Commit | Line | Data |
---|---|---|
3d54a910 MK |
1 | .\" Copyright (c) 1993 Michael Haardt (michael@moria.de), |
2 | .\" Fri Apr 2 11:32:09 MET DST 1993 | |
fea681da | 3 | .\" |
1dd72f9c | 4 | .\" %%%LICENSE_START(GPLv2+_DOC_FULL) |
fea681da MK |
5 | .\" This is free documentation; you can redistribute it and/or |
6 | .\" modify it under the terms of the GNU General Public License as | |
7 | .\" published by the Free Software Foundation; either version 2 of | |
8 | .\" the License, or (at your option) any later version. | |
9 | .\" | |
10 | .\" The GNU General Public License's references to "object code" | |
11 | .\" and "executables" are to be interpreted as the output of any | |
12 | .\" document formatting or typesetting system, including | |
13 | .\" intermediate and printed output. | |
14 | .\" | |
15 | .\" This manual is distributed in the hope that it will be useful, | |
16 | .\" but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | .\" GNU General Public License for more details. | |
19 | .\" | |
20 | .\" You should have received a copy of the GNU General Public | |
c715f741 MK |
21 | .\" License along with this manual; if not, see |
22 | .\" <http://www.gnu.org/licenses/>. | |
6a8d8745 | 23 | .\" %%%LICENSE_END |
fea681da MK |
24 | .\" |
25 | .\" Modified Sun Jul 25 10:46:28 1993 by Rik Faith (faith@cs.unc.edu) | |
26 | .\" Modified Sun Aug 21 18:12:27 1994 by Rik Faith (faith@cs.unc.edu) | |
27 | .\" Modified Sun Jun 18 01:53:57 1995 by Andries Brouwer (aeb@cwi.nl) | |
28 | .\" Modified Mon Jan 5 20:24:40 MET 1998 by Michael Haardt | |
29 | .\" (michael@cantor.informatik.rwth-aachen.de) | |
09b8afdc | 30 | .TH PASSWD 5 2018-04-30 "Linux" "Linux Programmer's Manual" |
fea681da MK |
31 | .SH NAME |
32 | passwd \- password file | |
33 | .SH DESCRIPTION | |
df0c9b98 MK |
34 | The |
35 | .IR /etc/passwd | |
36 | file is a text file that describes user login accounts for the system. | |
37 | It should have read permission allowed for all users (many utilities, like | |
fea681da | 38 | .BR ls (1) |
18701562 | 39 | use it to map user IDs to usernames), but write access only for the |
fea681da MK |
40 | superuser. |
41 | .PP | |
42 | In the good old days there was no great problem with this general | |
c13182ef MK |
43 | read permission. |
44 | Everybody could read the encrypted passwords, but the | |
df0c9b98 | 45 | hardware was too slow to crack a well-chosen password, and moreover the |
c13182ef MK |
46 | basic assumption used to be that of a friendly user-community. |
47 | These days many people run some version of the shadow password suite, where | |
fea681da | 48 | .I /etc/passwd |
c1b273fc | 49 | has an \(aqx\(aq character in the password field, |
30f7100e | 50 | and the encrypted passwords are in |
df0c9b98 | 51 | .IR /etc/shadow , |
fea681da MK |
52 | which is readable by the superuser only. |
53 | .PP | |
c3e1cb40 MK |
54 | If the encrypted password, whether in |
55 | .I /etc/passwd | |
56 | or in | |
57 | .IR /etc/shadow , | |
58 | is an empty string, login is allowed without even asking for a password. | |
59 | Note that this functionality may be intentionally disabled in applications, | |
60 | or configurable (for example using the "nullok" or "nonull" arguments to | |
61 | pam_unix.so). | |
62 | .PP | |
63 | If the encrypted password in | |
64 | .I /etc/passwd | |
65 | is "\fI*NP*\fP" (without the quotes), | |
66 | the shadow record should be obtained from an NIS+ server. | |
67 | .PP | |
df0c9b98 | 68 | Regardless of whether shadow passwords are used, many system administrators |
156f55f6 | 69 | use an asterisk (*) in the encrypted password field to make sure |
fea681da | 70 | that this user cannot authenticate him- or herself using a |
6387216b | 71 | password. |
df0c9b98 | 72 | (But see NOTES below.) |
fea681da | 73 | .PP |
156f55f6 | 74 | If you create a new login, first put an asterisk (*) in the password field, |
fea681da MK |
75 | then use |
76 | .BR passwd (1) | |
77 | to set it. | |
78 | .PP | |
60017fa5 MK |
79 | Each line of the file describes a single user, |
80 | and contains seven colon-separated fields: | |
bdd915e2 MK |
81 | .PP |
82 | .in +4n | |
83 | .EX | |
60017fa5 | 84 | name:password:UID:GID:GECOS:directory:shell |
bdd915e2 MK |
85 | .EE |
86 | .in | |
87 | .PP | |
df0c9b98 | 88 | The fields are as follows: |
f03743fd | 89 | .TP 12 |
60017fa5 MK |
90 | .I name |
91 | This is the user's login name. | |
c13182ef | 92 | It should not contain capital letters. |
fea681da MK |
93 | .TP |
94 | .I password | |
60017fa5 MK |
95 | This is either the encrypted user password, |
96 | an asterisk (*), or the letter \(aqx\(aq. | |
30f7100e MK |
97 | (See |
98 | .BR pwconv (8) | |
f81fb444 | 99 | for an explanation of \(aqx\(aq.) |
fea681da MK |
100 | .TP |
101 | .I UID | |
60017fa5 MK |
102 | The privileged |
103 | .I root | |
104 | login account (superuser) has the user ID 0. | |
fea681da MK |
105 | .TP |
106 | .I GID | |
60017fa5 MK |
107 | This is the numeric primary group ID for this user. |
108 | (Additional groups for the user are defined in the system group file; see | |
109 | .BR group (5)). | |
fea681da MK |
110 | .TP |
111 | .I GECOS | |
60017fa5 MK |
112 | This field (sometimes called the "comment field") |
113 | is optional and used only for informational purposes. | |
18701562 | 114 | Usually, it contains the full username. |
60017fa5 MK |
115 | Some programs (for example, |
116 | .BR finger (1)) | |
117 | display information from this field. | |
118 | .IP | |
df0c9b98 MK |
119 | GECOS stands for "General Electric Comprehensive Operating System", |
120 | which was renamed to GCOS when | |
c13182ef MK |
121 | GE's large systems division was sold to Honeywell. |
122 | Dennis Ritchie has reported: "Sometimes we sent printer output or | |
123 | batch jobs to the GCOS machine. | |
124 | The gcos field in the password file was a place to stash the | |
125 | information for the $IDENTcard. | |
126 | Not elegant." | |
fea681da MK |
127 | .TP |
128 | .I directory | |
60017fa5 MK |
129 | This is the user's home directory: |
130 | the initial directory where the user is placed after logging in. | |
131 | The value in this field is used to set the | |
132 | .B HOME | |
133 | environment variable. | |
fea681da MK |
134 | .TP |
135 | .I shell | |
60017fa5 | 136 | This is the program to run at login (if empty, use |
8478ee02 | 137 | .IR /bin/sh ). |
f74bac5d | 138 | If set to a nonexistent executable, the user will be unable to log in |
fea681da MK |
139 | through |
140 | .BR login (1). | |
60017fa5 MK |
141 | The value in this field is used to set the |
142 | .B SHELL | |
143 | environment variable. | |
2b2581ee MK |
144 | .SH FILES |
145 | .I /etc/passwd | |
19c98696 | 146 | .SH NOTES |
df0c9b98 MK |
147 | If you want to create user groups, there must be an entry in |
148 | .IR /etc/group , | |
149 | or no group will exist. | |
fea681da | 150 | .PP |
156f55f6 | 151 | If the encrypted password is set to an asterisk (*), the user will be unable |
fea681da MK |
152 | to log in using |
153 | .BR login (1), | |
154 | but may still log in using | |
155 | .BR rlogin (1), | |
156 | run existing processes and initiate new ones through | |
157 | .BR rsh (1), | |
49ec013c | 158 | .BR cron (8), |
fea681da | 159 | .BR at (1), |
c13182ef MK |
160 | or mail filters, etc. |
161 | Trying to lock an account by simply changing the | |
fea681da MK |
162 | shell field yields the same result and additionally allows the use of |
163 | .BR su (1). | |
47297adb | 164 | .SH SEE ALSO |
64f7f61e MK |
165 | .BR chfn (1), |
166 | .BR chsh (1), | |
fea681da MK |
167 | .BR login (1), |
168 | .BR passwd (1), | |
169 | .BR su (1), | |
0ec954ee | 170 | .BR crypt (3), |
b22e49b8 MK |
171 | .BR getpwent (3), |
172 | .BR getpwnam (3), | |
fea681da | 173 | .BR group (5), |
a77696ad MK |
174 | .BR shadow (5), |
175 | .BR vipw (8) |
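
Added example (not part of the man page or of the man-pages project): a Python audit of the seven-field format described above, flagging the password-field cases the page distinguishes (empty string, asterisk, anything other than the named markers) along with malformed lines, capitalised names and additional UID 0 accounts. The sample lines, account names and finding labels are constructed for illustration.

```python
# Constructed sample data; not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
guest::1001:1001::/home/guest:
svc:*:998:998:service:/var/lib/svc:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
Legacy:ab1cD2eF3gH4i:1002:1002::/home/legacy:/bin/sh
broken:x:1003
"""

MARKERS = {"x", "*", "*NP*"}  # non-hash values named in passwd(5)


def parse_line(line):
    """Split one passwd(5) line into its seven colon-separated fields."""
    parts = line.split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}")
    name, password, uid, gid, gecos, directory, shell = parts
    return {"name": name, "password": password, "uid": int(uid),
            "gid": int(gid), "gecos": gecos, "directory": directory,
            "shell": shell or "/bin/sh"}  # empty shell means /bin/sh


def audit(text):
    """Return (line_number, name, finding) tuples for risky entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        try:
            e = parse_line(line)
        except ValueError:  # wrong field count or non-numeric UID/GID
            findings.append((lineno, line.split(":")[0], "malformed"))
            continue
        if e["password"] == "":
            findings.append((lineno, e["name"], "empty-password"))
        elif e["password"] == "*":
            # Blocks password login only; see NOTES for what still works.
            findings.append((lineno, e["name"], "star-locked"))
        elif e["password"] not in MARKERS:
            findings.append((lineno, e["name"], "possible-hash-in-passwd"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((lineno, e["name"], "extra-uid0"))
        if e["name"] != e["name"].lower():
            findings.append((lineno, e["name"], "uppercase-name"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Whether an `empty-password` entry actually permits login depends on the authenticating application, for example the "nullok" setting of pam_unix.so mentioned in the DESCRIPTION.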