Where User Account and Group Information Is Stored

Depending on your site policy, user account and group information can be stored in your local system's /etc files or in a name or directory service as follows:

Note

To avoid confusion, the location of the user account and group information is generically referred to as a file rather than as a database, table, or map.

Most user account information is stored in the passwd file. Password information is stored as follows:

Password aging is available when you are using NIS+ or LDAP, but not NIS.

Group information is stored in the group file for NIS, NIS+ and files. For LDAP, group information is stored in the group container.

Fields in the passwd File

The fields in the passwd file are separated by colons and contain the following information:

username:password:uid:gid:comment:home-directory:login-shell

For example:

kryten:x:101:100:Kryten Series 4000 Mechanoid:/export/home/kryten:/bin/csh

The following table describes the passwd file fields.

Table 4.5. Fields in the passwd File

Field Name

Description

username

Contains the user or login name. User names should be unique and consist of 1-8 letters (A-Z, a-z) and numerals (0-9). The first character must be a letter, and at least one character must be a lowercase letter.

password

Contains an x, a placeholder for the encrypted password. The encrypted password itself is stored in the shadow file. The passwd file must stay readable by every user and process that needs to map UIDs to names, whereas the shadow file is readable only by root, so keeping the hash there denies unprivileged users the material for an offline guessing attack. A hash, or an empty field, appearing here instead of x is a misconfiguration worth flagging.

uid

Contains a user identification (UID) number that identifies the user to the system. UID numbers for regular users should range from 100 to 60000; the default passwd file uses numbers below 100 for system accounts, and 60001, 60002 and 65534 are reserved for nobody, noaccess and nobody4. All UID numbers must be unique: the kernel identifies a process and the files it owns by UID, not by name, so two entries that share a UID are one identity with two names, and a second entry with UID 0 is a second superuser.

gid

Contains a group identification (GID) number that identifies the user's primary group. Each GID number must be a whole number between 0 and 60002, with one exception: 65534 lies outside that range and is reserved for nobody4 (and the matching nogroup group). The numbers 60001 and 60002 are assigned to nobody and noaccess.

comment

Usually contains the full name of the user. This field is informational only. It is sometimes called the GECOS field because it was originally used to hold the login information needed to submit batch jobs to a mainframe running GECOS (General Electric Computer Operating System) from UNIX systems at Bell Labs.

home-directory

Contains the user's home directory path name.

login-shell

Contains the user's default login shell, such as /bin/sh, /bin/csh, or /bin/ksh. Table 4–20 describes basic shell features.

Default passwd File

The default Solaris passwd file contains entries for standard daemons. Daemons are processes that are usually started at boot time to perform some system-wide task, such as printing, network administration, or port monitoring.

root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

Table 4.6. Default passwd File Entries

User Name   User ID   Description
root        0         Superuser account
daemon      1         Umbrella system daemon associated with routine system tasks
bin         2         Administrative daemon associated with running system binaries to perform some routine system task
sys         3         Administrative daemon associated with system logging or updating files in temporary directories
adm         4         Administrative daemon associated with system logging
lp          71        Line printer daemon
uucp        5         Daemon associated with uucp functions
nuucp       9         Another daemon associated with uucp functions
smmsp       25        Sendmail message submission program daemon
webservd    80        Account reserved for WebServer access
gdm         50        GNOME Display Manager daemon
listen      37        Network listener daemon
nobody      60001     Account reserved for anonymous NFS access
noaccess    60002     Assigned to a user or a process that needs access to a system through some application but without actually logging in
nobody4     65534     SunOS 4.0 or 4.1 version of the nobody user account

Fields in the shadow File

The fields in the shadow file are separated by colons and contain the following information:

username:password:lastchg:min:max:warn:inactive:expire

For example:

rimmer:86Kg/MNT/dGu.:8882:0::5:20:8978

The following table describes the shadow file fields.

Table 4.7. Fields in the shadow File

Field Name

Description

username

Contains the user name (also called the login name).

password

Might contain one of the following entries:

  • A 13-character encrypted user password

  • The string *LK*, which indicates an inaccessible account

  • The string NP, which indicates no password for the account

lastchg

Indicates the number of days between January 1, 1970, and the last password modification date.

min

Contains the minimum number of days required between password changes.

max

Contains the maximum number of days the password is valid before the user is prompted to specify a new password.

warn

Indicates the number of days before the password expires that the user is warned.

inactive

Contains the number of days a user account can be inactive before being locked.

expire

Contains the absolute date when the user account expires, expressed, like lastchg, as the number of days since January 1, 1970 (8978 in the example above is August 1, 1994). Past this date, the user cannot log in to the system regardless of the password-aging fields.
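The following script is an added example, not code from the original page. It decodes shadow entries using the field definitions above (day counts since January 1, 1970; the *LK* and NP markers) and classifies each entry for a given date, in the order a practitioner would check them: lock markers first, then account expiry, then password age against max and warn. The rimmer line is the page's own example; the lister, cat and holly lines, and all function names, are constructed for the illustration.

```python
"""Decode shadow(4) entries and evaluate password aging.

Added example, not code from the original page. It applies the field
semantics documented above (day counts since January 1, 1970; *LK* and
NP markers) to the page's rimmer entry plus three CONSTRUCTED entries.
"""
import re
from datetime import date, timedelta
from typing import NamedTuple, Optional

# First line is the page's example; the other three are constructed.
SAMPLE_SHADOW = """\
rimmer:86Kg/MNT/dGu.:8882:0::5:20:8978
lister:*LK*:8882:0:90:7::
cat:NP:8882:0:90:7::
holly:86Kg/MNT/dGu.:8882:7:90:7::
"""
EPOCH = date(1970, 1, 1)


class ShadowEntry(NamedTuple):
    username: str
    password: str
    lastchg: Optional[int]   # days since EPOCH of the last password change
    min: Optional[int]       # days that must pass before the next change
    max: Optional[int]       # days the password stays valid
    warn: Optional[int]      # days of warning before max is reached
    inactive: Optional[int]  # days of inactivity tolerated before lock
    expire: Optional[int]    # absolute day count after which logins stop


def _days(field: str) -> Optional[int]:
    return int(field) if field.strip() else None   # empty aging field = unset


def parse_shadow_line(line: str) -> ShadowEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 colon-separated fields: {line!r}")
    return ShadowEntry(parts[0], parts[1], *map(_days, parts[2:]))


def days_to_date(days: Optional[int]) -> Optional[date]:
    return None if days is None else EPOCH + timedelta(days=days)


def is_traditional_crypt(pw: str) -> bool:
    """True for the 13-character crypt(3) form the page describes."""
    return re.fullmatch(r"[./0-9A-Za-z]{13}", pw) is not None


def password_status(e: ShadowEntry, today: date) -> str:
    """Classify an entry as of `today`: markers, then account expiry, then aging."""
    if e.password == "*LK*":
        return "locked"
    if e.password == "NP":
        return "no-password"
    expiry = days_to_date(e.expire)
    if expiry is not None and today > expiry:       # "past this date" no login
        return "account-expired"
    if e.lastchg is None or e.max is None:
        return "aging-off"                           # no max: the password never ages
    age = (today - days_to_date(e.lastchg)).days
    if age > e.max:
        return "password-expired"
    if e.warn is not None and age >= e.max - e.warn:
        return "warn"
    return "ok"


def can_change_password(e: ShadowEntry, today: date) -> bool:
    """min is a floor on how soon a user may change the password again."""
    if e.lastchg is None or e.min is None:
        return True
    return (today - days_to_date(e.lastchg)).days >= e.min


def audit_shadow(text: str, today_iso: str) -> dict:
    """Map each username in a shadow-format text to its status on the given date."""
    today = date.fromisoformat(today_iso)
    return {e.username: password_status(e, today)
            for e in map(parse_shadow_line, filter(str.strip, text.splitlines()))}
```

Run `audit_shadow(SAMPLE_SHADOW, "1994-07-20")` to see rimmer reported as aging-off (empty max) even though its expire field will lock the account twelve days later; an audit that only looks at max misses that case, which is why account expiry is checked before the aging fields.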

Fields in the group File

The fields in the group file are separated by colons and contain the following information:

group-name:group-password:gid:user-list

For example:

bin::2:root,bin,daemon

The following table describes the group file fields.

Table 4.8. Fields in the group File

Field Name

Description

group-name

Contains the name assigned to the group. For example, members of the chemistry department in a university might be called chem. Group names can have a maximum of eight characters.

group-password

Usually contains an asterisk or is empty. The group-password field is a relic of earlier versions of UNIX. If a group has a password, the newgrp command prompts users to enter the password. However, no utility exists to set the password.

gid

Contains the group's GID number. This number must be unique on the local system, and should be unique across the entire organization. Each GID number must be a whole number between 0 and 60002, with 65534 as the one reserved exception for nogroup. Numbers under 100 are reserved for system default group accounts. User defined groups can range from 100 to 60000. The numbers 60001 and 60002 are reserved and assigned to nobody and noaccess, respectively.

user-list

Contains a comma-separated list of user names, representing the user's secondary group memberships. Each user can belong to a maximum of 15 secondary groups.
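The passwd and group formats above carry rules that only hold across both files: every user's primary GID must exist in the group file, every name in a user-list must exist in passwd, UIDs and GIDs must be unique, the password field must be x, and no user may accrue more than 15 secondary groups. The script below is an added example, not code from the original page, that checks those rules together. Its baseline input is an abridged copy of the default Solaris passwd and group files shown on this page; the entries marked CONSTRUCTED, and the function and check names, are made up for the illustration.

```python
"""Cross-check passwd(4) and group(4) entries against the rules on this page.

Added example, not code from the original page. The baseline input is an
abridged copy of the default Solaris passwd and group files shown on this
page; lines marked CONSTRUCTED are made up so the checks have something
to report. Name, ID-range and 15-secondary-group limits are the page's.
"""
import re
from collections import Counter, defaultdict

DEFAULT_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
"""
DEFAULT_GROUP = """\
root::0:
other::1:
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
lp::8:root,adm
nuucp::9:root
daemon::12:root
nobody::60001:
noaccess::60002:
nogroup::65534:
"""
# CONSTRUCTED: a hash left in passwd; an empty password field plus an unknown
# primary GID; a second UID 0; then a second GID 0 and a member who does not exist.
SAMPLE_PASSWD_EXTRA = """\
rimmer:aB1cD2eF3gH4i:102:100:Arnold Rimmer:/export/home/rimmer:/bin/sh
holly::103:999:Holly:/export/home/holly:/bin/sh
toor:x:0:1:Backdoor:/:/bin/sh
"""
SAMPLE_GROUP_EXTRA = """\
users::100:rimmer
wheel::0:root
ghost::200:nobodyhere
"""
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,7}$")  # 1-8 chars, leading letter
RESERVED_IDS = {60001, 60002, 65534}                # nobody, noaccess, nobody4/nogroup
MAX_SECONDARY_GROUPS = 15


def parse_colon_file(text, nfields):
    """Split a passwd- or group-style file into field lists; reject malformed lines."""
    rows = [line.split(":") for line in text.splitlines() if line.strip()]
    bad = [r for r in rows if len(r) != nfields]
    if bad:
        raise ValueError(f"expected {nfields} fields in {':'.join(bad[0])!r}")
    return rows


def audit(passwd_text, group_text):
    """Return (check, subject) findings; an empty list means the files are consistent."""
    findings = []
    users = parse_colon_file(passwd_text, 7)
    groups = parse_colon_file(group_text, 4)
    known_gids = {int(g[2]) for g in groups}
    primary_gid = {u[0]: int(u[3]) for u in users}

    for name, pw, uid, gid, _comment, _home, _shell in users:
        uid, gid = int(uid), int(gid)
        if not NAME_RE.match(name) or name == name.upper():  # needs a lowercase letter
            findings.append(("bad-username", name))
        if pw == "":                                          # logs in with no password
            findings.append(("empty-password-field", name))
        elif pw != "x":                                       # hash in world-readable passwd
            findings.append(("hash-in-passwd", name))
        if uid == 0 and name != "root":
            findings.append(("extra-uid-0", name))
        if uid > 60000 and uid not in RESERVED_IDS:
            findings.append(("uid-out-of-range", name))
        if gid not in known_gids:
            findings.append(("primary-gid-missing", name))
    findings += [("duplicate-uid", uid) for uid, n in
                 Counter(int(u[2]) for u in users).items() if n > 1]

    secondary = defaultdict(set)
    for gname, _gpw, gid, members in groups:
        gid = int(gid)
        for member in filter(None, members.split(",")):
            if member not in primary_gid:
                findings.append(("unknown-member", f"{gname}:{member}"))
            elif gid != primary_gid[member]:                  # own primary group is not secondary
                secondary[member].add(gid)
    findings += [("duplicate-gid", gid) for gid, n in
                 Counter(int(g[2]) for g in groups).items() if n > 1]
    findings += [("too-many-secondary-groups", m) for m, gids in secondary.items()
                 if len(gids) > MAX_SECONDARY_GROUPS]
    return findings
```

`audit(DEFAULT_PASSWD, DEFAULT_GROUP)` returns an empty list, while appending the constructed lines yields seven findings, including the second UID 0 entry and the hash sitting in the world-readable passwd file. The 15-group limit is counted per user across the whole group file, excluding the user's own primary group, since membership in that group comes from the passwd gid field rather than the user-list.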

Default group File

The default Solaris group file contains the following system groups that support some system-wide task, such as printing, network administration, or electronic mail. Many of these groups have corresponding entries in the passwd file.

root::0:
other::1:
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
mail::6:root
tty::7:root,adm
lp::8:root,adm
nuucp::9:root
staff::10:
daemon::12:root
smmsp::25:
sysadmin::14:
gdm::50:
webservd::80:
nobody::60001:
noaccess::60002:
nogroup::65534:

Table 4.9. Default group File Entries

Group Name   Group ID   Description
root         0          Superuser group
other        1          Optional group
bin          2          Administrative group associated with running system binaries
sys          3          Administrative group associated with system logging or temporary directories
adm          4          Administrative group associated with system logging
uucp         5          Group associated with uucp functions
mail         6          Electronic mail group
tty          7          Group associated with tty devices
lp           8          Line printer group
nuucp        9          Group associated with uucp functions
staff        10         General administrative group
daemon       12         Group associated with routine system tasks
sysadmin     14         Administrative group associated with legacy Admintool and Solstice AdminSuite tools
smmsp        25         Group for the Sendmail message submission program daemon
webservd     80         Group reserved for WebServer access
gdm          50         Group reserved for the GNOME Display Manager daemon
nobody       60001      Group assigned for anonymous NFS access
noaccess     60002      Group assigned to a user or a process that needs access to a system through some application but without actually logging in
nogroup      65534      Group assigned to a user who is not a member of a known group