
Managing User Accounts and User Environments in Oracle® Solaris 11.3


Updated: March 2017
 
 

Where User Account and Group Information Is Stored

Depending on your site policy, user account and group information can be stored in your local system's /etc files or in a name or directory service as follows:

  • The NIS name service information is stored in maps

  • The LDAP directory service information is stored in indexed database files


Note -  To avoid confusion, the location of the user account and group information is generically referred to as a file rather than as a database, table, or map.

Most user account information is stored in the passwd file. Password information is stored as follows:

  • In the passwd file when you are using NIS

  • In the /etc/shadow file when you are using /etc files

  • In the people container when you are using LDAP

Password aging is available when you are using LDAP, but not NIS.

Group information is stored in the group file for NIS. For LDAP, group information is stored in the group container.

Fields in the passwd File

The fields in the passwd file are separated by colons and contain the following information:

username:password:UID:GID:comment:home-directory:login-shell

For example:

kryten:x:101:100:Kryten Series 4000 Mechanoid:/export/home/kryten:/bin/csh

For a complete description of the fields in the passwd file, see the passwd(1) man page.

Default passwd File

The default passwd file contains entries for standard daemons. Daemons are processes that are usually started at boot time to perform some system-wide task, such as printing, network administration, or port monitoring.


Note -  Additional users and groups are created and removed when packages are added or removed from the system. These ongoing changes are reflected in the passwd file. Administrators do not need to clean up this file.

The following display shows the contents of a sample passwd file:

root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
dladm:x:15:65:Datalink Admin:/:
netadm:x:16:65:Network Admin:/:
netcfg:x:17:65:Network Configuration Admin:/:
smmsp:x:25:25:SendMail Message Submission Program:/:
gdm:x:50:50:GDM Reserved UID:/var/lib/gdm:
zfssnap:x:51:12:ZFS Automatic Snapshots Reserved UID:/:/usr/bin/pfsh
upnp:x:52:52:UPnP Server Reserved UID:/var/coherence:/bin/ksh
xvm:x:60:60:xVM User:/:
mysql:x:70:70:MySQL Reserved UID:/:
openldap:x:75:75:OpenLDAP User:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
unknown:x:96:96:Unknown Remote UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
ikeuser:x:67:12:IKE Admin:/:
ftp:x:21:21:FTPD Reserved UID:/:
dhcpserv:x:18:65:DHCP Configuration Admin:/:
aiuser:x:60003:60001:AI User:/:
pkg5srv:x:97:97:pkg(5) server UID:/:

The display above shows sample passwd file contents without any explanation. The following table provides a description and the source package information for each daemon in a standard passwd file.

Table 3  Default passwd File Entries
User Name | User ID | Description | Package
--- | --- | --- | ---
root | 0 | Reserved for superuser account | system/core-os
daemon | 1 | Umbrella system daemon associated with routine system tasks | system/core-os
bin | 2 | Administrative daemon associated with running system binaries to perform some routine system task | system/core-os
sys | 3 | Administrative daemon associated with system logging or updating files in temporary directories | system/core-os
adm | 4 | Administrative daemon associated with system logging | system/core-os
lp | 71 | Reserved for the Line printer daemon | system/core-os
uucp | 5 | Assigned to the daemon that is associated with uucp functions | system/core-os
nuucp | 9 | Assigned to another daemon associated with uucp functions | system/core-os
dladm | 15 | Reserved for datalink administration | system/core-os
netadm | 16 | Reserved for network administration | system/core-os
netcfg | 17 | Reserved for network configuration administration | system/core-os
smmsp | 25 | Assigned to the Sendmail message submission program daemon | system/core-os
gdm | 50 | Assigned to the GNOME Display Manager daemon | system/core-os
zfssnap | 51 | Reserved for automatic snapshots | system/core-os
upnp | 52 | Reserved for UPnP server | system/core-os
xvm | 60 | Reserved for xVM user | system/core-os
mysql | 70 | Reserved for MySQL user | system/core-os
openldap | 75 | Reserved for OpenLDAP user | library/ldap
webservd | 80 | Reserved for WebServer access | system/core-os
postgres | 90 | Reserved for PostgreSQL access | system/core-os
svctag | 95 | Reserved for Service Tag Registry access | system/core-os
unknown | 96 | Reserved for unmappable remote users in NFSv4 ACLs | system/core-os
nobody | 60001 | Reserved for NFS Anonymous Access user | system/core-os
noaccess | 60002 | Reserved for No Access user | system/core-os
nobody4 | 65534 | Reserved for SunOS 4.x NFS Anonymous Access user | system/core-os
ikeuser | 67 | Reserved for Internet Key Exchange (IKE) access | system/network/ike
ftp | 21 | Reserved for FTP access | service/network/ftp
dhcpserv | 18 | Reserved for DHCP server user | service/network/dhcp/isc-dhcp
aiuser | 60003 | Reserved for AI user | system/install/auto-install/auto-install-common
pkg5srv | 97 | Reserved for pkg(5) depot server | package/pkg

Fields in the shadow File

The /etc/shadow file stores encrypted user passwords and related information. The fields in the shadow file are separated by colons and contain the following information:

username:password:lastchg:min:max:warn:inactive:expire

The default password hashing algorithm is SHA256. The password hash for the user is similar to the following:

$5$cgQk2iUy$AhHtVGx5Qd0.W3NCKjikb8.KhOiA4DpxsW55sP0UnYD

For a complete description of the fields in the shadow file, see the shadow(4) man page.
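
An added example, not part of the Oracle documentation: a Python audit of shadow entries that reads the hashing scheme from the `$id$` prefix and applies the lastchg and max fields. The sample entries, the scheme ids other than `$5$`, the `*LK*`, `NP` and `UP` markers, and the reading of lastchg as days since January 1, 1970 are assumptions not stated on this page.

```python
from datetime import date

FIELDS = ("username", "password", "lastchg", "min", "max", "warn",
          "inactive", "expire")
# Scheme ids in "$id$salt$hash". Only "$5$" (SHA256) is shown on this page;
# the other ids are assumptions based on common crypt(3C) conventions.
SCHEMES = {"1": "md5", "2a": "blowfish", "md5": "sunmd5",
           "5": "sha256", "6": "sha512"}
WEAK = {"des", "md5", "sunmd5", "unknown"}

def parse_shadow(line):
    """Split one shadow line into the eight fields named on this page."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < len(FIELDS):
        raise ValueError("expected %d fields: %r" % (len(FIELDS), line))
    return dict(zip(FIELDS, parts))

def password_state(pw):
    """Classify the password field by its prefix; the hash is never tested."""
    if pw == "":
        return "empty"
    if pw.startswith("*LK*") or pw in ("NP", "UP"):
        return "no-login"  # assumed lock / no-password markers
    if pw.startswith("$"):
        return SCHEMES.get(pw.split("$")[1].split(",")[0], "unknown")
    return "des" if len(pw) == 13 else "unknown"

def audit_shadow(lines, today):
    """Return (username, finding) pairs for entries that need attention."""
    day = (today - date(1970, 1, 1)).days  # lastchg is assumed to be a day count
    findings = []
    for e in map(parse_shadow, lines):
        state = password_state(e["password"])
        if state == "empty":
            findings.append((e["username"], "empty password field"))
        elif state in WEAK:
            findings.append((e["username"], "weak or unknown hash: " + state))
        if state != "no-login" and e["lastchg"] and e["max"]:
            if int(e["lastchg"]) + int(e["max"]) < day:
                findings.append((e["username"], "password older than max"))
    return findings

# Constructed entries; only the kryten hash is the example string from this page.
SAMPLE = [
    "kryten:$5$cgQk2iUy$AhHtVGx5Qd0.W3NCKjikb8.KhOiA4DpxsW55sP0UnYD:17300:7:90:14::",
    "lister:$1$constructed$CONSTRUCTEDHASH:17300:::::",
    "rimmer::17300:::::",
    "cat:$5$constructed$CONSTRUCTEDHASH:17000:7:90:14::",
    "daemon:NP:6445:::::",
]
```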

Fields in the group File

The group file is a local source of group information. The fields in the group file are separated by colons and contain the following information:

group-name:group-password:GID:user-list

For example:

bin::2:root,bin,daemon

For a complete description of the fields in the group file, see the group(4) man page.
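
An added example, not part of the Oracle documentation: a Python cross-check of passwd and group entries, using the field layouts given on this page, that reports shared UIDs, primary GIDs missing from the group file, and group members with no passwd entry. The toor and staff entries are constructed for illustration; the remaining lines are samples shown on this page.

```python
from collections import defaultdict

PASSWD = ("username", "password", "uid", "gid", "comment", "home", "shell")
GROUP = ("name", "password", "gid", "users")

def parse(line, names):
    """Split one colon-separated entry and reject a wrong field count."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(names):
        raise ValueError("expected %d fields: %r" % (len(names), line))
    return dict(zip(names, parts))

def cross_check(passwd_lines, group_lines):
    """Return findings where passwd and group entries disagree."""
    users = [parse(l, PASSWD) for l in passwd_lines]
    groups = [parse(l, GROUP) for l in group_lines]
    names = {u["username"] for u in users}
    gids = {g["gid"] for g in groups}
    by_uid = defaultdict(list)
    for u in users:
        by_uid[u["uid"]].append(u["username"])
    findings = []
    for uid, owners in by_uid.items():
        if len(owners) > 1:  # two names, one identity (worst case: UID 0)
            findings.append("UID %s shared by %s" % (uid, ",".join(owners)))
    for u in users:
        if u["gid"] not in gids:
            findings.append("%s: primary GID %s not in group file"
                            % (u["username"], u["gid"]))
    for g in groups:
        for member in filter(None, g["users"].split(",")):
            if member not in names:
                findings.append("group %s lists unknown user %s"
                                % (g["name"], member))
    return findings

PASSWD_SAMPLE = [
    "root:x:0:0:Super-User:/root:/usr/bin/bash",
    "daemon:x:1:1::/:", "bin:x:2:2::/usr/bin:", "sys:x:3:3::/:",
    "adm:x:4:4:Admin:/var/adm:",
    "kryten:x:101:100:Kryten Series 4000 Mechanoid:/export/home/kryten:/bin/csh",
    "toor:x:0:0:Constructed entry:/root:/usr/bin/bash",  # constructed
]
GROUP_SAMPLE = [
    "root::0:", "other::1:root", "bin::2:root,daemon",
    "sys::3:root,bin,adm", "adm::4:root,daemon",
    "staff::10:kryten,holly",  # constructed
]
```

Feeding it the output of `getent passwd` and `getent group` instead of the local files also covers entries that come from NIS or LDAP.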

Default group File

The default group file contains the following system groups that support some system-wide tasks such as printing, network administration, or electronic mail. Most of these groups have corresponding entries in the passwd file.

The following displays the contents of a sample group file.

root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon

The display above provides sample group file contents without any explanations. The following table provides further information about each group listed in a typical group file.

Table 4  Default group File Entries
Group Name | Group ID | Description | pkg(5) Package
--- | --- | --- | ---
root | 0 | Superuser group | system/core-os
other | 1 | Optional group | system/core-os
bin | 2 | Administrative group associated with running system binaries | system/core-os
sys | 3 | Administrative group associated with system logging or temporary directories | system/core-os
adm | 4 | Administrative group associated with system logging | system/core-os

Commands for Obtaining User Account Information

The following table describes the commands that system administrators can use to obtain information about user accounts. This information is stored in various files within the /etc directory. Using these commands to obtain user account information is preferred over using the cat command to view similar information.

Table 5  Commands to Obtain Information About Users
Command | Description | Man Page Reference
--- | --- | ---
auths | Lists and manages authorizations. |
getent | Displays a list of entries from the administrative database. The information generally comes from one or more of the sources that are specified for the /etc/nsswitch.conf database. |
logins | Displays information about users, roles, and system logins. The output is controlled by the command options that are specified and can include user, role, system login, UID, passwd account field value, primary group, primary group ID, multiple group names, multiple group IDs, home directory, login shell, and password-aging parameters. |
profiles | Lists and manages rights profiles. |
roles | Displays the roles that are assigned to a user. |
userattr | Displays the first value that is found for attribute_name. If a user is not specified, the user is taken from the real user ID of the process. Attribute names are defined in the user_attr(4) and prof_attr(4) man pages. |

Note -  This command is new in Oracle Solaris 11.