The /etc/passwd and /etc/group files are fundamental to Linux user and group management. Understanding their structure, syntax, and proper management is essential for system administration, security, and maintaining a well-organized multi-user environment.
/etc/passwd File Structure
The passwd file contains user account information in a colon-separated format with seven fields per line.
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1000:John Doe:/home/john:/bin/bash
# username:password:UID:GID:GECOS:home_directory:shell
| Field | Description | Example | Notes |
|---|---|---|---|
| Username | User login name | john, root, www-data | Case sensitive, no spaces |
| Password | Password placeholder | x | 'x' indicates shadow password file |
| UID | User ID number | 0, 1000, 65534 | 0 = root, 1-999 = system users |
| GID | Primary Group ID | 0, 1000, 1001 | References /etc/group |
| GECOS | User information field | John Doe | Full name, room, phone, etc. |
| Home Directory | User's home directory | /home/john, /root | Absolute path required |
| Shell | Login shell | /bin/bash, /usr/sbin/nologin | Full path to executable |
/etc/group File Structure
The group file contains group information in a colon-separated format with four fields per line.
sudo:x:27:john
developers:x:1001:john,sarah,mike
john:x:1000:
# group_name:password:GID:user_list
| Field | Description | Example | Notes |
|---|---|---|---|
| Group Name | Group identifier | sudo, developers, john | Case sensitive, no spaces |
| Password | Group password | x | Rarely used, 'x' = /etc/gshadow |
| GID | Group ID number | 0, 27, 1001 | 0 = root group |
| User List | Group members | john,sarah | Comma-separated usernames |
UID and GID Number Ranges
| Range | Type | Purpose | Examples | Management |
|---|---|---|---|---|
| 0 | Superuser | Root user and group | root:root | System reserved |
| 1-999 | System Users/Groups | System services and daemons | www-data, mysql, postgres | Package managers |
| 1000-60000 | Regular Users/Groups | Human users and custom groups | john, developers, admin | System administrators |
| 65534 | Nobody | Unprivileged operations | nobody, nfsnobody | System reserved |
• Always check available UIDs/GIDs before creating new ones
• Use `getent passwd | cut -d: -f3 | sort -n` to see used UIDs
• Use `getent group | cut -d: -f3 | sort -n` to see used GIDs
• Maintain consistent UID/GID ranges across systems for NFS and shared environments
• Document custom UID/GID assignments for future reference
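The range checks described in this section, as an added example that is not part of the original page. It works on passwd-format text fed through stdin; SAMPLE_PASSWD is a constructed file, and on a real system you would pipe `getent passwd` into the same functions. Two allocation strategies are shown because they differ in a way that matters for file ownership: the lowest unused UID fills a gap left by a deleted account, while one-above-the-highest is what useradd tries first.

```shell
#!/bin/sh
# Added example (not from the original page): classify passwd entries by the
# UID ranges in the table above and pick a free UID for a new account.
# SAMPLE_PASSWD is a constructed file in passwd(5) format; pipe a real one
# ("getent passwd") into the functions instead when auditing a live system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
john:x:1000:1000:John Doe:/home/john:/bin/bash
sarah:x:1001:1001:Sarah Lee:/home/sarah:/bin/bash
mike:x:1003:1003:Mike Ray:/home/mike:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# classify_uids: read passwd lines on stdin, print "<user> <uid> <class>".
# Lines without exactly seven fields are reported as MALFORMED.
classify_uids() {
    awk -F: '
        NF != 7 { print $0 " MALFORMED"; next }
        {
            uid = $3 + 0
            if (uid == 0)          c = "superuser"
            else if (uid <= 999)   c = "system"
            else if (uid == 65534) c = "nobody"
            else if (uid <= 60000) c = "regular"
            else                   c = "out-of-range"
            print $1, uid, c
        }'
}

# lowest_free_uid: smallest unused UID in the regular range 1000-60000.
# Reusing a gap means the new user inherits any files still owned by the old UID.
lowest_free_uid() {
    awk -F: 'NF == 7 && $3 >= 1000 && $3 <= 60000 { used[$3 + 0] = 1 }
             END { for (u = 1000; u <= 60000; u++) if (!(u in used)) { print u; exit } }'
}

# next_uid_after_highest: one above the highest regular UID in use, which is
# what useradd tries first and which avoids inheriting orphaned files.
next_uid_after_highest() {
    awk -F: 'NF == 7 && $3 >= 1000 && $3 <= 60000 && $3 + 0 > hi { hi = $3 + 0 }
             END { print (hi ? hi + 1 : 1000) }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | classify_uids
printf 'lowest free UID: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | lowest_free_uid)"
printf 'next UID after highest: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | next_uid_after_highest)"
```

On the sample, the gap at 1002 is the lowest free UID while useradd-style allocation gives 1004; before handing a recycled UID to a new account, search for files still owned by it (`find / -xdev -uid 1002`) so the new user does not silently gain access to them.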
Special Users and Groups
System Users
Service accounts for system daemons and processes.
# Web server
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
# Database server
mysql:x:106:111:MySQL Server,,,:/nonexistent:/bin/false
# SSH server
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
Characteristics:
- UIDs 1-999 (system range)
- Non-login shells (/usr/sbin/nologin, /bin/false)
- Specific home directories for service data
- Created automatically by package managers
Special Purpose Groups
Groups with specific system privileges and access.
# Administrative privileges
sudo:x:27:john
# Audio device access
audio:x:29:pulse
# Video device access
video:x:44:john
# System administration
adm:x:4:syslog,john
Common Groups:
- sudo - Administrative privileges
- adm - System monitoring access
- dialout - Serial port access
- cdrom - CD/DVD drive access
- plugdev - External device access
Practical File Management
Working with passwd and group files
# 1. View passwd file contents
cat /etc/passwd
getent passwd
# Filter specific user
getent passwd john
grep john /etc/passwd
# 2. View group file contents
cat /etc/group
getent group
# Filter specific group
getent group sudo
grep developers /etc/group
# 3. Check user's groups
groups john
id john
getent group | grep john
# 4. Count users and groups
wc -l /etc/passwd # Total users
wc -l /etc/group # Total groups
getent passwd | wc -l
getent group | wc -l
# 5. Find system users (UID 1-999)
getent passwd | awk -F: '$3 >= 1 && $3 <= 999 {print $1 " : " $3}'
# 6. Find regular users (UID 1000+)
getent passwd | awk -F: '$3 >= 1000 && $3 != 65534 {print $1 " : " $3}'
# 7. Check for duplicate UIDs
getent passwd | cut -d: -f3 | sort -n | uniq -d
# 8. Check for duplicate GIDs
getent group | cut -d: -f3 | sort -n | uniq -d
# 9. List users with their primary groups (resolve each GID through getent)
getent passwd | while IFS=: read -r user pw uid gid rest; do
    gname=$(getent group "$gid" | cut -d: -f1)
    printf '%s : %s -> %s\n' "$user" "$gid" "${gname:-unknown}"
done
# 10. Check file permissions (should be 644)
ls -l /etc/passwd /etc/group
stat /etc/passwd
stat /etc/group
Related Authentication Files
/etc/shadow
Secure password storage with password hashes and account aging information.
john:$6$...$hash:18900:0:90:7:30:19000:
# username:password:last_change:min:max:warn:inactive:expire:reserved
Permissions: 640 (root:shadow)
Security: Contains password hashes, root access only
/etc/gshadow
Secure group password storage and group administration information.
developers:!::john,sarah
# groupname:password:admins:members
Permissions: 640 (root:shadow)
Usage: Rarely used in modern systems
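How the aging fields of a shadow entry combine into an account state, as an added example that is not part of the original page. The function reads one shadow-format line and a day number (days since 1970-01-01, the unit the file itself uses) and reports the state the login process would see; the ordering of the checks follows shadow(5). The line is the sample shown above, and the day numbers are constructed so each branch is reached.

```shell
#!/bin/sh
# Added example (not from the original page): read the aging fields of one
# /etc/shadow line and report the account's state for a given day number.
# Day numbers count from 1970-01-01 exactly as the file stores them; the
# shadow line and the "today" values are constructed inputs. For a live
# system use today=$(( $(date +%s) / 86400 )).
shadow_status() {   # usage: shadow_status '<shadow line>' <today_in_days>
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        NF < 8 { print "malformed"; exit }
        {
            hash = $2; last = $3; max = $5
            warn = $6; inact = $7; expire = $8
            if (hash == "")                          { print "no-password"; exit }
            if (hash ~ /^[!*]/)                      { print "locked"; exit }
            if (expire != "" && today >= expire + 0) { print "account-expired"; exit }
            if (last == "")                          { print "ok-no-aging"; exit }  # empty = aging off
            if (last + 0 == 0)                       { print "must-change"; exit }  # 0 = change at next login
            if (max == "" || max + 0 >= 99999)       { print "ok-no-aging"; exit }
            passexp = last + max                     # day the password stops being valid
            if (inact != "" && today >= passexp + inact) { print "inactive"; exit }
            if (today >= passexp)                    { print "password-expired"; exit }
            if (warn != "" && today >= passexp - warn)   { print "warn"; exit }
            print "ok"
        }'
}

# Stand-alone demo on the line shown above plus two constructed entries.
for day in 18950 18985 18995 19000; do
    printf 'john @ day %s: %s\n' "$day" "$(shadow_status 'john:$6$...$hash:18900:0:90:7:30:19000:' "$day")"
done
printf 'svc: %s\n' "$(shadow_status 'svc:!:18000:0:99999:7:::' 19000)"
printf 'bad: %s\n' "$(shadow_status 'bad::18000:0:99999:7:::' 19000)"
```

For the sample line the password was set on day 18900 with max 90, so it is valid until day 18990, warnings start 7 days before that, and the account itself stops working on day 19000 regardless of password state; an empty hash field is reported before anything else because it means password-less login, which is the condition the security checks below look for.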
User and Group Management Commands
User Information
- `id username` - Display user and group IDs
- `whoami` - Show current username
- `groups username` - Show user's groups
- `getent passwd username` - Get user entry
- `finger username` - User information (if installed)
File Analysis
- `getent passwd` - All user entries
- `getent group` - All group entries
- `cut -d: -f1 /etc/passwd` - List all usernames
- `awk -F: '{print $3 " " $1}' /etc/passwd | sort -n` - Users by UID
- `pwck` - Verify integrity of password files
- `grpck` - Verify integrity of group files
System Information
- `w` - Show logged in users and their processes
- `who` - Show logged in users
- `last` - Show last logged in users
- `users` - Show logged in usernames
Security Considerations
File Permissions and Security
-rw-r--r-- 1 root root /etc/passwd
-rw-r----- 1 root shadow /etc/shadow
-rw-r--r-- 1 root root /etc/group
-rw-r----- 1 root shadow /etc/gshadow
- /etc/passwd: Must be world-readable (644) for many system functions
- /etc/shadow: Must be root-only readable (640) to protect passwords
- /etc/group: World-readable (644) for group membership checks
- /etc/gshadow: Root-only (640) for group password protection
Security Best Practices
- Regularly audit user accounts and remove unused ones
- Ensure no users have UID 0 except root
- Check for accounts with empty passwords or invalid shells
- Monitor for unauthorized changes to authentication files
- Use `pwck` and `grpck` regularly to verify file integrity
- Implement proper backup procedures for authentication files
- Use centralized authentication (LDAP, Active Directory) for large environments
Common Security Checks
# Check for users with UID 0 (besides root)
sudo awk -F: '$3 == 0 && $1 != "root" {print $1}' /etc/passwd
# Check for accounts with no password
sudo getent shadow | awk -F: '$2 == "" {print $1}'
# Check for accounts with non-login shells (nologin/false)
sudo getent passwd | awk -F: '$7 ~ /false|nologin/ {print $1}'
# Verify file permissions
ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow
# Check for duplicate UIDs
sudo getent passwd | cut -d: -f3 | sort -n | uniq -d
# Check for users without home directories (empty field or path that is not a directory)
sudo getent passwd | awk -F: '$6 == "" || system("test -d \"" $6 "\"") {print $1 " : " $6}'
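The checks above gathered into one audit function, as an added example that is not part of the original page. Instead of reading the live system it builds a constructed set of passwd, shadow, group and gshadow files in a scratch directory (every account, hash and path in it is made up, including a second UID 0 account, an empty password hash, a duplicate UID, a stale group member and an over-permissive shadow file), so the findings are known in advance. Home directories are resolved under the scratch directory rather than /, and the permission check uses GNU `stat -c` with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example (not from the original page): the checks above wrapped as one
# audit function, run against a constructed set of passwd/shadow/group/gshadow
# files in a scratch directory rather than the live system, so the findings are
# known in advance. Every account, hash and path in the fixture is made up;
# home directories are resolved under the fixture directory instead of /.
make_fixture() {   # usage: make_fixture <dir>
    d=$1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
john:x:1000:1000:John Doe:/home/john:/bin/bash
sarah:x:1001:1001:Sarah Lee:/home/sarah:/bin/bash
ghost:x:1001:1001:duplicate uid:/home/ghost:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$fakesalt$fakehash:19000:0:99999:7:::
toor::19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
john:$6$fakesalt$fakehash:19000:0:90:7:::
sarah:$6$fakesalt$fakehash:19000:0:90:7:::
ghost:$6$fakesalt$fakehash:19000:0:90:7:::
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
sudo:x:27:john,mallory
developers:x:1001:john,sarah
EOF
    : > "$d/gshadow"
    mkdir -p "$d/root" "$d/var/www" "$d/home/john" "$d/home/sarah"
    chmod 644 "$d/passwd" "$d/group" "$d/shadow"   # shadow deliberately too open
    chmod 640 "$d/gshadow"
}

# audit_accounts: print one "<check>: <detail>" line per finding, nothing when clean.
audit_accounts() {   # usage: audit_accounts <dir>
    d=$1
    # 1. extra UID 0 accounts
    awk -F: '$3 == 0 && $1 != "root" { print "uid0: " $1 }' "$d/passwd"
    # 2. empty password hashes
    awk -F: '$2 == "" { print "empty-password: " $1 }' "$d/shadow"
    # 3. duplicate UIDs
    cut -d: -f3 "$d/passwd" | sort -n | uniq -d | sed 's/^/duplicate-uid: /'
    # 4. missing or unset home directories (checked under the fixture root)
    awk -F: -v root="$d" '$6 == "" || system("test -d \"" root $6 "\"") { print "missing-home: " $1 }' "$d/passwd"
    # 5. group members with no passwd entry (stale membership)
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++)
                        if (!(m[i] in seen)) print "unknown-member: " $1 ":" m[i] }' \
        "$d/passwd" "$d/group"
    # 6. permissions per the table above: 644 for passwd/group, 640 for shadow/gshadow
    for spec in passwd:644 group:644 shadow:640 gshadow:640; do
        name=${spec%%:*}; want=${spec##*:}
        have=$(stat -c %a "$d/$name" 2>/dev/null || stat -f %Lp "$d/$name")
        [ "$have" = "$want" ] || echo "perm: $name is $have, expected $want"
    done
}

# Stand-alone demo.
demo=$(mktemp -d)
make_fixture "$demo"
audit_accounts "$demo"
rm -rf "$demo"
```

Pointing `audit_accounts` at `/etc` with the `root` prefix dropped turns it into the live check; the stale-member test is the one addition over the commands above, and it matters because a name left in `sudo` that is later reused for a new account grants that account administrative rights without anyone editing the group file.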
• Never edit /etc/passwd or /etc/group files directly - use proper commands (useradd, usermod, etc.)
• Always verify file permissions after manual changes
• Regular backups of authentication files are essential
• Monitor for unauthorized account creation or privilege escalation
• Use `visudo` for sudoers file edits, never edit directly
• Implement proper logging and monitoring for authentication events
Key Takeaways
The /etc/passwd and /etc/group files are fundamental components of Linux user and group management. Understanding their structure, proper UID/GID allocation, and security considerations is essential for effective system administration. Regular auditing, proper file permissions, and using the correct management commands ensure system security and stability in multi-user environments.
Next Step: Explore Linux process management to understand how the system handles running programs, resource allocation, and service management.