What does the account file of the Linux system consist of?

The account file consists of 5 parts: 1. "/etc/passwd", the system user configuration file, which stores the basic information of all users in the system; 2. "/etc/shadow", which stores the system The password information of the user; 3. "/ect/group", the user group configuration file, stores all the information of the user group, etc.

#The operating environment of this tutorial: linux5.9.8 system, Dell G3 computer.

The account file of the Linux system has 5 components:

• /etc/passwd file

• /etc/shadow file

• /ect/group file

• /etc/gshadow file

• /etc/login.defs file

1、/etc/passwd file

/etc/ The passwd file is a system user configuration file that stores the basic information of all users in the system, and all users can perform read operations on this file.

First of all, let’s open this file to see what it contains. The execution command is as follows:

[root@localhost ~]# vi /etc/passwd
#查看一下文件内容
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
...省略部分输出...

You can see that the contents of the /etc/passwd file are very regular, and each line of records corresponds to a user.

Readers may ask, how come there are so many users by default in the Linux system? The vast majority of these users are users necessary for the normal operation of the system or service. Such users are often called system users or pseudo-users. System users cannot be used to log in to the system, but they cannot be deleted, because once deleted, services or programs that rely on these users will not be able to execute normally, which will cause system problems.

Not only that, each line of user information uses ":" as the delimiter and is divided into 7 fields. The meaning of each field is as follows:

用户名：密码：UID（用户ID）：GID（组ID）：描述性信息：主目录：默认Shell

Next, I will give you one by one Introduce these fields.

Username

The username is a string of characters representing the user's identity.

As mentioned before, the user name is only for the convenience of user memory. The Linux system uses UID to identify user identities and assign user permissions. The corresponding relationship between username and UID is defined in the /etc/passwd file.

Password

"x" means that this user has a password, but it is not a real password. The real password is saved in the /etc/shadow file (next section give a detailed introduction).

In early UNIX, what was saved here was the real encrypted password string. However, since all programs can read this file, it is very easy for user data to be stolen.

Although the password is encrypted, it can also be cracked using brute force cracking.

Therefore, the Linux system now places the real encrypted password string in the /etc/shadow file. This file can only be browsed and operated by the root user, thus ensuring the security of the password to the greatest extent.

It should be noted that although "x" does not represent the real password, it cannot be deleted. If "x" is deleted, the system will think that the user does not have a password, resulting in only entering the user name. You can log in without entering a password (you can only log in without a password, not remotely). Unless there are special circumstances (such as cracking the user password), this is of course not feasible.

UID

UID, which is the user ID. Each user has a unique UID, and the Linux system identifies different users through UID.

Actually, UID is a number between 0 and 65535. Numbers in different ranges represent different user identities.

GID

The full name is "Group ID", referred to as "Group ID", which represents the group ID number of the user's initial group. The concepts of initial group and additional group need to be explained here.

Initial group means that the user has the relevant permissions of this user group when logging in. Each user can only have one initial group. Usually, the group name that is the same as the user's user name is used as the user's initial group. For example, if we manually add the user lamp, when creating the user lamp, the lamp group will be created as the initial group of the lamp user.

Additional groups mean that users can join multiple other user groups and have the permissions of these groups. Each user can only have one initial group. In addition to the initial group, users can join other user groups. These user groups are additional groups for this user. There can be multiple additional groups, and users can have permissions for these additional groups.

For example, in addition to the initial group lamp, I added the lamp user to the users group. Then the lamp user belongs to both the lamp group and the users group, where lamp is the initial group and users is an additional group. Group.

Of course, the identities of the initial group and additional groups can be modified, but we do not modify the initial group in our work, only the additional groups, because modifying the initial group sometimes confuses the administrator's logic.

It should be noted that the ID seen in the fourth field of the /etc/passwd file is the initial group of this user.

Descriptive information

This field has no important purpose, it is just used to explain the meaning of this user.

