1 '\" te
   2 .\" Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" Copyright 1989 AT&T
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH PASSWD 4 "Jul 28, 2004"
   8 .SH NAME
   9 passwd \- password file
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fB/etc/passwd\fR
  14 .fi
  15 
  16 .SH DESCRIPTION
  17 .sp
  18 .LP
  19 The file \fB/etc/passwd\fR is a local source of information about users'
  20 accounts. The password file can be used in conjunction with other naming
  21 sources, such as the \fBNIS\fR maps \fBpasswd.byname\fR and \fBpasswd.bygid\fR,
  22 data from the \fBNIS+\fR \fBpasswd\fR table, or password data stored on an LDAP
  23 server. Programs use the \fBgetpwnam\fR(3C) routines to access this
  24 information.
  25 .sp
  26 .LP
  27 Each \fBpasswd\fR entry is a single line of the form:
  28 .sp
  29 .in +2
  30 .nf
  31 \fIusername\fR\fB:\fR\fIpassword\fR\fB:\fR\fIuid\fR\fB:\fR
  32 \fIgid\fR\fB:\fR\fIgcos-field\fR\fB:\fR\fIhome-dir\fR\fB:\fR
  33 \fIlogin-shell\fR
  34 .fi
  35 .in -2
  36 .sp
  37 
  38 .sp
  39 .LP
  40 where
  41 .sp
  42 .ne 2
  43 .na
  44 \fB\fIusername\fR\fR
  45 .ad
  46 .RS 15n
  47 is the user's login name.
  48 .sp
  49 The login (\fBlogin\fR) and role (\fBrole\fR) fields accept a string of no more
  50 than eight bytes consisting of characters from the set of alphabetic
  51 characters, numeric characters, period (\fB\&.\fR), underscore (\fB_\fR), and
  52 hyphen (\fB-\fR). The first character should be alphabetic and the field should
  53 contain at least one lower case alphabetic character. A warning message is
  54 displayed if these restrictions are not met.
  55 .sp
  56 The \fBlogin\fR and \fBrole\fR fields must contain at least one character and
  57 must not contain a colon (\fB:\fR) or a newline (\fB\en\fR).
  58 .RE
  59 
  60 .sp
  61 .ne 2
  62 .na
  63 \fB\fIpassword\fR\fR
  64 .ad
  65 .RS 15n
  66 is an empty field. The encrypted password for the user is in the corresponding
  67 entry in the \fB/etc/shadow\fR file. \fBpwconv\fR(1M) relies on a special value
  68 of '\fBx\fR' in the password field of \fB/etc/passwd\fR. If this value
  69 of '\fBx\fR' exists in the password field of \fB/etc/passwd\fR, this indicates
  70 that the password for the user is already in \fB/etc/shadow\fR and should not
  71 be modified.
  72 .RE
  73 
  74 .sp
  75 .ne 2
  76 .na
  77 \fB\fIuid\fR\fR
  78 .ad
  79 .RS 15n
  80 is the user's unique numerical \fBID\fR for the system.
  81 .RE
  82 
  83 .sp
  84 .ne 2
  85 .na
  86 \fB\fIgid\fR\fR
  87 .ad
  88 .RS 15n
  89 is the unique numerical \fBID\fR of the group that the user belongs to.
  90 .RE
  91 
  92 .sp
  93 .ne 2
  94 .na
  95 \fB\fIgcos-field\fR\fR
  96 .ad
  97 .RS 15n
  98 is the user's real name, along with information to pass along in a mail-message
  99 heading. (It is called the gcos-field for historical reasons.) An ``\fB&\fR\&''
 100 (ampersand) in this field stands for the login name (in cases where the login
 101 name appears in a user's real name).
 102 .RE
 103 
 104 .sp
 105 .ne 2
 106 .na
 107 \fB\fIhome-dir\fR\fR
 108 .ad
 109 .RS 15n
 110 is the pathname to the directory in which the user is initially positioned upon
 111 logging in.
 112 .RE
 113 
 114 .sp
 115 .ne 2
 116 .na
 117 \fB\fIlogin-shell\fR\fR
 118 .ad
 119 .RS 15n
 120 is the user's initial shell program. If this field is empty, the default shell
 121 is \fB/usr/bin/sh\fR.
