FSU CNT 4603 - Lecture Notes: Adding users
CNT 4603, Spring 2009

Adding users: Unix/Linux

+ Straightforward, but tedious (Chapter 6 in USAH)

Adding users: Unix

- A number of C library calls (getpwent(), etc.) exist to access entries in the password file (/etc/passwd). Many UNIX commands depend on the file being available, readable, and in the proper format.
- Create an entry in /etc/passwd, selecting a unique login name, unique UID, appropriate GID, unique home directory and appropriate shell.
- Older Unix/Linux systems limited usernames to 8 characters; newer ones often don't, but some tools still only show 8 characters. For instance, look at the difference in w and who output for long usernames:

    $ w
    06:44:59 up 2 days, 1:45, 6 users, load average: 0.00, 0.00, 0.05
    USER       TTY   FROM   LOGIN@   IDLE   JCPU    PCPU   WHAT
    testtest   tty2  -      06:41    2:41   0.00s   0.00s  -bash
    testtest   tty3  -      06:42    1:57   0.00s   0.00s  -bash
    $ who
    testtest01 tty2  2008-06-04 06:41
    testtest02 tty3  2008-06-04 06:42
    [fsucs@acer1 Slides]$

- The password file requires 7 ":"-separated fields:

    Name:Password (encrypted):UID:GID:GECOS:HomeDirectory:Shell

- Example:

    user1:f9cPz5ilB5N0o:501:501:USER1:/home/faculty/user1:/bin/tcsh

+ Some UNIXes (BSD) provide vipw, which will lock out others from editing the /etc/passwd file simultaneously and may also include some syntax checking, just like visudo.

Unix users: grouping them

+ Make sure the group in /etc/passwd exists in /etc/group, which has the format:
+ groupname:password:gid:user-list
- groupname is the name of the group.
- gid is the group's numerical ID within the system; it must be unique.
- user-list is a comma-separated list of users allowed in the group (used for multiple-group memberships by an individual).
+ Example:

    root:x:0:root
    bin:x:1:root,bin,daemon
    daemon:x:2:root,bin,daemon
    sys:x:3:root,bin,adm
    adm:x:4:root,adm,daemon
    tty:x:5:
    disk:x:6:root
    lp:x:7:daemon,lp
    mem:x:8:
    kmem:x:9:
    wheel:x:10:root

Unix/Linux: making user accounts

+ Give the user a password: passwd username (as root)
+ Edit their disk quota (if disk quotas are in use) via edquota. Type edquota -p protouser username. (How do users see their current quota usage? quota -v)
+ (NOTE: Not all UNIXes support disk quotas!)
+ Make sure the home directory exists and has the right permissions, and that the appropriate default startup files are installed in the home directory (.login, .cshrc, .Xdefaults, etc.):
+ Then do something like these:

    mkdir /home/faculty/user1
    cp /usr/skel/.[A-Za-z]* /home/faculty/user1
    chmod 700 /home/faculty/user1
    chown -R user1:u1 /home/faculty/user1
    [ OR, IF YOU DON'T HAVE THE ':' SYNTAX ]
    chown -R user1 /home/faculty/user1
    chgrp -R u1 /home/faculty/user1

You can do these steps manually, use a vendor-supplied script/program, or write your own.

+ SunOS 11 (OpenSolaris): useradd, usermod, userdel
+ FreeBSD: adduser
+ Linux: adduser
+ Linux: useradd

The trend is to provide GUI interfaces for most SysAdmin functions.

Unix/Linux: shadow password files

Most Unix/Linux distributions now use a "shadow" password file in addition to the main password file: a shadow password file moves the encrypted password out of the publicly-readable /etc/passwd file and into a root-accessible-only file. Why is this a good idea? See "John the Ripper" or "Ophcrack" (or older programs such as Alec Muffett's "Crack"): any hacker can try to systematically guess passwords with such programs.

It also allows for the creation of new fields to support password rules, password aging, etc.
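The rules stated above (exactly 7 colon-separated fields, a unique login name and UID, a GID that exists in /etc/group, a shell the system recognises, and the encrypted password kept out of the world-readable file) can be checked mechanically, which is also what pwck does in a rougher form. The script below is an added example and not part of the lecture notes. It takes copies of the passwd, group and shells files as parameters and runs against constructed samples in a scratch directory, so it never touches the live /etc files. It assumes that x, * and ! in the password field mean "shadowed or locked" and reports anything else as a hash that should have been moved to the shadow file; an account whose shell ends in nologin is reported as disabled but not counted as a problem.

```sh
#!/bin/sh
# Added example (not from the lecture notes): a pwck-style checker for a
# passwd-format file.  Arguments are file paths so it can be pointed at
# copies or at the constructed samples below.

check_passwd() {
    # $1 = passwd file, $2 = group file, $3 = shells file.
    # Prints one finding per line; exit status = number of findings (max 255).
    awk -F: '
        BEGIN { n = 0 }
        FILENAME == ARGV[1] { if (NF >= 3) gid_ok[$3] = 1; next }    # group file
        FILENAME == ARGV[2] { if ($0 != "") shell_ok[$0] = 1; next }  # shells file
        {
            p = "line " FNR ": "
            # Rule 1: the password file requires 7 ":"-separated fields.
            if (NF != 7) { print p "expected 7 fields, got " NF; n++; next }
            # Rule 2: unique login name and unique UID.
            if ($1 in name_seen) { print p "duplicate login name " $1; n++ }
            else name_seen[$1] = 1
            if ($3 in uid_seen) { print p "UID " $3 " already used by " uid_seen[$3]; n++ }
            else uid_seen[$3] = $1
            # Rule 3 (assumption of this example): x, * and ! are the only
            # acceptable placeholders; anything else is a hash that belongs
            # in the root-only shadow file, not in world-readable passwd.
            if ($2 != "x" && $2 != "*" && $2 != "!") {
                print p $1 ": password hash in the world-readable file (should be shadowed)"; n++
            }
            # Rule 4: the GID must exist in the group file.
            if (!($4 in gid_ok)) { print p $1 ": GID " $4 " not in group file"; n++ }
            # Rule 5: the shell should be one the system trusts (/etc/shells).
            if (!($7 in shell_ok)) { print p $1 ": shell " $7 " not in shells file"; n++ }
            else if ($7 ~ /nologin$/) print p $1 ": account disabled (shell " $7 ")"
        }
        END { exit (n > 255 ? 255 : n) }
    ' "$2" "$3" "$1"
}

# --- constructed sample files (not real system files) -------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The notes' user1 entry plus deliberate mistakes: a hash left in the file,
# an unknown GID, a duplicate name, a duplicate UID, a 6-field line, and
# one account disabled with nologin.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:501:501:USER1:/home/faculty/user1:/bin/tcsh
user2:f9cPz5ilB5N0o:502:501:USER2:/home/faculty/user2:/bin/bash
user3:x:503:999:USER3:/home/faculty/user3:/bin/bash
user1:x:504:501:DUPLICATE NAME:/home/faculty/dup:/bin/sh
user5:x:501:501:DUPLICATE UID:/home/faculty/user5:/bin/sh
broken:x:506:501:MISSING FIELD:/home/faculty/broken
old:x:507:501:OLD:/home/faculty/old:/sbin/nologin
EOF

cat > "$WORK/group" <<'EOF'
root:x:0:root
u1:x:501:user1,user2
EOF

cat > "$WORK/shells" <<'EOF'
/bin/sh
/bin/bash
/bin/tcsh
/sbin/nologin
EOF

check_passwd "$WORK/passwd" "$WORK/group" "$WORK/shells" || echo "$? problem(s) found"
```

Run against the samples it reports five problems (the hash, the unknown GID, the duplicate name, the duplicate UID and the short line) and one informational line for the disabled account; a clean file exits 0, which makes the function usable as a guard in a cron job or before vipw is allowed to write.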
Examples:

+ SunOS 11: /etc/shadow (see "man shadow")
+ FreeBSD: /etc/master.passwd (see "man passwd")
+ Redhat/CentOS Linux: /etc/shadow (see "man 5 shadow")

Unix/Linux: removing users

Removing Unix/Linux users: you can just undo the steps above!
However, it can be problematic to find all files owned by the user, if you gave them access to directories outside of their home directory.

+ One solution: repquota, if quotas are used.
+ Or, find / -user USERNAME -print, but that only works as long as the username is still in the password file. Otherwise, you need to use find / -uid UID -print
+ Don't forget their unread mailbox, often something like /var/spool/mail/username
+ Don't forget any other system files that might have their name (e.g., /etc/aliases).

You usually will want to archive (or otherwise preserve) the user data.

Unix/Linux: disabling user accounts

The easiest is usually to disable their login shell:

    user1:f9cPz5ilB5N0o:501:501:USER1:/home/user1:/bin/nologin

You can put text into /etc/nologin.txt to modify the message from the nologin program, but it isn't customizable per user.

Unix/Linux: /etc/shells

/etc/shells keeps a list of trusted shells users can change to via "chsh". /etc/shells is also consulted by other programs to make sure that a shell is a "legitimate" one for that system; in the past, even sendmail used to consult this file.
In general, this file is becoming much less used than it was in the past. Here's a current Fedora /etc/shells, which is very minimalistic:

    $ cat /etc/shells
    /bin/sh
    /bin/bash
    /sbin/nologin

treating /etc/passwd as a critical file

1. On a busy machine, you might create a cron script to make backups, something like:

    cp /saved/passwd.1 /saved/passwd.2
    cp /saved/passwd.0 /saved/passwd.1
    cp /etc/passwd /saved/passwd.0

2. A rare problem is having the "root" file system fill up and the password file getting truncated to a zero-length file. What is the biggest problem now? How can you get around it?
3. Use pwck (and grpck) on BSD systems to make a cursory check of these important files.

    [root@sophie root]# pwck
    user adm: directory /var/adm does not exist
    user gopher: directory /var/gopher does not exist
    user ident: directory /home/ident does not exist
    user pcap: directory /var/arpwatch does not exist
    user vmail: directory /home/vmail does not exist
    pwck: no
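Items 1 and 2 above interact: the three-cp rotation copies /etc/passwd blindly, so once the root file system fills up and truncates the file, the next three cron runs push the empty copy through passwd.0, .1 and .2 and the good backups are gone. The script below is an added example, not the notes' own cron script. It guards the rotation with a cheap pwck-like sanity check (non-empty, 7 fields per line, a root entry with UID 0) and skips the rotation when the check fails, and it includes a matching restore that takes the newest backup that still passes. File paths are parameters and the demonstration runs on constructed files in a scratch directory; in production they would be /etc/passwd and /saved, run from root's cron.

```sh
#!/bin/sh
# Added example (not from the lecture notes): a guarded version of the
# three-cp /etc/passwd backup rotation.  Paths are parameters so the
# demonstration at the bottom runs in a scratch directory.

# passwd_looks_sane FILE: non-empty, every line has 7 fields, and a root
# entry with UID 0 exists.  A cheap stand-in for pwck.
passwd_looks_sane() {
    [ -s "$1" ] || return 1
    awk -F: 'NF != 7 { bad = 1 }
             $1 == "root" && $3 == 0 { root = 1 }
             END { exit !(root && !bad) }' "$1"
}

# rotate_passwd_backup SRC DIR [KEEP]: shift DIR/passwd.0 -> .1 -> ... up to
# KEEP generations and copy SRC to DIR/passwd.0.  Returns 1 (nothing touched)
# if SRC fails the sanity check, 2 on a copy error, 0 on success.
rotate_passwd_backup() {
    src=$1; dir=$2; keep=${3:-3}
    if ! passwd_looks_sane "$src"; then
        echo "refusing to back up $src: empty, malformed or no root entry" >&2
        return 1
    fi
    mkdir -p "$dir" || return 2
    i=$((keep - 1))
    while [ "$i" -gt 0 ]; do          # oldest generation first, so nothing is overwritten
        prev=$((i - 1))
        if [ -f "$dir/passwd.$prev" ]; then
            mv -f "$dir/passwd.$prev" "$dir/passwd.$i" || return 2
        fi
        i=$prev
    done
    cp -p "$src" "$dir/passwd.0" || return 2
    chmod 600 "$dir/passwd.0"         # backups hold account data; keep them root-only
}

# restore_passwd DIR DEST [KEEP]: copy the newest backup that passes the
# sanity check to DEST (what you would do after a truncation).
restore_passwd() {
    dir=$1; dest=$2; keep=${3:-3}
    i=0
    while [ "$i" -lt "$keep" ]; do
        if passwd_looks_sane "$dir/passwd.$i"; then
            cp -p "$dir/passwd.$i" "$dest" || return 2
            echo "restored $dest from $dir/passwd.$i"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no usable backup in $dir" >&2
    return 1
}

# line_count FILE: number of entries, used by the demonstration below.
line_count() { awk 'END { print NR }' "$1"; }

# --- demonstration on constructed files in a scratch directory ------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:501:501:USER1:/home/faculty/user1:/bin/tcsh
EOF
rotate_passwd_backup "$WORK/passwd" "$WORK/saved"        # first cron run
echo 'user2:x:502:501:USER2:/home/faculty/user2:/bin/bash' >> "$WORK/passwd"
rotate_passwd_backup "$WORK/passwd" "$WORK/saved"        # second run
: > "$WORK/passwd"                                       # root fs filled up: file truncated
rotate_passwd_backup "$WORK/passwd" "$WORK/saved" || echo "rotation skipped, backups intact"
restore_passwd "$WORK/saved" "$WORK/passwd"
echo "entries now in passwd: $(line_count "$WORK/passwd")"
```

After the run, passwd.0 holds the three-entry copy, passwd.1 the two-entry copy, and the truncated file has been restored from passwd.0; with the notes' unguarded script the empty file would instead have become passwd.0. The same check refuses a file with no root entry, which is the other way a corrupted passwd typically locks you out.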