8.4. User and Group Databases
The list of users is usually stored in the /etc/passwd
file, while the /etc/shadow
file stores encrypted passwords. Both are text files, in a relatively simple format, which can be read and modified with a text editor. Each user is listed there on a line with several fields separated with a colon (“:
”).
8.4.1. User List: /etc/passwd
Here is the list of fields in the /etc/passwd
file:
login, for example rhertzog
;
password: this is a password encrypted by a one-way function, either crypt
or md5
. The special value “x
” indicates that the encrypted password is stored in /etc/shadow
;
uid
: unique number identifying each user;
gid
: unique number for the user's main group (Debian creates a specific group for each user by default);
GECOS
: data field usually containing the user's full name;
login directory, assigned to the user for storage of their personal files (the environment variable $HOME
generally points here);
program to execute upon login. This is usually a command interpreter (shell), giving the user free reign. If you specify /bin/false
(which does nothing and returns control immediately), the user can not login.
8.4.2. The Hidden and Encrypted Password File: /etc/shadow
The /etc/shadow
file contains the following fields:
8.4.3. Modifying an Existing Account or Password
The following commands allow modification of the information stored in specific fields of the user databases: passwd
permits a regular user to change their password, which in turn, updates the /etc/shadow
file; chfn
(CHange Full Name), reserved for the super-user (root), modifies the GECOS
field. chsh
(CHange SHell) allows the user to change their login shell, however available choices will be limited to those listed in /etc/shells
; the administrator, on the other hand, is not bound by this restriction and can set the shell to any program of their choosing.
Finally, the chage
(CHange AGE) command allows the administrator to change the password expiration settings (the -l user
option will list the current settings). You can also force the expiration of a password using the passwd -e user
command, which will require the user to change their password the next time they log in.
8.4.4. Disabling an Account
You may find yourself needing to “disable an account” (lock out a user), as a disciplinary measure, for the purposes of an investigation, or simply in the event of a prolonged or definitive absence of a user. A disabled account means the user cannot login or gain access to the machine. The account remains intact on the machine and no files or data are deleted; it is simply inaccessible. This is accomplished by using the command passwd -l user
(lock). Re-enabling the account is done in similar fashion, with the -u
option (unlock).
8.4.5. Group List: /etc/group
Groups are listed in the /etc/group
file, a simple textual database in a format similar to that of the /etc/passwd
file, with the following fields:
group name
password (optional): This is only used to join a group when one is not a usual member (with the newgrp
or sg
commands, see sidebar);
gid
: unique group identification number
list of members: list of names of users who are members of the group, separated by commas.
The addgroup
and delgroup
commands add or delete a group, respectively. The groupmod
command modifies a group's information (its gid
or identifier). The command passwd -g group
changes the password for the group, while the passwd -r -g group
command deletes it.