passwd - password file
The file /etc/passwd is a local source of information about users' accounts. The password file can be used in conjunction with other naming sources, such as the NIS maps passwd.byname or password data stored on an LDAP server. Programs use the getpwnam(3C) routines to access this information.
Each passwd entry is a single line of the form:
username:password:uid: gid:gecos-field:home-dir: login-shell
is the user's login name.
The login (login) and role (role) fields accept a string of no more than thirty-two bytes consisting of characters from the set of alphabetic characters, numeric characters, period (.), underscore (_), and hyphen (- ). The first character should be alphabetic and the field should contain at least one lower case alphabetic character. A warning message is displayed if these restrictions are not met.
The login and role fields must contain at least one character and must not contain a colon (:) or a newline (\n).
Obsolete. The encrypted password for the user is in the corresponding entry in the /etc/shadow file. pwconv(8) relies on a special value of 'x' in the password field of /etc/passwd. If this value of 'x' exists in the password field of /etc/passwd, this indicates that the password for the user is already in /etc/shadow and should not be modified.
is the user's unique numerical ID for the system.
is the unique numerical ID of the group that the user belongs to.
is the user's real name, along with information to pass along in a mail-message heading. (It is called the gecos-field for historical reasons.) An ``&'' (ampersand) in this field stands for the login name (in cases where the login name appears in a user's real name).
is the pathname to the directory in which the user is initially positioned upon logging in.
is the user's initial shell program. If this field is empty, the default shell is /usr/bin/sh.
The maximum value of the uid and gid fields is 2147483647. To maximize interoperability and compatibility, administrators are recommended to assign users a range of UIDs and GIDs below 60000 where possible. (UIDs from 0-99 inclusive are reserved by the operating system vendor for use in future applications. Their use by end system users or vendors of layered products is not supported and may cause security related issues with future applications.)
The password file is an ASCII file that resides in the /etc directory. Because the encrypted passwords on a secure system are always kept in the shadow file, /etc/passwd has general read permission on all systems and can be used by routines that map between numerical user IDs and user names.
Blank lines are treated as malformed entries in the passwd file and cause consumers of the file, such as getpwnam(3C), to fail.
Password file entries beginning with a `+' (plus sign) or '-' (minus sign) are no longer supported and are ignored. The passwd : compat configuration in nsswitch.conf is no longer supported. Instead, pam_list()function should be used. For more information, see the pam_list(7) and nsswitch.conf(5) man pages.
Appropriate precautions must be taken to lock the /etc/passwd file against simultaneous changes if it is to be edited with a text editor.
The following is a sample passwd file:
root:x:0:0:Super-User:/root:/usr/bin/bash daemon:x:1:1::/:/bin/sh bin:x:2:2::/usr/bin:/bin/sh fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
and the sample password entry from nsswitch.conf:
passwd: files ldap
In this example, there are specific entries for users root and fred to assure that they can login even when the system is running single-user. In addition, anyone whose password information is stored on an LDAP server will be able to login with their usual password, shell, and home directory.
chgrp(1), chown(1), finger(1), groups(1), login(1), newgrp(1), passwd(1), sh(1), sort(1), a64l(3C), crypt(3C), getpw(3C), getpwnam(3C), getspnam(3C), putpwent(3C), unistd.h(3HEAD), group(5), hosts.equiv(5), nsswitch.conf(5), shadow(5), environ(7), domainname(8), getent(8), pwck(8), pwconv(8), su(8), useradd(8), userdel(8), usermod(8)
Entries in the password file that begin with a `+' (plus sign) or '-' (minus sign) are ignored.
The solaris.user.manage and solaris.role.manage authorizations are required to modify the passwd fields for users and roles respectively. These authorizations allow an administrator to set the username, uid, gecos-field, home-dir, and login-shell for users and roles respectively. Setting the gid requires the solaris.group.delegate/assign authorization. See group(5).