/etc/passwd File

Purpose

Contains basic user attributes.

Description

The /etc/passwd file contains basic user attributes. This is an ASCII file that contains an entry for each user. Each entry defines the basic attributes applied to a user. When you use the mkuser command to add a user to your system, the command updates the /etc/passwd file.
Note: Certain system-defined group and user names are required for proper installation and update of the system software. Use care before replacing this file to ensure that no system-supplied groups or users are removed.

An entry in the /etc/passwd file has the following form:

Name:Password: UserID:PrincipleGroup:Gecos: HomeDirectory:Shell

Attributes in an entry are separated by a : (colon). For this reason, you should not use a : (colon) in any attribute. The attributes are defined as follows:

Attribute Definition
Name Specifies the user's login name. There are a number of restrictions on naming users. See the mkuser command for more information.
Password Contains an * (asterisk) indicating an invalid password or an ! (exclamation point) indicating that the password is in the /etc/security/passwd file. Under normal conditions, the field contains an !. If the field has an * and a password is required for user authentication, the user cannot log in.
UserID Specifies the user's unique numeric ID. This ID is used for discretionary access control. The value is a unique decimal integer.
PrincipleGroup Specifies the user's principal group ID. This must be the numeric ID of a group in the user database or a group defined by a network information service. The value is a unique decimal integer.
Gecos Specifies general information about the user that is not needed by the system, such as an office or phone number. The value is a character string. The Gecos field cannot contain a colon.
HomeDirectory Specifies the full path name of the user's home directory. If the user does not have a defined home directory, the home directory of the guest user is used. The value is a character string.
Shell Specifies the initial program or shell that is executed after a user invokes the login command or su command. If a user does not have a defined shell, /usr/bin/sh, the system shell, is used. The value is a character string that may contain arguments to pass to the initial program.

Users can have additional attributes in other system files. See the "Files" section for additional information.

Changing the User File

You should access the user database files through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases. Use the following commands to access user database files:

The mkuser command adds new entries to the /etc/passwd file and fills in the attribute values as defined in the /usr/lib/security/mkuser.default file.

The Password attribute is always initialized to an * (asterisk), an invalid password. You can set the password with the passwd or pwdadm command. When the password is changed, an ! (exclamation point) is added to the /etc/passwd file, indicating that the encrypted password is in the /etc/security/passwd file.

Use the chuser command to change all user attributes except Password. The chfn command and the chsh command change the Gecos attribute and Shell attribute, respectively. To display all the attributes in this file, use the lsuser command. To remove a user and all the user's attributes, use the rmuser command.

To write programs that affect attributes in the /etc/passwd file, use the subroutines listed in the related information section.

Security

Access Control: This file should grant read (r) access to all users and write (w) access only to the root user and members of the security group.

Examples

  1. Typical records that show an invalid password for smith and guest follow:
    smith:*:100:100:8A-74(office):/home/smith:/usr/bin/sh
    guest:*:200:0::/home/guest:/usr/bin/sh  
    The fields are in the following order: user name, password, user ID, primary group, general (gecos) information, home directory, and initial program (login shell). The * (asterisk) in the password field indicates that the password is invalid. Each attribute is separated by a : (colon).
  2. If the password for smith in the previous example is changed to a valid password, the record will change to the following:
    smith:!:100:100:8A-74(office):/home/smith:/usr/bin/sh 
    The ! (exclamation point) indicates that an encrypted password is stored in the /etc/security/passwd file.

Files

Item Description
/etc/passwd Contains basic user attributes.
/usr/lib/security/mkuser.default Contains default attributes for new users.
/etc/group Contains the basic attributes of groups.
/etc/security/group Contains the extended attributes of groups.
/etc/security/passwd Contains password information.
/etc/security/user Contains the extended attributes of users.
/etc/security/environ Contains the environment attributes of users.
/etc/security/limits Contains the process resource limits of users.