HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
cancel
Showing results for 
Search instead for 
Did you mean: 

passwd change..

 
vas_3
Advisor

passwd change..

HI all,

I have one basic question regarding passwd change of users.
How user can use 'passwd' command?.I mean how user are able to change their passwd?.They can't edit the /etc/passwd and /etc/shadow files..

Regards,
Sri.
10 REPLIES

Re: passwd change..

passwd has setuid root and root can change those files.
Sajjad Sahir
Honored Contributor

Re: passwd change..

Dear vas

no user can't edit that files only superuser
i mean root can do it

thanks and regard

Sajjad Sahir
vas_3
Advisor

Re: passwd change..

Hi Sahir,

Users r using 'passwd' cmd for changing the passwd.That means they r indirectly editing the shadow files right.

Regards,
Sri.
avizen9
Esteemed Contributor

Re: passwd change..

Hello,
basically
only root user able to change, however you can assign sudo access to modify /etc/passwd and /etc/shadow files to any non-root user. thanks,

Re: passwd change..

>Users are using passwd(1) for changing passwd(4). That means they are indirectly editing the shadow files right?

Yes, but really root is editing those files.
Sajjad Sahir
Honored Contributor

Re: passwd change..

Dear Vas

Ordinary users can only change passwords corresponding to their login name. If an old password has been established, it is requested from the user. If valid, a new password is obtained. Once the new password is entered, it is determined if the old password has "aged" sufficiently. If password aging is not sufficient, the new password is rejected and passwd terminates.

If password aging and construction requirements are met, the password is re-entered to ensure consistency. If the new copy differs, passwd repeats the new password prompting cycle, at most twice.

A superuser, whose effective user ID is zero, is allowed to change any password and is not forced to comply with password aging. Superusers are not prompted for old passwords, unless they are attempting to change a superuser's password in a trusted system. On untrusted systems, superusers are not forced to comply with password construction requirements. Null passwords can be created by entering a carriage return in response to the prompt for a new password.

For the files (local system) repository, if no /etc/shadow file exists, then the encrypted password is stored in the password field of /etc/passwd. If the /etc/shadow file exists, then the encrypted password is stored there, and an 'x' is added to the password field of /etc/passwd.

Please remember don't allow any non root users to play with /etc/shadow and /etc/passwd files.


thanks and regards

Sajjad Sahir

vas_3
Advisor

Re: passwd change..

Sorry..i think i confused you..

I attended one interview in that they asked me this question.

We know that users canot edit /etc/passwd and /etc/shadow files.But by using 'passwd' cmd they can change their password.
is there any background process or deamon for doing this?.
I know that root user can change any user passwd.
Regards,
Sri

Re: passwd change..

>But by using passwd cmd they can change their password. is there any background process or deamon for doing this?

As I said above, when you run any setuid root program, you become root and it can edit those files.
The only "demon" might be the NIS process on the NIS server. For "-r nis".
Bill Hassell
Honored Contributor

Re: passwd change..

> We know that users canot edit /etc/passwd and /etc/shadow files.But by using 'passwd' cmd they can change their password.

More accurately stated: We know users cannot run vi or similar program to edit the /etc/passwd file. But as mentioned, the passwd program is a special program that has elevated permission to perform a very specific task: to modify the passwd file on behalf of the user. This is done through permissions given this program that allow it to be run by anyone but be given permission as if it was run by root -- set user-ID or SUID is the common terminology.

> is there any background process or deamon for doing this?.

No. The program does all the work. There are many programs that are configured this way. For instance, chsh allows you to change your shell in the passwd file -- the ll command will show programs that have set userID with the letter "s" in the permissions:

-r-sr-xr-x 5 root bin 53248 Apr 27 2007 chsh

This is standard Unix behavior to allow special privileges with certain commands. Some of the details are shown in the man page for ls.


Bill Hassell, sysadmin
vas_3
Advisor

Re: passwd change..

Thanks for your help.

Regards,
Srinu.