What is the best way to edit /etc/passwd, shadow, and group files?

by on February 27, 2006 · 5 comments· LAST UPDATED February 27, 2006

in

The best way to edit /etc/passwd, or shadow or group file is to use vipw command. Traditionally (under UNIX and Linux) if you use vi to edit /etc/passwd file and same time a user try to change a password while root editing file, then the user's change will not entered into file. To avoid this problem and to put a lock while editing file, use vipw and vigr command which will edit the files /etc/passwd and /etc/group respectively. If you pass -s option to these command, then they will edit the shadow versions of those files i.e. /etc/shadow and /etc/gshadow, respectively.

The main purpose of locks is to prevent file corruption. Do not use vi or other text editor to edit password file. Syntax:

  • vipw -s : Edit /etc/passwd file
  • vigr -s : Edit /etc/group file

Where,

  • -s : Secure file editing

An example

Login as a root user:

# vipw -s

On other terminal login as normal user (for example vivek) and issue command passwd to change vivek’s password:

$ passwd

(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token lock busy

As you see it returned with an error "passwd: Authentication token lock busy"

This will avoid /etc/shadow file corruption.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 5 comments… read them below or add one }

1 Mohan June 21, 2007 at 5:34 pm

Nice tip. thanks.

Reply

2 Gagan Brahmi July 15, 2009 at 9:46 pm

I think you need a correction in this article.

vipw will edit /etc/passwd file
vigr will edit /etc/group file

AND

vipw -s will edit /etc/shadow file
vigr -s will edit /etc/gshadow file

Reply

3 sricharan February 20, 2012 at 6:34 am

Hi Gagan,
I believe the given tip in the forum is correct. You can take a clear look by using vipw -s, it will redirect you to passwd file. I am confident saying, shadow file contains password information in encrypted format, which we wont find using this comand. :)

Reply

4 Nick October 6, 2013 at 7:48 am

I have to agree with Gagan. If you actually do vigr –help or vipw –help, it will actually say the following:

vigr –help
Usage: vipw [options]

Options:
-g, –group edit group database
-h, –help display this help message and exit
-p, –passwd edit passwd database
-q, –quiet quiet mode
-s, –shadow edit shadow or gshadow database

This is direct input from CentOS 6.4. As you can see, the -s is editing the shadow version of the given file. From my experience, you want to edit the groups or password file using vigr or vipw then edit using vigr -s and vipw -s to comply with integrity rules.

Reply

5 dakkon March 7, 2012 at 2:36 pm

Sricharan,

I can say with confidence and certainty that Gagan Brahmi was correct about your post, I saw his comment after reading and using the commands you suggested, and my /etc/shadow, and /etc/gshadow file were missing my change, and the passwd and group file still contained he information I was removing while trying to create my first chroot jail.

So to anyone reading this page that is learning linux and creating a chroot jail, only use the vipw, and vigr to edit your passwd and group files. Do not add the -s switch or you will be editing your shadow files and could potentially brick your system.

Reply

Leave a Comment

Previous post:

Next post: