Login Process & Security of /etc/passwd and /etc/shadow

Similar Messages

• How to recover /etc/passwd and /etc/shadow files

  hi
  Unfortunetly I have a big problem is that someone crash the /etc/passwd and /etc/shadow files from my running server, and my all users are not to able to login. so please can any one help me how to recover this files or any ideas for make these files...
  thanks
  Mohammed Tanvir

  Hello
  It is not working.Pla help me this bit critical
  Step followed
  01.Boot from the cdrom and mount root partision.
  02.Deleted the exsisting file /etc/passwd and /etc/shadow
  03.copy the opasswd and oshadow to the etc directory as passwd and shadow
  04.Umount the root partision
  05.Reeboot the system
  thanks
  Roshantha

• [SOLVED] Today's update of /etc/group, /etc/passwd and /etc/gshadow

  Hello,
  During the regular updates I received an update of /etc/groups. I wonder what I should do here, as there are some differences between the old file and the pacnew one. I suppose that when I use the command to add my user to a group, it gets written into this file. So, just recklessly moving the pacnew file in the place of the old one, will mess up all my groups, won't it?
  Then what should I do? All the entries in the pacnew file are also present in the old one, so I guess I could just delete the pacnew one and keep the old one. Am I right?
  EDIT: The same goes to /etc/passwd and /etc/gshadow.
  Last edited by Unia (2012-10-06 09:51:23)

  teateawhy wrote:
  If you had the uuid user before like me the uuid line in your own files is different from the pacnew file. You have to delete the uuid line near the bottom in your old file. Then insert the new uuid entry including the new number in the place near the top suggested by the pacnew file. Keep the other lines untouched, then save your changes and delete the pacnew files.
  Edit: On a system that has actually been modified from a default install the new files will for sure be different to the old ones.
  Thanks, teateawhy!  I currently have this listed in /etc/passwd:
  uuidd:x:998:998::/:/sbin/nologin
  And this is in the .pacnew file:
  uuidd:x:68:68:uuidd:/:/sbin/nologin
  So, I can just copy the entry from the .pacnew file, overwriting the old entry, right?
  What I don't understand is how the two numbers 998 representing the UID and GID can suddenly change to 68.  Shouldn't they have to correspond with some other reference or list of users/groups...?
  I'm sure it's fine to just replace the entry as you suggested, but I wondered if there was a way to double-check which uid/gid should be used?  It's not that I don't trust you, but I don't fully understand how these group/passwd files work and I'm trying to get my head round it all.
  Cheers,
  esuhl

• [SOLVED] /etc/passwd and /etc/shadow -- pwck shows missing groups

  I recently found out about the pwck and grpck commands to check for errors/inconsistencies in the passwd, group, shadow and gshadow files...  grpck returns no errors, but pwck returns this:
  user 'avahi': no group 84
  user 'postgres': no group 88
  user 'ntp': no group 87
  pwck: no changes
  These are the relevant lines from /etc/passwd:
  avahi:x:84:84:Avahi daemon:/:/bin/false
  postgres:x:88:88:PostgreSQL user:/var/lib/postgres:/bin/bash
  ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
  There are lines for those users in /etc/shadow... but...  I'm not sure what I need to do to fix the problem.
  I think I understand enough, now, to maintain the files in future, but would anyone know I can fix this?
  Last edited by esuhl (2012-10-08 20:22:05)

  2ManyDogs wrote:I don't know how to fix the errors, but I'm really curious about why you decided to run those commands. Were you having a problem you thought might be ralated to groups and/or passwords? What are groups 84, 97, and 88?
  Ha!  Well... when I started using Arch I really didn't know much about Linux and I an update providing some .pacnew files (/etc/group, gshadow, passwd, shadow) and... well...  I don't know what I did, but I think it was probably not what I should have done(!).  I used grpck in the past and got no errors and it suddenly occurred to me today that there should be an equivalent for checking /etc/passwd... so that's why I just ran the commands now.  Everything seems to be working, however...
  I don't have an entry for groups 84, 87 and 88 in my /etc/group file...  Hmmm...
  I tried running this command to find any files associated with that group, but only get the following:
  [root@i7pc tim]# find / -gid 88
  find: `/run/user/1000/gvfs': Permission denied
  find: `/proc/1806/task/1806/fd/5': No such file or directory
  find: `/proc/1806/task/1806/fdinfo/5': No such file or directory
  find: `/proc/1806/fd/5': No such file or directory
  find: `/proc/1806/fdinfo/5': No such file or directory
  I get similar output for the other groups, so... can I just delete them from /etc/passwd and /etc/shadow?
  I notice I have the avahi package installed, however, and group 84 relates to user 'avahi'... so...  surely I need the avahi user...?
  Last edited by esuhl (2012-10-07 23:09:30)

• Migration form /etc/passwd and /etc/shadow to iPlanet Directory !

  Hi,
  we try to migrate from files (shadow passwd on Solaris) to LDAP- Server from iPlanet. So far so good. Our problem is now to migrate users, which have no password (NP in shadow) or users with an locked account (*LK* in shadow). Is there an attribute or flag, e.g. in the class shadowaccout which describes this issue.

  Hi Alois,
  I assume that your question is about preventing locked or no-password users from logging into the directory.
  The easiest would be to inactivate both no-password and locked users. I would
  1) create one role for both no-password and locked users, then
  2) assign the corresponding role to each user who is either locked or has no password
  3) inactivate both roles.
  By inactivating a role, all users possessing that particular role become inactivated. Inactivated users can not login to the directory.
  I would recommend you to read the 'Advanced Entry Management' chapter of the administrator's guide.
  I hope this helps.
  Bertold

• /etc/group and /etc/passwd corrupted

  My /etc/group and /etc/passwd (and possibly others) are corrupted (my silly error handling pacnew files). I tried restoring the backups (group- and similar) and also ran grpconv, pwdconv,, pwck without fixing things.  I've edited the files, using those in another machine as a template but no luck.
  Various commands (e.g. ssh) fail with the message:
                                   No user exists for uid 1000
  Before I give up and reinstall, is there any way I can restore things to how they should be?

  Thanks for replies. I can't recreate my user because it's already there. I can log in as ac without difficulty and do most things - just a few (mportant) fail.
  I don't understand why it keeps saying the user ac is uid 1000. After reading the wikis I think my /etc/group and /etc/passwd are correct. /etc/passwd has:
              ac:x:1000:100::/home/ac:/bin/bash
  and /etc/group has:
             users:x:100:ac
             ac:x:100:ac
  I'm not sure the last line should be there, but removing it doesn't help. The entries on a second machine are similar.
  I'll sleep on it to see if I think of something else to try in the morning, otherwise I'll have to reinstall tomorrow.

• /etc/hosts and /etc/inet/hosts

  we're running Sol10x86 11-06 and notice that there's no link between /etc/hosts and /etc/inet/hosts as there has been on some previous versions. /etc/hosts is the only file that contains all of the info for our IPMP configuration, and that seems to be enough during reboot.
  what looks at /etc/inet/hosts? any danger in making /etc/inet/hosts a link to /etc/hosts?

  I don't have a copy of 11/06, but I've never seen a default installation of Solaris without that link.
  It's certainly there in 08/07. Is there any chance that whatever process is populating /etc/hosts on your machines is breaking that link?
  Darren

