Page 387
The login command is the command that is executed when the user first logs in. In most cases this is a shell command. In other cases it might be a front-end interface or a single application. If this field is left blank, the system will default to /bin/bash shell.
Red Hat allows two different ways for the users to change the login command: the chps command and the passwd -s command. Both of these commands look exactly alike in their implementation. Both ask for a password and then ask what to change the login command to. Before your security hairs on the back of your neck start to stand straight up, there is a file called /etc/shells that has the same ownership and permissions as the /etc/passwd file. In this file, the system administrator defines which login commands are acceptable. Because of the permissions, every user has access to read the file, but not to change it. The following is an example of an /etc/shells file:
shell:/home/dpitts$ cat /etc/shells /bin/sh /bin/bash /bin/tcsh /bin/csh /bin/ash /bin/zsh
As you can see, the only login command the user can change to are shells. Following is an example of both the chsh command and the passwd -s command. As always, the password is not displayed.
shell:/home/dpitts$ chsh
Password:
Changing the login shell for dpitts
Enter the new value, or press return for the default
Login Shell [/bin/bash]:
shell:/home/dpitts$ passwd -s
Password:
Changing the login shell for dpitts
Enter the new value, or press return for the default
Login Shell [/bin/bash]: /bin/bash
shell:/home/dpitts$
After the /etc/passwd file has been set up, the next step is to define the groups that that user is associated with. Every user is associated with at least one group. A group is a collection of users thrown together for a particular purpose. This purpose could be job function—programmer, system administrator, accountant, or engineer—or the users could all have access to a special device—scanner, color printer, or modem.
There is no limit to the number of groups on a system. In fact, the default /etc/group file contains eighteen groups:
Page 388
root::0:root bin::1:root, bin, daemon daemon::2:root,bin,daemon sys::3:root,bin,adm tty::5: disk::6:root,adm lp::7:lp mem::8: kmem::9: wheel::10:root floppy::11:root mail::12:mail news::13:news uucp::14:uucp man::15:man users::100:games nogroup::-1:
Each line contains four segments and, like the passwd file, is delimited by colons:
group name : password : group ID : users
If there is nothing to be entered into a field, that field is left blank (notice the password field). There will still be a colon delimiting the field from the other fields. Following is a short description of each of the fields:
| group name | A unique identifier for the group |
| password | Usually left blank or an *, but a password can be assigned |
| group ID | The unique number that identifies a group to the operating system |
| users | A list of all user IDs that belong to that group |
Like the /etc/passwd file, there are two ways of editing this file. The first way is with a script, such as addgroup or groupadd; the second way is to manually edit the file with a text editor. (By the way, always make sure you make a backup copy of the file before you edit it!) When adding groups to this file, just follow the format of the other files. Add a unique group, assign it a password if necessary, give it a unique group ID, and then list the users associated with that group. The users, by the way, are separated with commas. If the line is not in the correct format or is incorrect in some other way, the users might not be able to use that group ID.
If the system were using a shadow password system, the password field would be moved to /etc/shadow.group, and an x would be assigned to the field.
When finished editing the /etc/group file, double-check its permissions. It should be owned by root, and its group should be root or sys (group ID of 0). The permissions should be read and write for owner and read for everyone else (644 in hex).
The list of groups does not have to be in any particular order. The list of users in each group is also irrelevant. Red Hat Linux will search the entire file until it comes to the line it is looking for.
Page 389
Although users can be in several groups, Linux only allows them to be active in a single group at any given time. The starting group, commonly called the primary group, is the group identified in the /etc/passwd file. If a user wants to switch to another group (and he or she is in the group according to /etc/group), the user must issue the newgrp command to switch.
Removing a group or a user from a group is as simple as editing the /etc/group file and removing either the entire line or the particular user you want removed. You should also check the /etc/passwd file to make sure that there are no users defined to the group you just deleted.
After a new user has been added to the /etc/passwd file and the /etc/group file, the next step is to create the user's new home directory. For the rest of this chapter, assume that the home directory is /home/username.
To create the directory, go to the /home directory (cd /home), and issue the mkdir command. The parameter passed to the mkdir command is the directory you wish to correct. In the following example, I am creating a user directory for tpowell:
shell:/home/dpitts$ cd /home shell:/home/dpitts$ mkdir tpowell
I now have a directory for my friend Tim. Now that I have the directory, I need to copy the files from /etc/skel to the new home. This is accomplished with the cp command, as shown in the following example:
shell:/home/dpitts$ cp /etc/skel/* /home/tpowell
Now that the basic files are placed in the new user's account, it is time to give the files and the new home directory to the new user, and to give the files the correct file permissions. Of course, an individual site might differ as to the security placed on the files and directories. The following is a general guideline of the commands that need to be executed:
Issue the passwd command as root and set the password of the new user. After you have set this password, the account will work. If you are creating dummy accounts, you might not want to set the password.