
On my CentOS 7 system (and other Linux flavors), I have noticed that there are two passwd files, /etc/passwd and /usr/bin/passwd. The former contains plaintext information about the users, groups, default shells, etc., whereas the latter is a binary (?) file that the "passwd" command invokes (as suggested by "which passwd").

These may be basic questions, but I have tried my luck with manuals and explanations on forums, albeit not fully clarifying my mental picture:

1) What is the purpose of each file, and why do we have both?

2) Are the two files related -- is /usr/bin/passwd a binary version of /etc/passwd that is constantly updated, for efficiency purposes?

3) What are the appropriate permissions on these files? (I am getting a "passwd: Authentication token manipulation error" if I try to change the login password of a non-sudoer user from that user's account, which is what prompted this line of questioning to begin with.)

Thanks for reading and I am looking forward to your thoughts!

Stefan Petrovic
    /usr/bin/passwd is a binary used for setting/changing a user's password. /etc/passwd lists users, their home directories, UIDs, GIDs and shells. Passwords are stored (encrypted) in /etc/shadow. If you want to read about /usr/bin/passwd (command `$ passwd`), run `$ man passwd` – Krzysztof Dziembała Jun 18 '18 at 07:26

2 Answers


The two files are different, and serve different purposes.

  • /etc/passwd is the user database (fun fact: contrary to its name, it doesn't store passwords - those are stored (possibly in hashed form) in /etc/shadow) - see man 5 passwd (i.e. passwd(5)) and man 5 shadow (i.e. shadow(5)).

  • /usr/bin/passwd is a utility that is supposed to modify user records stored in /etc/passwd and /etc/shadow. See man 1 passwd (i.e. passwd(1)).

Basile Starynkevitch
  • Not fun fact: it doesn't store passwords anymore, but it used to. Hence this is where the name comes from. – SantaXL Dec 11 '19 at 01:28
  1. /etc/passwd is the password file, but it doesn't have to contain passwords - see below. It's a plain text file that contains a list of users and groups on a given system. You can read more about it in man 5 passwd:

     /etc/passwd contains one line for each user account, with seven fields delimited
     by colons (":"). These fields are:
    
       ·   login name
    
       ·   optional encrypted password
    
       ·   numerical user ID
    
       ·   numerical group ID
    
       ·   user name or comment field
    
       ·   user home directory
    
       ·   optional user command interpreter
    

And /usr/bin/passwd is a utility for changing user passwords, commonly a part of the shadow package. Note that, ironically, users' passwords are not stored in /etc/passwd but in /etc/shadow on today's systems, so the name "password file" might be a bit misleading. From man 5 passwd:

If the password field is a lower-case "x", then the encrypted password is actually stored in the shadow(5) file instead; there must be a corresponding line in the /etc/shadow file, or else the user account is invalid.

A regular user cannot even read /etc/shadow, because they do not have read permission on this file, but they can still use the passwd utility to change their password because passwd has the setuid bit set: https://unix.stackexchange.com/questions/101467/how-does-the-passwd-command-gain-root-user-permissions

  2. No, /usr/bin/passwd is not a binary version of /etc/passwd.

  3. See:

    $ ls -l /etc/passwd
    -rw-r--r-- 1 root root 1335 Jul 14  2016 /etc/passwd
    $ ls -l /usr/bin/passwd
    -rws--x--x 1 root root 77689 Jul  2  2014 /usr/bin/passwd
    $ ls -l /etc/shadow
    -rw-r----- 1 root shadow 719 Aug  5  2016 /etc/shadow
    

    You cannot change other users' passwords as the regular user.

Arkadiusz Drabczyk
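As an added example that is not part of the answer above: a short bash script that parses the seven passwd(5) fields quoted from the man page, checks the "x"-to-shadow(5) link the second quote describes (including the "no shadow line, account invalid" case), and reads a file's permission field the same way the ls -l listing shows it, so the setuid bit on /usr/bin/passwd can be spotted programmatically. The user entries and hashes are constructed for the example, and the function names are this example's own, not part of any system tool.

```bash
#!/bin/bash
# Added example, not from the original answer: parse passwd(5)/shadow(5) lines
# and inspect the permission bits the answer's ls -l listing shows.
# All user entries and hashes below are constructed for the example.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
stefan:x:1000:1000:Stefan Petrovic:/home/stefan:/bin/bash
legacy:$6$saltsalt$fakehashinpasswd:1001:1001:Hash kept in passwd:/home/legacy:/bin/sh
orphan:x:1002:1002:No shadow line:/home/orphan:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$fakehashroot:17700:0:99999:7:::
stefan:$6$saltsalt$fakehashstefan:17700:0:99999:7:::
legacy:*:17700:0:99999:7:::'

# passwd_field USER N: print field N (1..7) of USER's passwd line, or nothing.
# Field order from passwd(5): name, password, UID, GID, GECOS, home, shell.
passwd_field() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; exit }'
}

# shadow_hash USER: print the hash field of USER's shadow line, or nothing.
shadow_hash() {
    printf '%s\n' "$SAMPLE_SHADOW" |
        awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# password_source USER: where does this account's password actually live?
#   shadow  - password field is "x" and a matching /etc/shadow line exists
#   invalid - password field is "x" but no shadow line: passwd(5) calls the account invalid
#   passwd  - the hash sits in /etc/passwd itself (the old, world-readable layout)
#   empty   - empty password field
#   nouser  - no passwd line at all
password_source() {
    local pw
    if [ -z "$(passwd_field "$1" 1)" ]; then
        echo nouser; return
    fi
    pw=$(passwd_field "$1" 2)
    if [ "$pw" = x ]; then
        if [ -n "$(shadow_hash "$1")" ]; then echo shadow; else echo invalid; fi
    elif [ -z "$pw" ]; then
        echo empty
    else
        echo passwd
    fi
}

# mode_string FILE: the 10-character type+permission field of ls -l, with the
# trailing "." (SELinux context) or "+" (ACL) that CentOS appends cut off.
mode_string() {
    local m
    m=$(ls -ld "$1" | cut -d' ' -f1)
    printf '%.10s\n' "$m"
}

# is_setuid FILE: true if the owner-execute slot shows the setuid bit (s or S).
is_setuid() {
    case "$(mode_string "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Demo on the sample data plus a throwaway file given the 4711 mode of /usr/bin/passwd.
demo() {
    local f u
    f=$(mktemp)
    chmod 4711 "$f"
    for u in root stefan legacy orphan nosuchuser; do
        echo "$u: $(password_source "$u")"
    done
    echo "stefan: UID $(passwd_field stefan 3), shell $(passwd_field stefan 7)"
    echo "$f: $(mode_string "$f"), setuid: $(is_setuid "$f" && echo yes || echo no)"
    rm -f "$f"
}

demo
```

To run the same checks against a real host, replace the two SAMPLE_ variables with `$(cat /etc/passwd)` and `$(sudo cat /etc/shadow)`, and point `mode_string` at /usr/bin/passwd; `-rws--x--x` with owner root is the shape the answer's listing shows, and a missing `s` there is what would stop an unprivileged user from updating /etc/shadow.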
  • Thank you for the detailed answer! Makes sense. – Stefan Petrovic Jun 18 '18 at 18:11
  • Although this illuminates my understanding of password management, I was originally brought here by a `passwd: Authentication token manipulation error` when users try to change *their own* password. The permissions for `/etc/passwd`, `/etc/shadow`, and `/usr/bin/passwd` are set up according to your indication, so I suspect that is not an issue. A common problem suggested elsewhere is that the system is mounted read-only, but the only line that is not `rw` in my `mount` output is `tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)`. Could that be the issue? – Stefan Petrovic Jun 18 '18 at 18:24