About Ubuntu passwd, Shadow, group and other files

Transfer from https://yq.aliyun.com/articles/50327

In the Ubuntu system,/etc directory, there are three files: passwd Shadow Group, perhaps we are already in use, but did not notice its details.

These three profiles are used for System account management, which are text files that can be opened using a text editor such as VI. /ETC/PASSWD is used to store user account information,/etc/shadow is used to store each user encrypted password,/etc/group to hold the user's group information.

1./etc/passwd

The contents of the/etc/passwd file are as follows:

Root:x:0:0:root:/root:/bin/bash
Daemon:x:1:1:daemon:/usr/sbin:/bin/sh
Bin:x:2:2:bin:/bin:/bin/sh
Sys:x:3:3:sys:/dev:/bin/sh
Sync:x:4::sync:/bin:/bin/sync
Games:x:5:60:games:/usr/games:/bin/sh
...

Each line consists of a semicolon-delimited string of characters, in the following format:

Username:password:uid:gid:gecos:homedir:shell
The Chinese descriptions for each domain are as follows:
User name: Password: User id: Group ID: User's full Name: Home directory: Login Shell
Gecos is the abbreviation for the general computer operating system and is a large mainframe in Bell Labs.

The UNIX system originally saved the password in clear text, and later, for security reasons, used the crypt () algorithm to encrypt the password and store it in the/etc/passwd file. Now, with the improvement of computer processing power, password cracking becomes more and more easy. The/etc/passwd file is accessible to all legitimate users, and everyone can see the encrypted string of the password, which poses a great security threat to the system. Modern UNIX systems use the Shadow Cryptography system, which separates passwords from/etc/pa sswd files, the real passwords are stored in/etc/shadow files, and shadow files can only be accessed by super users. This way the intruder cannot get an encrypted cipher string for the hack. With the shadow password file, the contents of the password domain for all accounts in the/etc/passwd file are "X", and if the contents of the password domain are "*", the account is deactivated. Use passwd This program to modify the user's secret.

2./etc/shadow

/etc/shadow stores the encrypted password, which can only be read and modified by Root. Here is the contents of the shadow file:

Root:$1$43zr5j08$kuduq1uh36ihquiqugi/e9::0::7:::
Daemon:*::0::7:::
Bin:*::0::7:::
Sys:*::0::7:::
Sync:*::0::7:::
...

We can use the Chage command to display the test user's account information:
debian:~# chage-l Test
Min: 0
Biggest:
Warning Day: 7
Expiry date: 1
Last modified: July 09 2005
Password Expiration: Never
Password invalidation: Never
Account Expiration: Never

The format of the/etc/shadow file is as follows:

Username:password:last_change:min_change:max_change:warm:failed_expire:expiration:reserved
A brief description of each field:
Last_change: Indicates the number of days the password has been modified since Linux was used. The chage-d command can be used to modify.
Min_change: Represents the minimum modification interval for a password. The CHAGE-M command can be used to modify.
Max_change:

It has the following format:

Groupname:password:gid:members

The password here represents the group password, which is seldom used. It allows users who were not previously in this group to temporarily inherit the group's permissions through the NEWGRP command, and a new shell is opened when the NEWGRP command is used. Password encryption is the same as the password in the passwd file, so if you need to set the group password, to use the passwd program dummy a user, and then the user password section of the encrypted password copied to the/etc/group file. The Members column represents the group members, and we can add a comma-delimited list of the users who need to join it. Members of the same group can inherit the permissions that the group has.

In this way, the user account itself is defined in/etc/passwd. The Linux system contains a/etc/passwd companion file, called/etc/shadow. The file is not like/etc/passwd and is readable only for the root user and contains encrypted password information. Let's take a look at a sample line from/etc/shadow:

code:drobbins:$1$1234567890123456789012345678901:11664:0:-1:-1:-1:-1:0

Each line defines the password information for a special account, and the same, each field is separated by:. The first field defines a special user account associated with this shadow entry. The second field contains an encrypted password. The remaining fields are described in the following table:

