Table of Contents
Overview
On a typical Linux system, basic information about users and groups is stored in a small set of text files under /etc. These “user information files” are read by tools like login, su, sudo, and id, and by low‑level system libraries (e.g. getpwnam(3)).
In modern systems, these files often coexist with other sources (LDAP, Active Directory, etc.) through the Name Service Switch (/etc/nsswitch.conf), but understanding the local files is essential for administration, recovery, and troubleshooting.
In this chapter you’ll focus on:
- What information is stored in:
/etc/passwd/etc/shadow/etc/group/etc/gshadow- How to read and interpret each field
- How these files work together
- Basic safety and integrity considerations
Details on creating users, managing passwords, and groups are handled in other chapters; here the focus is on the files themselves.
`/etc/passwd`: Basic User Database
Historically, /etc/passwd contained all user information, including hashed passwords. For security, modern systems store passwords in /etc/shadow instead, but /etc/passwd still holds core account data.
View it with:
cat /etc/passwd
Each line represents one account, with fields separated by colons (:):
username:x:UID:GID:gecos:home:shellExample line:
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bashField breakdown:
- Username
- Login name (e.g.
alice,root,www-data). - Must be unique on the system.
- Password placeholder
- Typically
xon modern systems, meaning “password is stored in/etc/shadow”. - Sometimes
!or*to indicate no login via password, depending on setup. - If you ever see an actual hashed password here, the system is using an old/unsafe configuration.
- UID (User ID)
- Numeric identifier for the user (e.g.
0,1000,1001). 0is alwaysroot.- Normal user accounts generally start at some distribution‑specific value (commonly
1000). - System/service accounts typically use low UIDs (e.g.
< 1000or< 500). - GID (Primary Group ID)
- Numeric ID of the user’s primary group.
- The name for this GID is looked up in
/etc/group(or other sources). - GECOS (Comment / User Info)
- Free‑form informational field, often containing:
- Full name
- Office number
- Phone numbers
- Fields are sometimes comma‑separated, e.g.
Alice Example,Room 42,555-0100, - Used by commands like
fingerorgetent passwd. - Home directory
- Path to the user’s home directory (e.g.
/home/alice,/root). - Used as the default directory on login.
- Login shell
- Path to the user’s default shell (e.g.
/bin/bash,/bin/zsh,/usr/sbin/nologin). - A non‑interactive shell like
/usr/sbin/nologinor/bin/falseeffectively disables interactive logins for that account.
Security and integrity notes for `/etc/passwd`
- World-readable:
-rw-r--r--by default, because many programs need to map UIDs to usernames. - Do not edit blindly:
- Malformed lines or duplicate UIDs/GIDs can break logins.
- Use tools like
vipwinstead of editing directly with a standard editor. - Backups: Systems often maintain
/etc/passwd-as a backup. You can also create manual backups before changes.
`/etc/shadow`: Secure Password and Aging Data
/etc/shadow holds password hashes and password aging information. It is designed to be only readable by root and specific system processes, to protect password hashes from normal users.
Viewable only with root privileges:
sudo cat /etc/shadow
Each line corresponds to a user in /etc/passwd:
username:password_hash:last_change:min:max:warn:inactive:expire:reservedExample:
alice:$y$j9T$8m...$...:19500:0:99999:7:::Field breakdown:
- Username
- Must match an entry in
/etc/passwd. - Password hash / flags
- Typically contains a hashed password with an identifier of the algorithm, e.g.:
$y$...(yescrypt)$6$...(SHA-512)$5$...(SHA-256)$1$...(MD5 – legacy, discouraged)- Special values:
!or*as the entire field: account cannot be used for password login.!prepended to a valid hash (e.g.!$6$...): password locked (cannot be used), but hash preserved.- Empty field: password is empty (login without password) – very insecure and generally a misconfiguration.
- Last password change (days since epoch)
- Days since 1 January 1970 (
Unix epoch) when the password was last changed. - Example:
19500means “19500 days after 1 Jan 1970”. 0often means the user must change the password at next login.- Minimum days between changes
- Minimum number of days before a user is allowed to change their password again.
0means no minimum; user can change the password at any time.- Maximum days password is valid
- Number of days after which the password expires and must be changed.
- Typical default:
99999(effectively “never expires” in practice). - A smaller value enforces regular password rotation.
- Warning period
- Number of days before password expiry that the user will start receiving warnings on login.
- Example:
7means warnings begin 7 days before expiry. - Inactive period after expiry
- Number of days after password expiry that the account remains usable (with forced change) before becoming fully disabled.
- Empty field or
-1often means “no automatic disable after expiry”. - Account expiration date (days since epoch)
- Days since 1 Jan 1970 when the account itself expires (not just the password).
- After this date, the user cannot log in at all.
- Empty means “no account expiry”.
