mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-11 17:04:19 +01:00
256 lines, 7.8 KiB, Groff
.\" Copyright (c) 1988, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	From: @(#)passwd.5	8.1 (Berkeley) 6/5/93
.\" $Id$
.\"
.Dd September 29, 1994
.Dt PASSWD 5
.Os
.Sh NAME
.Nm passwd
.Nd format of the password file
.Sh DESCRIPTION
The
.Nm passwd
files are files consisting of newline separated records, one per user,
containing ten colon (``:'') separated fields.  These fields are as
follows:
.Pp
.Bl -tag -width password -offset indent
.It name
User's login name.
.It password
User's
.Em encrypted
password.
.It uid
User's id.
.It gid
User's login group id.
.It class
User's general classification (unused).
.It change
Password change time.
.It expire
Account expiration time.
.It gecos
General information about the user.
.It home_dir
User's home directory.
.It shell
User's login shell.
.El
.Pp
The
.Ar name
field is the login used to access the computer account, and the
.Ar uid
field is the number associated with it.  They should both be unique
across the system (and often across a group of systems) since they
control file access.
.Pp
While it is possible to have multiple entries with identical login names
and/or identical user ids, it is usually a mistake to do so.  Routines
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
.Pp
The login name must never begin with a hyphen (``-''); also, it is strongly
suggested that neither upper-case characters nor dots (``.'') be part
of the name, as this tends to confuse mailers.  No field may contain a
colon (``:'') as this has been used historically to separate the fields
in the user database.
.Pp
The password field is the
.Em encrypted
form of the password.
If the
.Ar password
field is empty, no password will be required to gain access to the
machine.  This is almost invariably a mistake.
Because these files contain the encrypted user passwords, they should
not be readable by anyone without appropriate privileges.
.Pp
The group field is the group that the user will be placed in upon login.
Since this system supports multiple groups (see
.Xr groups 1 )
this field currently has little special meaning.
.Pp
The
.Ar class
field is currently unused.  In the near future it will be a key to
a
.Xr termcap 5
style database of user attributes.
.Pp
The
.Ar change
field is the number in seconds,
.Dv GMT ,
from the epoch, until the
password for the account must be changed.
This field may be left empty to turn off the password aging feature.
.Pp
The
.Ar expire
field is the number in seconds,
.Dv GMT ,
from the epoch, until the
account expires.
This field may be left empty to turn off the account aging feature.
.Pp
The
.Ar gecos
field normally contains comma (``,'') separated subfields as follows:
.Pp
.Bd -unfilled -offset indent
name	user's full name
office	user's office number
wphone	user's work phone number
hphone	user's home phone number
.Ed
.Pp
This information is used by the
.Xr finger 1
program.
.Pp
The user's home directory is the full
.Tn UNIX
path name where the user
will be placed on login.
.Pp
The shell field is the command interpreter the user prefers.
If there is nothing in the
.Ar shell
field, the Bourne shell
.Pq Pa /bin/sh
is assumed.
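The field rules above, turned into a parser and audit as an added example (not code from passwd(5) or FreeBSD): it splits a ten-field master.passwd record, applies the empty-shell and empty-change/expire defaults the text gives, and reports the conditions the text calls mistakes. The sample records and the "$HASH$" placeholder are constructed for the example.

```python
import re
# Added example, not code from passwd(5) or FreeBSD: parse and audit the
# ten-field master.passwd format against the rules the manual page states.
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")

def parse_record(line):
    """Split one record into its ten colon-separated fields. No field may
    contain a colon, so a wrong field count means a malformed record."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 10 fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["shell"] = rec["shell"] or "/bin/sh"      # empty shell: Bourne shell
    for key in ("change", "expire"):              # empty: aging feature off,
        rec[key] = int(rec[key]) if rec[key] else None   # else seconds, GMT
    return rec

def audit(text):
    """Return (login name, finding) pairs for what the page warns about:
    empty password field, leading hyphen, upper-case or dot in the name,
    and duplicate login names or uids."""
    findings, seen_names, seen_uids = [], set(), {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        name, uid = rec["name"], rec["uid"]
        if rec["password"] == "":
            findings.append((name, "empty password field: no password required"))
        if name.startswith("-"):
            findings.append((name, "login name begins with a hyphen"))
        if re.search(r"[A-Z.]", name):
            findings.append((name, "upper-case letter or dot in login name"))
        if name in seen_names:
            findings.append((name, "duplicate login name"))
        if uid in seen_uids:
            findings.append((name, f"duplicate uid {uid} (also {seen_uids[uid]})"))
        seen_names.add(name)
        seen_uids.setdefault(uid, name)
    return findings

# Constructed sample file; "$HASH$" stands in for a real password hash.
SAMPLE = """\
root:$HASH$:0:0::0:0:Charlie &:/root:/bin/csh
operator::5:5::0:0:System &:/:/sbin/nologin
Alice.B:$HASH$:1001:1001::0:1700000000:Alice B,Rm 12,555-0100,555-0199:/home/alice:
toor:$HASH$:0:0::0:0:Bourne-again Superuser:/root:
-evil:$HASH$:1002:1002::0:0::/tmp:/bin/sh
"""
```

Running audit(SAMPLE) flags operator, Alice.B, toor and -evil; root passes.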
.Sh YP/NIS INTERACTION
The
.Pa /etc/passwd
file can be configured to enable the YP/NIS password database.
An entry whose
.Ar name
field consists of a plus sign (`+') followed by a login name, will be
replaced internally to the C library with the YP/NIS password entry for the
named user.  An entry whose
.Ar name
field consists of a single plus sign with no login name following,
will be replaced with the entire YP/NIS
.Dq Li passwd.byname
map.
.Pp
If any fields other than the login name are filled in, they
will override the YP/NIS database's values.  So, for
example, an
.Pa /etc/master.passwd
entry of:
.Bd -literal -offset indent
+:::::::::/etc/noaccess
.Ed
would use the entire contents of the YP/NIS password database, but
each entry would have its designated shell replaced by
.Pa /etc/noaccess
(presumably, a program to tell those users that they are not allowed to
access the machine).
This is the only way to specify values for the fields which are not
present in the Sixth Edition format used by YP/NIS.
.Pp
If the YP/NIS password database is enabled for any reason, all reverse
lookups (i.e.,
.Fn getpwuid )
will use the entire database, even if only a few logins are enabled.
Thus, the login name returned by
.Fn getpwuid
is not guaranteed to have a valid forward mapping.
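A model of the "+" entry expansion and of the getpwuid() caveat above, as an added example that is not the C library's code: a dict stands in for the passwd.byname map, non-empty fields of the local entry override the Sixth Edition values, and the reverse lookup searches the whole map once any "+" entry is present. The NIS records, the "+alice" entry and the "$HASH$" placeholder are constructed for the example.

```python
# Added example, not code from passwd(5) or the C library: models the "+"
# entry expansion and the getpwuid() caveat described above.
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")
V6_FIELDS = ("name", "password", "uid", "gid", "gecos", "home_dir", "shell")

def split_fields(line, names=FIELDS):
    parts = line.split(":")
    if len(parts) != len(names):
        raise ValueError(f"expected {len(names)} fields: {line!r}")
    return dict(zip(names, parts))

def expand(local_lines, passwd_byname):
    """Effective records for a local master.passwd file. passwd_byname is a
    constructed stand-in for the YP/NIS passwd.byname map: login name ->
    Sixth Edition seven-field record."""
    result = []
    for line in local_lines:
        local = split_fields(line)
        if not local["name"].startswith("+"):
            result.append(local)
            continue
        wanted = local["name"][1:]                 # "+" alone: the whole map
        for n in ([wanted] if wanted else passwd_byname):
            if n not in passwd_byname:
                continue
            nis = split_fields(passwd_byname[n], V6_FIELDS)
            # class/change/expire do not exist in the Sixth Edition format,
            # so they start empty and can only come from the local entry.
            rec = {f: nis.get(f, "") for f in FIELDS}
            for f in FIELDS[1:]:
                if local[f]:                       # non-empty field overrides
                    rec[f] = local[f]
            result.append(rec)
    return result

def getpwuid(uid, local_lines, passwd_byname):
    """Reverse lookup: once YP/NIS is enabled at all, the whole map is
    searched, even for logins the local file never enabled."""
    recs = expand(local_lines, passwd_byname)
    if any(l.startswith("+") for l in local_lines):
        recs += [split_fields(v, V6_FIELDS) for v in passwd_byname.values()]
    return next((r["name"] for r in recs if r["uid"] == uid), None)

# Constructed sample data; "$HASH$" stands in for a real password hash.
NIS = {"alice": "alice:$HASH$:1001:100:Alice:/home/alice:/bin/sh",
       "bob": "bob:$HASH$:1002:100:Bob:/home/bob:/bin/csh"}
LOCAL_ALL = ["root:$HASH$:0:0::0:0:Charlie &:/root:/bin/csh", "+:::::::::/etc/noaccess"]
LOCAL_ONE = ["root:$HASH$:0:0::0:0:Charlie &:/root:/bin/csh", "+alice::::staff:::::"]
```

With LOCAL_ONE only alice is enabled, yet getpwuid("1002", ...) still returns "bob", whose name has no forward mapping in the expanded file.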
.Sh FILES
.Bl -tag -width /etc/master.passwd -compact
.It Pa /etc/passwd
ASCII password file, with passwords removed
.It Pa /etc/pwd.db
.Xr db 3 -format
password database, with passwords removed
.It Pa /etc/master.passwd
ASCII password file, with passwords intact
.It Pa /etc/spwd.db
.Xr db 3 -format
password database, with passwords intact
.El
.Sh SEE ALSO
.Xr adduser 8 ,
.Xr chpass 1 ,
.Xr getpwent 3 ,
.Xr login 1 ,
.Xr passwd 1 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8 ,
.Xr yp 4
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Pp
The YP/NIS password database makes encrypted passwords visible to
ordinary users, thus making password cracking easier.
.Pp
The YP/NIS password database is in old-style (Sixth Edition) format,
and so cannot specify site-wide values for user login class, password
expiration date, and other fields present in the current format and
not in the old.
.Sh COMPATIBILITY
The password file format has changed since 4.3BSD.
The following awk script can be used to convert your old-style password
file into a new style password file.
The additional fields
.Dq class ,
.Dq change
and
.Dq expire
are added, but are turned off by default.
Class is currently not implemented, but change and expire are; to set them,
use the current day in seconds from the epoch + whatever number of seconds
of offset you want.
.Bd -literal -offset indent
# old: name:password:uid:gid:gecos:home_dir:shell
# new: name:password:uid:gid:class:change:expire:gecos:home_dir:shell
BEGIN { FS = ":" }
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
.Ed
.Sh HISTORY
A
.Nm
file format appeared in
.At v6 .
The YP/NIS functionality is modeled after
.Tn SunOS
and first appeared in
.Tn FreeBSD
1.1.  The override capability is new in
.Tn FreeBSD
2.0.