
Linux User Account

A user account is a way to track and monitor system resource usage for each user. It contains a unique username and UID. The username can be changed but must be unique, while the UID is fixed and unique to that user account. There are different types of user accounts - the root user has highest privileges for system administration, regular user accounts have moderate privileges for routine tasks, and service accounts are for running system services without routine access. User information is stored in files like /etc/passwd and /etc/shadow to authenticate users and manage passwords and accounts.

Uploaded by

Debashish Roy
Copyright © All Rights Reserved

What is a user account?

A user account is a systematic approach to track and monitor the usage of
system resources. Each user account contains two unique identifiers:
username and UID.

When a user account is created, its username is mapped to a unique UID.

Username is flexible. It can be changed as per requirement. Regardless of
whether it is selected the first time or changed later, it must be unique in
the system. Two users can’t use the same username.

UID is fixed. It cannot be changed. Once assigned, it always remains the same
for that user account.

Username is used to access the user account. Username is also known as login
name. UID is used to authenticate, track and monitor the activity of the user
account. Username is used by the user, while the UID is used by the system.

The root user account

This is the main user account in a Linux system. It is automatically created
during the installation. It has the highest privilege in the system. It can do any
administrative work and can access any service. This account is intended for
system administration and should be used only for this purpose. It should not
be used for routine activities. It can’t be deleted, but if required, it can be
disabled.

The regular user account

This is the normal user account. During the installation, one regular user
account is created automatically. After the installation, we can create as many
regular user accounts as we need. This account has moderate privilege. This
account is intended for routine work. It can perform only the tasks for which
it is allowed and can access only those files and services for which it is
authorized. As per requirement, it can be disabled or deleted.

The service account

Service accounts are created by installation packages when they are installed.
These accounts are used by services to run processes and execute functions.
These accounts are neither intended nor should be used for routine work.

When a user enters a username and password, the following steps are performed
on the local system or on a remote system, depending on which user management
model is used.

If the centralized model is used, the following steps are performed on the
centralized system through a directory service; otherwise the same steps are
performed on the local system through the text files that contain user login
details.

- The system checks whether the user account exists or not.
- If the user account exists, it checks whether the user is allowed to log in
from the particular location where the username and password are entered.
- If the user is allowed to log in, it checks the supplied password.
- If the supplied password is incorrect, it checks the threshold value for
retries.
- If the threshold value is exceeded, it locks the account.
- If the threshold value is not exceeded, it allows the user to retype the
correct password.
- If the supplied password is correct, it checks the password expiry date.
- If the password is expired, it forces the user to update his password.
- If the password is about to expire, it shows a configured warning
message which prompts the user to change his password before the expiry date.

If supplied username and password are correct and all above conditions are
satisfied, user is allowed to login.

User management files


In the standalone user management model, user information is stored in four text
files named passwd, shadow, group and gshadow. These files are stored in the
/etc directory.

Since the entire user management system is controlled through these files,
Linux itself maintains and updates a backup copy of each file in the same
directory.

The backup copy is stored under the original name. To distinguish the backup
copy from the original copy, a hyphen sign is appended to the name of the
backup copy.

The following table lists the name of each backup file along with the original
file.

Original file name    Backup file name
passwd                passwd-
shadow                shadow-
group                 group-

The /etc/group file

In Linux every user must be a member of at least one group. When we create a
user account, the shell automatically creates a group and adds the created user
to it. This group is known as the user’s primary group. Unless we manually
change or update a user’s primary group name, it matches the username. For
example, if the username is john, his default primary group name will also be john.
Besides the primary group, additional groups can be set up as per requirement.

The file /etc/group stores group information. Each line in this file stores one
group entry. Each line contains following four fields separated by colons.

Group name, group password, GID, group members


Group name

This field is used to store the group name. There are three essential rules for
a group name.

- Each group name must be unique.
- A group name must be less than 255 characters in length.
- A group name must start with a letter.

Group password

If a group password is used, this field stores a placeholder character to
indicate that the password is stored in a separate file. If a group password is
not used, this field is kept blank.

GID

This field stores the GID of group.

Group members

This field stores the username of group members.

Since a group may contain several members and a user can be a member of
several groups, a user’s primary group cannot be determined from this
file. To find a user’s primary group, the /etc/passwd file should always
be used.

The /etc/gshadow file

This file stores group password and other password related information.
Password information of each group is stored in an individual line. There are
four fields in each line.

Group name, group password, group admin, group members


Group name

This field stores the name of group.

Group password

If a group password is used, this field stores it in encrypted form. If a group
password is not used, this field is kept blank to indicate that no password is
assigned.

Group admin

This field stores the username of group admin.


Group members

This field stores the username of group members.

The /etc/passwd file

This file contains a list of all user accounts. Each user account is stored in an
individual line. Each line contains following seven fields separated by colons.

1. Username
2. Placeholder character for password
3. UID
4. GID
5. Description
6. Home directory
7. Login shell

The /etc/shadow file

This file stores users’ password and password related information. Just
like /etc/passwd file, this file also uses an individual line for each entry. Each
line contains following nine fields.

1. Username
2. Encrypted password
3. Date of the last password change (in days since 1 January 1970)
4. Minimum number of days before the password can be changed again
5. Maximum number of days after which the password must be changed
6. Number of days before the password expiry date to display the warning
message
7. Number of days after password expiry to disable the account
8. Account expiration date
9. Reserved field

The /etc/passwd file is stored in the /etc directory. To view it, we can use any
regular file viewer command such as cat, less, more, etc.

# cat /etc/passwd

Each line in the /etc/passwd file represents an individual user account and
contains the following seven fields separated by colons (:).

1. Username or login name
2. Encrypted password
3. User ID
4. Group ID
5. User description
6. User’s home directory
7. User’s login shell

Let’s understand each field in detail.

Username or Login name

The first field stores username or login name. Login process compares the
value stored in this field with the value we typed at the login prompt in
username field. If both values match, login process assumes that username is
valid. While comparing username, login process starts looking for the supplied
username in the first field of each line starting from first line and keeps
looking until a match is found or all lines are checked.

Since each line represents an individual user account, the value stored in this
field must be unique.

This field can store a maximum of 32 characters. Due to this limit, a username in
Linux is always 32 characters or fewer in length.

This field does not have any default value. It means, in order to create a new
user account, we must have to supply the desired username.

As we know, Linux is a case sensitive operating system. In order to avoid any
unnecessary confusion, we should not use initial capitalization in a username.
For example, in Linux “Sanjay” and “sanjay” are two different usernames.

Except for colon and newline characters, we are allowed to use any symbol or
character in this field. The colon and newline characters are used as the field
separator and the entry separator in this file respectively.

Although we are allowed to use any symbol or character except colons and
newlines, still we should never use special symbols in this field. A username
with special symbol works in login process, but it may not work in other
processes or services. Let’s take an example to understand it more clearly.

It’s a common practice to use the username as an email address in Linux. In an
email address, the at (@) sign separates the recipient name and the domain name.

A username “sanjay@goswami”, if used with the default setup in a domain named
“example.com”, will become sanjay@goswami@example.com.

While parsing this address, the email server will understand the domain name
as “goswami@example.com” instead of “example.com” and the username
as “sanjay” instead of “sanjay@goswami”.

An email sent to this address will never be delivered. The best and safest way to
avoid this kind of error is to always use alphanumeric characters and generic
symbols such as underscore and hyphen in a username.

Encrypted password

The second field stores encrypted password. Historically, this field was used to
store user’s password encrypted with DES algorithm. Over the time computing
power increased and DES algorithm became trivial to crack.

To use a more secure algorithm, Linux moved the user’s password into a separate
file, /etc/shadow. Since the user’s password is no longer stored in this field, a
placeholder value x is used to indicate that the actual password is stored in
another location.

User ID

The third field stores the UID of the user. In Linux, every user has a unique ID known as
the UID (User ID). The UID is a 32 bit integer value. Linux uses the UID to track and
manage each action of the user such as creating a file, modifying system properties,
starting applications and processes, etc. The first UID (0) is always assigned to
the user root. Besides 0, other low UIDs (usually less than 500) are assigned to
service accounts such as bin, lp, mail, news, games, ftp etc. UIDs of regular user
accounts usually start from 500.

Never assign a deleted user account’s UID to a new user account. Linux uses the
UID rather than the login name to track file ownership. If files created under the deleted
account still exist in the system or are restored from backup, the new user will be mapped
to those files automatically.

Group ID

A group is a collection of user accounts which are alike or require access to a
particular resource. Linux is a multiuser network operating system. Managing
services based on individual user accounts is a tedious task. Grouping
makes this job easier. For example, you are asked to allow a specific service for
twenty users which belong to a particular group. Without grouping you have
to set the permission twenty times. But with grouping, you can do it in a single
step.

In Linux, every user belongs to one or more groups. While creating a user
account, if we don’t specify the group name, shell automatically creates a new
group and adds user account in that group. This group is known as primary
group or default group of the user. Once user account is created, as per
requirement it can be added in other groups. Other groups will be considered
as secondary groups of the user.

Fourth field in each line, stores GID of user’s primary group. Group
information of a user account is stored in /etc/group file separately. Just like
username, group name is also associated with a unique GID. Same as UID, GID
is a 32 bits integer value. Linux uses GID instead of group name to track,
monitor and authenticate the activities of group.

User description

The fifth field stores descriptive information about the user. In a multiuser
environment where several users use system, if stored, this field provides all
necessary information about a user such as his full name, email address,
phone number, position in organization, etc. Usually the chfn utility is used to
store and the finger utility is used to read this information.

Home directory

Sixth field stores information about user’s home directory. Login process uses
this information to decide where it has to put the user just after the login. In
other words, this is the default directory which user gets just after the login
process. While creating a user if this information is omitted, shell automatically
sets it to /home/username.

If login process does not find user’s home directory at the location specified in
this field, depending on system configuration, it may either completely
disallow the login or put the user in / directory. Getting root (/) directory just
after the login is an indication that user’s home directory is missing or not
accessible.

Login shell

The last field stores information about user’s default shell. If no shell
information is specified while creating a regular user account, shell will use
default value which is /bin/bash. If no shell is required, this field can be set to
blank.

Some special accounts never require shell access. Administrators usually
assign a fake shell such as /bin/false or set this field to blank in these accounts.
This precaution prevents hackers from breaking into the system through these
accounts.

Historically, the /etc/passwd file used to store all login information in a
standalone Linux system. Later, for the following reasons, password
information was moved into the /etc/shadow file.

- The /etc/passwd file has only one field for password information. Since
there is only one field, password related information other than the encrypted
password cannot be stored in this file.
- For password encryption, the /etc/passwd file supports basic algorithms
such as DES. A hacker can easily reveal a password encrypted with the DES
algorithm.
- The /etc/passwd file is world readable. It means any local user can
view the passwords stored in this file.

The /etc/shadow file addresses all of the above issues.

- The /etc/shadow file has nine fields to store the encrypted password and
other password related information.
- The /etc/shadow file supports all advanced algorithms and has plenty
of room for further updates.
- The /etc/shadow file is readable only by the root user.

The /etc/shadow file permission

Unlike the /etc/passwd file, the /etc/shadow file is not world readable. It is
readable only by the root user or super user. To see this feature in action,
access a root shell and run the following commands.

# su [any regular user account]
$ cat /etc/shadow
$ exit
# cat /etc/shadow

In Ubuntu Linux, by default the root account is disabled. If you are following
this tutorial on Ubuntu Linux, access a super user shell and run the following
commands.

$ cat /etc/shadow
$ sudo cat /etc/shadow
[sudo] password for super user

The following figure shows the above commands with their output.

As you can see in the above figure, when we tried to view the content
of the /etc/shadow file from a regular user account, the shell denied the action. But
when we performed the same action from a root user or super user account,
the shell allowed it.

This security feature keeps encrypted passwords safe from unauthorized users
and password cracking programs.

The /etc/shadow file format

Each line in the /etc/shadow file represents an individual user account and
contains the following nine fields separated by colons (:).

1. Username
2. Encrypted password
3. Date of last password change
4. Minimum required days between password changes
5. Maximum allowed days between password changes
6. Number of days in advance to display password expiration message
7. Number of days after password expiration to disable the account
8. Account expiration date
9. Reserved field

Let’s understand each field in detail.

Username

As we know, except for password information, all other login information is stored
in the /etc/passwd file. This field connects the /etc/shadow file
with the /etc/passwd file. In both files, this field represents the login name and stores
exactly the same information. When a new user account is created, both files
are updated simultaneously.

Encrypted password

This field stores actual user password in encrypted form. For encryption it uses
SHA512 algorithm. In this algorithm, a random salt is mixed with original
password before encryption. If two or more users have selected the same
password, due to this feature, their encrypted passwords will be different.

Controlling Login

Linux does not support blank password in login process. Any user or service
which does not have a valid password or have a blank password is not allowed
to login. By setting a value other than an encrypted password, this field can be
used to control the user login. For example, if the value (!) or (*) is stored in
this field, the account will be locked and user or service will not be allowed to
login.

Both characters (! and *) represent a blank password. The difference between
the two characters is that the first, the exclamation sign (!), is used for
user accounts and the second, the asterisk sign (*), is used for
service accounts. If required, a user account can be unlocked by setting a
password in this field through the passwd command.

Following figure shows both values in Ubuntu Linux.

Minimum required days between password changes

This field sets the minimum required days that must be elapsed between
password changes. Once a password is changed, a user is not allowed to
change his password until the days specified in this field are elapsed. If the
value is set to 0 (zero), user is allowed to change his password immediately.

Maximum allowed days between password changes

This field sets the maximum allowed days between password changes. Once a
password is changed, a user must have to change his password again before
the days specified in this field are elapsed. In other word, the days specified in
this field are the maximum allowed days for a user to use a password. If this
field is set to blank, a user can use his password as long as he wants to use.

By default there is a grace period of seven days. A user will be forced to
change his password when the days set in this field plus the extra seven days have
passed.

Number of days in advance to display password expiration message

This field sets the number of days in advance to display the password expiration
message. If the remaining days to change a password are less than or equal to the
days specified in this field, the user will get a warning message to change his
password.

The warning message is displayed only when the user logs in at a command line
terminal. This message is not displayed when the user logs in to a GUI desktop.

Number of days after password expiration to disable the account

This field sets the number of days after password expiration to disable the
account. If a user does not change his password within the maximum allowed days, his
password will be marked as expired. A user account whose password is expired
will be disabled automatically once the days specified in this field have elapsed.

Account expiration date

This field sets an account expiration date. A user is not allowed to login after
the date specified in this field. To specify a date, number of days starting from
1 January 1970 is used. For example, to set account expiration date to 28 June
2018, number 17710 will be used. If this field is set to blank, user account will
never expire.

Reserved field

The last field is reserved for the future. Since it’s a reserved field and does not
store any value, it is usually skipped while formatting this file.

Understanding /etc/shadow file entries with example

An entry in the /etc/shadow file looks like the following.

john:$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/:17707:0:90:14:::
Following table explains this entry field by field.


Field 1 (username): john. This is the username.

Field 2 (encrypted password): $6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/. This is the encrypted password.

Field 3 (date of last password change): 17707. John last changed his password on 25 June 2018.

Field 4 (minimum days between changes): 0. If required, John can change his password immediately.

Field 5 (maximum days between changes): 90. John can use this password till 30 September 2018 (90 + 7 grace days).

Field 6 (warning days): 14. After 15 September 2018, whenever John logs in at a CLI terminal, he will get a warning message to change his password.

Field 7 (days to disable after expiry): [blank field]. John’s account will not be disabled even if his password is expired.

Field 8 (account expiration date): [blank field]. John’s account will never expire.

Field 9 (reserved): omitted.
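
The same entry decoded programmatically, as an added example that is not from the original document; it also carries out the password expiry, warning and disable checks from the login procedure described earlier. The seven-day grace period the document describes is not part of the field format, so it is passed in as a grace_days parameter (an assumption of this example, defaulting to 0).

```python
# Added example (not from the original document): decode a /etc/shadow entry
# into calendar dates and a lock status. grace_days is this example's own
# parameter for the seven-day grace period the document describes.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # day fields count days from 1 January 1970

# The document's own sample entry (field 9 omitted, as the text notes).
SAMPLE_ENTRY = ("john:$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/"
                "LoaGzoFzaMm.YwOl/:17707:0:90:14:::")


def days_to_date(value):
    """Convert a days-since-1970 field to a date; a blank field means 'not set'."""
    return EPOCH + timedelta(days=int(value)) if value else None


def parse_shadow_entry(line, grace_days=0):
    """Return a dict describing one shadow entry's nine fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("shadow entry needs at least 8 colon-separated fields")
    fields += [""] * (9 - len(fields))        # tolerate an omitted reserved field
    name, pw, lastchg, min_days, max_days, warn, inactive, expire, _reserved = fields

    last_change = days_to_date(lastchg)        # field 3
    # Field 5: the password must be changed within max_days of the last change
    # (plus whatever grace period the caller chooses to model).
    if max_days and last_change is not None:
        password_expires = last_change + timedelta(days=int(max_days) + grace_days)
    else:
        password_expires = None                # blank: the password never expires
    # Field 6: the warning is shown this many days before expiry.
    warning_from = (password_expires - timedelta(days=int(warn))
                    if warn and password_expires else None)
    # Field 7: the account is disabled this many days after password expiry.
    disabled_on = (password_expires + timedelta(days=int(inactive))
                   if inactive and password_expires else None)

    return {
        "username": name,
        # "!" marks a locked user account, "*" a service account, and a blank
        # field holds no valid password: none of them can log in.
        "locked": pw == "" or pw[0] in "!*",
        "last_change": last_change,
        "can_change_immediately": min_days in ("", "0"),   # field 4
        "password_expires": password_expires,
        "warning_from": warning_from,
        "disabled_on": disabled_on,
        "account_expires": days_to_date(expire),           # field 8
    }


if __name__ == "__main__":
    for key, value in parse_shadow_entry(SAMPLE_ENTRY, grace_days=7).items():
        print(f"{key:24} {value}")
```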
