| |
Rute User's Tutorial and Exposition. 11. User Accounts and Ownerships
Next: 12. Using Internet Services
Up: rute
Previous: 10. Mail
Contents
Subsections
UNIX intrinsically supports
multiple users. Each user has a personal home directory
/home/<username> in which the user's files are stored,
hidden from other users.
So far you may have been using the machine as the
root
user, who is the system administrator and has complete access to
every file on the system.
The
root is also called the superuser.
The home directory of the
root user is
/root. Note that there is
an ambiguity here: the root directory is the topmost directory,
known as the
/ directory. The
root user's home
directory is
/root and is called the home
directory of
root.
Other than the superuser, every other user has limited access to
files and directories. Always use your machine as a normal user.
Log in as
root only to do system administration. This practice
will save you from the destructive power that the
root
user has. In this chapter we show how to manually and automatically
create new users.
Users are also divided into sets, called groups. A user
can belong to several groups and there can be as many groups on
the system as you like. Each group is defined by a list of users
that are part of that set. In addition, each user may have a group of
the same name (as the user's login name), to which only that user belongs.
Each file on a system is owned by a particular user and
also owned by a particular group. When you run
ls -al, you can see the user that owns the file in the third
column and the group that owns the file in the fourth column
(these will often be identical, indicating that the file's group
is a group to which only the user belongs). To change the
ownership of the file, simply use the
chown, change ownerships, command as follows.
|
chown <user>[:<group>] <filename>
|
The only place in the whole system where a user name is registered is
in this file. [Exceptions to this rule are several distributed
authentication schemes and the Samba package, but you needn't worry
about these for now.] Once a user is added to this file, that user is said
to exist on the system. If you thought that user
accounts were stored in some unreachable dark corner, then this should
dispel that idea. This is also known as the password file to
administrators. View this file with
less:
5
10
15
|
root:x:0:0:Paul Sheer:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
alias:x:501:501::/var/qmail/alias:/bin/bash
paul:x:509:510:Paul Sheer:/home/paul:/bin/bash
jack:x:511:512:Jack Robbins:/home/jack:/bin/bash
silvia:x:511:512:Silvia Smith:/home/silvia:/bin/bash
|
Above is an extract of my own password file. Each user is stored
on a separate line. Many of these are not human login
accounts but are used by other programs.
Each line contains seven fields separated by colons. The
account for
jack looks like this:
-
jack
- The user's login name. It should be composed of
lowercase letters and numbers.
Other characters are allowed, but
are not preferable. In particular, there should never be two
user names that differ only by their capitalization.
-
x
- The user's encrypted password. An
x in this field indicates that it
is stored in a separate file,
/etc/shadow. This shadow password
file is a later addition to UNIX systems. It contains additional information about the
user.
-
511
- The user's user identification number, UID. [This is used by programs as a short alternative to the user's login name. In fact, internally, the login name is never used, only the UID.]
-
512
- The user's group identification number, GID. [Similarly applies to the GID. Groups will be discussed later.]
-
Jack Robbins
- The user's full name. [Few programs ever make use of this field.]
-
/home/jack
- The user's home directory. The
HOME environment variable will
be set to this when the user logs in.
-
/bin/bash
- The shell to start when the user logs in.
The problem with traditional
passwd files is that they
had to be world readable [Everyone on the system
can read the file.] in order for programs to extract information,
such as the user's full name, about the user. This means that
everyone can see the encrypted password in the second field.
Anyone can copy any other user's password field and then try
billions of different passwords to see if they match. If you
have a hundred users on the system, there are bound to be several
that chose passwords that matched some word in the dictionary. The
so-called dictionary attack will simply try all 80,000
common English words until a match is found. If you think you are
clever to add a number in front of an easy-to-guess dictionary
word, password cracking algorithms know about these as
well. [And about every other trick you can think of.] To
solve this problem the
shadow password file was
invented. The shadow password file is used only for
authentication [Verifying that the user is the genuine owner of the account.]and is not world readable--there is no
information in the shadow password file that a common program
will ever need--no regular user has permission to see the
encrypted password field. The fields are colon separated just
like the
passwd file.
Here is an example line from a
/etc/shadow file:
|
jack:Q,Jpl.or6u2e7:10795:0:99999:7:-1:-1:134537220
|
-
jack
- The user's login name.
-
Q,Jpl.or6u2e7
- The user's encrypted password known
as the hash of the password. This is the user's 8-character
password with a one-way hash function applied
to it. It is simply a mathematical algorithm applied to the
password that is known to produce a unique result for each
password. To demonstrate: the (rather poor) password
Loghimin hashes to
:lZ1F.0VSRRucs: in the
shadow file. An almost identical password
loghimin gives
a completely different hash
:CavHIpD1W.cmg:.
