Understanding /etc/passwd, /etc/shadow, and /etc/group
Linux stores user and group information in three main text files: /etc/passwd, /etc/shadow, and /etc/group. Think of /etc/passwd as the system's phone book for user accounts—it lists every user, with username, user ID, home directory, and default shell. /etc/shadow is the locked drawer where actual password hashes and expiration data are kept; only root can read it. /etc/group is the list of teams: it defines groups and which users belong to them for permission sharing. You normally don't edit these files by hand—tools like useradd, usermod, and passwd do that—but understanding their format helps you see how accounts are stored and how to look up information with grep, getent, and similar commands.
Quick Reference
| File | What It Is |
|---|---|
| /etc/passwd | Text file listing all user accounts (one per line); seven colon-separated fields |
| /etc/shadow | Secure file storing password hashes and aging info (root-only read); nine fields |
| /etc/group | Text file listing all groups (one per line); four colon-separated fields |
Understanding /etc/passwd
/etc/passwd lists every user who can log in (or run programs) on the system. Each line has exactly seven fields, separated by colons.
When This File Matters
- You need to see which user accounts exist on the system
- You're troubleshooting login or permission issues
- You want to know a user's UID, home directory, or default shell
- You're learning how Linux stores user information
Format of Each Line
A typical line looks like:
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
| Field | Name | Meaning | Example |
|---|---|---|---|
| 1 | Username | Login name | jdoe |
| 2 | Password placeholder | Usually x; real password is in /etc/shadow | x |
| 3 | UID | User ID (number); 0 = root | 1001 |
| 4 | GID | Primary group ID | 1001 |
| 5 | GECOS | Extra info (full name, etc.); often just the full name | Jane Doe |
| 6 | Home directory | User's home directory path | /home/jdoe |
| 7 | Shell | Default shell (e.g. /bin/bash or /usr/sbin/nologin) | /bin/bash |
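As an added example (not code from the original page), the parser below splits /etc/passwd lines into the seven fields described above and flags the entries an administrator would want to review: a second UID 0 account, or a password field that is empty or holds something other than the x placeholder. The sample lines are constructed for illustration.

```python
# Added example: parse /etc/passwd into its seven fields and audit the result.
# SAMPLE_PASSWD is constructed for this example; it is not a real system file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
backup:x:1002:1002:Backup Operator:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
guest::1003:1003:Guest:/home/guest:/bin/bash
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Return one dict per non-empty line; raise on a line without 7 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])   # UID and GID are numeric
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries

def audit_passwd(entries):
    """Return (username, reason) pairs for entries worth a second look."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0 but not root"))
        if e["password"] == "":
            findings.append((e["name"], "empty password field: may allow login without a password"))
        elif e["password"] != "x":
            findings.append((e["name"], "password field is not 'x': hash kept in the world-readable file"))
    return findings

if __name__ == "__main__":
    # Replace SAMPLE_PASSWD with open("/etc/passwd").read() to audit a real system.
    for user, reason in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{user}: {reason}")
```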
Viewing /etc/passwd
You can read the file with cat, less, or grep. Only root can change it; normal users can usually read it.
View and search
```bash
# View the whole file (may be long)
cat /etc/passwd
# or
less /etc/passwd
# Search for one user; anchor on "^name:" so "jdoe" does not also match "ajdoe2"
grep '^jdoe:' /etc/passwd
# List only usernames (first field)
cut -d: -f1 /etc/passwd
```
Special Accounts
You'll often see accounts with UID 0 (root), low UIDs for system accounts (e.g. daemon, nobody), and /usr/sbin/nologin or /bin/false as the shell—those are for services, not real people logging in.
Understanding /etc/shadow
/etc/shadow holds the actual password hashes and related data. Unlike /etc/passwd, it is readable only by root (on many distributions also by the shadow group), so ordinary users cannot read the hashes or copy them off the machine for offline cracking. Each line corresponds to a user in passwd and has nine colon-separated fields.
When This File Matters
- You're managing password policies (expiration, minimum age)
- You need to lock or unlock an account (without changing the password)
- You're learning how Linux stores and protects passwords
- You're troubleshooting why a user can't log in (expired, locked)
Format of Each Line
A typical line looks like:
jdoe:$6$rounds=...$hashedpassword...:19000:0:99999:7:::
| Field | Meaning | Example |
|---|---|---|
| 1 | Username (must match /etc/passwd) | jdoe |
| 2 | Password hash (or !/* for locked/disabled) | $6$... or ! |
| 3 | Last password change (days since Jan 1, 1970) | 19000 |
| 4 | Minimum days between password changes | 0 |
| 5 | Maximum days until password expires | 99999 |
| 6 | Days to warn before expiration | 7 |
| 7 | Account expiration date (days since epoch, or empty) | empty |
| 8 | Reserved | empty |
| 9 | Reserved | empty |
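As an added example (not code from the original page), the script below parses /etc/shadow lines and classifies each account from fields 2, 3 and 5 of the table above: locked (hash starts with ! or *), no password set, a hash made with an outdated algorithm, or a password older than the maximum age. The sample lines and hash strings are constructed and are not real hashes; `today` is passed in as days since the epoch, the same unit field 3 uses.

```python
# Added example: classify accounts from /etc/shadow. Sample data is constructed;
# the hash bodies are placeholders, not real crypt output.
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
jdoe:$y$j9T$saltsalt$FAKEHASH:19700:0:90:7:::
svc_backup:!:18500:0:99999:7:::
daemon:*:18000:0:99999:7:::
olduser:$1$salt$FAKEMD5HASH:17000:0:99999:7:::
nopass::19500:0:99999:7:::
"""

# Hash identifiers as used by crypt(5); $1$ (MD5) is too weak for new passwords.
HASH_IDS = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}

def parse_shadow(text):
    """Return dicts with the fields this audit needs; raise on a malformed line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(parts)}")
        name, pw, lastchg, _min_d, max_d, _warn = parts[:6]
        entries.append({"name": name, "hash": pw,
                        "lastchg": int(lastchg) if lastchg else None,
                        "max": int(max_d) if max_d else None})
    return entries

def password_state(entry, today):
    """Classify one entry; `today` is days since 1970-01-01, like field 3."""
    h = entry["hash"]
    if h == "":
        return "no password set"
    if h.startswith(("!", "*")):          # passwd -l / usermod -L prefix, or disabled
        return "locked"
    algo = next((n for p, n in HASH_IDS.items() if h.startswith(p)), "unknown")
    if algo == "md5":
        return "weak hash (md5)"
    if entry["max"] is not None and entry["lastchg"] is not None \
            and today - entry["lastchg"] > entry["max"]:
        return "password expired"
    return f"ok ({algo})"

def audit_shadow(text, today):
    """Map username -> state for every line in `text`."""
    return {e["name"]: password_state(e, today) for e in parse_shadow(text)}

if __name__ == "__main__":
    import time
    for name, state in audit_shadow(SAMPLE_SHADOW, int(time.time() // 86400)).items():
        print(f"{name}: {state}")
```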
Viewing /etc/shadow
Only root can read /etc/shadow. Normal users get "Permission denied." Use sudo if your account has permission.
View and search (as root or with sudo)
```bash
# View the file (requires root)
sudo cat /etc/shadow
# Search for one user; anchor on "^name:" to match only that account
sudo grep '^jdoe:' /etc/shadow
# Check if an account is locked: the second field starts with ! or *
sudo grep '^jdoe:' /etc/shadow
```
Security note: Don't share shadow output or copy hashes; treat them as secret. Use passwd, chage, or usermod to change passwords or policies instead of editing /etc/shadow by hand.
Understanding /etc/group
/etc/group is the list of teams on the system. Groups let you give permissions to several users at once (e.g. everyone in the "developers" group can read a project directory). Each line defines one group: group name, GID, and which users are members.
When This File Matters
- You need to see which groups exist and who belongs to them
- You're setting up permissions for a directory or file by group
- You're troubleshooting "permission denied" or group-based access
- You're learning how Linux organizes users into groups
Format of Each Line
Each line has four fields separated by colons:
developers:x:1005:jdoe,jsmith,mkay
| Field | Meaning | Example |
|---|---|---|
| 1 | Group name | developers |
| 2 | Password (usually x; group passwords are rarely used) | x |
| 3 | GID (group ID) | 1005 |
| 4 | List of usernames in the group (comma-separated, no spaces) | jdoe,jsmith,mkay |
Every user has a primary group (stored in /etc/passwd); that group doesn't have to list the user in /etc/group because membership is implied. The member list in /etc/group is for additional (supplementary) groups.
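As an added example (not code from the original page), the function below reproduces what `groups` and `id` compute: the primary group comes from the GID in /etc/passwd, and the supplementary groups come from the fourth field of /etc/group, so a user's primary group is reported even though it never lists them. Both sample files are constructed; `members_of` is a helper added here for reviewing membership of sensitive groups such as sudo or docker.

```python
# Added example: resolve a user's groups from /etc/passwd plus /etc/group.
# Both samples are constructed for this example, not taken from a real system.
SAMPLE_PASSWD = """\
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
jsmith:x:1002:100:John Smith:/home/jsmith:/bin/bash
"""
SAMPLE_GROUP = """\
users:x:100:
jdoe:x:1001:
developers:x:1005:jdoe,jsmith,mkay
sudo:x:27:jsmith
docker:x:999:jdoe
"""

def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def primary_gid(passwd_text, user):
    """Field 4 of the user's /etc/passwd line."""
    for line in passwd_text.splitlines():
        if line.startswith(user + ":"):
            return int(line.split(":")[3])
    raise KeyError(user)

def groups_of(user, passwd_text, group_text):
    """Group names for `user`: primary group first, then supplementary ones."""
    groups = parse_group(group_text)
    by_gid = {gid: name for name, (gid, _) in groups.items()}
    gid = primary_gid(passwd_text, user)
    primary = by_gid.get(gid, str(gid))     # `id` prints a bare GID if unnamed
    supplementary = sorted(name for name, (_, members) in groups.items()
                           if user in members and name != primary)
    return [primary] + supplementary

def members_of(group_text, name):
    """Users listed in the fourth field of one group (primary-only members excluded).
    Membership in groups like sudo or docker grants elevated access, so review it."""
    return sorted(parse_group(group_text)[name][1])

if __name__ == "__main__":
    for user in ("jdoe", "jsmith"):
        print(user, ":", " ".join(groups_of(user, SAMPLE_PASSWD, SAMPLE_GROUP)))
```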
Viewing /etc/group
Most systems allow any user to read /etc/group. You can use cat, grep, or getent.
View and search
```bash
# View the whole file
cat /etc/group
# or
less /etc/group
# Search for one group; anchor on "^name:" to match only that group
grep '^developers:' /etc/group
# List only group names (first field)
cut -d: -f1 /etc/group
# See which groups a user is in
groups jdoe
# or
id jdoe
```
Tips for Success
- Use `getent passwd username` and `getent group groupname` to look up users and groups (works with NIS/LDAP too)
- Use `groups username` or `id username` to see a user's groups
- Don't edit these files by hand; use `usermod`, `passwd`, `chage`, `groupadd`, `groupdel`, and `usermod -aG`
- Use `chage -l username` to see password aging in a readable way; lock an account with `usermod -L username`
- Remember: the second field in `passwd` is almost always `x`; passwords are in `/etc/shadow`
Common Mistakes to Avoid
- Editing passwd, shadow, or group by hand and breaking the format (wrong colons, typos, spaces in group member list)
- Assuming the second field in passwd is the real password (it isn't on a normal system)
- Changing root's UID or deleting system accounts; removing a group that is the primary group for any user
- Copying or logging shadow contents where others can see them; assuming you can "decrypt" the hash—you can't
- Forgetting that the primary group doesn't have to list the user in the fourth field of `/etc/group`
Best Practices
- Use `grep` or `getent` to query; use `usermod`, `passwd`, and `chage` to change users; use `groupadd`/`groupdel` and `usermod -aG` for groups
- Back up `/etc/passwd`, `/etc/shadow`, and `/etc/group` before making any changes (as root)
- Use `sudo` only when needed and don't leave root shells open