LPI E C - passwd shadow

/etc/passwd & /etc/shadow

Welcome to our guide to two core Linux system files, /etc/passwd and /etc/shadow. As a system administrator you work with them every day: /etc/passwd records the accounts that exist on the system, and /etc/shadow holds the password hashes and password-aging information. Together they decide who can log in and under what conditions.

In this guide we walk through the fields of both files, explain what each one means, and give examples of the commands used to manage them, with the checks and caveats that matter in practice.

A practice exam at the end lets you test your understanding of the material.

Whether you are a seasoned administrator brushing up or a newcomer to the field, this guide is meant to deepen your understanding of /etc/passwd and /etc/shadow.

]# cat /etc/passwd -

The /etc/passwd file is a world-readable plaintext file that lists the user accounts on a Linux system (it has to be readable by everyone, because tools such as ls and ps use it to turn numeric UIDs into names). Each line is one account, with seven fields separated by colons:

  • Username: the user's login name
  • Password: historically the password hash; on any modern system this field contains just "x", meaning the hash is kept in /etc/shadow. An empty field means no password is required, and an actual hash here is exposed to every user on the system
  • User ID (UID): the numerical identifier the kernel uses for the user; UID 0 is root, whatever the username
  • Group ID (GID): the user's primary group, which becomes the group owner of files the user creates
  • User information (GECOS): free-form comment such as the user's full name, office or phone number
  • Home directory: the directory the user is placed in at login
  • Login shell: the program started when the user logs in; service accounts that must never log in interactively use /usr/sbin/nologin or /bin/false here
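The field layout above is all that an audit script needs. The following Python program is an added example written for this guide, not code from the original page: it parses passwd-format lines into records and applies the checks a reviewer runs over the file, such as additional UID 0 accounts, duplicate UIDs, password fields that are not "x", and accounts that can open an interactive shell. The sample lines are constructed rather than copied from a real system, and the set of no-login shells is an assumption to adjust for your distribution.

```python
"""Parse /etc/passwd records and flag the entries a security review looks at.

Added example for this guide; not code from the page. The sample lines below
are constructed, not taken from a real system.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a normal user, a service account, a second UID-0
# account, and a line whose password field is empty instead of "x".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
backup:x:0:0:backup operator:/root:/bin/sh
legacy::1001:1001:old migration account:/home/legacy:/bin/sh
"""

# Assumed set of shells that refuse an interactive session; extend as needed.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Split each non-empty line into the seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: list[PasswdEntry]) -> dict[str, list[str]]:
    """Return findings keyed by check name; each value lists the usernames hit."""
    uid_count = Counter(e.uid for e in entries)
    return {
        # Any UID 0 account is root, whatever it is called.
        "extra_uid0": [e.name for e in entries if e.uid == 0 and e.name != "root"],
        # Two names sharing a UID are one account as far as the kernel is concerned.
        "duplicate_uid": [e.name for e in entries if uid_count[e.uid] > 1],
        # Field 2 should be "x" (hash lives in /etc/shadow). Empty means no
        # password is needed; anything else is a hash in a world-readable file.
        "password_not_shadowed": [e.name for e in entries if e.password != "x"],
        # Accounts able to open an interactive session.
        "interactive": [e.name for e in entries if e.shell not in NOLOGIN_SHELLS],
    }


if __name__ == "__main__":
    for check, names in audit_passwd(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{check}: {', '.join(names) or '-'}")
```

To run it against the live file, call parse_passwd(open("/etc/passwd").read()); no privileges are needed because the file is world-readable, which is exactly why nothing secret belongs in it. On systems with LDAP or NIS accounts, feed it the output of getent passwd instead, since those accounts never appear in the local file.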

Examples of how to use /etc/passwd:

1. /* ==================== */
To add a new user, use the useradd command. For example, to add a user named "jdoe" with the home directory /home/jdoe and the login shell /bin/bash:

$ sudo useradd -m -d /home/jdoe -s /bin/bash jdoe

The -m option creates the home directory (populated from /etc/skel). Without it, -d only records the path in /etc/passwd; the directory is not created unless CREATE_HOME is enabled in /etc/login.defs. The new account starts with a locked password field in /etc/shadow and cannot log in until you run passwd jdoe.

2. /* ==================== */
To list all users on the system, use the cut command to extract the first field (the username) from each line of /etc/passwd. Note that this shows local accounts only; getent passwd prints the same format and also includes accounts from other NSS sources such as LDAP or NIS:

$ cut -d: -f1 /etc/passwd

3. /* ==================== */
To change a user's home directory, use the usermod command. With -m the contents of the old directory are moved to the new location; without it only the path in /etc/passwd changes and the user's files stay where they were:

$ sudo usermod -m -d /new/home/dir username

4. /* ==================== */
To lock a user account so that its password can no longer be used to log in, use usermod -L:

$ sudo usermod -L username

This does not overwrite the password; it prefixes the hash in /etc/shadow with "!", which no password can ever match, and usermod -U removes the prefix again with the original password intact. Be aware that this disables password authentication only. With the usual UsePAM yes configuration, sshd does not look at the "!" prefix, so an SSH key in the user's authorized_keys still works, and existing sessions and cron jobs are unaffected. To block the account for every authentication method, also set an account expiration date in the past with chage -E.

5. /* ==================== */
To change a user's login shell, you can use the usermod command:

$ sudo usermod -s /bin/zsh username

This will change the user's default shell to Zsh.


6. /* ==================== */
To create a new user account with a specific UID and GID, use the useradd command:

$ sudo useradd -u 1001 -g 1001 username

-g names the primary group, which must already exist (given by name or GID); create it first with groupadd or the command fails. Fixed UIDs matter when the same account must own files on several systems or on shared storage, because permissions follow the numeric ID, not the username.

7. /* ==================== */
To delete a user account, use the userdel command:

$ sudo userdel username

This removes the account from /etc/passwd, /etc/shadow and /etc/group but leaves the home directory and mail spool in place; add -r to remove those as well. Files the user owned elsewhere on the system keep the now-unassigned UID and show up in find / -nouser; review them before the UID is handed to a new account, which would silently inherit them.

8. /* ==================== */
To view a specific user's entry, search /etc/passwd for the username. Anchor the pattern so that "bob" does not also match "bobby" or a name in a GECOS field:

$ grep '^username:' /etc/passwd

This prints the user's complete record: UID, GID, GECOS, home directory and login shell. getent passwd username gives the same line and also consults LDAP or other NSS sources.

9. /* ==================== */
In a large organization with many departments, it may be necessary to limit access to certain resources based on department membership. One way to achieve this is to create a group for each department and assign users to their groups. This is done with the -G option of usermod, always together with -a (append):

$ sudo usermod -aG groupname username

-G on its own replaces the user's entire list of supplementary groups with the ones given, silently removing every other membership. With -a the user is added to groupname and keeps the others. The change applies to new sessions; verify it with id username.

10. /* =================== */
In some cases, it may be necessary to restrict a user's access to specific files or directories. This can be done using the chown and chmod commands to change the ownership and permissions of the files or directories in question:

$ sudo chown root:groupname /path/to/file
$ sudo chmod 640 /path/to/file

This will change the ownership of the file to the root user and the specified group, and set the file permissions to read and write for the owner, read for the group, and no access for others.

]# cat /etc/shadow -

The /etc/shadow file holds the password hashes and password-aging information for each account. It is readable only by root (and, on distributions such as Debian, by the shadow group), so that ordinary users cannot copy the hashes and attack them offline. Each line is one account, with nine fields separated by colons:

  • Username: the user's login name, matching the entry in /etc/passwd
  • Password: the hashed password in crypt(3) form, $id$salt$hash, where id identifies the algorithm ($6$ SHA-512, $y$ yescrypt, $5$ SHA-256, $1$ the obsolete MD5). Special values: a "!" prefix means the password is locked (usermod -L, passwd -l); "*" or "!!" means no password was ever set, so password login is impossible; an empty field means no password is required at all
  • Last password change: days since January 1, 1970. The value 0 means the user must change the password at the next login; an empty field disables password aging
  • Minimum password age: days that must pass before the user may change the password again (0 or empty: any time)
  • Maximum password age: days the password remains valid; after that the user must change it at login (99999 or empty: never expires)
  • Password warning period: days before expiry during which the user is warned at login
  • Password inactivity period: days after the password has expired during which it can still be changed; once that grace period has passed the account is disabled (empty: no inactivity period)
  • Account expiration date: days since January 1, 1970 after which the account is disabled regardless of the password state (empty: never)
  • Reserved field: not used
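To see how the nine fields combine, here is an added example written for this guide (not part of the original page) in Python: it parses shadow-format lines, classifies the password field (hash algorithm, locked, no password, empty) and applies the aging rules from shadow(5) in the order pam_unix's account stage checks them, so the arithmetic that login performs can be checked offline. The sample records are constructed, the hash strings are placeholders rather than real crypt(3) output, and "today" is passed in as a day count since 1970-01-01 (19730 = 2024-01-08) so that the result is reproducible.

```python
"""Classify /etc/shadow entries and evaluate their aging state.

Added example for this guide, not code from the page. The sample lines are
constructed and the hash strings are placeholders, not real crypt(3) output.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample (placeholder hashes), one line per situation in the text.
SAMPLE_SHADOW = """\
jdoe:$6$rounds=5000$saltsalt$placeholderhash:19700:0:90:7:14::
locked:!$6$saltsalt$placeholderhash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
newhire:$y$j9T$saltsalt$placeholderhash:0:0:90:7:::
soon:$6$saltsalt$placeholderhash:19645:0:90:7:::
expired:$6$saltsalt$placeholderhash:19630:0:90:7:::
stale:$6$saltsalt$placeholderhash:19500:0:90:7:14::
contractor:$6$saltsalt$placeholderhash:19700:0:90:7::19720:
nopass::19700:0:99999:7:::
"""

# crypt(3) identifiers that appear in the password field.
HASH_IDS = {"1": "md5", "2b": "bcrypt", "2y": "bcrypt", "5": "sha256",
            "6": "sha512", "7": "scrypt", "y": "yescrypt"}

EPOCH = date(1970, 1, 1)


def to_date(days: int) -> date:
    """Convert a shadow day count into a calendar date."""
    return EPOCH + timedelta(days=days)


def today_days() -> int:
    """Today as a shadow day count, for use against the live file."""
    return (date.today() - EPOCH).days


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]   # None = empty field = feature disabled
    min_age: Optional[int]
    max_age: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Split each non-empty line into nine fields; the ninth is reserved and ignored."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        days = [int(x) if x else None for x in f[2:8]]
        entries.append(ShadowEntry(f[0], f[1], *days))
    return entries


def password_state(pw: str) -> str:
    """Classify field 2. Only a crypt(3) string can ever match a typed password."""
    if pw == "":
        return "empty"          # no password required (pam_unix allows it only with nullok)
    if pw.startswith("!"):
        return "locked"         # "!" prefix from usermod -L / passwd -l; "!!" = never set
    if not pw.startswith("$"):
        return "no-password"    # "*" or other non-hash text: password login impossible
    return "hash:" + HASH_IDS.get(pw.split("$")[1], "unknown")


def account_state(e: ShadowEntry, today: int) -> str:
    """Apply the checks in the order pam_unix's account stage performs them."""
    # Account expiration comes first and blocks every login method.
    if e.expire is not None and e.expire > 0 and today >= e.expire:
        return "account-expired"
    pw = password_state(e.password)
    if not pw.startswith("hash:"):
        return pw               # nothing to age when no password can be used
    if e.last_change == 0:
        return "must-change"    # set by chage -d 0 / passwd -e
    if e.last_change is not None and e.max_age is not None and e.max_age >= 0:
        age = today - e.last_change
        if e.inactive is not None and e.inactive >= 0 and age > e.max_age + e.inactive:
            return "inactive"   # expired and past the grace period: account disabled
        if age > e.max_age:
            return "password-expired"   # login allowed, but a change is forced first
        if e.warn is not None and age > e.max_age - e.warn:
            return f"expires-in-{e.last_change + e.max_age - today}d"
    return "active"


def summarize(text: str, today: int) -> dict[str, str]:
    """Map each username in shadow-format text to its state on the given day."""
    return {e.name: account_state(e, today) for e in parse_shadow(text)}


if __name__ == "__main__":
    for name, state in summarize(SAMPLE_SHADOW, 19730).items():
        print(f"{name:12} {state}")
```

Reading the real file needs root: summarize(open("/etc/shadow").read(), today_days()) gives the live picture. Any account reported as "empty" deserves immediate attention: pam_unix refuses it unless nullok is configured, but other consumers of the file may not be so careful, and it is one of the first things an attacker with read access looks for.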

Examples of how to use /etc/shadow:

1. /* ==================== */
To change a user's password, use the passwd command. For example, to change the password for the user "jdoe":

$ sudo passwd jdoe

The command prompts for the new password (twice), hashes it with the algorithm configured for the system, and writes the hash and today's date into the user's /etc/shadow entry; the plaintext is never stored.

2. /* ==================== */
To list all accounts whose password is locked or unusable, use awk to print the username wherever the second field starts with "!" (locked by usermod -L or passwd -l) or with "*" (a system account that never had a password):

$ sudo awk -F: '$2 ~ /^[!*]/ {print $1}' /etc/shadow

Testing only for $2=="*" would miss every account locked by the administrator. The condition $2=="" finds the opposite and far more dangerous case: accounts that require no password at all.


3. /* ==================== */
To set a user's password interactively, run passwd followed by the username (the same command as in example 1). For scripted provisioning, chpasswd reads user:password pairs from standard input and hashes them itself, whereas useradd -p and usermod -p expect a hash that has already been computed, never a plaintext password:

$ sudo passwd username

4. /* ==================== */
To disable password aging for a user, set the minimum age to 0 and the maximum age to -1, which chage documents as removing the validity check (99999 days, the PASS_MAX_DAYS default in /etc/login.defs, has the same practical effect). Do not use -M 0: that makes the password expire one day after it was set, the opposite of what is intended:

$ sudo chage -m 0 -M -1 username


5. /* ==================== */
To lock a user's account because of a security concern, use usermod -L (or passwd -l), which prefixes the hash in /etc/shadow with "!" so that no password matches:

$ sudo usermod -L username

Unlock it again with usermod -U or passwd -u; the original hash is preserved, so the user keeps their password. Locking affects password authentication only: SSH keys, sessions already open and cron jobs are not affected.

6. /* ==================== */
To view a specific user's password expiration information, you can use the chage command:


$ sudo chage -l username

This will display the user's password expiration information, including the last password change date, the minimum and maximum password ages, and the password warning and inactivity periods.

7. /* ==================== */
To force a user to change their password at their next login, you can use the chage command:

$ sudo chage -d 0 username

This will set the user's last password change date to the epoch (January 1, 1970), which will require the user to change their password the next time they log in.

8. /* ==================== */
To temporarily disable a user's account without deleting it, lock the password and clear any account expiration date, so that the account can be reactivated later simply by unlocking it:

$ sudo usermod -L -e -1 username

-L prefixes the hash in /etc/shadow with "!", preventing password logins until usermod -U is run; -e -1 (or the documented -e "") removes the account expiration date rather than setting one. Note that this still leaves other authentication methods, such as SSH keys, working. If the account must be blocked outright, do the reverse with the expiration date and set it to a date in the past with chage -E.

9. /* ==================== */

In a high-security environment, it may be necessary to verify that each account complies with the password policy. passwd -S prints an account's password status on a single line:

$ sudo passwd -S username

The output has seven fields: the username; a status flag, P (usable password), L (locked) or NP (no password); the date of the last password change; and the minimum age, maximum age, warning period and inactivity period in days. passwd -S only reports. The policy itself is enforced by the aging values set with chage, the defaults in /etc/login.defs that apply to new accounts, and the PAM password modules (pam_pwquality or pam_cracklib) that check complexity when a password is changed.

10. /* =================== */
When a user has forgotten their password and cannot log in, the administrator sets a temporary password and then expires it, so that the user must choose a new one at the next login. Note that passwd from shadow-utils has no -f option; -e is the option that expires a password (chage -d 0 has the same effect):

$ sudo passwd username
$ sudo passwd -e username

The user logs in with the temporary password, is prompted immediately to replace it, and regains access to the account without the administrator ever knowing the final password.


Practice Assessment Exam
Answers below exam

1. /* ==================== */

A system administrator needs to add a new user called "jane" to the "sales" group. Which of the following commands should the administrator use?


A. usermod -p sales jane
B. usermod -g sales jane
C. useradd -G sales jane
D. useradd -p sales jane

2. /* ==================== */

A system administrator needs to change the ownership of a file called "data.txt" to a user called "john" and a group called "developers". Which of the following commands should the administrator use?


A. chown john:developers data.txt
B. chgrp john:developers data.txt
C. chmod 755 data.txt
D. chmod 640 data.txt

3. /* ==================== */

A system administrator needs to check the password aging information for a user called "bob". Which of the following commands should the administrator use?


A. passwd -S bob
B. passwd -l bob
C. passwd -f bob
D. passwd -u bob

4. /* ==================== */

A system administrator needs to temporarily disable the account for a user called "mary". Which of the following commands should the administrator use?


A. usermod -L -e -1 mary
B. usermod -l mary
C. userdel mary
D. passwd -d mary

5. /* ==================== */

A system administrator needs to create a new user account for a new employee named "Sam" who will be working in the accounting department. The user should have a home directory, an encrypted password, and should be a member of the "accounting" group. Which of the following commands should the administrator use?


A. useradd -g accounting -m -p mypassword Sam
B. useradd -G accounting -m -p mypassword Sam
C. useradd -g accounting -d /home/Sam -p mypassword Sam
D. useradd -G accounting -d /home/Sam -p mypassword Sam


6. /* ==================== */

A system administrator needs to grant a user called "jane" the ability to execute a script located in the /usr/local/bin directory. The script should not be readable or writable by the user. Which of the following commands should the administrator use?


A. chmod 711 /usr/local/bin/script.sh
B. chmod 700 /usr/local/bin/script.sh
C. chmod 555 /usr/local/bin/script.sh
D. chmod 755 /usr/local/bin/script.sh


7. /* ==================== */

A system administrator needs to delete a user called "tom" from the system, along with their home directory and all files owned by the user. Which of the following commands should the administrator use?


A. userdel -r tom
B. userdel -d /home/tom tom
C. userdel -f -r tom
D. userdel -r -f tom


8. /* ==================== */

A system administrator needs to give a user called "bob" the ability to read and write to a directory called "/data", but prevent them from deleting any files or directories within that directory. Which of the following commands should the administrator use?


A. chmod 640 /data
B. chmod 750 /data
C. chmod 755 /data
D. chmod 775 /data


9. /* ==================== */

A system administrator needs to change the password for a user called "joe" who is currently logged in to the system. Which of the following commands should the administrator use?


A. passwd joe
B. sudo passwd joe
C. chpasswd joe
D. sudo chpasswd joe


10. /* =================== */

A system administrator wants to grant a user named "jenny" read and write access to a file called "salesdata.txt", but also ensure that the file can only be edited by users in the "sales" group. Which of the following commands should the administrator use?


A. chmod 664 salesdata.txt
B. chgrp sales salesdata.txt && chmod 640 salesdata.txt
C. chown jenny:sales salesdata.txt && chmod 660 salesdata.txt
D. chown jenny:sales salesdata.txt && chmod 664 salesdata.txt


11. /* =================== */
A system administrator needs to give a group called "accounting" the ability to read, write, and execute files within a directory called "/financials", but prevent them from renaming or deleting any files within that directory. Which of the following commands should the administrator use?

A. chmod 750 /financials
B. chmod 755 /financials
C. chmod 770 /financials
D. chmod 775 /financials

12. /* =================== */

A system administrator wants to create a new user account called "sarah" and ensure that their home directory is set to "/home/users/sarah". Which of the following commands should the administrator use?


A. useradd sarah
B. useradd -d /home/users/sarah sarah
C. useradd -m -d /home/users/sarah sarah
D. useradd -M -d /home/users/sarah sarah

13. /* =================== */

You have a user account "jdoe" that needs to be temporarily disabled. Which command can you use to achieve this?

    A. passwd -l jdoe
    B. usermod -s /bin/false jdoe
    C. usermod -L jdoe
    D. chsh -s /bin/false jdoe


14. /* =================== */

You need to change the primary group of a user account "jsmith" to "sales". Which command can you use to achieve this?

    A. usermod -G sales jsmith
    B. usermod -aG sales jsmith
    C. usermod -g sales jsmith
    D. usermod -a -G sales jsmith


15. /* =================== */

You want to create a new user account "klee" with the home directory "/home/klee" and the default shell "/bin/bash". Which command can you use to achieve this?

    A. adduser klee -d /home/klee -s /bin/bash
    B. useradd -d /home/klee -s /bin/bash klee
    C. adduser klee -m -s /bin/bash
    D. useradd -m -d /home/klee -s /bin/bash klee

 

16. /* =================== */

You need to grant user "jdoe" the ability to run the "mount" command as root. Which command can you use to achieve this?

    A. usermod -aG sudo jdoe
    B. usermod -aG wheel jdoe
    C. visudo -f /etc/sudoers
    D. echo "jdoe ALL=(ALL) /bin/mount" >> /etc/sudoers


17. /* =================== */

You are a system administrator managing a server with multiple users. One of the users is unable to login to their account and receives an error message "User account has expired". Upon investigating, you find that the account's expiry date has passed. What could be the reason for this issue and how can you resolve it?


A) The user's account was manually expired by the administrator. To resolve this issue, the administrator can update the expiry date for the user's account in the /etc/shadow file using the chage command.

B) The user's account was set to expire automatically. To resolve this issue, the administrator can update the expiry date for the user's account in the /etc/shadow file using the chage command.

C) The user's account was locked due to failed login attempts. To resolve this issue, the administrator can unlock the user's account using the passwd command.


18. /* =================== */

You are a system administrator managing a server with multiple users. One of the users reports that they are unable to change their password. Upon investigation, you find that the user's password is not meeting the password policy requirements. What could be the reason for this issue and how can you resolve it?


A) The password policy requirements are set by the administrator. To resolve this issue, the administrator can modify the password policy in the /etc/pam.d/common-password file.

B) The password policy requirements are set by the user. To resolve this issue, the user can modify their password to meet the password policy requirements.

C) The password policy requirements are set by the system. To resolve this issue, the administrator can modify the password policy in the /etc/login.defs file.

 

ANSWERS

1. /* ==================== */

Answer: C. useradd -G sales jane

Explanation: To add a user to a group, the useradd command should be used with the -G option followed by the group name. In this scenario, the correct command is useradd -G sales jane.

Option A is incorrect because the -p option is used to set the encrypted password for the user. Option B is incorrect because the -g option is used to set the user's primary group, not additional groups. Option D is incorrect because the -p option is used to set the encrypted password for the user.
 

2. /* ==================== */

Answer: A. chown john:developers data.txt

Explanation: To change the ownership of a file, the chown command should be used with the format user:group file. In this scenario, the correct command is chown john:developers data.txt.

Option B is incorrect because the chgrp command is used to change the group ownership of a file, not the user ownership. Option C is incorrect because chmod 755 changes the file permissions, not the ownership. Option D is incorrect because chmod 640 changes the file permissions, not the ownership.

3. /* ==================== */

Answer:
A. passwd -S bob

Explanation: To check the password aging information for a user, the passwd command should be used with the -S option followed by the username. In this scenario, the correct command is passwd -S bob.

Option B is incorrect because -l locks the account's password. Option C is incorrect because passwd from shadow-utils has no -f option at all; -e is the option that expires a password to force a change. Option D is incorrect because -u unlocks the account's password.

4. /* ==================== */

Answer: A. usermod -L -e -1 mary

Explanation: To disable an account temporarily, lock its password with -L (a "!" is prefixed to the hash in /etc/shadow, reversible with usermod -U) and make sure no account expiration date gets in the way of reactivation: -e -1 (equivalently -e "") clears the expiration date, it does not set one. A locked password still permits logins by other means, such as an SSH key, because PAM's account checks ignore the "!" prefix; if the account must be blocked completely, set an expiration date in the past with chage -E instead.

Option B is incorrect because usermod -l renames the account. Option C is incorrect because userdel deletes the account, which is not temporary. Option D is the opposite of what is asked: passwd -d removes the password, after which the account can be used without one.

5. /* ==================== */

Answer: B. useradd -G accounting -m -p mypassword Sam

Explanation: -m creates the home directory (copied from /etc/skel). -d on its own, as in options C and D, only records a path in /etc/passwd and creates nothing unless CREATE_HOME is enabled in /etc/login.defs, so C and D fail the home-directory requirement. -G adds Sam to accounting as a supplementary group while keeping the usual private primary group; -g (option A) would make accounting the primary group, so every file Sam creates would be group-owned by the whole department, which is not what membership in a department group usually means.

Two cautions about -p apply to every option here: it expects the already-hashed password, not the plaintext, so -p mypassword stores the literal string "mypassword" in /etc/shadow and no password will ever match it (generate a hash first, for example with openssl passwd -6 or mkpasswd); and anything passed on the command line is visible in ps output and shell history. The usual practice is useradd followed by an interactive passwd, or chpasswd fed from a file with restricted permissions.



6. /* ==================== */

Answer: A. chmod 711 /usr/local/bin/script.sh

Explanation: 711 gives the owner read, write and execute and everyone else execute only, so jane can run the script but can neither read nor modify it, which is exactly the requirement. Options D (755) and C (555) both leave the file readable by group and others, so jane could read it. Option B (700) gives jane no access at all.

Caveat: execute-only permission works for compiled binaries, but a shell script is run by handing the file to the interpreter named on its #! line, and that interpreter must be able to read the file. An execute-only script.sh therefore fails with "Permission denied" for jane. If a script really must be runnable without being readable, that calls for an intermediary such as a sudo rule or a setuid wrapper, not permission bits alone.


7. /* ==================== */

Answer: A. userdel -r tom

Explanation: -r removes the home directory and mail spool together with the account. -f (options C and D) forces removal even if tom is still logged in or the home directory belongs to someone else; it is not needed here and can leave a running session owning an unassigned UID, so use it only deliberately. C and D are the same command (option order is irrelevant), and neither is preferable to A. Option B is invalid: userdel has no -d option.

Note that no userdel option removes files tom owns outside the home directory. Find them with find / -user tom before deletion (or find / -nouser afterwards) and reassign or remove them before the UID is reused by a new account.


8. /* ==================== */

Answer: D. chmod 775 /data, with the caveat that no listed mode fully meets the requirement.

Explanation: Assuming bob is in the directory's group (set separately with chown), 775 is the only option that gives him write access: 640 (A) and 750 (B) give the group no write bit, and 755 (C) gives write to the owner only. The second half of the requirement cannot be met with these bits, however: write permission on a directory is precisely what allows creating, renaming and unlinking entries in it, so bob can delete files as soon as he can create them. The standard way to let users add files but not remove each other's is the sticky bit (chmod 1775 /data or chmod +t /data), which restricts deletion and renaming to the file's owner, the directory's owner and root; this is how /tmp works. If bob must not delete even his own files, a different mechanism is needed, such as the append-only attribute (chattr +a) on the directory, which allows new entries but forbids removing or renaming them.


9. /* ==================== */

Answer: A. passwd joe

Explanation: passwd joe sets a new password for joe. The command requires root privileges, so either the administrator is already root (A) or prefixes sudo (B); the two are equivalent, and B is what an administrator working from an unprivileged account would type. That joe is currently logged in makes no difference: the hash in /etc/shadow is replaced immediately, existing sessions continue, and the new password applies to the next authentication.

Options C and D are wrong on syntax: chpasswd takes no username argument. It reads user:password pairs from standard input and is meant for bulk updates.


10. /* ==================== */

Answer: C. chown jenny:sales salesdata.txt && chmod 660 salesdata.txt

Explanation: To grant a user read and write access to a file and ensure that it can only be edited by members of a specific group, the chown and chmod commands can be used. In this scenario, the correct command is chown jenny:sales salesdata.txt && chmod 660 salesdata.txt, which changes the ownership of the file to user "jenny" and group "sales", and sets the file permissions to read and write for the owner and group, but no permissions for others.

Option A is incorrect because 664 neither changes the file's group nor protects it: the file stays readable by everyone. Option B is incorrect because it leaves the owner unchanged, so jenny gets at most group access, which with 640 is read only. Option D is incorrect because 664 grants read access to all other users, exposing the sales data outside the group.


11. /* =================== */

Answer: C. chmod 770 /financials

Explanation: 770 gives the owner and the group read, write and execute on the directory and nothing to others, so members of accounting (assuming the directory's group is accounting) can list, enter and create files, while everyone else is kept out. Option A (750) withholds write from the group. Options B (755) and D (775) let every user on the system list and enter the directory; 775 gives the group the same access as C but also exposes it to others.

As in question 8, no permission mode can grant write on a directory and still forbid renaming or deleting entries: those operations are exactly what directory write permission allows. Add the sticky bit (chmod 1770 /financials) so that only a file's owner, the directory's owner and root may delete or rename it.

12. /* =================== */

Answer: C. useradd -m -d /home/users/sarah sarah

Explanation: To create an account with a specific home directory, use useradd with -d to record the path and -m to create the directory (populated from /etc/skel). In this scenario, the correct command is `useradd -m -d /home/users/sarah sarah`. Option A uses the default location, /home/sarah. Option B records /home/users/sarah in /etc/passwd without creating it (unless CREATE_HOME is enabled in /etc/login.defs), so sarah would log in to a missing directory. Option D (-M) explicitly suppresses creation of the directory.


13. /* =================== */

Answer: A or C. passwd -l jdoe and usermod -L jdoe do the same thing: they prefix the hash in /etc/shadow with "!", so no password matches, and passwd -u or usermod -U reverses it with the original password intact. Options B and D instead change the login shell to /bin/false, which stops interactive logins but leaves the password valid for any other service that authenticates through PAM, and undoing it means remembering the original shell. Note that locking the password does not block SSH public-key logins, because PAM's account checks ignore the "!" prefix; to disable the account for every authentication method, set an expiration date in the past with chage -E.


14. /* =================== */

Answer: C. usermod -g sales jsmith changes the primary group of user "jsmith" to "sales". Option A is harmful rather than merely wrong: -G without -a replaces the user's entire list of supplementary groups with "sales", removing every other membership. Options B and D are the same command written two ways (-aG and -a -G); they add "sales" as a supplementary group while keeping existing memberships, which is not what was asked.



15. /* =================== */

Answer: D. useradd -m -d /home/klee -s /bin/bash klee creates the account with the requested home directory and shell, and -m creates the directory itself (copying /etc/skel). Option B records the same path and shell but creates the directory only if CREATE_HOME is enabled in /etc/login.defs, which is the default on Red Hat derivatives but not on Debian and Ubuntu, so it is not portable. Options A and C use adduser, which on Debian is a separate interactive front end with its own options (--home, --shell) and on Red Hat is simply another name for useradd; neither form behaves the same across distributions.


16. /* =================== */

Answer: C. visudo -f /etc/sudoers opens the sudoers file with a lock held and checks the syntax before the file is saved (/etc/sudoers is the default, so plain visudo does the same; visudo -f /etc/sudoers.d/jdoe is the cleaner choice for a per-user drop-in). The line to add is the one shown in option D, jdoe ALL=(ALL) /bin/mount, but appending it with echo bypasses the syntax check: one malformed line makes sudo refuse to run for every user, including the administrator who would fix it. Options A and B add jdoe to the distribution's administrative group (sudo on Debian and Ubuntu, wheel on Red Hat and Fedora), which grants unrestricted sudo, far more than the single command requested. Bear in mind that unrestricted mount as root is in practice full root anyway: the user can mount a filesystem image containing a setuid shell, or bind-mount over system directories. Restrict the allowed arguments or use the user option in /etc/fstab for the specific filesystem instead.


17. /* =================== */

Answer: B) The user's account was set to expire automatically. To resolve this issue, the administrator can update the expiry date for the user's account in the /etc/shadow file using the chage command.

Explanation: The error message "User account has expired" indicates that the user's account has reached its expiry date. This could be due to either a manual expiry set by the administrator or an automatic expiry set when the user's account was created. Option A is partially correct in identifying that the administrator can update the expiry date in the /etc/shadow file, but it does not explain the reason for the issue. Option C is incorrect because a locked account would result in a different error message and requires a different resolution.

Option B is the correct answer because it explains that the user's account was set to expire automatically and provides the solution: update the expiry date in /etc/shadow using the chage command. chage -l user shows the current dates, chage -E YYYY-MM-DD user sets a new expiration date, and chage -E -1 user removes the expiration altogether.

It is important to note that the administrator should also investigate why the account was set to expire and ensure that the expiry date is appropriate for the user's access needs.

 


18. /* =================== */

Answer:
A) The password policy requirements are set by the administrator. To resolve this issue, the administrator can modify the password policy in the /etc/pam.d/common-password file.

Explanation:
Password complexity rules (minimum length, character classes, dictionary words, similarity to the previous password) are enforced by the PAM password stack, not by /etc/login.defs. On Debian and Ubuntu that stack is /etc/pam.d/common-password; on Red Hat derivatives it is /etc/pam.d/system-auth and password-auth, normally generated by authselect. The rules themselves are the arguments of pam_pwquality (pam_cracklib on older systems, or pam_passwdqc) and, for pam_pwquality, the settings in /etc/security/pwquality.conf. A rejection such as "BAD PASSWORD: The password is shorter than 8 characters" comes from that module, and relaxing or tightening the policy is done there.

Option C is incorrect because /etc/login.defs only supplies defaults for password aging (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE) that useradd copies into /etc/shadow for new accounts, plus the default hash algorithm (ENCRYPT_METHOD) for the shadow tools; its PASS_MIN_LEN setting is ignored on PAM-based systems. Option B is incorrect because users cannot set policy, only choose a password that satisfies it.

Before changing anything, confirm the cause. If passwd says the password cannot be changed yet, the account's minimum password age has not elapsed (chage -l user shows it); that is a /etc/shadow setting, not a complexity rule, and the fix is chage -m, not PAM.