git.ipfire.org Git - thirdparty/man-pages.git/blob - man5/passwd.5
.\" Copyright (c) 1993 Michael Haardt (michael@moria.de),
.\" Fri Apr 2 11:32:09 MET DST 1993
.\"
.\" SPDX-License-Identifier: GPL-2.0-or-later
.\"
.\" Modified Sun Jul 25 10:46:28 1993 by Rik Faith (faith@cs.unc.edu)
.\" Modified Sun Aug 21 18:12:27 1994 by Rik Faith (faith@cs.unc.edu)
.\" Modified Sun Jun 18 01:53:57 1995 by Andries Brouwer (aeb@cwi.nl)
.\" Modified Mon Jan 5 20:24:40 MET 1998 by Michael Haardt
.\" (michael@cantor.informatik.rwth-aachen.de)
.TH PASSWD 5 2018-04-30 "Linux" "Linux Programmer's Manual"
.SH NAME
passwd \- password file
.SH DESCRIPTION
The
.IR /etc/passwd
file is a text file that describes user login accounts for the system.
It should have read permission allowed for all users (many utilities, like
.BR ls (1),
use it to map user IDs to usernames), but write access only for the
superuser.
.PP
In the good old days there was no great problem with this general
read permission.
Everybody could read the encrypted passwords, but the
hardware was too slow to crack a well-chosen password, and moreover the
basic assumption used to be that of a friendly user-community.
These days many people run some version of the shadow password suite, where
.I /etc/passwd
has an \(aqx\(aq character in the password field,
and the encrypted passwords are in
.IR /etc/shadow ,
which is readable by the superuser only.
.PP
If the encrypted password, whether in
.I /etc/passwd
or in
.IR /etc/shadow ,
is an empty string, login is allowed without even asking for a password.
Note that this functionality may be intentionally disabled in applications,
or configurable (for example using the "nullok" or "nonull" arguments to
pam_unix.so).
.PP
If the encrypted password in
.I /etc/passwd
is "\fI*NP*\fP" (without the quotes),
the shadow record should be obtained from an NIS+ server.
.PP
Regardless of whether shadow passwords are used, many system administrators
use an asterisk (*) in the encrypted password field to make sure
that this user can not authenticate themself using a
password.
(But see NOTES below.)
.PP
If you create a new login, first put an asterisk (*) in the password field,
then use
.BR passwd (1)
to set it.
.PP
Each line of the file describes a single user,
and contains seven colon-separated fields:
.PP
.in +4n
.EX
name:password:UID:GID:GECOS:directory:shell
.EE
.in
.PP
The fields are as follows:
.TP 12
.I name
This is the user's login name.
It should not contain capital letters.
.TP
.I password
This is either the encrypted user password,
an asterisk (*), or the letter \(aqx\(aq.
(See
.BR pwconv (8)
for an explanation of \(aqx\(aq.)
.TP
.I UID
The privileged
.I root
login account (superuser) has the user ID 0.
.TP
.I GID
This is the numeric primary group ID for this user.
(Additional groups for the user are defined in the system group file; see
.BR group (5)).
.TP
.I GECOS
This field (sometimes called the "comment field")
is optional and used only for informational purposes.
Usually, it contains the full username.
Some programs (for example,
.BR finger (1))
display information from this field.
.IP
GECOS stands for "General Electric Comprehensive Operating System",
which was renamed to GCOS when
GE's large systems division was sold to Honeywell.
Dennis Ritchie has reported: "Sometimes we sent printer output or
batch jobs to the GCOS machine.
The gcos field in the password file was a place to stash the
information for the $IDENTcard.
Not elegant."
.TP
.I directory
This is the user's home directory:
the initial directory where the user is placed after logging in.
The value in this field is used to set the
.B HOME
environment variable.
.TP
.I shell
This is the program to run at login (if empty, use
.IR /bin/sh ).
If set to a nonexistent executable, the user will be unable to log in
through
.BR login (1).
The value in this field is used to set the
.B SHELL
environment variable.
.SH FILES
.I /etc/passwd
.SH NOTES
If you want to create user groups, there must be an entry in
.IR /etc/group ,
or no group will exist.
.PP
If the encrypted password is set to an asterisk (*), the user will be unable
to log in using
.BR login (1),
but may still log in using
.BR rlogin (1),
run existing processes and initiate new ones through
.BR rsh (1),
.BR cron (8),
.BR at (1),
or mail filters, etc.
Trying to lock an account by simply changing the
shell field yields the same result and additionally allows the use of
.BR su (1).
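.PP
The following Python sketch is an added example, not part of the man-pages project: it parses records in the seven-field format above and flags the conditions this page describes (empty password field, *NP*, an asterisk, an encrypted password kept in the file, capital letters in the name, an empty shell field).
The UID 0 check on names other than root is an assumption of this example, and the sample records, including the EXAMPLEHASH placeholder, are constructed.

```python
# Added example: audit passwd(5)-format records. SAMPLE is constructed data.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
toor::0:0:backup admin:/root:/bin/sh
Alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:*:998:998::/var/lib/svc:
nisuser:*NP*:1001:1001::/home/nisuser:/bin/sh
old:EXAMPLEHASH:1002:1002::/home/old:/bin/sh
broken:x:1003:1003:/home/broken
"""
FIELDS = ("name", "password", "UID", "GID", "GECOS", "directory", "shell")

def parse_line(line):
    """Split one record into the seven fields; None if the count is wrong."""
    parts = line.rstrip("\n").split(":")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def audit(text):
    """Return (line_number, name, finding) tuples for entries worth review."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None:
            findings.append((n, line.split(":")[0], "malformed: not seven fields"))
            continue
        pw, name = e["password"], e["name"]
        if pw == "":
            findings.append((n, name, "empty password: login without a password"))
        elif pw == "*NP*":
            findings.append((n, name, "shadow record is fetched from NIS+"))
        elif pw == "*":
            findings.append((n, name, "no password login; rlogin/rsh/cron/at still work"))
        elif pw != "x":
            findings.append((n, name, "encrypted password in world-readable file"))
        if e["UID"] == "0" and name != "root":  # assumption: only root should be UID 0
            findings.append((n, name, "UID 0 on an account not named root"))
        if name != name.lower():
            findings.append((n, name, "login name contains capital letters"))
        if e["shell"] == "":
            findings.append((n, name, "empty shell field: /bin/sh is used"))
    return findings

if __name__ == "__main__":
    for n, name, msg in audit(SAMPLE):
        print(f"line {n}: {name}: {msg}")
```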
.SH SEE ALSO
.BR chfn (1),
.BR chsh (1),
.BR login (1),
.BR passwd (1),
.BR su (1),
.BR crypt (3),
.BR getpwent (3),
.BR getpwnam (3),
.BR group (5),
.BR shadow (5),
.BR vipw (8)