mirror of https://github.com/tLDP/LDP
383 lines
14 KiB
Plaintext
383 lines
14 KiB
Plaintext
<chapter id="managing-users">
|
|
<title>Managing user accounts</title>
|
|
|
|
<blockquote><para><quote>The similarities of sysadmins and drug
|
|
dealers: both measure stuff in Ks, and both have users.</quote>
|
|
(Old, tired computer joke.)</para></blockquote>
|
|
|
|
<para> This chapter explains how to create new user accounts,
|
|
how to modify the properties of those accounts, and how to remove
|
|
the accounts. Different Linux systems have different tools for
|
|
doing this.</para>
|
|
|
|
<sect1 id="account">
|
|
<title>What's an account?</title>
|
|
|
|
<para> When a computer is used by many people it is usually
|
|
necessary to differentiate between the users, for example, so that
|
|
their private files can be kept private. This is important even
|
|
if the computer can only be used by a single person at a time,
|
|
as with most microcomputers. Thus, each user is given a unique
|
|
username, and that name is used to log in.</para>
|
|
|
|
<para> There's more to a user than just a name, however. An
|
|
<glossterm>account</glossterm> is all the files, resources,
|
|
and information belonging to one user. The term hints at banks,
|
|
and in a commercial system each account usually has some money
|
|
attached to it, and that money vanishes at different speeds
|
|
depending on how much the user stresses the system. For example,
|
|
disk space might have a price per megabyte and day, and processing
|
|
time might have a price per second. </para>
|
|
|
|
</sect1>
|
|
|
|
<sect1 id="adduser">
|
|
<title>Creating a user</title>
|
|
|
|
<para> The Linux kernel itself treats users are mere numbers.
|
|
Each user is identified by a unique integer, the <glossterm>user
|
|
id</glossterm> or <glossterm>uid</glossterm>, because numbers are
|
|
faster and easier for a computer to process than textual names.
|
|
A separate database outside the kernel assigns a textual name,
|
|
the <glossterm>username</glossterm>, to each user id. The database
|
|
contains additional information as well. </para>
|
|
|
|
<para> To create a user, you need to add information about
|
|
the user to the user database, and create a home directory for
|
|
him. It may also be necessary to educate the user, and set up
|
|
a suitable initial environment for him. </para>
|
|
|
|
<para> Most Linux distributions come with a program for
|
|
creating accounts. There are several such programs available.
|
|
Two command line alternatives are <command>adduser</command>
|
|
and <command>useradd</command>; there may be a GUI tool as well.
|
|
Whatever the program, the result is that there is little if
|
|
any manual work to be done. Even if the details are many and
|
|
intricate, these programs make everything seem trivial. However,
|
|
<xref linkend="manual-adduser"> describes how to do it by hand.
|
|
</para>
|
|
|
|
<sect2 id="etc-passwd">
|
|
<title><filename>/etc/passwd</filename> and other informative
|
|
files</title>
|
|
|
|
<para> The basic user database in a Unix system is the text file,
|
|
<filename>/etc/passwd</filename> (called the <glossterm>password
|
|
file</glossterm>), which lists all valid usernames and their
|
|
associated information. The file has one line per username,
|
|
and is divided into seven colon-delimited fields:
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem><para>Username.</para></listitem>
|
|
<listitem><para>Previously this was where the user's password was stored.
|
|
</para></listitem>
|
|
<listitem><para>Numeric user id.</para></listitem>
|
|
<listitem><para>Numeric group id.</para></listitem>
|
|
<listitem><para>Full name or other description of
|
|
account.</para></listitem>
|
|
<listitem><para>Home directory.</para></listitem>
|
|
<listitem><para>Login shell (program to run at
|
|
login).</para></listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
The format is explained in more detail on the
|
|
<filename>passwd</filename> manual page. </para>
|
|
|
|
<para>
|
|
Most Linux systems use <glossterm>shadow passwords</glossterm>.
|
|
As mentioned, previously passwords were stored in the
|
|
<filename>/etc/passwd</filename> file. This newer method
|
|
of storing the password: the encrypted
|
|
password is stored in a separate file,
|
|
<filename>/etc/shadow</filename>,
|
|
which only root can read. The <filename>/etc/passwd</filename>
|
|
file only contains a special marker in the second field.
|
|
Any program that needs to verify a user is setuid, and
|
|
can therefore access the shadow password file. Normal
|
|
programs, which only use the other fields in the password
|
|
file, can't get at the password.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 id="uid-gid">
|
|
<title>Picking numeric user and group ids</title>
|
|
|
|
<para> On most systems it doesn't matter what the numeric user
|
|
and group ids are, but if you use the Network filesystem (NFS),
|
|
you need to have the same uid and gid on all systems. This
|
|
is because NFS also identifies users with the numeric uids.
