Linux Password File passwd and shadow Analysis

Introduction: two files closely related to Linux passwords

 

1. About/etc/passwd:

 

Understanding about/etc/passwd

In/etc/passwd, each row represents the information of a user. A row has seven field bits. Each field bits are separated by a number, for example, the following two lines in my system:/etc/passwd;

Beinan: x: 500: 500: beinan sun:/home/beinan:/bin/bash
Linuxsir: x: 505: 502: linuxsir open, linuxsir office, 13898667715:/home/linuxsir:/bin/bash
Beinan: x: 500: 500: beinan sun:/home/beinan:/bin/bash
Linuxsir: x: 501: 502:/home/linuxsir:/bin/bash

 

Field 1: User Name (also known as the login name); In the above example, we can see that the two user names are beinan and linuxsir;
Field 2: password. In the example, we see an x. In fact, the password has been mapped to the/etc/shadow file;
Field 3: UID. See the UID description in this article;
Field 4: GID. See the GID description in this article;
Field 5: full name of the user name. This parameter is optional and can be left unspecified. In the beinan user, the full name of the user is beinan sun, while that of linuxsir is not set;
Field 6: Location of the user's home directory;/home/beinan for beinan;/home/linuxsir for linuxsir;
Field 7: The SHELL type used by the user. beinan and linuxsir both use bash. Therefore, set it to/bin/bash;

 

UID comprehension:

 

UID is the user ID value. In the system, the UID value of each user is unique. More specifically, each user must correspond to a unique UID, the system administrator should ensure this rule. The UID value of the System user starts from 0 and is a positive integer. The maximum value can be in/etc/login. defs can be found. Generally, the Linux version is 60000. in Linux, the root UID is 0 and has the highest system permission;

UID is unique in the system. As a system administrator, this standard should be ensured. The uniqueness of UID is related to system security and deserves our attention! For example, if I change the UID of beinan to 0 in/etc/passwd, what would happen? Beinan is the root user. The beinan account can perform all root operations;

UID is the identifier used to confirm user permissions. the role a user logs on to the system is implemented by UID instead of the user name. It is dangerous to share several users with a UID, for example, as we mentioned above, changing the UID of a common user to 0 shares a UID with the root user, which in fact leads to confusion of system management permissions. If we want to use the root permission, we can implement it through su or sudo. do not share the same UID with the root user;

UID is unique and only required by the Administrator. In fact, we can modify the/etc/passwd file to 0 for any user's UID,

In general, each Linux release edition reserves a certain UID and GID for the system virtual user to use. The virtual user is generally available during system installation, users are required to complete system tasks, but virtual users cannot log on to the system, such as ftp, nobody, adm, rpm, bin, and shutdown;

In the Fedora system, the first 499 UIDs and gids are reserved. When we add a new user, the UID starts from 500, and the GID starts from 500. For other systems, some systems may reserve the first 999UID and GID. the minimum value of UID_MIN in defs prevails. The logora system login. the value of UID_MIN in defs is 500, and the value of UID_MAX is 60000. That is to say, the UID value of the user we add through adduser is between 500 and 60000 by default; slackware uses adduser to add users without specifying UID. The default UID starts from 1000;

 

Ii. About/etc/shadow

 

/Etc/shadow Overview

The/etc/shadow file is a shadow file of/etc/passwd. This file is not generated by/etc/passwd. The two files should be complementary; the shadow content includes the user and the encrypted password, and other information not included in/etc/passwd, such as the user's validity period. This file can be read and operated only with the root permission. The permissions are as follows:

 

-R --- 1 root 1.5 K October 16 09:49/etc/shadow

 

The permission of/etc/shadow cannot be changed to readable by other users, which is dangerous. If you find that the permission for this file is changed to another user group or user readable, check to prevent system security problems;

If we cannot view the file as a common user, it indicates that the permission is insufficient:

[Beinan @ localhost ~] $ More/etc/shadow
/Etc/shadow: insufficient Permissions

 

/Etc/shadow Content Analysis

The content of the/etc/shadow file contains nine segments. Each segment is separated by a comma (,). The following is an example;

 