Main directory

也就是用户登录后有操作权限的访问目录，通常称为用户的主目录。

例如，root 超级管理员账户的主目录为 /root，普通用户的主目录为 /home/yourIDname，即在 /home/ 目录下建立和用户名相同的目录作为主目录，如 lamp 用户的主目录就是 /home/lamp/ 目录。

默认的Shell

Shell 就是 Linux 的命令解释器，是用户和 Linux 内核之间沟通的桥梁。

我们知道，用户登陆 Linux 系统后，通过使用 Linux 命令完成操作任务，但系统只认识类似 0101 的机器语言，这里就需要使用命令解释器。也就是说，Shell 命令解释器的功能就是将用户输入的命令转换成系统可以识别的机器语言。

通常情况下，Linux 系统默认使用的命令解释器是 bash（/bin/bash），当然还有其他命令解释器，例如 sh、csh 等。

2、/etc/shadow 文件

/etc/shadow 文件，用于存储 Linux 系统中用户的密码信息，又称为“影子文件”。

前面介绍了 /etc/passwd 文件，由于该文件允许所有用户读取，易导致用户密码泄露，因此 Linux 系统将用户的密码信息从 /etc/passwd 文件中分离出来，并单独放到了此文件中。

/etc/shadow 文件只有 root 用户拥有读权限，其他用户没有任何权限，这样就保证了用户密码的安全性。

注意，如果这个文件的权限发生了改变，则需要注意是否是恶意攻击。

介绍此文件之前，我们先打开看看，执行如下命令：

[root@localhost ~]#vim /etc/shadow
root: $6$9w5Td6lg
$bgpsy3olsq9WwWvS5Sst2W3ZiJpuCGDY.4w4MRk3ob/i85fl38RH15wzVoom ff9isV1 PzdcXmixzhnMVhMxbvO:15775:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
…省略部分输出…

同 /etc/passwd 文件一样，文件中每行代表一个用户，同样使用 ":" 作为分隔符，不同之处在于，每行用户信息被划分为 9 个字段。每个字段的含义如下：

用户名：加密密码：最后一次修改时间：最小修改时间间隔：密码有效期：密码需要变更前的警告天数：密码过期后的宽限时间：账号失效时间：保留字段

接下来，给大家分别介绍这 9 个字段。

用户名

同 /etc/passwd 文件的用户名有相同的含义。

加密密码

这里保存的是真正加密的密码。目前 Linux 的密码采用的是 SHA512 散列加密算法，原来采用的是 MD5 或 DES 加密算法。SHA512 散列加密算法的加密等级更高，也更加安全。

注意，这串密码产生的乱码不能手工修改，如果手工修改，系统将无法识别密码，导致密码失效。很多软件透过这个功能，在密码串前加上 "!"、"*" 或 "x" 使密码暂时失效。

所有伪用户的密码都是 "!!" 或 "*"，代表没有密码是不能登录的。当然，新创建的用户如果不设定密码，那么它的密码项也是 "!!"，代表这个用户没有密码，不能登录。

最后一次修改时间

此字段表示最后一次修改密码的时间，可是，为什么 root 用户显示的是 15775 呢？

这是因为，Linux 计算日期的时间是以  1970 年 1 月 1 日作为 1 不断累加得到的时间，到 1971 年 1 月 1 日，则为 366 天。这里显示 15775 天，也就是说，此 root 账号在 1970 年 1 月 1 日之后的第 15775 天修改的 root 用户密码。

那么，到底 15775 代表的是哪一天呢？可以使用如下命令进行换算：

[root@localhost ~]# date -d "1970-01-01 15775 days"
2013年03月11日 星期一 00:00:00 CST

可以看到，通过以上命令，即可将其换算为我们习惯的系统日期。

最小修改时间间隔

最小修改间隔时间，也就是说，该字段规定了从第 3 字段（最后一次修改密码的日期）起，多长时间之内不能修改密码。如果是 0，则密码可以随时修改；如果是 10，则代表密码修改后 10 天之内不能再次修改密码。

此字段是为了针对某些人频繁更改账户密码而设计的。

密码有效期

经常变更密码是个好习惯，为了强制要求用户变更密码，这个字段可以指定距离第 3 字段（最后一次更改密码）多长时间内需要再次变更密码，否则该账户密码进行过期阶段。

该字段的默认值为 99999，也就是 273 年，可认为是永久生效。如果改为 90，则表示密码被修改 90 天之后必须再次修改，否则该用户即将过期。管理服务器时，通过这个字段强制用户定期修改密码。

