1 .\" Copyright (c) 1993 Michael Haardt (michael@moria.de),
2 .\" Fri Apr 2 11:32:09 MET DST 1993
4 .\" SPDX-License-Identifier: GPL-2.0-or-later
6 .\" Modified Sun Jul 25 10:46:28 1993 by Rik Faith (faith@cs.unc.edu)
7 .\" Modified Sun Aug 21 18:12:27 1994 by Rik Faith (faith@cs.unc.edu)
8 .\" Modified Sun Jun 18 01:53:57 1995 by Andries Brouwer (aeb@cwi.nl)
9 .\" Modified Mon Jan 5 20:24:40 MET 1998 by Michael Haardt
10 .\" (michael@cantor.informatik.rwth-aachen.de)
11 .TH passwd 5 (date) "Linux man-pages (unreleased)"
13 passwd \- password file
17 file is a text file that describes user login accounts for the system.
18 It should have read permission allowed for all users (many utilities, like
20 use it to map user IDs to usernames), but write access only for the
23 In the good old days there was no great problem with this general
25 Everybody could read the encrypted passwords, but the
26 hardware was too slow to crack a well-chosen password, and moreover the
27 basic assumption used to be that of a friendly user-community.
28 These days many people run some version of the shadow password suite, where
30 has an \[aq]x\[aq] character in the password field,
31 and the encrypted passwords are in
33 which is readable by the superuser only.
35 If the encrypted password, whether in
39 is an empty string, login is allowed without even asking for a password.
40 Note that this functionality may be intentionally disabled in applications,
41 or configurable (for example using the
42 .RB \[dq] nullok \[dq]
44 .RB \[dq] nonull \[dq]
48 If the encrypted password in
50 is "\fI*NP*\fP" (without the quotes),
51 the shadow record should be obtained from an NIS+ server.
53 Regardless of whether shadow passwords are used, many system administrators
54 use an asterisk (*) in the encrypted password field to make sure
55 that this user can not authenticate themself using a
57 (But see NOTES below.)
59 If you create a new login, first put an asterisk (*) in the password field,
64 Each line of the file describes a single user,
65 and contains seven colon-separated fields:
69 name:password:UID:GID:GECOS:directory:shell
73 The field are as follows:
76 This is the user's login name.
77 It should not contain capital letters.
80 This is either the encrypted user password,
81 an asterisk (*), or the letter \[aq]x\[aq].
84 for an explanation of \[aq]x\[aq].)
89 login account (superuser) has the user ID 0.
92 This is the numeric primary group ID for this user.
93 (Additional groups for the user are defined in the system group file; see
97 This field (sometimes called the "comment field")
98 is optional and used only for informational purposes.
99 Usually, it contains the full username.
100 Some programs (for example,
102 display information from this field.
104 GECOS stands for "General Electric Comprehensive Operating System",
105 which was renamed to GCOS when
106 GE's large systems division was sold to Honeywell.
107 Dennis Ritchie has reported: "Sometimes we sent printer output or
108 batch jobs to the GCOS machine.
109 The gcos field in the password file was a place to stash the
110 information for the $IDENTcard.
114 This is the user's home directory:
115 the initial directory where the user is placed after logging in.
116 The value in this field is used to set the
118 environment variable.
121 This is the program to run at login (if empty, use
123 If set to a nonexistent executable, the user will be unable to login
126 The value in this field is used to set the
128 environment variable.
132 If you want to create user groups, there must be an entry in
134 or no group will exist.
136 If the encrypted password is set to an asterisk (*), the user will be unable
139 but may still login using
141 run existing processes and initiate new ones through
145 or mail filters, etc.
146 Trying to lock an account by simply changing the
147 shell field yields the same result and additionally allows the use of