Friday, August 05, 2005

Unix for advanced users

2.3. Who is permitted: /etc/passwd, /etc/shadow, and /etc/group

The system needs some way of verifying that you are who you say you are when you log in. Likewise, the system needs to know what you are authorized to do, once you have gained access.

2.3.1. What is /etc/passwd?

/etc/passwd is the authentication database for a Unix machine. (It is also the file that maps usernames to user IDs, or UIDs, the numbers by which the Unix kernel recognizes a user.) It contains a list of users that the system recognizes. Each line in the file represents a different user account.

You can look at the password file on your machine.

Type cat /etc/passwd at the prompt. Entries in /etc/passwd look something like this:

arushkin:Igljf78DS:132:20:Amy Rushkin:/usr/people/arushkin:/bin/csh
trsmith:*:543:20:Trent Smith, sys adm:/usr/people/trsmith/:/bin/tcsh

Although these entries differ in terms of the way the information is presented within the fields, they are both valid /etc/passwd entries. Note how each line contains seven different fields, each separated by a colon.

  • Login name - The username of the account

  • Encrypted password - the password that has been encrypted by the system. Note that in the second example the encrypted password has been replaced by an asterisk.

    In the entry for arushkin the password has been encrypted by the system and appears as a nonsensical string of characters. In the entry for trsmith the password field is occupied by a placeholder. This can mean that the user does not have a password, or that a shadow password file is in use. In the latter case, the actual password is kept in /etc/shadow.

    If an account does not use a password, a placeholder is put in the password field rather than leaving the field blank. A blank field constitutes a security hole through which an unauthorized user could gain access to the system.

  • User ID - each user on the system is assigned a unique identification number. That number is contained here.

  • Default Group ID - The Group ID is the number of the group that the user is a member of when they log in.

  • GCOS field - this field has no defined syntax and is generally used for personal information about the user; full name, phone number, room number, etc. Sometimes this field is not used at all.

    The curious may ask what GCOS means. The acronym GCOS comes from GECOS - General Electric Comprehensive Operating System. This was later shortened to General Comprehensive Operating System while competitors at Honeywell sarcastically referred to it as God's Chosen Operating System. The name is merely nostalgic residue from a General Electric machine that spooled print jobs from one of the first UNIX machines at Bell Labs.

  • Home directory - contains the path of the user's home directory

  • Login shell - contains the path of the user's default shell after login

2.3.2. What is /etc/shadow?

/etc/passwd has to be world-readable so that programs can translate user IDs to usernames. Storing the encrypted password in that file would mean that anyone with access to the machine could run a password-cracking program (such as crack) against it to break into the accounts of others. To fix this problem, the shadow password system was created.

The /etc/passwd file in the shadow system is world-readable but does not contain the encrypted passwords. Another file, /etc/shadow, which is readable only by root, contains the passwords. SVR4-based systems support a command called pwconv, which creates and updates /etc/shadow with information from /etc/passwd. When /etc/shadow is used, an 'X' is placed in the password field of each entry in /etc/passwd. This tells pwconv not to modify this field, because the passwords are kept in /etc/shadow.

If /etc/shadow doesn't exist, pwconv will create it using the information in the /etc/passwd file. Any password aging controls found in /etc/passwd will be copied to /etc/shadow. If the /etc/shadow file already exists, pwconv adds entries from /etc/passwd to it and removes entries that are not found in /etc/passwd.

Entries in /etc/shadow look something like this:

trsmith:56HnkldsOI2Z:543:14:180:10:60::

The various fields are:

  • Login name.

  • Encrypted password.

  • Date that the user's password was last changed.

  • Minimum number of days that a password must be in existence before it can be changed.

  • Password's life span. This is the maximum number of days that a password can remain unchanged. If this time elapses and the user does not change the password, the system administrator must change it for them.

  • The sixth field is used to dictate how long before the password's expiration the user will begin receiving messages about changing the password.

  • The seventh field contains the number of days that an account can remain inactive before it is disabled and the user can no longer log in.

  • The eighth field can be used to specify an absolute date after which the account can no longer be used. This is useful for setting up temporary accounts.

  • The last field is the flag field and is not used.

Not all flavors of Unix use all of these controls. In addition, the syntax of aging controls varies from platform to platform. To find out which aging controls can be set on a particular system, it is best to consult the man pages for passwd, usermod, etc. On some systems aging controls can also be added to an account at the time it is created using graphical tools.
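As an added example (not part of the original tutorial), the following Python reads constructed /etc/passwd and /etc/shadow contents laid out as described in 2.3.1 and 2.3.2 and reports the conditions the text warns about: a blank password field, a hash left in the world-readable /etc/passwd, a duplicated UID, and aging values that have lapsed. The sample records, the fixed "today" of 5 August 2005 and the day-count arithmetic from 1 January 1970 are assumptions of the example, not something the tutorial states.

```python
from datetime import date, timedelta

# Constructed sample files (hashes, UIDs and aging values are made up).
PASSWD = """\
arushkin:Igljf78DS:132:20:Amy Rushkin:/usr/people/arushkin:/bin/csh
trsmith:x:543:20:Trent Smith, sys adm:/usr/people/trsmith/:/bin/tcsh
guest::1001:20:Guest account:/home/guest:/bin/sh
backup:x:543:20:Backup operator:/home/backup:/bin/sh
"""
SHADOW = """\
trsmith:56HnkldsOI2Z:12900:14:180:10:60::
backup:56HnkldsOI2Z:12000:0:90:7::12990:
"""
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gcos", "home", "shell")
SHADOW_FIELDS = ("name", "passwd", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire", "flag")
EPOCH = date(1970, 1, 1)   # shadow aging dates are counted in days from here
TODAY = date(2005, 8, 5)   # fixed (day 13000) so the audit is reproducible

def parse(text, fields):
    """Split each colon-separated line into a dict; reject a wrong field count."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"line {n}: expected {len(fields)} fields, got {len(parts)}")
        records.append(dict(zip(fields, parts)))
    return records

def audit(passwd, shadow, today):
    """Return (username, finding) pairs for the weaknesses described in the text."""
    findings, seen_uid = [], {}
    shadow_by_name = {s["name"]: s for s in shadow}
    for p in passwd:
        name, pw, uid = p["name"], p["passwd"], int(p["uid"])
        if pw == "":
            findings.append((name, "blank password field: login needs no password"))
        elif pw.lower() not in ("x", "*"):      # neither shadow marker nor placeholder
            findings.append((name, "hash stored in world-readable /etc/passwd"))
        if uid in seen_uid:
            findings.append((name, f"uid {uid} already used by {seen_uid[uid]}"))
        seen_uid.setdefault(uid, name)
        s = shadow_by_name.get(name)
        if s and s["last_change"] and s["max_days"]:   # empty field = aging disabled
            expires = EPOCH + timedelta(days=int(s["last_change"]) + int(s["max_days"]))
            if expires < today:
                findings.append((name, f"password expired on {expires}"))
        if s and s["expire"] and EPOCH + timedelta(days=int(s["expire"])) < today:
            findings.append((name, "account expiry date has passed"))
    return findings
```

Run against the sample data it reports arushkin's hash, guest's empty field and three findings for backup (shared UID, expired password, lapsed account expiry date), while trsmith's shadowed, still-valid entry is silent.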

2.3.3. What is /etc/group?

/etc/group contains the names of valid groups and the usernames of their members. This file is owned by root and only root may modify it. When a new user is added, information on which groups they are a member of must be added here. Group IDs (GIDs) from the /etc/passwd file are mapped to the group names kept in this file.

Each user in a system belongs to at least one group. Users may belong to multiple groups, up to a limit of eight or 16. A list of all valid groups for a system is kept in /etc/group. This file contains entries like:

work:*:15:trsmith,pmayfiel,arushkin

Each entry consists of four fields separated by a colon. The first field holds the name of the group. The second field contains the encrypted group password and is frequently not used. The third field contains the GID (group ID) number. The fourth field holds a list of the usernames of group members separated by commas.

The commands id or groups can be used to see which group(s) you belong to.
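As an added example (not the tutorial's own code), this Python resolves a user's groups the way id and groups report them, primary group from field four of /etc/passwd followed by the supplementary groups whose member lists name the user, and then cross-checks the two files for the mismatches an administrator maintaining /etc/group by hand would want to catch. The sample entries beyond those quoted above (pmayfiel's line, the users and wheel groups, the nonexistent member ghost) are constructed for the example.

```python
# Constructed sample /etc/passwd and /etc/group contents (names and GIDs
# other than those quoted in the text are made up; passwords are placeholders).
PASSWD = """\
trsmith:x:543:20:Trent Smith, sys adm:/usr/people/trsmith/:/bin/tcsh
arushkin:x:132:20:Amy Rushkin:/usr/people/arushkin:/bin/csh
pmayfiel:x:600:21:Pat Mayfield:/usr/people/pmayfiel:/bin/sh
"""
GROUP = """\
users:*:20:
work:*:15:trsmith,pmayfiel,arushkin
wheel:*:10:trsmith,ghost
"""

def parse_group(text):
    """Map group name -> (gid, members) from the four colon-separated fields."""
    groups = {}
    for line in text.splitlines():
        name, _password, gid, members = line.split(":")
        groups[name] = (int(gid), set(filter(None, members.split(","))))
    return groups

def primary_gids(passwd_text):
    """Map username -> default GID (field four of /etc/passwd)."""
    return {f[0]: int(f[3]) for f in (l.split(":") for l in passwd_text.splitlines())}

def groups_for(user, passwd_text, group_text):
    """Primary group first, then supplementary groups, as `groups user` lists them."""
    groups = parse_group(group_text)
    gid = primary_gids(passwd_text)[user]
    by_gid = {g: n for n, (g, _members) in groups.items()}
    primary = by_gid.get(gid, str(gid))   # an unmapped GID shows up as a bare number
    extra = sorted(n for n, (g, members) in groups.items() if user in members and g != gid)
    return [primary] + extra

def consistency(passwd_text, group_text):
    """Findings: primary GIDs with no /etc/group entry, members with no passwd entry."""
    groups, users = parse_group(group_text), primary_gids(passwd_text)
    known_gids = {g for g, _members in groups.values()}
    findings = [f"{u}: primary gid {g} not in /etc/group"
                for u, g in users.items() if g not in known_gids]
    findings += [f"{m}: member of {n} but not in /etc/passwd"
                 for n, (_gid, members) in groups.items() for m in sorted(members)
                 if m not in users]
    return findings
```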

GIDs, like UIDs, must be distinct integers between 0 and 32767. GIDs of less than 10 are reserved for system groups. These default GIDs are assigned during the installation of the operating system. Typical system groups and GIDs are listed below.

For Linux:

    GID 0 root
    GID 1 bin
    GID 2 daemon
    GID 3 sys
    GID 4 adm
    GID 5 tty
    GID 6 disk
    GID 7 lp
    GID 8 mem
    GID 9 kmem

For Solaris:

    GID 0 root
    GID 1 other
    GID 2 bin
    GID 3 sys
    GID 4 adm
    GID 5 uucp
    GID 6 mail
    GID 12 daemon

For IRIX:

    GID 0 sys, root
    GID 1 daemon
    GID 2 bin
    GID 3 adm
    GID 4 mail
    GID 5 uucp
    GID 20 user

For HP-UX:

    GID 0 root
    GID 1 other
    GID 2 bin
    GID 3 sys
    GID 4 adm
    GID 5 uucp
    GID 6 mail
    GID 20 users
