The /etc/shadow File and The /etc/group File - Administration

The speed of home computers began making dictionary attacks against password lists easier for hackers to accomplish. This led to the separation of the encrypted passwords from the /etc/passwd file. The /etc/passwd file would remain readable by all users, but the passwords kept in the /etc/shadow file would be readable only by those programs with root privileges, such as the login program.

In addition to the encrypted password field, the /etc/shadow file contains information about password expiration and whether the account is disabled. The format of each line in the /etc/shadow file contains the following:

• Login name
• Encrypted password
• Days since January 1, 1970, that the password has been changed
• Days before the password may be changed
• Days after which the password must be changed
• Days before the password is about to expire that the user is warned
• Days after the password is expired that the account is disabled
• Days since January 1, 1970, that the account has been disabled
• Reserved field

Each user has a one-line entry with a colon delimiter. Here’s an example:

sshah:boQavhhaCKaXg:10750:0:99999:7:-1:-1:134529868

Entries with a -1 imply infinity. In the case where a -1 appears in the field indicating the number of days before a password expires, you are effectively tagging a user as never having to change their password.

The /etc/group File

As you know, each user belongs to at least one group, that being their default group. Users may then be assigned to additional groups if needed. The /etc/passwd file contains each user’s default GID. This GID is mapped to the group’s name and other members of the group in the /etc/group file. The format of each line in the /etc/group file is

• Group name
• Encrypted password for the group
• GID number
• Comma-separated list of member users

Again, each field is separated by a colon. An entry looks similar to this:

project:baHrE1KPNjrPE:102:sshah,hdc

Also like the /etc/passwd file, the group file must be world-readable so that applications can test for associations between users and groups. Group names should not exceed eight characters, and the GID should be unique for each group. Finally, the comma-separated list of users is used only for users for whom particular groups are not their default group.

If you want to include a group that does not have a password, you can set the entry like this:

project:baHrE1KPNjrPE:102:sshah,hdc

If you want a group to exist, but you don’t want to allow anyone to change their working group to this group (good for applications that need their own group but no valid reason exists for a user to be working inside that group), use an asterisk in the password field. For example:

project:*:102:

Progress Check

1. What file does BASH use to read a user’s settings?
2. Is the password stored in clear text in /etc/passwd?

Answer 1. ~/.bashrc
Answer 2. No, it is stored encrypted in either DES or MD5.