Linux is a multi-user system: several users can work on it at the same time. Where are those users stored?
/etc/passwd
On Linux the users are stored in the file /etc/passwd. Each user is defined there together with its properties: home directory, login shell, user ID (UID), group ID (GID) and so on.
The file /etc/passwd usually looks like this:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:!:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody::65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false
bitnamiftp:x:1000:1000::/opt/bitnami/apps:/bin/bitnami_ftp_false
mysql:x:1001:1001::/home/mysql:
varnish:x:999:999::/home/varnish:
robot:x:1002:1002::/home/robot:
Here we see the file /etc/passwd, which contains all users. At first glance it looks a bit confusing, so let's break it down, starting with the root user.
root:x:0:0:root:/root:/bin/bash
User = root
Password = x
User ID (UID) = 0
Group ID (GID) = 0
Comment or description (the GECOS field) = root
Home directory = /root
Login shell = /bin/bash
Every line in the file is structured like this. But where is the password? It is in the file /etc/shadow, which only root (and members of the shadow group) can read. I will come back to this in a moment.
We see an x in the password field. What does the x mean exactly? It means that the password is not stored here but in /etc/shadow; the user will be asked for it at login. There are also users whose password field is empty, e.g. this one.
nobody::65534:65534:nobody:/nonexistent:/usr/sbin/nologin
Here there is nothing between the two colons. Such a user can log in without a password, provided the PAM configuration accepts empty passwords (the nullok option of pam_unix) and the service does not refuse them itself (sshd does, unless PermitEmptyPasswords is set to yes).
This is useful if you already have a root shell through an exploit but want a proper root login: as root you can edit /etc/passwd, delete the x in root's line, and from then on become root with su without a password. The same trick is why a world-writable /etc/passwd is a direct privilege escalation for any local user.
Another possibility is to prohibit a user from logging in with a password. In the file we have such a user.
gnats:!:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
This user has an exclamation mark in the password field. Anything that is not a valid crypt(3) hash, such as ! or *, can never match a typed password, so the account is locked for password login. The system administrator must first set a password (with passwd), which then lands in /etc/shadow and turns the field into an x. As long as no password is assigned, the account stays locked and the user cannot log in with one (other mechanisms such as SSH keys may still work).
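As an added example (not code from the original article), the following Python parses /etc/passwd lines and classifies each password field into the cases discussed above: x (look in /etc/shadow), empty, locked, or a hash written straight into /etc/passwd. It goes one step beyond the text by also flagging a second UID-0 account. The sample input is a constructed excerpt of the listing above plus one made-up "toor" line; to run it on a real system, feed it open("/etc/passwd").read() instead.

```python
"""Parse /etc/passwd and classify every password field.

Added example for this article, not code from the original page. The sample is
a constructed excerpt of the listing above plus one made-up "toor" line that
demonstrates the UID-0 check.
"""
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
gnats:!:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody::65534:65534:nobody:/nonexistent:/usr/sbin/nologin
robot:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:1002:1002::/home/robot:
toor:x:0:0:constructed second root:/root:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" = in /etc/shadow; "" = none; "!"/"*" = locked; "$..." = hash here
    uid: int
    gid: int
    gecos: str      # comment / description field
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty, non-comment line into its seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(f)}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def classify_password_field(pw: str) -> str:
    """What pam_unix / login(1) will do with the second field."""
    if pw == "x":
        return "shadow"           # the real hash is in /etc/shadow
    if pw == "":
        return "empty"            # login without a password, if PAM allows it (nullok)
    if pw == "*" or pw.startswith("!"):
        return "locked"           # can never match a typed password
    if pw.startswith("$"):
        return "hash-in-passwd"   # a crypt(3) hash, readable by every local user
    return "unknown"


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for the conditions an admin or pentester looks for."""
    findings = []
    for e in parse_passwd(text):
        kind = classify_password_field(e.password)
        if kind == "empty":
            findings.append((e.name, "empty password field"))
        elif kind == "hash-in-passwd":
            findings.append((e.name, "hash stored in /etc/passwd"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "uid 0 but not root"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```

Read the findings together with the shell column: nobody in the sample has an empty password field but its shell is /usr/sbin/nologin, so the empty field is only a problem for services that authenticate against it without starting that shell.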
/etc/shadow
The file /etc/shadow looks slightly different from the previous one. It stores the passwords as hashes, and only root can read it.
In most cases the file looks like this.
root:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:18017:0:99999:7:::
daemon:*:18017:0:99999:7:::
....
robot:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:18017:0:99999:7:::
mysql:!:18017:0:99999:7:::
debian-tor:*:18017:0:99999:7:::
systemd-coredump:!!:18032::::::
Here each user carries more information. Let's break this down as well.
root:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:18017:0:99999:7:::
User = root
Password hash = $1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1
Day of last password change = 18017 (counted in days since 1 January 1970, here 1 May 2019)
Minimum age (days the user must wait before changing the password again) = 0
Maximum age (days the password stays valid; 99999 means effectively never expires) = 99999
Warning period (days before expiry during which the user is warned) = 7
Inactivity period (days after expiry during which the old password is still accepted before the account is disabled) = empty
Account expiration date (days since 1 January 1970) = empty
Reserved field, not in use = empty
The password itself is not stored here in plain text but as a crypt(3) hash. The hash string is divided into three components separated by $.
The hash ID = 1
This indicates which hashing algorithm is used.
- 1 = MD5 (md5crypt; fast to compute and therefore easy to crack, found on old systems)
- 2a, 2b, 2y = bcrypt (Blowfish-based)
- 5 = SHA-256 crypt
- 6 = SHA-512 crypt (may carry an extra rounds=N parameter before the salt)
- y = yescrypt (the default on recent Debian and Fedora releases)
The salt = Ct7iUpMU. A random per-user value mixed into the hash, so that two users with the same password get different hashes and precomputed rainbow tables cannot be used to look the password up.
The password hash = 5KRrYfhAr6nZfAnUb/ZYd1
This is the hash value of the password itself, computed from the password and the salt.
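The following added example (not code from the original article) parses /etc/shadow lines into the nine fields described above, converts the day counts into dates, splits the $id$salt$hash string into its parts, and works out what login will do with the entry: locked, password expired, account expired, or valid. It generalizes the three-part form shown above to the rounds=N and yescrypt variants and to bcrypt, where the salt and hash are concatenated in one 53-character blob. The sample entries are a constructed excerpt of the listing above plus three made-up aging cases (alice, bob, carol); read the real file with open("/etc/shadow").read() as root.

```python
"""Parse /etc/shadow and decode the aging fields and the crypt(3) hash string.

Added example for this article, not code from the original page. SAMPLE_SHADOW
is a constructed excerpt of the listing above plus three made-up aging cases.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

EPOCH = date(1970, 1, 1)   # fields 3 and 8 count days since this date

# crypt(3) ids; "y" (yescrypt) is the default on newer Debian/Fedora
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

SAMPLE_SHADOW = """\
root:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:18017:0:99999:7:::
daemon:*:18017:0:99999:7:::
mysql:!:18017:0:99999:7:::
systemd-coredump:!!:18032::::::
alice:$6$abc$xyz:18017:0:90:7:::
bob:$6$abc$xyz:18017:0:90:7:30::
carol:$6$abc$xyz:18017:0:99999:7::18200:
"""


@dataclass
class ShadowEntry:
    name: str
    password: str                # hash, or "*", "!", "!!", "" (see password_status)
    last_change: Optional[date]  # empty field = password aging disabled
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[date]
    reserved: str


def day(n: int) -> date:
    """Convert a shadow day count (days since 1970-01-01) to a date."""
    return EPOCH + timedelta(days=n)


def _int(field: str) -> Optional[int]:
    return int(field) if field else None


def _date(field: str) -> Optional[date]:
    n = _int(field)
    return day(n) if n is not None else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        entries.append(ShadowEntry(f[0], f[1], _date(f[2]), _int(f[3]), _int(f[4]),
                                   _int(f[5]), _int(f[6]), _date(f[7]), f[8]))
    return entries


def describe_hash(pw: str) -> Dict[str, object]:
    """Split '$id$[params$]salt$hash' into its parts. A leading '!' (passwd -l)
    locks the account but keeps the old hash behind it."""
    locked = pw.startswith("!")
    parts = pw.lstrip("!").split("$")
    if len(parts) < 4 or parts[0] != "":
        return {"status": "no usable hash", "locked": locked or pw == "*"}
    hash_id = parts[1]
    info: Dict[str, object] = {"status": "hash", "locked": locked, "id": hash_id,
                               "algorithm": HASH_IDS.get(hash_id, "unknown"),
                               "weak": hash_id == "1"}   # md5crypt: cheap to brute-force
    if hash_id in ("2a", "2b", "2y"):      # bcrypt: cost, then 22-char salt + 31-char hash
        info.update(params=parts[2], salt=parts[3][:22], hash=parts[3][22:])
    elif hash_id == "y" or parts[2].startswith("rounds="):
        info.update(params=parts[2], salt=parts[3], hash="$".join(parts[4:]))
    else:
        info.update(salt=parts[2], hash="$".join(parts[3:]))
    return info


def password_status(e: ShadowEntry, today: date) -> str:
    """What login will do with this entry on the given day."""
    if e.password == "":
        return "no password"
    if e.password.startswith("!") or e.password == "*":
        return "locked"
    if e.last_change is None:
        return "valid (aging disabled)"
    if e.last_change == EPOCH:          # a 0 in field 3 forces a change at next login
        return "must change at next login"
    if e.expire is not None and today >= e.expire:
        return "account expired"
    if e.max_days is not None and e.max_days < 99999:
        deadline = e.last_change + timedelta(days=e.max_days)
        if today > deadline:
            if e.inactive_days is not None and today > deadline + timedelta(days=e.inactive_days):
                return "password expired, account inactive"
            return "password expired"
    return "valid"


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(e.name, password_status(e, date.today()), describe_hash(e.password))
```

The md5crypt "weak" flag is the practical takeaway for a pentester: a $1$ hash from a readable shadow copy is worth a dictionary run, whereas $6$ or $y$ hashes cost orders of magnitude more per guess.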
You can also store the password hash directly in /etc/passwd: replace the x with the hash and the password is checked against that field instead (pam_unix only consults /etc/shadow when the field is exactly x). Writing the file requires root or a misconfigured, writable /etc/passwd, which is why that is a classic privilege escalation. Note the downside: /etc/passwd is readable by every user, so a hash stored there can be copied and cracked offline by anyone on the box.
robot:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:1002:1002::/home/robot:
I hope I was able to explain the two files understandably 😄