Managing Users Part 1 - The /etc/shadow File and The /etc/group File
As home computers became faster, dictionary attacks against password lists became easier for hackers to carry out. This led to the separation of the encrypted passwords from the /etc/passwd file. The /etc/passwd file would remain readable by all users, but the passwords kept in the /etc/shadow file would be readable only by those programs with root privileges, such as the login program.
In addition to the encrypted password field, the /etc/shadow file contains information about password expiration and whether the account is disabled. Each line in the /etc/shadow file contains the following fields:
- Login name
- Encrypted password
- Days since January 1, 1970, that the password was last changed
- Days before the password may be changed
- Days after which the password must be changed
- Days before the password expires that the user is warned
- Days after the password is expired that the account is disabled
- Days since January 1, 1970, that the account has been disabled
- Reserved field
Each user has a one-line entry with a colon delimiter. Here’s an example:
sshah:boQavhhaCKaXg:10750:0:99999:7:-1:-1:134529868
Entries with a -1 imply infinity. In the case where a -1 appears in the field indicating the number of days before a password expires, you are effectively tagging a user as never having to change their password.
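The field list and the -1 rule above, as an added example that is not from the book: a Python parser that names the nine fields, converts the day counts into calendar dates, and classifies the password field by its shape. The function names, the constructed `alice` entry and the treatment of a leading `!` as a locked entry are assumptions of this example.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("login", "password", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "disabled_on", "reserved")

def parse_shadow_line(line):
    """Split one shadow entry into named fields; -1 or empty means 'no limit'."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for name in FIELDS[2:8]:                 # the six day-count fields
        raw = entry[name]
        entry[name] = None if raw in ("", "-1") else int(raw)
    return entry

def hash_scheme(password):
    """Classify the password field by its shape only."""
    if password == "":
        return "empty"                       # no password set at all
    if password[0] in "*!":
        return "locked"                      # assumption: '!' treated like '*'
    if password.startswith("$1$"):
        return "md5-crypt"
    if len(password) == 13:
        return "des-crypt"                   # traditional 13-character crypt
    return "other"

def timeline(entry):
    """Turn the day counts into calendar dates (None where no limit applies)."""
    def plus(start, days):
        return None if start is None or days is None else start + timedelta(days=days)
    changed = plus(EPOCH, entry["last_change"])
    must_change = plus(changed, entry["max_days"])
    warn = entry["warn_days"]
    return {"changed": changed,
            "may_change": plus(changed, entry["min_days"]),
            "must_change": must_change,
            "warn_from": plus(must_change, None if warn is None else -warn),
            "disabled_after_expiry": plus(must_change, entry["inactive_days"]),
            "account_disabled": plus(EPOCH, entry["disabled_on"])}

if __name__ == "__main__":
    # First line is the entry shown above; the second is constructed for this example.
    for line in ("sshah:boQavhhaCKaXg:10750:0:99999:7:-1:-1:134529868",
                 "alice:$1$constructed$notarealhash:19000:1:90:7:14:-1:"):
        e = parse_shadow_line(line)
        print(e["login"], hash_scheme(e["password"]), timeline(e))
```

Run against a copy of a real shadow file, the `hash_scheme` result is a quick way to list accounts with an empty password field or one of the older hash formats.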
The /etc/group File
As you know, each user belongs to at least one group, that being their default group. Users may then be assigned to additional groups if needed. The /etc/passwd file contains each user’s default GID. This GID is mapped to the group’s name and other members of the group in the /etc/group file. The format of each line in the /etc/group file is
- Group name
- Encrypted password for the group
- GID number
- Comma-separated list of member users
Again, each field is separated by a colon. An entry looks similar to this:
project:baHrE1KPNjrPE:102:sshah,hdc
Also like the /etc/passwd file, the group file must be world-readable so that applications can test for associations between users and groups. Group names should not exceed eight characters, and the GID should be unique for each group. Finally, the comma-separated list of users needs to name only those users for whom the group is not their default group.
If you want to include a group that does not have a password, you can set the entry like this:
project::102:sshah,hdc
If you want a group to exist, but you don’t want to allow anyone to change their working group to this group (good for applications that need their own group but no valid reason exists for a user to be working inside that group), use an asterisk in the password field. For example:
project:*:102:
Progress Check
1. What file does BASH use to read a user’s settings?
2. Is the password stored in clear text in /etc/passwd?
Answer 1. ~/.bashrc
Answer 2. No, it is stored encrypted in either DES or MD5.
This chapter is from Linux Administration, A Beginner's Guide, third edition, by Graham and Shah. (McGraw-Hill/Osborne, 2002, ISBN: 0072225629).