Meaning of the Second Field in /etc/group – User and Group Management


A sample /etc/group file contains the following entries:

root:*:0:
adm:!:4:logcheck
antoine:x:1000:

The man pages I've read (Debian & OSX) say the second field is to store a group password. As they are rarely used, an asterisk * or an x is usually placed in it rather than leaving it blank.

The shadow man page also says that this second field should store the result of the crypt function. And if an invalid result is stored (such as * or !), it means the password cannot be used as an authentication method.

Does that hold true for the group file as well? Why do I end up with 3 different characters in my group file all having the same meaning? Can I safely change all to *?

Best Answer

You are thinking that the !, * or x has a special meaning here, and are therefore worrying that there might be some distinction among them.

The fact is that these characters are chosen simply because they stand out, at least to Western eyes. These characters connote a missing value, or an exception case, or a warning. You could put boogabooga here and have exactly the same effect.

This is because of the way passwords are handled on Unix type systems. When the system receives a password entry, it hashes it and compares it to the stored hash. Therefore, all that matters here is that you use some character or sequence of characters that cannot possibly be a valid password hash. (It also mustn't include a colon, for obvious reasons.)

Though there is no difference between these characters from the core OS's perspective, there are some conventions:

  • When the Linux pwconv(8) program sees x, it takes that to mean "I have already moved this public password hash to the shadow password file."

    That's not an important case in practice because the days of converting to (or, heaven help you, from) shadow passwords are behind us now.

  • If you use usermod -L or passwd -l to lock a user, ! has special meaning in /etc/shadow because that's the convention for "break this hash so it doesn't match any more."

    Adding any other character to the stored hash would break it just as well. Violating this convention merely prevents usermod -U or passwd -u from unlocking the user's login. Equally true, since you locked it by hand by adding a bogus character, you can unlock it by hand by removing it.

    All that is just trivia with respect to this question, however. There is no groupmod -L or gpasswd -l, hence no ! convention in /etc/group.

    More trivia: if you are going to lock user accounts by hand, you should stay away from the [A-Za-z0-9/\] set, since those are legal characters for the hash. That's one reason usermod uses ! here instead of x.

I don't see anything wrong with normalizing all your /etc/group password fields, if that makes you feel better. By doing so, you are already saying you're happy hacking these files by hand, so you're probably not the sort to be using the tools that care about the distinctions anyway. Regardless, the change isn't going to have an effect on day-to-day system operation.
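As an added example (not part of the question or answer above), here is a small Python audit that parses /etc/group lines and classifies the second field by the rule the answer gives: only a string that could be crypt(3) output counts as a usable group password, and anything else ("*", "!", "boogabooga") disables it. The sample file content, the staff/secret groups and the hash in the secret entry are constructed placeholders, not values from any real host.

```python
import re
from typing import NamedTuple, Tuple

# Constructed sample /etc/group content (not from any real host); the last two
# entries are made up to exercise the "any bogus string" and "real hash" cases.
SAMPLE_GROUP = """\
root:*:0:
adm:!:4:logcheck
antoine:x:1000:
staff:boogabooga:50:alice,bob
secret:$6$constructedsalt$NotARealHashAAAAAAAAAAAAAAAA:2000:carol
"""

class GroupEntry(NamedTuple):
    name: str
    password: str
    gid: int
    members: Tuple[str, ...]

# Traditional DES crypt(3) output: exactly 13 characters from [A-Za-z0-9./].
# Modular-crypt-format output: "$id$..." (MD5, SHA-256, SHA-512, ...).
_DES_HASH = re.compile(r'^[A-Za-z0-9./]{13}$')
_MCF_HASH = re.compile(r'^\$[A-Za-z0-9]+\$.+$')

def parse_group_line(line: str) -> GroupEntry:
    """Split one /etc/group line into its four colon-separated fields."""
    fields = line.rstrip('\n').split(':')
    if len(fields) != 4:
        raise ValueError(f'malformed group line: {line!r}')
    name, password, gid, members = fields
    return GroupEntry(name, password, int(gid),
                      tuple(m for m in members.split(',') if m))

def classify_password_field(password: str) -> str:
    """Classify the second field the way the system effectively treats it.

    'shadowed': 'x', so any hash lives in /etc/gshadow; audit that file too.
    'empty':    no stored hash at all; not a broken hash, so review separately.
    'hash':     looks like crypt(3) output, i.e. a usable group password.
    'disabled': anything else ('*', '!', 'boogabooga', ...) can never match.
    """
    if password == 'x':
        return 'shadowed'
    if password == '':
        return 'empty'
    if _DES_HASH.match(password) or _MCF_HASH.match(password):
        return 'hash'
    return 'disabled'

def audit_group_file(text: str) -> dict:
    """Map each group name to its classification; 'hash' entries deserve a look."""
    return {entry.name: classify_password_field(entry.password)
            for entry in (parse_group_line(l) for l in text.splitlines() if l.strip())}
```

A hand-chosen lock string of exactly 13 characters from the hash alphabet (the set the answer warns about) is reported as 'hash', which is the practical reason the tools use "!" and "*" rather than something that could pass for crypt output.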