User and Group Data Files


Linux stores local user and group information in text files in the /etc directory. Traditionally, user information (including passwords) is stored in the /etc/passwd file, and group information is found in the /etc/group file. However, the /etc/passwd file contains information (such as the comment field, which generally contains the user's full name and the UID of a user) that has to be readable by anyone. At the same time, you don't want passwords world-readable because this capability gives would-be crackers a good place to start (for example, using a password-cracking tool as discussed in the "Be a Cracker Jack" section later in this chapter). So the passwords in newer implementations of Linux (such as SLES) are kept in the shadow file (/etc/shadow), which is readable only by root, and everyone's password is entered into the /etc/passwd file as "x."

WARNING

You should not directly edit any of the /etc/passwd, /etc/group, and /etc/shadow files, especially /etc/shadow. Any error in these files may lead to the affected user, including root, no longer being able to log in. Instead, you should use the supplied system tools, such as YaST and the user* utilities (such as useradd) discussed later in this chapter.


NOTE

The three files discussed in this section are used only for users and groups that are local to the system. If you use LDAP or NIS authentication methods, users and groups created under these protocols are not stored in these three /etc files, but in the LDAP or NIS database instead.


Next, we examine the record structure of each of these three data files.

The /etc/passwd File

Each line in the /etc/passwd file corresponds to an entry for one person, and fields on each line are separated by a colon. The following is a sample record:

 eric:x:1000:100:Eric the Webmaster, Room 215a, 555-1212, N/A, other info:/home/eric:/bin/bash 

The fields, from left to right, are the login name, hashed password, user ID, primary group ID, comment field (officially referred to as the GCOS field), home directory, and default or login shell. The presence of an "x" in the password field indicates that the shadow password file is used; some implementations use an asterisk (*) instead.

WHAT IS THE GCOS FIELD?

The GCOS field has no defined syntax and is generally used for personal information about the user, such as full name, phone number, room number, and so on. Often, the finger utility uses the information stored in this field.

Delimited by commas, finger interprets the information in the GCOS field as follows: user's full name, office location, office telephone number, home phone number. Any additional fields are considered as "other information," and this Other field is not displayed by finger. The following is sample output from finger for user eric:

 Athena:/home/admin # finger eric
 Login: eric                             Name: Eric the Webmaster
 Directory: /home/eric                   Shell: /bin/bash
 Office: Room 215a, 555-1212             Home Phone: N/A
 Last login Mon Sep 20 23:10 (EDT) on :0 from console
 No Mail.
 No Plan.

The acronym GCOS comes from GECOS, or General Electric Comprehensive Operating System, a mainframe operating system. This was later changed to General Comprehensive Operating System (GCOS) when GE's large systems division was sold to Honeywell. The name is mostly a nostalgic residue from using the comment field in the /etc/passwd file to store identification data for submitting print jobs or batch jobs from Unix to GCOS machines.


As a security measure, some sites populate the GCOS field with the user's full name and phone numbers but disable the finger daemon (see Chapter 8, "Network Services," on how to enable/disable various services). Or, TCP/UDP port 79 is blocked at the perimeter firewall so the GCOS information is only available internally but not to an external query. In most cases, only the user's real name is listed in the GCOS field.

CAUTION

For backward compatibility with older applications and Linux/Unix implementations, the login name should be eight or fewer characters even though Linux can handle longer names.


The /etc/passwd file can contain a line (usually the last line in the file) beginning with a plus (+), which means to incorporate entries from Network Information Services (NIS). There are two styles of + entries. A single + means to insert the entire contents of an NIS passwd file at that point:

 +:::::: 

A line of the form +name means to insert the NIS entry (if any) for that username. If a + entry has a non-null field (such as the default shell), the data in that field overrides what is contained in NIS. In the following example, user ted's UID, primary GID, GCOS data, and home directory information will come from NIS, but he will be assigned a default shell of /bin/csh regardless of the setting in NIS:

 +ted::::::/bin/csh 

NOTE

All fields in the + entry may be overridden except for the user ID.


The /etc/passwd file can also contain lines beginning with a minus (-). These entries are used to disallow user entries. There is only one style of - entry; an entry that consists of -name means to disallow any subsequent entry (if any) for name. These entries would disallow the specified users from logging in to the machine. For example,

 -jacques:::::: 

does not allow user jacques to log in to the local system.

You can also use +@netgroup or -@netgroup to specify entries for all members of the (NIS) network group netgroup into /etc/passwd.

CAUTION

The /etc/passwd file must not contain any blank lines. Blank lines can cause unpredictable behavior in system administration software that uses the file.


For more information about the /etc/passwd file, use the man 5 passwd command.
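The following parser, added here as an example and not code from the handbook, reads /etc/passwd-style records and applies the rules described above: it classifies plain entries versus the NIS + / +name / +@netgroup includes and - / -@netgroup exclusions, reports which non-null fields of a +name entry override the NIS data (never the UID), splits the GCOS field the way finger does, and flags the two cautions (blank lines, and login names longer than eight characters). SAMPLE_PASSWD is constructed for the example; the records in it are not from any real system.

```python
"""Parser for /etc/passwd records, including the NIS + and - compatibility
entries. Added example; not code from the handbook. SAMPLE_PASSWD is
constructed to exercise each record type described in the text."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample, not a real system's file. The blank line and the
# over-long login are there on purpose so the checks below have something
# to report.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
eric:x:1000:100:Eric the Webmaster, Room 215a, 555-1212, N/A, other info:/home/eric:/bin/bash
averyverylongname:x:1001:100:Long Name:/home/longname:/bin/bash

-jacques::::::
+ted::::::/bin/csh
+::::::
"""

FINGER_LABELS = ("name", "office", "office_phone", "home_phone")


@dataclass
class PasswdEntry:
    login: str
    password: str
    uid: Optional[int]
    gid: Optional[int]
    gecos: str
    home: str
    shell: str
    kind: str  # local, nis_all, nis_user, nis_netgroup, exclude_user, exclude_netgroup


def classify(login: str) -> str:
    """Map the login field to the record kind: plain user, NIS include, or exclusion."""
    if login == "+":
        return "nis_all"
    if login.startswith("+@"):
        return "nis_netgroup"
    if login.startswith("+"):
        return "nis_user"
    if login.startswith("-@"):
        return "exclude_netgroup"
    if login.startswith("-"):
        return "exclude_user"
    return "local"


def parse_line(line: str, lineno: int) -> PasswdEntry:
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
    login, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(login, password,
                       int(uid) if uid else None, int(gid) if gid else None,
                       gecos, home, shell, classify(login))


def parse_passwd(text: str) -> tuple[list[PasswdEntry], list[str]]:
    """Return (entries, warnings). Blank lines and logins longer than eight
    characters are reported, following the cautions in the text."""
    entries, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            warnings.append(f"line {lineno}: blank line")
            continue
        entry = parse_line(line, lineno)
        if entry.kind == "local" and len(entry.login) > 8:
            warnings.append(f"line {lineno}: login {entry.login!r} is longer than 8 characters")
        entries.append(entry)
    return entries, warnings


def split_gecos(gecos: str) -> dict:
    """Interpret the GCOS field as finger does: full name, office, office phone,
    home phone. Anything beyond that is 'other' and finger does not display it."""
    parts = [p.strip() for p in gecos.split(",")]
    result = dict(zip(FINGER_LABELS, parts))
    result["other"] = parts[len(FINGER_LABELS):]
    return result


def nis_overrides(entry: PasswdEntry) -> dict:
    """For a +name entry, the non-null fields that override the NIS data.
    The UID cannot be overridden, so it is never reported."""
    if entry.kind != "nis_user":
        return {}
    return {name: getattr(entry, name)
            for name in ("password", "gid", "gecos", "home", "shell")
            if getattr(entry, name) not in ("", None)}


if __name__ == "__main__":
    entries, warnings = parse_passwd(SAMPLE_PASSWD)
    for e in entries:
        print(f"{e.kind:16} {e.login:20} {nis_overrides(e) or ''}")
    print(split_gecos(entries[1].gecos))
    for w in warnings:
        print("WARNING:", w)
```

Running it against the constructed sample reports that +ted overrides only the shell (/bin/csh), that -jacques is an exclusion, and warns about the blank line and the long login name. The parser only interprets the local file; it does not consult NIS, so the nis_* kinds record what would be pulled in rather than resolving it.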

The /etc/shadow File

Similar to the /etc/passwd file, each line in the /etc/shadow file is an entry for one person, and the fields are separated by colons. The following is a sample record:

 eric:$1$w1bsw/N4$UWLu2bRET6YyBS.CAEp7R.:12794:0:90:5:30:12989: 

This record has the following nine fields:

  • Login name.

  • Hashed password. By default, passwords are hashed using the crypt function that is based on the Data Encryption Standard (DES) algorithm. (For more information about the crypt function, use the man 3 crypt command.) The resulting DES-hashed password is always 13 characters in size. You can change the encryption method to use either MD5 (Message Digest number 5) or Blowfish; see Chapter 11, "Network Security Concepts," for more details.

  • Date that the password was last changed. This is given in number of days since the Epoch (January 1, 1970).

  • Minimum number of days that a password must be in existence before it can be changed.

  • Password's life span. This is the maximum number of days that a password can remain unchanged. If this time elapses and the user does not change the password, the system administrator must change it for him or her.

  • Number of days before password expiration the user will begin receiving notifications about changing the password. A value of -1 means no warning will be issued.

  • Number of days after the password expires that the account is disabled and the user can no longer log in. A value of -1 means access is allowed even if the password has expired.

  • Date after which the account is disabled. This is given in number of days since the Epoch. This information is useful for setting up temporary accounts.

  • A reserved flag field, not currently used.

SLES PASSWORDS: ENCRYPTED OR HASHED?

Encryption is a method of using a mathematical algorithm and a key to scramble data into gibberish. If you know the key and the algorithm used, you can decrypt the gibberish to arrive back at the original information. SUSE (and indeed all Linux and Unix distributions) converts the (cleartext) password into a scrambled text string through a mathematical algorithm called a cryptographic hash. The resulting string, in a form that is very different from the original string, is called a hash or hash value. The way these hash algorithms work is that one cannot recover the original password from the hash value. Because Linux/Unix passwords cannot be converted back into their original text, the term encrypted Linux/Unix passwords is a misnomer. The more correct term is hashed passwords, and this term is used throughout this book.


The previous sample record shows the following information for user eric:

  • The password was last changed on January 11, 2005.

  • No minimum amount of time is required before the password can be changed.

  • The password must be changed every 90 days.

  • The user will get a warning 5 days before the password must be changed.

  • The account will be disabled 30 days after the password expires if no login attempt is made.

  • The account will expire on July 25, 2005.

TIP

You can use chage -l username to examine a user's password-aging information. The output for eric looks like this:

 Athena:/home/admin # chage -l eric
 Minimum:    0
 Maximum:    90
 Warning:    5
 Inactive:    30
 Last Change:        Jan 11, 2005
 Password Expires:   Apr 11, 2005
 Password Inactive:  May 11, 2005
 Account Expires:    Jul 25, 2005

A nonroot user will be prompted for username's password for security reasons, even if the user is querying his or her own password-aging data.


NOTE

You can also use passwd -S username to display the password status of a user or passwd -Sa to display status for all users. The output for user eric looks similar to this:

 eric PS 01/11/2005 0 90 5 30 

The status follows directly after the username: PS means existing or locked password, NP means no password, and LK means the account is locked. As you can see, the output is not as descriptive as that from chage -l. Furthermore, passwd -S works only with local users; for all other types of users (such as LDAP), it returns a status of LK, regardless of the actual status. The remaining fields show the password last changed date, minimum password days, maximum password days, number of days before warning is issued, and number of days after password expiration that the account will be disabled, respectively.
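The script below is an added example, not code from the handbook, that decodes the sample /etc/shadow record for eric and derives from it exactly what chage -l and passwd -S display: it converts the days-since-Epoch fields to calendar dates, adds the maximum and inactive day counts to get the password-expiry and password-inactive dates, identifies the hash scheme from its prefix, and prints the passwd -S line. The NP/LK/PS classification follows the shadow-utils convention (empty field, a field starting with ! or *, anything else), which is an assumption about the tool rather than something the text spells out.

```python
"""Decode an /etc/shadow record and derive the dates that chage -l and
passwd -S report. Added example, not code from the handbook; the sample
record is the one discussed in the text."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)
SAMPLE_SHADOW_LINE = "eric:$1$w1bsw/N4$UWLu2bRET6YyBS.CAEp7R.:12794:0:90:5:30:12989:"


@dataclass
class ShadowEntry:
    login: str
    hashed: str
    last_change: Optional[int]   # days since the Epoch
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]        # days since the Epoch
    reserved: str


def _int_or_none(value: str) -> Optional[int]:
    return int(value) if value != "" else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    login, hashed, *numbers, reserved = fields
    return ShadowEntry(login, hashed, *(_int_or_none(n) for n in numbers), reserved)


def days_to_date(days: int) -> date:
    """Shadow stores dates as a count of days since January 1, 1970."""
    return EPOCH + timedelta(days=days)


def hash_type(hashed: str) -> str:
    """Name the hash scheme from its shape: a 13-character string with no '$'
    is traditional DES crypt, '$1$' is MD5, '$2a$' is Blowfish."""
    if hashed.startswith("$1$"):
        return "md5"
    if hashed.startswith("$2a$"):
        return "blowfish"
    if len(hashed) == 13 and "$" not in hashed:
        return "des"
    return "unknown"


def password_status(entry: ShadowEntry) -> str:
    """Two-letter status as passwd -S prints it. Assumed shadow-utils
    convention: empty field is NP, '!' or '*' prefix is LK, otherwise PS."""
    if entry.hashed == "":
        return "NP"
    if entry.hashed.startswith(("!", "*")):
        return "LK"
    return "PS"


def aging_report(entry: ShadowEntry) -> dict:
    """The dates chage -l derives. A -1 inactive value means 'not set',
    so no password-inactive date is computed in that case."""
    if entry.last_change is None:
        raise ValueError("no last-change date recorded")
    last = days_to_date(entry.last_change)
    report = {"last_change": last, "password_expires": None,
              "password_inactive": None, "account_expires": None}
    if entry.max_days is not None:
        report["password_expires"] = last + timedelta(days=entry.max_days)
        if entry.inactive_days is not None and entry.inactive_days >= 0:
            report["password_inactive"] = (
                report["password_expires"] + timedelta(days=entry.inactive_days))
    if entry.expire is not None:
        report["account_expires"] = days_to_date(entry.expire)
    return report


def passwd_s_line(entry: ShadowEntry) -> str:
    """Reproduce the one-line passwd -S format: login, status, last-change
    date as MM/DD/YYYY, then min, max, warn and inactive days."""
    last = days_to_date(entry.last_change).strftime("%m/%d/%Y")
    return (f"{entry.login} {password_status(entry)} {last} {entry.min_days} "
            f"{entry.max_days} {entry.warn_days} {entry.inactive_days}")


if __name__ == "__main__":
    entry = parse_shadow_line(SAMPLE_SHADOW_LINE)
    print("hash type:", hash_type(entry.hashed))
    for label, value in aging_report(entry).items():
        print(f"{label:18} {value.strftime('%b %d, %Y') if value else 'never'}")
    print(passwd_s_line(entry))
```

For eric's record this yields last change Jan 11, 2005, password expiry Apr 11, 2005 (90 days later), password inactive May 11, 2005 (30 days after that), account expiry Jul 25, 2005, and the line "eric PS 01/11/2005 0 90 5 30", matching the chage -l and passwd -S output shown above.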


The /etc/group File

The /etc/group file contains the names of valid groups and the usernames of their members. This file is owned by root and only root may modify it, but it is world-readable. When a new user is added to /etc/passwd, information on what groups that user is a member of must be added here. Group IDs (GIDs) from the /etc/passwd file are mapped to the group names kept in this file. Similar to users in the /etc/passwd file, the groups are listed one per line. For example,

 audio:x:17:eric,tasha,carol 

Each entry consists of four fields separated by a colon:

  • Group name The name of the group, used by various utility programs to identify the group.

  • Group password If set, this allows users who are not part of the group to join the group by using the newgrp command and typing the password stored here. If a lowercase "x" is in this field, shadow group passwords (stored in /etc/gshadow) are being used. However, although earlier versions of SUSE LINUX make use of /etc/gshadow, SLES 9 and later do not, and any group password hashes are stored in /etc/group.

  • Group ID (GID) The numerical equivalent of the group name. The system and applications use it when determining access privileges.

  • Member list A comma-delimited list of users in the group.

NOTE

Some Linux distributions use /etc/groups to hold passwords that let a user join a group. SUSE does not use this file.


The preceding sample entry from /etc/group shows the audio group is using shadow passwords; has a GID of 17; and that eric, tasha, and carol are group members.

CAUTION

The group members in /etc/group should be separated from each other by a single comma and no whitespaces. Otherwise, any users listed after the whitespace are not recognized as members.


Similar to /etc/passwd, the /etc/group file can contain a line (usually the last line in the file) beginning with a plus (+), which means to incorporate group entries from NIS. A line with a single + means to insert the entire contents of the NIS group file at that point:

 +::: 

A line with +name means to insert the group entry (if any) for name from NIS at that point. If a + entry has a non-null field (such as the group membership), the data in that field overrides what is contained in NIS.

NOTE

All fields in the + entry may be overridden except for the user ID.


An entry of the form -name means that the group is disallowed. All subsequent entries for that group name, whether in the NIS group file or in the local /etc/group file, are ignored.

CAUTION

As is the case with /etc/passwd, the /etc/group file must not contain any blank lines. Blank lines can cause unpredictable behavior in system administration software that uses the file.


For more information on /etc/group, use the man 5 group command.
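As an added example (not code from the handbook), the parser below reads /etc/group records, recognizes the + and - NIS lines, maps a numeric GID from /etc/passwd back to its group name, and resolves a user's full group membership (primary group plus every group that lists the user). It also implements the caution above about whitespace in the member list: once a member contains whitespace, that member and everything after it is dropped with a warning. SAMPLE_GROUP is constructed, and its video line deliberately contains that mistake.

```python
"""Parser for /etc/group records with the membership checks the text calls
for. Added example; not code from the handbook. SAMPLE_GROUP is constructed,
and the 'video' line deliberately contains the whitespace mistake the
caution above warns about."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SAMPLE_GROUP = """root:x:0:
users:x:100:
audio:x:17:eric,tasha,carol
video:x:33:eric, tasha,carol
+:::
"""


@dataclass
class GroupEntry:
    name: str
    password: str
    gid: Optional[int]
    members: list[str]
    kind: str  # local, nis_all, nis_group, nis_netgroup, exclude_group


def classify(name: str) -> str:
    if name == "+":
        return "nis_all"
    if name.startswith("+@"):
        return "nis_netgroup"
    if name.startswith("+"):
        return "nis_group"
    if name.startswith("-"):
        return "exclude_group"
    return "local"


def effective_members(raw: str, lineno: int, warnings: list[str]) -> list[str]:
    """Split the member list. Members must be separated by a single comma with
    no whitespace; per the caution in the text, everything from the first
    whitespace onward is not recognized, so it is dropped here with a warning."""
    if raw == "":
        return []
    members = raw.split(",")
    for i, member in enumerate(members):
        if member != member.strip() or " " in member:
            warnings.append(f"line {lineno}: whitespace in member list at {member!r}; "
                            f"members {members[i:]} are not recognized")
            return members[:i]
    return members


def parse_group(text: str) -> tuple[dict[str, GroupEntry], list[str]]:
    """Return ({name: entry}, warnings); blank lines are reported, not parsed."""
    groups: dict[str, GroupEntry] = {}
    warnings: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            warnings.append(f"line {lineno}: blank line")
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, password, gid, raw_members = fields
        groups[name] = GroupEntry(name, password, int(gid) if gid else None,
                                  effective_members(raw_members, lineno, warnings),
                                  classify(name))
    return groups, warnings


def gid_to_name(groups: dict[str, GroupEntry], gid: int) -> Optional[str]:
    """Map a numeric GID (as found in /etc/passwd) back to its group name."""
    for entry in groups.values():
        if entry.kind == "local" and entry.gid == gid:
            return entry.name
    return None


def groups_for_user(groups: dict[str, GroupEntry], login: str, primary_gid: int) -> list[str]:
    """All groups a user belongs to: the primary group from the user's
    /etc/passwd GID, then every local group that lists the user as a member."""
    names = []
    primary = gid_to_name(groups, primary_gid)
    if primary is not None:
        names.append(primary)
    for entry in groups.values():
        if entry.kind == "local" and login in entry.members and entry.name not in names:
            names.append(entry.name)
    return names


if __name__ == "__main__":
    groups, warnings = parse_group(SAMPLE_GROUP)
    for name, entry in groups.items():
        shadowed = "shadow" if entry.password == "x" else "inline"
        print(f"{name:8} gid={entry.gid} pw={shadowed} members={entry.members}")
    print("tasha:", groups_for_user(groups, "tasha", 100))
    for w in warnings:
        print("WARNING:", w)
```

With the constructed sample, audio resolves to GID 17 with eric, tasha and carol as members, while the malformed video line keeps only eric: tasha and carol come after the stray space and are reported as unrecognized, which is exactly the silent membership loss the caution describes.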



    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    ISBN: 067232735X
    Year: 2003
    Pages: 134