Field 3 number of days since 1/1/1970 the password has been modified
Field 4 The number of days before the password will be allowed to be modified (0 means "can be modified at any time")
Field 5 The number of days before the system will force the user to modify to a new password (1 means "never modify")
The number of days that the user will be warned of expiration before field 6 password expires (-1 means "no warning")
Field 7 The number of days that the system automatically disables the account after the password expires (-1 means "never disabled")
Field 8 The number of days that the account is disabled (-1 means "This account is enabled")
Field 9 reserved for future use

Shadow is a shadow file for passwd. In Linux, the password file in/etc/passwd, the earlier file directly stored encrypted password, the first two bits is the "salt" value, is a random number, followed by an encrypted password. For the sake of security, Linux now provides/etc/shadow this shadow file, the password is placed in this file, and is only the root readable. Each entry for the/etc/passwd file has 7 domains, the name: password: User id: Group ID: User information: Home directory: Shell For example: Ynguo:x:509:510::/home/ynguo:/bin/bash In the case of using the shadow file, the password is represented by an X, and no password information is visible to the ordinary user. The shadow password file holds the encrypted password, and the password in the/etc/passwd file becomes x. Shadow can only be root readable, thus ensuring security. /etc/ The format of each line of the shadow file is as follows: User name: encrypted password: The last modified time (days from January 1, 1970): The minimum number of days that the password has been changed between two changes: number of days before password modification to warn the user: number of days after the password has been disabled the account has been deactivated: the number of days since January 1, 1970: Reserved domain 。 Example: root:$1$t4sfphbq$jxgsggvkgbdd/d7fvvbbm0:11037:0:99999:7:-1:-1:1075498172

3./etc/group

The/etc/group file is a user group profile that includes users and user groups, and can show which user group or groups of users belong to, because one user can belong to one or more different groups of users, and users of the same user group have similar characteristics. For example, if we add a user to the root user group, then the user can browse the root user's home directory files, if the root user to open the read and write permissions of a file, all users of the root user group can modify the file, if it is executable files (such as scripts), The user of the root user group is also able to execute, the user group's characteristics in the system management for the system administrator to provide a great convenience, but security is also worthy of concern, such as a user under the system management has the most important content, it is best to let users have a separate user group, Or the permissions of the file under the user are set to fully private, and the root user group is generally not easy to add ordinary users.

/etc/group Content Specific Analysis
The content of/etc/group includes user group, user group password, GID, and user group, a record of each user group, in the following format:

group_name:passwd:GID:user_list

Each record in/etc/group is divided into four fields:
First field: User group name;
Second field: User group password;
Third field: GID
The fourth field: User list, with each user, the number is divided; This field can be empty; if the word blank represents the user name of the user group as GID; Let us give an example:

root:x:0:root,linuxsir 注：用户组root，x是密码段，表示没有设置密码，GID是0,root用户组下包括root、linuxsir以及GID为0的其它用户（可以通过/etc/passwd查看）；
beinan:x:500:linuxsir 注：用户组beinan，x是密码段，表示没有设置密码，GID是500,beinan用户组下包括linuxsir用户及GID为500的用户（可以通过/etc/passwd查看）；
linuxsir:x:502:linuxsir 注：用户组linuxsir，x是密码段，表示没有设置密码，GID是502,linuxsir用户组下包用户linuxsir及GID为502的用户（可以通过/etc/passwd查看）；
helloer:x:503:   注：用户组helloer，x是密码段，表示没有设置密码，GID是503,helloer用户组下包括GID为503的用户，可以通过/etc/passwd查看；

The relevant records for/etc/passwd correspond to the following:

root:x:0:0:root:/root:/bin/bash
beinan:x:500:500:beinan sun:/home/beinan:/bin/bash
linuxsir:x:505:502:linuxsir open,linuxsir office,13898667715:/home/linuxsir:/bin/bash
helloer:x:502:503::/home/helloer:/bin/bash

It can be seen that the Helloer user group includes helloer users, so we look at the users owned by a user group, which can be obtained by comparing/etc/passwd and/etc/group;

