
Linux – Passwd and shadow file explained

Strider

Linux is a multi-user system: several users can work on the same machine at the same time. So where are those users stored?

/etc/passwd

On Linux, local users are stored in the file /etc/passwd. Each user is defined here together with its properties: home directory, login shell, user ID (UID), group ID (GID) and so on.

A typical /etc/passwd looks like this:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:!:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody::65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false
bitnamiftp:x:1000:1000::/opt/bitnami/apps:/bin/bitnami_ftp_false
mysql:x:1001:1001::/home/mysql:
varnish:x:999:999::/home/varnish:
robot:x:1002:1002::/home/robot:

Here we see the file `/etc/passwd`, which contains all users. It looks a bit confusing at first, so let's break it down.

Let's have a look at the root user.

root:x:0:0:root:/root:/bin/bash

User name = root

Password = x (a placeholder; the real hash is in /etc/shadow)

User ID (UID) = 0

Group ID (GID) = 0

Comment or description (the GECOS field) = root

Home directory = /root

Login shell = /bin/bash

Every line in the file is structured like this. But where is the password? It lives in the file `/etc/shadow`, which only root (and, on most distributions, members of the shadow group) can read, whereas /etc/passwd is readable by everyone. I will come back to this in a moment.

We see an x in the password field. What does the x mean exactly? It means that the password is not stored here: the hash is kept in /etc/shadow and is looked up there when the user logs in. There are also users who have no password at all, e.g. this one.

nobody::65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Here there is nothing between the two colons. An empty password field means the account has no password, so a login is not asked for one. (Two caveats: nobody's shell is /usr/sbin/nologin, so this particular account still gets no session, and pam_unix only accepts an empty password where it is configured with the nullok option.)

This is useful if you already have a root shell, for example from a privilege escalation, but want the root account itself. Delete the x from root's line and from then on su or login as root no longer asks for a password. For the same reason, an empty second field in /etc/passwd is something a defender should check for and alert on.

Another possibility is to prevent a user from logging in at all. The file above contains such a user:

gnats:!:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

This user has an exclamation mark in the password field. The `!` (like `*`) is not a valid hash, so no password can ever match it: the account is locked for password logins. If the system administrator later sets a password with passwd, the hash replaces the `!` (in /etc/shadow on a shadowed system). Until then the account is simply locked and the user cannot log in.

/etc/shadow

The file /etc/shadow looks a little different from the previous one. Here the passwords are stored as hashes, together with password-ageing information. In most cases the file looks like this:

root:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:18017:0:99999:7:::
daemon:*:18017:0:99999:7:::
....
robot:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:18017:0:99999:7:::
mysql:!:18017:0:99999:7:::
debian-tor:*:18017:0:99999:7:::
systemd-coredump:!!:18032::::::

Here each user carries more information than in /etc/passwd. Let's break this down as well.

root:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:18017:0:99999:7:::

User name = root

Password hash = $1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1

Day of last password change = 18017 (counted in days since 1970-01-01, so here 2019-05-01; a value of 0 forces a change at the next login)

Minimum password age (how many days must pass before the user may change the password again) = 0

Maximum password age (how many days the password stays valid) = 99999 (effectively never expires)

Warning period (how many days before expiry the user is warned) = 7

Inactivity period (how many days after expiry the old password is still accepted before the account is disabled) = empty

Account expiry date (days since 1970-01-01) = empty

Reserved field, not in use = empty

The password itself is not stored here in plain text. What is stored is a salted hash produced by crypt(3), and the string is divided into three `$`-separated components (some newer schemes insert an extra parameter, such as rounds=5000, between the ID and the salt).

The hash ID = 1
This indicates which hashing algorithm was used; the identifiers are listed in crypt(5).

  • 1 = MD5 (md5crypt)
  • 2a, 2b, 2y = Blowfish (bcrypt)
  • 5 = SHA-256 (sha256crypt)
  • 6 = SHA-512 (sha512crypt)
  • y = yescrypt (the default on current Debian and Ubuntu releases)

The salt = Ct7iUpMU
A random value mixed into the hash so that two users with the same password get different hashes and precomputed rainbow tables cannot be reused against them. The salt is not secret.

The password hash = 5KRrYfhAr6nZfAnUb/ZYd1
This is the hash of the salt and the password itself. md5crypt is cheap to compute and has no tunable cost, so $1$ hashes fall to offline cracking far faster than $6$ or $y$ ones.

You can also put the password hash directly into /etc/passwd: replace the x with the hash and you can log in as this user with the matching password. This works because pam_unix only consults /etc/shadow when the field contains exactly x; any other value is used as the hash itself, so an entry in /etc/passwd overrides /etc/shadow. A hash in the right format is easy to produce, e.g. with openssl passwd -1. Since /etc/passwd is world-readable, a writable /etc/passwd (check with ls -l /etc/passwd; it should be mode 0644 and owned by root) is a classic privilege escalation, and a non-x value in the second field of any line is a strong indicator that this has been done.

robot:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:1002:1002::/home/robot:
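To make the two layouts concrete, here is an added Python audit script (my code, not part of the original post) that parses both files as described above: it splits the `$id$salt$hash` string into its components, converts the day counts into calendar dates, classifies the password field (empty, x, locked or an inline hash) and reports accounts that can log in without a password or carry a hash directly in /etc/passwd. The two sample file bodies are constructed from lines shown on this page; the `2b`, `7` (scrypt) and `y` (yescrypt) hash IDs and the finding names are my additions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# crypt(3) hash ids; "2b", "7" (scrypt) and "y" (yescrypt) extend the page's list.
HASH_ALGORITHMS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
EPOCH = date(1970, 1, 1)  # shadow day counts are days since this date

# Constructed samples, copied from the lines shown in the post above.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
gnats:!:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody::65534:65534:nobody:/nonexistent:/usr/sbin/nologin
robot:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:1002:1002::/home/robot:
"""
SHADOW_SAMPLE = """\
root:$1$Ct7iUpMU$5KRrYfhAr6nZfAnUb/ZYd1:18017:0:99999:7:::
systemd-coredump:!!:18032::::::
"""


def split_hash(field: str):
    """Split '$id$[rounds=N$]salt$hash' into (algorithm, salt, hash), or None."""
    field = field.lstrip("!")        # '!' in front of a hash: locked with `passwd -l`
    if not field.startswith("$"):
        return None                  # '', 'x', '*', '!' are not hashes
    parts = field.split("$")         # ['', id, ..., salt, hash]
    if len(parts) < 4:
        return None
    algo = HASH_ALGORITHMS.get(parts[1], "unknown(" + parts[1] + ")")
    if algo == "bcrypt":             # $2y$cost$<22-char salt><31-char hash>
        return algo, parts[3][:22], parts[3][22:]
    return algo, parts[-2], parts[-1]


def classify_password_field(field: str) -> str:
    # Same rules for the second field of passwd and shadow lines.
    if field == "":
        return "empty"     # no password is asked for (if the shell and PAM's nullok allow it)
    if field == "x":
        return "shadowed"  # the real hash lives in /etc/shadow
    if field[0] in "!*":
        return "locked"    # nothing can match this, so password login is impossible
    if split_hash(field):
        return "hash"      # the hash sits right here and is what authentication uses
    return "invalid"


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[date]   # field 3: days since EPOCH (0 = change at next login)
    min_days: Optional[int]       # field 4: days before the password may be changed again
    max_days: Optional[int]       # field 5: days the password stays valid (99999 = never)
    warn_days: Optional[int]      # field 6: days of warning before expiry
    inactive_days: Optional[int]  # field 7: grace days after expiry before the account is disabled
    expire: Optional[date]        # field 8: account expiry date (field 9 is reserved)

    def password_expires(self) -> Optional[date]:
        if self.last_change is None or self.max_days is None or self.max_days >= 99999:
            return None
        return self.last_change + timedelta(days=self.max_days)


def _day(days: Optional[int]) -> Optional[date]:
    return None if days is None else EPOCH + timedelta(days=days)


def parse_shadow(text: str) -> dict:
    entries = {}
    for line in filter(None, text.splitlines()):   # skip blank lines
        f = line.split(":")
        if len(f) != 9:
            raise ValueError("shadow line does not have 9 fields: " + line)
        n = [int(x) if x else None for x in f[2:8]]   # empty field -> None
        entries[f[0]] = ShadowEntry(f[0], f[1], _day(n[0]), n[1], n[2], n[3], n[4], _day(n[5]))
    return entries


def audit(passwd_text: str, shadow_text: str) -> list:
    """Return (user, finding) pairs for the conditions the post walks through."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in filter(None, passwd_text.splitlines()):
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("passwd line does not have 7 fields: " + line)
        name, kind = f[0], classify_password_field(f[1])
        if kind == "empty":
            findings.append((name, "empty-password"))
        elif kind == "hash":
            # pam_unix reads /etc/shadow only when this field is exactly "x"; a hash here overrides it.
            findings.append((name, "hash-in-passwd"))
        elif kind == "shadowed" and name in shadow and shadow[name].password == "":
            findings.append((name, "empty-shadow-password"))
    return findings
```

On a live host, feed `audit()` the contents of /etc/passwd and /etc/shadow (the latter needs root). On the samples it reports nobody for the empty password field and robot for the hash planted in /etc/passwd, while gnats (locked with `!`) and root (properly shadowed) produce nothing.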

I hope I was able to explain the two files understandably 😄