Linux stores local user and group information in text files in the /etc directory. Traditionally, user information (including passwords) is stored in the /etc/passwd file, and group information is found in the /etc/group file. However, the /etc/passwd file contains information (such as the comment field, which generally contains the user's full name, and the UID of a user) that has to be readable by anyone. At the same time, you don't want passwords world-readable, because this gives would-be crackers a good place to start (for example, using a password-cracking tool as discussed in the "Be a Cracker Jack" section later in this chapter). So the passwords in newer implementations of Linux (such as SLES) are kept in the shadow file (/etc/shadow), which is readable only by root, and everyone's password is entered into the /etc/passwd file as "x".

WARNING: You should not directly edit any of the /etc/passwd, /etc/group, and /etc/shadow files, especially /etc/shadow. Any error in these files may lead to the affected user, including root, no longer being able to log in. Instead, you should use the supplied system tools, such as YaST and the user* utilities (such as useradd) discussed later in this chapter.

NOTE: The three files discussed in this section are used only for users and groups that are local to the system. If you use LDAP or NIS authentication methods, users and groups created under these protocols are not stored in these three /etc files, but in the LDAP or NIS database instead.

Next, we examine the record structure of each of these three data files.

The /etc/passwd File

Each line in the /etc/passwd file corresponds to an entry for one person, and fields on each line are separated by a colon.
The following is a sample record:

  eric:x:1000:100:Eric the Webmaster, Room 215a, 555-1212, N/A, other info:/home/eric:/bin/bash

The fields, from left to right, are the login name, hashed password, user ID, primary group ID, comment field (officially referred to as the GCOS field), home directory, and default or login shell. The presence of an "x" in the password field indicates that the shadow password file is used; some implementations use an asterisk (*) instead.
As a security measure, some sites populate the GCOS field with the user's full name and phone numbers but disable the finger daemon (see Chapter 8, "Network Services," on how to enable/disable various services). Alternatively, TCP/UDP port 79 is blocked at the perimeter firewall so that the GCOS information is available only internally and not to an external query. In most cases, only the user's real name is listed in the GCOS field.

CAUTION: For backward compatibility with older applications and Linux/Unix implementations, the login name should be eight or fewer characters, even though Linux can handle longer names.

The /etc/passwd file can contain a line (usually the last line in the file) beginning with a plus (+), which means to incorporate entries from Network Information Services (NIS). There are two styles of + entries. A single + means to insert the entire contents of an NIS passwd file at that point:

  +::::::

A line of the form +name means to insert the NIS entry (if any) for that username. If a + entry has a non-null field (such as the default shell), the data in that field overrides what is contained in NIS. In the following example, user ted's UID, primary GID, GCOS data, and home directory information will come from NIS, but he will be assigned a default shell of /bin/csh regardless of the setting in NIS:

  +ted::::::/bin/csh

NOTE: All fields in the + entry may be overridden except for the user ID.

The /etc/passwd file can also contain lines beginning with a minus (-). These entries are used to disallow user entries. There is only one style of - entry: an entry of the form -name means to disallow any subsequent entry (if any) for name. These entries prevent the specified users from logging in to the machine. For example,

  -jacques::::::

does not allow user jacques to log in to the local system. You can also use +@netgroup or -@netgroup to specify entries for all members of the (NIS) network group netgroup in /etc/passwd.
CAUTION: The /etc/passwd file must not contain any blank lines. Blank lines can cause unpredictable behavior in system administration software that uses the file. For more information about the /etc/passwd file, use the man 5 passwd command.

The /etc/shadow File

Similar to the /etc/passwd file, each line in the /etc/shadow file is an entry for one person, and the fields are separated by colons. The following is a sample record:

  eric:$1$w1bsw/N4$UWLu2bRET6YyBS.CAEp7R.:12794:0:90:5:30:12989:

This record has the following nine fields:
The previous sample record shows the following information for user eric:
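As an added worked example (not from the chapter, and not SUSE's own tooling), the Python below parses that shadow record into its nine fields, derives the same aging dates that chage -l reports from the raw day counts, and classifies the account on a given day; the function names are my own, and SAMPLE is the record quoted above.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow(5) day counts are days since this date
FIELDS = ("name", "hash", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire", "reserved")

def parse_shadow(record):
    """Split one /etc/shadow line into its nine fields; empty day counts become None."""
    parts = record.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {record!r}")
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        entry[key] = int(entry[key]) if entry[key] else None
    return entry

def fmt_day(days):  # render a day count the way chage -l does ('Jan 11, 2005'); None means never
    if days is None:
        return "never"
    d = EPOCH + timedelta(days=days)
    return f"{d:%b} {d.day}, {d.year}"

def aging_report(record):
    """Derive the dates chage -l prints from the raw aging fields of one record."""
    e = parse_shadow(record)
    pw_expires = pw_inactive = None
    if e["last_change"] is not None and e["max_days"] is not None:
        pw_expires = e["last_change"] + e["max_days"]          # last change + maximum
        if e["inactive_days"] is not None:
            pw_inactive = pw_expires + e["inactive_days"]        # expiry + inactive grace
    return {"Minimum": e["min_days"], "Maximum": e["max_days"],
            "Warning": e["warn_days"], "Inactive": e["inactive_days"],
            "Last Change": fmt_day(e["last_change"]), "Password Expires": fmt_day(pw_expires),
            "Password Inactive": fmt_day(pw_inactive), "Account Expires": fmt_day(e["expire"])}

def account_state(record, today_iso):  # today_iso like "2005-04-20"; approximates the login-time aging check
    e = parse_shadow(record)
    now = (date.fromisoformat(today_iso) - EPOCH).days
    if e["expire"] is not None and now >= e["expire"]:
        return "account expired"
    if e["last_change"] is not None and e["max_days"] is not None:
        limit = e["last_change"] + e["max_days"]
        if e["inactive_days"] is not None and now >= limit + e["inactive_days"]:
            return "password inactive"
        if now >= limit:
            return "password expired"
    return "active"
# The record quoted in the chapter, embedded here as the sample input
SAMPLE = "eric:$1$w1bsw/N4$UWLu2bRET6YyBS.CAEp7R.:12794:0:90:5:30:12989:"
```

Running aging_report over every line of a copy of /etc/shadow (as root) gives the same picture as chage -l for all users at once, and account_state lets you list accounts whose password has gone inactive without logging in as each one.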
TIP: You can use chage -l username to examine a user's password-aging information. The output for eric looks like this:

  Athena:/home/admin # chage -l eric
  Minimum: 0
  Maximum: 90
  Warning: 5
  Inactive: 30
  Last Change: Jan 11, 2005
  Password Expires: Apr 11, 2005
  Password Inactive: May 11, 2005
  Account Expires: Jul 25, 2005

A nonroot user will be prompted for username's password for security reasons, even if the user is querying his or her own password-aging data.

NOTE: You can also use passwd -S username to display the password status of a user or passwd -Sa to display status for all users. The output for user eric looks similar to this:

  eric PS 01/11/2005 0 90 5 30

The status follows directly after the username: PS means existing or locked password, NP means no password, and LK means the account is locked. As you can see, the output is not as descriptive as that from chage -l. Furthermore, passwd -S works only with local users; for all other types of users (such as LDAP), it returns a status of LK, regardless of the actual status. The remaining fields show the password last changed date, minimum password days, maximum password days, number of days before warning is issued, and number of days after password expiration that the account will be disabled, respectively.

The /etc/group File

The /etc/group file contains the names of valid groups and the usernames of their members. This file is owned by root and only root may modify it, but it is world-readable. When a new user is added to /etc/passwd, information on what groups that user is a member of must be added here. Group IDs (GIDs) from the /etc/passwd file are mapped to the group names kept in this file. Similar to users in the /etc/passwd file, the groups are listed one per line. For example,

  audio:x:17:eric,tasha,carol

Each entry consists of four fields separated by a colon:
NOTE: Some Linux distributions use /etc/groups to hold passwords that let a user join a group. SUSE does not use this file.

The preceding sample entry from /etc/group shows that the audio group is using shadow passwords, has a GID of 17, and that eric, tasha, and carol are group members.

CAUTION: The group members in /etc/group should be separated from each other by a single comma and no whitespace. Otherwise, any users listed after the whitespace are not recognized as members.

Similar to /etc/passwd, the /etc/group file can contain a line (usually the last line in the file) beginning with a plus (+), which means to incorporate group entries from NIS. A line with a single + means to insert the entire contents of the NIS group file at that point:

  +:::

A line with +name means to insert the group entry (if any) for name from NIS at that point. If a + entry has a non-null field (such as the group membership), the data in that field overrides what is contained in NIS.

NOTE: All fields in the + entry may be overridden except for the user ID.

An entry of the form -name means that the group is disallowed. All subsequent entries for that group name, whether in the NIS group file or in the local /etc/group file, are ignored.

CAUTION: As is the case with /etc/passwd, the /etc/group file must not contain any blank lines. Blank lines can cause unpredictable behavior in system administration software that uses the file. For more information on /etc/group, use the man 5 group command.
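The cautions in this section and in the /etc/passwd section (blank lines, whitespace in member lists, login names over eight characters, the "x" shadow marker) are mechanical enough to check with a script. The Python below is an added example, not part of the chapter or of SUSE's tools: it parses passwd- and group-style text, skips NIS +/- lines, resolves each user's effective groups (primary GID from /etc/passwd plus supplementary entries from /etc/group) and reports the problems the text warns about. The PASSWD and GROUP strings are constructed sample files modelled on the records quoted above, and the function names are my own.

```python
# Constructed sample files modelled on the records quoted in the chapter, not read from a live system
PASSWD = """\
eric:x:1000:100:Eric the Webmaster, Room 215a, 555-1212, N/A, other info:/home/eric:/bin/bash
tasha:x:1001:100:Tasha:/home/tasha:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
christopher1:x:1003:100:Login name longer than 8 characters:/home/christopher1:/bin/bash
"""
GROUP = """\
users:x:100:
audio:x:17:eric,tasha,carol
video:x:33:eric, tasha

"""

def parse_colon_file(text, nfields, label):
    """Split a passwd- or group-style file into field lists; flag blank and malformed lines."""
    entries, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "":
            findings.append(f"{label} line {lineno}: blank line")
        elif line[0] not in "+-":  # skip NIS include/exclude entries, nothing local to check
            fields = line.split(":")
            if len(fields) != nfields:
                findings.append(f"{label} line {lineno}: expected {nfields} fields, got {len(fields)}")
            else:
                entries.append(fields)
    return entries, findings

def audit(passwd_text=PASSWD, group_text=GROUP):
    """Cross-check the two files; return (findings, login name -> set of effective group names)."""
    users, findings = parse_colon_file(passwd_text, 7, "passwd")
    groups, gfindings = parse_colon_file(group_text, 4, "group")
    findings += gfindings
    gid_to_name = {gid: gname for gname, _, gid, _ in groups}
    membership = {u[0]: set() for u in users}
    for name, pw, _uid, gid, _gecos, _home, _shell in users:
        if pw not in ("x", "*"):
            findings.append(f"passwd: {name} password field is {pw!r}, not the shadow marker")
        if len(name) > 8:
            findings.append(f"passwd: login name {name!r} is longer than 8 characters")
        membership[name].add(gid_to_name.get(gid, f"gid {gid}"))  # primary group from passwd
    for gname, _gpw, _gid, members in groups:
        for member in filter(None, members.split(",")):
            # "eric, tasha" yields " tasha": the space makes it an unknown name, so it is dropped
            if member in membership:
                membership[member].add(gname)
            else:
                findings.append(f"group: {gname!r} lists unknown member {member!r}")
    return findings, membership
```

Pointing audit() at the contents of the real /etc/passwd and /etc/group shows the effective group membership of every local user, which is what a least-privilege review of supplementary groups needs.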