Learn › Linux Foundations › Important Files and Paths
cat - a hands-on Linux lab on a real virtual machine.
Read the account roster with cat /etc/passwd. The seven colon-separated fields (username, password placeholder x, UID, GID, comment, home, shell) and how to read one line. Structure-only: your accounts vary, so the drills teach the field shape, why x is not a missing password, and how UID and shell separate humans from service accounts.
Every Linux machine keeps a guest list. Not of people who walked in the door, but of every account the system knows about: you, the all-powerful root account, and a crowd of quiet background accounts that run services you never see. That list is a single plain-text file, and any user is allowed to read it.
The file is /etc/passwd. Despite the name, it does not hold your password. It holds the roster: one line per account, each line packed with the facts the system needs to let that account exist. By the end of this lesson you will read any line in it like a sentence.
The black boxes in this lesson are a practice terminal: a safe sandbox that only checks the one command each step teaches, so you cannot break anything. /etc/passwd is a real system file, and its exact accounts change from machine to machine. The lines shown here are one real capture, kept as an example. On the live machine at the end of the module, you read your own machine's roster and see your own accounts.
/etc/passwd is the account database for the system, written as plain text. Every user account, whether a human like you or a background service, has exactly one line in this file. The system reads it constantly: when you log in, when a program asks who owns a file, when a service starts up under its own account.
The /etc folder, remember, is where Linux keeps its system-wide configuration files. passwd is one of the oldest and most important. Because it is plain text, you can read it with the same cat command you have used all along, no special tool required.
The name is a leftover from history. Decades ago this one file really did store passwords too. That turned out to be a security problem, because every user can read the file, so the actual passwords were moved out to a separate root-only file. The name passwd stayed, even though the passwords left.
There is only one move to see the whole list: print the file. cat reads a file and dumps its full contents to the screen, and that is exactly what you want here. Ask the machine to show you every account it knows about:
cat /etc/passwd
prompt: student@linuxcamp:~$ answer: cat /etc/passwd output: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin student:x:1000:1000:Student User:/home/student:/bin/bash hint: Use cat to print the file, then the full path /etc/passwd: cat /etc/passwd
Those exact accounts belong to the machine this was captured on. On YOUR machine the list will be different: different service accounts, different real names, different ID numbers, maybe a different name than student for the human account. That is expected. What stays the same everywhere is the SHAPE of each line, and that shape is the whole lesson.
Every line follows one rigid pattern: seven fields, separated by colons. The colon is the fence between fields. Learn the seven once and you can read any account on any Linux machine. Here they are, left to right:
Seven fields, six colons between them. Some fields can be empty (you might see two colons back to back, ::), but the fences are always there, so the count never changes.
Take the very first line of almost every /etc/passwd on Earth, the root account, and walk its seven fields:
root:x:0:0:root:/root:/bin/bash
Read left to right, the line says: an account called root, password stored elsewhere, user 0 and group 0, described as root, living in /root, running bash when it logs in. One line, the whole account.
The number that carries the power is field 3, the UID. UID 0 is the superuser, the account that can do anything, no matter what the account is named. Rename root to something else and give the new name UID 0, and it is still all-powerful. The system trusts the number, not the name.
The single most common misread of this file is field 2. Every line shows a lone x where you might expect a password. It is tempting to think x means the account has no password or an empty one. It does not.
The x is a placeholder. It means the real password, stored as a scrambled hash, lives in a different file called /etc/shadow. That file is readable only by root, which is the whole point: /etc/passwd can be read by everyone, so the secret was moved somewhere locked. The x is a signpost that says look in shadow, not here.
Do not read x as no password. It is the opposite: it means a real password exists and is safely hidden in /etc/shadow, which only root can open. A truly passwordless account would show something else in that field, not x.
Look back at the roster. The human accounts, root and student, end their line with /bin/bash, a real shell you can type commands into. But daemon, bin, www-data and the rest end with /usr/sbin/nologin. That last field, the shell, is a security switch.
These are service accounts: accounts that exist only so a background program can run under its own name and own its own files, never so a person can log in. Giving them a shell of /usr/sbin/nologin (or on some machines /bin/false) is how the system locks them out. If someone tries to log in as www-data, the login fails instantly, because there is no usable shell to hand them. The account can own files and run a service, but no one can sit down at it.
Which service accounts you see, and whether they end in /usr/sbin/nologin or /bin/false, varies by machine and by what is installed. Both mean the same thing: no interactive login. What is worth memorising is the RULE, a real shell like /bin/bash in field 7 means a human can log in; a nologin or false shell means the account is locked out on purpose.
Two fields together tell you almost instantly whether a line is a person or a service: the UID (field 3) and the shell (field 7).
Regular human accounts almost always have a UID of 1000 or higher, and a real shell like /bin/bash. Service accounts have low UIDs (under 1000) and a locked shell like /usr/sbin/nologin. Root is the special case: UID 0, and a real shell, because root is a real login even though it is not an ordinary user.
Scaffolding off. No command is printed this time. You have every piece you need.
You have just sat down at an unfamiliar Linux machine and you want to see every account it knows about: the humans, root, and all the quiet service accounts. You know the file that holds the roster, and you know the command that prints a plain-text file to the screen. Put them together.
prompt: student@linuxcamp:~$ answer: cat /etc/passwd output: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin student:x:1000:1000:Student User:/home/student:/bin/bash hint: The command that prints a file, then the path to the account roster. Think cat, then /etc/passwd.
That is the everyday move: cat /etc/passwd. cat printed the file, and the path /etc/passwd pointed it at the account roster. You got one line per account, each with its seven colon-separated fields. Your own machine's accounts will differ, name by name, but the shape, seven fields split by six colons, is what you will see on every Linux machine, and the command is exactly what a working engineer types to answer who is on this box.
You earned this cheat sheet. The command is simple; the reading is the skill:
Seven fields, six colons. When you need to know who is on a machine, cat /etc/passwd is the first command, and field 3 (the UID) plus field 7 (the shell) tell you at a glance whether each line is a person or a service.
/etc/passwd holds the accounts; its locked twin /etc/shadow holds the passwords. The x in field 2 is the link between them. You will meet /etc/group, the file behind field 4's group IDs, in a lesson of its own.
The practice terminal has shown you the shape of /etc/passwd. You can print the roster, split any line into its seven fields, read the UID and shell to tell a human from a service, and you know the x hides a real password in /etc/shadow. Every one of those you typed or reasoned out yourself.
The Important Files module ends with one real Linux machine, the Important Files capstone mission, and that is where you read the real system files for yourself. A VM boots just for you, with its own live /etc/passwd, its own accounts, its own hostname. It hands you objectives that use exactly what you practiced across this module. One difference from here: the mission shows no commands. You read the objective, you recall the command, you type it. That recall is what makes it stick.
Finish the other Important Files lessons, then go read a real machine's roster for yourself.
Practice /etc/passwd in a real Linux terminal at The Linux Camp. Progress is verified automatically as you type commands on the machine.