Home arrow Site Administration arrow Page 5 - Managing Users Part 1

The /etc/shadow File and The /etc/group File - Administration

This first part of chapter 5 "Module 5: Managing Users" covers understanding user properties and user databases. It also examines the technique of managing users for a single host. It starts by exploring the actual database files that contain information about users and moves on to the system tools available to manage the files automatically. (from the book Linux Administration, A Beginner's Guide, third edition by Steven Graham and Steve Shah, McGraw-Hill/Osborne, ISBN:0072225629, 2002).

  1. Managing Users Part 1
  2. Critical Skill 1 - Understand User Properites
  3. Shells, Startup Scripts and Mail
  4. Critical Skill 2 - Understand the User Databases
  5. The /etc/shadow File and The /etc/group File
By: McGraw-Hill/Osborne
Rating: starstarstarstarstar / 7
June 23, 2004

print this article



The speed of home computers began making dictionary attacks against password lists easier for hackers to accomplish. This led to the separation of the encrypted passwords from the /etc/passwd file. The /etc/passwd file would remain readable by all users, but the passwords kept in the /etc/shadow file would be readable only by those programs with root privileges, such as the login program.

In addition to the encrypted password field, the /etc/shadow file contains information about password expiration and whether the account is disabled. The format of each line in the /etc/shadow file contains the following:

  • Login name
  • Encrypted password
  • Days since January 1, 1970, that the password has been changed
  • Days before the password may be changed
  • Days after which the password must be changed
  • Days before the password is about to expire that the user is warned
  • Days after the password is expired that the account is disabled
  • Days since January 1, 1970, that the account has been disabled
  • Reserved field

Each user has a one-line entry with a colon delimiter. Hereís an example:


Entries with a -1 imply infinity. In the case where a -1 appears in the field indicating the number of days before a password expires, you are effectively tagging a user as never having to change their password.

The /etc/group File

As you know, each user belongs to at least one group, that being their default group. Users may then be assigned to additional groups if needed. The /etc/passwd file contains each userís default GID. This GID is mapped to the groupís name and other members of the group in the /etc/group file. The format of each line in the /etc/group file is

  • Group name
  • Encrypted password for the group
  • GID number
  • Comma-separated list of member users

Again, each field is separated by a colon. An entry looks similar to this:


Also like the /etc/passwd file, the group file must be world-readable so that applications can test for associations between users and groups. Group names should not exceed eight characters, and the GID should be unique for each group. Finally, the comma-separated list of users is used only for users for whom particular groups are not their default group.

If you want to include a group that does not have a password, you can set the entry like this:


If you want a group to exist, but you donít want to allow anyone to change their working group to this group (good for applications that need their own group but no valid reason exists for a user to be working inside that group), use an asterisk in the password field. For example:


Progress Check

1. What file does BASH use to read a userís settings?
2. Is the password stored in clear text in /etc/passwd?

Answer 1. ~/.bashrc
Answer 2. No, it is stored encrypted in either DES or MD5.

This chapter is from Linux Administration, A Beginner's Guide, third edition, by Graham and Shah. (McGraw-Hill/Osborne, 2002, ISBN: 0072225629). Check it out at your favorite bookstore today. Buy this book now.

>>> More Site Administration Articles          >>> More By McGraw-Hill/Osborne

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Coding: Not Just for Developers
- To Support or Not Support IE?
- Administration: Networking OSX and Win 7
- DotNetNuke Gets Social
- Integrating MailChimp with Joomla: Creating ...
- Integrating MailChimp with Joomla: List Mana...
- Integrating MailChimp with Joomla: Building ...
- Integrating MailChimp with Joomla
- More Top WordPress Plugins for Social Media
- Optimizing Security: SSH Public Key Authenti...
- Patches and Rejects in Software Configuratio...
- Configuring a CVS Server
- Managing Code and Teams for Cross-Platform S...
- Software Configuration Management
- Back Up a Joomla Site with Akeeba Backup

Developer Shed Affiliates


Dev Shed Tutorial Topics: