
nixCraft FAQ Roundup May 14, 2007

Recently updated/posted Linux and UNIX FAQs (mostly useful to new Linux/UNIX administrators or users):


How Linux or UNIX Understands which program to run – PART I

This article was organically contributed by monk.

When you are logged in to a Linux server and type a command, it is the shell's responsibility to interpret it. Here I will explain how the BASH shell finds out which program to run. The method the shell uses is straightforward, but it often confuses new Linux users, admins and interns.

Remember that your shell has to deal with several kinds of commands and command line constructs while processing your request, for example:

  1. Internal commands, aka shell builtins (such as set)
  2. External commands (such as clear, date)
  3. Aliases (such as alias rm='rm -i')
  4. Command substitutions (such as echo "Today is $(date)")
  5. Functions
  6. Pipes (such as cat /etc/passwd | wc -l)
  7. I/O redirection (such as cat /etc/passwd > /tmp/names)

As you can see, the shell has to do many things before it can find the correct executable file for you. For example, when you type the single command date, the shell locates the date command for you, then spawns (forks) a new process and "execs" the date command. A discussion of fork and the kernel is beyond the scope of this document (see the nice explanation by Tony @ How shells call other programs). Here you just want to understand how Linux knows which program to run.

Shell uses PATH variable

Your shell uses the environment variable called PATH to locate commands. Just type the following command to display your current PATH:

$ echo $PATH


The variable PATH defines the search path for commands: a colon-separated list of directories in which the shell looks for executables. Returning to the date example, when you type date, the shell starts with the leftmost directory in PATH (for example /usr/local/bin) and checks whether it contains an executable file called date. If one is found, the shell executes it; otherwise it moves on to the next directory. If the command cannot be located in any of the directories, you get a "command not found" error. In full, the BASH shell uses the following sequence to run a command (using date as the example):

  1. Aliases are expanded first (in interactive shells), before any lookup takes place, so alias date='date -u' would rewrite the command line itself.
  2. If there exists a shell function date(), execute it and stop.
  3. If there exists a shell builtin named date, execute it and stop.
  4. If date is neither a function nor a builtin, BASH consults its hash table. If there is an entry for date, execute that remembered path and stop.
  5. Finally, if date is not in the hash table, BASH searches the directories listed in PATH from left to right.
  6. If all of the above fail, the shell prints "bash: date: command not found" and the command's exit status is always 127.

Things look more complicated when the file found is a shell script, but the shell does exactly the same thing: it execs the file. If the script has no #! line, the exec fails (the kernel returns ENOEXEC), which causes the shell to read the script and interpret it itself; with a #! line the kernel starts the named interpreter instead.

What is a HASH table?

A HASH table is nothing but a cache that speeds things up. The first time you run a command, the shell determines its full path name by searching the directories in $PATH and remembers it in the hash table; later invocations skip the search. Just type the hash command to display all remembered commands, together with how often each has been used:
$ hash

hits    command
5    /usr/bin/chsh
1    /usr/bin/man
1    /bin/ls

hash -r empties the table (do this after installing a newer version of a command in a directory earlier in PATH, otherwise the shell keeps running the remembered one), and hash -d name forgets a single entry.

Related shell commands
To solve command lookup mysteries the shell offers a couple of commands.

type command

Tells whether a name is an alias, function, builtin, keyword or executable file; in other words, type shows how the name would be interpreted if used as a command. General syntax:
type {command-name}

$ type -a ls

ls is aliased to 'ls --color=auto'
ls is /bin/ls

(-a lists every match, so both the alias and the file it hides show up.)

$ type date

date is hashed (/bin/date)

$ type dirs

dirs is a shell builtin

$ type if

if is a shell keyword

$ type getip

getip is a function
getip ()
{
    lynx --dump 'http://localhost:81/getip'
}

which command

Locates the executable for a command by searching PATH. Note that which is an external program, so it knows nothing about your shell's aliases, functions or builtins and may report a file the shell would never run (ls above is really an alias). When in doubt prefer type or command -v.
$ which ls

/bin/ls

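To see the lookup order above in action, and to catch the PATH mistake that turns it into a security problem (an empty entry, "." or a world-writable directory lets a planted file named ls or date run instead of the real command), here is an added example script. It is not part of the original article; it is written for bash, assumes only bash builtins and find(1), and the PATH string handed to audit_path at the bottom is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): show how bash resolves a
# command name, and audit PATH for entries that let an attacker plant a
# lookalike binary. Assumes only bash builtins and find(1).

# Report how bash would resolve NAME: alias, keyword, function, builtin,
# "hashed:/path" (already in the hash table), "file:/path" (found by a fresh
# PATH search) or "none" (would give "command not found", exit status 127).
resolve_cmd() {
    local name=$1 kind path
    # Ask the hash table first: type itself may record the path it finds.
    path=$(hash -t "$name" 2>/dev/null) || path=
    kind=$(type -t "$name" 2>/dev/null) || kind=none
    if [ "$kind" = file ]; then
        if [ -n "$path" ]; then
            printf 'hashed:%s\n' "$path"
        else
            printf 'file:%s\n' "$(command -v "$name")"
        fi
    else
        printf '%s\n' "$kind"
    fi
}

# Print one line per risky entry in a PATH string ($1, default: $PATH).
# An empty entry or "." means "the current directory", so a file named ls
# dropped into any directory you cd into would run instead of /bin/ls;
# a relative entry has the same problem; a world-writable directory lets
# any local user plant a binary there; a missing directory may be creatable
# by someone else later.
audit_path() {
    local rest="${1-$PATH}:" dir
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$dir" ] || [ "$dir" = . ]; then
            printf 'CWD: empty or "." entry\n'
        elif [ "${dir#/}" = "$dir" ]; then
            printf 'RELATIVE: %s\n' "$dir"
        elif [ ! -d "$dir" ]; then
            printf 'MISSING: %s\n' "$dir"
        elif [ -n "$(find "$dir" -maxdepth 0 -perm -o+w 2>/dev/null)" ]; then
            printf 'WORLD-WRITABLE: %s\n' "$dir"
        fi
    done
}

# Demonstration. The PATH string is constructed: it has an empty entry,
# a relative entry and /tmp, which is world-writable on most systems.
audit_path "/usr/local/bin::tools:/tmp"
for c in if cd resolve_cmd date no_such_command_xyz; do
    printf '%-20s -> %s\n' "$c" "$(resolve_cmd "$c")"
done
```

resolve_cmd mirrors the sequence above: type -t answers alias, keyword, function, builtin or file, and for a file the script then distinguishes a remembered hash entry from a fresh PATH search. Run audit_path with no argument to check the real PATH of the current shell; anything it prints is a directory from which a command name can be hijacked.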

Continue reading the second part of the "How Linux or UNIX Understands which program to run" series (this is part I).

  • PART I : How Linux or UNIX Understands which program to run
  • PART II : An example: How the shell Understands which program to run

Updated for accuracy by Vivek. This article was almost entirely rewritten to fix typos.

Search for all accounts without a password and lock them

For security reasons it is necessary to find all accounts with no password and lock them. Solaris, Linux and FreeBSD all provide an account locking (and unlocking) facility.

Lock a Linux user account with the following command:

passwd -l {user-name}

To unlock the account use:

passwd -u {user-name}

-l : Disables the account by changing the password to a value that matches no possible encrypted value (shadow-utils prefixes the stored hash with "!", which is why passwd -u can restore it). Note that this only blocks password authentication: a user with a key in ~/.ssh/authorized_keys can still log in over SSH. To disable a Linux account outright, also expire it with usermod --expiredate 1 or chage -E 0.

Lock FreeBSD user account with the following command:

pw lock {username}

To unlock a FreeBSD account use:

pw unlock {username}

Lock Solaris UNIX user account with the following command:

passwd -l {username}

Lock HP-UX user account with the following command:

passwd -l {username}

To unlock an HP-UX account you need to edit the /etc/passwd file with a text editor (or use SAM):

vi /etc/passwd 

However, how do you find the accounts without a password? Again, the status option of passwd ('passwd -S' on Linux, 'passwd -s' on Solaris) lets you find all passwordless accounts.

Linux: display password status

passwd -S {user-name}

-S : Display account status information. The output consists of seven fields: user name, password status, date of the last password change, minimum age, maximum age, warning period and inactivity period. The second field indicates the status of the password using the following codes:

  • L : if the user account is locked (L)
  • NP : Account has no password (NP)
  • P: Account has a usable password (P)
# passwd -S radmin

radmin P 10/08/2005 0 99999 7 -1

Solaris UNIX: display password status

passwd -s {user-name}

-s : Display account status information; the second field uses the following codes:

  • PS : Account has a usable password
  • LK : User account is locked
  • NP : Account has no password

I have already written about a small awk one-liner to find all passwordless accounts.

Automated Scripting Solution
However, in real life you write a script and run it from a cron job. Here is a small script for Linux (it must run as root, because passwd -S reads /etc/shadow):

#!/bin/bash
# Lock every account whose password status (field 2 of passwd -S) is NP.
USERS="$(cut -d: -f1 /etc/passwd)"
for u in $USERS
do
    if passwd -S "$u" | awk '$2 == "NP" { found = 1 } END { exit !found }'
    then
        passwd -l "$u"
    fi
done

FreeBSD script:

#!/bin/sh
# Lock every account whose password field (field 2) in /etc/master.passwd is
# empty, skipping comments and NIS entries (lines starting with #, + or -).
USERS="$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2 == "" { print $1 }' /etc/master.passwd)"
for u in $USERS
do
    pw lock "$u"
done

Sun Solaris script:

#!/bin/sh
# passwd -sa lists the status of every account; NP marks the passwordless ones.
USERS=`passwd -sa | awk '$2 == "NP" { print $1 }'`
for u in $USERS
do
    passwd -l "$u"
done

You can easily add email alert support to the script so that whenever it finds passwordless account(s) it sends an email alert. See the complete working example of the script here.
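The three scripts above each hard-code one platform's status command. The following added example, which is mine and not from the article, instead reads the password file directly: that works for /etc/shadow on Linux and Solaris and for /etc/master.passwd on FreeBSD, because in all three the second field is the password hash. It also separates "find" from "lock" and defaults to a report-only mode, so the cron job can be tried before it changes anything. The sample file is constructed for the demonstration; the lock commands (passwd -l, pw lock) are the ones the article uses and need root.

```sh
#!/bin/sh
# Added example (not from the original article): find accounts with an
# empty password field in a shadow-format or master.passwd-format file,
# list the ones already locked, and lock the open ones on request.

# Print the names of accounts whose password field is empty. Comment
# lines and NIS compat entries (+/-) have an empty field too, so skip them.
# $1: path to a file whose field 1 is the user name and field 2 the hash.
find_passwordless() {
    awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2 == "" { print $1 }' "$1"
}

# Print accounts that are already locked: passwd -l and usermod -L prefix
# the hash with "!" on Linux, Solaris writes "*LK*", pw lock on FreeBSD
# writes "*LOCKED*".
find_locked() {
    awk -F: 'NF > 1 && $2 ~ /^(!|\*LK\*|\*LOCKED\*)/ { print $1 }' "$1"
}

# Lock every passwordless account in $1. $2 must be the word "lock" to act;
# anything else (or nothing) only reports what would be done.
# Assumed lock commands: pw lock on FreeBSD, passwd -l elsewhere.
lock_passwordless() {
    file=$1 mode=${2:-report}
    for u in $(find_passwordless "$file"); do
        if [ "$mode" = lock ]; then
            case $(uname -s) in
                FreeBSD) pw lock "$u" ;;
                *)       passwd -l "$u" ;;
            esac
        else
            printf 'would lock %s\n' "$u"
        fi
    done
}

# Constructed sample in /etc/shadow format (not a real system file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
# comment lines and NIS "+" entries are skipped even though field 2 is empty
root:$6$saltsalt$HASHroot:19000:0:99999:7:::
radmin:$6$othersalt$HASHradmin:13065:0:99999:7:::
guest::19000:0:99999:7:::
svc:!$6$locked$HASHsvc:19000:0:99999:7:::
tmpuser::19000:0:99999:7:::
+::::::::
EOF

echo "passwordless: $(find_passwordless "$SAMPLE" | xargs)"
echo "already locked: $(find_locked "$SAMPLE" | xargs)"
lock_passwordless "$SAMPLE"          # report only: guest and tmpuser
```

From cron, run it as root against the real file and pass lock as the second argument once the report looks right; keep the report mode in the mail alert so you have a record of which accounts were touched.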

FreeBSD: How to write protect important file ( even root can NOT modify / delete file )

The chflags utility modifies the file flags of the listed files as specified by the flags operand.

FreeBSD offers write protection through a special file flag called the system immutable flag (schg). Once it is set nobody, root included, can modify, rename or delete the file, and only root can clear it again. There is one important caveat: chflags(2) refuses to clear the system flags (schg, sappnd, sunlnk) once kern.securelevel is 1 or higher, and the securelevel cannot be lowered on a running system. So the flag really binds root only on a host running at securelevel 1 or above; at securelevel 0 root can simply run chflags noschg. Check the current level with sysctl kern.securelevel.

You must be root to set or clear the immutable bit.

Setup file immutable bit

Use chflags command as follows:
# chflags schg /tmp/test.doc
Now try to remove or modify the file with rm or vi:
# rm -f /tmp/test.doc

rm: /tmp/test.doc: Operation not permitted

Now even root is not allowed to remove or modify the file. This is useful to protect important files such as /etc/passwd and /etc/master.passwd, but remember that passwd(1), pw(8) and vipw(8) rewrite those files when an account changes, so the flag has to be cleared before any password or account change and set again afterwards.

Display if file immutable bit is on or off

ls -lo /tmp/test.doc

-rw-r--r--  1 root  wheel  schg 19 Jun 29 22:22 /tmp/test.doc

Clear or remove file immutable bit

# chflags noschg /tmp/test.doc
Now you can remove or modify the file. Please note that the immutable flag can be set or cleared by root only. chflags also supports a few other interesting flags:

  • arch: set the archived flag
  • nodump: set the nodump flag
  • sappnd: set the system append-only flag
  • schg: set the system immutable flag
  • sunlnk: set the system undeletable flag
  • uappnd: set the user append-only flag
  • uchg: set the user immutable flag
  • uunlnk: set the user undeletable flag

Prefixing a flag name with no turns that flag off (for example, noschg or nouchg).

Please note that Linux also supports an immutable attribute to write protect files: chattr +i sets it, chattr -i clears it and lsattr displays it.

See the chflags(1) and ls(1) man pages for more information.
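As an added example (mine, not from the article), the following script turns the ls -lo output above into a check: it reports whether each file still carries schg and whether kern.securelevel is high enough for the flag to bind root. The ls -lo lines at the bottom are constructed (the first is the one shown above), and the live audit_schg function only makes sense on a FreeBSD host, so it is run only there.

```sh
#!/bin/sh
# Added example (not from the original article): audit schg protection
# using the "ls -lo" output format and kern.securelevel.

# Flags field of one "ls -lo" line. The format is
#   mode links owner group flags size date name
# so the flags are field 5; ls prints "-" when no flags are set.
flags_of() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# True if the flags field of an "ls -lo" line contains schg.
# Several flags are printed comma-separated (e.g. schg,sunlnk).
has_schg() {
    case ",$(flags_of "$1")," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# True if root is prevented from clearing schg: chflags(2) refuses to clear
# the system flags once kern.securelevel is 1 or higher.
securelevel_binds_root() {
    [ "${1:-0}" -ge 1 ]
}

# Live audit for a FreeBSD host: one line per file, plus a warning when
# the securelevel is too low for schg to stop root.
audit_schg() {
    level=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
    if ! securelevel_binds_root "$level"; then
        printf 'WARNING: kern.securelevel=%s, root can run chflags noschg\n' "$level"
    fi
    for f in "$@"; do
        if line=$(ls -ldo "$f" 2>/dev/null); then
            if has_schg "$line"; then printf 'OK: %s\n' "$f"
            else printf 'UNPROTECTED: %s\n' "$f"; fi
        else
            printf 'MISSING: %s\n' "$f"
        fi
    done
}

# Constructed "ls -lo" lines; the first is the one shown in the article.
LINE_SCHG='-rw-r--r--  1 root  wheel  schg 19 Jun 29 22:22 /tmp/test.doc'
LINE_NONE='-rw-r--r--  1 root  wheel  - 2211 Jun 29 22:22 /etc/passwd'
LINE_MULTI='-rw-------  1 root  wheel  schg,sunlnk 3140 Jun 29 22:22 /etc/master.passwd'

for line in "$LINE_SCHG" "$LINE_NONE" "$LINE_MULTI"; do
    if has_schg "$line"; then echo "schg set:   ${line##* }"
    else echo "schg unset: ${line##* }"; fi
done

if [ "$(uname -s)" = FreeBSD ]; then
    audit_schg /etc/passwd /etc/master.passwd
fi
```

On a FreeBSD host, feed audit_schg the list of files you protected with chflags schg and run it from cron; a WARNING line means the flags are only a speed bump for anyone who gets root.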