About Ubuntu passwd, Shadow, group and other files

Source: Internet
Author: User

In the /etc directory of an Ubuntu system there are three files, passwd, shadow and group, that we may already be using without ever having looked at their details.

These three configuration files are used for system account management. They are plain text files that can be opened with a text editor such as vi. /etc/passwd stores user account information, /etc/shadow stores each user's encrypted password, and /etc/group stores group information.

1./etc/passwd

The contents of the/etc/passwd file are as follows:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4::sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
...

Each line is a colon-delimited string in the following format:

username:password:uid:gid:gecos:homedir:shell

The meaning of each field is:

user name : password : user ID : group ID : user's full name (GECOS) : home directory : login shell

GECOS is the abbreviation of General Computer Operating System, a large mainframe system at Bell Labs; the name survives as the label of the user-information field.

UNIX originally stored passwords in clear text. Later, for security reasons, the password was encrypted (hashed) with the crypt() algorithm and the result stored in /etc/passwd. As computing power has grown, cracking such hashes has become easier and easier. /etc/passwd must be readable by every legitimate user, so everyone could see the encrypted password string, which was a serious security risk. Modern UNIX systems therefore use the shadow password system: the encrypted passwords are removed from /etc/passwd and kept in /etc/shadow, which can only be read by the superuser, so an intruder cannot obtain the encrypted strings to crack. When shadow passwords are in use, the password field of every account in /etc/passwd contains "x"; if the password field contains "*", the account is disabled. The passwd program is used to change a user's password.

2./etc/shadow

/etc/shadow stores the encrypted passwords and can only be read and modified by root. Here is the content of the shadow file:

root:$1$43zr5j08$kuduq1uh36ihquiqugi/e9::0::7:::
daemon:*::0::7:::
bin:*::0::7:::
sys:*::0::7:::
sync:*::0::7:::
...

We can use the chage command to display the test user's account information:
debian:~# chage -l test
Min: 0
Biggest:
Warning Day: 7
Expiry date: 1
Last modified: July 09 2005
Password Expiration: Never
Password invalidation: Never
Account Expiration: Never

The format of the /etc/shadow file is as follows:

username:password:last_change:min_change:max_change:warn:failed_expire:expiration:reserved

A brief description of each field:
last_change: the number of days, counted from 1 January 1970, on which the password was last changed; it can be modified with chage -d.
min_change: the minimum interval, in days, between password changes; it can be modified with chage -m.
max_change:

The /etc/group file has the following format:

Groupname:password:gid:members

The password here is the group password, which is seldom used. It allows a user who is not a member of the group to temporarily take on the group's permissions through the newgrp command; a new shell is opened when newgrp is used. The password is encrypted in the same way as the password in the passwd file, so if you need to set a group password, create a dummy user and set its password with the passwd program, then copy that user's encrypted password field into the /etc/group file. The members column lists the group members as a comma-delimited list of the users who should belong to the group. Members of the same group inherit the permissions granted to the group.

So the user account itself is defined in /etc/passwd. Linux systems also contain a companion file to /etc/passwd called /etc/shadow. Unlike /etc/passwd, this file is readable only by the root user, and it contains the encrypted password information. Let's look at a sample line from /etc/shadow:

drobbins:$1$1234567890123456789012345678901:11664:0:-1:-1:-1:-1:0

Each line defines the password information for one account, and again each field is separated by a colon. The first field names the user account this shadow entry belongs to. The second field contains the encrypted password. The remaining fields are described in the following table:

Field 3: number of days since 1/1/1970 on which the password was last changed
Field 4: number of days before the password may be changed again (0 means "can be changed at any time")
Field 5: number of days after which the system will force the user to change to a new password (-1 means "never")
Field 6: number of days before expiry on which the user is warned that the password will expire (-1 means "no warning")
Field 7: number of days after the password expires before the system automatically disables the account (-1 means "never disabled")
Field 8: day (counted from 1/1/1970) on which the account is disabled (-1 means "this account is enabled")
Field 9: reserved for future use
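The aging fields above only become useful when something evaluates them against today's date. The following Python script, added here as an example and not part of the original article, parses shadow-format records and classifies each account (locked, empty password, expired, in its warning window, and so on). It follows the article's convention that -1 means "not set" and also accepts the empty field modern shadow files use; the root and drobbins lines are the article's own examples, and the other lines and their placeholder hashes are constructed for the demonstration.

```python
"""Evaluate /etc/shadow password-aging fields (added example, not from the article)."""
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the 9-field shadow format described above. The root and
# drobbins lines are the article's own examples; the other lines are made up here
# (the hashes are placeholders, not real credentials).
SAMPLE_SHADOW = """\
root:$1$t4sfphbq$jxgsggvkgbdd/d7fvvbbm0:11037:0:99999:7:-1:-1:1075498172
drobbins:$1$1234567890123456789012345678901:11664:0:-1:-1:-1:-1:0
daemon:*::0::7:::
alice:$6$saltsalt$hashhashhash:19000:0:90:7:14::
bob::19000:0:99999:7:::
carol:!$6$saltsalt$hashhashhash:19000:0:99999:7::18500:
"""


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]    # field 3: days since 1970-01-01
    min_days: Optional[int]       # field 4
    max_days: Optional[int]       # field 5
    warn_days: Optional[int]      # field 6
    inactive_days: Optional[int]  # field 7
    expire_day: Optional[int]     # field 8: days since 1970-01-01


def _aging(field: str) -> Optional[int]:
    """An empty field (modern shadow) or -1 (the article's convention) means 'not set'."""
    if field == "":
        return None
    value = int(field)
    return None if value < 0 else value


def parse_shadow(text: str):
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"expected 9 colon-separated fields: {line!r}")
        # field 9 is reserved and ignored
        entries.append(ShadowEntry(fields[0], fields[1], *(_aging(f) for f in fields[2:8])))
    return entries


def password_state(e: ShadowEntry, today: int) -> str:
    """Classify one entry the way login would, with 'today' in days since 1970-01-01."""
    if e.password == "":
        return "EMPTY"            # no password at all: a finding any audit should raise
    if e.password.startswith(("!", "*")):
        return "LOCKED"           # not a valid crypt() result, so password login is impossible
    if e.expire_day is not None and today >= e.expire_day:
        return "ACCOUNT_EXPIRED"
    if e.last_change == 0:
        return "MUST_CHANGE"      # a last-change day of 0 forces a change at next login
    if e.max_days is not None and e.last_change is not None:
        expiry = e.last_change + e.max_days
        if today >= expiry:
            if e.inactive_days is not None and today >= expiry + e.inactive_days:
                return "INACTIVE"
            return "PASSWORD_EXPIRED"
        if e.warn_days is not None and today >= expiry - e.warn_days:
            return "WARN"
    return "OK"


def audit(text: str, today: int) -> dict:
    """Map each account name to its password state."""
    return {e.name: password_state(e, today) for e in parse_shadow(text)}


if __name__ == "__main__":
    today = int(time.time() // 86400)
    for name, state in audit(SAMPLE_SHADOW, today).items():
        print(f"{name:10s} {state}")
```

Run it as root against the real file with `audit(open("/etc/shadow").read(), int(time.time() // 86400))`; any account reported as EMPTY deserves immediate attention, and LOCKED is the expected state for system accounts such as daemon.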

shadow is the shadow file of passwd. In Linux the password file is /etc/passwd; earlier systems stored the encrypted password directly in it, with the first two characters being the "salt", a random value, followed by the encrypted password. For security, Linux now provides the shadow file /etc/shadow: the password is placed in that file, which is readable only by root.

Each entry in /etc/passwd has 7 fields: name : password : user ID : group ID : user information : home directory : shell. For example:

ynguo:x:509:510::/home/ynguo:/bin/bash

When the shadow file is in use the password is represented by an x, and no password information is visible to ordinary users. The shadow password file holds the encrypted password, the password in /etc/passwd becomes x, and shadow is readable only by root, which ensures security.

Each line of /etc/shadow has the following format: user name : encrypted password : date of last change (days since 1 January 1970) : minimum number of days between two password changes : maximum number of days the password is valid : number of days before expiry on which the user is warned : number of days after the password expires before the account is disabled : account expiration date (days since 1 January 1970) : reserved. Example:

root:$1$t4sfphbq$jxgsggvkgbdd/d7fvvbbm0:11037:0:99999:7:-1:-1:1075498172

3./etc/group

The /etc/group file is the configuration file for user groups. It records users and user groups and shows which group or groups each user belongs to, since one user can belong to one or more different groups, and users in the same group share similar characteristics. For example, if we add a user to the root group, that user can browse the files in the root user's home directory; if a file of the root user has read, write and execute permission opened for the group, every user in the root group can modify that file, and if it is an executable file (such as a script) they can also execute it. The group feature is a great convenience for administrators in system management, but security also needs attention: a user who holds the most important content for system management is better given a separate group, or that user's file permissions should be set to fully private, and ordinary users should generally not be added to the root group.

/etc/group content in detail
/etc/group records the group name, group password, GID and the group's users; each group has one record, in the following format:

group_name:passwd:GID:user_list

Each record in /etc/group has four fields:
First field: group name;
Second field: group password;
Third field: GID;
Fourth field: user list, with the users separated by commas. This field can be empty; if it is empty, the group's members are the users whose primary GID in /etc/passwd equals this GID. An example:

root:x:0:root,linuxsir    Note: group root; the x in the password field means no password is set; the GID is 0; the root group contains root, linuxsir and any other users whose GID is 0 (which can be seen in /etc/passwd);
beinan:x:500:linuxsir    Note: group beinan; x means no password is set; the GID is 500; the beinan group contains the user linuxsir and the users whose GID is 500 (see /etc/passwd);
linuxsir:x:502:linuxsir    Note: group linuxsir; x means no password is set; the GID is 502; the linuxsir group contains the user linuxsir and the users whose GID is 502 (see /etc/passwd);
helloer:x:503:    Note: group helloer; x means no password is set; the GID is 503; the helloer group contains the users whose GID is 503 (see /etc/passwd);

The corresponding records in /etc/passwd are:

root:x:0:0:root:/root:/bin/bash
beinan:x:500:500:beinan sun:/home/beinan:/bin/bash
linuxsir:x:505:502:linuxsir open,linuxsir office,13898667715:/home/linuxsir:/bin/bash
helloer:x:502:503::/home/helloer:/bin/bash

We can see that the helloer group contains the user helloer, so to find the users belonging to a group we compare /etc/passwd with /etc/group.

About GIDs
A GID, like a UID, is a positive integer or 0. GIDs start from 0, and the group with GID 0 is assigned by the system to the root group. The system reserves some of the low GIDs for system (virtual, also called masquerading) users, and the reserved range differs from system to system: Fedora, for example, reserves the first 500, so newly added groups start from 500, while Slackware reserves the first 100 GIDs and new groups start from 100. The default GID range for newly added groups is given by the GID_MIN and GID_MAX values in /etc/login.defs. By comparing /etc/passwd and /etc/group we can find each user's default group: each user record in /etc/passwd carries the user's default GID, and in /etc/group we can see which users belong to each group. The default group is the one used when the user creates directories and files. An example: I add linuxsir to the root group; the related records in /etc/passwd and /etc/group are as follows.
The linuxsir user's record in /etc/passwd; we see that the default GID of the linuxsir user is 502, and in /etc/group GID 502 is the linuxsir group:

linuxsir:x:505:502:linuxsir open,linuxsir office,13898667715:/home/linuxsir:/bin/bash

The linuxsir user's related records in /etc/group; here we see that the GID of the linuxsir group is 502, and that the linuxsir user also belongs to the root and beinan groups:

root:x:0:root,linuxsir
beinan:x:500:linuxsir
linuxsir:x:502:linuxsir
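The comparison the article describes, working out a group's members from both the primary GID in /etc/passwd and the member list in /etc/group, is easy to get wrong by hand. The following Python script is an added example, not code from the article, that does it over the four records shown above (embedded as constructed samples) and also runs the cross-file checks an administrator would want: extra UID 0 accounts, users whose primary GID has no group, and group members that do not exist in /etc/passwd.

```python
"""Resolve group membership from /etc/passwd and /etc/group (added example, not from the article)."""

# Constructed samples: the four records the article shows above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
beinan:x:500:500:beinan sun:/home/beinan:/bin/bash
linuxsir:x:505:502:linuxsir open,linuxsir office,13898667715:/home/linuxsir:/bin/bash
helloer:x:502:503::/home/helloer:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root,linuxsir
beinan:x:500:linuxsir
linuxsir:x:502:linuxsir
helloer:x:503:
"""


def _records(text, nfields, path):
    """Yield the colon-split fields of each non-empty line, enforcing the field count."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"{path}: expected {nfields} fields: {line!r}")
        yield fields


def parse_passwd(text):
    """name -> record; the GECOS field may itself contain commas, which is why we split on ':'."""
    return {f[0]: {"uid": int(f[2]), "gid": int(f[3]), "gecos": f[4], "home": f[5], "shell": f[6]}
            for f in _records(text, 7, "/etc/passwd")}


def parse_group(text):
    """name -> {gid, members}; an empty member list is allowed."""
    return {f[0]: {"gid": int(f[2]), "members": {m for m in f[3].split(",") if m}}
            for f in _records(text, 4, "/etc/group")}


def members_of(group, users, groups):
    """Primary members (passwd GID equals the group's GID) plus the explicit member list."""
    g = groups[group]
    primary = {name for name, rec in users.items() if rec["gid"] == g["gid"]}
    return primary | g["members"]


def groups_of(user, users, groups):
    """Every group the user is in, whether via primary GID or via the member list."""
    return {name for name in groups if user in members_of(name, users, groups)}


def audit_accounts(users, groups):
    """Cross-file consistency checks an administrator would want flagged."""
    findings = []
    gids = {g["gid"] for g in groups.values()}
    for name, rec in users.items():
        if rec["uid"] == 0 and name != "root":
            findings.append(f"{name}: UID 0 account besides root")
        if rec["gid"] not in gids:
            findings.append(f"{name}: primary GID {rec['gid']} has no /etc/group entry")
    for gname, g in groups.items():
        for member in sorted(g["members"] - set(users)):
            findings.append(f"{gname}: member {member} is not in /etc/passwd")
    return findings


if __name__ == "__main__":
    users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for gname in groups:
        print(gname, sorted(members_of(gname, users, groups)))
    print("linuxsir belongs to", sorted(groups_of("linuxsir", users, groups)))
    print("findings:", audit_accounts(users, groups) or "none")
```

On a real host replace the samples with the contents of /etc/passwd and /etc/group; both files are world-readable, so the check needs no special privileges.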

Let us create a directory as linuxsir and observe the ownership of the directory the linuxsir user creates:

$ mkdir testdir
$ ls -lh
总用量 4.0K
drwxrwxr-x  2 linuxsir linuxsir 4.0K 10月 17 11:42 testdir

Having created the directory as linuxsir, we find that testdir is owned by the linuxsir user and the linuxsir group, not by the root or beinan groups. Note, however, that the default GID is not the most important thing when judging a user's access rights: as long as a directory grants access to its group, every user in that group can access the directory, and the user's default GID does not matter.

4./etc/gshadow

Notes on /etc/gshadow

/etc/gshadow is the encrypted counterpart of /etc/group; information such as the group management password is stored in this file. /etc/gshadow and /etc/group are complementary files. On large servers with many users and groups, where a custom permission model with more complex relationships is needed, setting group passwords is necessary. For example, if we do not want some non-members to hold a group's permissions and features permanently, we can let those users take on the group's features temporarily through password authentication; that is when the group password is used.

/etc/gshadow has the following format, one line per group:

groupname:password:admin,admin,...:member,member,...

First field: group name;
Second field: group password. This field can be empty or !; if it is empty or contains !, there is no password;
Third field: group administrators. This field can also be empty; if there are several administrators, they are separated by commas;
Fourth field: group members; if there are several members, they are separated by commas;

Example:

beinan:!::linuxsir
linuxsir:oUS/q7NH75RhQ::linuxsir

First field: in this example there are two groups, beinan and linuxsir;
Second field: group password; the beinan group has no password, and the linuxsir group has one, stored encrypted;
Third field: group administrators; both are empty;
Fourth field: the beinan group has the member linuxsir; compare /etc/group and /etc/passwd to see whether there are other users, generally those added by default, and sometimes a group and a user are created with the same name; the linuxsir group has the member linuxsir;
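Because /etc/group and /etc/gshadow describe the same groups twice, the two can drift apart, and a group that quietly acquires a password or an administrator changes who can obtain its permissions. The following Python script, an added example rather than code from the article, parses both files and reports groups with a usable password, groups with administrators, member lists that disagree, and groups present in one file but not the other. The samples are constructed from the article's records, with one deliberate member-list discrepancy (beinan) and one group administrator (beinan on helloer) added so that the checks have something to report; the hash is the article's own sample.

```python
"""Cross-check /etc/group against /etc/gshadow (added example, not from the article)."""

# Constructed samples: the article's groups, plus one deliberate discrepancy (the
# beinan member lists differ) and one group administrator (beinan on helloer).
SAMPLE_GROUP = """\
root:x:0:root,linuxsir
beinan:x:500:linuxsir
linuxsir:x:502:linuxsir
helloer:x:503:
"""
SAMPLE_GSHADOW = """\
root:::root,linuxsir
beinan:!::linuxsir,helloer
linuxsir:oUS/q7NH75RhQ::linuxsir
helloer:!:beinan:
"""


def _split(field):
    """Comma-separated list field; empty means no entries."""
    return {x for x in field.split(",") if x}


def parse_group(text):
    """name -> (gid, members)"""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            out[name] = (int(gid), _split(members))
    return out


def parse_gshadow(text):
    """name -> (password, administrators, members)"""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, password, admins, members = line.split(":")
            out[name] = (password, _split(admins), _split(members))
    return out


def has_usable_password(password):
    """Per the field description above: empty or ! means no password; * is another common lock marker."""
    return password not in ("", "*") and not password.startswith("!")


def check_gshadow(group_text, gshadow_text):
    """Return sorted findings describing differences and risk-relevant settings."""
    findings = []
    groups = parse_group(group_text)
    shadows = parse_gshadow(gshadow_text)
    for name, (_gid, members) in groups.items():
        if name not in shadows:
            findings.append(f"{name}: present in /etc/group but missing from /etc/gshadow")
            continue
        password, admins, smembers = shadows[name]
        if has_usable_password(password):
            findings.append(f"{name}: group password is set; non-members who know it can join via newgrp")
        if admins:
            findings.append(f"{name}: group administrators {sorted(admins)} can change membership with gpasswd")
        if smembers != members:
            findings.append(f"{name}: member lists differ: group={sorted(members)} gshadow={sorted(smembers)}")
    for name in shadows.keys() - groups.keys():
        findings.append(f"{name}: present in /etc/gshadow but missing from /etc/group")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_gshadow(SAMPLE_GROUP, SAMPLE_GSHADOW):
        print(finding)
```

Reading /etc/gshadow requires root, so run the check from a privileged maintenance job; a group password that appears unexpectedly is worth the same scrutiny as an unexpected sudoers entry.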

How do we set a password for a group? We can do it with gpasswd. In general it is not necessary to set a group password, but it is worth practising; here is an example of setting a password for the linuxsir group:

Usage of gpasswd: gpasswd <group>

# gpasswd linuxsir

正在修改 linuxsir 组的密码
新密码:
请重新输入新密码:

newgrp

Switching between groups is done with newgrp, which is somewhat like switching between users with su. An example:

$ newgrp linuxsir
密码:
$ mkdir lingroup
$ ls -ld lingroup/
drwxr-xr-x  2 beinan linuxsir 4096 10月 18 15:56 lingroup/
$ newgrp beinan
$ mkdir beinangrouptest
$ ls -ld beinangrouptest
drwxrwxr-x  2 beinan beinan 4096 10月 18 15:56 beinangrouptest

Explanation: as the beinan user I switched from the beinan group to the linuxsir group and created a directory, then switched back to the beinan group and created another directory; observe that the two directories belong to different groups.

