Page 390
There are a few commands for changing various properties of an account. The chsh command, used to change the login command, is mentioned earlier in this chapter. In addition to it (and the passwd -s), there are two other commands that can be used:
| chfn | Changes the full name field (the comment field) |
| passwd | Changes the password |
The superuser (root) can use these commands to change the properties of any account. Normal users (those whose UIDs do not correspond to 0) can only change the properties of their own account.
Sometimes it is necessary to temporarily disable a user's account. Many times you do not want to remove it, just make it inaccessible. One of the ways that I have seen people do this is to change the user's password. Although this works, it also causes confusion for the user, who doesn't know what is going on.
A better way of disabling the account is to change the login command set in the /etc/passwd file. Make a special program called a tail script:
#!/usr/bin/tail +2 This account has been temporarily closed due to <whatever reason>. Please call the system administrator at 555-1212 to discuss this situation.
The first two characters of the first line (#!) tell the kernel that the rest of the line is a command that needs to be run to interpret this file. (If you are accustomed to shell programming or Perl programming, this ought to look familiar.) The tail command outputs the last two lines of the file (which happens to be everything except the first line that executed the program).
If our friend tpowell has not logged in to his account for 90 days, the system administrator would do something like this:
# chsh -s /usr/local/lib/no-login/old tpowell # su - tpowell This account has been closed due to inactivity. Please call the system administrator at 555-1212 to discuss this situation. #
By using the su command to switch to tpowell, I was able to test and make sure that I had done the command correctly, and that it said what I wanted it to say. It worked.
When logging in via a terminal, init makes sure there is a getty program for the terminal connection. getty listens at the terminal and waits for the user to notify that he or she is ready to
Page 391
log in. When it notices a user, getty outputs a welcome message (/etc/issue), prompts for a username, and runs the login program. The login program checks for the existence of the /etc/nologin file. If it exists, logins are disabled. If it does not exist, the login program gets the username as a parameter and prompts the user for the password. The password is compared to the password on file for the user. If all of this matches up, login starts the login command identified in the /etc/passwd file. If it does not match up, the program will either allow the user another chance to enter the user ID and password, or the program will terminate the process. When init notices that the process terminated, it starts a new getty for the terminal.
After the login command is run, and assuming there is a place to send standard output, the login program outputs the contents of /etc/motd and checks for electronic mail. These two steps can be turned off by placing an empty file in your home directory called .hushlogin. This can be done with the following command:
shell:/home/dpitts$touch .hushlogin shell:/home/dpitts$
The touch command says to update the file passed as a parameter with the current date and time. If that file does not exist, it creates it with nothing in it. It is this second part that had the desired effect.
| NOTE |
|
The su command (su stands for switch user) is used to switch from one user to another. If no user is given as a parameter, the su command assumes a switch to the root user account. If the - parameter is used, all environment variables for the user switched to are read. If not, the environment variables of the real user are kept. The su command switches the effective username. It does not change the actual username.
If a normal user switches to another user, the system will ask for the password of the user being switched to. If root attempts to switch to another user, the system switches to that user without the necessary password.
Sometimes when you are on a system, it is nice to know who else is on the system. Other times it is nice to know other information about a user, such as whether or not the user is currently
Page 392
logged on the system. The next sections discuss the who command and the finger command, lists possible reasons they are used, and explains where the information comes from.
The who command checks the /var/run/utmp file to create its information. The /var/run/utmp command keeps track of who is currently logged on. Other than for mere curiosity's sake, there are other reasons why you might care who is logged on. One possible reason is system performance. If you are getting really bad system performance, you will probably want to see who is logged on and what the logged-on user is doing. The who command tells who, and the ps command tells what. Of course, to communicate with users with write or talk, you need to know if that user is logged on.
The -u parameter for who adds the column for how long it has been since that login has been active. In the following example, there are two users. The first has not done anything for fifteen minutes. The second, me, is currently running a command (gee, I bet it is the who -u command).
shell:/home/dpitts$ who -u wsheldah ttyp0 Sep 1 12:55 00:15 (d3.dialup.lexne) dpitts ttyp1 Sep 1 17:06 . (a20.dialup.seane)
The output is a space-delimited line with the following elements (who -u):
user id <space> terminal logged in <space> Date logged in (month and day) <space> time logged in <space> inactive time <space> where logged in from
The finger command checks some system and user-defined files and reports the information it finds. After the following example of a finger command, the output is explained:
shell:/home/dpitts$ finger dpitts Login: dpitts Name: MCA Financial Systems Directory: /home2/dpitts Shell: /bin/bash On since Mon Sep 1 17:06 (EDT) on ttyp1 from a20.dialup.seane Mail forwarded to dpitts@seanet.com No mail. Plan: David Pitts Systems Administrator, Consultant, Author shell:/home/dpitts$
First, the finger command reads and interprets the /etc/passwd file. From that file, it gives the login ID, the comment field, the home location, and the login command issued. In addition, it checks the /var/run/utmp, and if the person is logged in, it displays how long, on which terminal, and from where. After it gives this information, it then checks for the existence of a .forward file. If one exists, it displays its information. Next, it checks to see if the user has any