Adding New Users Chapter 6
Chapter 6 - Adding new users Introduction Adding and removing users is a routine chore. These tasks are simple, but they are also boring. Most administrators build tools to automate the process and then delegate the actual work to an assistant or operator. Account hygiene is a key determinant of system security Infrequently used accounts are prime targets for hackers, as are accounts with easily guessed passwords Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file The /etc/passwd file is a list of users recognized by the system. Each line in the file represents one user and contains several fields separated by colons: Login name Encrypted password (unless there is a shadow password) UID number Default GID number GECOS information (full name, office, extension, phone) Home directory Login shell The contents are often shared among systems via NIS or NIS+ Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file Login name Must be unique On some OS’s (and with NIS/NIS+) they are limited to 8 characters Case sensitive (but most mail systems expect lower case) Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file Encrypted password This is set by passwd (yppasswd if you use NIS) Encryption Schemes Most use DES encryption input: first 8 characters are used output: 13 characters are produced no matter what Red Hat and FreeBSD include support for MD5 input: can be of any length output: 31 characters (first 3 are $1$) Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file Shadow passwords: (Chapter 21) places encrypted passwords in a separate file (not world readable) Solaris requires shadow passwords Notes: A * in this field prevents someone from logging in. Never leave this field empty. Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file UID number Size: On most modern systems UIDs are a 32 bit integer On older systems the largest UID was 32,767 By definition, root has UID 0 HINTS: avoid recycling UID’s (restoring files can be a problem) Keep unique UID’s across your system Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file Default GID number Group ID numbers Size: 16 or 32 bit integer (signed or unsigned) Defined in /etc/group Reservations GID 0 - reserved for the group “root” or “wheel” GID 1 - reserved for the group “daemon” Modern versions UNIX allow users to be in up to 16 groups. Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file File creation: BSD or Not? Inherit the GID of the parent directory or the user? If from the user, they may want to change which group they are in at the time with the command newgrp Most OS’s do not follow the BSD semantics But they allow it as a mount option (grpid) Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file GECOS field no well defined syntax records personal information finger and sendmail use this info (but most others do not) chfn lets users change their own GECOS information this can be abused Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file Home directory Users are placed in their home directory when they log in If the home directory is missing: All print an error message Some allow the login to proceed (and put the user in /) Some don’t allow the login to continue. Beware: if home directories are mounted over NFS, they may be unavailable in the event of a server or network problem. Chapter 6 - Adding new users
Chapter 6 - Adding new users 1. The /etc/passwd file Login shell Normally a command interpreter such as /bin/sh, /bin/csh, /bin/ksh, /bin/tcsh, /bin/bash sh is the default on most systems and is used if /etc/passwd does not specify a login shell Users can change their shell with chsh /etc/shells contains a list that chsh will allow. Chapter 6 - Adding new users
2. The FreeBSD /etc/master.passwd File On FreeBSD, the “real” password file is /etc/master.passwd. The /etc/passwd file exists for backward compatibility, but it is generated from master.passwd and is never edited directly. This file also contains fields to implement password aging The authors of our text are not very enthusiastic about password aging. See Chapter 21 for a discussion. It also contains information for account expiration. Chapter 6 - Adding new users
3. The FreeBSD /etc/login.conf File The login.conf entry can set Resource limits (max process size, open files,…) Session accounting limits (when logins are allowed, how long) Default environment variables Default paths (PATH, MANPATH, …) Location of the message of the day Host and TTY-based access control Default umask Account controls (min passwd length, password aging,…) Chapter 6 - Adding new users
4. The Solaris and Red Hat /etc/shadow File The use of a shadow password file is mandatory under Solaris. You can also use it under Red Hat Linux if you install the shadow package. /etc/shadow is readable only by the superuser keeps encrypted passwords safe from prying eyes. Has fields for password expiration, and aging. Chapter 6 - Adding new users
