passwd(4)							   File Formats 							 passwd(4)

NAME

       passwd - password file

SYNOPSIS

       /etc/passwd

DESCRIPTION

       The file /etc/passwd is a local source of information about users' accounts. The password file can be used in conjunction with other naming
       sources, such as the NIS maps passwd.byname and passwd.bygid, data from the NIS+ passwd table, or password data stored on an  LDAP  server.
       Programs use the getpwnam(3C) routines to access this information.

       Each passwd entry is a single line of the form:

	 username:password:uid:
	 gid:gcos-field:home-dir:
	 login-shell

       where

       username       is the user's login name.

		      The  login  (login) and role (role) fields accept a string of no more than eight bytes consisting of characters from the set
		      of alphabetic characters, numeric characters, period (.), underscore (_), and hyphen (-).  The  first  character	should	be
		      alphabetic  and  the  field  should  contain at least one lower case alphabetic character. A warning message is displayed if
		      these restrictions are not met.

		      The login and role fields must contain at least one character and must not contain a colon (:) or a newline (
).

       password       is an empty field. The encrypted password for the user is in the corresponding entry in  the  /etc/shadow  file.	pwconv(1M)
		      relies  on a special value of 'x' in the password field of /etc/passwd. If this value of 'x' exists in the password field of
		      /etc/passwd, this indicates that the password for the user is already in /etc/shadow and should not be modified.

       uid	      is the user's unique numerical ID for the system.

       gid	      is the unique numerical ID of the group that the user belongs to.

       gcos-field     is the user's real name, along with information to pass along in a mail-message heading. (It is called  the  gcos-field  for
		      historical  reasons.) An ``&'' (ampersand) in this field stands for the login name (in cases where the login name appears in
		      a user's real name).

       home-dir       is the pathname to the directory in which the user is initially positioned upon logging in.

       login-shell    is the user's initial shell program. If this field is empty, the default shell is /usr/bin/sh.

       The maximum value of the uid and gid fields is 2147483647. To maximize interoperability and compatibility, administrators  are  recommended
       to  assign users a range of UIDs and GIDs below 60000 where possible. (UIDs from 0-99 inclusive are reserved by the operating system vendor
       for use in future applications. Their use by end system users or vendors of layered products  is  not  supported  and  may  cause  security
       related issues with future applications.)

       The  password  file is an ASCII file that resides in the /etc directory. Because the encrypted passwords on a secure system are always kept
       in the shadow file, /etc/passwd has general read permission on all systems and can be used by routines that map between numerical user  IDs
       and user names.

       Blank lines are treated as malformed entries in the passwd file and cause consumers of the file , such as getpwnam(3C), to fail.

       The  password file can contain entries beginning with a `+' (plus sign) or '-' (minus sign) to selectively incorporate entries from another
       naming service source, such as NIS, NIS+, or LDAP.

       A line beginning with a '+' means to incorporate entries from the naming service source. There are three styles of the '+' entries in  this
       file.  A single + means to insert all the entries from the alternate naming service source at that point, while a +name means to insert the
       specific entry, if one exists, from the naming service source. A +@netgroup means to insert the entries for  all  members  of  the  network
       group netgroup from the alternate naming service. If a +name entry has a non-null password, gcos, home-dir, or login-shell field, the value
       of that field overrides what is contained in the alternate naming service. The uid and gid fields cannot be overridden.

       A line beginning with a `-' means to disallow entries from the alternate naming service. There are two styles of `-` entries in this  file.
       -name  means  to  disallow any subsequent entries (if any) for name (in this file or in a naming service), and -@netgroup means to disallow
       any subsequent entries for all members of the network group netgroup.

       This is also supported by specifying ``passwd : compat'' in nsswitch.conf(4).  The  "compat"  source  might  not  be  supported	in  future
       releases.  The preferred sources are files followed by the identifier of a name service, such as nis or ldap. This has the effect of incor-
       porating the entire contents of the naming service's passwd database or password-related information after the passwd file.

       Note that in compat mode, for every /etc/passwd entry, there must be a corresponding entry in the /etc/shadow file.

       Appropriate precautions must be taken to lock the /etc/passwd file against simultaneous changes if it is to be edited with a  text  editor;
       vipw(1B) does the necessary locking.

EXAMPLES

       Example 1 Sample passwd File

       The following is a sample passwd file:

	 root:x:0:1:Super-User:/:/sbin/sh
	 fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh

       and the sample password entry from nsswitch.conf:

	 passwd: files ldap

       In  this  example, there are specific entries for users root and fred to assure that they can login even when the system is running single-
       user. In addition, anyone whose password information is stored on an LDAP server will be able to login with their  usual  password,  shell,
       and home directory.

       If the password file is:

	 root:x:0:1:Super-User:/:/sbin/sh
	 fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
	 +

       and the password entry in nsswitch.conf is:

	 passwd: compat

       then  all the entries listed in the NIS passwd.byuid and passwd.byname maps will be effectively incorporated after the entries for root and
       fred. If the password entry in nsswitch.conf is:

	 passwd_compat: ldap
	 passwd: compat

       then all password-related entries stored on the LDAP server will be incorporated after the entries for root and fred.

       The following is a sample passwd file when shadow does not exist:

	 root:q.mJzTnu8icf.:0:1:Super-User:/:/sbin/sh
	 fred:6k/7KCFRPNVXg:508:10:& Fredericks:/usr2/fred:/bin/csh
	 +john:
	 +@documentation:no-login:
	 +::::Guest

       The following is a sample passwd file when shadow does exist:

	 root:##root:0:1:Super-User:/:/sbin/sh
	 fred:##fred:508:10:& Fredericks:/usr2/fred:/bin/csh
	 +john:
	 +@documentation:no-login:
	 +::::Guest

       In this example, there are specific entries for users root and fred, to assure that they can log in even when the system is running  stand-
       alone. The user john will have his password entry in the naming service source incorporated without change, anyone in the netgroup documen-
       tation will have their password field disabled, and anyone else will be able to log in with their usual password, shell,  and  home  direc-
       tory, but with a gcos field of Guest

FILES

       /etc/nsswitch.conf

       /etc/passwd

       /etc/shadow

SEE ALSO

       chgrp(1),  chown(1),  finger(1),  groups(1),  login(1),	newgrp(1),  nispasswd(1),  passwd(1),  sh(1), sort(1), domainname(1M), getent(1M),
       in.ftpd(1M), passmgmt(1M), pwck(1M), pwconv(1M), su(1M), useradd(1M), userdel(1M),  usermod(1M),  a64l(3C),  crypt(3C),	getpw(3C),  getpw-
       nam(3C), getspnam(3C), putpwent(3C), group(4), hosts.equiv(4), nsswitch.conf(4), shadow(4), environ(5), unistd.h(3HEAD)

       System Administration Guide: Basic Administration

SunOS 5.11							    28 Jul 2004 							 passwd(4)