As far as I know, all unix variants have an /etc/passwd file with the traditional layout, for the sake of applications that read the file directly. Each line in the file contains colon-separated records which correspond to struct passwd fields:
- user name (login)
- encrypted password (if present)
- user id (number, in decimal)
- principal group id (number, in decimal)
- Gecos field. This field is not used by system programs except for display purposes. It is normally a comma-separated list of fields, the first three being full name, office number and telephone number.
- home directory
- login shell
One thing that varies between systems is how much liberty you can take with the syntax. For example, GNU libc (i.e. Linux) ignores lines that begin with #: they are comments. GNU libc also ignores whitespace at the beginning of a line, so lines can be indented. An invalid line might cause programs to stop processing the file or to skip to the next line.
Most modern systems no longer store an encrypted password in the second field. The content of that field is not a reliable indication of whether the user has a password set (and even if you found that out, this is not a reliable indication of whether the user can log in, because there are many other authentication methods such as SSH keys, one-time passwords, biometrics, smartcards, …).
When passwords aren't in /etc/passwd, where they are is system-dependent. The Rosetta Stone for Unix mentions many unix variants.
- Solaris uses /etc/shadow, and this has been copied by others including Linux. Linux and Solaris shadow files have the same format; I don't know if the other systems that have a file called /etc/shadow use the same format.
- BSD systems have /etc/master.passwd, and additionally have database files for faster access, updated by pwd_mkdb.
Remember that /etc/passwd hasn't been guaranteed to contain the full list of users for a couple of decades: users can come from other databases such as NIS (YP) or LDAP. As a system administrator, avoid editing the /etc/passwd file directly; use vipw instead, if your system provides it (and if it doesn't, consult your manuals to see what method is recommended to modify the user database).
What I wrote above goes for groups, too. The fields in /etc/group are struct group members: group name, password (largely unused), numerical group id, and a comma-separated list of user names (the users who have this group as a secondary group). Linux has a /etc/gshadow file, but this is rarely used, as group authentication is not widely practiced.
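The following parser, added here as an illustration and not part of the answer above, reads /etc/passwd and /etc/group with the leniencies the answer attributes to GNU libc: "#" comment lines and leading whitespace are ignored, and malformed lines are skipped rather than aborting. The file contents are constructed for the demonstration; no real system files are read. It also shows the two things a practitioner usually wants from these files once parsed: the Gecos sub-fields, and a user's full group set (primary group via the passwd gid plus every group listing the user as a member), together with a quick check for every account that maps to UID 0.

```python
"""Parse /etc/passwd and /etc/group the lenient way (comments, indentation,
malformed lines skipped).  Added example, not the answer's own code; the file
contents below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Iterator

PASSWD_SAMPLE = """\
# constructed sample; comment lines are ignored
root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Liddell,Room 101,555-0100:/home/alice:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/sh
this line has too few fields
bob:x:1001:1001:Bob,,,:/home/bob:/bin/zsh
"""

GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:toor
users:x:100:alice,bob
sudo:x:27:alice
alice:x:1000:
bob:x:1001:
"""


@dataclass
class Passwd:            # mirrors struct passwd
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    dir: str
    shell: str


@dataclass
class Group:             # mirrors struct group
    name: str
    password: str
    gid: int
    members: list[str] = field(default_factory=list)


def _records(text: str, nfields: int) -> Iterator[list[str]]:
    """Yield the colon-separated fields of every usable line."""
    for raw in text.splitlines():
        line = raw.lstrip()                 # leading whitespace is tolerated
        if not line or line.startswith("#"):
            continue                        # blank line or comment
        fields = line.split(":")
        if len(fields) != nfields:
            continue                        # malformed: skip it (other libcs may stop here)
        yield fields


def parse_passwd(text: str) -> list[Passwd]:
    users = []
    for f in _records(text, 7):
        try:
            users.append(Passwd(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
        except ValueError:
            continue                        # non-decimal uid/gid: treat as malformed
    return users


def parse_group(text: str) -> list[Group]:
    groups = []
    for f in _records(text, 4):
        try:
            groups.append(Group(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m]))
        except ValueError:
            continue
    return groups


def gecos_fields(pw: Passwd) -> dict[str, str]:
    """Split the Gecos field into its first three conventional parts."""
    parts = pw.gecos.split(",")
    parts += [""] * (3 - len(parts))
    return {"full_name": parts[0], "office": parts[1], "phone": parts[2]}


def groups_of(user: str, users: list[Passwd], groups: list[Group]) -> set[str]:
    """Primary group (from the passwd gid) plus every group that lists the user."""
    by_gid = {g.gid: g.name for g in groups}
    result = {by_gid[u.gid] for u in users if u.name == user and u.gid in by_gid}
    result |= {g.name for g in groups if user in g.members}
    return result


def uid0_accounts(users: list[Passwd]) -> list[str]:
    """Every account that maps to root: worth checking on any box you administer."""
    return [u.name for u in users if u.uid == 0]


if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    groups = parse_group(GROUP_SAMPLE)
    print("uid 0 accounts:", uid0_accounts(users))
    for u in users:
        print(u.name, gecos_fields(u)["full_name"], sorted(groups_of(u.name, users, groups)))
```

On the constructed sample the UID 0 check reports both root and toor, which is exactly the kind of entry a one-line grep for "^root:" would miss. Note that, as the answer says, this only covers the files backend; accounts coming from NIS or LDAP never appear here.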
Best Answer
The entries like +::0:0::: can only work as intended if you have passwd: compat in your /etc/nsswitch.conf file. If you use passwd: files nis instead, this entry will not have its intended effect.

At least according to the nsswitch.conf(5) man page on my Debian 9 system, that does not seem like valid syntax anyway: it should be either +user::0:0::: where user would be a NIS username who will be given root access on this system, or just "+" which includes all NIS users except those that have previously been excluded using -user or -@netgroup syntax, without overriding the NIS-specified UID/primary GID values.

By extension, +::0:0::: would seem to mean "every NIS user is root on this system", which seems like not a good idea in the first place.

The danger is, for an application that handles authentication on its own by reading /etc/passwd and /etc/shadow but does not implement the passwd: compat style syntax extensions, that line literally means "user + has UID 0 and GID 0 and has no password".

If you're using such an application, this is a "type + at the username prompt, just press Enter at the password prompt; you now have root access" vulnerability. Since there is no valid shell, you might not get shell access immediately: but just having UID 0 access through an application probably gives a savvy intruder plenty of leverage to gain full root shell access quite soon afterwards.
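To make the hazard in this answer concrete, here is an added example (not the answer's own code) that puts a naive self-parsing authenticator next to a lookup that knows about nsswitch compat syntax, and runs both against a constructed /etc/passwd containing the +::0:0::: line. The shadow file is constructed too, and verify_hash() uses a toy sha256-based scheme standing in for crypt(3)/PAM so that the example runs offline; the password values are placeholders. The audit() function at the end is the check you would actually run on a real file: it flags "+"/"-" entries that override the UID to 0 and ordinary entries that combine UID 0 with an empty password field.

```python
"""The '+::0:0:::' hazard: what a self-parsing application sees versus what an
nss compat-aware lookup sees.  Added example, not the answer's own code.  The
passwd/shadow contents are constructed, and verify_hash() is a toy stand-in
for crypt(3)/PAM so the example runs offline.
"""
import hashlib
import hmac

ROOT_PASSWORD = "constructed-root-password"     # only used to build the sample shadow file
ALICE_PASSWORD = "constructed-alice-password"


def toy_hash(password: str) -> str:
    # placeholder for a real crypt(3) hash; NOT a safe password-hashing scheme
    return "toy$" + hashlib.sha256(password.encode()).hexdigest()


def verify_hash(password: str, stored: str) -> bool:
    return hmac.compare_digest(toy_hash(password), stored)


PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
+::0:0:::
"""

SHADOW = f"""\
root:{toy_hash(ROOT_PASSWORD)}:19000:0:99999:7:::
alice:{toy_hash(ALICE_PASSWORD)}:19000:0:99999:7:::
"""


def passwd_fields(line: str):
    f = line.split(":")
    return f if len(f) == 7 else None        # '+::0:0:::' splits into exactly 7 fields


def naive_lookup(passwd_text: str, name: str):
    """Literal first-field match, as an application with its own parser does."""
    for line in passwd_text.splitlines():
        f = passwd_fields(line)
        if f and f[0] == name:
            return {"name": f[0], "password": f[1], "uid": int(f[2]), "gid": int(f[3]), "shell": f[6]}
    return None


def shadow_hash(shadow_text: str, name: str):
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[0] == name:
            return f[1]
    return None


def naive_authenticate(passwd_text: str, shadow_text: str, name: str, password: str):
    """Returns the uid on success, None on failure.  This is the logic the answer
    warns about: an empty password field is taken to mean 'no password'."""
    entry = naive_lookup(passwd_text, name)
    if entry is None:
        return None
    stored = entry["password"]
    if stored == "x":                          # password lives in /etc/shadow
        stored = shadow_hash(shadow_text, name)
        if stored is None:
            return None
    if stored == "":                           # no password set: anything is accepted
        return entry["uid"]
    return entry["uid"] if verify_hash(password, stored) else None


def is_compat_directive(name_field: str) -> bool:
    """'+', '+user', '+@netgroup', '-user', '-@netgroup' are nsswitch compat
    directives, not accounts, and must never be matched as a login name."""
    return name_field.startswith(("+", "-"))


def compat_aware_lookup(passwd_text: str, name: str):
    for line in passwd_text.splitlines():
        f = passwd_fields(line)
        if f and not is_compat_directive(f[0]) and f[0] == name:
            return {"name": f[0], "password": f[1], "uid": int(f[2]), "gid": int(f[3]), "shell": f[6]}
    return None


def audit(passwd_text: str) -> list[tuple[int, str]]:
    """Flag lines that hand out uid 0 without a password check."""
    findings = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        f = passwd_fields(line)
        if f is None:
            continue
        if is_compat_directive(f[0]) and f[2] == "0":
            findings.append((n, f"compat entry {f[0]!r} overrides uid to 0"))
        elif f[1] == "" and f[2] == "0":
            findings.append((n, f"uid 0 account {f[0]!r} has an empty password field"))
    return findings


if __name__ == "__main__":
    print("naive auth as '+' with empty password ->", naive_authenticate(PASSWD, SHADOW, "+", ""))
    print("compat-aware lookup of '+' ->", compat_aware_lookup(PASSWD, "+"))
    for n, msg in audit(PASSWD):
        print(f"line {n}: {msg}")
```

The naive path accepts the login name "+" with an empty password and returns UID 0, which is the "press Enter at the password prompt" scenario in the answer; the compat-aware lookup never returns an entry for "+" because it treats any name beginning with "+" or "-" as a directive rather than an account. Application code that insists on parsing these files itself should at minimum apply that same rule, and preferably use getpwnam(3)/PAM so the libc's nsswitch configuration decides what the line means.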