Description
The shadow database driver provides access to the traditional UNIX file-based user database in /etc/passwd, /etc/shadow and /etc/group. The additional Vitalnix-specific database in /etc/vxshadow is also supported.
Configuration file
The following variables are recognized in the configuration file:

| Variable | Meaning |
| --- | --- |
| PASSWD_DB | Path to the passwd file, usually /etc/passwd |
| SHADOW_DB | Path to the shadow file, usually /etc/shadow |
| GROUP_DB | Path to the group file, usually /etc/group |
| VXSHADOW_DB | Path to the optional Vitalnix database, usually /etc/vxshadow |

The Shadow driver also reads /etc/vitalnix/autouid.conf to source the UID/GID boundaries used for automatic UID/GID generation.
Database storage architecture
Within the Shadow storage mechanism, account data is spread over three plain-text files, /etc/passwd, /etc/shadow and /etc/group. Group shadow information (in /etc/gshadow) has always been rarely used (the file disappeared from default installs during the openSUSE Linux lifetime), and Vitalnix does not support it at all.
passwd
/etc/passwd is a text file comprising zero or more users, one per line. Within each line, fields are separated by a colon (:). The fields are:
- login name
- unused field (formerly password)
- UID, numerical user id
- GID, numerical id of the user's primary group
- real name (and possibly custom data)
- home directory
- command interpreter (shell, e.g. /bin/bash)
In a typical shadow system, the 2nd field always contains an "x", which indicates that the password is to be looked up in /etc/shadow instead. Access to the shadow file is restricted to mode 0640(root,shadow).
Any fields after the command interpreter are marked as reserved. The Shadow driver preserves them for you.
The GECOS field itself can contain multiple subfields, separated by comma (,). You can freely assign any text to it, though it is normally used to store the name of the user. Other details stored there are Room Number, Work Phone, Home Phone and Other. Another document says that the initial values for nice, umask and ulimit can be set there, but usually no application uses these fields nowadays. If the Command Interpreter field is empty, it is interpreted as /bin/sh; however, the empty string is preserved.
Vitalnix does not care too much about the extra GECOS fields like room number, but handles the whole GECOS field as one entity, like most other tools. The only special handling of this field is in vxfinger(1), where there is an option to search only part or all of the GECOS field.
A file entry from a passwd file might look like:
jengelh:x:1500:100:Jan Engelhardt:/home/jengelh:/bin/bash
shadow
The /etc/shadow file, which is free to not exist, is also composed of newline-separated lines with colon-separated fields:
- login name
- encrypted password
- days since January 01 1970 that password was last changed
- days before password may be changed
- days after which password must be changed
- days before password is to expire that user is warned
- days after password expires that account is disabled
- days since January 01 1970 that account is disabled
A line from a shadow file might be:
jengelh:$2a$05$xWG3SMLJ.dbFtkstUPp4feI1eMm3qoijsEO3YXrSzisuYXKrARrIS:13051:0:10000:0:::
group
The group database is also stored in a plain-text file, /etc/group. Its fields are:
- group name
- unused field
- numerical group ID
- comma-separated list of members who have this group as a secondary/supplemental group (this is not their primary group)
A typical line is (this group has no extra users):
users:x:100:
vxshadow
/etc/vxshadow contains data specific to Vitalnix and is not essential for the Shadow VXDB driver to function properly. It is composed like the other files (i.e. plain text with newlines and colons); the fields are:
- username
- uuid -- external unique user identifier
- pvgrp -- private group tag (user-defined string anyhow)
- day on which account will finally be deleted
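A parser covering the four file formats described above (passwd, shadow, group and vxshadow), added here as an example; it is not Vitalnix's own code. It keeps the rules the text states: fields after the command interpreter are preserved and written back unchanged, an empty shell is reported as /bin/sh while the empty string itself is kept, GECOS is handled as one entity, and empty day counters in shadow and vxshadow stay unset rather than becoming 0. The sample lines are constructed (the shadow hash is the one quoted above), and names such as parse_passwd_line and supplementary_groups are this example's own.

```python
# Added example, not Vitalnix code: a parser for the four colon-separated
# files described above. It keeps the rules the text states: fields after the
# shell are preserved, an empty shell is reported as /bin/sh while the empty
# string itself is kept, GECOS is one entity, and empty day counters in
# shadow/vxshadow stay "unset". Sample lines are constructed, not real accounts.
from dataclasses import dataclass, field
from typing import Callable, List, Optional

SAMPLE_PASSWD = ("jengelh:x:1500:100:Jan Engelhardt:/home/jengelh:/bin/bash\n"
                 "legacy:x:1501:100:Legacy User,Room 42,,:/home/legacy::rsv1:rsv2\n")
SAMPLE_GROUP = "users:x:100:\nwheel:x:10:jengelh,legacy\n"

def _fields(line: str, minimum: int, kind: str) -> List[str]:
    parts = line.rstrip("\n").split(":")
    if len(parts) < minimum:
        raise ValueError(f"{kind} line needs {minimum} fields, got {len(parts)}: {line!r}")
    return parts

def _opt_int(s: str) -> Optional[int]:
    """Empty day-count fields mean 'not set', which is not the same as 0."""
    return int(s) if s != "" else None

@dataclass
class PasswdEntry:
    name: str
    password: str        # "x" on a shadow system
    uid: int
    gid: int             # primary group
    gecos: str           # kept whole, like most tools do
    home: str
    shell: str           # raw value; may legitimately be ""
    reserved: List[str] = field(default_factory=list)   # fields after the shell

    def effective_shell(self) -> str:
        return self.shell or "/bin/sh"

    def gecos_subfields(self) -> List[str]:
        return self.gecos.split(",")

def parse_passwd_line(line: str) -> PasswdEntry:
    p = _fields(line, 7, "passwd")
    return PasswdEntry(p[0], p[1], int(p[2]), int(p[3]), p[4], p[5], p[6], p[7:])

def format_passwd_line(e: PasswdEntry) -> str:
    """Inverse of parse_passwd_line; reserved fields are written back unchanged."""
    return ":".join([e.name, e.password, str(e.uid), str(e.gid),
                     e.gecos, e.home, e.shell, *e.reserved])

@dataclass
class ShadowEntry:
    name: str
    password: str                 # encrypted password
    last_change: Optional[int]    # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]         # days since 1970-01-01
    reserved: List[str] = field(default_factory=list)

    def is_locked(self) -> bool:
        # shadow(5) convention (not stated on the page): a leading "!" or "*"
        # means the account cannot log in with a password.
        return self.password.startswith(("!", "*"))

def parse_shadow_line(line: str) -> ShadowEntry:
    p = _fields(line, 8, "shadow")
    return ShadowEntry(p[0], p[1], *[_opt_int(x) for x in p[2:8]], p[8:])

@dataclass
class GroupEntry:
    name: str
    password: str
    gid: int
    members: List[str]   # supplementary members only; "users:x:100:" -> []

def parse_group_line(line: str) -> GroupEntry:
    p = _fields(line, 4, "group")
    return GroupEntry(p[0], p[1], int(p[2]), [m for m in p[3].split(",") if m])

@dataclass
class VxshadowEntry:
    name: str
    uuid: str
    pvgrp: str
    delete_day: Optional[int]   # day on which the account is finally deleted

def parse_vxshadow_line(line: str) -> VxshadowEntry:
    p = _fields(line, 4, "vxshadow")
    return VxshadowEntry(p[0], p[1], p[2], _opt_int(p[3]))

def parse_file(text: str, parser: Callable) -> list:
    """Parse every non-empty line of a file's contents with the given parser."""
    return [parser(line) for line in text.splitlines() if line.strip()]

def supplementary_groups(user: str, groups: List[GroupEntry]) -> List[str]:
    """Groups that list the user as a member (the primary group is not listed)."""
    return [g.name for g in groups if user in g.members]

if __name__ == "__main__":
    groups = parse_file(SAMPLE_GROUP, parse_group_line)
    for u in parse_file(SAMPLE_PASSWD, parse_passwd_line):
        print(u.name, u.effective_shell(), supplementary_groups(u.name, groups), u.reserved)
```

The shadow example line quoted above splits into nine fields, not eight: the trailing empty field after "days since the account is disabled" is kept in reserved, so a parse/format round trip leaves the line byte-for-byte intact, which is the same preservation behaviour the text promises for passwd.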
Default permissions
The default permissions for the database files should be as follows:

| File | Mode (owner, group) |
| --- | --- |
| /etc/passwd | 0644(root,shadow) |
| /etc/shadow | 0640(root,shadow) |
| /etc/group | 0644(root,shadow) |
| /etc/vxpasswd | 0644(root,shadow) |
| /etc/vxshadow | 0640(root,shadow) |
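An audit of the database files against this table, added as an example and not part of Vitalnix. It assumes the owner and group names resolve through pwd/grp (unknown ids fall back to their numeric form), treats /etc/shadow and /etc/vxshadow as optional because the text allows them not to exist, and treats /etc/vxpasswd, which the text does not otherwise describe, as optional too (an assumption). Mode bits granted beyond the expected mode are reported separately from a plain mismatch, since a shadow file that is stricter than 0640 is harmless while one readable by others is not.

```python
# Added example, not Vitalnix code: audit mode/owner/group of the database
# files against the Default permissions table. Names are resolved via pwd/grp.
import grp
import os
import pwd
import stat
from typing import Dict, List, Tuple

# (mode, owner, group, optional) per file, from the table above. shadow and
# vxshadow are optional per the text; vxpasswd is not described by the text
# and is treated as optional here (assumption).
EXPECTED: Dict[str, Tuple[int, str, str, bool]] = {
    "/etc/passwd":   (0o644, "root", "shadow", False),
    "/etc/shadow":   (0o640, "root", "shadow", True),
    "/etc/group":    (0o644, "root", "shadow", False),
    "/etc/vxpasswd": (0o644, "root", "shadow", True),
    "/etc/vxshadow": (0o640, "root", "shadow", True),
}

def owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def group_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def audit_file(path: str, mode: int, owner: str, group: str,
               optional: bool = False) -> List[str]:
    """Return a list of findings for one file; an empty list means it matches."""
    try:
        st = os.lstat(path)          # lstat: a symlink in /etc is itself a finding
    except FileNotFoundError:
        return [] if optional else [f"{path}: missing"]
    findings: List[str] = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink, expected a regular file")
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
        # Bits for "others" beyond the expected mode are the dangerous
        # direction, e.g. a world-readable shadow file; a stricter mode is not.
        if actual & ~mode & 0o007:
            findings.append(f"{path}: grants extra permissions to others")
    if owner_name(st.st_uid) != owner:
        findings.append(f"{path}: owner {owner_name(st.st_uid)}, expected {owner}")
    if group_name(st.st_gid) != group:
        findings.append(f"{path}: group {group_name(st.st_gid)}, expected {group}")
    return findings

def audit_all(expected: Dict[str, Tuple[int, str, str, bool]] = EXPECTED
              ) -> Dict[str, List[str]]:
    """Audit every file in the table; only files with findings are returned."""
    report: Dict[str, List[str]] = {}
    for path, (mode, owner, group, optional) in expected.items():
        findings = audit_file(path, mode, owner, group, optional)
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit_all().items():
        for f in findings:
            print(f)
```

Run it as root (or any user; lstat needs only directory search permission on /etc) to list deviations; an empty output means every file in the table matches.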