What is the best way to edit /etc/passwd, shadow, and group files?

last updated in Categories News

The best way to edit /etc/passwd, or shadow or group file is to use vipw command. Traditionally (under UNIX and Linux) if you use vi to edit /etc/passwd file and same time a user try to change a password while root editing file, then the user’s change will not entered into file. To avoid this problem and to put a lock while editing file, use vipw and vigr command which will edit the files /etc/passwd and /etc/group respectively. If you pass -s option to these command, then they will edit the shadow versions of those files i.e. /etc/shadow and /etc/gshadow, respectively.


The main purpose of locks is to prevent file corruption. Do not use vi or other text editor to edit password file. Syntax:

  • vipw -s : Edit /etc/passwd file
  • vigr -s : Edit /etc/group file


  • -s : Secure file editing

An example

Login as a root user:

# vipw -s

On other terminal login as normal user (for example vivek) and issue command passwd to change vivek’s password:

$ passwd

(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token lock busy

As you see it returned with an error “passwd: Authentication token lock busy”

This will avoid /etc/shadow file corruption.


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

7 comment

  1. I think you need a correction in this article.

    vipw will edit /etc/passwd file
    vigr will edit /etc/group file


    vipw -s will edit /etc/shadow file
    vigr -s will edit /etc/gshadow file

    1. Hi Gagan,
      I believe the given tip in the forum is correct. You can take a clear look by using vipw -s, it will redirect you to passwd file. I am confident saying, shadow file contains password information in encrypted format, which we wont find using this comand. 🙂

      1. I have to agree with Gagan. If you actually do vigr –help or vipw –help, it will actually say the following:

        vigr –help
        Usage: vipw [options]

        -g, –group edit group database
        -h, –help display this help message and exit
        -p, –passwd edit passwd database
        -q, –quiet quiet mode
        -s, –shadow edit shadow or gshadow database

        This is direct input from CentOS 6.4. As you can see, the -s is editing the shadow version of the given file. From my experience, you want to edit the groups or password file using vigr or vipw then edit using vigr -s and vipw -s to comply with integrity rules.

  2. Sricharan,

    I can say with confidence and certainty that Gagan Brahmi was correct about your post, I saw his comment after reading and using the commands you suggested, and my /etc/shadow, and /etc/gshadow file were missing my change, and the passwd and group file still contained he information I was removing while trying to create my first chroot jail.

    So to anyone reading this page that is learning linux and creating a chroot jail, only use the vipw, and vigr to edit your passwd and group files. Do not add the -s switch or you will be editing your shadow files and could potentially brick your system.

  3. Is “passwd username -d” causes the same result as edit /etc/passwd file?
    Now I need to set a user to no password, But I don’t know how to do .

  4. Hi

    Mine observation:
    In one of the terminal i login as a admin whic has sudo priviledges, i did sudo su – and typed vipw -s. In the second terminal i logged in as another user and issued passwd command. i abled to successfully change the password.

    Whats your take on that?

    The system is RHEL 5.6 and i am accessing it through SSH.

    Have a question? Post it on our forum!