Hence, trying to guess the password from the hash
can only be done by trying every possible password. Such
a brute force attack is
therefore considered computationally expensive but not impossible.
To check if an entered password matches, just apply the
identical mathematical algorithm to it: if it matches, then the
password is correct. This is how the login command works.
Sometimes you will see a
* in place of a hashed password.
This means that the account has been disabled.
-
10795
- Days since January 1, 1970, that the
password was last changed.
-
0
- Days before which password may not be changed.
Usually zero. This field is not often used.
-
99999
- Days after which password must be changed.
This is also rarely used, and will be set to 99999 by default.
-
7
- Days before password is to expire that user is
warned of pending password expiration.
-
-1
- Days after password expires that account is
considered inactive and disabled.
-1 is used to
indicate infinity--that is, to mean we are effectively not using this
feature.
-
-1
- Days since January 1, 1970, when
account will be disabled.
-
134537220
- Flag reserved for future use.
On a UNIX system you may want to give a number of users the same
access rights. For instance, you may have five users that should be
allowed to access some privileged file and another ten users that are
allowed to run a certain program. You can group these
users into, for example, two groups
previl and
wproc
and then make the relevant file and directories owned by that group
with, say,
|
chown root:previl /home/somefile
chown root:wproc /usr/lib/wproc
|
Permissions [Explained later.] dictate the
kind of access, but for the meantime, the file/directory must
at least be owned by that group.
The
/etc/group file is also colon separated. A line might look like this:
|
wproc:x:524:jack,mary,henry,arthur,sue,lester,fred,sally
|
- wproc
- The name of the group. There should really also be a user of this name as well.
- x
- The group's password. This field is usually set with an
x and is not used.
- 524
- The GID group ID. This must be unique in the group's file.
- jack,mary,henry,arthur,sue,lester,fred,sally
- The list of users that belong
to the group. This must be comma separated with no spaces.
You can obviously study the
group file to find out which
groups a user belongs to, [That is, not ``which users does a group consist of?''
which is easy to see at a glance.] but
when there are a lot of groups, it can be tedious to scan through
the entire file. The
groups command prints out this
information.
The following steps are required to create a user account:
-
/etc/passwd entry
- To create an entry in this file, simply edit it and
copy an existing line. [When editing configuration files,
never write out a line from scratch if it has some kind of
special format. Always copy an existing entry that has proved
itself to be correct, and then edit in the appropriate changes.
This will prevent you from making errors.] Always add users from
the bottom and try to preserve the ``pattern'' of the file--that is,
if you see numbers increasing, make yours fit in; if you
are adding a normal user, add it after the existing lines of
normal users. Each user must have a unique UID and should usually have
a unique GID. So if you are adding a line to the end of the
file, make your new UID and GID the same as the last line but
incremented by 1.
-
/etc/shadow entry
- Create a new shadow password entry.
At this stage you do not know what the hash is, so just make it
a
*. You can set the password with the
passwd command later.
-
/etc/group entry
- Create a new group entry for the user's group.
Make sure the number in the group entry matches that in the
passwd file.
-
/etc/skel
- This directory contains a template home directory
for the user. Copy the entire directory and all its contents
into
/home directory, renaming it to the name of the
user. In the case of our
jack example, you should have
a directory
/home/jack.
- Home directory ownerships
- You need to now change the
ownerships of the home directory to match the user. The command
chown -R jack:jack /home/jack will accomplish this change.
- Setting the password
- Use
passwd <username> to
set the user's password.
The above process is tedious. The commands that perform all
these updates automatically are
useradd,
userdel, and
usermod. The man pages
explain the use of these commands in detail. Note that different
flavors of UNIX have different commands to do this. Some may
even have graphical programs or web interfaces to assist in
creating users.
In addition, the commands
groupadd,
groupdel, and
groupmod do the same with
respect to groups.
It is possible to switch from one user to another, as well as view your
login status and the status of other users. Logging in also follows
a silent procedure which is important to understand.
A user most often gains access to the system through the
login program. This program looks up the UID
and GID from the
passwd and
group file
and authenticates the user.
The following is quoted from the
login man page, and
explains this procedure in detail:
login is used when signing onto a system. It can also
be used to switch from one user to another at any time (most
modern shells have support for this feature built into them,
however).
If an argument is not given, login prompts for the
username.
If the user is not root, and if /etc/nologin
exists, the contents of this file are printed to the screen,
and the login is terminated. This is typically used to
prevent logins when the system is being taken down.
