FSU CNT 4603 - Mainstays of Management: People and Data

This preview shows page 1-2-3-4-29-30-31-32-33-60-61-62-63 out of 63 pages.


CNT 4603, Summer 2009

Mainstays of management: people and data

Managing users and data are two of the most important categories of system administration duties. We will look at what it means to add and remove both people and data.

Adding local users: Unix/Linux

+ Straightforward, but tedious

Adding local users: Unix

- A number of C library calls (getpwent(), etc.) exist to access entries in the password file (/etc/passwd). Many UNIX commands depend on the file being available, readable, with the proper format.
- Create an entry in /etc/passwd, selecting a unique login name, unique UID, appropriate GID, unique home directory and appropriate shell.
- Older Unix/Linux systems limited usernames to 8 characters – newer ones often don’t, but some tools still only show 8 characters. For instance, look at the difference in w and who output for long usernames:

    $ w
    06:44:59 up 2 days, 1:45, 6 users, load average: 0.00, 0.00, 0.05
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    testtest tty2 - 06:41 2:41 0.00s 0.00s -bash
    testtest tty3 - 06:42 1:57 0.00s 0.00s -bash
    $ who
    testtest01 tty2 2008-06-04 06:41
    testtest02 tty3 2008-06-04 06:42
    [fsucs@acer1 Slides]$

- The password file requires 7 “:” separated fields:
- Name:Password (encrypted):UID:GID:GECOS:HomeDirectory:Shell
- Example:

    user1:f9cPz5ilB5N0o:501:501:USER1:/home/faculty/user1:/bin/tcsh

Adding users: Unix

+ Some UNIXes provide vipw, which will lock out others from editing the /etc/passwd file simultaneously and may also include some syntax checking, just like visudo

Unix users: grouping them

+ Make sure the group in /etc/passwd exists in /etc/group, which has the format:
+ groupname:password:gid:user-list
- groupname is the name of the group.
- gid is the group’s numerical ID within the system; it must be unique.
- user-list is a comma-separated list of users allowed in the group (used for multiple-group memberships by an individual).
+ Example

    root:x:0:root
    bin:x:1:root,bin,daemon
    daemon:x:2:root,bin,daemon
    sys:x:3:root,bin,adm
    adm:x:4:root,adm,daemon
    tty:x:5:
    disk:x:6:root
    lp:x:7:daemon,lp
    mem:x:8:
    kmem:x:9:
    wheel:x:10:root

Unix/Linux: making user accounts

+ Give the user a password: passwd username (as root)
+ Edit their disk quota (if disk quotas are in use) via edquota. Type edquota -p protouser username. (How do users see their current quota usage? quota -v)
+ (NOTE: Not all UNIXes support disk quotas!)
+ Make sure the home directory exists and has the right permissions and that the appropriate default startup files are installed in the home directory (.login, .cshrc, .Xdefaults, etc.):
+ Then do something like these:

    mkdir /home/faculty/user1
    cp /etc/skel/.[A-Za-z]* /home/faculty/user1
    chmod 700 /home/faculty/user1
    chown -R user1:user1 /home/faculty/user1
    [ OR, IF YOU DON’T HAVE THE ’:’ SYNTAX ]
    chown -R user1 /home/faculty/user1
    chgrp -R user1 /home/faculty/user1

You can do these steps manually, use a vendor-supplied script/program, or write your own.

+ OpenSolaris: useradd, usermod, userdel
+ FreeBSD: adduser
+ Linux: adduser
+ Linux: useradd

Also, there are often GUIs, or you can use webmin.

Unix/Linux: shadow password files

Most Unix/Linux distributions now use a “shadow” password file in addition to the main password file – a shadow password file moves the encrypted password out of the publicly-readable /etc/passwd file and into a root-accessible-only file. Why is this a good idea? See “John the Ripper” or “Ophcrack” – any hacker can try to systematically guess passwords with such programs.

Also allows for creation of new fields to support password rules, password aging, etc. Examples:

+ OpenSolaris: /etc/shadow (See “man shadow”)
+ FreeBSD: /etc/master.passwd (See “man passwd”)
+ Redhat/CentOS: /etc/shadow (See “man shadow”)

Unix/Linux: removing users

Removing Unix/Linux users – you can just undo the steps above!

However, it can be problematic to find all files owned by the user, if you gave them access to directories outside of their home directory.

+ Or, find / -user USERNAME -print – but that only works as long as the username is still in the password file. Otherwise, you need to use find / -uid UID -print
+ Don’t forget their unread mailbox, often something like (/var/spool/mail/username)
+ Don’t forget any other system files that might have their name (e.g., /etc/aliases.)

You usually will want to archive (or otherwise preserve) the user data.

Unix/Linux: disabling user accounts

The easiest is usually to disable their login shell:

    user1:x:501:501:USER1:/home/user1:/sbin/nologin
    user2:x:502:502:USER2:/home/user2:/bin/false

You can put text into /etc/nologin.txt to modify the message from the nologin program, but it isn’t customizable per user.

Unix/Linux /etc/shells

/etc/shells keeps a list of trusted shells users can change to via “chsh”. /etc/shells is also consulted by other programs to make sure that a shell is a “legitimate” one for that system; in the past, even sendmail used to consult this file.

In general, this file is becoming much less used than it was in the past. Here’s a current Fedora /etc/shells, which is very minimalistic:

    $ cat /etc/shells
    /bin/sh
    /bin/bash
    /sbin/nologin

/bin/passwd binary

1. Require a reasonable choice of password.
2. Have a central password server where all must connect.

treating /etc/passwd as a critical file

1. On a busy machine, you might create a cron script to make backups, something like:

    cp /saved/passwd.1 /saved/passwd.2
    cp /saved/passwd.0 /saved/passwd.1
    cp /etc/passwd /saved/passwd.0

2. A rare but serious problem is having the “root” file system fill up and the password file getting truncated to a zero-length file. What is the
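
The rules the slides give for /etc/passwd (7 fields, unique login name, UID and home directory, a GID that exists in /etc/group, a shell listed in /etc/shells, no hash left in the world-readable file, and the zero-length-file failure) can be checked mechanically. The Python below is an added example, not part of the original slides; the sample data is constructed around the slides' own entries, and reading "x", "*" and a leading "!" as "no hash in this file" is an assumption.

```python
# Added example (not from the slides). All sample data is constructed.
SHELLS = "/bin/sh\n/bin/bash\n/sbin/nologin\n"  # the Fedora list quoted above
GROUP = "root:x:0:root\nwheel:x:10:root\nuser1:x:501:\n"
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "user1:f9cPz5ilB5N0o:501:501:USER1:/home/faculty/user1:/bin/tcsh\n"
    "user2:x:502:502:USER2:/home/user2:/bin/false\n"
    "user3:x:501:10:USER3:/home/user3:/bin/bash\n"
    "broken:x:503:10:/home/broken\n"
)

def audit_passwd(passwd_text, group_text, shells_text):
    """Return (line_number, problem) findings for passwd-format text."""
    if not passwd_text.strip():
        return [(0, "password file is empty or truncated")]
    gids = {int(f[2]) for f in (l.split(":") for l in group_text.splitlines())
            if len(f) == 4 and f[2].isdigit()}
    shells = {s.strip() for s in shells_text.splitlines() if s.startswith("/")}
    seen = {"login name": {}, "UID": {}, "home directory": {}}
    findings = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            findings.append((n, f"malformed entry ({len(fields)} fields; "
                                "need 7 with numeric UID and GID)"))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        uid, gid = int(uid), int(gid)
        for label, value in (("login name", name), ("UID", uid),
                             ("home directory", home)):
            first = seen[label].setdefault(value, n)
            if first != n:
                findings.append((n, f"duplicate {label} {value}, first on line {first}"))
        if gid not in gids:
            findings.append((n, f"GID {gid} missing from group file"))
        if shell not in shells:
            findings.append((n, f"shell {shell} not listed in shells file"))
        # Assumption: "x" means the hash lives in the shadow file; "*" and a
        # leading "!" mark an account with no usable password.
        if pw == "":
            findings.append((n, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((n, "password hash stored in passwd, not shadow"))
    return findings

if __name__ == "__main__":
    for lineno, problem in audit_passwd(PASSWD, GROUP, SHELLS):
        print(f"passwd line {lineno}: {problem}")
```

Against the real files, pass the contents of /etc/passwd, /etc/group and /etc/shells; accounts disabled with /bin/false will show up under the shells check when that shell is not listed.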