• [Solved] Questions about /etc/group and /etc/gshadow

  This morning, package filesystem was upgraded to 2015.02-1 and pacnew files were created for /etc/group and /etc/gshadow. I ran diff against my current files, and the differences seem very minor, to me. I need some guidance to understand whether I should implement the pacnew changes.
  The only significant difference I see in the group file is that in my original version, my username is added to the wheel group. This seems correct, to me.
  For gshadow, there is the same difference for wheel. However, there are several entries where my original entry contains an exclamation point, but the new version does not. For example:
  < proc:!::
  > proc:::
  If I run man /etc/gshadow, it does not give me what I understand as a man page, and gives me what appears to be a listing of the stuff in my /etc/gshadow file, instead. Which does not help me.
  So, like I say, I need some guidance on dealing with these pacnew files.
  Tim
  PS - I now see that "man gshadow" gives me an actual man page. Sorry. I am currently studying it.
  Last edited by ratcheer (2015-02-24 21:37:52)

  After the update to filesystem 2015.02-1 some voices in /etc/gshadow were changed (in the pacnew file) from
  systemd-journal-gateway:!::
  systemd-timesync:!::
  systemd-network:!::
  systemd-bus-proxy:!::
  systemd-resolve:!::
  to
  systemd-journal-gateway:::
  systemd-timesync:::
  systemd-network:::
  systemd-bus-proxy:::
  systemd-resolve:::
  What's the change? Before they had a locked password (the ! sign) and now they haven't?

• Systemd entries in /etc/passwd and others...

  Hi! How do I find out what are correct entries for systemd in /etc/passwd, /etc/group, /etc/shadow and others in current system? What if I screw them up during system update and maybe lose some of them or will end up having those unneeded?...

  I don't understand what you want. A backup maybe? Do you have any pacnew files?

• Socket functions and /etc/hosts and /etc/servi​ces

  I have verified that I con open a socket with either the host name or the IP address.
  But can I use either the port number or the service name (from /etc/services)?
  It allows me to use a string constant instead of a numeric, but it doesn't seem to work.

  The string form for the port number is specifically meant to use the NI Service Locator service and nothing else. It does not link into /etc/services or anything like that at all but is a proprietary service locator solution from NI. There exist LabVIEW VIs that one can use to both query this service as well as register new services. It can be found at vi.lib/Utility/ServLocInterface.llb. The actual service used to be programmed in LabVIEW around LabVIEW 7.0 but quickly was moved to a real system service at least on Windows. Not sure if other platforms still use the VI based service implementation or have a native service deamon too, for this.
  Theoretically it would be possible to create some translation program in LabVIEW that reads /etc/services and then registers them through the service locator API but I'm not sure I see a real benefit in this.
  Rolf Kalbermatter
  CIT Engineering Netherlands
  a division of Test & Measurement Solutions

• Deleted my /etc/groups and /etc/gshadow and now no mouse and keyboard.

  Hey.
  So a few days ago I updated my system and did something we all know to avoid. I accidently moved the empty .pacnew files over my groups and gshadow files so my entire group layout is out of the window. I am an idiot I know. My mom told me that when I was six. So I am now looking at fixing my system. My biggest problem is that now xorg runs but the keyboard and mouse don't respownd. This isn't a USB problem since I tried using non USB keyboard. In runlevel 3 keyboard works fine.
  Xorg.log says something about input bring used by someone else  so my guess based on the above is that what I need to do is restore my old groups since its probably a group ownership problem. My question is if anyone knows which groups should I restore and how does one go about repairing the Damage? I would be thankfully to anyone who would take the time saving me from my own stupidity.
  Last edited by Greenstuff (2012-08-22 08:03:26)

  This might be the solution. Perhaps I should post my /etc/group file and you can fix yours? I don't know, did you ensure that all your groups have the correct GID?

