System Administration
Showing results for 
Search instead for 
Did you mean: 

/etc/passwd file deleted automatically

Go to solution

/etc/passwd file deleted automatically


my /etc/passwd file automatically deleted. Could you please help me to find out the reason for that.

Horia Chirculescu
Honored Contributor

Re: /etc/passwd file deleted automatically

"automatically deleted"?!

Are you sure that you are not under some kind of attack? Is this server part of some secure network? Maybe someone has gained access to your system.

Anyway, you should be able to restore that file from backup if you still have access to the system.

Best regards from Romania,
Horia Chirculescu
Best regards from Romania,
Regular Advisor

Re: /etc/passwd file deleted automatically

/etc/passwd file deleted ?? The server is in very dangerous zone.

First block root direct login remotely and change root password of the server.

use ssh login and also check the root previleged users. (given sudo permissions).

Try to restore the /etc/passwd file and check the /var/adm/syslog/syslog.log file.You will get logs.

Re: /etc/passwd file deleted automatically

>my /etc/passwd file automatically deleted.

("Automatically" has the wrong English connotation here, perhaps "unexpectedly" is better.)

Did you run of of space in /tmp/ recently? Were you using vipw(1m)?
Has it occurred more than once?

Re: /etc/passwd file deleted automatically

HI ,

Thanks for your support. I copied the passwd file from the backup, server is up and working fine.Is there any method to find out how its deleted ?
Honored Contributor

Re: /etc/passwd file deleted automatically

You did not answer the question above if /tmp filled up while the /etc/passwd file was being edited by vipw. Other than that explanation, the passwd file may have been deleted by mistake by the root user. If you have enabled the command history look in the history file (/.sh_history). Otherwise you can not find out how it got deleted unless you have system accounting enabled (in most cases system accounting is not running)
Hakki Aydin Ucar
Honored Contributor

Re: /etc/passwd file deleted automatically

Probably there are lots of methods to find, but in native HP UX it is not easy, what I remember is that Host IDS of HP-UX intrusion detection tool, it is free of charge and very good tool to establish what is going on your system files who is tampering them ?

the second alternative very simple ,I use nowadays ,a perl script somebody wrote to Watching Files for Changes but it only gets timestamp for changed file that you monitor not user or reason data:
Steven E. Protter
Exalted Contributor

Re: /etc/passwd file deleted automatically

Shalom Josin,

Only one user, root, numeric user id zero can delete /etc/passwd

Things to check.

root keyboard log. In root home directory .sh_history

scripts in cron schedule
crontab -l
# check the scripts.

Do you have an Ignite backup of your system?

Steven E Protter
Owner of ISN Corporation
Roberto Arias
Valued Contributor

Re: /etc/passwd file deleted automatically

hello , my english is very bad, I write in spanish ( my apologies)

Si editas el /etc/passwd sin vipw el fichero no se bloquea por lo que si el / o el /tmp estan el 100% o lo alcanzan en ese momento , o desde otra sesion de root se edita el /etc/passwd , te puede dejar el fichero vacio.

si editas el /etc/passwd con vipw , se bloquea contra escritura hasta que se termine la primera sesion de vipw.

conclusion: The /etc/passwd file must be edited with vipw in all cases , never edit this file with vi (man vipw)
best regards
The man is your friend
Kapil Jha
Honored Contributor

Re: /etc/passwd file deleted automatically

hahahahah I am sorry for that :)

its better if u can use google language converter it would have helped.
Usted tiene razón hay que tener cuidado de modificar el archivo passwd con vipw, pero la pregunta es por eso que usted necesita para editarlo.

Y si todavía creo que se ha eliminado accedently, usted tiene que cavar más por qué sucedió.

Kapil +

I know lil spanish :).No points for this please.
I am in this small bowl, I wane see the real world......