|
|
If you aren't using NFS, you can let your account creation tool
|
|
pick them automatically. </para>
|
|
|
|
<para> If you are using NFS, you'll have to be invent a mechanism
|
|
for synchronizing account information. One alternative is to
|
|
the NIS system (see XXX network-admin-guide). </para>
|
|
|
|
<para> However, you should try to avoid re-using numeric uids
|
|
(and textual usernames), because the new owner of the uid (or
|
|
username) may get access to the old owner's files (or mail,
|
|
or whatever). </para>
|
|
|
|
</sect2>
|
|
|
|
<!--
|
|
%\subsection{Managing groups}
|
|
%
|
|
% \meta Debian creates a new group for each user; give reason for
|
|
this;
|
|
% give reasons against.
|
|
-->
|
|
|
|
<sect2 id="etc-skel">
|
|
<title>Initial environment: <filename>/etc/skel</filename></title>
|
|
|
|
<para> When the home directory for a new user is created, it is
|
|
initialized with files from the <filename>/etc/skel</filename>
|
|
directory. The system administrator can create files in
|
|
<filename>/etc/skel</filename> that will provide a nice
|
|
default environment for users. For example, he might create a
|
|
<filename>/etc/skel/.profile</filename> that sets the EDITOR
|
|
environment variable to some editor that is friendly towards
|
|
new users. </para>
|
|
|
|
<para> However, it is usually best to try to keep
|
|
<filename>/etc/skel</filename> as small as possible, since it
|
|
will be next to impossible to update existing users' files. For
|
|
example, if the name of the friendly editor changes, all existing
|
|
users would have to edit their <filename>.profile</filename>. The
|
|
system administrator could try to do it automatically, with a
|
|
script, but that is almost certain going to break someone's file.
|
|
</para>
|
|
|
|
<para> Whenever possible, it is better to put global configuration
|
|
into global files, such as <filename>/etc/profile</filename>. This
|
|
way it is possible to update it without breaking users'
|
|
own setups. </para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 id="manual-adduser">
|
|
<title>Creating a user by hand</title>
|
|
|
|
<para> To create a new account manually, follow these steps:
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem><para> Edit <filename>/etc/passwd</filename> with
|
|
<command>vipw</command> and add a new line for the new account. Be
|
|
careful with the syntax. <emphasis>Do not edit directly with an
|
|
editor!</emphasis> <command>vipw</command> locks the file, so
|
|
that other commands won't try to update it at the same time. You
|
|
should make the password field be `<literal>*</literal>', so
|
|
that it is impossible to log in. </para></listitem>
|
|
|
|
<listitem><para> Similarly, edit <filename>/etc/group</filename>
|
|
with <command>vigr</command>, if you need to create a new group
|
|
as well. </para></listitem>
|
|
|
|
<listitem><para> Create the home directory of the user with
|
|
<command>mkdir</command>. </para></listitem>
|
|
|
|
<listitem><para> Copy the files from
|
|
<filename>/etc/skel</filename> to the new home directory.
|
|
</para></listitem>
|
|
|
|
<listitem><para> Fix ownerships and permissions with
|
|
<command>chown</command> and <command>chmod</command>. The
|
|
<option>-R</option> option is most useful. The correct
|
|
permissions vary a little from one site to another, but usually
|
|
the following commands do the right thing:
|
|
|
|
<screen>
|
|
<userinput>cd /home/newusername
|
|
chown -R username.group .
|
|
chmod -R go=u,go-w .
|
|
chmod go= .</userinput>
|
|
</screen>
|
|
|
|
</para></listitem>
|
|
|
|
<listitem><para> Set the password with <command>passwd</command>.
|
|
</para></listitem>
|
|
|
|
</itemizedlist>
|
|
</para>
|
|
|
|
<para> After you set the password in the last step, the account
|
|
will work. You shouldn't set it until everything else has been
|
|
done, otherwise the user may inadvertently log in while you're
|
|
still copying the files. </para>
|
|
|
|
<para>
|
|
It is sometimes necessary to create dummy
|
|
accounts
|
|
that are not used by people. For example, to set up an anonymous
|
|
FTP server (so that anyone can download files from it, without
|
|
having to get an account first), you need to create an account
|
|
called ftp. In such cases, it is usually not necessary to set
|
|
the password (last step above). Indeed, it is better not to, so
|
|
that no-one can use the account, unless they first become root,
|
|
since root can become any user. </para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<!--
|
|
%\section{Educating a new user}
|
|
%
|
|
% \meta
|
|
% make sure they know how to get help
|
|
% large sites might want to write a small booklet (or even just
|
|
% a couple of pages) with important stuff: how to log in
|
|
% and out, how to change password, which systems there are,
|
|
% how to use mail, list of people that answer questions
|
|
-->
|
|
|
|
<sect1 id="user-properties">
|
|
<title>Changing user properties</title>
|
|
|
|
<para>
|
|
There are a few commands for changing various
|
|
properties of an account (i.e., the relevant field
|
|
in <filename>/etc/passwd</filename>):
|
|
|
|
<glosslist>
|
|
<glossentry><glossterm><command>chfn</command></glossterm>
|
|
<glossdef><para> Change the full name field.
