passwd(4)passwd(4)NAMEpasswd - password file
DESCRIPTION
/etc/passwd is an ASCII file containing entries for each user. Each
field within each user's entry is separated from the next by a colon.
Each user is separated from the next by a newline. An entry beginning
with # is ignored, and may be silently removed under some circumstances
(see passwd(1) for specific information.)
The passwd file contains the following information for each user:
name User's login name -- This can consist of alphanumeric
characters and the period, underscore and hyphen characters.
It must not be greater than eight characters long. It is
recommended that the first character not be a hyphen for
greatest portability across multiple versions of the UNIX
operating system. The pwck(1M) command checks for the greatest
possible portability on names, and therefore may complain about
user names that do not cause problems on IRIX.
password Encrypted password and optional password aging information. If
the password field is null (empty), no password is demanded
when the user logs in. If the system is configured to use
shadow passwords, this field of /etc/passwd is ignored by all
programs that do password checking. See pwconv(1M) for
information about shadow passwords.
numerical user ID
This is the user's ID in the system and it must be unique.
numerical group ID
This is the number of the default group that the user belongs
to.
user's real name
In some versions of UNIX, this field also contains the user's
office, extension, home phone, and so on. For historical
reasons this field is called the GECOS field. The finger(1)
program can interpret the GECOS field if it contains comma
(``,'') separated subfields as follows:
name user's full name
office user's office number
wphone user's work phone number
hphone user's home phone number
An & in the user's full name field stands for the login name
(in cases where the login name appears in a user's real name).
Page 1
passwd(4)passwd(4)
initial working directory
The directory that the user is positioned in when they log in;
this is known as the home directory.
shell The program to use as the command interpreter (shell) when the
user logs in. If the shell field is empty, the Bourne shell
(/bin/sh) is assumed. If the first character of this field is
an *, then the login(1) program treats the home directory field
as the directory to be used as the argument to the chroot(2)
system call, and then loops back to reading the /etc/passwd
file under the new root, reprompting for the login. This can
be used to implement secure or restricted logins, in a manner
similar to ftp(1C).
Password aging is used for a particular user if his encrypted password is
followed by a comma and a non-null string of characters from a 64-
character alphabet (.,/,0-9, A-Z, a-z) parsed left to right by a64l(3)).
The first character of the age, M say, denotes the maximum number of
weeks for which a password is valid. A user who attempts to login after
his password has expired is forced to change his password. The next
character, m say, denotes the minimum period in weeks that must expire
before the password can be changed. If the second character is omitted,
zero weeks is the default minimum. M and m have numerical values in the
range 0-63 that correspond to the 64-character alphabet shown above (/ =
1 week, z = 63 weeks). The remaining characters are the weeks since the
epoch when the password was last changed. If m = M = 0 (derived from the
string . or ..) the user is forced to change his password the next time
he logs in (and the age disappears from his entry in the password file).
If m > M only the superuser is able to change the password. The password
must have been previously changed and therefore have a valid last change
date in the aging field for this m > M mechanism to control password
manipulation. Simply putting ./ as the aging string will be interpreted
by login as an expired password (because the last changed date is 0), and
the automatic invocation of passwd by login will fail due to the m > M
mechanism.
The password file resides in the /etc directory. Because of the
encrypted passwords, it has general read permission and can be used, for
example, to map numerical user ID's to names.
NIS ENTRIES
If the NFS option is installed, the passwd file can also have lines
beginning with a `+' (plus sign) which means to incorporate entries from
the NIS. There are three styles of + entries in this file:
+ Means to insert the entire contents of the NIS password file
at that point.
+name Means to insert the entry (if any) for name from the NIS at
that point.
Page 2
passwd(4)passwd(4)
+@netgroup Means to insert the entries for all members of the network
group netgroup at that point.
If a + entry has a non-empty password, directory, GECOS, or shell field,
the value of that field overrides what is contained in the NIS. The uid
and gid fields cannot be overridden.
The passwd file can also have lines beginning with a `-' (minus sign)
which means to disallow entries from the NIS (or from local use). There
are two styles of `-' entries in this file:
-name Means to disallow any subsequent entries (if any) for name
(in this file or in the NIS).
-@netgroup Means to disallow any subsequent entries for all members of
the network group netgroup.
Password aging is not supported for NIS entries.
UID CONVENTIONS
User ID number restrictions and conventions in the UNIX community are few
and simple.
Reserved:
UID 0 The superuser (aka root).
UID -2 NFS 'nobody'. Note that because uid_t is unsigned, -2
is mapped to the special value 60001 by NFS.
UID 60001 and 60002
For historical reasons, these values correspond to the
users ``nobody'' and ``noaccess'', respectively. It
is recommended that you not allocate these values to
real users.
Conventions:
UID 1 to 10 Commonly used for system pseudo users and daemons.
UID 11 to 99 Commonly used for uucp logins and 'famous users'.
UID 100 to 2147483647 (except for 60001 and 60002)
Normal users (start at 100). For historical reasons
certain operations are restricted for uids larger than
65535. Most significantly, these users cannot own
files on an efs(4) filesystem. This also means that
they cannot run a program that allocates a pty(7M)
(for example, vi(1) and xwsh(1G)) if /dev resides on
an efs(4) filesystem.
Page 3
passwd(4)passwd(4)
For these reasons, we recommend that large uids only
be used on xfs(4) based systems.
EXAMPLE
Here is a sample /etc/passwd file:
root:q.mJzTnu8icF.:0:10:superuser:/:/bin/csh
bill:6k/7KCFRPNVXg,z/:508:10:& The Cat:/usr2/bill:/bin/csh
+john:
+@documentation:no-login:
+::::Guest
nobody:*:-2:-2::/dev/null:/dev/null
In this example, there are specific entries for users root and bill, to
assure that they can log in even when the system is running stand-alone
or when the NIS is not running. The user bill has 63 weeks of maximum
password aging and 1 week of minimum password aging. Programs that use
the GECOS field replace the & with `Bill'. The user john has his
password entry in the NIS incorporated without change; anyone in the
netgroup documentation has their password field disabled, and anyone else
is able to log in with their usual password, shell, and home directory,
but with a GECOS field of Guest. The user nobody cannot log in and is
used by the exportfs(1M) command.
FILES
/etc/passwd
SEE ALSOlogin(1), passwd(1), pwck(1M), pwconv(1M), ypchpass(1), yppasswd(1),
a64l(3C), crypt(3C), getpwent(3C), exports(4), group(4), netgroup(4),
shadow(4).
Page 4
