'\" te
.\" Copyright (c) 2013 Gary Mills
.\" Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 1989 AT&T
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.TH PASSWD 4 "Apr 16, 2013"
.SH NAME
passwd \- password file
.SH SYNOPSIS
.LP
.nf
\fB/etc/passwd\fR
.fi

.SH DESCRIPTION
.sp
.LP
The file \fB/etc/passwd\fR is a local source of information about users'
accounts. The password file can be used in conjunction with other naming
sources, such as the \fBNIS\fR maps \fBpasswd.byname\fR and \fBpasswd.bygid\fR,
data from the \fBNIS+\fR \fBpasswd\fR table, or password data stored on an LDAP
server. Programs use the \fBgetpwnam\fR(3C) routines to access this
information.
.sp
.LP
Each \fBpasswd\fR entry is a single line of the form:
.sp
.in +2
.nf
\fIusername\fR\fB:\fR\fIpassword\fR\fB:\fR\fIuid\fR\fB:\fR
\fIgid\fR\fB:\fR\fIgcos-field\fR\fB:\fR\fIhome-dir\fR\fB:\fR
\fIlogin-shell\fR
.fi
.in -2
.sp

.sp
.LP
where
.sp
.ne 2
.na
\fB\fIusername\fR\fR
.ad
.RS 15n
is the user's login name.
.sp
The login (\fBlogin\fR) and role (\fBrole\fR) fields accept a string of no more
than 32 bytes consisting of characters from the set of alphabetic
characters, numeric characters, period (\fB\&.\fR), underscore (\fB_\fR), and
hyphen (\fB-\fR). The first character should be alphabetic and the field should
contain at least one lower case alphabetic character. A warning message is
displayed if these restrictions are not met.
.sp
The \fBlogin\fR and \fBrole\fR fields must contain at least one character and
must not contain a colon (\fB:\fR) or a newline (\fB\en\fR).
.RE

.sp
.ne 2
.na
\fB\fIpassword\fR\fR
.ad
.RS 15n
is an empty field. The encrypted password for the user is in the corresponding
entry in the \fB/etc/shadow\fR file. \fBpwconv\fR(1M) relies on a special value
of '\fBx\fR' in the password field of \fB/etc/passwd\fR. If this value
of '\fBx\fR' exists in the password field of \fB/etc/passwd\fR, this indicates
that the password for the user is already in \fB/etc/shadow\fR and should not
be modified.
.RE

.sp
.ne 2
.na
\fB\fIuid\fR\fR
.ad
.RS 15n
is the user's unique numerical \fBID\fR for the system.
.RE

.sp
.ne 2
.na
\fB\fIgid\fR\fR
.ad
.RS 15n
is the unique numerical \fBID\fR of the group that the user belongs to.
.RE

.sp
.ne 2
.na
\fB\fIgcos-field\fR\fR
.ad
.RS 15n
is the user's real name, along with information to pass along in a mail-message
heading. (It is called the gcos-field for historical reasons.) An ``\fB&\fR\&''
(ampersand) in this field stands for the login name (in cases where the login
name appears in a user's real name).
.RE

.sp
.ne 2
.na
\fB\fIhome-dir\fR\fR
.ad
.RS 15n
is the pathname to the directory in which the user is initially positioned upon
logging in.
.RE

.sp
.ne 2
.na
\fB\fIlogin-shell\fR\fR
.ad
.RS 15n
is the user's initial shell program. If this field is empty, the default shell
is \fB/usr/bin/sh\fR.
.RE

.sp
.LP
The maximum value of the \fIuid\fR and \fIgid\fR fields is \fB2147483647\fR. To
maximize interoperability and compatibility, it is recommended that
administrators assign users \fBUID\fRs and \fBGID\fRs from a range below
\fB60000\fR where possible. (\fBUID\fRs from \fB0\fR-\fB99\fR inclusive are
reserved by the operating system vendor for use in future applications. Their
use by end system users or vendors of layered products is not supported and may
cause security related issues with future applications.)
.sp
.LP
The password file is an \fBASCII\fR file that resides in the \fB/etc\fR
directory. Because the encrypted passwords on a secure system are always kept
in the \fBshadow\fR file, \fB/etc/passwd\fR has general read permission on all
systems and can be used by routines that map between numerical user \fBID\fRs
and user names.
.sp
.LP
Blank lines are treated as malformed entries in the \fBpasswd\fR file and cause
consumers of the file, such as \fBgetpwnam\fR(3C), to fail.
.sp
.LP
The password file can contain entries beginning with a `+' (plus sign) or `-'
(minus sign) to selectively incorporate entries from another naming service
source, such as NIS, NIS+, or LDAP.
.sp
.LP
A line beginning with a `+' means to incorporate entries from the naming
service source. There are three styles of the `+' entries in this file. A
single + means to insert all the entries from the alternate naming service
source at that point, while a +\fIname\fR means to insert the specific entry,
if one exists, from the naming service source. A +@\fInetgroup\fR means to
insert the entries for all members of the network group \fInetgroup\fR from the
alternate naming service. If a +\fIname\fR entry has a non-null \fBpassword\fR,
\fIgcos\fR, \fIhome-dir\fR, or \fIlogin-shell\fR field, the value of that field
overrides what is contained in the alternate naming service. The \fIuid\fR and
\fIgid\fR fields cannot be overridden.
.sp
.LP
A line beginning with a `\(mi' means to disallow entries from the alternate
naming service. There are two styles of `\(mi' entries in this file. -\fIname\fR
means to disallow any subsequent entries (if any) for \fIname\fR (in this file
or in a naming service), and -@\fInetgroup\fR means to disallow any subsequent
entries for all members of the network group \fInetgroup\fR.
.sp
.LP
This is also supported by specifying ``passwd : compat'' in
\fBnsswitch.conf\fR(4). The "compat" source might not be supported in future
releases. The preferred sources are \fBfiles\fR followed by the identifier of a
name service, such as \fBnis\fR or \fBldap\fR. This has the effect of
incorporating the entire contents of the naming service's \fBpasswd\fR database
or password-related information after the \fBpasswd\fR file.
.sp
.LP
Note that in compat mode, for every \fB/etc/passwd\fR entry, there must be a
corresponding entry in the \fB/etc/shadow\fR file.
.sp
.LP
Appropriate precautions must be taken to lock the \fB/etc/passwd\fR file
against simultaneous changes if it is to be edited with a text editor;
\fBvipw\fR(1B) does the necessary locking.
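.sp
.LP
The following audit script is an added example; it is not part of this manual
page or of the operating system. It checks lines in \fBpasswd\fR format
against the rules stated above (blank lines, the seven-field layout, the login
name restrictions, the \fIuid\fR and \fIgid\fR limits, the '\fBx\fR' password
convention, the '\fB&\fR' substitution and the default shell) and recognises
`+' and `\(mi' compat entries without expanding them. The sample lines and the
problem messages are constructed for illustration.

```python
# Added example, not illumos code: audit passwd(4) entries against the rules in
# the manual page. The sample lines at the end are constructed for illustration.
import re

MAX_ID, RECOMMENDED_MAX = 2147483647, 60000  # hard limit; keep ids below 60000
DEFAULT_SHELL = "/usr/bin/sh"                # used when login-shell is empty
# login: at most 32 bytes, alphabetic first, [A-Za-z0-9._-] only, one lower-case
LOGIN_RE = re.compile(r"(?=.*[a-z])[A-Za-z][A-Za-z0-9._-]{0,31}\Z")

def parse_entry(line):
    """Return (kind, record, problems); kind is 'blank', 'compat' or 'user'."""
    line = line.rstrip("\n")
    if line.strip() == "":   # blank lines are malformed and break getpwnam(3C)
        return "blank", None, ["blank line is a malformed entry"]
    if line[0] in "+-":      # compat directive: +, +name, +@netgroup, -name, -@netgroup
        return "compat", {"directive": line.split(":", 1)[0]}, []
    fields = line.split(":")
    if len(fields) != 7:
        return "user", None, ["expected 7 colon-separated fields, got %d" % len(fields)]
    name, pw, uid, gid, gcos, home, shell = fields
    problems, ids = [], {}
    if not LOGIN_RE.match(name):  # also rejects empty names and embedded newlines
        problems.append("login violates the 32-byte/alpha-first/lower-case rule")
    for label, value in (("uid", uid), ("gid", gid)):
        ok = value.isdigit() and int(value) <= MAX_ID
        ids[label] = int(value) if ok else None
        if not ok:
            problems.append("%s must be an integer in 0..%d" % (label, MAX_ID))
        elif ids[label] >= RECOMMENDED_MAX:
            problems.append("%s %d is not below the recommended %d" % (label, ids[label], RECOMMENDED_MAX))
    if pw not in ("x", ""):  # the hash belongs in /etc/shadow, with 'x' left here
        problems.append("password field holds a hash instead of 'x'")
    record = {"name": name, "uid": ids["uid"], "gid": ids["gid"], "home": home,
              "gcos": gcos.replace("&", name),  # '&' stands for the login name
              "shell": shell or DEFAULT_SHELL}
    return "user", record, problems

def audit(lines):
    """Map 1-based line numbers to problems, for every line that has any."""
    parsed = [(n, parse_entry(l)[2]) for n, l in enumerate(lines, 1)]
    return {n: problems for n, problems in parsed if problems}

SAMPLE = [  # constructed, modelled on the examples in passwd(4)
    "root:x:0:1:Super-User:/:/sbin/sh",
    "fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh",
    "",
    "+@documentation:no-login:",
    "2bad:x:70000:10:Bad Name:/home/2bad:",
]
```

Running audit(SAMPLE) reports the hash left in the world-readable file on line 2, the blank line 3, and the bad login name and out-of-range uid on line 5; the compat entry on line 4 is accepted without being expanded.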
.SH EXAMPLES
.LP
\fBExample 1 \fRSample \fBpasswd\fR File
.sp
.LP
The following is a sample \fBpasswd\fR file:

.sp
.in +2
.nf
root:x:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
.fi
.in -2
.sp

.sp
.LP
and the sample password entry from \fBnsswitch.conf\fR:

.sp
.in +2
.nf
passwd: files ldap
.fi
.in -2
.sp

.sp
.LP
In this example, there are specific entries for users \fBroot\fR and \fBfred\fR
to assure that they can log in even when the system is running single-user. In
addition, anyone whose password information is stored on an LDAP server will be
able to log in with their usual password, shell, and home directory.

.sp
.LP
If the password file is:

.sp
.in +2
.nf
root:x:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
+
.fi
.in -2
.sp

.sp
.LP
and the password entry in \fBnsswitch.conf\fR is:

.sp
.in +2
.nf
passwd: compat
.fi
.in -2
.sp

.sp
.LP
then all the entries listed in the \fBNIS\fR \fBpasswd.byuid\fR and
\fBpasswd.byname\fR maps will be effectively incorporated after the entries for
\fBroot\fR and \fBfred\fR. If the password entry in \fBnsswitch.conf\fR is:

.sp
.in +2
.nf
passwd_compat: ldap
passwd: compat
.fi
.in -2

.sp
.LP
then all password-related entries stored on the LDAP server will be
incorporated after the entries for \fBroot\fR and \fBfred\fR.

.sp
.LP
The following is a sample \fBpasswd\fR file when \fBshadow\fR does not exist:

.sp
.in +2
.nf
root:q.mJzTnu8icf.:0:1:Super-User:/:/sbin/sh
fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
+john:
+@documentation:no-login:
+::::Guest
.fi
.in -2
.sp

.sp
.LP
The following is a sample \fBpasswd\fR file when \fBshadow\fR does exist:

.sp
.in +2
.nf
root:##root:0:1:Super-User:/:/sbin/sh
fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
+john:
+@documentation:no-login:
+::::Guest
.fi
.in -2
.sp

.sp
.LP
In this example, there are specific entries for users \fBroot\fR and
\fBfred\fR, to assure that they can log in even when the system is running
standalone. The user \fBjohn\fR will have his password entry in the naming
service source incorporated without change, anyone in the netgroup
\fBdocumentation\fR will have their password field disabled, and anyone else
will be able to log in with their usual password, shell, and home directory,
but with a \fIgcos\fR field of \fBGuest\fR.

.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/nsswitch.conf\fR\fR
.ad
.RS 22n

.RE

.sp
.ne 2
.na
\fB\fB/etc/passwd\fR\fR
.ad
.RS 22n

.RE

.sp
.ne 2
.na
\fB\fB/etc/shadow\fR\fR
.ad
.RS 22n

.RE

.SH SEE ALSO
.sp
.LP
\fBchgrp\fR(1), \fBchown\fR(1), \fBfinger\fR(1), \fBgroups\fR(1),
\fBlogin\fR(1), \fBnewgrp\fR(1), \fBnispasswd\fR(1), \fBpasswd\fR(1),
\fBsh\fR(1), \fBsort\fR(1), \fBdomainname\fR(1M), \fBgetent\fR(1M),
\fBin.ftpd\fR(1M), \fBpassmgmt\fR(1M), \fBpwck\fR(1M), \fBpwconv\fR(1M),
\fBsu\fR(1M), \fBuseradd\fR(1M), \fBuserdel\fR(1M), \fBusermod\fR(1M),
\fBa64l\fR(3C), \fBcrypt\fR(3C), \fBgetpw\fR(3C), \fBgetpwnam\fR(3C),
\fBgetspnam\fR(3C), \fBputpwent\fR(3C), \fBgroup\fR(4), \fBhosts.equiv\fR(4),
\fBnsswitch.conf\fR(4), \fBshadow\fR(4), \fBenviron\fR(5),
\fBunistd.h\fR(3HEAD)
.sp
.LP
\fISystem Administration Guide: Basic Administration\fR