|
|
</para></glossdef></glossentry>
|
|
<glossentry><glossterm><command>chsh</command></glossterm>
|
|
<glossdef><para> Change the login shell.
|
|
</para></glossdef></glossentry>
|
|
<glossentry><glossterm><command>passwd</command></glossterm>
|
|
<glossdef><para>Change the password.
|
|
</para></glossdef></glossentry>
|
|
</glosslist>
|
|
|
|
The super-user may use these commands to change the properties
|
|
of any account. Normal users can only change the properties
|
|
of their own account. It may sometimes be necessary to disable
|
|
these commands (with <command>chmod</command>) for normal users,
|
|
for example in an environment with many novice users. </para>
|
|
|
|
<para>
|
|
Other tasks need to be done by hand. For example, to
|
|
change the username, you need to edit
|
|
<filename>/etc/passwd</filename>
|
|
directly (with <command>vipw</command>, remember). Likewise, to add
|
|
or remove the user to more groups, you need to edit
|
|
<filename>/etc/group</filename> (with <command>vigr</command>). Such
|
|
tasks tend to
|
|
be rare, however, and should be done with caution: for
|
|
example, if
|
|
you change the username, e-mail will no longer reach the
|
|
user, unless you also create a mail alias.
|
|
</para>
|
|
|
|
</sect1>
|
|
|
|
<sect1 id="deluser">
|
|
<title>Removing a user</title>
|
|
|
|
<para> To remove a user, you first remove all
|
|
his files, mailboxes, mail aliases, print jobs,
|
|
<command>cron</command> and <command>at</command> jobs,
|
|
and all other references to the user. Then you remove the
|
|
relevant lines from <filename>/etc/passwd</filename> and
|
|
<filename>/etc/group</filename> (remember to remove the username
|
|
from all groups it's been added to). It may be a good idea to
|
|
first disable the account (see below), before you start removing
|
|
stuff, to prevent the user from using the account while it is
|
|
being removed. </para>
|
|
|
|
<para>
|
|
Remember that users may have files outside their home
|
|
directory. The <command>find</command> command can find them:
|
|
|
|
<screen>
|
|
find / -user username
|
|
</screen>
|
|
|
|
However, note that the above command will take a
|
|
<emphasis>long</emphasis> time, if you have large disks. If you
|
|
mount network disks, you need to be careful so that you won't
|
|
trash the network or the server. </para>
|
|
|
|
<para> Some Linux distributions come with special
|
|
commands to do this; look for <command>deluser</command> or
|
|
<command>userdel</command>. However, it is easy to do it by
|
|
hand as well, and the commands might not do everything. </para>
|
|
|
|
</sect1>
|
|
|
|
<sect1 id="disable-user">
|
|
<title>Disabling a user temporarily</title>
|
|
|
|
<para> It is sometimes necessary to temporarily disable an
|
|
account, without removing it. For example, the user might not
|
|
have paid his fees, or the system administrator may suspect that
|
|
a cracker has got the password of that account. </para>
|
|
|
|
<para> The best way to disable an account is to change its shell
|
|
into a special program that just prints a message. This way,
|
|
whoever tries to log into the account, will fail, and will
|
|
know why. The message can tell the user to contact the system
|
|
administrator so that any problems may be dealt with. </para>
|
|
|
|
<para>
|
|
It would also be possible to change the username
|
|
or password to something else, but then the user
|
|
won't know what is going on. Confused users mean more
|
|
work.
|
|
</para>
|
|
|
|
<para> A simple way to create the special programs is to write
|
|
`tail scripts':
|
|
|
|
<screen>
|
|
#!/usr/bin/tail +2
|
|
This account has been closed due to a security breach.
|
|
Please call 555-1234 and wait for the men in black to arrive.
|
|
</screen>
|
|
|
|
The first two characters (`<literal>#!</literal>') tell the
|
|
kernel that the rest of the line is a command that needs to be
|
|
run to interpret this file. The <command>tail</command> command
|
|
in this case outputs everything except the first line to the
|
|
standard output. </para>
|
|
|
|
<para>
|
|
If user billg is suspected of a security breach,
|
|
the system administrator would do something like this:
|
|
|
|
<screen>
|
|
<prompt>#</prompt> <userinput>chsh -s
|
|
/usr/local/lib/no-login/security billg</userinput>
|
|
<prompt>#</prompt> <userinput>su - tester</userinput>
|
|
This account has been closed due to a security breach.
|
|
Please call 555-1234 and wait for the men in black to arrive.
|
|
<prompt>#</prompt>
|
|
</screen>
|
|
|
|
The purpose of the <command>su</command> is to test that the
|
|
change worked, of course. </para>
|
|
|
|
<para> Tail scripts should be kept in a separate directory,
|
|
so that their names don't interfere with normal user commands.
|
|
</para>
|
|
|
|
</sect1>
|
|
|
|
<!--
|
|
%\section{Accounting}
|
|
%
|
|
% \meta
|
|
% sac et al
|
|
-->
|
|
|
|
</chapter>
|