About GID;
GID and UID Similar, is a positive integer or 0,gid starting from 0, GID 0 of the group let the system to pay to the root user group, the system will reserve some more than the previous GID to the system virtual users (also known as masquerading users), each system reserved GID is different, such as Fedora Reserved 500, we add a new user group, the user group is starting from 500, while Slackware is the first 100 GID reserved, the newly added user group is starting from 100; View system add user group default GID range should see gid_ in/etc/login.defs Min and Gid_max values; we can control the/etc/passwd and/etc/group two files; we will find a default user group saying that each user record in/etc/passwd will find the default GID of the user; in/etc/group, We will also find out how many users are in each user group, and the default user groups are used when creating directories and files; For example, I add Linuxsir as the root user group, and records related to/etc/passwd and/etc/group are:
Linuxsir the user's record in/etc/passwd; we see in this record that the default GID of Linuxsir user is 502, while 502 GID is Linuxsir user group in/etc/group;

linuxsir:x:505:502:linuxsir open,linuxsir office,13898667715:/home/linuxsir:/bin/bash

Linuxsir user in the/etc/group of the relevant records; Here we see Linuxsir User group GID is 502, and Linuxsir users belong to root, Beinan user group;

root:x:0:root,linuxsir
beinan:x:500:linuxsir
linuxsir:x:502:linuxsir

We use Linuxsir to create a directory to observe the Linuxsir user to create a directory of permissions attribution;

[[email protected] ~]$ mkdir testdir
[[email protected] ~]$ ls -lh
总用量 4.0K
drwxrwxr-x  2 linuxsir linuxsir 4.0K 10月 17 11:42 testdir

When we used Linuxsir to create the directory, we found that TestDir's permission attribution is still Linuxsir user and Linuxsir user group, and not belong to root and Beinan user group, but it is worth noting that when you judge the user's access rights, The default GID is not the most important, as long as a directory for the same group of users can access the permissions, then the same group of users can have access to the directory, at this time the user's default GID is not the most important;

4./etc/gshadow

/etc/gshadow commentary;

/etc/gshadow is a/etc/group encrypted information file, such as user group management password is stored in this file. /etc/gshadow and/etc/group are complementary two files; for large servers, for many users and groups, custom some relational structure more complex permissions model, set user group password is very necessary. For example, we do not want to allow some non-user group members to permanently own the user group's permissions and features, we can use the password authentication method to let some users temporarily have some user group features, then the user group password will be used;

/etc/gshadow format as follows, each user group exclusive row;

groupname:password:admin,admin,...:member,member,...

First field: User group
Second field: User group password, this segment can be empty or!, if it is empty or has!, indicates no password;
The third field: User group manager, this field can also be empty, if there are multiple user group managers, with, number segmentation;
Fourth field: Group members, if there are multiple members, with, number split;

Example:

beinan:!::linuxsir
linuxsir:oUS/q7NH75RhQ::linuxsir

First field: In this example, there are two user groups Beinan with Linuxsir
The second field: User group password, beinan user group no password; Linuxsir user group has already, has been encrypted;
The third field: User group manager, both are empty;
The fourth field: The Beinan user Group has a member of Linuxsir, and then a comparison of/etc/group and/etc/passwd to see if there are other users, generally added by default users, and sometimes also create user groups and user names with the same name; Linuxsir User group has member Linuxisir;

How do I set a password for a user group? We can do it through GPASSWD, but in general, it is not necessary to set the user group's password, but it is necessary to practice it; Here is an example of setting a password for the Linuxsir user group;

gpasswd 的用法：GPASSWD User Group

[Email protected] ~]# Gpasswdlinuxsir

正在修改 linuxsir 组的密码
新密码：
请重新输入新密码：

Newgrp

Switching between user groups should be done with NEWGRP, which is somewhat like the switch between the user su; let me give you an example:

[[email protected] ~]$ newgrp linuxsir
密码：
[[email protected] ~]$ mkdir lingroup
[[email protected] ~]$ ls -ld lingroup/
drwxr-xr-x  2 beinan linuxsir 4096 10月 18 15:56lingroup/
[[email protected] ~]$ newgrp beinan
[[email protected] ~]$ mkdir beinangrouptest
[[email protected] ~]$ ls -ld beinangrouptest
drwxrwxr-x  2 beinan beinan 4096 10月 18 15:56beinangrouptest

Description: I was the Beinan user group to switch to the Linuxsir user group, and built a directory, and then switch back to the Beinan user group, and built a directory, please observe the two directories belong to the user group of different;

About Ubuntu passwd, Shadow, group and other files