1 .\" Copyright (c) 1993 Michael Haardt (michael@moria.de),
2 .\" Fri Apr 2 11:32:09 MET DST 1993
4 .\" SPDX-License-Identifier: GPL-2.0-or-later
6 .\" Modified Sun Jul 25 10:46:28 1993 by Rik Faith (faith@cs.unc.edu)
7 .\" Modified Sun Aug 21 18:12:27 1994 by Rik Faith (faith@cs.unc.edu)
8 .\" Modified Sun Jun 18 01:53:57 1995 by Andries Brouwer (aeb@cwi.nl)
9 .\" Modified Mon Jan 5 20:24:40 MET 1998 by Michael Haardt
10 .\" (michael@cantor.informatik.rwth-aachen.de)
11 .TH PASSWD 5 2018-04-30 "Linux" "Linux Programmer's Manual"
13 passwd \- password file
17 file is a text file that describes user login accounts for the system.
18 It should have read permission allowed for all users (many utilities, like
20 use it to map user IDs to usernames), but write access only for the
23 In the good old days there was no great problem with this general
25 Everybody could read the encrypted passwords, but the
26 hardware was too slow to crack a well-chosen password, and moreover the
27 basic assumption used to be that of a friendly user-community.
28 These days many people run some version of the shadow password suite, where
30 has an \(aqx\(aq character in the password field,
31 and the encrypted passwords are in
33 which is readable by the superuser only.
35 If the encrypted password, whether in
39 is an empty string, login is allowed without even asking for a password.
40 Note that this functionality may be intentionally disabled in applications,
41 or configurable (for example using the "nullok" or "nonull" arguments to
44 If the encrypted password in
46 is "\fI*NP*\fP" (without the quotes),
47 the shadow record should be obtained from an NIS+ server.
49 Regardless of whether shadow passwords are used, many system administrators
50 use an asterisk (*) in the encrypted password field to make sure
51 that this user can not authenticate themself using a
53 (But see NOTES below.)
55 If you create a new login, first put an asterisk (*) in the password field,
60 Each line of the file describes a single user,
61 and contains seven colon-separated fields:
65 name:password:UID:GID:GECOS:directory:shell
69 The field are as follows:
72 This is the user's login name.
73 It should not contain capital letters.
76 This is either the encrypted user password,
77 an asterisk (*), or the letter \(aqx\(aq.
80 for an explanation of \(aqx\(aq.)
85 login account (superuser) has the user ID 0.
88 This is the numeric primary group ID for this user.
89 (Additional groups for the user are defined in the system group file; see
93 This field (sometimes called the "comment field")
94 is optional and used only for informational purposes.
95 Usually, it contains the full username.
96 Some programs (for example,
98 display information from this field.
100 GECOS stands for "General Electric Comprehensive Operating System",
101 which was renamed to GCOS when
102 GE's large systems division was sold to Honeywell.
103 Dennis Ritchie has reported: "Sometimes we sent printer output or
104 batch jobs to the GCOS machine.
105 The gcos field in the password file was a place to stash the
106 information for the $IDENTcard.
110 This is the user's home directory:
111 the initial directory where the user is placed after logging in.
112 The value in this field is used to set the
114 environment variable.
117 This is the program to run at login (if empty, use
119 If set to a nonexistent executable, the user will be unable to login
122 The value in this field is used to set the
124 environment variable.
128 If you want to create user groups, there must be an entry in
130 or no group will exist.
132 If the encrypted password is set to an asterisk (*), the user will be unable
135 but may still login using
137 run existing processes and initiate new ones through
141 or mail filters, etc.
142 Trying to lock an account by simply changing the
143 shell field yields the same result and additionally allows the use of