In-Depth Understanding Linux passwd / shadow File Entries

October 6, 2012

On Linux systems, user account information is kept in the text file /etc/passwd, and the one-way hashed passwords in /etc/shadow. Creating a user updates several system files, among them /etc/passwd, /etc/shadow and /etc/group. These password files are a cornerstone of the security of a Linux system: whoever can write to them decides who can log in and as whom.

/etc/passwd stores account information in shadow password format, with the password field holding a single x character, while /etc/shadow stores the actual password hash of each account together with additional properties related to password ageing. In this article we go through /etc/passwd and /etc/shadow, two of the most important files on a Linux system.

1. /etc/passwd file

This file stores the local accounts of the system. It can be read by any user but is writable only by the super-user root. Each line represents one user and consists of fields separated by colons (:).

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
linoadmin:x:1000:1000::/home/linoadmin:/bin/bash

/etc/passwd has seven fields, laid out as follows:

username:password:UID:GID:comment:home:shell

Each field has the following role:

  • Username or login: The first field is the username used to log in. Only local accounts have entries in the passwd file; accounts served from a network directory are not listed here. The name must be between 1 and 32 characters long.
  • Password (x): The second field holds an x to indicate that the password hash is stored in /etc/shadow. The hash is kept out of this file because the file is readable by everybody. An empty second field means no password is required to log in, so this field must never be blank.
  • User ID (UID): The third field is the numeric user ID that identifies the user on the system. The kernel works with this number, not the name, so any account with UID 0 is root whatever it is called. UIDs 1 to 99 are reserved for predefined accounts and UIDs 100 to 999 for system and administrative accounts; on most modern distributions UIDs for regular users start at 1000.
  • Group ID (GID): The fourth field is the numeric ID of the user's primary group. When a user is created with useradd without an explicit group, a group with the same name as the user is created for this purpose. A user can be a member of several groups, listed in /etc/group, but the passwd file records only the primary group.
  • User ID info or comment (GECOS): The fifth field is a free-form comment about the account, such as the user's full name, phone number or a description of the service the account was created for.
  • Home directory: The sixth field is the absolute path of the directory the user is placed in at login, usually /home/username for regular users and /root for root.
  • Shell: The seventh field is the absolute path of the command or shell started at login, typically the user's default shell such as /bin/bash. Accounts that must not log in interactively are given /sbin/nologin or /bin/false here.
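As an added example (not part of the original article), the following Python script parses passwd-format text into the seven fields described above and applies the checks an auditor runs first: UID 0 accounts other than root, empty or non-x password fields, duplicate UIDs, and system accounts with an interactive shell. The sample entries are constructed for illustration; toor, legacy and svc_backup are hypothetical accounts added to show what gets flagged.

```python
"""Parse /etc/passwd-style text and flag risky entries.

Added example, not code from the original article.  SAMPLE_PASSWD is a
constructed sample; the field order is name:passwd:UID:GID:comment:home:shell.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: the article's entries plus three hypothetical accounts
# (toor, legacy, svc_backup) that an auditor would want to see flagged.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
linoadmin:x:1000:1000::/home/linoadmin:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
legacy::1001:1001:no password at all:/home/legacy:/bin/bash
svc_backup:x:999:999:old service:/var/backups:/bin/bash
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    comment: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty line on ':' into exactly seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, comment, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), comment, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Return human-readable findings for the basic passwd sanity checks."""
    findings = []
    seen_uids = {}
    for e in entries:
        # Any UID 0 account is root, whatever it is called.
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account that is not 'root'")
        # Empty second field: login without any password.  Anything other
        # than 'x' means a hash (or '*' / '!!') sits in a world-readable file.
        if e.password == "":
            findings.append(f"{e.name}: empty password field (login without password)")
        elif e.password != "x":
            findings.append(f"{e.name}: password field is not 'x' (hash stored world-readable)")
        # Two names with one UID are the same identity to the kernel.
        if e.uid in seen_uids and seen_uids[e.uid] != e.name:
            findings.append(f"{e.name}: shares UID {e.uid} with {seen_uids[e.uid]}")
        seen_uids.setdefault(e.uid, e.name)
        # System accounts (UID 1-999 on this layout) should not be interactive.
        if 0 < e.uid < 1000 and e.shell not in NOLOGIN_SHELLS:
            findings.append(f"{e.name}: system account with login shell {e.shell}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

To run it against the live system, replace SAMPLE_PASSWD with the content of /etc/passwd (readable by any user); the UID boundary of 1000 is the one described above and may need adjusting to UID_MIN from /etc/login.defs on your distribution.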

a. /etc/passwd file permission

Because /etc/passwd is essential to the system, its default permission is 644: any user can read it, but only root can modify it, which also protects it against accidental edits. You can check the permission as below:

# ls -l /etc/passwd
-rw-r--r-- 1 root root 1501 May 11 16:58 /etc/passwd

b. How passwd command works

You can change your own password, or as root the password of any user, with the /usr/bin/passwd command. Look at the permissions of this command:

$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd

The user and group owner are root, and other users have read and execute permission. More importantly, the s in place of the owner's x is the setuid bit: when any user executes the program, it runs with the effective UID of the file's owner, root. That is how an unprivileged user can update their own line in /etc/shadow, a file they cannot otherwise even read. Because a setuid root binary runs with full privileges on behalf of whoever invokes it, passwd enforces its own checks: it prompts for the current password and refuses to operate on a user name supplied by a non-root caller.

To change your own password, just enter passwd command without option

$ passwd 
Changing password for user papso.
Changing password for papso.
(current) UNIX password: 
New password:

Notice that, even though you can change your own password without root privileges, you cannot change another user's password without them:

$ passwd patrick
passwd: Only root can specify a user name.

c. Manually operate on password files

A few Unix systems do not use /etc/shadow by default to manage accounts. When migrating a Linux server to or from such a system you may need to convert between the two layouts. pwunconv merges /etc/shadow back into /etc/passwd, creating a single passwd file that carries the hashes in its second field, and then removes /etc/shadow. Be aware that this makes every hash readable by every user on the system, so it should only ever be a temporary step.

See below:

# pwunconv

Now that we have run the command, let us see whether /etc/shadow still exists:

# ls -l /etc/shadow
ls: cannot access /etc/shadow: No such file or directory

The file was removed. Now let's look at the content of the new /etc/passwd file:

# cat /etc/passwd
root:$6$Q0FVxjNp$ZS7ilFmu2ILfZApk1mJz4f48X6mPNQ9bnmZPy33PSYyXT1PeticjUaeLqUxX9w6d80IWHOcO69vfKowRKjnsB1:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
daemon:*:2:2:daemon:/sbin:/sbin/nologin
linoadmin:!!:1000:1000::/home/linoadmin:/bin/bash
patrick:!!:1001:1001::/home/patrick:/bin/bash

The second field now contains what /etc/shadow used to hold: the hash for root, * for the system accounts and !! for users without a password, all in a world-readable file. The password-ageing information (last change, minimum and maximum days, and so on) has no place in /etc/passwd and is lost by pwunconv. pwconv reverts the operation, moving the hashes back into a new /etc/shadow and restoring the x in /etc/passwd.

You can also add lines (create users) by editing these files directly with

  • vipw, or vipw -p, for the /etc/passwd file
  • vipw -s for the /etc/shadow file
  • vipw -g for the /etc/group file, because each created user normally has an associated group

vipw opens the file in the editor named by $VISUAL or $EDITOR (vi by default) and locks the password database while you edit, so that useradd or passwd cannot write to it at the same time. Even so, editing these files by hand is error-prone and not recommended; use useradd, usermod, userdel and passwd instead.

2. /etc/shadow file

Originally the password hash was stored in /etc/passwd. That file has to be world-readable so that the system can map user IDs to user names and users can look up information about each other, which meant every user could read every hash and attack it offline. Once this was recognised as a security problem, the /etc/shadow file was created to store the hashes, readable only by root, together with information that /etc/passwd cannot hold, such as when the password was last changed and when it will expire. The file hides the hashes from normal users while keeping them available to the authentication system. Look below:

$ cat /etc/shadow
cat: /etc/shadow: Permission denied

As a normal user you cannot see the content of the file; you need root privileges to read it. Like /etc/passwd, it contains one line per user, with fields separated by colons (:).

# cat /etc/shadow
root:$6$Q0FVxjNp$ZS7ilmu2ILfZApk1mJz4f48X6m:17262:0:14600:14::: 
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
linoadmin:!!:17289:0:99999:7:::

/etc/shadow has nine fields, laid out as follows:

username:password:lastchanged:minimum:maximum:warn:inactive:expire:reserved

Below are the details of each field:

  • Username or login: The first field is the username used to log in to the system.
  • Password: The second field stores the password hash. The $id$ prefix at the start of the field ($6$ in the example above) identifies the hashing algorithm (see the list at the end of this article). An asterisk * means the account has no valid hash and cannot log in with a password; !! means no password has ever been set for the account, which is what a freshly created user gets. A ! in front of an otherwise valid hash means the account was locked with passwd -l or usermod -L; removing the ! unlocks it again.
  • Date of last password change (lastchanged): The third field is the date of the last password change, expressed as the number of days since Jan 1, 1970. A value of 0 forces the user to change the password at the next login; an empty field disables password ageing for the account.
  • Minimum days: The fourth field is the minimum number of days that must pass after a password change before the user may change the password again.
  • Maximum days: The fifth field is the maximum number of days the password is valid. After that the password has expired and the user is forced to change it at the next login; 99999 effectively means the password never expires.
  • Warning period: The sixth field is the number of days before expiry during which the user is warned at login that the password must be changed.
  • Inactivity period: The seventh field is the number of days after the password has expired during which the old password is still accepted for login (to change it); once that period has passed the account is disabled. An empty field means no inactivity period is enforced.
  • Account expiration date: The eighth field is the date, in days since Jan 1, 1970, on which the account is disabled, independently of the password-ageing fields. An empty field means the account never expires.
  • Reserved: The ninth field is reserved for future use.

a. /etc/shadow file permission

This is the second critical file, because it stores the password hashes: anyone who can read it can take the hashes offline and attack them with a password cracker, and anyone who can write to it can set any account's password. That is why its permission is 400, readable only by the owner root, which also prevents accidental modifications (other distributions use 640 with group shadow, or even 000, so that only processes running as root can read it). You can see the default permissions of this file below:

# ls -l /etc/shadow
-r-------- 1 root root 1078 May 12 23:55 /etc/shadow
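As an added example covering both this section and the /etc/passwd permission check earlier, here is a Python function (not from the original article) that verifies owner and mode of the two files against a maximum permitted mode, flagging any extra bits, a wrong owner and in particular world-writability. The policy table is an assumption for this example: it requires root ownership and tolerates the 640 root:shadow layout used by Debian-based systems as well as the 400 and 000 modes used elsewhere.

```python
"""Check ownership and mode of the account databases.

Added example, not from the original article.  The maximum modes encode the
permissions shown above: /etc/passwd writable only by its owner (0644), and
/etc/shadow not readable or writable by 'other' (0400, 0640 root:shadow or
0000 depending on the distribution).
"""
import os
import stat
from typing import List

# Assumed per-file policy for this example: (maximum permitted mode bits,
# required owner UID).  UID 0 is root on every Linux system.
POLICY = {
    "/etc/passwd": (0o644, 0),
    "/etc/shadow": (0o640, 0),
}


def check_mode(path: str, max_mode: int, owner_uid: int) -> List[str]:
    """Return findings for bits set beyond max_mode or an unexpected owner."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)   # permission bits only, no file type
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    extra = mode & ~max_mode
    if extra:
        findings.append(f"{path}: mode {mode:04o} exceeds {max_mode:04o} (extra bits {extra:04o})")
    # A world-writable account database hands out root: anyone can append a
    # UID 0 line to passwd or blank a password field in shadow.
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    return findings


def audit_account_files(policy=POLICY) -> List[str]:
    """Run check_mode over every file in the policy that exists on this host."""
    findings = []
    for path, (max_mode, owner) in policy.items():
        if os.path.exists(path):
            findings.extend(check_mode(path, max_mode, owner))
    return findings


if __name__ == "__main__":
    for line in audit_account_files() or ["OK: account files have expected permissions"]:
        print(line)
```

os.stat only needs search permission on /etc, not read access to the file itself, so the audit works for /etc/shadow even when run as an unprivileged user.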

The password may be hashed with different algorithms; the algorithm is identified by the id between the first two $ characters of the hash. Below are the ids and the hashing algorithm each indicates:

  • 1: MD5 (obsolete; fast to brute-force and should not be used for new passwords)
  • 2a: Blowfish (bcrypt; 2b and 2y are later variants of the same scheme)
  • 5: SHA-256
  • 6: SHA-512
  • y: yescrypt (the default on recent Debian, Ubuntu and Fedora releases)

The algorithm used for new passwords is configured with ENCRYPT_METHOD in /etc/login.defs (or in the pam_unix configuration); existing hashes keep their old algorithm until the password is changed, so a mix of ids in one file usually points at accounts whose passwords have not been rotated since the policy changed.
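As an added example (not from the original article) that ties together the shadow field descriptions and the algorithm ids above, the following Python code parses shadow-format lines into the nine fields, classifies the second field (hash algorithm, *, !! and a locked hash) and evaluates the ageing fields for a given date. The sample lines are constructed: root's hash is shortened as in the article text, and patrick and olduser are hypothetical accounts added to show a locked hash and an expired MD5 password.

```python
"""Parse /etc/shadow entries and evaluate their ageing fields.

Added example, not from the original article.  SAMPLE_SHADOW is constructed
(root's hash is shortened, as in the article text).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)  # shadow dates are counted in days from here

# Algorithm ids found between the first two '$' of a crypt(3) hash.
HASH_IDS = {
    "1": "MD5 (obsolete)",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}

SAMPLE_SHADOW = """\
root:$6$Q0FVxjNp$ZS7ilmu2ILfZApk1mJz4f48X6m:17262:0:14600:14:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
linoadmin:!!:17289:0:99999:7:::
patrick:!$6$abc$locked:17289:0:99999:7:::
olduser:$1$salt$hash:17000:0:90:7:30::
"""


@dataclass
class ShadowEntry:
    name: str
    password: str
    lastchg: Optional[int]   # days since EPOCH; 0 = must change; empty = no ageing
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]    # account expiry, days since EPOCH


def _int_or_none(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Split each line into exactly nine ':'-separated fields (the last is reserved)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        entries.append(ShadowEntry(f[0], f[1], *(_int_or_none(x) for x in f[2:8])))
    return entries


def password_state(pw: str) -> str:
    """Classify the second field: empty, locked, locked hash, or the hash algorithm."""
    if pw == "":
        return "empty"                      # login without any password
    if pw[0] in "!*":
        # '!' / '!!' = locked or never set, '*' = no password login possible.
        # passwd -l prepends '!' to a valid hash; the hash is still present.
        rest = pw.lstrip("!*")
        return "locked hash" if rest.startswith("$") else "locked"
    if pw.startswith("$"):
        ident = pw.split("$")[1]
        return HASH_IDS.get(ident, f"unknown id {ident}")
    return "legacy DES crypt"               # 13-character hash, no '$' prefix


def password_status(e: ShadowEntry, today: date) -> str:
    """Apply the ageing rules of shadow(5) to one entry for the given day."""
    if e.expire is not None and today >= EPOCH + timedelta(days=e.expire):
        return f"account expired on {(EPOCH + timedelta(days=e.expire)).isoformat()}"
    if e.lastchg == 0:
        return "must change at next login"
    if e.lastchg is None or e.max_days is None or e.max_days >= 99999:
        return "never expires"
    expires_on = EPOCH + timedelta(days=e.lastchg + e.max_days)
    if today <= expires_on:
        return f"valid until {expires_on.isoformat()}"
    if e.inactive is not None:
        grace_end = expires_on + timedelta(days=e.inactive)
        if today <= grace_end:
            return f"expired on {expires_on.isoformat()}, accepted until {grace_end.isoformat()}"
    return f"expired on {expires_on.isoformat()}"


def report(text: str, today: date) -> List[str]:
    """One line per account: password state and ageing status."""
    return [f"{e.name}: {password_state(e.password)}, {password_status(e, today)}"
            for e in parse_shadow(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_SHADOW, date.today()):
        print(line)
```

Run as root with the content of the real /etc/shadow, the report lists every account whose password never expires, is still MD5-hashed, or is locked, which is the usual starting point for a password-policy review.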

Conclusion

The two files /etc/passwd and /etc/shadow are very important on Linux because they hold the account and password information. Take care when editing them: prefer the dedicated tools (useradd, usermod, passwd, chage, vipw) over a plain editor, and keep the permissions shown above so that the hashes never become world-readable.

Filed Under : LINUX HOWTO, USER MANAGEMENT
