Whta does '\+::::::/bin/bash' in /etc/passwd mean?

Question

Found the line \+::::::/bin/bash in my /etc/passwd, which looks strange to me. What does that mean? Has my computer been hacked?

Answer 1

The answer lies in the nsswitch.conf(5) man page:

Interaction with +/- syntax (compat mode)

Linux libc5 without NYS does not have the name service switch but does allow the user some policy control. In /etc/passwd you could have entries of the form +user or +@netgroup (include the specified user from the NIS passwd map), -user or -@netgroup (exclude the specified user), and + (include every user, except the excluded ones, from the NIS passwd map).

You can override certain passwd fields for a particular user from the NIS passwd map by using the extended form of +user:::::: in /etc/passwd. Non-empty fields override information in the NIS passwd map.

Since most people only put a + at the end of /etc/passwd to include everything from NIS, the switch provides a faster alternative for this case (passwd: files nis) which doesn’t require the single + entry in /etc/passwd, /etc/group, and /etc/shadow. If this is not sufficient, the NSS compat service provides full +/- semantics. By default, the source is nis, but this may be overridden by specifying nisplus as source for the pseudo-databases passwd_compat, group_compat and shadow_compat. These pseudo-databases are only available in GNU C Library.

Assuming that your /etc/nsswitch.conf contains passwd: compat, I believe that that line means "include all NIS users, but override the login shell to /bin/bash".