Understanding the /etc/passwd and /etc/shadow files in Linux

The /etc/passwd and /etc/shadow files are the backbone of Linux user management. Together, they store user account information and handle authentication securely. This article provides a hands-on guide to understanding these files, their structure, and their role in Linux user management.

/etc/passwd explained

The /etc/passwd file stores basic information about user and system accounts. It is a plain text file that resides in the /etc directory. /etc/passwd is world-readable on all systems because it does not contain password hashes and many utilities use it to map user IDs to user names.

Each line within this file corresponds to one user account, and each entry is split into fields separated by a colon (:).

[Image showing the fields of an /etc/passwd entry. Image credits: Cyberciti.biz]

Type the following command to look at the last five entries of the passwd file:

cat /etc/passwd | tail -5

Explanation of Fields

  1. username: The user’s login name.

  2. x: A placeholder indicating that the password is stored in /etc/shadow.

  3. UID: The user's unique numerical ID. To the Linux system, whenever we reference the user jdoe we are in fact referencing UID 1002. When a user is created, the system by default assigns the next available UID.

  4. GID: The unique numerical ID of the primary group that the user belongs to. Creating groups works in a similar way to creating users, in the sense that the group is assigned the next available GID.

  5. gecos-field: The comment field. It allows you to add extra information about the user, such as full name or phone number.

  6. home_directory: Path to the user’s home directory.

  7. shell: Default shell for the user (e.g., /bin/bash).

💡
If a security issue requires disabling an account quickly, we can change the user's shell to one that refuses logins (e.g. /sbin/nologin) so that the user cannot log in at all. Note that this only denies an interactive shell; the password itself stays valid until it is locked in /etc/shadow.

/etc/shadow explained

The /etc/shadow file stores password-related information securely. Unlike /etc/passwd, /etc/shadow is not world-readable.

Since the /etc/shadow file contains sensitive hashed password information, only the root user has full control over the file. Members of the shadow group (e.g., system processes or utilities that require access) can read it but not modify it, while others (regular users) cannot access the file at all.

Type the following command to look at the content of the shadow file:

sudo cat /etc/shadow | tail -4

Each line within this file corresponds to one user and contains the password hash and other security information.

Explanation of Fields

  1. username: The login name.

  2. password: The hashed password. In practice, placing a ! or * in this field is one way to lock an account: a ! in front of an existing hash (what passwd -l writes) locks the password while preserving the hash, and a * alone means the account has no valid password. Ubuntu's root account is a common example: its password is locked, so we cannot log in directly as root from the console or over the network and have to log in as a normal user account first. Otherwise the field has the format $id$salt$hashed, where $id identifies the hashing algorithm. On GNU/Linux the prefixes are:

    1. $1$ is MD5

    2. $2a$ is bcrypt (Blowfish-based)

    3. $2y$ is bcrypt (Blowfish-based)

    4. $5$ is SHA-256

    5. $6$ is SHA-512

    6. $y$ is yescrypt

  3. lastchanged: Days since the Unix Epoch (January 1, 1970) on which the password was last changed. 0 means the user must change the password at the next login. An empty field means password aging is disabled for the account, which may indicate a misconfigured or unused account.

  4. min: Minimum days between password changes. 0 means the password can be changed anytime.

  5. max: Maximum number of days a password is valid. After that, the user is forced to change the password again.

  6. warn: Days before expiration to warn the user.

  7. inactive: Days after the password expires during which it is still accepted (the user must change it at login); after that the account is disabled.

  8. expire: Days since Unix Epoch when the account will be disabled.

💡
Use the chage command to set up password aging.

By design, this file is neither readable nor writable by regular Linux users. However, a small set of setuid commands allows a standard user to modify their own entry in /etc/shadow. For example, the passwd command enables users to change their passwords.
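As an added example (not part of the original article), here is a small Python audit that parses records in both formats explained above and flags what the fields encode: an extra UID 0 account in /etc/passwd, an empty or MD5 password field, a password older than its max, and a passed expire date. The records are constructed, and the reference date 2023-01-01 is an assumption so that the output is reproducible.

```python
from datetime import date
# $id$ prefixes listed above ($2a$/$2y$ are bcrypt, the Blowfish-based scheme).
ALGORITHMS = {"1": "MD5", "2a": "bcrypt", "2y": "bcrypt", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
SHADOW_FIELDS = ("name", "password", "lastchanged", "min", "max", "warn", "inactive", "expire")

PASSWD = [  # constructed sample records in the /etc/passwd format
    "backup:x:0:34:backup:/var/backups:/sbin/nologin",   # a second UID 0 account
    "jdoe:x:1002:1002:John Doe,,,:/home/jdoe:/bin/bash",
    "guest:x:1003:1003::/home/guest:/bin/bash",
]
SHADOW = [  # constructed sample records in the /etc/shadow format
    "backup:!:19000:0:99999:7:::",                        # locked with "!"
    "jdoe:$6$saltsalt$hashhashhash:19000:0:90:7:::",      # SHA-512, max 90 days
    "guest::19000:0:99999:7::19300:",                     # empty password, expire set
]

def parse_passwd(line):
    name, _x, uid, gid, gecos, home, shell = line.strip().split(":")
    return name, int(uid), shell

def parse_shadow(line):
    f = line.strip().split(":")
    aging = [int(x) if x else None for x in f[2:8]]   # empty field -> None (aging disabled)
    return dict(zip(SHADOW_FIELDS, f[:2] + aging))

def password_status(pw):
    if pw == "":
        return "EMPTY"          # no password at all: the account can be entered without one
    if pw[0] in "!*":
        return "locked"         # "!" prefix (what passwd -l writes) or "*": no usable hash
    return ALGORITHMS.get(pw.split("$")[1], "unknown") if pw.startswith("$") else "legacy"

def audit(passwd_lines, shadow_lines, today):
    days_now = (today - date(1970, 1, 1)).days        # same unit as lastchanged/expire
    shadow = {s["name"]: s for s in map(parse_shadow, shadow_lines)}
    for name, uid, _shell in map(parse_passwd, passwd_lines):
        if uid == 0 and name != "root":
            yield name, "extra UID 0 account"
        if s := shadow.get(name):
            status = password_status(s["password"])
            if status in ("EMPTY", "MD5"):
                yield name, "weak or empty password: " + status
            if s["lastchanged"] and s["max"] and days_now > s["lastchanged"] + s["max"]:
                yield name, "password expired"
            if s["expire"] is not None and days_now >= s["expire"]:
                yield name, "account expired"

def audit_sample():
    return list(audit(PASSWD, SHADOW, date(2023, 1, 1)))
```

To run it against a real system, feed `open("/etc/passwd")` and `open("/etc/shadow")` (as root) to `audit` with `date.today()`.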