Chapter 6 - Adding new users 5. The /etc/group File Contains the names of UNIX groups and a list of each group’s members Each line contains Group name Encrypted password (vestigal and rarely used) allows users to change to the group with the password even if not in the list of members. GID number List of members (comma separated) Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Introduction Before you create an account fo a new user, it’s very important that the user sign and date a copy of your local user agreement and policy statement. See Chapter 27 for more info. The process consists of: Edit the passwd and shadow files to define the user’s account Set an initial password Create the user’s home directory Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users For the user Copy default startup files Set the user’s mail home and establish mail aliases For you: Add the user to the /etc/group file Config the disk quotas Verify the account has been set up. Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Editing the passwd and shadow files To safely edit the passwd file, run vipw to invoke a text editor on a copy of it. vipw allows only one person to edit the passwd file at a time. On Solaris, vipw asks if you want to edit the shadow file after you have edited the passwd file On FreeBSD, vipw edits the master.passwd file (then runs pwd_mkdb to generate the derived passwd file) Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Setting the initial password Root can change any user’s password with the passwd command. passwd user Different implementations of passwd do/require different things NEVER leave a new account - or any account that has access to a shell - without a password. Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Creating the user’s home directory Any directory you create is intially owned by root, so you must change its owner and group with the chown and chgrp commands The following is an example of their usage: mkdir /home/staff/tyler chown tyler /home/staff/tyler chgrp staff /home/staff/tyler chmod 700 /home/staff/tyler Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Copying the default startup files You can customize commands and utilities by placing configuration files in a user’s home directory. Startup files traditionally begin with a dot ls ignores these files unless it is given a “-a” option Some vendors supply a starting point set /etc/skel or /usr/share/skel Depending upon a user’s shell, /etc may contain system-wide startup files that are processed before the user’s own startup files Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Setting the user’s mail home It is convenient for each user to receive email on only one machine. This scheme is often implemented with an entry in the global aliases file /etc/mail/aliases or the sendmail userDB See Chapter 19 for general information about email Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Editing the /etc/group file When you added a new user (in /etc/passwd) you placed them in a group. /etc/group should be updated to reflect this and any other groups you wish to add them to. Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Setting disk quotas If your site uses disk quotas, you should set quota limits for each new account with the edquota command edquota can be done interactively, or with a “-p” to make a user just like someone else. edquota -p someone_else new_user Chapter 6 - Adding new users
Chapter 6 - Adding new users 6. Adding Users Verifying the new login To verify that a new account has been properly configured, first log out, then log in as the new user and execute the following commands: pwd ls -la If your site requires users to sign a written contract, be sure this step has been completed before releasing the account Be sure to remind new users to change their password immediately Chapter 6 - Adding new users
Chapter 6 - Adding new users 7. Removing Users When a user leaves your organization, that user’s login account must be removed from the system. This procedure involves removing all references to the login name that were added by you or your adduser program: Before you remove a user’s home directory, it’s always a good idea to make an extra backup of their directory (and mail spool) before deleting them Chapter 6 - Adding new users
Chapter 6 - Adding new users 7. Removing Users You may want to use the following checklist: Set user’s disk quota to 0 Remove the user from any local user database Remove the user from the aliases file (or add a forwarding address) Remove the user’s crontab file and pending at jobs Kill any of the user’s processes that are still running. Remove any temporary files owned by the user Remove the user from the passwd and group files Remove the user’s home directory Remove the user’s mail spool Chapter 6 - Adding new users
Chapter 6 - Adding new users 7. Removing Users Once you have removed a user, be sure to verify that the user’s old UID owns no more files on the system. A fast way to do this is with the quot command Example: quot /home quot does not require disk quotas to be active quot only works on local disks (not over NFS mounts) If there are, you can find their exact path with find -x /home -nouser -print Chapter 6 - Adding new users
Chapter 6 - Adding new users 8. Disabling Logins On occasion, a user’s login must be temporarily disabled. Some people just put a * in the password file for the encrypted password. However, some setups allow net logins without a password. These days you should replace the user’s shell with a program that explains why the login has been disabled (and how to rectify the situation) Chapter 6 - Adding new users
Chapter 6 - Adding new users 8. Disabling Logins Be careful about this placing this pseudo-shell in the /etc/shells file do you want them to have ftp access? ftpd checks to see if the user’s login shell is in /etc/shells Do you want them to continue to receive email sendmail does also…. Chapter 6 - Adding new users
9. Vendor-Supplied Account Management Utilities Solaris, HP-UX, and Red Hat provide a similar set of utilities to help automate the creation, deletion, and modification of users and groups Users: useradd adds users to the passwd file (and shadow) usermod and userdel modify and delete users Groups: groupadd, groupmod, and groupdel operate on /etc/group Chapter 6 - Adding new users
Chapter 6 - Adding new users