Ask The Security Expert: Questions & Answers

What is password shadowing

EXPERT RESPONSE FROM: Jonathan Callas

QUESTION POSED ON: 12 February 2002
What is password shadowing, and what are its benefits?



On a Unix system, there is a file, /etc/passwd, that traditionally holds account information. As an example, typically this file contains a user's username, password, user and group id, other information like the last time they changed their password and when they must change it by, their home directory, default shell, and lastly, personal information like their full name, office location and phone number.

If you think over that information, you can see that it ranges from information that is pretty public -- like full name -- to information that is very private, like their password. Furthermore, since this is stored in a sequential file, if you can see one piece of information about a user, you can see them all.

Shadow password files are a mechanism to separate the public information about a user from the private information about a user. In one implementation, the shadow password file is /etc/shadow and is protected much more strongly than /etc/passwd. The passwd file is world-readable, but the shadow file is only readable by root. There are OS functions for changing its contents, rather than just having it be done by file access. It contains the password and other relevant information, like the last time it was changed, when it will expire, if the account should be disabled if the password expires and so on.

To sum up, the file /etc/passwd contains data about a user that should not be world-readable. Shadow password files create a file with tighter protection as a way of protecting the sensitive fields of the data about a user.
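
An added example, not part of the expert's response: a small Python audit that checks whether each /etc/passwd entry defers its password to the shadow file and whether a file is world-readable. The sample entries are constructed, and treating "x" as the shadow placeholder and "*" as a locked entry is an assumption based on common Unix convention.

```python
import os
import stat

# Constructed sample in passwd format: name:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,Room 12,555-0100:/home/alice:/bin/bash
legacy:abJnggxhB/yJQ:1001:1001:Old Account:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""

# Assumed convention: "x" means "look in the shadow file", "*" means no login.
PLACEHOLDERS = ("x", "*")

def audit_passwd(text):
    """Return {username: finding} for entries that do not defer to the shadow file."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings[fields[0]] = "malformed entry"
            continue
        name, password = fields[0], fields[1]
        if password == "":
            findings[name] = "empty password field"
        elif password not in PLACEHOLDERS:
            findings[name] = "password hash stored in passwd file"
    return findings

def world_readable(path):
    """True if the 'other' read permission bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE_PASSWD).items():
        print(f"sample: {user}: {problem}")
    # On a real system the passwd file is expected to be world-readable
    # and the shadow file is not.
    for path in ("/etc/passwd", "/etc/shadow"):
        if os.path.exists(path):
            print(f"{path}: world-readable = {world_readable(path)}")
```
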


All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy