Библиотека сайта rus-linux.net
|Purchase||Copyright © 2002 Paul Sheer. Click here for copying permissions.||Home|
Next: 12. Using Internet Services Up: rute Previous: 10. Mail   Contents
- 11.1 File Ownerships
- 11.2 The Password File
- 11.3 Shadow Password File:
- 11.4 The
- 11.5 Manually Creating a User Account
- 11.6 Automatically:
- 11.7 User Logins
UNIX intrinsically supports
multiple users. Each user has a personal home directory
/home/<username> in which the user's files are stored,
hidden from other users.
So far you may have been using the machine as the
user, who is the system administrator and has complete access to
every file on the system.
root is also called the superuser.
The home directory of the
root user is
/root. Note that there is
an ambiguity here: the root directory is the topmost directory,
known as the
/ directory. The
root user's home
/root and is called the home
Other than the superuser, every other user has limited access to
files and directories. Always use your machine as a normal user.
Log in as
root only to do system administration. This practice
will save you from the destructive power that the
user has. In this chapter we show how to manually and automatically
create new users.
Users are also divided into sets, called groups. A user can belong to several groups and there can be as many groups on the system as you like. Each group is defined by a list of users that are part of that set. In addition, each user may have a group of the same name (as the user's login name), to which only that user belongs.
Each file on a system is owned by a particular user and
also owned by a particular group. When you run
ls -al, you can see the user that owns the file in the third
column and the group that owns the file in the fourth column
(these will often be identical, indicating that the file's group
is a group to which only the user belongs). To change the
ownership of the file, simply use the
chown, change ownerships, command as follows.
The only place in the whole system where a user name is registered is
in this file. [Exceptions to this rule are several distributed
authentication schemes and the Samba package, but you needn't worry
about these for now.] Once a user is added to this file, that user is said
to exist on the system. If you thought that user
accounts were stored in some unreachable dark corner, then this should
dispel that idea. This is also known as the password file to
administrators. View this file with
Above is an extract of my own password file. Each user is stored on a separate line. Many of these are not human login accounts but are used by other programs.
Each line contains seven fields separated by colons. The
jack looks like this:
- The user's login name. It should be composed of lowercase letters and numbers. Other characters are allowed, but are not preferable. In particular, there should never be two user names that differ only by their capitalization.
- The user's encrypted password. An
xin this field indicates that it is stored in a separate file,
/etc/shadow. This shadow password file is a later addition to UNIX systems. It contains additional information about the user.
- The user's user identification number, UID. [This is used by programs as a short alternative to the user's login name. In fact, internally, the login name is never used, only the UID.]
- The user's group identification number, GID. [Similarly applies to the GID. Groups will be discussed later.]
- The user's full name. [Few programs ever make use of this field.]
- The user's home directory. The
HOMEenvironment variable will be set to this when the user logs in.
- The shell to start when the user logs in.
The problem with traditional
passwd files is that they
had to be world readable [Everyone on the system
can read the file.] in order for programs to extract information,
such as the user's full name, about the user. This means that
everyone can see the encrypted password in the second field.
Anyone can copy any other user's password field and then try
billions of different passwords to see if they match. If you
have a hundred users on the system, there are bound to be several
that chose passwords that matched some word in the dictionary. The
so-called dictionary attack will simply try all 80,000
common English words until a match is found. If you think you are
clever to add a number in front of an easy-to-guess dictionary
word, password cracking algorithms know about these as
well. [And about every other trick you can think of.] To
solve this problem the
shadow password file was
invented. The shadow password file is used only for
authentication [Verifying that the user is the genuine owner of the account.]and is not world readable--there is no
information in the shadow password file that a common program
will ever need--no regular user has permission to see the
encrypted password field. The fields are colon separated just
Here is an example line from a
- The user's login name.
- The user's encrypted password known
as the hash of the password. This is the user's 8-character
password with a one-way hash function applied
to it. It is simply a mathematical algorithm applied to the
password that is known to produce a unique result for each
password. To demonstrate: the (rather poor) password
:lZ1F.0VSRRucs:in the shadow file. An almost identical password
loghimingives a completely different hash
:CavHIpD1W.cmg:. Hence, trying to guess the password from the hash can only be done by trying every possible password. Such a brute force attack is therefore considered computationally expensive but not impossible. To check if an entered password matches, just apply the identical mathematical algorithm to it: if it matches, then the password is correct. This is how the login command works. Sometimes you will see a
*in place of a hashed password. This means that the account has been disabled.
- Days since January 1, 1970, that the password was last changed.
- Days before which password may not be changed. Usually zero. This field is not often used.
- Days after which password must be changed. This is also rarely used, and will be set to 99999 by default.
- Days before password is to expire that user is warned of pending password expiration.
- Days after password expires that account is
considered inactive and disabled.
-1is used to indicate infinity--that is, to mean we are effectively not using this feature.
- Days since January 1, 1970, when account will be disabled.
- Flag reserved for future use.
On a UNIX system you may want to give a number of users the same
access rights. For instance, you may have five users that should be
allowed to access some privileged file and another ten users that are
allowed to run a certain program. You can group these
users into, for example, two groups
and then make the relevant file and directories owned by that group
Permissions [Explained later.] dictate the kind of access, but for the meantime, the file/directory must at least be owned by that group.
/etc/group file is also colon separated. A line might look like this:
- The name of the group. There should really also be a user of this name as well.
- The group's password. This field is usually set with an
xand is not used.
- The GID group ID. This must be unique in the group's file.
- The list of users that belong to the group. This must be comma separated with no spaces.
You can obviously study the
group file to find out which
groups a user belongs to, [That is, not ``which users does a group consist of?''
which is easy to see at a glance.] but
when there are a lot of groups, it can be tedious to scan through
the entire file. The
groups command prints out this
The following steps are required to create a user account:
- To create an entry in this file, simply edit it and copy an existing line. [When editing configuration files, never write out a line from scratch if it has some kind of special format. Always copy an existing entry that has proved itself to be correct, and then edit in the appropriate changes. This will prevent you from making errors.] Always add users from the bottom and try to preserve the ``pattern'' of the file--that is, if you see numbers increasing, make yours fit in; if you are adding a normal user, add it after the existing lines of normal users. Each user must have a unique UID and should usually have a unique GID. So if you are adding a line to the end of the file, make your new UID and GID the same as the last line but incremented by 1.
- Create a new shadow password entry.
At this stage you do not know what the hash is, so just make it
*. You can set the password with the
- Create a new group entry for the user's group.
Make sure the number in the group entry matches that in the
- This directory contains a template home directory
for the user. Copy the entire directory and all its contents
/homedirectory, renaming it to the name of the user. In the case of our
jackexample, you should have a directory
- Home directory ownerships
- You need to now change the
ownerships of the home directory to match the user. The command
chown -R jack:jack /home/jackwill accomplish this change.
- Setting the password
passwd <username>to set the user's password.
The above process is tedious. The commands that perform all
these updates automatically are
usermod. The man pages
explain the use of these commands in detail. Note that different
flavors of UNIX have different commands to do this. Some may
even have graphical programs or web interfaces to assist in
In addition, the commands
groupmod do the same with
respect to groups.
It is possible to switch from one user to another, as well as view your login status and the status of other users. Logging in also follows a silent procedure which is important to understand.
A user most often gains access to the system through the
login program. This program looks up the UID
and GID from the
and authenticates the user.
The following is quoted from the
login man page, and
explains this procedure in detail:
login is used when signing onto a system. It can also be used to switch from one user to another at any time (most modern shells have support for this feature built into them, however).
If an argument is not given, login prompts for the username.
If the user is not root, and if /etc/nologin exists, the contents of this file are printed to the screen, and the login is terminated. This is typically used to prevent logins when the system is being taken down.
If special access restrictions are specified for the user in /etc/usertty, these must be met, or the login attempt will be denied and a syslog [System error log program--
syslogwrites all system messages to the file
/var/log/messages.] message will be generated. See the section on "Special Access Restrictions."
If the user is
root, then the login must be occuring on a tty listed in /etc/securetty. [If this file is not present, then root logins will be allowed from anywhere. It is worth deleting this file if your machine is protected by a firewall and you would like to easily login from another machine on your LAN. If
/etc/securettyis present, then logins are only allowed from the terminals it lists.] Failures will be logged with the syslog facility.
After these conditions have been checked, the password will be requested and checked (if a password is required for this username). Ten attempts are allowed before login dies, but after the first three, the response starts to get very slow. Login failures are reported via the syslog facility. This facility is also used to report any successful root logins.
If the file .hushlogin exists, then a "quiet" login is performed (this disables the checking of mail and the printing of the last login time and message of the day). Otherwise, if /var/log/lastlog exists, the last login time is printed (and the current login is recorded).
Random administrative things, such as setting the UID and GID of the tty are performed. The TERM environment variable is preserved, if it exists (other environment variables are preserved if the -p option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment variables are set. PATH defaults to /usr/local/bin:/bin:/usr/bin:
.[Note that the
.--the current directory--is listed in the
PATH. This is only the default
PATHhowever.] for normal users, and to /sbin:/bin:/usr/sbin:/usr/bin for root. Last, if this is not a "quiet" login, the message of the day is printed and the file with the user's name in /usr/spool/mail will be checked, and a message printed if it has non-zero length.
The user's shell is then started. If no shell is specified for the user in /etc/passwd, then /bin/sh is used. If there is no directory specified in /etc/passwd, then / is used (the home directory is checked for the .hushlogin file described above).
To temporarily become another user, you can use the
This command prompts you for a password (unless you are the root user
to begin with). It does nothing more than change the
current user to have the access rights of
environment variables will remain the same. The
USER environment variables will be
jack, but all other environment variables will
su is, therefore, not the same as a
To get the equivalent of a login with
This will cause all initialization scripts (that are normally run
when the user logs in) to be executed. [What actually
happens is that the subsequent shell is started with a
- in front of the zero'th argument. This makes the shell read the
user's personal profile. The
login command also does this.] Hence, after running
su with the
- option, you logged in as if with the
w print a list of users logged in to the
system, as well as their CPU consumption and other statistics.
who --help gives:
A little more information can be gathered from the
pages for this command. The idle time indicates how long since
the user has last pressed a key. Most often, one just types
w is similar. An extract of the
w man page says:
wdisplays information about the users currently on the machine, and their processes. The header shows, in this order, the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.
The following entries are displayed for each user: login name, the tty name, the remote host, login time, idle time, JCPU, PCPU, and the command line of their current process.
The JCPU time is the time used by all processes attached to the tty. It does not include past background jobs, but does include currently running background jobs.
The PCPU time is the time used by the current process, named in the "what" field.
Finally, from a shell script the
users command is useful
for just seeing who is logged in. You can use in a shell script, for example:
id prints your real and effective UID and
GID. A user normally has a UID and a GID but may also have
an effective UID and GID as well. The real UID and GID are what
a process will generally think you are logged in as. The
effective UID and GID are the actual access permissions that you
have when trying to read, write, and execute files.
There is a file
/etc/security/limits.conf that stipulates the
limitations on CPU usage, process consumption, and other resources
on a per-user basis. The documentation for this config file is
Next: 12. Using Internet Services Up: rute Previous: 10. Mail   Contents