- Reserved / unused
- Currently not used on many systems; kept for future expansion.
Security characteristics of `/etc/shadow`
- Permissions: Typically
-rw-------(mode600), ownerroot. - Key role: Compromise of
/etc/shadowallows offline password-cracking attacks; protect it strictly. - Management tools:
passwdandchagemodify this file; avoid editing manually.pwconv/pwunconv: migrate password data between/etc/passwdand/etc/shadow(shadow/non‑shadow mode).
`/etc/group`: Group Definitions
/etc/group is similar in structure to /etc/passwd, but for groups. It maps group names to GIDs and lists supplementary group members.
View it with:
cat /etc/groupEach line has this format:
group_name:password_placeholder:GID:member_listExample:
wheel:x:10:alice,bobField breakdown:
- Group name
- Human‑readable name (e.g.
users,wheel,docker). - Password placeholder
- Typically
xor*. - Historically used for “group passwords”; in modern systems it’s almost never used, and actual group passwords (if any) are in
/etc/gshadow. - GID (Group ID)
- Numeric identifier for this group.
- Must be unique across groups.
- Mapped from numeric to name by tools like
ls,id, etc. - Member list
- Comma‑separated list of supplementary members of this group, e.g.
alice,bob,charlie. - The user’s primary group membership is defined by the GID in
/etc/passwd, not here. - This list is used for additional memberships that give extra permissions (e.g. access to
docker,sudo,audio).
Notes on `/etc/group` usage
- World-readable: like
/etc/passwd, typically-rw-r--r--. - Supplementary vs primary group:
- Primary group: single GID from
/etc/passwd. - Supplementary groups: any groups listed here with the user in
member_list. - Editing tools:
- Use utilities such as
vigr(safe edit),groupadd,groupmod,gpasswd, etc., instead of manual editing where possible.
`/etc/gshadow`: Secure Group Information
/etc/gshadow is to groups what /etc/shadow is to users. It stores group passwords (rare in practice), administrators, and members in a more secure form.
Viewable with root privileges:
sudo cat /etc/gshadowEach line has the format:
group_name:password_hash:administrators:membersExample:
wheel:!::alice,bobField breakdown:
- Group name
- Must match a group in
/etc/group. - Password hash / flags
- If group passwords are enabled, this would contain their hashed value.
- Common values:
!or*: group password is disabled.- Empty: usually means no group password is set.
- Group passwords allow users to temporarily join a group by running
newgrp, but this is uncommon and generally discouraged for security and manageability reasons. - Administrators
- Comma‑separated list of group administrators.
- Admins can manage the group (e.g. add/remove members) via
gpasswd. - Members
- Comma‑separated list of group members.
- Overlaps conceptually with
/etc/group’smember_listfield; they should stay in sync.
Synchronization and management
/etc/groupand/etc/gshadowentries should match 1:1 for each group.- Tools such as
grpconv,grpunconv, andgpasswdhelp keep them consistent: grpconv: creates or updates/etc/gshadowfrom/etc/group.grpunconv: removes/etc/gshadowusage (not common or recommended).- Manual editing is possible but risky; prefer
vigr(which edits both group and gshadow carefully) or dedicated group management commands.
Interactions Between the Files
These four files work together:
- User identity and basic info:
/etc/passwd - User passwords and aging:
/etc/shadow - Group identity and membership:
/etc/group - Secure group data and admin info:
/etc/gshadow
Typical flows:
- On login:
- The system looks up the username in
/etc/passwd(and other configured sources). - It finds the UID, GID, home directory, and shell.
- It retrieves the hashed password from
/etc/shadowand verifies it. - When checking group memberships:
- Primary group via GID from
/etc/passwd→ name from/etc/group. - Supplementary groups via membership lists in
/etc/group(and possibly/etc/gshadow).
Name Service Switch (/etc/nsswitch.conf) controls whether these files are the only source of information, or whether they are combined with external sources (e.g. files ldap sss).
Best Practices and Safety
- Use dedicated tools:
vipw/vigrfor safe editing of passwd/group files.pwconv,grpconvto enable/maintain shadow use.- Standard account tools (
useradd,usermod,groupadd,gpasswd) instead of hand‑editing where possible. - Protect shadow files:
- Ensure
/etc/shadowand/etc/gshadoware owned by root and not world-readable. - Check permissions if you suspect misconfiguration.
- Check consistency (for troubleshooting):
- Ensure each user in
/etc/passwdhas a corresponding/etc/shadowentry (and vice versa). - Ensure each group in
/etc/grouphas a matching/etc/gshadowentry (if gshadow is used). - Look for duplicate UIDs or GIDs, malformed lines, or missing fields.
Understanding these user information files gives you the foundation needed to diagnose account problems, recover from misconfiguration, and safely manage users and groups at the file level.