≡ Menu

What is the best way to edit /etc/passwd, shadow, and group files?

The best way to edit /etc/passwd, or shadow or group file is to use vipw command. Traditionally (under UNIX and Linux) if you use vi to edit /etc/passwd file and same time a user try to change a password while root editing file, then the user's change will not entered into file. To avoid this problem and to put a lock while editing file, use vipw and vigr command which will edit the files /etc/passwd and /etc/group respectively. If you pass -s option to these command, then they will edit the shadow versions of those files i.e. /etc/shadow and /etc/gshadow, respectively.

The main purpose of locks is to prevent file corruption. Do not use vi or other text editor to edit password file. Syntax:

  • vipw -s : Edit /etc/passwd file
  • vigr -s : Edit /etc/group file

Where,

  • -s : Secure file editing

An example

Login as a root user:

# vipw -s

On other terminal login as normal user (for example vivek) and issue command passwd to change vivek’s password:

$ passwd

(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token lock busy

As you see it returned with an error "passwd: Authentication token lock busy"

This will avoid /etc/shadow file corruption.

Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

{ 7 comments… add one }

  • Mohan June 21, 2007, 5:34 pm

    Nice tip. thanks.

  • Gagan Brahmi July 15, 2009, 9:46 pm

    I think you need a correction in this article.

    vipw will edit /etc/passwd file
    vigr will edit /etc/group file

    AND

    vipw -s will edit /etc/shadow file
    vigr -s will edit /etc/gshadow file

    • sricharan February 20, 2012, 6:34 am

      Hi Gagan,
      I believe the given tip in the forum is correct. You can take a clear look by using vipw -s, it will redirect you to passwd file. I am confident saying, shadow file contains password information in encrypted format, which we wont find using this comand. :)

      • Nick October 6, 2013, 7:48 am

        I have to agree with Gagan. If you actually do vigr –help or vipw –help, it will actually say the following:

        vigr –help
        Usage: vipw [options]

        Options:
        -g, –group edit group database
        -h, –help display this help message and exit
        -p, –passwd edit passwd database
        -q, –quiet quiet mode
        -s, –shadow edit shadow or gshadow database

        This is direct input from CentOS 6.4. As you can see, the -s is editing the shadow version of the given file. From my experience, you want to edit the groups or password file using vigr or vipw then edit using vigr -s and vipw -s to comply with integrity rules.

  • dakkon March 7, 2012, 2:36 pm

    Sricharan,

    I can say with confidence and certainty that Gagan Brahmi was correct about your post, I saw his comment after reading and using the commands you suggested, and my /etc/shadow, and /etc/gshadow file were missing my change, and the passwd and group file still contained he information I was removing while trying to create my first chroot jail.

    So to anyone reading this page that is learning linux and creating a chroot jail, only use the vipw, and vigr to edit your passwd and group files. Do not add the -s switch or you will be editing your shadow files and could potentially brick your system.

  • Crashedbboy December 30, 2014, 4:28 pm

    Is “passwd username -d” causes the same result as edit /etc/passwd file?
    Now I need to set a user to no password, But I don’t know how to do .

  • Vikash Kumar Jha January 22, 2015, 3:12 pm

    Hi

    Mine observation:
    In one of the terminal i login as a admin whic has sudo priviledges, i did sudo su – and typed vipw -s. In the second terminal i logged in as another user and issued passwd command. i abled to successfully change the password.

    Whats your take on that?

    The system is RHEL 5.6 and i am accessing it through SSH.

Leave a Comment