Commit | Line | Data |
---|---|---|
3d54a910 MK |
1 | .\" Copyright (c) 1993 Michael Haardt (michael@moria.de), |
2 | .\" Fri Apr 2 11:32:09 MET DST 1993 | |
fea681da | 3 | .\" |
e4a74ca8 | 4 | .\" SPDX-License-Identifier: GPL-2.0-or-later |
fea681da MK |
5 | .\" |
6 | .\" Modified Sun Jul 25 10:46:28 1993 by Rik Faith (faith@cs.unc.edu) | |
7 | .\" Modified Sun Aug 21 18:12:27 1994 by Rik Faith (faith@cs.unc.edu) | |
8 | .\" Modified Sun Jun 18 01:53:57 1995 by Andries Brouwer (aeb@cwi.nl) | |
9 | .\" Modified Mon Jan 5 20:24:40 MET 1998 by Michael Haardt | |
10 | .\" (michael@cantor.informatik.rwth-aachen.de) | |
09b8afdc | 11 | .TH PASSWD 5 2018-04-30 "Linux" "Linux Programmer's Manual" |
fea681da MK |
12 | .SH NAME |
13 | passwd \- password file | |
14 | .SH DESCRIPTION | |
df0c9b98 | 15 | The |
1ae6b2c7 | 16 | .I /etc/passwd |
df0c9b98 MK |
17 | file is a text file that describes user login accounts for the system. |
18 | It should have read permission allowed for all users (many utilities, like | |
fea681da | 19 | .BR ls (1) |
18701562 | 20 | use it to map user IDs to usernames), but write access only for the |
fea681da MK |
21 | superuser. |
22 | .PP | |
23 | In the good old days there was no great problem with this general | |
c13182ef MK |
24 | read permission. |
25 | Everybody could read the encrypted passwords, but the | |
df0c9b98 | 26 | hardware was too slow to crack a well-chosen password, and moreover the |
c13182ef MK |
27 | basic assumption used to be that of a friendly user-community. |
28 | These days many people run some version of the shadow password suite, where | |
fea681da | 29 | .I /etc/passwd |
c1b273fc | 30 | has an \(aqx\(aq character in the password field, |
30f7100e | 31 | and the encrypted passwords are in |
df0c9b98 | 32 | .IR /etc/shadow , |
fea681da MK |
33 | which is readable by the superuser only. |
34 | .PP | |
c3e1cb40 MK |
35 | If the encrypted password, whether in |
36 | .I /etc/passwd | |
37 | or in | |
38 | .IR /etc/shadow , | |
39 | is an empty string, login is allowed without even asking for a password. | |
40 | Note that this functionality may be intentionally disabled in applications, | |
41 | or configurable (for example using the "nullok" or "nonull" arguments to | |
42 | pam_unix.so). | |
43 | .PP | |
44 | If the encrypted password in | |
45 | .I /etc/passwd | |
46 | is "\fI*NP*\fP" (without the quotes), | |
47 | the shadow record should be obtained from an NIS+ server. | |
48 | .PP | |
df0c9b98 | 49 | Regardless of whether shadow passwords are used, many system administrators |
156f55f6 | 50 | use an asterisk (*) in the encrypted password field to make sure |
60ae21db | 51 | that this user can not authenticate themself using a |
6387216b | 52 | password. |
df0c9b98 | 53 | (But see NOTES below.) |
fea681da | 54 | .PP |
156f55f6 | 55 | If you create a new login, first put an asterisk (*) in the password field, |
fea681da MK |
56 | then use |
57 | .BR passwd (1) | |
58 | to set it. | |
59 | .PP | |
60017fa5 MK |
60 | Each line of the file describes a single user, |
61 | and contains seven colon-separated fields: | |
bdd915e2 MK |
62 | .PP |
63 | .in +4n | |
64 | .EX | |
60017fa5 | 65 | name:password:UID:GID:GECOS:directory:shell |
bdd915e2 MK |
66 | .EE |
67 | .in | |
68 | .PP | |
df0c9b98 | 69 | The fields are as follows: |
f03743fd | 70 | .TP 12 |
60017fa5 MK |
71 | .I name |
72 | This is the user's login name. | |
c13182ef | 73 | It should not contain capital letters. |
fea681da MK |
74 | .TP |
75 | .I password | |
60017fa5 MK |
76 | This is either the encrypted user password, |
77 | an asterisk (*), or the letter \(aqx\(aq. | |
30f7100e MK |
78 | (See |
79 | .BR pwconv (8) | |
f81fb444 | 80 | for an explanation of \(aqx\(aq.) |
fea681da MK |
81 | .TP |
82 | .I UID | |
60017fa5 MK |
83 | The privileged |
84 | .I root | |
85 | login account (superuser) has the user ID 0. | |
fea681da MK |
86 | .TP |
87 | .I GID | |
60017fa5 MK |
88 | This is the numeric primary group ID for this user. |
89 | (Additional groups for the user are defined in the system group file; see | |
90 | .BR group (5)). | |
fea681da MK |
91 | .TP |
92 | .I GECOS | |
60017fa5 MK |
93 | This field (sometimes called the "comment field") |
94 | is optional and used only for informational purposes. | |
18701562 | 95 | Usually, it contains the full username. |
60017fa5 MK |
96 | Some programs (for example, |
97 | .BR finger (1)) | |
98 | display information from this field. | |
99 | .IP | |
df0c9b98 MK |
100 | GECOS stands for "General Electric Comprehensive Operating System", |
101 | which was renamed to GCOS when | |
c13182ef MK |
102 | GE's large systems division was sold to Honeywell. |
103 | Dennis Ritchie has reported: "Sometimes we sent printer output or | |
104 | batch jobs to the GCOS machine. | |
105 | The gcos field in the password file was a place to stash the | |
106 | information for the $IDENTcard. | |
107 | Not elegant." | |
fea681da MK |
108 | .TP |
109 | .I directory | |
60017fa5 MK |
110 | This is the user's home directory: |
111 | the initial directory where the user is placed after logging in. | |
112 | The value in this field is used to set the | |
113 | .B HOME | |
114 | environment variable. | |
fea681da MK |
115 | .TP |
116 | .I shell | |
60017fa5 | 117 | This is the program to run at login (if empty, use |
8478ee02 | 118 | .IR /bin/sh ). |
f74bac5d | 119 | If set to a nonexistent executable, the user will be unable to log in |
fea681da MK |
120 | through |
121 | .BR login (1). | |
60017fa5 MK |
122 | The value in this field is used to set the |
123 | .B SHELL | |
124 | environment variable. | |
2b2581ee MK |
125 | .SH FILES |
126 | .I /etc/passwd | |
19c98696 | 127 | .SH NOTES |
df0c9b98 MK |
128 | If you want to create user groups, there must be an entry in |
129 | .IR /etc/group , | |
130 | or no group will exist. | |
fea681da | 131 | .PP |
156f55f6 | 132 | If the encrypted password is set to an asterisk (*), the user will be unable |
fea681da MK |
133 | to log in using |
134 | .BR login (1), | |
135 | but may still log in using | |
136 | .BR rlogin (1), | |
137 | run existing processes and initiate new ones through | |
138 | .BR rsh (1), | |
49ec013c | 139 | .BR cron (8), |
fea681da | 140 | .BR at (1), |
c13182ef MK |
141 | or mail filters, etc. |
142 | Trying to lock an account by simply changing the | |
fea681da MK |
143 | shell field yields the same result and additionally allows the use of |
144 | .BR su (1). | |
47297adb | 145 | .SH SEE ALSO |
64f7f61e MK |
146 | .BR chfn (1), |
147 | .BR chsh (1), | |
fea681da MK |
148 | .BR login (1), |
149 | .BR passwd (1), | |
150 | .BR su (1), | |
0ec954ee | 151 | .BR crypt (3), |
b22e49b8 MK |
152 | .BR getpwent (3), |
153 | .BR getpwnam (3), | |
fea681da | 154 | .BR group (5), |
a77696ad MK |
155 | .BR shadow (5), |
156 | .BR vipw (8) |
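
The seven-field line format and the password-field values described in DESCRIPTION above (empty string, `*`, `x`, `*NP*`) can be checked mechanically. The following Python audit is an added example, not part of the man page or of the man-pages project; the sample accounts, the names `parse_line` and `audit`, and the finding strings are assumptions made for illustration.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "name password uid gid gecos directory shell")

# Constructed sample input; the hash is a placeholder, not a real crypt(3) value.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:backup admin:/root:/bin/sh
nisuser:*NP*:1002:1002::/home/nisuser:
legacy:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:1003:1003::/home/legacy:/bin/bash
broken:x:1004:1004:/home/broken
"""

def parse_line(line):
    """Return an Entry for a seven-field line, or None if it is malformed."""
    fields = line.split(":")
    if len(fields) != 7 or not all(f.isascii() and f.isdigit() for f in fields[2:4]):
        return None
    fields[2:4] = int(fields[2]), int(fields[3])
    return Entry(*fields)

def audit(text):
    """Return (line number, name, finding) tuples for entries worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        entry = parse_line(line)
        if entry is None:
            findings.append((lineno, line.split(":")[0], "malformed entry"))
            continue
        if entry.password == "":
            # Empty string: login without a password unless the application refuses it.
            findings.append((lineno, entry.name, "empty password field"))
        elif entry.password not in ("x", "*", "*NP*"):
            # Anything else sits in a file every user can read.
            findings.append((lineno, entry.name, "password value in world-readable file"))
        if entry.uid == 0 and entry.name != "root":
            findings.append((lineno, entry.name, "UID 0 but not root"))
        if entry.shell == "":
            findings.append((lineno, entry.name, "empty shell, /bin/sh is used"))
    return findings

if __name__ == "__main__":
    for lineno, name, finding in audit(SAMPLE):
        print(f"line {lineno}: {name}: {finding}")
```

An entry with `*` in the password field is not reported here, but as NOTES points out it is not a fully locked account either, so such accounts still need review of cron, at and remote-login access.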