Part 1: User Accounts
There are several text files in the /etc directory that contain the account data of the users and groups that are defined on the system. For example, if you want to see whether a specific user account has been defined on the system, the place to check is the /etc/passwd file.

The /etc/passwd file defines some of the account information for user accounts. Oddly enough, the passwords for the accounts are not stored in the /etc/passwd file, as the file name implies, but rather in the /etc/shadow file.
1. /etc/passwd File
Each line of the /etc/passwd file relates to a user account. The following graphic shows the first ten lines of a typical /etc/passwd file:
Each line is separated into fields by colon characters. The fields from left to right are as follows:
name:password placeholder:user id:primary group id:comment:home directory:shell
The following table describes each of these fields in detail, using the first line of the output of the previous graphic (root:x:0:0:root:/root:/bin/bash):
Field | Example | Description |
---|---|---|
name | root | This is the name of the account. This name is used by the person when they log in to the system and when file ownership is shown with the ls -l command. Typically, the system uses the user ID (see below) internally, and the account name is provided to make it easier for regular users to refer to the account. The root account is normally a special administrative account. However, it is important to note that not all systems have a root account and that it is really the user ID of 0 (zero) that provides administrative privileges on the system. |
password placeholder | x | At one time, the password for the user was actually stored in this location, but now it is stored in the /etc/shadow file. The x in the password placeholder field indicates to the system that the password is not stored here, but rather in the /etc/shadow file. |
user id | 0 | Each account is assigned a user ID (UID). The UID is what really defines the account, as the user name is normally not directly used by the system. For example, files are owned by UIDs, not by user names. Some UIDs are special. For example, the UID of 0 provides that user account with administrative privileges. UIDs below 500 (on some Linux distributions 1,000) are reserved for system accounts. System accounts will be covered in more detail later in this chapter. |
primary group id | 0 | Each file and directory is owned by a user account. Normally the person who creates the file owns the file. In addition, each file is owned by a group, normally the user's primary group. Groups are assigned numeric IDs just like users are. When a user creates a file, the file is owned by the user's UID and also by a group ID (GID), the user's primary GID. This field defines which GID is the user's primary GID. Besides providing default group ownership on a file, this field also indicates that the user is a member of the group, which means the user will have special permissions on any file that is owned by this group. Permissions will be covered in detail in a later chapter. |
comment | root | This field can contain any information about the user, including their real (full) name and other useful information. This field is also called the GECOS (General Electric Comprehensive Operating System) field. GECOS is a rarely used predefined format for this field that defines a comma-separated list of items, including the user's full name, office location, phone number and additional information. An administrator can modify GECOS information with the |
home directory | /root | This field defines the location of the user's home directory. For regular users, this would normally be /home/username, where username is replaced with the user's username. For example, a username of bob would have a home directory of /home/bob. The root user normally has a different place for the home directory (/root in the example above). System accounts rarely have home directories as they typically are not used to create or store files. |
shell | /bin/bash | This is the location of the user's login shell. By default, the user is "placed in" this shell whenever the user logs into a command line environment or opens a terminal window. The user could then switch to a different shell by typing the name of the shell, for example: /bin/tcsh. The bash shell ( |
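The field layout in the table above, parsed and checked in code. This is an added example, not part of the course material: the sample lines are constructed in the /etc/passwd format (not copied from a real host), and the "toor" entry exists only to show that UID 0, not the name "root", is what carries administrative rights.

```python
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

# Constructed sample in the /etc/passwd layout described above (not taken from a real host).
# "toor" is included only to show that UID 0, not the name "root", grants admin rights.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadmin:x:1000:1000:System Administrator,Room 101,555-0100,:/home/sysadmin:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
"""

SYSTEM_UID_LIMIT = 1000  # 500 on some distributions, as the table notes


def parse_passwd(text):
    """Split each line into the seven colon-separated fields; GECOS is split on commas."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        rec = dict(zip(PASSWD_FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        rec["gecos"] = rec["gecos"].split(",")  # full name, office, phone, other
        entries.append(rec)
    return entries


def is_system_account(rec, limit=SYSTEM_UID_LIMIT):
    """UIDs below the limit are reserved for system accounts."""
    return rec["uid"] < limit


def admin_accounts(entries):
    """Every account with UID 0 has administrative privileges, whatever its name."""
    return [r["name"] for r in entries if r["uid"] == 0]


def unshadowed_accounts(entries):
    """An 'x' placeholder means the hash lives in /etc/shadow; anything else deserves a look."""
    return [r["name"] for r in entries if r["password"] != "x"]


if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    print("UID 0 accounts:", admin_accounts(users))
    print("system accounts:", [u["name"] for u in users if is_system_account(u)])
```

Run against a real file with `parse_passwd(open("/etc/passwd").read())`; more than one name in `admin_accounts` is worth explaining.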
Note that while this chapter describes the contents of the user and group files, the next chapter will describe the commands and tools used to modify user and group account information.
2. /etc/shadow File
As previously mentioned, the /etc/shadow file contains account information related to the user's password. A typical /etc/shadow file would look like the following graphic:

The fields of the /etc/shadow file are:

name:password:last change:min:max:warn:inactive:expire:reserved

The following table describes the fields of the /etc/shadow file in more detail, using the following entry for a typical user account:

sysadmin:$6$lS6WJ9O/fNmEzrIi$kO9NKRBjLJJTlZD.L1Dc2xwcuUYaYwCTS.gt4elijSQW8ZDp6GLYAx.TRNNpUdAgUXUrzDuAPsYs5YHZNAorI1:15020:5:30:7:60:15050:
Field | Example | Description |
---|---|---|
name | sysadmin | This is the name of the account, which matches the account name in the /etc/passwd file. |
password | $6$.........rI1 | The password field contains the encrypted (hashed) password for the account. This very long string (truncated in the Example column) is produced by one-way encryption, meaning that it can't be "reversed" to determine the original password. While regular users have encrypted passwords in this field, system accounts will have an * character in this field. See more details about system accounts later in this chapter. |
last change | 15020 | This field contains a number that represents the last time the password was changed. The number 15020 is the number of days between January 1, 1970 (called the Epoch) and the last day the account password was changed. This value is automatically generated when the user's password is modified. This value is important as it is used by the password aging features provided by the rest of the fields of this file. |
min | 5 | This is one of the password aging fields; a non-zero value in this field indicates that after a user changes their password, the password can't be changed again for the specified number of days (5 days in this example). This field is important when the max field is used (see below). A value of zero in this field means the user can always change their password. |
max | 30 | This field is used to force users to change their passwords on a regular basis. A value of 30 in this field means the user must change their password at least every 30 days to avoid having their account "locked out". Note that if the min field is set to 0, the user may be able to immediately set their password back to the original value, defeating the purpose of forcing the user to change their password every 30 days. So, if the max field is set, the min field is normally set as well. For example, a min:max of 5:60 means the user must change their password every 60 days and, after changing, the user must wait 5 days before they can change their password again. If the max field is set to 99999, the maximum possible value, then the user essentially never has to change their password (because 99999 days is approximately 274 years). |
warn | 7 | If the max field is set, the warn field indicates that the user will be "warned" when the max timeframe is approaching. For example, if warn is set to 7, then any time during the 7 days before the max timeframe is reached, the user will be warned to change their password during the login process. The user is only warned at login, so some administrators have taken the approach of setting the warn field to a higher value to provide a greater chance of having a warning issued. If the max timeframe is set to 99999, then the warn field is essentially useless. |
inactive | 60 | If the user ignores the warnings and exceeds the max password timeframe, their account will be locked out. In that case, the inactive field provides the user with a "grace" period in which their password can be changed, but only during the login process. If the inactive field is set to 60, the user has 60 grace days to change to a new password. If they fail to do so, then the administrator would be needed to reset the password for the user. |
expire | 15050 | This field represents the number of days between January 1, 1970 and the day the account will "expire". An expired account will be locked, not deleted, meaning the administrator can reset the password to unlock the account. Accounts with expiration dates are normally provided to temporary employees or contractors. The account will automatically expire after the user's last day of work. When an administrator sets this field, a tool is used to convert from a real date to an "Epoch" date. There are also several free converters available on the Internet. |
reserved | | Currently not used; this field is reserved for future use. |
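The aging rules in the table above (max, warn, inactive and expire, all counted in days since the Epoch), worked through in code. This is an added example, not course material: the sample /etc/shadow lines are constructed with placeholder hashes; the sysadmin line reuses the page's aging values and bob is the same without an expire date, so the grace period can be seen.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow day counts are days since this date
SHADOW_FIELDS = ("name", "password", "last_change", "min", "max", "warn", "inactive", "expire", "reserved")

# Constructed sample /etc/shadow content with placeholder hashes; sysadmin reuses the page's aging values.
SHADOW_SAMPLE = """\
root:$6$PLACEHOLDER:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
sysadmin:$6$PLACEHOLDER:15020:5:30:7:60:15050:
bob:$6$PLACEHOLDER:15020:5:30:7:60::
"""

def parse_shadow(text):
    """Split each line into the nine colon-separated fields; empty numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(SHADOW_FIELDS):
            raise ValueError(f"malformed shadow line: {line!r}")
        rec = dict(zip(SHADOW_FIELDS, parts))
        for key in ("last_change", "min", "max", "warn", "inactive", "expire"):
            rec[key] = int(rec[key]) if rec[key] else None
        entries[rec["name"]] = rec
    return entries

def days_to_date(days):
    """Convert a shadow day count such as 15020 into a calendar date."""
    return EPOCH + timedelta(days=days)

def password_status(rec, today):
    """Classify an entry on a given day (days since the Epoch) using the aging rules in the table."""
    if rec["password"] == "*" or rec["password"].startswith("!"):  # '*' per the table; '!' marks a locked hash
        return "locked (no usable password)"
    if rec["expire"] is not None and today >= rec["expire"]:
        return "account expired"
    if rec["last_change"] is None or rec["max"] is None or rec["max"] >= 99999:
        return "ok (no password aging)"
    age = today - rec["last_change"]
    if age > rec["max"]:  # past max: grace period from the inactive field, then locked
        return "password expired, in grace period" if age <= rec["max"] + (rec["inactive"] or 0) else "password expired, locked"
    if rec["warn"] and age >= rec["max"] - rec["warn"]:
        return "warning, change soon"
    return "ok"

def can_change_password(rec, today):
    """The min field blocks another change until that many days have passed since the last one."""
    return rec["last_change"] is None or rec["min"] is None or today - rec["last_change"] >= rec["min"]
```

Pass `(date.today() - EPOCH).days` as `today` to evaluate a real entry for the current day.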
Regular users can't view the contents of the /etc/shadow file for security reasons. In order to view the contents of this file, you must log in as the administrator (the root account).
3. Viewing Account Information
A good way to view account information from the /etc/passwd file is to use the grep command to output just the line containing the account that you are interested in. For example, to see the account information for the user named "sysadmin", use the grep sysadmin /etc/passwd command:
Another technique for retrieving user information that is normally contained in the /etc/passwd and /etc/shadow files is to use the getent command. One advantage of using the getent command is that it can retrieve account information that is defined locally (/etc/passwd and /etc/shadow) or on a network directory server.

The general syntax of a getent command is: getent database record. For example, the getent passwd sysadmin command would retrieve the passwd account information for the sysadmin user:
4. Viewing Login
When you log into different user accounts, it can be confusing as to who you are currently logged in as. To verify your identity (view whose account you are currently using), you can execute the id command.

The id command will report the current identity, both by user name and user ID. In addition to providing the user account information, the group membership is also displayed. With no argument, the id command will display your identity. Given a user name as an argument, such as id root, the command will display that account's information:

The output includes the Security Enhanced Linux context (the context= part of the output), a topic which is beyond the scope of this course.