
Unlock Linux User Management: Master /etc/passwd, /etc/shadow, /etc/group and More

This article explains the purpose and structure of key Linux user and group configuration files—including /etc/passwd, /etc/shadow, /etc/login.defs, /etc/group, and /etc/gshadow—detailing each field, default settings, and how they interrelate to manage accounts and permissions securely.

Open Source Linux

Preface

Earlier we studied the concepts and commands of Linux user and group management. Today we continue with the system configuration files that hold user account data.

User and Group Configuration Files

In a Linux system, user accounts and their attributes (excluding passwords) are stored in the /etc/passwd file. Because every user has read permission on this file, passwords are not stored in it; their hashes are kept in the /etc/shadow file instead.

/etc/passwd

The /etc/passwd file is the system's user account database: it stores the account information for every user (excluding passwords).

Each line defines one user account and consists of seven colon-separated fields.

The fields, from left to right, are:

username:encrypted_password:UID:GID:full_name_or_description:home_directory:login_shell

First field – username

Second field – encrypted password placeholder ("x")

Third field – user ID (UID)

Fourth field – group ID (GID)

Fifth field – user description (full name or empty)

Sixth field – home directory

Seventh field – login shell (e.g., /bin/bash; /sbin/nologin disables interactive login)

/etc/shadow

For security, actual passwords are hashed with SHA‑512 and the hashes are stored in /etc/shadow, which only root can read.

Explanation:

First field – username

Second field – encrypted password ("!!" if no password has been set; otherwise the password hash)

Third field – days since 1970‑01‑01 when the password was last changed

Fourth field – minimum number of days between password changes (0 means no restriction)

Fifth field – maximum number of days the password is valid (default 99999, effectively never expires)

Sixth field – days of warning before password expiration (default 7 days)

Seventh field – grace period (in days) after the password expires during which the old password can still be used to log in

Eighth field – account expiration date (days since 1970‑01‑01)

Ninth field – reserved (unused)
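As an added example (not code from the original article), the following Python parses constructed /etc/passwd and /etc/shadow records into the fields listed above and classifies each account's password-ageing state from the shadow day counts. The user names, day counts and placeholder hash strings are all constructed for illustration and do not come from any real system.

```python
"""Parse /etc/passwd and /etc/shadow records and classify password ageing.
Added example, not code from the original article. All records are constructed;
the hash strings are placeholders, not real crypt(3) output."""
from dataclasses import dataclass
from typing import Optional

# Shadow day counts are days since 1970-01-01; "today" is passed in as such a count.
# Constructed /etc/passwd sample. "guest" has an empty password field, which the
# audit should flag: no password is needed to log in if PAM allows empty passwords.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
guest::1004:1004::/home/guest:/bin/bash
"""
# Constructed /etc/shadow sample. "!!" = no password set, login disabled.
SHADOW_SAMPLE = """\
root:$6$PLACEHOLDER$PLACEHOLDER:19000:0:99999:7:::
daemon:!!:18000:0:99999:7:::
alice:$6$PLACEHOLDER$PLACEHOLDER:19690:1:90:7:::
bob:$6$PLACEHOLDER$PLACEHOLDER:19500:0:90:7::19800:
carol:$6$PLACEHOLDER$PLACEHOLDER:19500:0:90:7:30::
guest::19700:0:99999:7:::
"""

@dataclass
class PasswdEntry:
    name: str
    password: str   # "x": the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: Optional[int]    # None: ageing disabled
    min_days: int
    max_days: Optional[int]       # None: never expires
    warn_days: int
    inactive_days: Optional[int]  # grace period after expiry
    expire_day: Optional[int]     # absolute account expiry

def _opt_int(field: str) -> Optional[int]:
    return int(field) if field else None

def _records(text: str, nfields: int) -> list:
    """Split colon-separated lines, skipping blanks/comments, enforcing field count."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        rows.append(fields)
    return rows

def parse_passwd(text: str) -> list:
    return [PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
            for f in _records(text, 7)]

def parse_shadow(text: str) -> list:
    return [ShadowEntry(f[0], f[1], _opt_int(f[2]), int(f[3] or 0), _opt_int(f[4]),
                        int(f[5] or 0), _opt_int(f[6]), _opt_int(f[7]))
            for f in _records(text, 9)]

def password_status(e: ShadowEntry, today_days: int) -> str:
    """Classify one shadow record for a given day (days since 1970-01-01)."""
    if e.hash == "":
        return "empty-password"        # no hash at all: login may need no password
    if e.hash.startswith(("!", "*")):
        return "locked"                # "!!", "!$6$..." or "*": no usable hash
    if e.expire_day is not None and today_days >= e.expire_day:
        return "account-expired"
    if e.last_change is None or e.max_days is None:
        return "ok"                    # ageing not enforced for this account
    if e.last_change == 0:
        return "must-change"           # last_change 0 forces a change at next login
    expires_on = e.last_change + e.max_days
    if today_days >= expires_on:
        if e.inactive_days is not None and today_days >= expires_on + e.inactive_days:
            return "inactive"          # grace period over: login refused
        return "expired"               # still allowed in, must change password
    if today_days >= expires_on - e.warn_days:
        return "warning"
    return "ok"

def audit(passwd_text: str, shadow_text: str, today_days: int) -> dict:
    """Return name -> status, combining passwd-side checks with shadow ageing."""
    status = {e.name: password_status(e, today_days) for e in parse_shadow(shadow_text)}
    for u in parse_passwd(passwd_text):
        if u.password != "x":
            status[u.name] = "passwd-field-not-x"   # hash or empty field left in passwd
        elif u.uid == 0 and u.name != "root":
            status[u.name] = "extra-uid-0"
        status.setdefault(u.name, "no-shadow-entry")
    return status
```

Calling `audit(PASSWD_SAMPLE, SHADOW_SAMPLE, 19775)` reports root as ok, daemon as locked, alice in the warning window, bob expired, carol inactive (past its 30-day grace period) and guest flagged because its passwd password field is not "x". The same functions work on real files read with open("/etc/passwd").read() and, as root, open("/etc/shadow").read().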

/etc/login.defs

The /etc/login.defs file defines default settings applied when creating users, such as UID/GID ranges, password policies, and account expiration.

These defaults do not affect the root user, and where they conflict with the per-account values recorded in /etc/passwd or /etc/shadow, those files take precedence.

Example command to filter out comments and blank lines:

grep -v '^#' /etc/login.defs

Key parameters:

MAIL_DIR – /var/spool/mail (mail spool directory)

PASS_MAX_DAYS – 99999 (password valid for about 273 years, i.e. effectively never expires)

PASS_MIN_DAYS – 0 (minimum interval between password changes)

PASS_MIN_LEN – 5 (minimum password length; not enforced when PAM is used)

PASS_WARN_AGE – 7 (days before expiration to warn the user)

UID_MIN – 500 (minimum UID for regular users)

UID_MAX – 60000 (maximum UID)

GID_MIN – 500 (minimum group ID)

GID_MAX – 60000 (maximum group ID)

CREATE_HOME – yes (create home directory with useradd)

UMASK – 077 (default permission mask for newly created home directories)

USERGROUPS_ENAB – yes (delete the user's primary group when the user is removed)

ENCRYPT_METHOD – SHA512 (default password hashing algorithm)
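As an added example (not code from the original article), the following Python reads a login.defs-style file the same way the grep above does (dropping comment and blank lines), then compares the values against a password-policy baseline. LOGIN_DEFS_SAMPLE is a constructed file carrying the values listed above; BASELINE and HARDENED are assumed hardening choices for illustration, not distribution defaults.

```python
"""Parse /etc/login.defs and check the values against a password-policy baseline.
Added example, not code from the original article. LOGIN_DEFS_SAMPLE is a
constructed file; BASELINE and HARDENED are assumed policy choices."""

LOGIN_DEFS_SAMPLE = """\
# Constructed sample. Comment and blank lines are skipped, which is what
# `grep -v '^#' /etc/login.defs` achieves in the article.
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
GID_MIN         500
GID_MAX         60000
CREATE_HOME     yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD  SHA512
"""

# Assumed baseline: key -> (check on the string value, reason shown in a finding).
BASELINE = {
    "PASS_MAX_DAYS": (lambda v: int(v) <= 365, "passwords must expire within a year"),
    "PASS_MIN_DAYS": (lambda v: int(v) >= 1, "stop immediate re-changes that defeat history"),
    "PASS_MIN_LEN": (lambda v: int(v) >= 12, "minimum length 12 (advisory where PAM enforces length)"),
    "PASS_WARN_AGE": (lambda v: int(v) >= 7, "warn users at least a week ahead"),
    "UMASK": (lambda v: int(v, 8) & 0o077 == 0o077, "new home directories private to the owner"),
    "ENCRYPT_METHOD": (lambda v: v.upper() in ("SHA512", "YESCRYPT"), "use a strong password hash"),
}

# Assumed corrected settings for the three weak values in the sample.
HARDENED = {"PASS_MAX_DAYS": "365", "PASS_MIN_DAYS": "1", "PASS_MIN_LEN": "12"}

def parse_login_defs(text: str) -> dict:
    """Return KEY -> value, skipping blank lines and lines starting with '#'.
    If a key appears twice, the later line wins."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # KEY, then the rest of the line
        values[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return values

def audit_login_defs(values: dict) -> list:
    """Return (key, actual_value, reason) for every baseline check that fails."""
    findings = []
    for key, (ok, reason) in BASELINE.items():
        actual = values.get(key)
        if actual is None:
            findings.append((key, "<unset>", reason))
        elif not ok(actual):
            findings.append((key, actual, reason))
    return findings

def with_overrides(values: dict, overrides: dict) -> dict:
    """Merge corrected settings over the parsed values (overrides win)."""
    return {**values, **overrides}
```

On the sample, `audit_login_defs` flags PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_MIN_LEN; merging HARDENED over the parsed values clears every finding. To audit a live system, replace LOGIN_DEFS_SAMPLE with open("/etc/login.defs").read().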

/etc/group

Group account information is stored in /etc/group, readable by all users. The actual encrypted group passwords are kept in /etc/gshadow.

Explanation:

First field – group name

Second field – group password placeholder ("x"); the actual encrypted password is stored in /etc/gshadow

Third field – GID (group ID)

Fourth field – comma‑separated list of group members

The GID here corresponds to the fourth field of /etc/passwd; a user's primary group name is resolved through this file.

/etc/gshadow

The /etc/gshadow file stores encrypted group passwords and related information.

Explanation:

First field – group name (matches /etc/group)

Second field – group password (usually empty; if set, defines a group administrator)

Third field – group administrator

Fourth field – additional group members (same as the fourth field in /etc/group)

Group passwords are primarily used to designate a group administrator, allowing delegated management of group membership without root privileges. In practice this feature is rarely used; sudo is commonly employed instead.

In summary, we have covered /etc/passwd, /etc/shadow, /etc/group, and their relationships: first locate the GID and group name in /etc/group, then find the matching user and UID in /etc/passwd, and finally retrieve the corresponding password entry from /etc/shadow.
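As an added example (not code from the original article), the following Python walks the relationships just described in the /etc/group direction: it resolves each user's primary group from the GID in /etc/passwd, collects supplementary membership from the fourth field of /etc/group, and cross-checks /etc/group against /etc/gshadow. All records are constructed; "carol" deliberately has a GID with no /etc/group entry and "developers" has member lists that disagree between the two group files, so both appear as findings.

```python
"""Cross-reference /etc/passwd, /etc/group and /etc/gshadow.
Added example, not code from the original article. All records are constructed."""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:4000::/home/carol:/bin/bash
"""
GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:alice
alice:x:1001:
bob:x:1002:
developers:x:2000:alice,bob
"""
# gshadow fields: name:password:administrators:members ("!" = no password set)
GSHADOW_SAMPLE = """\
root:::
wheel:!::alice
alice:!::
bob:!::
developers:!:alice:alice
"""

def _records(text: str) -> list:
    """Colon-split every non-blank, non-comment line."""
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]

def _members(field: str) -> set:
    """Turn a comma-separated member list (possibly empty) into a set."""
    return {m for m in field.split(",") if m}

def primary_groups(passwd_text: str, group_text: str) -> dict:
    """User -> primary group name, via passwd field 4 == group field 3 (None if missing)."""
    gid_to_name = {int(g[2]): g[0] for g in _records(group_text)}
    return {u[0]: gid_to_name.get(int(u[3])) for u in _records(passwd_text)}

def memberships(passwd_text: str, group_text: str) -> dict:
    """User -> every group the user belongs to: primary group plus supplementary ones."""
    result = {name: ({grp} if grp else set())
              for name, grp in primary_groups(passwd_text, group_text).items()}
    for g in _records(group_text):
        for member in _members(g[3]):
            result.setdefault(member, set()).add(g[0])
    return result

def consistency_findings(passwd_text: str, group_text: str, gshadow_text: str) -> list:
    """Return (code, subject, detail) tuples for inconsistencies across the three files."""
    findings = []
    users = {u[0] for u in _records(passwd_text)}
    groups = {g[0]: g for g in _records(group_text)}
    gshadow = {g[0]: g for g in _records(gshadow_text)}
    gids = {u[0]: u[3] for u in _records(passwd_text)}
    for name, grp in primary_groups(passwd_text, group_text).items():
        if grp is None:
            findings.append(("unknown-primary-gid", name, gids[name]))
    for name, g in groups.items():
        for member in sorted(_members(g[3]) - users):
            findings.append(("member-not-in-passwd", name, member))
        if name not in gshadow:
            findings.append(("missing-gshadow-entry", name, ""))
            continue
        if _members(g[3]) != _members(gshadow[name][3]):
            findings.append(("member-list-mismatch", name,
                             f"group={g[3]!r} gshadow={gshadow[name][3]!r}"))
        for admin in sorted(_members(gshadow[name][2])):
            # Delegated membership management: worth knowing who holds it.
            findings.append(("group-administrator", name, admin))
    for name in sorted(gshadow.keys() - groups.keys()):
        findings.append(("missing-group-entry", name, ""))
    return findings
```

On the sample, `memberships` reports alice in alice, wheel and developers, and `consistency_findings` returns an unknown GID for carol, a member-list mismatch for developers, and a note that alice is a developers administrator. Real files can be passed in from /etc/passwd and /etc/group (world-readable) and, as root, /etc/gshadow.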
