passwd(4)                                                           passwd(4)

NAME
     passwd - password file

DESCRIPTION
     /etc/passwd is an ASCII file containing entries for each user.  Each
     field within each user's entry is separated from the next by a colon.
     Each user is separated from the next by a newline.  An entry beginning
     with # is ignored, and may be silently removed under some circumstances
     (see passwd(1) for specific information).

     The passwd file contains the following information for each user:

     name
          User's login name.  This can consist of alphanumeric characters
          and the period, underscore and hyphen characters.  It must not be
          greater than eight characters long.  It is recommended that the
          first character not be a hyphen, for greatest portability across
          multiple versions of the UNIX operating system.  The pwck(1M)
          command checks for the greatest possible portability of names, and
          therefore may complain about user names that do not cause problems
          on IRIX.

     password
          Encrypted password and optional password aging information.  If
          the password field is null (empty), no password is demanded when
          the user logs in.  If the system is configured to use shadow
          passwords, this field of /etc/passwd is ignored by all programs
          that do password checking.  See pwconv(1M) for information about
          shadow passwords.

     numerical user ID
          This is the user's ID in the system and it must be unique.

     numerical group ID
          This is the number of the default group that the user belongs to.

     user's real name
          In some versions of UNIX, this field also contains the user's
          office, extension, home phone, and so on.  For historical reasons
          this field is called the GECOS field.  The finger(1) program can
          interpret the GECOS field if it contains comma (``,'') separated
          subfields as follows:

               name      user's full name
               office    user's office number
               wphone    user's work phone number
               hphone    user's home phone number

          An & in the user's full name field stands for the login name (in
          cases where the login name appears in a user's real name).
     initial working directory
          The directory that the user is positioned in when they log in;
          this is known as the home directory.

     shell
          The program to use as the command interpreter (shell) when the
          user logs in.  If the shell field is empty, the Bourne shell
          (/bin/sh) is assumed.  If the first character of this field is an
          *, then the login(1) program treats the home directory field as
          the directory to be used as the argument to the chroot(2) system
          call, and then loops back to reading the /etc/passwd file under
          the new root, reprompting for the login.  This can be used to
          implement secure or restricted logins, in a manner similar to
          ftp(1C).

     Password aging is used for a particular user if his encrypted password
     is followed by a comma and a non-null string of characters from a
     64-character alphabet (., /, 0-9, A-Z, a-z), parsed left to right by
     a64l(3).  The first character of the age, M say, denotes the maximum
     number of weeks for which a password is valid.  A user who attempts to
     log in after his password has expired is forced to change his password.
     The next character, m say, denotes the minimum period in weeks that
     must expire before the password can be changed.  If the second
     character is omitted, zero weeks is the default minimum.  M and m have
     numerical values in the range 0-63 that correspond to the 64-character
     alphabet shown above (/ = 1 week, z = 63 weeks).  The remaining
     characters are the weeks since the epoch when the password was last
     changed.  If m = M = 0 (derived from the string . or ..) the user is
     forced to change his password the next time he logs in (and the age
     disappears from his entry in the password file).  If m > M only the
     superuser is able to change the password.  The password must have been
     previously changed, and therefore have a valid last-change date in the
     aging field, for this m > M mechanism to control password manipulation.
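     The following C program is an added example and is not part of this
     manual page or of IRIX.  It decodes the aging suffix described above
     using the a64l(3) alphabet (. = 0, / = 1, 0-9, A-Z, a-z up to z = 63,
     least-significant digit first) and applies the M, m and last-change
     rules to decide whether a password has expired and who may change it.
     The current week number is an assumption supplied by the caller.

```c
#include <string.h>

/* Added example (not IRIX code): decode the ",Mm<weeks>" aging suffix of a
 * passwd(4) field, using the a64l(3) alphabet (first char = low digit). */
static const char A64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
/* M, m, and weeks since the epoch of the last change (0 if absent). */
struct aging { int max_weeks, min_weeks; long last_change; };

/* Value of one radix-64 digit, or -1 if c is not in the alphabet. */
int a64_digit(char c) {
    const char *p = c ? strchr(A64, c) : NULL;
    return p ? (int)(p - A64) : -1;
}

/* Like a64l(3): up to six 6-bit digits, least-significant first; stops at
 * the first character outside the alphabet. */
long a64_decode(const char *s) {
    long v = 0; int shift = 0, d;
    for (; *s && shift < 36 && (d = a64_digit(*s)) >= 0; s++, shift += 6)
        v |= (long)d << shift;
    return v;
}

/* Returns 1 if the field carries an aging string (filled into *a), 0 if it
 * carries none, -1 if the M or m character is outside the alphabet. */
int parse_aging(const char *pwfield, struct aging *a) {
    const char *age = strchr(pwfield, ',');
    if (!age || !*++age) return 0;
    memset(a, 0, sizeof *a);
    if ((a->max_weeks = a64_digit(age[0])) < 0) return -1;
    if (age[1] && (a->min_weeks = a64_digit(age[1])) < 0) return -1;
    if (age[1] && age[2]) a->last_change = a64_decode(age + 2);
    return 1;
}

/* Expired once more than M weeks have passed since the last change; with
 * no last-change date the password counts as changed in week 0. */
int password_expired(const struct aging *a, long now_week) {
    return now_week > a->last_change + a->max_weeks;
}

/* A non-superuser may change the password only when m <= M and at least m
 * weeks have passed since the last change; the superuser always may. */
int change_allowed(const struct aging *a, long now_week, int superuser) {
    if (superuser) return 1;
    if (a->min_weeks > a->max_weeks) return 0;
    return now_week >= a->last_change + a->min_weeks;
}
```

     With the field "6k/7KCFRPNVXg,z/" this yields M = 63 and m = 1, and
     with the aging string "./" it reports the password expired and not
     changeable by the user.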
     Simply putting ./ as the aging string will be interpreted by login as
     an expired password (because the last-changed date is 0), and the
     automatic invocation of passwd by login will fail due to the m > M
     mechanism.

     The password file resides in the /etc directory.  Because the passwords
     it holds are encrypted, it has general read permission and can be used,
     for example, to map numerical user IDs to names.

NIS ENTRIES
     If the NFS option is installed, the passwd file can also have lines
     beginning with a `+' (plus sign), which means to incorporate entries
     from the NIS.  There are three styles of + entries in this file:

     +         Means to insert the entire contents of the NIS password file
               at that point.

     +name     Means to insert the entry (if any) for name from the NIS at
               that point.

     +@netgroup
               Means to insert the entries for all members of the network
               group netgroup at that point.

     If a + entry has a non-empty password, directory, GECOS, or shell
     field, the value of that field overrides what is contained in the NIS.
     The uid and gid fields cannot be overridden.

     The passwd file can also have lines beginning with a `-' (minus sign),
     which means to disallow entries from the NIS (or from local use).
     There are two styles of `-' entries in this file:

     -name     Means to disallow any subsequent entries (if any) for name
               (in this file or in the NIS).

     -@netgroup
               Means to disallow any subsequent entries for all members of
               the network group netgroup.

     Password aging is not supported for NIS entries.

UID CONVENTIONS
     User ID number restrictions and conventions in the UNIX community are
     few and simple.

     Reserved:

     UID 0     The superuser (aka root).

     UID -2    NFS 'nobody'.  Note that because uid_t is unsigned, -2 is
               mapped to the special value 60001 by NFS.

     UID 60001 and 60002
               For historical reasons, these values correspond to the users
               ``nobody'' and ``noaccess'', respectively.  It is recommended
               that you not allocate these values to real users.

     Conventions:

     UID 1 to 10
               Commonly used for system pseudo users and daemons.
     UID 11 to 99
               Commonly used for uucp logins and 'famous users'.

     UID 100 to 2147483647 (except for 60001 and 60002)
               Normal users (start at 100).

     For historical reasons certain operations are restricted for uids
     larger than 65535.  Most significantly, these users cannot own files on
     an efs(4) filesystem.  This also means that they cannot run a program
     that allocates a pty(7M) (for example, vi(1) and xwsh(1G)) if /dev
     resides on an efs(4) filesystem.  For these reasons, we recommend that
     large uids only be used on xfs(4) based systems.

EXAMPLE
     Here is a sample /etc/passwd file:

          root:q.mJzTnu8icF.:0:10:superuser:/:/bin/csh
          bill:6k/7KCFRPNVXg,z/:508:10:& The Cat:/usr2/bill:/bin/csh
          +john:
          +@documentation:no-login:
          +::::Guest
          nobody:*:-2:-2::/dev/null:/dev/null

     In this example, there are specific entries for users root and bill,
     to assure that they can log in even when the system is running
     stand-alone or when the NIS is not running.  The user bill has 63
     weeks of maximum password aging and 1 week of minimum password aging.
     Programs that use the GECOS field replace the & with `Bill'.  The user
     john has his password entry in the NIS incorporated without change;
     anyone in the netgroup documentation has their password field
     disabled, and anyone else is able to log in with their usual password,
     shell, and home directory, but with a GECOS field of Guest.  The user
     nobody cannot log in and is used by the exportfs(1M) command.

FILES
     /etc/passwd

SEE ALSO
     login(1), passwd(1), pwck(1M), pwconv(1M), ypchpass(1), yppasswd(1),
     a64l(3C), crypt(3C), getpwent(3C), exports(4), group(4), netgroup(4),
     shadow(4).