passwd(4) File Formats passwd(4)NAMEpasswd - password file
SYNOPSIS
/etc/passwd
DESCRIPTION
The file /etc/passwd is a local source of information about users'
accounts. The password file can be used in conjunction with other nam‐
ing sources, such as the NIS maps passwd.byname and passwd.bygid, data
from the NIS+ passwd table, or password data stored on an LDAP server.
Programs use the getpwnam(3C) routines to access this information.
Each passwd entry is a single line of the form:
username:password:uid:
gid:gcos-field:home-dir:
login-shell
where
username is the user's login name.
The login (login) and role (role) fields accept a
string of no more than eight bytes consisting of
characters from the set of alphabetic characters,
numeric characters, period (.), underscore (_), and
hyphen (-). The first character should be alpha‐
betic and the field should contain at least one
lower case alphabetic character. A warning message
is displayed if these restrictions are not met.
The login and role fields must contain at least one
character and must not contain a colon (:) or a
newline (\n).
password is an empty field. The encrypted password for the
user is in the corresponding entry in the
/etc/shadow file. pwconv(1M) relies on a special
value of 'x' in the password field of /etc/passwd.
If this value of 'x' exists in the password field
of /etc/passwd, this indicates that the password
for the user is already in /etc/shadow and should
not be modified.
uid is the user's unique numerical ID for the system.
gid is the unique numerical ID of the group that the
user belongs to.
gcos-field is the user's real name, along with information to
pass along in a mail-message heading. (It is called
the gcos-field for historical reasons.) An ``&''
(ampersand) in this field stands for the login name
(in cases where the login name appears in a user's
real name).
home-dir is the pathname to the directory in which the user
is initially positioned upon logging in.
login-shell is the user's initial shell program. If this field
is empty, the default shell is /usr/bin/sh.
The maximum value of the uid and gid fields is 2147483647. To maximize
interoperability and compatibility, administrators are recommended to
assign users a range of UIDs and GIDs below 60000 where possible. (UIDs
from 0-99 inclusive are reserved by the operating system vendor for use
in future applications. Their use by end system users or vendors of
layered products is not supported and may cause security related issues
with future applications.)
The password file is an ASCII file that resides in the /etc directory.
Because the encrypted passwords on a secure system are always kept in
the shadow file, /etc/passwd has general read permission on all systems
and can be used by routines that map between numerical user IDs and
user names.
Blank lines are treated as malformed entries in the passwd file and
cause consumers of the file, such as getpwnam(3C), to fail.
The password file can contain entries beginning with a `+' (plus sign)
or '-' (minus sign) to selectively incorporate entries from another
naming service source, such as NIS, NIS+, or LDAP.
A line beginning with a '+' means to incorporate entries from the nam‐
ing service source. There are three styles of the '+' entries in this
file. A single + means to insert all the entries from the alternate
naming service source at that point, while a +name means to insert the
specific entry, if one exists, from the naming service source. A +@net‐
group means to insert the entries for all members of the network group
netgroup from the alternate naming service. If a +name entry has a non-
null password, gcos, home-dir, or login-shell field, the value of that
field overrides what is contained in the alternate naming service. The
uid and gid fields cannot be overridden.
A line beginning with a `−' means to disallow entries from the alter‐
nate naming service. There are two styles of `-` entries in this file.
-name means to disallow any subsequent entries (if any) for name (in
this file or in a naming service), and -@netgroup means to disallow any
subsequent entries for all members of the network group netgroup.
This is also supported by specifying ``passwd : compat'' in nss‐
witch.conf(4). The "compat" source might not be supported in future
releases. The preferred sources are files followed by the identifier of
a name service, such as nis or ldap. This has the effect of incorporat‐
ing the entire contents of the naming service's passwd database or
password-related information after the passwd file.
Note that in compat mode, for every /etc/passwd entry, there must be a
corresponding entry in the /etc/shadow file.
Appropriate precautions must be taken to lock the /etc/passwd file
against simultaneous changes if it is to be edited with a text editor;
vipw(1B) does the necessary locking.
EXAMPLES
Example 1 Sample passwd File
The following is a sample passwd file:
root:x:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
and the sample password entry from nsswitch.conf:
passwd: files ldap
In this example, there are specific entries for users root and fred to
assure that they can login even when the system is running single-user.
In addition, anyone whose password information is stored on an LDAP
server will be able to login with their usual password, shell, and home
directory.
If the password file is:
root:x:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
+
and the password entry in nsswitch.conf is:
passwd: compat
then all the entries listed in the NIS passwd.byuid and passwd.byname
maps will be effectively incorporated after the entries for root and
fred. If the password entry in nsswitch.conf is:
passwd_compat: ldap
passwd: compat
then all password-related entries stored on the LDAP server will be
incorporated after the entries for root and fred.
The following is a sample passwd file when shadow does not exist:
root:q.mJzTnu8icf.:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
+john:
+@documentation:no-login:
+::::Guest
The following is a sample passwd file when shadow does exist:
root:##root:0:1:Super-User:/:/sbin/sh
fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
+john:
+@documentation:no-login:
+::::Guest
In this example, there are specific entries for users root and fred, to
assure that they can log in even when the system is running standalone.
The user john will have his password entry in the naming service source
incorporated without change, anyone in the netgroup documentation will
have their password field disabled, and anyone else will be able to log
in with their usual password, shell, and home directory, but with a
gcos field of Guest.
FILES
/etc/nsswitch.conf
/etc/passwd
/etc/shadow
SEE ALSOchgrp(1), chown(1), finger(1), groups(1), login(1), newgrp(1), nis‐
passwd(1), passwd(1), sh(1), sort(1), domainname(1M), getent(1M),
in.ftpd(1M), passmgmt(1M), pwck(1M), pwconv(1M), su(1M), useradd(1M),
userdel(1M), usermod(1M), a64l(3C), crypt(3C), getpw(3C), getpwnam(3C),
getspnam(3C), putpwent(3C), group(4), hosts.equiv(4), nsswitch.conf(4),
shadow(4), environ(5), unistd.h(3HEAD)SunOS 5.10 21 Apr 2010 passwd(4)
