Learn to manage Unix user accounts efficiently by adding, modifying, and removing users. Understand user requirements, configuration files, handling groups, and practical exercises.
Managing Users
• Objectives
  • to be able to add, modify and remove Unix user accounts
• Contents
  • requirements for a user account
  • configuration files (passwd, shadow)
  • adding users
  • modifying user details
  • passwords
  • deleting users
  • working with groups
• Practicals
  • to add several user accounts
• Summary
New User Requirements
• An entry in /etc/passwd, which will define the user
  • login name
  • user id
  • default group
  • descriptive name
  • login program (shell)
• An entry in /etc/shadow, which will control account access
  • initial password
  • password aging information
• An entry in /etc/group, for the default group assignment
  • one of the existing groups in this file will become the user's primary group
  • access to groups other than the primary group can also be granted in this file
• And somewhere to store files
  • a home directory
  • an initial .bash_profile and application startup files
Preparing Groups (/etc/group)
• Use groups for working on projects and in departments
  • groups provide a second level of access control
  • groups allow users to share files
• Set up groups before adding new users
• One line per group in /etc/group, of the form:
  name::gid:user1,user2
  • name: the group name
  • gid: the numeric group id
  • user1,user2: the list of users allowed 'secondary' access to this group
• An entry for a new group is added with the groupadd utility
• To change or remove a group use groupmod and groupdel
  # groupadd -g 151 swamp
  # groupadd -g 152 barracks
The /etc/passwd file
• Each valid user must have an entry in this file
• One line per user, of the form:
  name::UID:GID:comment:home directory:shell
  • name: must be unique, up to 8 alphanumeric characters, usually lower case
  • UID: user id, a numeric value within the range 0 to 65535
  • GID: the user's primary group, a numeric value within the range 0 to 65535
  • comment: free-format text, usually a fuller description of the user
  • home directory: the account location, usually under /home
  • shell: the startup program; it is optional (but the last colon isn't)
    • if no value is given, it defaults to /usr/bin/sh
    • the recommended shell is /usr/bin/ksh
    • the shell can be any executable program
  $ grep root /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  operator:x:11:0:operator:/root:/sbin/nologin
Allocating User IDs (UIDs)
• Zero is always used by root
• Entries less than 100 refer to special system accounts:
  • root: superuser, unrestricted access to the entire system
  • daemon: looks after background processes
  • bin: owns some system commands
  • uucp: owns uucp files and processes
  • mail: mail server daemon
  • news: internet news daemon
  • at: batch daemon jobs
  • ftp: owns ftp file sharing
  • named: name server user for the DNS
  • ntp: time server user
  • sshd: secure shell subsystem
  • haldaemon: hardware abstraction layer daemon
  • lp: line printing subsystem user
  • nobody: guest user
• Local user accounts normally start at 100 or higher
  • each user should have a unique user id
• User accounts normally start at 500 or higher
  • networked systems should use consistent user UIDs
Adding Users
• Don't edit the control files manually
• Use utilities such as useradd (SVR4) or mkuser (AIX)
  • useradd creates the required records in the /etc/passwd and /etc/shadow files
  • it can also create the directory structure for the new user
• Useful options to useradd to override defaults:
  • -u uid: specify the new user id (default: next available number)
  • -g group: specify the default group (default other, GID=1)
  • -c comment: description of the user (default blank)
  • -d dir: home directory
  • -m: make the home directory (recommended, default /home/username)
  • -k skel_dir: skeleton home directory (default /etc/skel)
  • -s shell: specify the login program (default /bin/bash)
• Don't forget to give the user an initial password
  # useradd -m henry
  # useradd -u 321 -g 152 -m -s /bin/bash hotlips
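The three slides above describe the /etc/passwd format, the UID rules and useradd's "next available number" default. The script below is an added example, not from the slides: it audits a passwd-format file against those rules (field count, empty password field, name length, UID range, a second UID 0, duplicate names and UIDs) and computes the next free UID the way useradd's default does. The sample file, the function names and the `plan_useradd` helper are all constructed for this demo; the audit implements the slide's 8-character name limit, which is lower than what modern Linux allows.

```shell
#!/bin/sh
# Added example, not from the slides: audit a passwd-format file and pick the
# next free UID. All data below is constructed; run against a copy, not /etc.

# make_sample_passwd FILE: constructed passwd file with deliberate faults.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
henry:x:500:100:Henry Blake:/home/henry:/bin/bash
hotlips:x:321:152:Margaret Houlihan:/home/hotlips:/bin/bash
klinger:x:321:100:Max Klinger:/home2/klinger:/bin/ksh
trapper::416:400::/home/trapper:/bin/bash
trapper:x:417:400:Second trapper:/home/trapper2:/bin/bash
radar:x:401:100:Radar OReilly:/home/radar
sysadm2:x:0:0:second UID 0:/root:/bin/bash
longusername1:x:502:100:Long Name:/home/longusername1:/bin/bash
bigid:x:70000:100:Out of range:/home/bigid:/bin/bash
EOF
}

# audit_passwd FILE: print one line per rule violation, nothing when clean.
audit_passwd() {
    awk -F: '
    {
        where = "line " NR " (" $1 "): "
        if (NF != 7)          print where "expected 7 fields, found " NF
        if ($2 == "")         print where "empty password field, login needs no password"
        if (length($1) > 8)   print where "login name longer than 8 characters"
        if ($3 !~ /^[0-9]+$/ || $3 > 65535) print where "UID " $3 " outside 0-65535"
        if ($3 == 0 && $1 != "root") print where "UID 0 account that is not root"
        if ($1 in name_seen)  print where "duplicate login name"
        if ($3 in uid_seen)   print where "duplicate UID " $3 " (also " uid_seen[$3] ")"
        name_seen[$1] = 1
        uid_seen[$3] = $1
    }' "$1"
}

# next_free_uid FILE [MIN]: lowest UID >= MIN (default 500) not used in FILE,
# i.e. the "next available number" useradd picks when -u is not given.
next_free_uid() {
    awk -F: -v min="${2:-500}" '
        $3 ~ /^[0-9]+$/ { used[$3 + 0] = 1 }
        END { uid = min + 0; while (uid in used) uid++; print uid }' "$1"
}

# plan_useradd NAME FILE: print the useradd command that would create NAME
# with the next free UID, or fail if NAME is already taken (hypothetical helper).
plan_useradd() {
    if awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"; then
        echo "login name $1 already exists" >&2
        return 1
    fi
    echo "useradd -u $(next_free_uid "$2") -m $1"
}

# Demo on the constructed file.
f=$(mktemp)
make_sample_passwd "$f"
audit_passwd "$f"
plan_useradd hawkeye "$f"
rm -f "$f"
```

The audit reports eight findings on the sample, two of them for the `sysadm2` line (a non-root UID 0, which also duplicates root's UID); `plan_useradd hawkeye` chooses 501 because 500 is taken and 501 is the first gap above it.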
Changing User Attributes
• Don't edit the control files manually
• Use the supplied utilities such as usermod (SVR4) or chuser (AIX)
  • usermod uses the same basic set of options as useradd
  • if you modify the UID then use the -U option as well, to change the UID of files belonging to the user, but...
  • ...only files in the user's home directory, mail file and cron file will be affected; other files must be located and their ownership modified manually
• Account inactivity and expiry date can also be set by usermod
• Password ageing of 90 days, with a warning at 14 days left, is set with chage
• Force the user to change password at first login with passwd -e
  # usermod -g users -c "Henry Blake" henry
  # usermod -U -u 321 -s /bin/bash hotlips
  # usermod -f 10 henry
  # usermod -e 12/01/07 hotlips
  # chage -M 90 -W 14 henry
  # passwd -e henry
Changing Group Membership
• Each user belongs to a group (defined in /etc/passwd)
  • primary membership can be changed with usermod -g
• A user can also be allowed access to other groups
  • secondary membership is controlled by usermod -G
  • the group must already exist
  # grep trapper /etc/passwd
  trapper::416:400::/home/trapper:/bin/bash        (trapper's primary group is 400)
  # groupadd -g 600 swamp                           (add new group)
  # usermod -G swamp trapper                        (add trapper to group 600; his primary membership is unchanged)
  # grep trapper /etc/group
  swamp::600:trapper
Exercise - Adding and Modifying Users
• Write down the commands to perform the following:
  • add a user called frank
  • add a user called radar specifying the Korn shell
  • add a user called klinger using /home2/klinger as the home directory
  • add a user called mulcahy specifying a UID of 400 and a group of staff
  • modify the user frank to use the Korn shell
  • modify radar to give him a new UID of 401
Setting Passwords
• New user accounts have to have an initial password
• Forgotten passwords have to be reset
  • verify that the person asking to reset the password is the account owner
• Use the standard passwd program with a username
  • as root you will not be prompted for an existing password
  • choose a simple password and inform the user verbally
• Lock the user account with passwd -l
  # passwd henry
  new password:
  retype password:
  # passwd -l henry
Choosing Passwords
• Too many passwords are easy to guess
  • a 1980s survey on US systems guessed 80% of passwords
  • standard password guessing programs are readily available
• Advise users on sensible passwords
  • no proper words or names
  • use letters and digits
  • include symbols
• Most systems enforce basic rules
  • minimum password length
  • use of non-alphanumerics
  • some systems can use dictionaries of disallowed words
• Most modern Linux systems keep a password history
  • used to stop users cycling round a few favourite passwords
• Don't have guest accounts
  • if someone has to use your system, give them an account with a password
The /etc/shadow file
• Each valid user must have an entry, of the format:
  name:password:last change:min:max:warn:inactive:expire:flag
  • name: user login name, cross-reference to the /etc/passwd file
  • password: valid (encrypted) passwords have exactly 13 characters
    • if this field is blank there is no password
    • NP in this field implies no password has been set (login not accessible)
    • LK or * in this field implies the account is never used (locked)
  • last change: number of days since 1/1/70 of the last password change
  • min: minimum number of days between password changes
  • max: maximum number of days the password is valid
  • warn: number of days before expiry that the user will be warned
  • inactive: number of inactivity days allowed for this user
  • expire: an absolute date, beyond which the account will be disabled
  $ grep root /etc/shadow
  root:b93.GT2r.7IZ6:9718:0:60:7:::
Account Security
• Use preset expiry dates for temporary employees
  • very useful for contract staff
• Use inactivity counts to lock unused accounts
  • perhaps the user has left the company and no one told you
• Change passwords known by someone who leaves
  • change ALL passwords if they knew the root password
• Lock accounts if they are temporarily unused
  • user is on secondment or holiday
• Use the password ageing mechanism!
  # usermod -e 12/24/05 hotlips
  # usermod -f 5 hotlips
  # passwd -l trapper
  # passwd -m 27 -x 30 -w 3 radar
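The /etc/shadow fields on the previous slide and the ageing, expiry and inactivity settings on this one combine into a small piece of date arithmetic, all in days since 1/1/70. The script below is an added example, not from the slides: `shadow_status` takes one shadow line and a "today" value and classifies the account as ok, warn, password-expired, inactive, expired-account, locked or nopassword using the slide's rules. It recognises the slide's markers (blank, NP, LK, *) and also the leading "!" that passwd -l on Linux prepends. Modern password hashes are longer than the 13 characters the slide describes, so the function deliberately does not look at the hash itself. The shadow lines and "today" values are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the slides: classify /etc/shadow entries by the
# ageing rules on the slides. Sample lines and dates are constructed.

# today_days: current date as days since 1/1/70, the unit /etc/shadow uses.
today_days() { echo $(( $(date -u +%s) / 86400 )); }

# shadow_status LINE TODAY: print "name: state" for one shadow line.
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        name = $1; pw = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        state = "ok"
        if (pw == "")                                   # blank: no password at all
            state = "nopassword"
        else if (pw ~ /^[!*]/ || pw == "LK" || pw == "NP")  # locked or not accessible
            state = "locked"
        else if (expire != "" && today >= expire + 0)   # absolute account expiry
            state = "expired-account"
        else if (max != "" && last != "" && today > last + max) {
            # password is past its maximum age; inactivity extends to a full lock
            if (inact != "" && today > last + max + inact) state = "inactive"
            else state = "password-expired"
        }
        else if (warn != "" && max != "" && last != "" && today >= last + max - warn)
            state = "warn"                              # inside the warning window
        print name ": " state
    }'
}

# shadow_report FILE TODAY: classify every line of a shadow-format file.
shadow_report() {
    while IFS= read -r line; do
        shadow_status "$line" "$2"
    done < "$1"
}

# Demo on a constructed shadow file, evaluated on day 9770.
s=$(mktemp)
cat > "$s" <<'EOF'
root:b93.GT2r.7IZ6:9718:0:60:7:::
henry::9700:0:90:7:::
trapper:!b93.GT2r.7IZ6:9700:0:90:7:::
hotlips:b93.GT2r.7IZ6:9700:0:90:7::9750:
radar:b93.GT2r.7IZ6:9600:0:30:3:10::
EOF
shadow_report "$s" 9770
rm -f "$s"
```

On day 9770 root (last change 9718, max 60) is still ok; from day 9771 the 7-day warning window starts, and from day 9779 the password is expired. radar's password reached its 30-day maximum on day 9630 and the 10-day inactivity allowance ran out on 9640, so by 9770 the account is inactive.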
Exercise - Account Security
• Write down the commands to perform the following:
  • add a password for user frank
  • force frank to change his password at next login
  • enable password ageing for trapper (min 21, max 31, warn 7)
  • set the expiry date for hawkeye to 31 Jan 2007
  • lock henry's account
  • now unlock henry's account
Removing a User: Preparation
• When a user leaves there are two main concerns:
  • protect the system from unauthorised access via his/her account
  • protect and manage his/her files and directories left on the system
• Proposed sequence of steps:
  • lock the account password, until you are ready to remove it altogether
  • save all files owned by the user somewhere outside the home directory
  • change access permissions on the saved files, allowing access to root only
  • consider cron or at jobs set up by the user
  • set up mail forwarding to send mail to a manager
  # passwd -l henry
  # mkdir /hold; chmod 000 /hold
  # cd /
  # find . -user henry -print | cpio -ov | compress >/hold/henry
  # find . -user henry -type f -exec rm -f {} \;
  # find . -user henry -type d -exec rmdir {} \;
  # su - henry -c "echo 'bigboss' > ~henry/.forward"
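The "save all files owned by the user, root-only" step above is shown with cpio and compress. The script below is an added example, not from the slides, that performs the same step with find and tar: it writes a manifest of every regular file the user owns under a root directory, archives them into a holding directory created owner-only (umask 077 and mode 700, so root-only when run as root), and prints the archive path. The manifest is computed before anything is written to the holding directory, so the archive never tries to include itself. The demo tree is constructed and owned by whoever runs the script, so it needs no privileges; the function and file names are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not from the slides: quarantine a departing user's files.
# Run as root for real; the demo uses a constructed tree owned by the caller.

# quarantine_user_files USER SRCROOT HOLDDIR: archive every regular file under
# SRCROOT owned by USER into HOLDDIR/USER.tar, with a manifest beside it, all
# created owner-only. Prints the archive path. The body runs in a subshell so
# the umask change does not leak into the caller.
quarantine_user_files() (
    q_user=$1 q_src=$2 q_hold=$3
    umask 077
    q_list=$(mktemp)
    # Manifest of paths relative to SRCROOT, taken before HOLDDIR gets any
    # content, so the archive and manifest themselves are never listed.
    (cd "$q_src" && find . -user "$q_user" -type f -print | sed 's|^\./||') > "$q_list"
    if [ ! -s "$q_list" ]; then
        echo "no files owned by $q_user under $q_src" >&2
        rm -f "$q_list"
        exit 1
    fi
    mkdir -p "$q_hold" && chmod 700 "$q_hold"
    q_arch=$q_hold/$q_user.tar
    tar -cf "$q_arch" -C "$q_src" -T "$q_list"
    mv "$q_list" "$q_hold/$q_user.files"
    printf '%s\n' "$q_arch"
)

# make_sample_home ROOT: constructed files, all owned by the current user.
make_sample_home() {
    mkdir -p "$1/home/$(id -un)/docs" "$1/tmp"
    echo "quarterly report" > "$1/home/$(id -un)/docs/report.txt"
    echo "notes" > "$1/home/$(id -un)/notes.txt"
    echo "scratch" > "$1/tmp/scratch.log"
}

# Demo: archive the current user's files from the constructed tree.
root=$(mktemp -d)
make_sample_home "$root"
arch=$(quarantine_user_files "$(id -un)" "$root" "$root/hold")
echo "archive: $arch"
tar -tf "$arch"
ls -ld "$root/hold"
rm -rf "$root"
```

Restoring is `tar -xf HOLD/USER.tar -C /some/dir`; the manifest gives the inventory without unpacking. The slide's own sequence deletes the files afterwards; this function deliberately stops at the archive so the deletion stays a separate, reviewed step.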
Removing a User Account
• Delete the user account only when his/her data is safe
• Use the userdel utility (SVR4) or rmuser (AIX)
  • without any options userdel will leave all files owned by that user untouched and open to misuse
  • the -r option of userdel will remove the user's files, but only those in the home directory (including the home directory itself)
  • userdel does not remove the mail file
  • more significantly, userdel does not remove the user's cron table or stop cron from executing the tasks scheduled by that user
  # userdel -r henry
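Because userdel -r leaves the mail file and the cron table behind, a follow-up check after removal is worth scripting. The script below is an added example, not from the slides: `leftover_check` looks for the home directory, the mail spool file, the crontab file and any at jobs still owned by the user, under an optional prefix so it can be exercised on a constructed tree rather than the real /. The spool paths cover the Debian (/var/mail, /var/spool/cron/crontabs, /var/spool/cron/atjobs) and Red Hat (/var/spool/mail, /var/spool/cron, /var/spool/at) layouts; the function name and the sample tree are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the slides: after "userdel -r", list what the slide
# says userdel leaves behind, plus at jobs and the home directory.

# leftover_check USER [PREFIX]: print each leftover path, nothing when clean.
# PREFIX defaults to empty (the real root) and is prepended to every path.
leftover_check() {
    lc_user=$1 lc_root=${2:-}
    for lc_p in "/home/$lc_user" "/var/mail/$lc_user" "/var/spool/mail/$lc_user" \
                "/var/spool/cron/$lc_user" "/var/spool/cron/crontabs/$lc_user"; do
        [ -e "$lc_root$lc_p" ] && printf '%s\n' "$lc_root$lc_p"
    done
    # at(1) job files carry no user name, so match on ownership instead;
    # find fails on an unknown user name, which just means nothing to report.
    for lc_at in /var/spool/cron/atjobs /var/spool/at; do
        [ -d "$lc_root$lc_at" ] || continue
        find "$lc_root$lc_at" -type f -user "$lc_user" -print 2>/dev/null || true
    done
    return 0
}

# make_sample_spool PREFIX: constructed leftovers for the current user (the
# at job must be owned by the caller for the ownership match to work).
make_sample_spool() {
    mkdir -p "$1/var/mail" "$1/var/spool/cron/crontabs" "$1/var/spool/cron/atjobs" "$1/home"
    echo "From boss: welcome" > "$1/var/mail/$(id -un)"
    echo "0 2 * * * /usr/local/bin/nightly" > "$1/var/spool/cron/crontabs/$(id -un)"
    echo "echo later" > "$1/var/spool/cron/atjobs/a00001"
}

# Demo: the home directory is already gone (userdel -r), three items remain.
root=$(mktemp -d)
make_sample_spool "$root"
leftover_check "$(id -un)" "$root"
rm -rf "$root"
```

For the real system, run it with no prefix as root after userdel; an empty result means the removal is complete, and anything printed is the cron table, mail or at job the slide warns will otherwise keep running or accumulating.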
Summary
• User account information is stored in 3 files:
  /etc/passwd
  /etc/shadow
  /etc/group
• Account information contains:
  • login name
  • password
  • user and group ids
  • full name
  • home directory
  • login shell
• SVR4 provides utilities for manipulating user details:
  passwd
  useradd, usermod, userdel
  groupadd, groupmod, groupdel