Guide To Understanding (etc/passwd & etc/shadow) In [Linux/Ubuntu]

In our last guide, I discussed managing users, switching users, and managing user groups, what I didn’t tell you is where the user’s information is stored, such as User ID, Group ID, passwords and the likes.

This informations are stored in two files on our system, which are the /etc/passwd and /etc/shadow.

While this content would show you user info, I want you to note that any users can have access to the \etc\password file, while on the other hand, the \etc\shadow requires a root privilege or a sudo user that has a root privilege to access the file.

Understanding The Contents In The /etc/passwd

That out of the way, let’s try to understand the contents of the /etc/passwd:

cat /etc/passwd

The cat command helps in displaying the content of the /etc/passwd file, but before we view the content of that file, let’s create a new user as an illustration:

sudo adduser thisisme

I am creating a user account for the user “thisisme”

1. Adding user thisisme

The command added the ‘/home/thisisme’ directory for us and added the necessary file. it added Group ID(GID) of 1003 and User ID(UID) of 1002, which we are going to discuss in a bit.

Go ahead and input your new password, you’ll be asked for your full name, and other info, you can enter your full name or just a random name for illustration, leave other fields as default by Pressing the Enter Key. The system would ask if the info is correct, just type Y and hit Enter, and your new user should be in place.

Now, let’s display the content of the /etc/passwd file using cat /etc/passwd you would notice the file contains tons of entries of lots of user account including the new user we just created.

This is normal, as Linux uses various user accounts for a different task in the background, so you won’t have any encounter with such users.

What I want you to do is to focus on the last line or the line that shows the user info we just created in the /etc/passwd file, the concept is the same regardless of any user in that file.

I have the following :

2. Last line of the user thisisme in the etc-passwd file
Each line in the /etc/passwd file corresponds to a user account on the system, for example, the line above corresponds to the new user we just created.

The entries are separated by a colon (:).

The username is in the first entry of each line, you can see the user “thisisme” is the first entry of that line.

The 2nd entry on the line is an “x” – this is the password of the user and if you remember carefully, I said any user can see the content of the /etc/passwd, this is the reason the password is shown, it is denoting that the password is stored and encrypted into the file /etc/shadow, I will cover that later, let’s continue with the other entries

The 3rd and 4th entries are the UID (User ID) and the GID(Group ID), I explained this in my other guide about managing user and I will explain it again. Linux system reference user or group by ID. While it is easier for humans to manage users by their name, those names aren’t easily understood by the system, so, it maps the username to the ID, this way, the system can identify which system resources a user or group can access.

Each time I reference the user “thisisme” I am actually referencing the UID 1002, I guess that makes sense. You can learn more about managing groups in Linux

The 5th entry is for the user info, when I was creating the new user, you would notice I added the first and last name, which is why you saw “Mr. Chicken“, the three commas next to the name, means I skipped the other fields when I was creating the user account. If you are curious, these are the fields I skipped:

3. Skipped fields when creating a user account

The 6th entry is the home directory for our new user, in my case, it is set as /home/thisisme

and the 7th entry is the user shell, in my case, the user shell is bin/bash.

The shell is a program that executes other programs, it provides like a wrapper to the Linux system, this way the user can run different commands or util/tools with some input data. There are different types of shell you can utilize, but this is beyond the scope of this guide, so, let’s get to understand the /etc/shadow file.

Understanding The Contents In The /etc/shadow

You remember I said the second entry in the /etc/passwd that contains the “x” symbol means that the password is encrypted in the /etc/shadow, now, let’s try to understand the contents of the shadow file.

sudo cat /etc/shadow

I am using the sudo command because the root user and, the sudo users that have the root privilege are the only ones allowed to access the file, so, let’s skip to the last line of the /etc/shadow file:

thisisme:$6$lwBZo64H$iF7P8rXXobZf8kNrxD5IEsr7tvPjMdbffq8zxjhDcLOSHmqsTzgtkh1zvrW1vPKn0g/7Qw6Pa/UNCF7LczKNX0:18280:0:99999:7:::

There are 9 entries in the /etc/shadow file, let’s take a deep look:

Note: Each entry is seprated by a colon (:)

1) Username The first entry contains the username, nothing new here, you can see the user “thisisme” been listed as the username. Well, you might be surprised the UID and GID of the user aren’t listed. The reason for that is because the system uses the username to determine the ID’s in the /etc/passwd, so, no need to repeat it in the /etc/shadow file.

2) Password(Hash) The second entry contains the hash for the user’s password. if you remember, I said, the x in the /etc/passwd means the password is been encrypted in the /etc/shadow, this is the encryption in action.

If you are new to this, you might be curious of the reason the password is hashed and not in plain text, hashing password is a good way to store password securely, it like storing a file inside a golden egg, this way it would be harder for an intruder to break in easily, you get the idea 😉

3) Last password change – This is the days the passwords have been last changed since the Unix Epoch, which in our case is “18280”. I’ll show you two ways you can convert the date, but let’s try to understand how time works in the Unix system.

If you know about the Unix Epoch, please skip to the next number, and if no, continue reading:

The Unix Epoch is the “Zero” of where the system starts counting the time, the zero is the start of Unix Epoch or January 1st of 1970 at 00:00:00 UT (Universal Time). The number “i8280” is the Unix timestamp; the number of seconds passed/elapsed since the Unix Epoch.

It’s a little bit confusing at first and I should probably write a new guide on Unix Epoch, but basically, computers are good in adding bits, which is why time is stored in a number of bits, so, when you add to this bit, the time goes on.

The 01/01/1997 is the default date or when the time started for Unix computer, which is why it is marked “0”.

The value “18280” is the number of days since the Unix Epoch that the password was last change, and since the time is calculated based on the number of seconds, you multiply:

18280 x 86,400 (Number of seconds in a day)

Which would give use the timestamp: 1579392000

Format the date using date -d @1579392000 which would give us = Sun  Jan 19, 2020

If you don’t wanna go that route, you can use the command  sudo passwd -S <username> to output the actual date of the last password change for the user, I just gave you two methods choose your preferred one.

The output of the /etc/shadow again, so you won’t scroll back up:

thisisme:$6$lwBZo64H$iF7P8rXXobZf8kNrxD5IEsr7tvPjMdbffq8zxjhDcLOSHmqsTzgtkh1zvrW1vPKn0g/7Qw6Pa/UNCF7LczKNX0:18280:0:99999:7:::

4) Minimum password age – The 4th entry is used to set the number of days before a user can change their password again. In this case, the number is set to zero (0), so, user “thisisme” can change the password anytime and any day.

5) Maximum password age – This is used to set the maximum allowed day between password changes. Don’t get it confused with the 4th entry, the 4th entry is the number of days before a user can change a password and the 5th entry means the max day a user can use a password. By default, it is set to 99,999 days, which is approximately 274 years, so this is more of an infinite number.

6) Warning period of Passwd Expiration – This is the days in advance to display password expire message

7) Inactivity period – This entry is used for setting the number of days that can pass after the password expires, the account would be disabled if the number elapses. This is not set by default

8) Expiration date – This would contain the number of days since the Unix Epoch before the account is disabled, a user is not allowed to login after the date in this entry passes, this is disabled by default

9) Reserved Field – This is an unused field or a reserved field by the system, so we have nothing to do we that.

I hope you enjoyed the guide, and I should also note that the /etc/shadow file should not be edited manually if you don’t know what you are doing, there are commands that allow you to change a password without going into the file, see you some other time 😉

Comment policy: Respectful and beneficial comments are welcome with full open hands. However, all comments are manually moderated and those that doesn't relate with what the passage is saying or offensive comments would be deleted. Thanks for understanding!

Leave a Reply

Your email address will not be published. Required fields are marked *