In my CentOS 7 system (and other Linux flavors), I have noticed that there are two passwd files, /etc/passwd and /usr/bin/passwd. The former contains plaintext information about the users, groups, default shells, etc., whereas the latter is a binary (?) file that the "passwd" command invokes (as suggested by "which passwd").
These may be basic questions, but I have tried my luck with manuals and explanations on forums, albeit not fully clarifying my mental picture:
1) What is the purpose of each file, and why do we have both?
2) Are the two files related -- is the /usr/bin/passwd a binary version of the /etc/passwd that is constantly updated, for efficiency purposes?
3) What are the appropriate permissions on these files (I am getting a "passwd: Authentication token manipulation error" if I try to change the login password of a non-sudoer user from that user's account, which is what prompted this line of questioning to begin with)?
Thanks for reading and I am looking forward to your thoughts!
/usr/bin/passwd is a binary used for setting/changing a user's password. /etc/passwd lists users, their home directories, UIDs, GIDs and shells. Passwords are stored (encrypted) in /etc/shadow.
Traditionally, the /etc/passwd file is used to keep track of every registered user that has access to a system. The /etc/passwd file is a colon-separated file that contains the following information: User name. Encrypted password. User ID number (UID)
The /etc/passwd file aims at user account details while /etc/shadow aims at the user's password details. The passwd file is world-readable. The shadow file can only be read by the root account. The user's encrypted password can only be stored in the /etc/shadow file.
If you remove the 2nd field of the /etc/passwd file then users can login without any challenge. Simply attempting to login will allow them in.
The two files are different, and serve different purposes.

/etc/passwd is the user database (fun fact: contrary to its name, it doesn't store passwords; those are stored (possibly in hashed form) in /etc/shadow) - see man 5 passwd (i.e. passwd(5)), man 5 shadow (i.e. shadow(5)).

/usr/bin/passwd is a utility that is supposed to modify user records stored in /etc/passwd and /etc/shadow. See man 1 passwd (i.e. passwd(1)).
/etc/passwd is the password file but it doesn't have to contain passwords - see below. It's a plain text file that contains a list of users and groups on a given system. You can read more about it in man 5 passwd:

/etc/passwd contains one line for each user account, with seven fields delimited by colons (":"). These fields are:
· login name
· optional encrypted password
· numerical user ID
· numerical group ID
· user name or comment field
· user home directory
· optional user command interpreter

And /usr/bin/passwd is a utility for changing user passwords, commonly a part of the shadow package.

Note that, ironically, users' passwords are not stored in /etc/passwd but in /etc/shadow on today's systems, so "password file" might be a bit misleading. From man 5 passwd:

If the password field is a lower-case "x", then the encrypted password is actually stored in the shadow(5) file instead; there must be a corresponding line in the /etc/shadow file, or else the user account is invalid.

A regular user cannot even read /etc/shadow because it does not have a read privilege on this file, but can use the passwd utility to change his password because passwd has the setuid bit set:
https://unix.stackexchange.com/questions/101467/how-does-the-passwd-command-gain-root-user-permissions

No, /usr/bin/passwd is not a binary version of /etc/passwd. See:

$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1335 Jul 14 2016 /etc/passwd
$ ls -l /usr/bin/passwd
-rws--x--x 1 root root 77689 Jul 2 2014 /usr/bin/passwd
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 719 Aug 5 2016 /etc/shadow

You cannot change other users' passwords as the regular user.
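The answers above describe three things a defender can check mechanically: the seven-field layout of /etc/passwd, the two rules for the password field (an empty field means login without a password; an "x" needs a matching /etc/shadow line or the account is invalid), and the mode bits shown by ls -l (world-readable passwd file, setuid passwd binary, shadow readable only by root and the shadow group). The following Python script is an added example, not code from any of the answers or from the shadow package. The /etc/passwd and /etc/shadow contents are constructed samples with placeholder hashes; the expected octal modes are taken from the ls -l output in the answer above, and the rule checks are those quoted from passwd(5) and the earlier answer.

```python
"""Parse passwd(5)/shadow(5)-format text and audit the mode bits of the
three files discussed above. Added example; samples below are constructed."""
import os
import stat
from typing import Dict, List

# Constructed sample in /etc/passwd format: seven colon-separated fields (passwd(5)).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob::1001:1001:Bob, empty password field:/home/bob:/bin/sh
carol:x:1002:1002:Carol, no shadow line:/home/carol:/bin/bash
"""

# Constructed sample in /etc/shadow format; the hash values are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17500:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17500:0:99999:7:::
"""

# Permission bits as shown by the ls -l output in the answer above (octal).
EXPECTED_MODES = {
    "/etc/passwd": 0o644,       # -rw-r--r--: world-readable, writable by root only
    "/usr/bin/passwd": 0o4711,  # -rws--x--x: setuid root, executable by everyone
    "/etc/shadow": 0o640,       # -rw-r-----: owner root, group shadow, no world access
}


def parse_passwd(text: str) -> Dict[str, dict]:
    """Return {login: fields} per line; raise on a line without exactly seven fields."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        users[name] = {"password": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """Return {login: encrypted-password field} from shadow(5)-format text (nine fields)."""
    hashes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        hashes[fields[0]] = fields[1]
    return hashes


def audit_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    """Apply the two rules quoted above: an empty field means passwordless login,
    and an 'x' needs a matching /etc/shadow line or the account is invalid."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for name, u in parse_passwd(passwd_text).items():
        pw = u["password"]
        if pw == "":
            findings.append(f"{name}: empty password field, login succeeds without a password")
        elif pw == "x" and name not in shadow:
            findings.append(f"{name}: password field is 'x' but no /etc/shadow line exists (account invalid)")
    return findings


def audit_modes(modes: Dict[str, int]) -> List[str]:
    """Compare mode bits (as returned by os.stat(path).st_mode) with the expected ones."""
    findings = []
    for path, expected in EXPECTED_MODES.items():
        if path not in modes:
            continue
        actual = stat.S_IMODE(modes[path])
        if path == "/etc/shadow" and actual & stat.S_IROTH:
            findings.append(f"{path}: world-readable ({actual:04o}); hashes exposed to every user")
        if path == "/usr/bin/passwd" and not actual & stat.S_ISUID:
            findings.append(f"{path}: setuid bit missing ({actual:04o}); regular users cannot update /etc/shadow")
        if actual != expected:
            findings.append(f"{path}: mode {actual:04o} differs from expected {expected:04o}")
    return findings


def audit_live_modes() -> List[str]:
    """Read the real mode bits of the three files on this host (stat only; no root needed)."""
    modes = {p: os.stat(p).st_mode for p in EXPECTED_MODES if os.path.exists(p)}
    return audit_modes(modes)


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW) + audit_live_modes():
        print(finding)
```

On the constructed sample the account audit reports bob (empty password field) and carol ("x" with no shadow line); the mode audit is silent when the bits match the ls -l output above and complains when /etc/shadow is world-readable or the setuid bit on /usr/bin/passwd is missing, which is the kind of permission damage behind the "Authentication token manipulation error" the question mentions.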