• User passwd and profiles during migration

  Hi
  I am migrating my system to another hardware. For users to access the new server, should I simply add /etc/passwd and /etc/shadow in the new system as well as creating their home directory?
  thx

  Hi Charles,
  >>I am very nervous about doing the uninstall and finding my user's client profile is inaccessible and all the settings will need to be redone.
  As far as I know, as long as we follow the right guidance to do the migration, this won’t happen.
  The following Microsoft official article provides step-to-step guidance for migrating from previous versions to Windows Server 2012 R2 Essentials.
  Migrate from Previous Versions to Windows Server 2012 R2 Essentials or Windows Server Essentials Experience
  http://technet.microsoft.com/en-us/library/dn408633.aspx
  Best regards,
  Frank Shen

• NIS/YP and /etc/master.passwd

  I'm trying to get a bundle of servers (10.4.10 Server) configured to use NIS for their local authentication. This is required in order for myself and our other unix admins to gain access to the host in a standard way.
  I can get the machine to authenticate of NIS (using the Directory Services app), however it then lets ALL users log in.
  I need to make the standard +@netgroup:::::: directives work in /etc/passwd or /etc/master.passwd - however it appears that the OS is completely ignoring these files - despite having ticked the box for "Use BSD local files (/etc) for authentication" in the NIS configuration window.
  I've tried restricting access with various combinations of the BSD Local Files and NIS Domain check boxes being checked.
  If "Use NIS domain for authentication" is checked, then all users can log in (via ssh). If not, no users can. So I figure I should not use NIS for auth, but instead use local files and then specify that certain netgroups are allowed in. This also does not work.
  On all my other unix hosts, we use something like this in /etc/passwd:
  +sysadminnetgroup::::::
  +::::::/bin/false
  Thus creating the effect of allowing all our sys admins, and denying all other users. This works brilliantly, since we do want some users to access certain hosts (i.e. a couple of public hosts for the students programming in C) - but don't want them accessing everything. I can't just set their shell in NIS to /bin/false for this reason.
  In short, how can I make my macs auth from NIS, but then restrict which users can actually log in?

  Applying that same thing to the rest of the commands, and I finally got it done. Thanks so much.
  It's weird that whatever she did to make it so this had to be done was fixed by just doing these commands.

• /etc/auto_home and Lion

  Hi there,
  at work we support Mac clients autheticating against a RedHat Directory Server. Network users get their home
  directories from the LDAP automout maps.
  In  them Mac client, running OS X prior to Lion (leopard and snow leopard) I am able to accomplish it by editing: Login Options provide a network Accout server (my Linux LDAP server) and then from the System prederence GUI navigate to Login Options network account server and set 'RFC 2307' for LDAP Mappings.
  When propted for Base Suffix I specify:
  o=beo.al.gov,dc=beo,dc=al,dc=gov.
  The above allows me to authenticate MAC users. They are able to find an automounted home in the MAC when the /etc/auto_master, /etc/auto_home
  and /etc/autofs.conf look like this:
  % cat /etc/auto_master
           # Automounter master map
           +auto_master            # Use directory service
           /net                    -hosts
           -nobrowse,resvport,nosuid
           /home                   auto_home       -nobrowse,resvport
           /Network/Servers        -fstab
           /-                      -static
  % cat /etc/autofs.conf
    [snip]
             # Mount options.
             # A string containing a comma-separated list of mount
             # options
             # that will be applied, by default, to all mounts done by
             # automountd(8).
             # The options for a particular mount can override these
             # options.
             # This controls the same default mount options that the
             # -o option to
             # automountd(8) controls.
             AUTOMOUNTD_MNTOPTS=nosuid,nodev,resvport
             [snip]
  and
  % cat /etc/auto_home
            # Automounter map for /home
            +auto_home      # Use directory service
             In Mac clients running Lion 10.7.3 I tried the above changes but my users don't find their home when they login.  In addition to the modification of /et
  c/autofs.conf and /etc/auto_master in order for my user to see their home directories I have also to add a complete list of all the mount points in the mac-lion's: /et
  c/auto_home like this:
           # Automounter map for /home
           +auto_home      # Use directory service
           [snip]
           db25_hera_public
           hera:/export/db25/hera_public
           db25_user_office
           hera:/export/db25/user_office
           Public                          odysseynfs:/Public
           Public2                         odysseynfs:/Public2
           ajax                           users.xr:/export/ajax
           zeus
           zeus.as4.al.gov:/export/zeus
           zeus4
           zeus.as4.al.gov:/export/zeus4
           ogmgr                          ulisses:/ogmgr
           achilles
           achillesnfs48:/export/achilles
           .etc...
           [snip]
  It appears thus that the automounter behaves differently in Lion  compared to snow-leopard or ealier versions of the Mac OS X.  How do I make it behave more  like snow-leopard so that I don' have to carry around the above /etc/auto_home large file when I upgrade my mac clients? 
  thanks in advance for your help!   __ giampiero

