What is the best way to edit /etc/passwd, shadow, and group files?

The best way to edit the /etc/passwd, shadow, or group file is to use the vipw command. Traditionally (under UNIX and Linux), if you use vi to edit /etc/passwd and a user tries to change a password while root is editing the file, the user’s change will not be entered into the file. To avoid this problem and to put a lock in place while editing, use the vipw and vigr commands, which edit /etc/passwd and /etc/group respectively. If you pass the -s option to these commands, they edit the shadow versions of those files, i.e. /etc/shadow and /etc/gshadow, respectively.

The main purpose of the locks is to prevent file corruption. Do not use vi or another text editor to edit the password file. Syntax:

  • vipw -s : Edit /etc/passwd file
  • vigr -s : Edit /etc/group file

Where,

  • -s : Secure file editing

An example

Log in as the root user:

# vipw -s

On another terminal, log in as a normal user (for example vivek) and issue the passwd command to change vivek’s password:

$ passwd

(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token lock busy

As you can see, it returned the error “passwd: Authentication token lock busy”.

This will avoid /etc/shadow file corruption.
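
The lost update described above, and the effect of the lock, reproduced on a constructed sample file in a temporary directory. This is an added example, not code from the original article: the `shadow.lock` file name and the function names are assumptions, and the exclusive-create lock file is a simplified stand-in for the locking that vipw and passwd perform.

```python
import os
import tempfile
from pathlib import Path

class LockBusy(Exception):
    """Another writer already holds the lock."""

def acquire(lock: Path) -> None:
    # O_EXCL makes creation atomic: only one writer can create the lock file.
    try:
        os.close(os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
    except FileExistsError:
        raise LockBusy("Authentication token lock busy") from None

def change_hash(db: Path, user: str, new_hash: str) -> None:
    # What a password change does: read the file, replace one field, write it back.
    rows = [line.split(":") for line in db.read_text().splitlines()]
    for row in rows:
        if row[0] == user:
            row[1] = new_hash
    db.write_text("".join(":".join(row) + "\n" for row in rows))

def session(use_lock: bool):
    """Admin edits the file in an editor while user vivek changes a password."""
    db = Path(tempfile.mkdtemp()) / "shadow"   # constructed sample, not /etc/shadow
    lock = db.with_name("shadow.lock")         # hypothetical lock file name
    db.write_text("vivek:OLDHASH:19000\nalice:HASH:19000\n")
    events = []
    if use_lock:
        acquire(lock)                          # editor takes the lock first
    buffer = db.read_text()                    # editor loads its copy
    try:
        if use_lock:
            acquire(lock)                      # the password change needs the same lock
        change_hash(db, "vivek", "NEWHASH")
        events.append("passwd: password updated")
    except LockBusy as exc:
        events.append(f"passwd: {exc}")
    db.write_text(buffer.replace("alice:HASH", "alice:!HASH"))  # editor saves
    if use_lock:
        lock.unlink()                          # editor exits, lock released
    return events, db.read_text()

if __name__ == "__main__":
    for use_lock in (False, True):
        print(use_lock, *session(use_lock))
```

Without the lock, the password change reports success and is then silently overwritten when the editor saves its stale copy; with the lock, the change is refused up front and the user knows to retry.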


7 comments
  • Mohan Jun 21, 2007 @ 17:34

    Nice tip. thanks.

  • Gagan Brahmi Jul 15, 2009 @ 21:46

    I think you need a correction in this article.

    vipw will edit /etc/passwd file
    vigr will edit /etc/group file

    AND

    vipw -s will edit /etc/shadow file
    vigr -s will edit /etc/gshadow file

    • sricharan Feb 20, 2012 @ 6:34

      Hi Gagan,
      I believe the given tip in the forum is correct. You can take a clear look by using vipw -s, it will redirect you to passwd file. I am confident saying, shadow file contains password information in encrypted format, which we won’t find using this command. 🙂

      • Nick Oct 6, 2013 @ 7:48

        I have to agree with Gagan. If you actually do vigr --help or vipw --help, it will actually say the following:

        vigr --help
        Usage: vipw [options]

        Options:
        -g, --group edit group database
        -h, --help display this help message and exit
        -p, --passwd edit passwd database
        -q, --quiet quiet mode
        -s, --shadow edit shadow or gshadow database

        This is direct input from CentOS 6.4. As you can see, the -s is editing the shadow version of the given file. From my experience, you want to edit the groups or password file using vigr or vipw then edit using vigr -s and vipw -s to comply with integrity rules.

  • dakkon Mar 7, 2012 @ 14:36

    Sricharan,

    I can say with confidence and certainty that Gagan Brahmi was correct about your post, I saw his comment after reading and using the commands you suggested, and my /etc/shadow, and /etc/gshadow file were missing my change, and the passwd and group file still contained the information I was removing while trying to create my first chroot jail.

    So to anyone reading this page that is learning Linux and creating a chroot jail, only use the vipw, and vigr to edit your passwd and group files. Do not add the -s switch or you will be editing your shadow files and could potentially brick your system.

  • Crashedbboy Dec 30, 2014 @ 16:28

    Does “passwd username -d” cause the same result as editing the /etc/passwd file?
    Now I need to set a user to no password, but I don’t know how to do it.

  • Vikash Kumar Jha Jan 22, 2015 @ 15:12

    Hi

    My observation:
    In one of the terminals I logged in as an admin which has sudo privileges, I did sudo su - and typed vipw -s. In the second terminal I logged in as another user and issued the passwd command. I was able to successfully change the password.

    What’s your take on that?

    The system is RHEL 5.6 and i am accessing it through SSH.
