passwd(4) File Formats passwd(4)

NAME
passwd - password file

SYNOPSIS
/etc/passwd

DESCRIPTION
The file /etc/passwd is a local source of information about users'
accounts. The password file can be used in conjunction with other
naming sources, such as the NIS maps passwd.byname and passwd.bygid,
data from the NIS+ passwd table, or password data stored on an LDAP
server. Programs use the getpwnam(3C) routines to access this
information.

Each passwd entry is a single line of the form:

username:password:uid:gid:gcos-field:home-dir:login-shell

where

username       is the user's login name.

               The login and role fields accept a string of no more
               than eight bytes consisting of characters from the set
               of alphabetic characters, numeric characters, period
               (.), underscore (_), and hyphen (-). The first character
               should be alphabetic and the field should contain at
               least one lower case alphabetic character. A warning
               message is displayed if these restrictions are not met.

               The login and role fields must contain at least one
               character and must not contain a colon (:) or a newline
               (\n).

password       is an empty field. The encrypted password for the user
               is in the corresponding entry in the /etc/shadow file.
               pwconv(1M) relies on a special value of 'x' in the
               password field of /etc/passwd. If this value of 'x'
               exists in the password field of /etc/passwd, this
               indicates that the password for the user is already in
               /etc/shadow and should not be modified.

uid            is the user's unique numerical ID for the system.

gid            is the unique numerical ID of the group that the user
               belongs to.

gcos-field     is the user's real name, along with information to pass
               along in a mail-message heading. (It is called the
               gcos-field for historical reasons.) An "&" (ampersand)
               in this field stands for the login name (in cases where
               the login name appears in a user's real name).

home-dir       is the pathname to the directory in which the user is
               initially positioned upon logging in.

login-shell    is the user's initial shell program. If this field is
               empty, the default shell is /usr/bin/sh.

The maximum value of the uid and gid fields is 2147483647. To maximize
interoperability and compatibility, administrators are recommended to
assign users a range of UIDs and GIDs below 60000 where possible. (UIDs
from 0-99 inclusive are reserved by the operating system vendor for use
in future applications. Their use by end system users or vendors of
layered products is not supported and may cause security related issues
with future applications.)

The password file is an ASCII file that resides in the /etc directory.
Because the encrypted passwords on a secure system are always kept in
the shadow file, /etc/passwd has general read permission on all systems
and can be used by routines that map between numerical user IDs and
user names.

Blank lines are treated as malformed entries in the passwd file and
cause consumers of the file, such as getpwnam(3C), to fail.

The password file can contain entries beginning with a '+' (plus sign)
or '-' (minus sign) to selectively incorporate entries from another
naming service source, such as NIS, NIS+, or LDAP.

A line beginning with a '+' means to incorporate entries from the
naming service source. There are three styles of '+' entries in this
file. A single + means to insert all the entries from the alternate
naming service source at that point, while a +name means to insert the
specific entry, if one exists, from the naming service source. A
+@netgroup means to insert the entries for all members of the network
group netgroup from the alternate naming service. If a +name entry has
a non-null password, gcos, home-dir, or login-shell field, the value of
that field overrides what is contained in the alternate naming service.
The uid and gid fields cannot be overridden.

A line beginning with a '-' means to disallow entries from the
alternate naming service. There are two styles of '-' entries in this
file. -name means to disallow any subsequent entries (if any) for name
(in this file or in a naming service), and -@netgroup means to disallow
any subsequent entries for all members of the network group netgroup.

This is also supported by specifying "passwd: compat" in
nsswitch.conf(4). The "compat" source might not be supported in future
releases. The preferred sources are files followed by the identifier of
a name service, such as nis or ldap. This has the effect of
incorporating the entire contents of the naming service's passwd
database or password-related information after the passwd file.

Note that in compat mode, for every /etc/passwd entry, there must be a
corresponding entry in the /etc/shadow file.

Appropriate precautions must be taken to lock the /etc/passwd file
against simultaneous changes if it is to be edited with a text editor;
vipw(1B) does the necessary locking.

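As an added example that is not part of this manual page, the following Python checker applies the format rules above to a constructed passwd file: it flags blank lines, login names that break the eight-byte and character rules, uid/gid values outside 0..2147483647, and entries that still carry a password hash instead of the 'x' that points to /etc/shadow. Lines beginning with '+' or '-' are passed through as naming-service directives; the sample data and the function names are assumptions of this example.

```python
import re

MAX_ID = 2147483647                      # maximum value of the uid and gid fields
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")

def check_username(name):
    """Return the rule violations for a login name (empty list if it is fine)."""
    if name == "" or ":" in name or "\n" in name:
        return ["empty or contains ':' or newline"]
    problems = []
    if len(name.encode("utf-8")) > 8:
        problems.append("longer than eight bytes")
    if not NAME_RE.match(name):
        problems.append("bad character or non-alphabetic first character")
    if not any(c.islower() for c in name):
        problems.append("no lower case letter")
    return problems

def check_passwd_line(line):
    """Return the problems found in one line of the file."""
    if line == "":
        return ["blank line: treated as a malformed entry"]
    if line[0] in "+-":
        return []                        # naming-service directive, not a local entry
    fields = line.split(":")
    if len(fields) != 7:
        return ["expected 7 colon-separated fields, found %d" % len(fields)]
    user, pw, uid, gid, _gcos, _home, _shell = fields
    problems = check_username(user)
    for label, value in (("uid", uid), ("gid", gid)):
        if not value.isdigit() or int(value) > MAX_ID:
            problems.append("%s %r is not an integer in 0..%d" % (label, value, MAX_ID))
    if pw not in ("", "x"):
        problems.append("password hash kept here; expected 'x' with the hash in /etc/shadow")
    return problems

def check_passwd_file(text):
    """Return [(line_number, problems)] for every line with at least one problem."""
    numbered = enumerate(text.splitlines(), 1)
    return [(n, p) for n, p in ((n, check_passwd_line(l)) for n, l in numbered) if p]

# Constructed sample: root and fred are taken from Example 1; the rest are deliberate defects.
SAMPLE = """root:x:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh

Toolong99:x:1001:10:Too Long:/home/toolong:/bin/sh
bob:x:99999999999:10:Big UID:/home/bob:/bin/sh
+
"""
```

Running check_passwd_file(SAMPLE) reports lines 2 to 5 and leaves the root entry and the '+' directive alone.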
EXAMPLES
Example 1 Sample passwd File

The following is a sample passwd file:

root:x:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh

and the sample password entry from nsswitch.conf:

passwd: files ldap

In this example, there are specific entries for users root and fred to
assure that they can log in even when the system is running single-user.
In addition, anyone whose password information is stored on an LDAP
server will be able to log in with their usual password, shell, and home
directory.

If the password file is:

root:x:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
+

and the password entry in nsswitch.conf is:

passwd: compat

then all the entries listed in the NIS passwd.byuid and passwd.byname
maps will be effectively incorporated after the entries for root and
fred. If the password entry in nsswitch.conf is:

passwd_compat: ldap
passwd: compat

then all password-related entries stored on the LDAP server will be
incorporated after the entries for root and fred.

The following is a sample passwd file when shadow does not exist:

root:q.mJzTnu8icf.:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
+john:
+@documentation:no-login:
+::::Guest

The following is a sample passwd file when shadow does exist:

root:##root:0:1:Super-User:/:/sbin/sh
fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
+john:
+@documentation:no-login:
+::::Guest

In this example, there are specific entries for users root and fred, to
assure that they can log in even when the system is running standalone.
The user john will have his password entry in the naming service source
incorporated without change, anyone in the netgroup documentation will
have their password field disabled, and anyone else will be able to log
in with their usual password, shell, and home directory, but with a
gcos field of Guest.
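The '+' and '-' semantics described in the DESCRIPTION and illustrated in the examples above, worked through in Python as an added example that is not part of this manual page or of the Solaris implementation. It resolves a compat-style file against a constructed naming-service list and netgroup table, applying the override rule (password, gcos, home-dir and login-shell may be overridden; uid and gid may not) and the -name/-@netgroup disallow rule; it also assumes that a lookup returns the first entry for a name, so later duplicates are dropped.

```python
def parse(line):
    # Split into exactly 7 fields; short '+'/'-' lines are padded with empty fields.
    f = line.split(":")
    return (f + [""] * 7)[:7]

def apply_overrides(entry, directive):
    # Non-null password (1), gcos (4), home-dir (5), login-shell (6) in a '+' line
    # override the naming-service values; uid (2) and gid (3) never do.
    merged = list(entry)
    for i in (1, 4, 5, 6):
        if directive[i] != "":
            merged[i] = directive[i]
    return merged

def resolve_compat(local_text, ns_entries, netgroups):
    # Effective entries in lookup order. Assumption: the first entry for a name wins.
    result, seen, disallowed = [], set(), set()
    def emit(entry):
        if entry[0] not in seen and entry[0] not in disallowed:
            seen.add(entry[0]); result.append(entry)
    for line in local_text.splitlines():
        fields = parse(line)
        key = fields[0]
        if key.startswith("-"):              # -name / -@netgroup: disallow from here on
            disallowed.update(netgroups.get(key[2:], ()) if key.startswith("-@") else (key[1:],))
        elif key.startswith("+"):            # +: all; +@netgroup: members; +name: that user
            wanted = (None if key == "+" else
                      netgroups.get(key[2:], ()) if key.startswith("+@") else (key[1:],))
            for e in ns_entries:
                if wanted is None or e[0] in wanted:
                    emit(apply_overrides(e, fields))
        else:                                # ordinary local entry
            emit(fields)
    return result

# Constructed data: LOCAL follows the "shadow does exist" example above plus a
# '-olduser' line; the naming-service entries and the netgroup are made up.
LOCAL = """root:##root:0:1:Super-User:/:/sbin/sh
fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
-olduser
+john:
+@documentation:no-login:
+::::Guest
"""
NS = [parse(l) for l in (
    "john:x:1001:10:John Doe:/home/john:/bin/sh",
    "alice:x:1002:10:Alice Writer:/home/alice:/bin/sh",
    "olduser:x:1003:10:Departed:/home/olduser:/bin/sh",
    "eve:x:1004:10:Eve:/home/eve:/bin/sh")]
NETGROUPS = {"documentation": {"alice"}}
```

resolve_compat(LOCAL, NS, NETGROUPS) yields root, fred, john (unchanged), alice (password field replaced by no-login) and eve (gcos replaced by Guest); olduser is dropped by the preceding '-olduser' line.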

FILES
/etc/nsswitch.conf

/etc/passwd

/etc/shadow

SEE ALSO
chgrp(1), chown(1), finger(1), groups(1), login(1), newgrp(1),
nispasswd(1), passwd(1), sh(1), sort(1), domainname(1M), getent(1M),
in.ftpd(1M), passmgmt(1M), pwck(1M), pwconv(1M), su(1M), useradd(1M),
userdel(1M), usermod(1M), a64l(3C), crypt(3C), getpw(3C), getpwnam(3C),
getspnam(3C), putpwent(3C), group(4), hosts.equiv(4), nsswitch.conf(4),
shadow(4), environ(5), unistd.h(3HEAD)

System Administration Guide: Basic Administration

SunOS 5.11 28 Jul 2004 passwd(4)