
CHAPTER 19

User Accounts and Logins

by David Pitts


In order to run a process, there must be a process owner. That process owner is a user account. In some instances, the user account is a default system username (such as daemon, bin, or sys), but in most instances, the user account is an actual person who logs on to a system, performs tasks, and logs off the system.

Even in a single user environment, it is important to know how to create accounts. Most duties do not require the use of the default user, root. Therefore, one of the first tasks that should be done when setting up a new system is to make a user account under which much of the tasks will be done. Only when absolutely necessary should someone log on to root to perform a task (and even then, the person should use the su command to switch to root, not log on as root).

This chapter shows how to add and remove users. In addition, it gives you a look at the components that make up a user, discusses passwords, and covers a few tools for identifying the users on the system.

Adding Users

There are two ways to add users to a system. The first is to use a script that prompts for the requested information. The second is to manually edit the /etc/passwd file and the /etc/group file. The use of a script is the preferred method. First, it limits the mistakes (always a good idea!). Second, you don't have to understand the process or be familiar with the editor. But, because you are reading this book, the second reason—understanding the process and familiarization with the editor—becomes moot.

Adding a user is a simple process, involving the following six steps:

  1. Edit /etc/passwd.
  2. Edit /etc/group.
  3. Create a home directory.
  4. Copy files from /etc/skel to the new home.
  5. Change ownerships and permissions.
  6. Set the password.

Editing /etc/passwd

The first task is to edit the /etc/passwd file, adding the new user to the list. Technically, it is the second thing you should do. The real first thing you should do is copy the /etc/passwd file to a backup file in case you make a mistake. The /etc/passwd file should be owned by root and the group ID set to zero (root or system). The permissions on the file should allow root to read and write it, and everyone else (including the group) to only read it (mode 644, an octal value).

From a security perspective, each user must have a distinct username and password. Each should also have a unique user ID number. The rest of the information associated with a user doesn't have to be unique, and in some cases, is exactly the same as that of other users. The format of the /etc/passwd file is a series of seven segments delimited by colons:


  username : password : user ID : group ID : comment : home directory : login command

The default /etc/passwd file looks like this when Red Hat Linux is first installed:


  root::0:0:root:/root:/bin/bash
  bin:*:1:1:bin:/bin:
  daemon:*:2:2:daemon:/sbin:
  adm:*:3:4:adm:/var/adm:
  lp:*:4:7:lp:/var/spool/lpd:
  sync:*:5:0:sync:/sbin:/bin/sync
  shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
  halt:*:7:0:halt:/sbin:/sbin/halt
  mail:*:8:12:mail:/var/spool/mail:
  news:*:9:13:news:/usr/lib/news:
  uucp:*:10:14:uucp:/var/spool/uucppublic:
  operator:*:11:0:operator:/root:/bin/bash
  games:*:12:100:games:/usr/games:
  man:*:13:15:man:/usr/man:
  postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
  nobody:*:-1:100:nobody:/dev/null:
  ftp:*:14:50::/home/ftp:/bin/bash

If there is nothing to be entered into a field, then that field is left blank (see the ftp entry). There will still be a colon delimiting the field from the other fields. Following is a short description of each of the fields:

  username         A unique identifier for the user
  password         The user's encrypted password
  user ID (UID)    The unique number that identifies a user to the operating system
  group ID (GID)   The unique number that identifies the user's group
  comment          The information displayed when a person is fingered; usually the user's name
  home directory   The directory in which the user is placed upon login
  login command    The command executed when the user logs in; usually a shell

The following sections give more detailed descriptions of the contents of these fields.

The Username

The username is a single string. Usually it is eight characters or less. This username uniquely identifies the user, and it should be easy for the user to identify and remember. The system identifies the user by this name. Typically, a combination of the letters of the first and last name is used (mine is dpitts on many systems).

Although there are traditions (corporate folklore) as to how the username is designated, the computer does not care what the username is, as long as it is unique. In fact, underscores, periods, numbers, and some special characters can be used in the username. Also, case makes a difference; dpitts is different from dpittS or DPitts.

Passwords

The system stores the user's encrypted password in this field. If the system is using a shadow password system, the value placed in this field will be an x. A value of * blocks login access to the account, as * is not a valid character for an encrypted field. This field should never be edited by hand after it is set up; instead, a program such as passwd should be used so that proper encryption takes place. If this field is changed by hand, the old password is no longer valid and, more than likely, will have to be changed by root.

If the system is using a shadow password system, a separate file exists called /etc/shadow that contains passwords (encrypted, of course).

The User ID

Every username has a number associated with it. This number, also called the UID, is used by the system to identify everything owned by the user. All processes, files, and so on associated with the user are identified in this manner. The valid range for the user ID is zero and up. Therefore, the account nobody from the /etc/passwd file listing earlier in this chapter has an invalid UID, because it is -1.
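As an added example (not code from the book), the following Python audit applies the rules stated so far for /etc/passwd to a constructed excerpt: exactly seven colon-delimited fields per line, unique usernames, unique UIDs in the range zero and up, and an empty password field meaning the account can be entered without a password (while * locks the account and x defers to /etc/shadow). The SAMPLE_PASSWD lines and the function names are the example's own.

```python
from typing import Dict, List

# Constructed sample in the seven-field format described above; it mixes
# clean entries with the problem cases the chapter points out.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
nobody:*:-1:100:nobody:/dev/null:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
ftp:*:14:50::/home/ftp:/bin/bash
dpitts:x:500:100:David Pitts:/home/dpitts:/bin/bash
broken:x:501:100:Missing field:/home/broken
dpitts:x:502:100:Duplicate name:/home/dpitts2:/bin/bash
"""
FIELDS = ("username", "password", "uid", "gid", "comment", "home", "shell")

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each non-blank line on ':' and label the seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        entry = dict(zip(FIELDS, parts))
        # Keep the raw field count so malformed lines can be rejected.
        entry["line"], entry["nfields"] = str(lineno), str(len(parts))
        entries.append(entry)
    return entries

def audit_passwd(text: str) -> List[str]:
    """Return one finding per violated rule, in file order."""
    findings, seen_names, seen_uids = [], {}, {}
    for e in parse_passwd(text):
        who = f"line {e['line']} ({e.get('username', '?')})"
        if e["nfields"] != "7":          # exactly seven colon-delimited fields
            findings.append(f"{who}: expected 7 fields, found {e['nfields']}")
            continue
        if e["password"] == "":          # empty field: login with no password
            findings.append(f"{who}: empty password field")
        # '*' locks the account and 'x' defers to /etc/shadow; both are fine.
        if e["username"] in seen_names:  # usernames must be unique
            findings.append(f"{who}: username already used on line {seen_names[e['username']]}")
        seen_names.setdefault(e["username"], e["line"])
        uid = int(e["uid"]) if e["uid"].isdigit() else -1
        if uid < 0:                      # valid UIDs run from zero upward
            findings.append(f"{who}: invalid UID {e['uid']!r}")
        elif e["uid"] in seen_uids:      # UIDs must be unique too
            findings.append(f"{who}: UID {uid} already used by {seen_uids[e['uid']]}")
        else:
            seen_uids[e["uid"]] = e["username"]
    return findings
```

Running audit_passwd over the real file (as root, or on a copy) gives the same checklist for a live system; a clean file returns an empty list.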

Comments

This field is used by other programs to identify the user. Typically, the user's real name is placed in this field. Many times the user's telephone number is also placed here. One thing to keep in mind concerning this field is that anyone can read it. This means that you should not put anything in this field that you do not want everyone who has access to your system to see. This field is sometimes called the GECOS field, after the operating system that first used it.

In addition to users having access to this field, certain utilities use this field as an identifier as well. sendmail, for example, can access this field to show who is sending the mail. finger displays this information upon request.

The Home Directory

The home directory field tells the system where to dump the user, if the login is successful. Typically, this directory is the home directory of the user, but it does not have to be. The system does not care where the directory points, as long as that user can enter it.

Typically, the home directories are grouped together for convenience. The standard directory, under which all users are placed, is /home. So, my directory might be /home/dpitts; and rbowen's directory would be /home/rbowen. Some systems, and some companies, use a different location for grouping home directories. Some alternative locations I have seen are /u, /user, /s, and /usr.