 122 .RE
 123 
 124 .sp
 125 .LP
 126 The maximum value of the \fIuid\fR and \fIgid\fR fields is \fB2147483647\fR. To
 127 maximize interoperability and compatibility, administrators are recommended to
 128 assign users a range of \fBUID\fRs and \fBGID\fRs below \fB60000\fR where
 129 possible. (\fBUID\fRs from \fB0\fR-\fB99\fR inclusive are reserved by the
 130 operating system vendor for use in future applications. Their use by end system
 131 users or vendors of layered products is not supported and may cause security
 132 related issues with future applications.)
 133 .sp
 134 .LP
 135 The password file is an \fBASCII\fR file that resides in the \fB/etc\fR
 136 directory. Because the encrypted passwords on a secure system are always kept
 137 in the \fBshadow\fR file, \fB/etc/passwd\fR has general read permission on all
 138 systems and can be used by routines that map between numerical user \fBID\fRs
 139 and user names.
 140 .sp
 141 .LP
 142 Blank lines are treated as malformed entries in the \fBpasswd\fR file and cause
 143 consumers of the file , such as \fBgetpwnam\fR(3C), to fail.
 144 .sp
 145 .LP
 146 The password file can contain entries beginning with a `+' (plus sign) or '-'
 147 (minus sign) to selectively incorporate entries from another naming service
 148 source, such as NIS, NIS+, or LDAP.
 149 .sp
 150 .LP
 151 A line beginning with a '+' means to incorporate entries from the naming
 152 service source. There are three styles of the '+' entries in this file. A
 153 single + means to insert all the entries from the alternate naming service
 154 source at that point, while a +\fIname\fR means to insert the specific entry,
 155 if one exists, from the naming service source. A +@\fInetgroup\fR means to
 156 insert the entries for all members of the network group \fInetgroup\fR from the
 157 alternate naming service. If a +\fIname\fR entry has a non-null \fBpassword\fR,
 158 \fIgcos\fR, \fIhome-dir\fR, or \fIlogin-shell\fR field, the value of that field
 159 overrides what is contained in the alternate naming service. The \fIuid\fR and
 160 \fIgid\fR fields cannot be overridden.
 161 .sp
 162 .LP
 163 A line beginning with a `\(mi' means to disallow entries from the alternate
 164 naming service. There are two styles of `-` entries in this file. -\fIname\fR
 165 means to disallow any subsequent entries (if any) for \fIname\fR (in this file
 166 or in a naming service), and -@\fInetgroup\fR means to disallow any subsequent
 167 entries for all members of the network group \fInetgroup\fR.
 168 .sp
 169 .LP
 170 This is also supported by specifying ``passwd : compat'' in
 171 \fBnsswitch.conf\fR(4). The "compat" source might not be supported in future
 172 releases. The preferred sources are \fBfiles\fR followed by the identifier of a
 173 name service, such as \fBnis\fR or \fBldap\fR. This has the effect of
 174 incorporating the entire contents of the naming service's \fBpasswd\fR database
 175 or password-related information after the \fBpasswd\fR file.
 176 .sp
 177 .LP
 178 Note that in compat mode, for every \fB/etc/passwd\fR entry, there must be a
 179 corresponding entry in the \fB/etc/shadow\fR file.
 180 .sp
 181 .LP
 182 Appropriate precautions must be taken to lock the \fB/etc/passwd\fR file
 183 against simultaneous changes if it is to be edited with a text editor;
 184 \fBvipw\fR(1B) does the necessary locking.
 185 .SH EXAMPLES
 186 .LP
 187 \fBExample 1 \fRSample \fBpasswd\fR File
 188 .sp
 189 .LP
 190 The following is a sample \fBpasswd\fR file:
 191 
 192 .sp
 193 .in +2
 194 .nf
 195 root:x:0:1:Super-User:/:/sbin/sh
 196 fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
 197 .fi
 198 .in -2
 199 .sp
 200 
 201 .sp
 202 .LP
 203 and the sample password entry from \fBnsswitch.conf\fR:
 204 
 205 .sp
 206 .in +2
 207 .nf
 208 passwd: files ldap
 209 .fi
 210 .in -2
 211 .sp
 212 
 213 .sp
 214 .LP
 215 In this example, there are specific entries for users \fBroot\fR and \fBfred\fR
 216 to assure that they can login even when the system is running single-user. In
 217 addition, anyone whose password information is stored on an LDAP server will be
 218 able to login with their usual password, shell, and home directory.
