LPI E C - passwd shadow
etc/passwd & etc/shadow
Welcome to our comprehensive guide on the Linux system files, "/etc/passwd" and "/etc/shadow"! As a system administrator, these files are essential components of your day-to-day work. They hold valuable information about user accounts and passwords, which allows you to manage your system efficiently and securely.
In this guide, we'll explore the contents of both files in detail and explain the purpose of each field. We'll provide you with numerous examples and snippets of code that will help you better understand how to use these files to your advantage. 
Additionally, we'll offer practice exams to test your knowledge and understanding of the concepts we've discussed.
So whether you're a seasoned system administrator looking to brush up on your skills or a newcomer to the field, this guide is the perfect resource for anyone who wants to deepen their understanding of the "/etc/passwd" and "/etc/shadow" files.
]# cat /etc/passwd -
The /etc/passwd file is a plaintext file that contains user account information on a Linux system. Each line in the file represents a single user account, and the fields are separated by colons. The fields in /etc/passwd are:
- Username: the user's login name
- Password: the user's encrypted password (Note: on modern systems this field holds only an x placeholder; the password hash itself is stored in /etc/shadow)
- User ID (UID): a unique numerical identifier for the user
- Group ID (GID): the primary group ID for the user
- User information (GECOS): additional information about the user, such as their full name
- Home directory: the user's home directory
- Login shell: the user's login shell, which is the program that is run when the user logs in
Examples of how to use /etc/passwd:
1. /* ==================== */
To add a new user to the system, you can use the useradd command. For example, to add a new user named "jdoe" with a home directory of /home/jdoe and a login shell of /bin/bash, you could run the following command:
$ sudo useradd -d /home/jdoe -s /bin/bash jdoe
2. /* ==================== */
To list all users on the system, you can use the cut command to extract the first field (the username) from each line of the /etc/passwd file:
$ cut -d: -f1 /etc/passwd
3. /* ==================== */
To change a user's home directory, you can use the usermod command:
$ sudo usermod -d /new/home/dir username
4. /* ==================== */ 
To lock a user account, preventing them from logging in, you can use the usermod command to set the user's password to an invalid value:
$ sudo usermod -L username
5. /* ==================== */
To change a user's login shell, you can use the usermod command:
$ sudo usermod -s /bin/zsh username
This will change the user's default shell to Zsh.
6. /* ==================== */
To create a new user account with a specific UID and GID, you can use the useradd command:
$ sudo useradd -u 1001 -g 1001 username
This will create a new user account with the UID and GID set to 1001.
7. /* ==================== */
To delete a user account, you can use the userdel command:
$ sudo userdel username
This will delete the user account and remove its home directory.
8. /* ==================== */
To view a specific user's account information, you can use the grep command to search for the username in the /etc/passwd file:
$ grep username /etc/passwd
This will display the user's account information, including their UID, GID, home directory, and login shell.
9. /* ==================== */
In a large organization with many different departments, it may be necessary to limit access to certain resources based on department membership. One way to achieve this is to create a separate group for each department, and assign users to their respective groups. This can be done using the -G option of the usermod command:
$ sudo usermod -G groupname username
This will add the user to the specified group, allowing them to access resources that are restricted to that group.
10. /* =================== */
In some cases, it may be necessary to restrict a user's access to specific files or directories. This can be done using the chown and chmod commands to change the ownership and permissions of the files or directories in question:
$ sudo chown root:groupname /path/to/file
$ sudo chmod 640 /path/to/file
This will change the ownership of the file to the root user and the specified group, and set the file permissions to read and write for the owner, read for the group, and no access for others. 
]# cat /etc/shadow -
The /etc/shadow file is a plaintext file that contains the encrypted passwords for user accounts on a Linux system. The file is readable only by the root user, and it is used to store the password hashes for each user. Each line in the file represents a single user account, and the fields are separated by colons. The fields in /etc/shadow are:
- Username: the user's login name
- Password: the user's encrypted password
- Last password change: the date of the last password change, represented as the number of days since January 1, 1970
- Minimum password age: the minimum number of days that must pass before the user can change their password again
- Maximum password age: the maximum number of days that the password is valid before the user is required to change it
- Password warning period: the number of days before the password expires that the user will receive a warning message
- Password inactivity period: the number of days that a user can have an expired password before their account is disabled
- Account expiration date: the date on which the user account will be disabled
- Reserved field: not used
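The two field layouts above, parsed and checked together. This is an added example written for this guide, not code from the original page; the passwd and shadow contents, the "$6$SALT$HASH" placeholder and the value of TODAY are constructed, and aging_state is a simplified model of the checks login applies, not the shadow-utils code itself.

```python
from collections import namedtuple

# Constructed sample files; "$6$SALT$HASH" stands in for a real SHA-512 crypt hash.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
backup:x:1002:1002::/home/backup:/bin/bash
oldadm:x:0:0:Legacy admin:/home/oldadm:/bin/bash
svc:x:1003:1003:Service:/var/svc:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """\
root:$6$SALT$HASH:19600:0:99999:7:::
daemon:*:19000:0:99999:7:::
jdoe:$6$SALT$HASH:19615:0:90:7:14::
backup::19000:0:99999:7:::
oldadm:$6$SALT$HASH:19500:0:90:7:14::
svc:!$6$SALT$HASH:19000:0:99999:7::19690:
"""
TODAY = 19700  # constructed "today", in days since 1970-01-01 like the shadow fields

# Field order exactly as in the two files (see the field lists above).
Passwd = namedtuple("Passwd", "name passwd uid gid gecos home shell")
Shadow = namedtuple("Shadow", "name hash lastchg min_age max_age warn inactive expire")

def parse_passwd(text):
    entries = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(Passwd(f[0], f[1], int(f[2]), int(f[3]), *f[4:]))
    return entries

def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9:  # 8 documented fields plus the reserved one
            raise ValueError(f"malformed shadow line: {line!r}")
        # an empty aging field means "not set", so keep it as None rather than 0
        entries[f[0]] = Shadow(f[0], f[1], *[int(x) if x else None for x in f[2:8]])
    return entries

def password_state(hash_field):
    """Classify the password field the way login and PAM treat it."""
    if hash_field == "":
        return "empty"        # no password at all: a blank password is accepted
    if hash_field.startswith("!"):
        return "locked"       # usermod -L and passwd -l prepend "!" to the hash
    if hash_field.startswith("*"):
        return "no-password"  # not a valid hash, so password login is impossible
    return "usable"

def aging_state(s, today=TODAY):
    """Simplified model of the checks login applies to the aging fields."""
    if s.expire is not None and today >= s.expire:
        return "account-expired"      # field 8, set with chage -E
    if s.lastchg == 0:
        return "must-change"          # chage -d 0: change required at next login
    if s.lastchg is None or s.max_age is None:
        return "ok"                   # aging disabled
    expires_on = s.lastchg + s.max_age
    if today >= expires_on:
        if s.inactive is not None and today >= expires_on + s.inactive:
            return "inactive-locked"  # grace period (field 7) used up
        return "password-expired"
    if s.warn is not None and today >= expires_on - s.warn:
        return "expiring-soon"
    return "ok"

def audit(passwd_text, shadow_text, today=TODAY):
    """Return (user, finding) pairs an administrator should review."""
    shadow, findings = parse_shadow(shadow_text), []
    for u in parse_passwd(passwd_text):
        if u.uid == 0 and u.name != "root":
            findings.append((u.name, "uid 0 (root-equivalent)"))
        if u.passwd != "x":
            findings.append((u.name, "hash stored in world-readable passwd"))
        s = shadow[u.name]  # KeyError here means passwd and shadow are out of sync
        if password_state(s.hash) == "empty" and u.shell not in ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false"):
            findings.append((u.name, "empty password with interactive shell"))
        state = aging_state(s, today)
        if state != "ok":
            findings.append((u.name, state))
    return findings
```

Running audit(PASSWD_SAMPLE, SHADOW_SAMPLE) flags the second UID 0 account, the interactive account with an empty password, and each account whose aging fields have passed their limits.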
Examples of how to use /etc/shadow:
1. /* ==================== */
To change a user's password, you can use the passwd command. For example, to change the password for the user "jdoe", you could run the following command:
$ sudo passwd jdoe
This command will prompt you to enter a new password for the user, which will then be encrypted and stored in the /etc/shadow file. 
2. /* ==================== */
To list all users whose accounts are locked, you can use the awk command to search for lines in the /etc/shadow file where the second field (the password) is set to *:
$ sudo awk -F: '$2=="*"{print $1}' /etc/shadow
3. /* ==================== */
To set a user's password to a specific value, you can use the passwd command followed by the username:
$ sudo passwd username
4. /* ==================== */
To disable password aging for a user, you can set the minimum and maximum password ages to zero using the chage command:
$ sudo chage -m 0 -M 0 username
5. /* ==================== */
To lock a user's account due to security concerns, you can use the usermod command to set the user's password to an invalid value:
$ sudo usermod -L username
This will prevent the user from logging in until their password is reset.
6. /* ==================== */
To view a specific user's password expiration information, you can use the chage command:
$ sudo chage -l username
This will display the user's password expiration information, including the last password change date, the minimum and maximum password ages, and the password warning and inactivity periods.
7. /* ==================== */
To force a user to change their password at their next login, you can use the chage command:
$ sudo chage -d 0 username
This will set the user's last password change date to the epoch (January 1, 1970), which will require the user to change their password the next time they log in.
8. /* ==================== */
To temporarily disable a user's account without deleting it, you can use the usermod command to set the user's password to an invalid value and set the password aging values to -1:
$ sudo usermod -L -e -1 username
This will prevent the user from logging in until their password is reset and remove the account's expiration date, allowing the account to be reactivated by resetting the password.
9. /* ==================== */
In a high-security environment, it may be necessary to enforce strict password policies to ensure that user passwords are sufficiently strong and changed regularly. This can be done using the passwd command with the -S option to check the password aging information for a given user:
$ sudo passwd -S username
This will display the password aging information for the specified user, including the number of days since the last password change, the minimum and maximum password ages, and the warning and inactivity periods.
10. /* ==================== */
In some cases, it may be necessary to temporarily disable a user's account due to suspicious activity or security concerns. This can be done using the usermod command to set the user's password to an invalid value and set the password aging values to -1:
$ sudo usermod -L -e -1 username
This will prevent the user from logging in until their password is reset and remove the account's expiration date, allowing the account to be reactivated by resetting the password.
11. /* ==================== */
In a situation where a user has forgotten their password and cannot log in, it may be necessary to reset their password manually. This can be done using the passwd command with the -f option to force a password change:
$ sudo passwd -f username
This will force the user to change their password the next time they log in, allowing them to regain access to their account.
Practice Assessment Exam
Answers below exam
1. /* ==================== */
A system administrator needs to add a new user called "jane" to the "sales" group. Which of the following commands should the administrator use?
A. usermod -p sales jane
B. usermod -g sales jane
C. useradd -G sales jane
D. useradd -p sales jane
2. /* ==================== */
A system administrator needs to change the ownership of a file called "data.txt" to a user called "john" and a group called "developers". Which of the following commands should the administrator use?
A. chown john:developers data.txt
B. chgrp john:developers data.txt
C. chmod 755 data.txt
D. chmod 640 data.txt
3. /* ==================== */
A system administrator needs to check the password aging information for a user called "bob". Which of the following commands should the administrator use?
A. passwd -S bob
B. passwd -l bob
C. passwd -f bob
D. passwd -u bob
4. /* ==================== */
A system administrator needs to temporarily disable the account for a user called "mary". Which of the following commands should the administrator use?
A. usermod -L -e -1 mary
B. usermod -l mary
C. userdel mary
D. passwd -d mary
5. /* ==================== */
A system administrator needs to create a new user account for a new employee named "Sam" who will be working in the accounting department. The user should have a home directory, an encrypted password, and should be a member of the "accounting" group. Which of the following commands should the administrator use?
A. useradd -g accounting -m -p mypassword Sam
B. useradd -G accounting -m -p mypassword Sam
C. useradd -g accounting -d /home/Sam -p mypassword Sam
D. useradd -G accounting -d /home/Sam -p mypassword Sam
6. /* ==================== */
A system administrator needs to grant a user called "jane" the ability to execute a script located in the /usr/local/bin directory. The script should not be readable or writable by the user. Which of the following commands should the administrator use?
A. chmod 711 /usr/local/bin/script.sh
B. chmod 700 /usr/local/bin/script.sh
C. chmod 555 /usr/local/bin/script.sh
D. chmod 755 /usr/local/bin/script.sh
7. /* ==================== */
A system administrator needs to delete a user called "tom" from the system, along with their home directory and all files owned by the user. Which of the following commands should the administrator use?
A. userdel -r tom
B. userdel -d /home/tom tom
C. userdel -f -r tom
D. userdel -r -f tom
8. /* ==================== */
A system administrator needs to give a user called "bob" the ability to read and write to a directory called "/data", but prevent them from deleting any files or directories within that directory. Which of the following commands should the administrator use?
A. chmod 640 /data
B. chmod 750 /data
C. chmod 755 /data
D. chmod 775 /data
9. /* ==================== */
A system administrator needs to change the password for a user called "joe" who is currently logged in to the system. Which of the following commands should the administrator use?
A. passwd joe
B. sudo passwd joe
C. chpasswd joe
D. sudo chpasswd joe
10. /* =================== */
A system administrator wants to grant a user named "jenny" read and write access to a file called "salesdata.txt", but also ensure that the file can only be edited by users in the "sales" group. Which of the following commands should the administrator use?
A. chmod 664 salesdata.txt
B. chgrp sales salesdata.txt && chmod 640 salesdata.txt
C. chown jenny:sales salesdata.txt && chmod 660 salesdata.txt
D. chown jenny:sales salesdata.txt && chmod 664 salesdata.txt
11. /* =================== */
A system administrator needs to give a group called "accounting" the ability to read, write, and execute files within a directory called "/financials", but prevent them from renaming or deleting any files within that directory. Which of the following commands should the administrator use?
A. chmod 750 /financials
B. chmod 755 /financials
C. chmod 770 /financials
D. chmod 775 /financials
12. /* =================== */
A system administrator wants to create a new user account called "sarah" and ensure that their home directory is set to "/home/users/sarah". Which of the following commands should the administrator use?
A. useradd sarah
B. useradd -d /home/users/sarah sarah
C. useradd -m -d /home/users/sarah sarah
D. useradd -M -d /home/users/sarah sarah
13. /* =================== */
You have a user account "jdoe" that needs to be temporarily disabled. Which command can you use to achieve this?
    A. passwd -l jdoe
    B. usermod -s /bin/false jdoe
    C. usermod -L jdoe
    D. chsh -s /bin/false jdoe
14. /* =================== */
You need to change the primary group of a user account "jsmith" to "sales". Which command can you use to achieve this?
    A. usermod -G sales jsmith
    B. usermod -aG sales jsmith
    C. usermod -g sales jsmith
    D. usermod -a -G sales jsmith
15. /* =================== */
You want to create a new user account "klee" with the home directory "/home/klee" and the default shell "/bin/bash". Which command can you use to achieve this?
    A. adduser klee -d /home/klee -s /bin/bash
    B. useradd -d /home/klee -s /bin/bash klee
    C. adduser klee -m -s /bin/bash
    D. useradd -m -d /home/klee -s /bin/bash klee
16. /* =================== */
You need to grant user "jdoe" the ability to run the "mount" command as root. Which command can you use to achieve this?
    A. usermod -aG sudo jdoe
    B. usermod -aG wheel jdoe
    C. visudo -f /etc/sudoers
    D. echo "jdoe ALL=(ALL) /bin/mount" >> /etc/sudoers
17. /* =================== */
You are a system administrator managing a server with multiple users. One of the users is unable to login to their account and receives an error message "User account has expired". Upon investigating, you find that the account's expiry date has passed. What could be the reason for this issue and how can you resolve it?
A) The user's account was manually expired by the administrator. To resolve this issue, the administrator can update the expiry date for the user's account in the /etc/shadow file using the chage command.
B) The user's account was set to expire automatically. To resolve this issue, the administrator can update the expiry date for the user's account in the /etc/shadow file using the chage command.
C) The user's account was locked due to failed login attempts. To resolve this issue, the administrator can unlock the user's account using the passwd command.
18. /* =================== */
You are a system administrator managing a server with multiple users. One of the users reports that they are unable to change their password. Upon investigation, you find that the user's password is not meeting the password policy requirements. What could be the reason for this issue and how can you resolve it?
A) The password policy requirements are set by the administrator. To resolve this issue, the administrator can modify the password policy in the /etc/pam.d/common-password file.
B) The password policy requirements are set by the user. To resolve this issue, the user can modify their password to meet the password policy requirements.
C) The password policy requirements are set by the system. To resolve this issue, the administrator can modify the password policy in the /etc/login.defs file.
ANSWERS
1. /* ==================== */
Answer: C. useradd -G sales jane
Explanation: To add a user to a group, the useradd command should be used with the -G option followed by the group name. In this scenario, the correct command is useradd -G sales jane.
Option A is incorrect because the -p option is used to set the encrypted password for the user. Option B is incorrect because the -g option is used to set the user's primary group, not additional groups. Option D is incorrect because the -p option is used to set the encrypted password for the user.
2. /* ==================== */
Answer: A. chown john:developers data.txt
Explanation: To change the ownership of a file, the chown command should be used with the format user:group file. In this scenario, the correct command is chown john:developers data.txt.
Option B is incorrect because the chgrp command is used to change the group ownership of a file, not the user ownership. Option C is incorrect because chmod 755 changes the file permissions, not the ownership. Option D is incorrect because chmod 640 changes the file permissions, not the ownership.
3. /* ==================== */
Answer: A. passwd -S bob
Explanation: To check the password aging information for a user, the passwd command should be used with the -S option followed by the username. In this scenario, the correct command is passwd -S bob.
Option B is incorrect because the -l option is used to lock a user's account. Option C is incorrect because the -f option is used to force a password change. Option D is incorrect because the -u option is used to unlock a user's account.
4. /* ==================== */
Answer: A. usermod -L -e -1 mary
Explanation: To temporarily disable a user account, the usermod command should be used with the -L option to lock the account and the -e -1 option to set the account expiration date to a past date. In this scenario, the correct command is usermod -L -e -1 mary.
Option B is incorrect because usermod -l is used to change the username.
5. /* ==================== */
Answer: D. useradd -G accounting -d /home/Sam -p mypassword Sam
Explanation: To create a new user account with a home directory, an encrypted password, and membership in a group, the useradd command should be used with the -G option followed by the group name, the -d option followed by the home directory path, and the -p option followed by the encrypted password. In this scenario, the correct command is useradd -G accounting -d /home/Sam -p mypassword Sam.
Option A is incorrect because the -m option is used to create a home directory for the user, not the -g option. Option B is incorrect because the -G option is used to add the user to a supplementary group, not the primary group. Option C is incorrect because the -m option is missing to create a home directory for the user.
6. /* ==================== */
Answer: D. chmod 755 /usr/local/bin/script.sh
Explanation: To grant a user the ability to execute a script, the chmod command should be used with the appropriate file permissions. In this scenario, the correct command is chmod 755 /usr/local/bin/script.sh, which sets the file permissions to read, write, and execute for the owner and read and execute for the group and others.
Option A is incorrect because it only allows execute permission for the owner, not the group and others. Option B is incorrect because it only allows read, write, and execute permission for the owner, which is not necessary in this scenario. Option C is incorrect because it allows read and execute permission for all users, including the user "jane", which violates the requirement that the script should not be readable by the user.
7. /* ==================== */
Answer: C. userdel -f -r tom
Explanation: To delete a user account along with their home directory and all files owned by the user, the userdel command should be used with the -f option to force the deletion of the user and their files, and the -r option to remove the home directory and its contents. In this scenario, the correct command is userdel -f -r tom.
Option A is incorrect because it only removes the user account, not the home directory or files owned by the user. Option B is incorrect because it only removes the user's home directory, not the user account or other files owned by the user. Option D is incorrect because the -r option should come before the -f option.
8. /* ==================== */
Answer: B. chmod 750 /data
Explanation: To give a user the ability to read and write to a directory, but prevent them from deleting any files or directories within that directory, the chmod command should be used with the appropriate file permissions. In this scenario, the correct command is chmod 750 /data, which sets the file permissions to read, write, and execute for the owner, read and execute for the group, and no permissions for others.
Option A is incorrect because it only allows read and write permission for the owner, not execute permission, which is necessary for accessing the directory. Option C is incorrect because it allows read and execute permission for all users, including others, which violates the requirement that the user should not be able to delete any files or directories within the directory. Option D is incorrect because it allows write permission for the group and others, which also violates the requirement.
9. /* ==================== */
Answer: A. passwd joe
Explanation: To change the password for a user, the passwd command should be used with the username as an argument. In this scenario, the correct command is passwd joe.
Option B is incorrect because it uses the sudo command, which is not necessary in this scenario unless the administrator is not currently logged in as a user with sufficient privileges to change passwords. Option C is incorrect because it uses the chpasswd command, which is used to change passwords in bulk for multiple users through a script or file, not for a single user. Option D is incorrect for the same reason as option B.
10. /* ==================== */
Answer: C. chown jenny:sales salesdata.txt && chmod 660 salesdata.txt
Explanation: To grant a user read and write access to a file and ensure that it can only be edited by members of a specific group, the chown and chmod commands can be used. In this scenario, the correct command is chown jenny:sales salesdata.txt && chmod 660 salesdata.txt, which changes the ownership of the file to user "jenny" and group "sales", and sets the file permissions to read and write for the owner and group, but no permissions for others.
Option A is incorrect because it does not set the file group correctly. Option B is incorrect because it only changes the group ownership of the file and does not grant read and write access to the user. Option D is incorrect because it grants read and write access to all users, including others who are not in the "sales" group.
11. /* =================== */
Answer: C. chmod 770 /financials
Explanation: To give a group read, write, and execute permissions to a directory, but prevent them from renaming or deleting any files within that directory, the chmod command should be used with the appropriate file permissions. In this scenario, the correct command is chmod 770 /financials, which sets the file permissions to read, write, and execute for the owner and group, but no permissions for others.
Option A is incorrect because it only allows read, write, and execute permission for the owner and no permissions for the group. Option B is incorrect because it allows read, write, and execute permission for all users, including others, which violates the requirement that the group should not be able to rename or delete files. Option D is incorrect because it allows write permission for others, which also violates the requirement.
12. /* =================== */
Answer: C. useradd -m -d /home/users/sarah sarah
Explanation: To create a new user account and set their home directory, the useradd command should be used with the appropriate options. In this scenario, the correct command is `useradd
13. /* =================== */
14. /* =================== */
Answer: C. usermod -g sales jsmith will change the primary group of user "jsmith" to "sales". Option A will add user "jsmith" to the "sales" group, option B will add user "jsmith" to the "sales" group as a secondary group, and option D will add user "jsmith" to the "sales" group without removing any existing group memberships.
15. /* =================== */
16. /* =================== */
17. /* =================== */
Answer: B) The user's account was set to expire automatically. To resolve this issue, the administrator can update the expiry date for the user's account in the /etc/shadow file using the chage command.
Explanation: The error message "User account has expired" indicates that the user's account has reached its expiry date. This could be due to either a manual expiry set by the administrator or an automatic expiry set when the user's account was created. Option A is partially correct in identifying that the administrator can update the expiry date in the /etc/shadow file, but it does not explain the reason for the issue. Option C is incorrect because a locked account would result in a different error message and requires a different resolution.
Option B is the correct answer because it explains that the user's account was set to expire automatically and provides the solution to update the expiry date in the /etc/shadow file using the chage command. The chage command allows the administrator to modify the password expiry and aging information for a user's account.
It is important to note that the administrator should also investigate why the account was set to expire and ensure that the expiry date is appropriate for the user's access needs.
18. /* =================== */
Answer: C) The password policy requirements are set by the system. To resolve this issue, the administrator can modify the password policy in the /etc/login.defs file.
Explanation: In Linux systems, password policy requirements are set by the system administrator and defined in the /etc/login.defs file. This file contains default configuration settings for user accounts, including password policy settings such as minimum and maximum password length, password expiration time, and password complexity requirements.
Option A is incorrect because the /etc/pam.d/common-password file is used to configure PAM (Pluggable Authentication Modules) settings, not password policy requirements. Although it is possible to configure password policy settings using PAM, it is not the recommended approach as it can be complex and may result in inconsistent password policies across different authentication methods.
Option B is incorrect because users cannot set password policy requirements themselves. They can only choose a password that meets the existing policy requirements.
Option C is the correct answer because the system administrator can modify the password policy settings in the /etc/login.defs file. The changes made in this file will apply to all users on the system. To resolve the issue, the administrator can update the password policy requirements in the /etc/login.defs file to allow the user to change their password accordingly.
It is worth noting that some Linux distributions may use different methods to define password policy requirements, such as the use of tools like "pam_cracklib" or "pam_passwdqc". In such cases, the method of modifying password policy requirements may differ.