  Hi Felbit,
  I searched in the discussions about /etc/auto_home and Lion but came out empty
  A friend opened a call with Apple about this same issue but got no reply...
  I think that we are on the 'bleading-edge' here.
  I though that my solution would help
  i.e.
  1) Login Options:  specify Your  Network Account server (I have a Linux LDAP server) from the System preference GUI
  then: navigate to Login Options network account server and set 'RFC 2307' for LDAP Mappings.
  When prompted for Base Suffix I specify:
  o=beo.al.gov,dc=beo,dc=al,dc=gov.
  2) edit /etc/auto_master to read:
           # Automounter master map
           +auto_master            # Use directory service
           /net                    -hosts
           -nobrowse,resvport,nosuid
           /home                   auto_home       -nobrowse,resvport
           /Network/Servers        -fstab
           /-                      -static
    and /etc/
  autofs.conf
    [snip]
             # Mount options.
             # A string containing a comma-separated list of mount
             # options
             # that will be applied, by default, to all mounts done by
             # automountd(8).
             # The options for a particular mount can override these
             # options.
             # This controls the same default mount options that the
             # -o option to
             # automountd(8) controls.
             AUTOMOUNTD_MNTOPTS=nosuid,nodev,resvport
             [snip]
  3) append all the mounts you need in your /etc/auto_home file:
  like this:
           # Automounter map for /home
           +auto_home      # Use directory service
           db25_hera_public
           hera:/export/db25/hera_public
           db25_user_office
           hera:/export/db25/user_office
           Public                          odysseynfs:/Public
           Public2                         odysseynfs:/Public2
           ajax                           users.xr:/export/ajax
  (...) etc..
  is the above not working from you?
  It should work for Lion and it works also on leopard and snow leopard as well.
  Is step 3  giving you problems?
  Did you also try mounting manually your filesystem like this:
  sudo mount achillesnfs48:/export/achilles /mnt

• New /etc/passwd.shadow

  I have seen that with an upgrade I have an /etc/shadow.pacnew From what I know it is only a shadow copy of /etc/passwd without the password and can simply be generated by pwconv (similarly /etc/group.shadow can be generated by grpconv). So my question is why archlinux proposes me /etc/shadow.pacnew? What I did is simply fix the new /etc/passwd that were also proposed, rm the /etc/shadow.pacnew and run pwconv. If this is really the good thing to do, /etc/shadow.pacnew shouldn't have been proposed.

  olive wrote:I think most of you do not understand my point. I do not understand why /etc/shadow has to be shipped in the first place. It would be best to just ship /etc/passwd and to generate /etc/shadow automatically by pwconv. There are a lot of such files that can be automatically generated and such files are in general not included in the package.
  I ran pwconv and now I have two entries for dbus in /etc/shadow:
  I manually megerd the shadow.pacnew and had en entry for dbus
  dbus:x:14871::::::
  after running pwconv I have two entries for dbus:
  dbus:x:14871::::::
  and
  dbus:x:15686:0:99999:7:::
  I assume there arnt ment to be two?
  *EDIT
  Seems either works? I dont get any problems either way (I dont think)
  But, I think that:
  dbus:x:15686:0:99999:7:::
  was the original entry for dbus before the pacnew anyway?
  Last edited by jrussell (2012-12-12 00:33:27)