PASSWD(5)              File Formats and Configurations             PASSWD(5)

NAME
       passwd - password file

SYNOPSIS
       /etc/passwd

DESCRIPTION
       The file /etc/passwd is a local source of information about users'
       accounts. The password file can be used in conjunction with other
       naming sources, such as the NIS maps passwd.byname and passwd.bygid,
       or password data stored on an LDAP server. Programs use the
       getpwnam(3C) routines to access this information.

       Each passwd entry is a single line of the form:

         username:password:uid:gid:gcos-field:home-dir:login-shell

       where

       username
                      is the user's login name.

                      The login (login) and role (role) fields accept a
                      string of no more than 32 bytes consisting of
                      characters from the set of alphabetic characters,
                      numeric characters, period (.), underscore (_), and
                      hyphen (-). The first character should be alphabetic
                      and the field should contain at least one lower case
                      alphabetic character. A warning message is displayed
                      if these restrictions are not met.

                      The login and role fields must contain at least one
                      character and must not contain a colon (:) or a
                      newline (\n).

       password
                      is an empty field. The encrypted password for the user
                      is in the corresponding entry in the /etc/shadow file.
                      pwconv(8) relies on a special value of 'x' in the
                      password field of /etc/passwd. If this value of 'x'
                      exists in the password field of /etc/passwd, this
                      indicates that the password for the user is already in
                      /etc/shadow and should not be modified.

       uid
                      is the user's unique numerical ID for the system.

       gid
                      is the unique numerical ID of the group that the user
                      belongs to.

       gcos-field
                      is the user's real name, along with information to
                      pass along in a mail-message heading. (It is called
                      the gcos-field for historical reasons.) An ``&''
                      (ampersand) in this field stands for the login name
                      (in cases where the login name appears in a user's
                      real name).

       home-dir
                      is the pathname to the directory in which the user is
                      initially positioned upon logging in.

       login-shell
                      is the user's initial shell program. If this field is
                      empty, the default shell is /usr/bin/sh.

       The maximum value of the uid and gid fields is 2147483647. To
       maximize interoperability and compatibility, administrators are
       recommended to assign users a range of UIDs and GIDs below 60000
       where possible. (UIDs from 0-99 inclusive are reserved by the
       operating system vendor for use in future applications. Their use by
       end system users or vendors of layered products is not supported and
       may cause security related issues with future applications.)

       The password file is an ASCII file that resides in the /etc
       directory. Because the encrypted passwords on a secure system are
       always kept in the shadow file, /etc/passwd has general read
       permission on all systems and can be used by routines that map
       between numerical user IDs and user names.

       Blank lines are treated as malformed entries in the passwd file and
       cause consumers of the file, such as getpwnam(3C), to fail.

       The password file can contain entries beginning with a '+' (plus
       sign) or '-' (minus sign) to selectively incorporate entries from
       another naming service source, such as NIS or LDAP.

       A line beginning with a '+' means to incorporate entries from the
       naming service source. There are three styles of the '+' entries in
       this file. A single + means to insert all the entries from the
       alternate naming service source at that point, while a +name means to
       insert the specific entry, if one exists, from the naming service
       source. A +@netgroup means to insert the entries for all members of
       the network group netgroup from the alternate naming service. If a
       +name entry has a non-null password, gcos, home-dir, or login-shell
       field, the value of that field overrides what is contained in the
       alternate naming service. The uid and gid fields cannot be
       overridden.

       A line beginning with a '-' means to disallow entries from the
       alternate naming service. There are two styles of '-' entries in this
       file. -name means to disallow any subsequent entries (if any) for
       name (in this file or in a naming service), and -@netgroup means to
       disallow any subsequent entries for all members of the network group
       netgroup.

       This is also supported by specifying ``passwd : compat'' in
       nsswitch.conf(5). The "compat" source might not be supported in
       future releases. The preferred sources are files followed by the
       identifier of a name service, such as nis or ldap. This has the
       effect of incorporating the entire contents of the naming service's
       passwd database or password-related information after the passwd
       file.

       Note that in compat mode, for every /etc/passwd entry, there must be
       a corresponding entry in the /etc/shadow file.

       Appropriate precautions must be taken to lock the /etc/passwd file
       against simultaneous changes if it is to be edited with a text
       editor; vipw(1B) does the necessary locking.
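
       The format rules above can be checked mechanically before a file is
       put in place. The linter below is an added example, not part of the
       original manual page: the name audit_passwd, the wording of the
       findings and the sample account toor are assumptions made for
       illustration, and "alphabetic" is taken to mean ASCII letters.

```python
import re

MAX_ID = 2147483647                       # largest uid/gid the page allows
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")  # assumption: ASCII letters only

def audit_passwd(text):
    """Return (line_no, login, finding) tuples for the text of a passwd file."""
    findings, uid_owner = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            findings.append((no, "", "blank line is a malformed entry"))
            continue
        fields = line.split(":")
        name = fields[0]
        if name[:1] in ("+", "-"):        # naming-service include/exclude entry
            findings.append((no, name, "compat entry, needs 'passwd: compat'"))
            continue
        if len(fields) != 7:
            findings.append((no, name, f"{len(fields)} fields, expected 7"))
            continue
        _, pw, uid, gid, _gcos, _home, _shell = fields
        if not NAME_RE.fullmatch(name) or len(name) > 32:
            findings.append((no, name, "login name breaks charset/length rule"))
        elif not name[0].isalpha() or not any(c.islower() for c in name):
            findings.append((no, name, "login name triggers the naming warning"))
        # 'x' and the '##name' form in the page's samples both point at shadow.
        if pw not in ("", "x") and not pw.startswith("##"):
            findings.append((no, name, "password hash in world-readable file"))
        for label, val in (("uid", uid), ("gid", gid)):
            if not re.fullmatch(r"[0-9]+", val) or int(val) > MAX_ID:
                findings.append((no, name, f"{label} not in 0..{MAX_ID}"))
        if uid in uid_owner:              # uid is meant to be unique
            findings.append((no, name, f"uid {uid} duplicates {uid_owner[uid]}"))
        uid_owner.setdefault(uid, name)
    return findings

# Constructed input: the page's sample entries plus a blank line, a second
# uid-0 account ("toor", hypothetical) and a netgroup include.
SAMPLE = """root:x:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh

toor:x:0:1:Constructed:/:/sbin/sh
+@documentation:no-login:
"""

if __name__ == "__main__":
    for no, name, msg in audit_passwd(SAMPLE):
        print(f"line {no}: {name or '(blank)'}: {msg}")
```
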
EXAMPLES
       Example 1: Sample passwd File

       The following is a sample passwd file:

         root:x:0:1:Super-User:/:/sbin/sh
         fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh

       and the sample password entry from nsswitch.conf:

         passwd: files ldap

       In this example, there are specific entries for users root and fred
       to assure that they can login even when the system is running
       single-user. In addition, anyone whose password information is stored
       on an LDAP server will be able to login with their usual password,
       shell, and home directory.

       If the password file is:

         root:x:0:1:Super-User:/:/sbin/sh
         fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
         +

       and the password entry in nsswitch.conf is:

         passwd: compat

       then all the entries listed in the NIS passwd.byuid and passwd.byname
       maps will be effectively incorporated after the entries for root and
       fred. If the password entry in nsswitch.conf is:

         passwd_compat: ldap
         passwd: compat

       then all password-related entries stored on the LDAP server will be
       incorporated after the entries for root and fred.

       The following is a sample passwd file when shadow does not exist:

         root:q.mJzTnu8icf.:0:1:Super-User:/:/sbin/sh
         fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
         +john:
         +@documentation:no-login:
         +::::Guest

       The following is a sample passwd file when shadow does exist:

         root:##root:0:1:Super-User:/:/sbin/sh
         fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
         +john:
         +@documentation:no-login:
         +::::Guest

       In this example, there are specific entries for users root and fred,
       to assure that they can log in even when the system is running
       standalone. The user john will have his password entry in the naming
       service source incorporated without change, anyone in the netgroup
       documentation will have their password field disabled, and anyone
       else will be able to log in with their usual password, shell, and
       home directory, but with a gcos field of Guest

FILES
       /etc/nsswitch.conf
       /etc/passwd
       /etc/shadow

SEE ALSO
       chgrp(1), chown(1), finger(1), groups(1), login(1), newgrp(1),
       passwd(1), sh(1), sort(1), a64l(3C), crypt(3C), getpw(3C),
       getpwnam(3C), getspnam(3C), putpwent(3C), unistd.h(3HEAD), group(5),
       hosts.equiv(5), nsswitch.conf(5), shadow(5), environ(7),
       domainname(8), getent(8), passmgmt(8), pwck(8), pwconv(8), su(8),
       useradd(8), userdel(8), usermod(8)

       System Administration Guide: Basic Administration

                              February 25, 2017                    PASSWD(5)