密码需要变更前的警告天数

与第 5 字段相比较，当账户密码有效期快到时，系统会发出警告信息给此账户，提醒用户 "再过 n 天你的密码就要过期了，请尽快重新设置你的密码！"。

该字段的默认值是 7，也就是说，距离密码有效期的第 7 天开始，每次登录系统都会向该账户发出 "修改密码" 的警告信息。

密码过期后的宽限天数

也称为“口令失效日”，简单理解就是，在密码过期后，用户如果还是没有修改密码，则在此字段规定的宽限天数内，用户还是可以登录系统的；如果过了宽限天数，系统将不再让此账户登陆，也不会提示账户过期，是完全禁用。

比如说，此字段规定的宽限天数是 10，则代表密码过期 10 天后失效；如果是 0，则代表密码过期后立即失效；如果是 -1，则代表密码永远不会失效。

账号失效时间

同第 3 个字段一样，使用自  1970 年 1 月 1 日以来的总天数作为账户的失效时间。该字段表示，账号在此字段规定的时间之外，不论你的密码是否过期，都将无法使用！

该字段通常被使用在具有收费服务的系统中。

保留

这个字段目前没有使用，等待新功能的加入。

3、/ect/group 文件

/ect/group 文件是用户组配置文件，即用户组的所有信息都存放在此文件中。

此文件是记录组 ID（GID）和组名相对应的文件。前面讲过，etc/passwd 文件中每行用户信息的第四个字段记录的是用户的初始组 ID，那么，此 GID 的组名到底是什么呢？就要从 /etc/group 文件中查找。

/etc/group 文件的内容可以通过 Vim 看到：

[root@localhost ~]#vim /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
…省略部分输出…
lamp:x:502:

可以看到，此文件中每一行各代表一个用户组。在前面章节中，我们曾创建 lamp 用户，系统默认生成一个 lamp 用户组，在此可以看到，此用户组的 GID 为 502，目前它仅作为 lamp 用户的初始组。

各用户组中，还是以 "：" 作为字段之间的分隔符，分为 4 个字段，每个字段对应的含义为：

组名：密码：GID：该用户组中的用户列表

接下来，分别介绍各个字段具体的含义。

组名

也就是是用户组的名称，有字母或数字构成。同 /etc/passwd 中的用户名一样，组名也不能重复。

组密码

和 /etc/passwd 文件一样，这里的 "x" 仅仅是密码标识，真正加密后的组密码默认保存在 /etc/gshadow 文件中。

不过，用户设置密码是为了验证用户的身份，那用户组设置密码是用来做什么的呢？用户组密码主要是用来指定组管理员的，由于系统中的账号可能会非常多，root 用户可能没有时间进行用户的组调整，这时可以给用户组指定组管理员，如果有用户需要加入或退出某用户组，可以由该组的组管理员替代 root 进行管理。但是这项功能目前很少使用，我们也很少设置组密码。如果需要赋予某用户调整某个用户组的权限，则可以使用 sudo 命令代替。

组ID (GID)

就是群组的 ID 号，Linux 系统就是通过 GID 来区分用户组的，同用户名一样，组名也只是为了便于管理员记忆。

这里的组 GID 与 /etc/passwd 文件中第 4 个字段的 GID 相对应，实际上，/etc/passwd 文件中使用 GID 对应的群组名，就是通过此文件对应得到的。

组中的用户

此字段列出每个群组包含的所有用户。需要注意的是，如果该用户组是这个用户的初始组，则该用户不会写入这个字段，可以这么理解，该字段显示的用户都是这个用户组的附加用户。

举个例子，lamp 组的组信息为 "lamp:x:502:"，可以看到，第四个字段没有写入 lamp 用户，因为 lamp 组是 lamp 用户的初始组。如果要查询这些用户的初始组，则需要先到 /etc/passwd 文件中查看 GID（第四个字段），然后到 /etc/group 文件中比对组名。

