Commit | Line | Data |
---|---|---|
3d54a910 MK |
1 | .\" Copyright (c) 1993 Michael Haardt (michael@moria.de), |
2 | .\" Fri Apr 2 11:32:09 MET DST 1993 | |
fea681da | 3 | .\" |
1dd72f9c | 4 | .\" %%%LICENSE_START(GPLv2+_DOC_FULL) |
fea681da MK |
5 | .\" This is free documentation; you can redistribute it and/or |
6 | .\" modify it under the terms of the GNU General Public License as | |
7 | .\" published by the Free Software Foundation; either version 2 of | |
8 | .\" the License, or (at your option) any later version. | |
9 | .\" | |
10 | .\" The GNU General Public License's references to "object code" | |
11 | .\" and "executables" are to be interpreted as the output of any | |
12 | .\" document formatting or typesetting system, including | |
13 | .\" intermediate and printed output. | |
14 | .\" | |
15 | .\" This manual is distributed in the hope that it will be useful, | |
16 | .\" but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | .\" GNU General Public License for more details. | |
19 | .\" | |
20 | .\" You should have received a copy of the GNU General Public | |
c715f741 MK |
21 | .\" License along with this manual; if not, see |
22 | .\" <http://www.gnu.org/licenses/>. | |
6a8d8745 | 23 | .\" %%%LICENSE_END |
fea681da MK |
24 | .\" |
25 | .\" Modified Sun Jul 25 10:46:28 1993 by Rik Faith (faith@cs.unc.edu) | |
26 | .\" Modified Sun Aug 21 18:12:27 1994 by Rik Faith (faith@cs.unc.edu) | |
27 | .\" Modified Sun Jun 18 01:53:57 1995 by Andries Brouwer (aeb@cwi.nl) | |
28 | .\" Modified Mon Jan 5 20:24:40 MET 1998 by Michael Haardt | |
29 | .\" (michael@cantor.informatik.rwth-aachen.de) | |
c3e1cb40 | 30 | .TH PASSWD 5 2012-05-03 "Linux" "Linux Programmer's Manual" |
fea681da MK |
31 | .SH NAME |
32 | passwd \- password file | |
33 | .SH DESCRIPTION | |
df0c9b98 MK |
34 | The |
35 | .IR /etc/passwd | |
36 | file is a text file that describes user login accounts for the system. | |
37 | It should have read permission allowed for all users (many utilities, like | |
fea681da | 38 | .BR ls (1) |
18701562 | 39 | use it to map user IDs to usernames), but write access only for the |
fea681da MK |
40 | superuser. |
41 | .PP | |
42 | In the good old days there was no great problem with this general | |
c13182ef MK |
43 | read permission. |
44 | Everybody could read the encrypted passwords, but the | |
df0c9b98 | 45 | hardware was too slow to crack a well-chosen password, and moreover the |
c13182ef MK |
46 | basic assumption used to be that of a friendly user-community. |
47 | These days many people run some version of the shadow password suite, where | |
fea681da | 48 | .I /etc/passwd |
c1b273fc | 49 | has an \(aqx\(aq character in the password field, |
30f7100e | 50 | and the encrypted passwords are in |
df0c9b98 | 51 | .IR /etc/shadow , |
fea681da MK |
52 | which is readable by the superuser only. |
53 | .PP | |
c3e1cb40 MK |
54 | If the encrypted password, whether in |
55 | .I /etc/passwd | |
56 | or in | |
57 | .IR /etc/shadow , | |
58 | is an empty string, login is allowed without even asking for a password. | |
59 | Note that this functionality may be intentionally disabled in applications, | |
60 | or configurable (for example using the "nullok" or "nonull" arguments to | |
61 | pam_unix.so). | |
62 | .PP | |
63 | If the encrypted password in | |
64 | .I /etc/passwd | |
65 | is "\fI*NP*\fP" (without the quotes), | |
66 | the shadow record should be obtained from an NIS+ server. | |
67 | .PP | |
df0c9b98 | 68 | Regardless of whether shadow passwords are used, many system administrators |
156f55f6 | 69 | use an asterisk (*) in the encrypted password field to make sure |
fea681da | 70 | that this user can not authenticate him- or herself using a |
6387216b | 71 | password. |
df0c9b98 | 72 | (But see NOTES below.) |
fea681da | 73 | .PP |
156f55f6 | 74 | If you create a new login, first put an asterisk (*) in the password field, |
fea681da MK |
75 | then use |
76 | .BR passwd (1) | |
77 | to set it. | |
78 | .PP | |
60017fa5 MK |
79 | Each line of the file describes a single user, |
80 | and contains seven colon-separated fields: | |
fea681da MK |
81 | .sp |
82 | .RS | |
60017fa5 | 83 | name:password:UID:GID:GECOS:directory:shell |
fea681da MK |
84 | .RE |
85 | .sp | |
df0c9b98 | 86 | The fields are as follows: |
f03743fd | 87 | .TP 12 |
60017fa5 MK |
88 | .I name |
89 | This is the user's login name. | |
c13182ef | 90 | It should not contain capital letters. |
fea681da MK |
91 | .TP |
92 | .I password | |
60017fa5 MK |
93 | This is either the encrypted user password, |
94 | an asterisk (*), or the letter \(aqx\(aq. | |
30f7100e MK |
95 | (See |
96 | .BR pwconv (8) | |
f81fb444 | 97 | for an explanation of \(aqx\(aq.) |
fea681da MK |
98 | .TP |
99 | .I UID | |
60017fa5 MK |
100 | The privileged |
101 | .I root | |
102 | login account (superuser) has the user ID 0. | |
fea681da MK |
103 | .TP |
104 | .I GID | |
60017fa5 MK |
105 | This is the numeric primary group ID for this user. |
106 | (Additional groups for the user are defined in the system group file; see | |
107 | .BR group (5)). | |
fea681da MK |
108 | .TP |
109 | .I GECOS | |
60017fa5 MK |
110 | This field (sometimes called the "comment field") |
111 | is optional and used only for informational purposes. | |
18701562 | 112 | Usually, it contains the full username. |
60017fa5 MK |
113 | Some programs (for example, |
114 | .BR finger (1)) | |
115 | display information from this field. | |
116 | .IP | |
df0c9b98 MK |
117 | GECOS stands for "General Electric Comprehensive Operating System", |
118 | which was renamed to GCOS when | |
c13182ef MK |
119 | GE's large systems division was sold to Honeywell. |
120 | Dennis Ritchie has reported: "Sometimes we sent printer output or | |
121 | batch jobs to the GCOS machine. | |
122 | The gcos field in the password file was a place to stash the | |
123 | information for the $IDENTcard. | |
124 | Not elegant." | |
fea681da MK |
125 | .TP |
126 | .I directory | |
60017fa5 MK |
127 | This is the user's home directory: |
128 | the initial directory where the user is placed after logging in. | |
129 | The value in this field is used to set the | |
130 | .B HOME | |
131 | environment variable. | |
fea681da MK |
132 | .TP |
133 | .I shell | |
60017fa5 | 134 | This is the program to run at login (if empty, use |
8478ee02 | 135 | .IR /bin/sh ). |
f74bac5d | 136 | If set to a nonexistent executable, the user will be unable to log in |
fea681da MK |
137 | through |
138 | .BR login (1). | |
60017fa5 MK |
139 | The value in this field is used to set the |
140 | .B SHELL | |
141 | environment variable. | |
2b2581ee MK |
142 | .SH FILES |
143 | .I /etc/passwd | |
19c98696 | 144 | .SH NOTES |
df0c9b98 MK |
145 | If you want to create user groups, there must be an entry in |
146 | .IR /etc/group , | |
147 | or no group will exist. | |
fea681da | 148 | .PP |
156f55f6 | 149 | If the encrypted password is set to an asterisk (*), the user will be unable |
fea681da MK |
150 | to log in using |
151 | .BR login (1), | |
152 | but may still log in using | |
153 | .BR rlogin (1), | |
154 | run existing processes and initiate new ones through | |
155 | .BR rsh (1), | |
49ec013c | 156 | .BR cron (8), |
fea681da | 157 | .BR at (1), |
c13182ef MK |
158 | or mail filters, etc. |
159 | Trying to lock an account by simply changing the | |
fea681da MK |
160 | shell field yields the same result and additionally allows the use of |
161 | .BR su (1). | |
47297adb | 162 | .SH SEE ALSO |
fea681da MK |
163 | .BR login (1), |
164 | .BR passwd (1), | |
165 | .BR su (1), | |
b22e49b8 MK |
166 | .BR getpwent (3), |
167 | .BR getpwnam (3), | |
60017fa5 | 168 | .BR crypt (3), |
fea681da MK |
169 | .BR group (5), |
170 | .BR shadow (5) |
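
The field rules in the DESCRIPTION and NOTES sections above can be checked mechanically. The following is an added example, not part of the manual page or the man-pages project: a small auditor for passwd(5)-format lines. The function names, the finding texts and the sample entries are constructed for illustration, and the UID 0 check on non-root accounts is a common audit rule rather than something the page states.

```python
FIELDS = ("name", "password", "UID", "GID", "GECOS", "directory", "shell")

# Constructed sample input, not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
legacy:$6$examplesalt$examplehash:1002:1002::/home/legacy:
toor:x:0:0::/root:/bin/sh
Alice:x:1003:1003:Alice Example:/home/alice:/bin/bash
broken:x:1004:1004:/home/broken
"""

def audit_line(line):
    """Return a list of findings for one passwd(5) line."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        return [f"malformed: expected 7 fields, got {len(parts)}"]
    e = dict(zip(FIELDS, parts))
    pw, findings = e["password"], []
    if pw == "":
        findings.append("empty password field: login allowed without a password unless the application disables it")
    elif pw == "*":
        findings.append("'*': password login disabled, but rlogin/rsh/cron/at use is not")
    elif pw not in ("x", "*NP*"):  # 'x' = shadow suite, '*NP*' = NIS+ lookup
        findings.append("password hash stored in world-readable passwd file")
    if e["UID"] == "0" and e["name"] != "root":
        findings.append("UID 0 on a non-root account")
    if e["name"] != e["name"].lower():
        findings.append("login name contains capital letters")
    if e["shell"] == "":
        findings.append("empty shell field: /bin/sh is used")
    return findings

def audit(text):
    """Map login name (first field) to findings, skipping clean entries."""
    report = {}
    for line in text.splitlines():
        found = audit_line(line) if line.strip() else []
        if found:
            report[line.split(":", 1)[0]] = found
    return report

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        for f in found:
            print(f"{name}: {f}")
```

To audit a real system, pass the contents of /etc/passwd to `audit()`; entries showing 'x' still need their /etc/shadow record checked separately, since an empty hash there has the same effect.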