    
2989 Eliminate use of LOGNAME_MAX in ON
1166 useradd have warning with name more 8 chars
    
      
    
    
          --- old/usr/src/man/man4/passwd.4
          +++ new/usr/src/man/man4/passwd.4
   1    1  '\" te
        2 +.\" Copyright (c) 2013 Gary Mills
   2    3  .\" Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved.
   3    4  .\" Copyright 1989 AT&T
   4    5  .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   5    6  .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   6    7  .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7      -.TH PASSWD 4 "Jul 28, 2004"
        8 +.TH PASSWD 4 "Apr 16, 2013"
   8    9  .SH NAME
   9   10  passwd \- password file
  10   11  .SH SYNOPSIS
  11   12  .LP
  12   13  .nf
  13   14  \fB/etc/passwd\fR
  14   15  .fi
  15   16  
  16   17  .SH DESCRIPTION
  17   18  .sp
  18   19  .LP
  19   20  The file \fB/etc/passwd\fR is a local source of information about users'
  20   21  accounts. The password file can be used in conjunction with other naming
  21   22  sources, such as the \fBNIS\fR maps \fBpasswd.byname\fR and \fBpasswd.bygid\fR,
  22   23  data from the \fBNIS+\fR \fBpasswd\fR table, or password data stored on an LDAP
  23   24  server. Programs use the \fBgetpwnam\fR(3C) routines to access this
  24   25  information.
  25   26  .sp
  26   27  .LP
  27   28  Each \fBpasswd\fR entry is a single line of the form:
  28   29  .sp
  29   30  .in +2
  30   31  .nf
  31   32  \fIusername\fR\fB:\fR\fIpassword\fR\fB:\fR\fIuid\fR\fB:\fR
  32   33  \fIgid\fR\fB:\fR\fIgcos-field\fR\fB:\fR\fIhome-dir\fR\fB:\fR
  33   34  \fIlogin-shell\fR
  34   35  .fi
  35   36  .in -2
  36   37  .sp
  37   38  
  38   39  .sp
  39   40  .LP
  
  
  40   41  where
  41   42  .sp
  42   43  .ne 2
  43   44  .na
  44   45  \fB\fIusername\fR\fR
  45   46  .ad
  46   47  .RS 15n
  47   48  is the user's login name.
  48   49  .sp
  49   50  The login (\fBlogin\fR) and role (\fBrole\fR) fields accept a string of no more
  50      -than eight bytes consisting of characters from the set of alphabetic
       51 +than 32 bytes consisting of characters from the set of alphabetic
  51   52  characters, numeric characters, period (\fB\&.\fR), underscore (\fB_\fR), and
  52   53  hyphen (\fB-\fR). The first character should be alphabetic and the field should
  53   54  contain at least one lower case alphabetic character. A warning message is
  54   55  displayed if these restrictions are not met.
  55   56  .sp
  56   57  The \fBlogin\fR and \fBrole\fR fields must contain at least one character and
  57   58  must not contain a colon (\fB:\fR) or a newline (\fB\en\fR).
  58   59  .RE
  59   60  
  60   61  .sp
  61   62  .ne 2
  62   63  .na
  63   64  \fB\fIpassword\fR\fR
  64   65  .ad
  65   66  .RS 15n
  66   67  is an empty field. The encrypted password for the user is in the corresponding
  67   68  entry in the \fB/etc/shadow\fR file. \fBpwconv\fR(1M) relies on a special value
  68   69  of '\fBx\fR' in the password field of \fB/etc/passwd\fR. If this value
  69   70  of '\fBx\fR' exists in the password field of \fB/etc/passwd\fR, this indicates
  70   71  that the password for the user is already in \fB/etc/shadow\fR and should not
  71   72  be modified.
  72   73  .RE
  73   74  
  74   75  .sp
  75   76  .ne 2
  76   77  .na
  77   78  \fB\fIuid\fR\fR
  78   79  .ad
  79   80  .RS 15n
  80   81  is the user's unique numerical \fBID\fR for the system.
  81   82  .RE
  82   83  
  83   84  .sp
  84   85  .ne 2
  85   86  .na
  86   87  \fB\fIgid\fR\fR
  87   88  .ad
  88   89  .RS 15n
  89   90  is the unique numerical \fBID\fR of the group that the user belongs to.
  90   91  .RE
  91   92  
  92   93  .sp
  93   94  .ne 2
  94   95  .na
  95   96  \fB\fIgcos-field\fR\fR
  96   97  .ad
  97   98  .RS 15n
  98   99  is the user's real name, along with information to pass along in a mail-message
  99  100  heading. (It is called the gcos-field for historical reasons.) An ``\fB&\fR\&''
 100  101  (ampersand) in this field stands for the login name (in cases where the login
 101  102  name appears in a user's real name).
 102  103  .RE
 103  104  
 104  105  .sp
 105  106  .ne 2
 106  107  .na
 107  108  \fB\fIhome-dir\fR\fR
 108  109  .ad
 109  110  .RS 15n
 110  111  is the pathname to the directory in which the user is initially positioned upon
 111  112  logging in.
 112  113  .RE
 113  114  
 114  115  .sp
 115  116  .ne 2
 116  117  .na
 117  118  \fB\fIlogin-shell\fR\fR
 118  119  .ad
 119  120  .RS 15n
 120  121  is the user's initial shell program. If this field is empty, the default shell
 121  122  is \fB/usr/bin/sh\fR.
 122  123  .RE
 123  124  
 124  125  .sp
 125  126  .LP
 126  127  The maximum value of the \fIuid\fR and \fIgid\fR fields is \fB2147483647\fR. To
 127  128  maximize interoperability and compatibility, administrators are recommended to
 128  129  assign users a range of \fBUID\fRs and \fBGID\fRs below \fB60000\fR where
 129  130  possible. (\fBUID\fRs from \fB0\fR-\fB99\fR inclusive are reserved by the
 130  131  operating system vendor for use in future applications. Their use by end system
 131  132  users or vendors of layered products is not supported and may cause security
 132  133  related issues with future applications.)
 133  134  .sp
 134  135  .LP
 135  136  The password file is an \fBASCII\fR file that resides in the \fB/etc\fR
 136  137  directory. Because the encrypted passwords on a secure system are always kept
 137  138  in the \fBshadow\fR file, \fB/etc/passwd\fR has general read permission on all
 138  139  systems and can be used by routines that map between numerical user \fBID\fRs
 139  140  and user names.
 140  141  .sp
 141  142  .LP
 142  143  Blank lines are treated as malformed entries in the \fBpasswd\fR file and cause
 143  144  consumers of the file , such as \fBgetpwnam\fR(3C), to fail.
 144  145  .sp
 145  146  .LP
 146  147  The password file can contain entries beginning with a `+' (plus sign) or '-'
 147  148  (minus sign) to selectively incorporate entries from another naming service
 148  149  source, such as NIS, NIS+, or LDAP.
 149  150  .sp
 150  151  .LP
 151  152  A line beginning with a '+' means to incorporate entries from the naming
 152  153  service source. There are three styles of the '+' entries in this file. A
 153  154  single + means to insert all the entries from the alternate naming service
 154  155  source at that point, while a +\fIname\fR means to insert the specific entry,
 155  156  if one exists, from the naming service source. A +@\fInetgroup\fR means to
 156  157  insert the entries for all members of the network group \fInetgroup\fR from the
 157  158  alternate naming service. If a +\fIname\fR entry has a non-null \fBpassword\fR,
 158  159  \fIgcos\fR, \fIhome-dir\fR, or \fIlogin-shell\fR field, the value of that field
 159  160  overrides what is contained in the alternate naming service. The \fIuid\fR and
 160  161  \fIgid\fR fields cannot be overridden.
 161  162  .sp
 162  163  .LP
 163  164  A line beginning with a `\(mi' means to disallow entries from the alternate
 164  165  naming service. There are two styles of `-` entries in this file. -\fIname\fR
 165  166  means to disallow any subsequent entries (if any) for \fIname\fR (in this file
 166  167  or in a naming service), and -@\fInetgroup\fR means to disallow any subsequent
 167  168  entries for all members of the network group \fInetgroup\fR.
 168  169  .sp
 169  170  .LP
 170  171  This is also supported by specifying ``passwd : compat'' in
 171  172  \fBnsswitch.conf\fR(4). The "compat" source might not be supported in future
 172  173  releases. The preferred sources are \fBfiles\fR followed by the identifier of a
 173  174  name service, such as \fBnis\fR or \fBldap\fR. This has the effect of
 174  175  incorporating the entire contents of the naming service's \fBpasswd\fR database
 175  176  or password-related information after the \fBpasswd\fR file.
 176  177  .sp
 177  178  .LP
 178  179  Note that in compat mode, for every \fB/etc/passwd\fR entry, there must be a
 179  180  corresponding entry in the \fB/etc/shadow\fR file.
 180  181  .sp
 181  182  .LP
 182  183  Appropriate precautions must be taken to lock the \fB/etc/passwd\fR file
 183  184  against simultaneous changes if it is to be edited with a text editor;
 184  185  \fBvipw\fR(1B) does the necessary locking.
 185  186  .SH EXAMPLES
 186  187  .LP
 187  188  \fBExample 1 \fRSample \fBpasswd\fR File
 188  189  .sp
 189  190  .LP
 190  191  The following is a sample \fBpasswd\fR file:
 191  192  
 192  193  .sp
 193  194  .in +2
 194  195  .nf
 195  196  root:x:0:1:Super-User:/:/sbin/sh
 196  197  fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
 197  198  .fi
 198  199  .in -2
 199  200  .sp
 200  201  
 201  202  .sp
 202  203  .LP
 203  204  and the sample password entry from \fBnsswitch.conf\fR:
 204  205  
 205  206  .sp
 206  207  .in +2
 207  208  .nf
 208  209  passwd: files ldap
 209  210  .fi
 210  211  .in -2
 211  212  .sp
 212  213  
 213  214  .sp
 214  215  .LP
 215  216  In this example, there are specific entries for users \fBroot\fR and \fBfred\fR
 216  217  to assure that they can login even when the system is running single-user. In
 217  218  addition, anyone whose password information is stored on an LDAP server will be
 218  219  able to login with their usual password, shell, and home directory.
 219  220  
 220  221  .sp
 221  222  .LP
 222  223  If the password file is:
 223  224  
 224  225  .sp
 225  226  .in +2
 226  227  .nf
 227  228  root:x:0:1:Super-User:/:/sbin/sh
 228  229  fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
 229  230  +
 230  231  .fi
 231  232  .in -2
 232  233  .sp
 233  234  
 234  235  .sp
 235  236  .LP
 236  237  and the password entry in \fBnsswitch.conf\fR is:
 237  238  
 238  239  .sp
 239  240  .in +2
 240  241  .nf
 241  242  passwd: compat
 242  243  .fi
 243  244  .in -2
 244  245  .sp
 245  246  
 246  247  .sp
 247  248  .LP
 248  249  then all the entries listed in the \fBNIS\fR \fBpasswd.byuid\fR and
 249  250  \fBpasswd.byname\fR maps will be effectively incorporated after the entries for
 250  251  \fBroot\fR and \fBfred\fR. If the password entry in \fBnsswitch.conf\fR is:
 251  252  
 252  253  .sp
 253  254  .in +2
 254  255  .nf
 255  256  passwd_compat: ldap
 256  257  passwd: compat
 257  258  .fi
 258  259  .in -2
 259  260  
 260  261  .sp
 261  262  .LP
 262  263  then all password-related entries stored on the LDAP server will be
 263  264  incorporated after the entries for \fBroot\fR and \fBfred\fR.
 264  265  
 265  266  .sp
 266  267  .LP
 267  268  The following is a sample \fBpasswd\fR file when \fBshadow\fR does not exist:
 268  269  
 269  270  .sp
 270  271  .in +2
 271  272  .nf
 272  273  root:q.mJzTnu8icf.:0:1:Super-User:/:/sbin/sh
 273  274  fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
 274  275  +john:
 275  276  +@documentation:no-login:
 276  277  +::::Guest
 277  278  .fi
 278  279  .in -2
 279  280  .sp
 280  281  
 281  282  .sp
 282  283  .LP
 283  284  The following is a sample \fBpasswd\fR file when \fBshadow\fR does exist:
 284  285  
 285  286  .sp
 286  287  .in +2
 287  288  .nf
 288  289  root:##root:0:1:Super-User:/:/sbin/sh
 289  290  fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
 290  291  +john:
 291  292  +@documentation:no-login:
 292  293  +::::Guest
 293  294  .fi
 294  295  .in -2
 295  296  .sp
 296  297  
 297  298  .sp
 298  299  .LP
 299  300  In this example, there are specific entries for users \fBroot\fR and
 300  301  \fBfred\fR, to assure that they can log in even when the system is running
 301  302  standalone. The user \fBjohn\fR will have his password entry in the naming
 302  303  service source incorporated without change, anyone in the netgroup
 303  304  \fBdocumentation\fR will have their password field disabled, and anyone else
 304  305  will be able to log in with their usual password, shell, and home directory,
 305  306  but with a \fIgcos\fR field of \fBGuest\fR
 306  307  
 307  308  .SH FILES
 308  309  .sp
 309  310  .ne 2
 310  311  .na
 311  312  \fB\fB/etc/nsswitch.conf\fR\fR
 312  313  .ad
 313  314  .RS 22n
 314  315  
 315  316  .RE
 316  317  
 317  318  .sp
 318  319  .ne 2
 319  320  .na
 320  321  \fB\fB/etc/passwd\fR\fR
 321  322  .ad
 322  323  .RS 22n
 323  324  
 324  325  .RE
 325  326  
 326  327  .sp
 327  328  .ne 2
 328  329  .na
 329  330  \fB\fB/etc/shadow\fR\fR
 330  331  .ad
 331  332  .RS 22n
 332  333  
 333  334  .RE
 334  335  
 335  336  .SH SEE ALSO
 336  337  .sp
 337  338  .LP
 338  339  \fBchgrp\fR(1), \fBchown\fR(1), \fBfinger\fR(1), \fBgroups\fR(1),
 339  340  \fBlogin\fR(1), \fBnewgrp\fR(1), \fBnispasswd\fR(1), \fBpasswd\fR(1),
 340  341  \fBsh\fR(1), \fBsort\fR(1), \fBdomainname\fR(1M), \fBgetent\fR(1M),
 341  342  \fBin.ftpd\fR(1M), \fBpassmgmt\fR(1M), \fBpwck\fR(1M), \fBpwconv\fR(1M),
 342  343  \fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M), \fBusermod\fR(1M),
 343  344  \fBa64l\fR(3C), \fBcrypt\fR(3C), \fBgetpw\fR(3C), \fBgetpwnam\fR(3C),
 344  345  \fBgetspnam\fR(3C), \fBputpwent\fR(3C), \fBgroup\fR(4), \fBhosts.equiv\fR(4),
 345  346  \fBnsswitch.conf\fR(4), \fBshadow\fR(4), \fBenviron\fR(5),
 346  347  \fBunistd.h\fR(3HEAD)
 347  348  .sp
 348  349  .LP
 349  350  \fISystem Administration Guide: Basic Administration\fR
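Review bot: at new line 51 the length limit changes from eight to 32 bytes, but the paragraph still ends with "A warning message is displayed if these restrictions are not met", so it is unclear whether a name longer than 32 bytes is rejected or only warned about; please state which behaviour applies to the length limit. The DESCRIPTION names NIS, NIS+ and LDAP as alternate sources and the uid/gid paragraph already carries interoperability advice (stay below 60000), so a matching sentence on names longer than eight bytes in mixed or older environments would fit in the username entry. Minor style point: the removed line spelled the number out ("eight") while the new line uses a numeral.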
  