Friday, April 18, 2008

Using a Shadow Password File of Unix and Linux

To plug the password security hole presented by the /etc/passwd file, a technique called a shadow password file is usually used. This file contains the actual passwords, also in encrypted form. However, the shadow password file is not world-readable; its permissions are set so that only the root account can read it.

On many systems, the name of the shadow password file is /etc/shadow. Check your documentation to determine the exact path on your system. Also note that on some older systems (and a few current ones), you'll have to load an extra component to install the shadow password file capabilities. Keep up-to-date by consulting your vendor's Web site.

The contents of this file also can vary from one system to another. However, the following format contains the fields used in most implementations:


username:password:last:may:must:warn:expire:disable:reserved

The following list describes these fields:

  • username—This field serves the same purpose as it does in the /etc/passwd file: it is the login name for this user's account.
  • last—The number of days since January 1, 1970 on which the password for this account was last changed.
  • disable—The number of days since January 1, 1970 on which the account was disabled.

As you can see, using a shadow password file gives you additional control over accounts, such as setting password expiration values. It also gives you informational fields (such as last and disable) that can be used when managing user accounts.
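As an added example (not part of the original post), the following Python script reads records in the field layout shown above and reports the conditions the text cares about: an empty password field, an account past its disable day, and a password older than the must field, plus a check that the file mode grants no group or other access. The may/must/warn/expire fields are not described above, so the script assumes must is the maximum password age in days; day counts are treated as days since January 1, 1970 as the text states, and the sample records and hash placeholders are constructed.

```python
import stat
from datetime import date, timedelta

# Field order as given in the text; the meaning of "must" is an assumption (maximum password age).
FIELDS = ("username", "password", "last", "may", "must", "warn", "expire", "disable", "reserved")
EPOCH = date(1970, 1, 1)          # day counts in the file are relative to this date

# Constructed sample records; "$6$salt$hashedvalue" is a placeholder, not a real hash.
SAMPLE_SHADOW = """\
root:$6$salt$hashedvalue:13900:0:90:7:::
alice:$6$salt$hashedvalue:13500:0:90:7:14::
bob::13800:0:99999:7:::
carol:$6$salt$hashedvalue:13800:0:90:7::13850:
"""

def parse_shadow_line(line):
    """Split one record into a dict; the six day-count fields become int, or None when blank."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def day_to_date(days):
    return EPOCH + timedelta(days=days)   # 'last'/'disable' are days since 1970-01-01

def audit_record(rec, today_days):
    """Return findings for one parsed record, judged as of day number today_days."""
    findings = []
    if rec["password"] == "":
        findings.append("empty password field: account can be entered without a password")
    if rec["disable"] is not None and today_days >= rec["disable"]:
        findings.append(f"account disabled since {day_to_date(rec['disable'])}")
    if rec["last"] is not None and rec["must"] is not None:
        age = today_days - rec["last"]      # days since the password was changed
        if age > rec["must"]:               # 'must' assumed to be the maximum password age
            findings.append(f"password is {age} days old, maximum is {rec['must']}")
    return findings

def audit_shadow(text, today_days):
    """Map each username to its findings for every non-empty line of shadow-format text."""
    return {rec["username"]: audit_record(rec, today_days)
            for rec in (parse_shadow_line(ln) for ln in text.splitlines() if ln.strip())}

def shadow_mode_ok(st_mode):
    """True when the mode grants no group or other permission (e.g. 0600), as the text requires."""
    return stat.S_IMODE(st_mode) & 0o077 == 0
```

Calling audit_shadow(SAMPLE_SHADOW, 14000) judges the sample as of day 14000 (May 1, 2008); on a real host, pass the contents of the shadow file and os.stat(path).st_mode to shadow_mode_ok.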

The /etc/groups File

This file contains a list of user groups and a numerical value used to identify the group. The syntax for entries in this file is as follows:

groupname:grouppassword:groupID:username1,username2

  • groupname—A name associated with the group. Using a meaningful name can help you simplify user administration.
  • grouppassword—Yes, you can place a password on a group, but this is generally not done. Instead, this field is usually left blank.
  • groupID—This is the group's ID number, which is used by the operating system to identify the group. It is often referred to as the GID. This number can range from 0 to 32,767, and the numbers 0 to 10 are generally reserved for system groups. For example, in most Unix implementations, the root user has a GID of zero.
  • username1,username2 . . . —This is a comma-delimited list of the members of the group.

Users can be members of more than one group. If this is the case, the first group is the user's primary group, and the GID of this group is used when files are created or saved. Users can use the groups command to view the group(s) of which they are a member. The command chgrp can be used to change the current default group.
