A sample /etc/group file contains the following entries:
root:*:0:
adm:!:4:logcheck
antoine:x:1000:
The man pages I've read (Debian & OSX) say the second field is to store a group password. As they are rarely used, an asterisk (*) or an x is usually placed in it rather than leaving it blank.
The shadow man page also says that this second field should store the result of the crypt function, and if an invalid result is stored (such as * or !) it means the password cannot be used as an authentication method.
Does that hold true for the group file as well? Why do I end up with 3 different characters in my group file all having the same meaning? Can I safely change all to *?
Best Answer
You are thinking that the !, * or x has a special meaning here, and are therefore worrying that there might be some distinction among them. The fact is that these characters are chosen simply because they stand out, at least to Western eyes. These characters connote a missing value, or an exception case, or a warning. You could put boogabooga here and have exactly the same effect.

This is because of the way passwords are handled on Unix type systems. When the system receives a password entry, it hashes it and compares it to the stored hash. Therefore, all that matters here is that you use some character or sequence of characters that cannot possibly be a valid password hash. (It also mustn't include a colon, for obvious reasons.)
Though there is no difference between these characters from the core OS's perspective, there are some conventions:
When the Linux pwconv(8) program sees x, it takes that to mean "I have already moved this public password hash to the shadow password file." That's not an important case in practice because the days of converting to (or, heaven help you, from) shadow passwords are behind us now.
If you use usermod -L or passwd -l to lock a user, ! has special meaning in /etc/shadow because that's the convention for "break this hash so it doesn't match any more." Adding any other character to the stored hash would break it just as well. Violating this convention merely prevents usermod -U or passwd -u from unlocking the user's login. Just as equally true, since you locked it by hand by adding a bogus character, you can unlock it by hand by removing it. All that is just trivia with respect to this question, however. There is no groupmod -L or gpasswd -l, hence no ! convention in /etc/group.
More trivia: if you are going to lock user accounts by hand, you should stay away from the [A-Za-z0-9/\] set, since those are legal characters for the hash. That's one reason usermod uses ! here instead of x.

I don't see anything wrong with normalizing all your /etc/group password fields, if that makes you feel better. By doing so, you are already saying you're happy hacking these files by hand, so you're probably not the sort to be using the tools that care about the distinctions anyway. Regardless, the change isn't going to have an effect on day-to-day system operation.