Beinan: $1 $ VE. Mq2Xf $2c9Qi7EQ9JP8GKF8gH7PB1: 13072: 0: 99999: 7 :::
Linuxsir: $1 $ IPDvUhXP $8r4.7/VtPXvLyXxhLWPrnt/: 13072: 0: 99999: 7: 13108:

 

Field 1: User Name (also known as the login name). in/etc/shadow, the user name is the same as/etc/passwd, in this way, passwd is associated with the user records in shadow. This field is not empty;
Field 2: Password (encrypted). If x is used in this section, the user cannot log on to the system. This field is not empty;
Field 3: The last time the password was modified. This time is the interval (days) from January 1, January 01, 1970 to the last time the password was modified. You can use passwd to modify the password, view the changes in this field in/etc/shadow;
Field 4: the minimum number of days between two password changes. If it is set to 0, this function is disabled. That is to say, the user must be able to change the password after how many days; this function is not very useful; the default value is through/etc/login. obtained in defs file definition, defined in PASS_MIN_DAYS;
Field 5: the maximum number of days between two password changes. This enhances the Administrator's timeliness of managing user passwords. It should be said that the system security is enhanced. If it is the default value of the system, is added by/etc/login. obtained in defs file definition, defined in PASS_MAX_DAYS;
Field 6: the number of days in advance to warn the user that the password will expire. After the user logs on to the system, the system logon program reminds the user that the password will be voided; if it is the default value of the system, is added by/etc/login. obtained in defs file definition, defined in PASS_WARN_AGE;
Field 7: the number of days after the password expires. This field indicates the number of days after the password expires, and the system will disable the user. That is to say, the system will not allow the user to log on again, it does not prompt that the user has expired. It is completely disabled;
Field 8: User expiration date. This field specifies the number of days the user has expired (the number of days since January 1,). If the value of this field is blank, the account is permanently available; www.2cto.com
Field 9: reserved field. It is currently empty for future development of Linux;

For more detailed information, see man shadow;
Based on the instance analysis:

 

Beinan: $1 $ VE. Mq2Xf $2c9Qi7EQ9JP8GKF8gH7PB1: 13072: 0: 99999: 7 :::
Linuxsir: $1 $ IPDvUhXP $8r4.7/VtPXvLyXxhLWPrnt/: 13072: 0: 99999: 7: 13108:

 

Field 1: User Name (also known as the login name). In this example, there are two records in the canyon, that is, two users beinan and linuxsir.
Field 2: encrypted password. If x is used in this field, the user cannot log on to the system or be considered as a virtual user, however, both virtual users and real users are opposite, and the system administrator can operate on any user at any time;
Field 3: indicates the number of days of the last password change (from January 1, January 01, 1970). The preceding example shows that beinan and linuxsir have changed the user password on the same day, of course, it was changed through the passwd command. The password change time is January 01, 1970 days from January 1, 13072;
Field 4: Disable the minimum number of days between two password changes. Set this parameter to 0.
Field 5: the maximum number of days between two password changes. In this example, the password is 99999 days. If this value is not specified when a user is added, it is through/etc/login. defs to obtain the default value, PASS_MAX_DAYS 99999; you can view/etc/login. defs to view the specific value;
Field 6: the number of days in advance to warn the user that the password will expire. After the user logs on to the system, the system logon program reminds the user that the password will be voided; if it is the default value of the system, is added by/etc/login. obtained in the defs file definition, defined in PASS_WARN_AGE; in this example, the value is 7, which indicates that the user is warned to change the password seven days before the user password expires;
Field 7: the number of days after the password expires. This field indicates the number of days after the password expires, and the system will disable the user. That is to say, the system will not allow the user to log on again, in this example, both users in this field are empty, indicating that this function is disabled;
Field 8: User expiration date. This field specifies the number of days the user has expired (the number of days since January 1,). If the value of this field is blank, the account is permanently available; in this example, we can see that the beinan user field is blank, indicating that this user is permanently available, and the linuxsir user indicates that the user expired January 01, 1970 days after January 1, 13108, that is, the user expired on January 1, November 21, 2005; haha, if you are interested, you can calculate it by yourself;
Field 9: reserved field. It is currently empty for future Linux development.