The Identity Database: /etc/passwd and /etc/shadow

Deconstruct the core files that define who can access your system. Learn to read the colon-separated fields of /etc/passwd and understand the cryptographic secrets hidden in /etc/shadow. Explore the group definitions in /etc/group.

/etc/passwd and /etc/shadow: The Heart of Linux Identity

Whenever you log into a Linux machine, the system usually does not ask a remote database who you are (unless NSS and PAM have been pointed at a directory such as LDAP or SSSD); it consults three local text files. If those files are deleted or corrupted, nobody can log in until an administrator repairs them from a rescue or single-user boot.

To an outsider, these files look like gibberish. But to a master, they are a well-structured database that tells the story of every user and service on the machine.

In this lesson, we will perform a field-by-field breakdown of the Linux identity database.


1. /etc/passwd: The User Registry

Despite the name, this file no longer holds passwords. In early Unix the password hashes did live here, but /etc/passwd must stay world-readable (every program that turns a UID into a name reads it), so the hashes were moved into /etc/shadow, which only root can read.

The 7 Fields:

Every line in /etc/passwd follows this format: root:x:0:0:root:/root:/bin/bash

Field         Example     Description
1. Username   root        The login name.
2. Password   x           An 'x' means the hash lives in /etc/shadow. An empty field means no password is required.
3. UID        0           The numeric user ID. UID 0 is the superuser, whatever the login name.
4. GID        0           The primary group ID, resolved through /etc/group.
5. GECOS      root        Descriptive info (full name, room number, etc.).
6. Home Dir   /root       The user's starting directory after login.
7. Shell      /bin/bash   The program started at login. /usr/sbin/nologin or /bin/false denies interactive logins.

2. /etc/shadow: The Vault of Secrets

This file is readable only by root (on Debian-based systems it is mode 0640 root:shadow, so members of the shadow group can read it too). It contains salted password hashes, not encrypted passwords, plus the password-aging fields.

sudeep:$6$zYj...:19820:0:99999:7:::

The 9 Fields:

  • Login name: must match a line in /etc/passwd.
  • Password hash: a salted hash in crypt(3) format. $6$ means SHA-512 crypt; $y$ is yescrypt (the default on current Debian and Fedora), $5$ SHA-256 crypt, $1$ the obsolete MD5 crypt. A leading ! or * means the account cannot log in with a password; an empty field means no password is required at all.
  • Last change: the day the password was last set, counted in days since 1 Jan 1970. A 0 forces a change at next login; an empty field disables aging.
  • Minimum age: days that must pass before the user may change the password again.
  • Maximum age: days after which the password expires (99999 effectively disables expiry).
  • Warning period: days before expiry during which the user is warned.
  • Inactivity period: days after expiry during which the user may still log in and is forced to change the password, before the account is disabled.
  • Account expiry: a day, again in days since 1 Jan 1970, after which the account is disabled outright, regardless of the password.
  • Reserved: empty.

The login flow, as a diagram:

graph LR
    Login[User Logs In] --> Passwd[/etc/passwd: Finds UID & Shell]
    Passwd --> Shadow[/etc/shadow: PAM hashes the typed password with the stored salt and compares]
    Shadow -- Success --> Shell[Login Successful]
    Shadow -- Fail --> Reject[Login Denied]

3. /etc/group: The Club List

This file defines the groups and lists their supplementary members. Each line has four colon-separated fields:

sudo:x:27:sudeep,alice

  • Group Name: sudo
  • Group Password: x (the rarely used group password hash lives in /etc/gshadow)
  • Group ID (GID): 27
  • Members: sudeep and alice, who get this group in addition to their primary one. A user whose primary GID in /etc/passwd is 27 also belongs to the group even though the name does not appear here.

4. Practical: Safely Editing the Database

Do not edit /etc/passwd, /etc/shadow or /etc/group with a plain editor such as vim or nano. Two things go wrong: a typo in the root line (a missing colon, a stray character in the UID) can lock you out until you boot into rescue mode, and because a plain editor takes no lock, a useradd or passwd run at the same time can overwrite your changes or lose its own.

The 'VIP' Way:

Use the specialized wrappers: they take the same lock that useradd, usermod and passwd honour, open a copy of the file in $EDITOR, and install it in place only when you save. Run pwck and grpck afterwards to catch field-count and cross-reference errors:

# Safely edit the password file
sudo vipw

# Safely edit the shadow file (-s selects /etc/shadow)
sudo vipw -s

# Safely edit the group file (vigr -s edits /etc/gshadow)
sudo vigr

# Check both files for syntax and consistency errors afterwards
sudo pwck
sudo grpck

5. Identifying Inactive Users

As an admin, you should regularly look for accounts whose passwords have not been rotated for a long time. chage reads and sets the aging fields of /etc/shadow; lastlog is the companion tool for spotting accounts that have not logged in recently.

# See the password aging status for a user
sudo chage -l sudeep

# Enforce rotation every 90 days, warning the user 14 days ahead
sudo chage -M 90 -W 14 sudeep
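The following script is an added example, not code from the original lesson: it connects the field breakdown in section 2 with this section's stale-password check by parsing the nine shadow fields, naming the hash algorithm from its crypt(3) prefix, recognising locked and passwordless entries, and computing the aging state that chage -l prints. SAMPLE_SHADOW is a constructed file and TODAY_DAYS is pinned so the output is reproducible without root; for a live report, run it as root with open("/etc/shadow").read() and (date.today() - EPOCH).days instead.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample in shadow(5) layout (not a real system's data):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
sudeep:$6$zYjQ9s1c$abc...:19820:0:99999:7:::
alice:$y$j9T$salt$hash...:19500:0:90:14:::
bob:$1$oldmd5$hash...:18000:0:99999:7::19900:
svc:*:19000:0:99999:7:::
carol::19800:0:99999:7:::
"""
# Pinned "today" in days since the epoch so the results are reproducible.
TODAY_DAYS = 19950

# crypt(3) prefixes as produced by libxcrypt
HASH_PREFIXES = {
    "$1$": "md5crypt (obsolete)",
    "$2b$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}


def days_to_date(days):
    """Convert a shadow 'days since 1970-01-01' value to a calendar date."""
    return EPOCH + timedelta(days=int(days))


def classify_hash(pw):
    """Describe the second shadow field."""
    if pw == "":
        return "NO PASSWORD: an empty password is accepted"
    if pw.startswith(("!", "*")):
        return "locked (password login disabled)"
    for prefix, name in HASH_PREFIXES.items():
        if pw.startswith(prefix):
            return name
    return "unknown or legacy DES crypt"


def _to_int(s):
    return int(s) if s != "" else None


def parse_shadow_line(line):
    """Split one shadow line into its nine named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, lastchg, mn, mx, warn, inactive, expire, _reserved = fields
    return {
        "name": name,
        "hash": pw,
        "algorithm": classify_hash(pw),
        "last_change": _to_int(lastchg),
        "min_days": _to_int(mn) or 0,
        "max_days": _to_int(mx),
        "warn_days": _to_int(warn) or 0,
        "inactive_days": _to_int(inactive),
        "expire": _to_int(expire),
    }


def aging_status(entry, today_days):
    """Return (password_age_in_days, state), checked in the order shadow uses."""
    lc = entry["last_change"]
    age = today_days - lc if lc else None  # None when aging is off or lc == 0
    if entry["expire"] is not None and today_days >= entry["expire"]:
        return age, "account expired"
    if lc is None:
        return age, "aging disabled"
    if lc == 0:
        return age, "must change at next login"
    mx = entry["max_days"]
    if mx is not None and mx < 99999 and age > mx:
        return age, "password expired"
    return age, "ok"


def stale_passwords(text, today_days, max_age):
    """Accounts with a usable hash whose password is older than max_age days."""
    stale = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e["hash"] == "" or e["hash"].startswith(("!", "*")):
            continue  # nothing to rotate on a locked or passwordless entry
        age, _state = aging_status(e, today_days)
        if age is not None and age > max_age:
            stale.append(e["name"])
    return stale


def report(text, today_days):
    """One line per account: name, algorithm, last change date, aging state."""
    lines = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        last = days_to_date(e["last_change"]).isoformat() if e["last_change"] else "never"
        age, state = aging_status(e, today_days)
        lines.append(f"{e['name']:8} {e['algorithm']:38} last={last} age={age} {state}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SHADOW, TODAY_DAYS)))
    print("stale (>90 days):", stale_passwords(SAMPLE_SHADOW, TODAY_DAYS, 90))
```

The empty-hash case for carol is the one to act on first: it is not "no aging", it is "anyone can log in as carol with an empty password", which is why stale_passwords skips it and classify_hash shouts about it instead.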

6. Example: A User Database Parser (Python)

If you are building a custom user-management dashboard, you can parse these files directly. Here is a Python script that generates a report of all human users and their default shells.

def parse_linux_users(path="/etc/passwd"):
    """
    Manually parses /etc/passwd without using the pwd module.

    Caveat: this only sees the local file. Accounts served through NSS
    (LDAP, SSSD) are invisible here; use the pwd module or `getent passwd`
    for the merged view.
    """
    human_users = []

    try:
        with open(path, "r") as f:
            for line in f:
                # Skip comments and empty lines
                if line.startswith("#") or not line.strip():
                    continue

                fields = line.rstrip("\n").split(":")

                # A valid entry has exactly 7 fields; skip anything else
                if len(fields) != 7:
                    continue

                # UID is field 3
                uid = int(fields[2])

                # Human range (>= 1000), excluding nobody (65534)
                if 1000 <= uid < 65534:
                    human_users.append({
                        "username": fields[0],
                        "uid": uid,
                        "home": fields[5],
                        "shell": fields[6]
                    })

        return human_users
    except (OSError, ValueError) as e:
        print(f"Error: {e}")
        return []

if __name__ == "__main__":
    users = parse_linux_users()
    print(f"{'User':15} | {'Shell':15} | {'Home Directory'}")
    print("-" * 50)
    for u in users:
        print(f"{u['username']:15} | {u['shell']:15} | {u['home']}")

7. Professional Tip: Why the 'x'?

If you ever see a line in /etc/passwd whose second field holds an actual hash (a string starting with $) instead of an x, the system is misconfigured. /etc/passwd has to be world-readable so that ls, ps and every other tool can map UIDs to names, so any local user can copy that hash off the machine and crack it offline with a GPU. An empty second field is worse still: it means no password is required at all. Modern Linux avoids both by keeping only the x placeholder in /etc/passwd and the hash in root-readable /etc/shadow.
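The script below is an added example, not part of the original lesson. It audits a passwd file for the conditions just described (an exposed hash, an empty password field), and for two related ones a reviewer would check at the same time: a second UID 0 account, and an x placeholder with no matching /etc/shadow entry, which is the kind of inconsistency pwck reports. SAMPLE_PASSWD and SAMPLE_SHADOW_NAMES are constructed; on a real host, run audit_passwd on open("/etc/passwd").read() with the login names taken from /etc/shadow as root.

```python
# Constructed sample (not a real system's data); the odd lines are deliberate.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sudeep:x:1000:1000:Sudeep:/home/sudeep:/bin/bash
legacy:$6$5ZdK9mPq$abc...:1001:1001:Legacy app:/srv/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/bash
admin2:x:0:0:Second root:/root:/bin/bash
app:x:1004:1004::/opt/app:/bin/bash
svc:x:1003:1003::/nonexistent:/usr/sbin/nologin
"""
# Login names present in the constructed /etc/shadow; 'app' is missing.
SAMPLE_SHADOW_NAMES = {"root", "daemon", "sudeep", "admin2", "svc"}

NO_PASSWORD = "empty password field: login needs no password"
EXPOSED_HASH = "hash stored in world-readable /etc/passwd instead of /etc/shadow"
EXTRA_ROOT = "extra UID 0 account (full root privileges under another name)"
NO_SHADOW = "password field is x but no /etc/shadow entry exists"
BAD_LINE = "malformed entry (expected 7 fields)"


def audit_passwd(text, shadow_names):
    """Return (login, finding) pairs for every suspicious /etc/passwd line."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], BAD_LINE))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((name, NO_PASSWORD))
        elif pw == "x":
            # Shadowed as it should be; confirm the shadow side exists.
            if name not in shadow_names:
                findings.append((name, NO_SHADOW))
        elif not pw.startswith(("*", "!")):
            # Anything else is a crypt(3) hash sitting in a 0644 file.
            findings.append((name, EXPOSED_HASH))
        if uid == "0" and name != "root":
            findings.append((name, EXTRA_ROOT))
    return findings


if __name__ == "__main__":
    for login, finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW_NAMES):
        print(f"{login:8} {finding}")
```

The UID 0 check is there because the kernel only ever looks at the number: admin2 with UID 0 is root in every respect that matters, and a tool that only greps for the root line would never notice it.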


8. Summary

The Linux identity system is simple, text-based, and modular.

  • /etc/passwd: User profile and login settings; world-readable, so it holds no hashes.
  • /etc/shadow: Salted password hashes and aging fields; readable by root only.
  • /etc/group: Group membership list.
  • vipw and vigr: The locked way to edit these files by hand; useradd, usermod, passwd and chage are preferable for routine changes.

In the next lesson, we will move back to permissions as we explore Advanced Permissions and Access Control Lists (ACLs) for more granular security.

Quiz Questions

  1. Which field in /etc/passwd determines which program starts when you log in?
  2. Why is it dangerous to edit the password file with a regular text editor?
  3. What does the leading $6$ in a password hash in /etc/shadow tell you?

Continue to Lesson 4: Advanced Permissions and ACLs—Granular Access Control.
