains basic group attributes.

Description
The /etc/group file contains basic group attributes. This is an ASCII file that contains records for system groups. Each record appears on a single line and is in the following format:

Name:Password:ID:User1,User2,...,Usern

You must separate each attribute with a colon. Records are separated by new-line characters. The attributes in a record have the following values:

Name Specifies a group name that is unique on the system. The name is a string of 8 bytes or less. See the mkgroup command for information on the restrictions for naming groups.
Password Not used. Group administrators are provided instead of group passwords. See the /etc/security/group file for more information.
ID Specifies the group ID. The value is a unique decimal integer string.
User1,User2,...,Usern Identifies a list of one or more users. Separate group member names with commas. Each user must already be defined in the local database configuration files.

Do not use a : (colon) in any of the attribute fields. For an example of a record, see the "Examples" section. Additional attributes are defined in the /etc/security/group file.

Note: Certain system-defined group and user names are required for proper installation and update of the system software. Exercise care before replacing the /etc/group file to ensure that no system-supplied groups or users are removed.
You should access the /etc/group file through the system commands and subroutines defined for this purpose. You can use the following commands to manage groups:

chgroup
chgrpmem
chuser
lsgroup
mkgroup
mkuser
rmgroup
To change the Name parameter, you first use the mkgroup command to add a new entry. Then, you use the rmgroup command to remove the old group. To display all the attributes in the file, use the lsgroup command.

You can use the chgroup, chgrpmem, or chuser command to change all user and group attributes. The mkuser command adds a user whose primary group is defined in the /usr/lib/security/mkuser.default file and the rmuser command removes a user. Although you can change the group ID with the chgroup command, this is not recommended.

Security
Access Control: This file should grant read (r) access to all users and grant write (w) access only to the root user and members of the security group.

Examples
A typical record looks like the following example for the staff group:

staff:!:1:shadow,cjf
In this example, the GroupID parameter is 1 and the users are defined to be shadow and cjf.
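An added consistency check for the /etc/group layout described above, not code from the original page: it parses constructed group and passwd records (the staff record is the one from the example; the other names are invented) and reports members that are not defined in passwd, duplicate group IDs and users whose primary group does not exist, and lists who is effectively in a group once primary group IDs are counted.

```python
# Added example (not from the page): parse /etc/group records and cross-check them with
# /etc/passwd. Sample records are constructed; "staff:!:1:shadow,cjf" is the text's own.
GROUP_FIELDS = ("name", "password", "gid", "members")
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
GROUP = """\
system:!:0:root
staff:!:1:shadow,cjf
security:!:7:root,cjf
"""
PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
cjf:!:201:1:C. Frost:/home/cjf:/usr/bin/sh
guest:*:200:7::/home/guest:/usr/bin/sh
tmp:!:202:9::/home/tmp:/usr/bin/sh
"""

def load(text, fields):           # all non-empty records of one file, field-count checked
    records = [l.split(":") for l in text.splitlines() if l]
    bad = [r for r in records if len(r) != len(fields)]
    if bad:
        raise ValueError(f"malformed record(s): {bad}")
    return [dict(zip(fields, r)) for r in records]

def group_problems(group_text, passwd_text):
    """Findings the mk*/ch* commands normally prevent: members missing from passwd,
    duplicate group IDs, and users whose primary group does not exist."""
    groups, users = load(group_text, GROUP_FIELDS), load(passwd_text, PASSWD_FIELDS)
    names = {u["name"] for u in users}
    gids, findings = {}, []
    for g in groups:
        if g["gid"] in gids:
            findings.append(f"gid {g['gid']} used by both {gids[g['gid']]} and {g['name']}")
        gids.setdefault(g["gid"], g["name"])
        for m in filter(None, g["members"].split(",")):
            if m not in names:
                findings.append(f"group {g['name']}: member {m} is not in passwd")
    for u in users:
        if u["gid"] not in gids:
            findings.append(f"user {u['name']}: primary gid {u['gid']} has no group")
    return findings

def effective_members(group_text, passwd_text, group_name):
    """Everyone in `group_name`: listed members plus users whose primary gid is it."""
    g = {r["name"]: r for r in load(group_text, GROUP_FIELDS)}[group_name]
    members = set(filter(None, g["members"].split(",")))
    return members | {u["name"] for u in load(passwd_text, PASSWD_FIELDS)
                      if u["gid"] == g["gid"]}
```

Note that guest ends up in the security group through its primary group ID alone, which is exactly the kind of membership a review of the member list misses.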

Implementation Specifics
This file is part of Base Operating System (BOS) Runtime.

6.6. Linux Password & Shadow File Formats
Traditional Unix systems keep user account information, including one-way encrypted passwords, in a text file called ``/etc/passwd''. Because this file is used by many tools (such as ``ls'') to display file ownership and similar details by matching user IDs with user names, the file needs to be world-readable. Consequently, this can be somewhat of a security risk.

Another method of storing account information, one that I always use, is the shadow password format. As with the traditional method, this method stores account information in the /etc/passwd file in a compatible format. However, the password is stored as a single "x" character (i.e., it is not actually stored in this file). A second file, called ``/etc/shadow'', contains the encrypted password as well as other information such as account or password expiration values. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.

While some other Linux distributions force you to install the Shadow Password Suite in order to use the shadow format, Red Hat makes it simple. To switch between the two formats, type (as root):

/usr/sbin/pwconv      To convert to the shadow format
/usr/sbin/pwunconv    To convert back to the traditional format

With shadow passwords, the ``/etc/passwd'' file contains account information, and looks like this:

smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash


Each field in a passwd entry is separated by a ":" (colon) character. The fields are as follows:

Username, up to 8 characters. Case-sensitive, usually all lowercase

An "x" in the password field. Passwords are stored in the ``/etc/shadow'' file.

Numeric user ID. This is assigned by the ``adduser'' script. Unix uses this field, plus the following group field, to identify which files belong to the user.

Numeric group ID. Red Hat uses group IDs in a fairly unique manner for enhanced file security. Usually the group ID will match the user ID.

Full name of user. I'm not sure what the maximum length for this field is, but try to keep it reasonable (under 30 characters).

User's home directory. Usually /home/username (e.g. /home/smithj). All of the user's personal files, web pages, mail forwarding, etc. will be stored here.

User's "shell account". Often set to ``/bin/bash'' to provide access to the bash shell (my personal favorite shell).

Perhaps you do not wish to provide shell accounts for your users. You could create a script file called ``/bin/sorrysh'', for example, that would display some kind of error message and log the user off, and then set this script as their default shell.

Note: If the account needs to provide "FTP" transfers to update web pages, etc., then the shell account will need to be set to ``/bin/bash'', and special permissions will then need to be set up in the user's home directory to prevent shell logins. See Section 7.1 for details on this.

The ``/etc/shadow'' file contains password and account expiration information for users, and looks like this:

smithj:Ep6mckrOLChF.:10063:0:99999:7:::


As with the passwd file, each field in the shadow file is separated by a ":" (colon) character. The fields are as follows:

Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.

Password, 13 characters, encrypted. A blank entry (e.g. ::) indicates that a password is not required to log in (usually a bad idea), and a ``*'' entry (e.g. :*:) indicates that the account has been disabled.

The number of days (since January 1, 1970) since the password was last changed.

The number of days before password may be changed (0 indicates it may be changed at any time)

The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)

The number of days to warn user of an expiring password (7 for a full week)

The number of days after password expires that account is disabled

The number of days since January 1, 1970 that an account has been disabled

A reserved field for possible future use
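An added audit of the two layouts described above (the 7-field passwd entry and the 9-field shadow entry with its aging counters), not code from the original page: it parses constructed sample records, flags a hash left in the world-readable passwd file, a blank shadow password and a locked entry, and derives the password state from the last-change, maximum, warning and inactive fields. The marker set also accepts the '!' and '*' values of the AIX /etc/passwd described at the top of the page, though only an /etc/shadow lookup is modelled; the smithj records and the Ep6mckrOLChF. hash are the ones shown in the text, everything else is constructed.

```python
# Added example (not from the page): parse /etc/passwd and /etc/shadow records and
# classify each account. Sample records are constructed; smithj is the text's own.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "password", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire_day", "reserved")
SHADOW_MARKERS = {"x", "!", "*"}   # passwd values meaning "look in the shadow file"
PASSWD = """\
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
bob:x:1002:1002::/home/bob:/bin/sorrysh
legacy:Ep6mckrOLChF.:1003:1003::/home/legacy:/bin/bash
"""
SHADOW = """\
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
alice:$6$CONSTRUCTED$placeholder:19000:0:90:7:14::
bob::19000:0:99999:7:::
"""

def parse_record(line, fields):   # one colon-separated record; empty fields allowed
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    return dict(zip(fields, parts))

def shadow_status(sh, day):       # day = today as days since 1970-01-01, like the file
    pw = sh["password"]
    if pw == "":
        return "no-password"        # blank field: login without any password
    if pw[0] in "*!":
        return "locked"             # '*' or '!' can never match a real hash
    if sh["expire_day"] and day >= int(sh["expire_day"]):
        return "expired"            # account-level expiry day has passed
    expires = int(sh["last_change"]) + int(sh["max_days"] or 99999)
    if sh["inactive_days"] and day >= expires + int(sh["inactive_days"]):
        return "disabled"           # grace period after expiry is used up
    if day >= expires:
        return "must-change"
    return "warn" if day >= expires - int(sh["warn_days"] or 0) else "ok"

def audit(passwd_text, shadow_text, day):
    shadows = {r["name"]: r for r in (parse_record(l, SHADOW_FIELDS)
                                      for l in shadow_text.splitlines() if l)}
    report = {}
    for pw in (parse_record(l, PASSWD_FIELDS) for l in passwd_text.splitlines() if l):
        if pw["password"] not in SHADOW_MARKERS:     # hash sits in world-readable passwd
            report[pw["name"]] = "hash-in-passwd" if pw["password"] else "no-password"
        elif pw["name"] not in shadows:
            report[pw["name"]] = "no-shadow-entry"   # 'x' but nothing to look up
        else:
            report[pw["name"]] = shadow_status(shadows[pw["name"]], day)
    return report
```

Run it against real files as root with day = (date.today() - date(1970, 1, 1)).days; a "hash-in-passwd" or "no-password" result is what pwconv and the shadow format exist to prevent.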

Files
/etc/group Contains basic group attributes.
/etc/security/group Contains the extended attributes of groups.
/etc/passwd Contains the basic attributes of users.
/etc/security/passwd Contains password information.
/etc/security/user Contains the extended attributes of users.
/etc/security/environ Contains the environment attributes of users.
/etc/security/limits Contains the process resource limits of users.
/etc/security/audit/config Contains audit system configuration information.