每个用户都可以加入多个附加组，但是只能属于一个初始组。所以我们在实际工作中，如果需要把用户加入其他组，则需要以附加组的形式添加。例如，我们想让 lamp 也加入 root 这个群组，那么只需要在第一行的最后一个字段加入 lamp，即 root:x:0:lamp 就可以了。

一般情况下，用户的初始组就是在建立用户的同时建立的和用户名相同的组。

4、/etc/gshadow文件

组用户信息存储在 /etc/group 文件中，而将组用户的密码信息存储在 /etc/gshadow 文件中。

首先，我们借助 Vim 命令查看一下此文件中的内容：

[root@localhost ~]#vim /etc/gshadow
root:::
bin:::bin, daemon
daemon:::bin, daemon
...省略部分输出...
lamp:!::

文件中，每行代表一个组用户的密码信息，各行信息用 ":" 作为分隔符分为 4 个字段，每个字段的含义如下：

组名：加密密码：组管理员：组附加用户列表

组名

同 /etc/group 文件中的组名相对应。

组密码

For most users, the group password is usually not set, so this field is often empty, but sometimes it is "!", which means that the group does not have a group password and does not have a group administrator.

Group Administrator

From the perspective of a system administrator, the biggest function of this file is to create a group administrator. So, what is a group administrator?

Considering that there are too many accounts in the Linux system, and the super administrator root may be busy, when a user wants to join a group, root may not be able to respond in time. In this case, if there is a group administrator, then he can add the user to the group he manages, saving the trouble of root.

However, due to the current tools such as sudo, this function of group administrators is rarely used.

Additional users in the group

This field displays which additional users are in this user group, and is the same as the additional group display in the /etc/group file.

5./etc/login.defs file

/etc/login.defs file is used to configure the user when creating a user. Make default settings for some basic properties, such as specifying the range of user UID and GID, user expiration time, maximum password length, etc.

It should be noted that the user default configuration of this file is not valid for the root user. And, when the configuration in this file conflicts with the user information in the /etc/passwd and /etc/shadow files, the system will take effect in /etc/passwd and /etc/shadow.

Readers can use the vim /etc/login.defs command to view the contents of the file. Table 1 provides a detailed explanation of each option in the file.

Table 1 /etc/login.defs file content

Setting items	Meaning
MAIL_DIR /var/spool/mail	When creating a user, the system will create a user mailbox in the directory /var/spool/mail. For example, the lamp user's mailbox is /var/spool/mail/lamp.
PASS_MAX_DAYS 99999	Password validity period, 99999 is the number of days that the password is valid since January 1, 1970, which is equivalent to 273 years. It can be understood that the password is always valid.
PASS_MIN_DAYS 0	Indicates the minimum number of days since the last password change before the user can change the password again. The default value is 0.
PASS_MIN_LEN 5	Specify the minimum length of the password, which defaults to no less than 5 characters. However, now that user authentication has been replaced by the PAM module when logging in, this option does not take effect.
PASS_WARN_AGE 7	Specifies the number of days before the system starts passing user passwords that are about to expire, the default is 7 days.
UID_MIN 500	Specify a minimum UID of 500, which means that when adding a user, the default UID starts at 500. Note that if you manually specify a user with a UID of 550, the next user created will have a UID starting from 551, even if the UIDs between 500 and 549 are not used.
UID_MAX 60000	The maximum UID for a given user is 60000.
GID_MIN 500	Specify a minimum GID of 500, which means that when adding a group, the group's GID starts at 500.
GID_MAX 60000	The maximum user GID is 60000.
CREATE_HOME yes	Specify whether to create the user's home directory when creating a user. Yes means to create it, no means not to create it. The default is yes.
UMASK 077	Permissions for the user's home directory are set to 077 by default.
USERGROUPS_ENAB yes	Specify whether to delete the user group at the same time when deleting the user. For preparation, this refers to deleting the initial group of the user. The default value of this item is yes.
ENCRYPT_METHOD SHA512	Specify the encryption rule used for user passwords. SHA512 is used by default. This is the new password encryption mode. The original Linux could only use DES or MD5 encryption.

Related recommendations: "Linux Video Tutorial"

The above is the detailed content of What does the account file of the Linux system consist of?. For more information, please follow other related articles on the PHP Chinese website!