If special access restrictions are specified for the user in
/etc/usertty, these must be met, or the login attempt
will be denied and a syslog [System error
log program--
syslog writes all system messages to the file
/var/log/messages.] message will be generated. See the
section on "Special Access Restrictions."
If the user is
root, then the login must be occuring on a tty
listed in /etc/securetty. [If this file is not
present, then root logins will be allowed from anywhere. It is
worth deleting this file if your machine is protected by a
firewall and you would like to easily login from another machine
on your LAN.
If
/etc/securetty is present, then logins
are only allowed from the terminals it lists.] Failures will
be logged with the syslog facility.
After these conditions have been checked, the password will be
requested and checked (if a password is required for this
username). Ten attempts are allowed before login dies, but
after the first three, the response starts to get very slow.
Login failures are reported via the syslog facility. This
facility is also used to report any successful root logins.
If the file .hushlogin exists, then a "quiet" login
is performed (this disables the checking of
mail and the printing of the last login time and message of
the day). Otherwise, if /var/log/lastlog exists, the
last login time is printed (and the current login is
recorded).
Random administrative things, such as setting the UID and GID
of the tty are performed. The TERM environment variable is
preserved, if it exists (other environment variables are
preserved if the -p option is used). Then the HOME,
PATH, SHELL, TERM,
MAIL, and LOGNAME environment variables
are set. PATH defaults to
/usr/local/bin:/bin:/usr/bin:
. [Note that the
. --the current directory--is listed in the
PATH. This is only the default
PATH however.] for normal users, and to
/sbin:/bin:/usr/sbin:/usr/bin for root. Last, if this is
not a "quiet" login, the message of the day is printed and
the file with the user's name in /usr/spool/mail will be
checked, and a message printed if it has non-zero length.
The user's shell is then started. If no shell is specified
for the user in /etc/passwd, then /bin/sh is
used. If there is no directory specified in /etc/passwd,
then / is used (the home directory is checked for the
.hushlogin file described above).
To temporarily become another user, you can use the
su
program:
This command prompts you for a password (unless you are the root user
to begin with). It does nothing more than change the
current user to have the access rights of
jack. Most
environment variables will remain the same. The
HOME,
LOGNAME, and
USER environment variables will be
set to
jack, but all other environment variables will
be inherited.
su is, therefore, not the same as a
normal login.
To get the equivalent of a login with
su, run
This will cause all initialization scripts (that are normally run
when the user logs in) to be executed. [What actually
happens is that the subsequent shell is started with a
- in front of the zero'th argument. This makes the shell read the
user's personal profile. The
login command also does this.] Hence, after running
su with the
- option, you logged in as if with the
login command.
who and
w print a list of users logged in to the
system, as well as their CPU consumption and other statistics.
who --help gives:
5
10
15
|
Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
-H, --heading print line of column headings
-i, -u, --idle add user idle time as HOURS:MINUTES, . or old
-m only hostname and user associated with stdin
-q, --count all login names and number of users logged on
-s (ignored)
-T, -w, --mesg add user's message status as +, - or ?
--message same as -T
--writable same as -T
--help display this help and exit
--version output version information and exit
If FILE is not specified, use /var/run/utmp. /var/log/wtmp as FILE is common.
If ARG1 ARG2 given, -m presumed: `am i' or `mom likes' are usual.
|
A little more information can be gathered from the
info
pages for this command. The idle time indicates how long since
the user has last pressed a key. Most often, one just types
who -Hiw.
w is similar. An extract of the
w man page says:
w displays information about the users currently on
the machine, and their processes. The header shows, in this
order, the current time, how long the system has been
running, how many users are currently logged on, and the
system load averages for the past 1, 5, and 15 minutes.
The following entries are displayed for each user: login name,
the tty name, the remote host, login time, idle time, JCPU,
PCPU, and the command line of their current process.
The JCPU time is the time used by all processes attached to
the tty. It does not include past background jobs, but does
include currently running background jobs.
The PCPU time is the time used by the current process, named in
the "what" field.
Finally, from a shell script the
users command is useful
for just seeing who is logged in. You can use in a shell script, for example:
|
for user in `users` ; do
<etc>
done
|
id prints your real and effective UID and
GID. A user normally has a UID and a GID but may also have
an effective UID and GID as well. The real UID and GID are what
a process will generally think you are logged in as. The
effective UID and GID are the actual access permissions that you
have when trying to read, write, and execute files.
There is a file
/etc/security/limits.conf that stipulates the
limitations on CPU usage, process consumption, and other resources
on a per-user basis. The documentation for this config file is
contained in
/usr/[share/]doc/pam-<version>/txts/README.pam_limits.
Next: 12. Using Internet Services
Up: rute
Previous: 10. Mail
Contents
|
|
