# Understanding /etc/passwd/ and /etc/shadow/ files in Linux

The `/etc/passwd` and `/etc/shadow` files are the backbone of Linux user management. Together, they store user account information and handle authentication securely. This article provides a hands-on guide to understanding these files, their structure, and their role in Linux user management.

## `/etc/passwd/` explained

The `/etc/passwd` file stores basic information about user and system accounts. It is a text file that resides in the `/etc` directory. `/etc/passwd` has general read permission on all systems because it does not include hashed passwords and many command utilities use it to map user IDs to user names.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1732090522229/e38fb492-eb0f-43da-a53b-7d61e58a9e6d.png align="center")

Each line within this file corresponds to the user account and each entry is split into columns, separated by a colon (:).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1732371123511/508b87b2-f197-4557-bab7-e921a671d944.png align="center")

Image credits: [Cyberciti.biz](https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/#google_vignette)

1. Type the following command to look at the content of the `passwd` file:
    
    ```bash
    cat /etc/passwd | tail -5
    ```
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1731913742882/375d5e60-651c-4f50-9f4f-5116c7b553fe.png align="center")
    

#### **Explanation of Fields**

1. `username`: The user’s login name.
    
2. `x`: A placeholder indicating that the password is stored in `/etc/shadow`.
    
3. `UID`: The user's unique numerical ID. To the Linux system, each time when we reference user `jdoe`, we are actually referencing UID 1002. When a user is created, the system by default automatically assigns the next available UID.
    
4. `GID`: The unique numerical ID of the primary group that the user belongs to. Creating groups works in a similar way to creating users, in the sense that the group is assigned the next available GID.
    
5. `gecos-field`: The comment field. It allows you to add extra information about the users such as full name, phone number etc.
    
6. `home_directory`: Path to the user’s home directory.
    
7. `shell`: Default shell for the user (e.g., `/bin/bash`).
    

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">In case of a security issue and it is required to disable an account quickly, we could change the user’s shell to something invalid (e.g. <code>/sbin/nologin</code>) to prevent the user from logging in at all.</div>
</div>

## `/etc/shadow/` explained

The `/etc/shadow` file stores password-related information securely. Unlike the `/etc/passwd` file, `/etc/shadow` does not have general read permission.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1732172901651/808475c3-f84d-4e68-a124-f6dfe512f567.png align="center")

Since the `/etc/shadow` file contains sensitive hashed password information only the **root user** has full control over the file. Members of the **shadow group** (e.g., system processes or utilities that require access) can read it but not modify it while **others** (regular users) cannot access the file at all.

Type the following command to look at the content of the `shadow` file:

```bash
sudo cat /etc/shadow | tail -4
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1732172181305/934466a6-d1b2-4cf5-b72b-ac8d7b2e6779.png align="center")

Each line within this file corresponds to the user and contains password hashes and other security information.

#### **Explanation of Fields**

1. `username`: The login name.
    
2. `password`: The hashed password. In practice placing `!`/`*` signs is one way to lock out an account. The restriction is that we cannot directly log in as `root` account from the shell or over the network. We have to log in to the system as a normal user account first. Usually, the password format is set to <kbd>$id$salt$hashed</kbd>, The <kbd>$id</kbd> is the algorithm prefix used On GNU/Linux as follows:
    
    1. **<kbd>$1$</kbd>** is MD5
        
    2. **<kbd>$2a$</kbd>** is Blowfish
        
    3. **<kbd>$2y$</kbd>** is Blowfish
        
    4. **<kbd>$5$</kbd>** is SHA-256
        
    5. **<kbd>$6$</kbd>** is SHA-512
        
    6. **<kbd>$y$</kbd>** is yescrypt
        
3. `lastchanged`: Days since Unix Epoch (January 1, 1970) when the password was last changed. 0 means the password **must be changed immediately** upon the user's next login. Empty field means the system treats it as no password change tracking, potentially indicating a misconfigured or unused account.
    
4. `min`: Minimum days between password changes. 0 means the password can be changed anytime.
    
5. `max`: Maximum days a password is valid. After that, the user is forced to change her password again.
    
6. `warn`: Days before expiration to warn the user.
    
7. `inactive`: Days after expiration before the account is disabled.
    
8. `expire`: Days since Unix Epoch when the account will be disabled.
    

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">Use the <code>chage</code> command to setup password aging.</div>
</div>

Unfortunately, this file is neither readable nor writable to regular Linux users. However, a small set of commands allows modifying `/etc/shadow` files for a standard user account. For example, the `passwd` command enables users to change their passwords.

## References

1. [Understanding /etc/passwd File Format](https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/#google_vignette)
    
2. [Understanding /etc/shadow file format on Linux](https://www.cyberciti.biz/faq/understanding-etcshadow-file/)
