6.3.2.4. /etc/gshadow
The
/etc/gshadow
file is readable only by the root user and contains an encrypted password for each group, as well as group membership and administrator information. Just as in the /etc/group
file, each group's information is on a separate line. Each of these lines is a colon delimited list including the following information:
- Group name — The name of the group. Used by various utility programs as a human-readable identifier for the group.
- Encrypted password — The encrypted password for the group. If set, non-members of the group can join the group by typing the password for that group using the
newgrp
command. If the value of this field is!
, then no user is allowed to access the group using thenewgrp
command. A value of!!
is treated the same as a value of!
— however, it also indicates that a password has never been set before. If the value is null, only group members can log into the group. - Group administrators — Group members listed here (in a comma delimited list) can add or remove group members using the
gpasswd
command. - Group members — Group members listed here (in a comma delimited list) are regular, non-administrative members of the group.
Here is an example line from
/etc/gshadow
:
general:!!:shelley:juan,bob
This line shows that the
general
group has no password and does not allow non-members to join using the newgrp
command. In addition, shelley
is a group administrator, and juan
and bob
are regular, non-administrative members.
Since editing these files manually raises the potential for syntax errors, it is recommended that the applications provided with Red Hat Enterprise Linux for this purpose be used instead. The next section reviews the primary tools for performing these tasks.