 219 
 220 .sp
 221 .LP
 222 If the password file is:
 223 
 224 .sp
 225 .in +2
 226 .nf
 227 root:x:0:1:Super-User:/:/sbin/sh
 228 fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
 229 +
 230 .fi
 231 .in -2
 232 .sp
 233 
 234 .sp
 235 .LP
 236 and the password entry in \fBnsswitch.conf\fR is:
 237 
 238 .sp
 239 .in +2
 240 .nf
 241 passwd: compat
 242 .fi
 243 .in -2
 244 .sp
 245 
 246 .sp
 247 .LP
 248 then all the entries listed in the \fBNIS\fR \fBpasswd.byuid\fR and
 249 \fBpasswd.byname\fR maps will be effectively incorporated after the entries for
 250 \fBroot\fR and \fBfred\fR. If the password entry in \fBnsswitch.conf\fR is:
 251 
 252 .sp
 253 .in +2
 254 .nf
 255 passwd_compat: ldap
 256 passwd: compat
 257 .fi
 258 .in -2
 259 
 260 .sp
 261 .LP
 262 then all password-related entries stored on the LDAP server will be
 263 incorporated after the entries for \fBroot\fR and \fBfred\fR.
 264 
 265 .sp
 266 .LP
 267 The following is a sample \fBpasswd\fR file when \fBshadow\fR does not exist:
 268 
 269 .sp
 270 .in +2
 271 .nf
 272 root:q.mJzTnu8icf.:0:1:Super-User:/:/sbin/sh
 273 fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
 274 +john:
 275 +@documentation:no-login:
 276 +::::Guest
 277 .fi
 278 .in -2
 279 .sp
 280 
 281 .sp
 282 .LP
 283 The following is a sample \fBpasswd\fR file when \fBshadow\fR does exist:
 284 
 285 .sp
 286 .in +2
 287 .nf
 288 root:##root:0:1:Super-User:/:/sbin/sh
 289 fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
 290 +john:
 291 +@documentation:no-login:
 292 +::::Guest
 293 .fi
 294 .in -2
 295 .sp
 296 
 297 .sp
 298 .LP
 299 In this example, there are specific entries for users \fBroot\fR and
 300 \fBfred\fR, to assure that they can log in even when the system is running
 301 standalone. The user \fBjohn\fR will have his password entry in the naming
 302 service source incorporated without change, anyone in the netgroup
 303 \fBdocumentation\fR will have their password field disabled, and anyone else
 304 will be able to log in with their usual password, shell, and home directory,
 305 but with a \fIgcos\fR field of \fBGuest\fR
 306 
 307 .SH FILES
 308 .sp
 309 .ne 2
 310 .na
 311 \fB\fB/etc/nsswitch.conf\fR\fR
 312 .ad
 313 .RS 22n
 314 
 315 .RE
 316 
 317 .sp
 318 .ne 2
 319 .na
 320 \fB\fB/etc/passwd\fR\fR
 321 .ad
 322 .RS 22n
 323 
 324 .RE
 325 
 326 .sp
 327 .ne 2
 328 .na
 329 \fB\fB/etc/shadow\fR\fR
 330 .ad
 331 .RS 22n
 332 
 333 .RE
 334 
 335 .SH SEE ALSO
 336 .sp
 337 .LP
 338 \fBchgrp\fR(1), \fBchown\fR(1), \fBfinger\fR(1), \fBgroups\fR(1),
 339 \fBlogin\fR(1), \fBnewgrp\fR(1), \fBnispasswd\fR(1), \fBpasswd\fR(1),
 340 \fBsh\fR(1), \fBsort\fR(1), \fBdomainname\fR(1M), \fBgetent\fR(1M),
 341 \fBin.ftpd\fR(1M), \fBpassmgmt\fR(1M), \fBpwck\fR(1M), \fBpwconv\fR(1M),
 342 \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M), \fBusermod\fR(1M),
 343 \fBa64l\fR(3C), \fBcrypt\fR(3C), \fBgetpw\fR(3C), \fBgetpwnam\fR(3C),
 344 \fBgetspnam\fR(3C), \fBputpwent\fR(3C), \fBgroup\fR(4), \fBhosts.equiv\fR(4),
 345 \fBnsswitch.conf\fR(4), \fBshadow\fR(4), \fBenviron\fR(5),
 346 \fBunistd.h\fR(3HEAD)
 347 .sp
 348 .LP
 349 \fISystem Administration Guide: Basic Administration\fR