The /etc/shadow File and The /etc/group File - Administration
This first part of chapter 5 "Module 5: Managing Users" covers understanding user properties and user databases. It also examines the technique of managing users for a single host. It starts by exploring the actual database files that contain information about users and moves on to the system tools available to manage the files automatically. (from the book Linux Administration, A Beginner's Guide, third edition by Steven Graham and Steve Shah, McGraw-Hill/Osborne, ISBN:0072225629, 2002).
The speed of home computers began making dictionary attacks against password lists easier for hackers to accomplish. This led to the separation of the encrypted passwords from the /etc/passwd file. The /etc/passwd file would remain readable by all users, but the passwords kept in the /etc/shadow file would be readable only by those programs with root privileges, such as the login program.
In addition to the encrypted password field, the /etc/shadow file contains information about password expiration and whether the account is disabled. The format of each line in the /etc/shadow file contains the following:
Days since January 1, 1970, that the password has been changed
Days before the password may be changed
Days after which the password must be changed
Days before the password is about to expire that the user is warned
Days after the password is expired that the account is disabled
Days since January 1, 1970, that the account has been disabled
Each user has a one-line entry with a colon delimiter. Hereís an example:
Entries with a -1 imply infinity. In the case where a -1 appears in the field indicating the number of days before a password expires, you are effectively tagging a user as never having to change their password.
The /etc/group File
As you know, each user belongs to at least one group, that being their default group. Users may then be assigned to additional groups if needed. The /etc/passwd file contains each userís default GID. This GID is mapped to the groupís name and other members of the group in the /etc/group file. The format of each line in the /etc/group file is
Encrypted password for the group
Comma-separated list of member users
Again, each field is separated by a colon. An entry looks similar to this:
Also like the /etc/passwd file, the group file must be world-readable so that applications can test for associations between users and groups. Group names should not exceed eight characters, and the GID should be unique for each group. Finally, the comma-separated list of users is used only for users for whom particular groups are not their default group.
If you want to include a group that does not have a password, you can set the entry like this:
If you want a group to exist, but you donít want to allow anyone to change their working group to this group (good for applications that need their own group but no valid reason exists for a user to be working inside that group), use an asterisk in the password field. For example:
1. What file does BASH use to read a userís settings? 2. Is the password stored in clear text in /etc/passwd?
Answer 1. ~/.bashrc Answer 2. No, it is stored encrypted in either DES or MD5.
This chapter is from Linux Administration, A Beginner's Guide, third edition, by Graham and Shah. (McGraw-Hill/Osborne, 2002, ISBN: 0072225629). Check it out at your favorite bookstore today. Buy this book now.