Managing Users Objectives –to be able to add, modify and remove Unix user accounts Contents –requirements for a user account –configuration files (passwd,


Managing Users

Objectives
– to be able to add, modify and remove Unix user accounts

Contents
– requirements for a user account
– configuration files (passwd, shadow)
– adding users
– modifying user details
– passwords
– deleting users
– working with groups

Practicals
– to add several user accounts

Summary

New User Requirements

An entry in /etc/passwd, which will define the user
– login name
– user id
– default group
– descriptive name
– login program (shell)

An entry in /etc/shadow, which will control account access
– initial password
– password aging information

An entry in /etc/group, for the default group assignment
– one of the existing groups in this file will become the user's primary group
– user access to groups other than the primary group can be allowed in this file

And somewhere to store files
– a home directory
– an initial .bash_profile and application startup files

Preparing Groups (/etc/group)

Use groups for working on projects and in departments
– groups provide a second level of access control
– groups allow users to share files

Set up groups before adding new users

One line per group in /etc/group:

    name::gid:user1,user2

    name          group name
    gid           numeric id
    user1,user2   list of users allowed 'secondary' access to this group

The entry for a new group is added with the groupadd utility; to change or remove a group use groupmod and groupdel

    # groupadd -g 151 swamp
    # groupadd -g 152 barracks

The /etc/passwd file

Each valid user must have an entry in this file, one line per user of the form:

    name::UID:GID:comment:home directory:shell

(the second field, shown empty here, is the password field; on systems with /etc/shadow it normally holds an x)

– name must be unique, up to 8 alphanumeric characters, usually lower case
– UID user id, a numeric value within the range of 0 to …
– GID user's primary group, a numeric value within the range of 0 to …
– comment free-format text, usually a fuller description of the user
– home directory the account location, usually under /home
– shell startup program; it is optional (but the last colon isn't)
  – if no value is given, it defaults to /usr/bin/sh
  – recommended shell is /usr/bin/ksh
  – the shell can be any executable program

    $ grep root /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    operator:x:11:0:operator:/root:/sbin/nologin

Allocating User IDs (UIDs)

Zero is always used by root

Entries less than 100 refer to special system accounts:

    root        superuser - unrestricted access to the entire system
    daemon      looks after background processes
    bin         owns some system commands
    uucp        owns uucp files and processes
    mail        mail server daemon
    news        internet news daemon
    at          batch daemon jobs
    ftp         owns ftp file sharing
    named       name server user for the DNS
    ntp         time server user
    sshd        secure shell subsystem
    haldaemon   hardware abstraction layer daemon
    lp          line printing subsystem user
    nobody      guest user

Local user accounts normally start at 100 or higher
– each user should have a unique user id

User accounts normally start at 500 or higher
– networked systems should use consistent user UIDs
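An added example (not from the slides) that checks passwd-format lines against the allocation rules of the two slides above: UID 0 reserved for root, unique UIDs, and no empty password or shell field. The sample entries are constructed, and `audit_passwd` is a name chosen here; pass it `"$(cat /etc/passwd)"` to run it on a real file.

```shell
#!/bin/sh
# Added example, not from the slides: audit passwd-format lines against the
# rules above (unique UIDs, UID 0 reserved for root, no empty password or
# shell field). The file contents are passed as the argument, so the same
# function works on a constructed sample and on "$(cat /etc/passwd)".

# Constructed sample; the duplicate UID and the extra UID 0 entry are deliberate.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
trapper::416:400::/home/trapper:/bin/bash
hotlips:x:321:152::/home/hotlips:/bin/bash
radar:x:321:152::/home/radar:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash
hawkeye:x:500:100::/home/hawkeye:'

# Prints one finding per line, tagged malformed / uid0 / nopass / noshell / dup-uid.
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7                 { print "malformed " $0; next }
        $3 == 0 && $1 != "root" { print "uid0 " $1 }       # a second superuser account
        $2 == ""                { print "nopass " $1 }     # empty password field
        $7 == ""                { print "noshell " $1 }    # falls back to the default shell
        seen[$3]++              { print "dup-uid " $1 " shares UID " $3 " with " first[$3] }
        !($3 in first)          { first[$3] = $1 }         # remember the first holder of each UID
    '
}

audit_passwd "$SAMPLE_PASSWD"
```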

Adding Users

Don't edit the control files manually; use utilities such as useradd (SVR4) or mkuser (AIX)
– useradd creates the required records in the /etc/passwd and /etc/shadow files
– it can also create the directory structure for the new user

Useful options to useradd to override defaults:

    -u uid        specify new user id (default: next available number)
    -g group      specify default group (default other, GID=1)
    -c comment    description of user (default blank)
    -d dir        home directory
    -m            make home directory (recommended, default /home/username)
    -k skel_dir   skeleton home directory (default /etc/skel)
    -s shell      specify login program (default /bin/bash)

Don't forget to give the user an initial password

    # useradd -m henry
    # useradd -u 321 -g 152 -m -s /bin/bash hotlips

Changing User Attributes

Don't edit the control files manually; use supplied utilities such as usermod (SVR4) or chuser (AIX)
– usermod uses the same basic set of options as useradd
– if you modify the UID then use the -U option as well, to change the UID of files belonging to the user, but...
– ...only files in the user's home directory, mail file and cron file will be affected; other files must be located and their ownership modified manually

    # usermod -g users -c "Henry Blake" henry
    # usermod -U -u 321 -s /bin/bash hotlips

Account inactivity and expiry date can also be set by usermod

    # usermod -f 10 henry
    # usermod -e 01/31/05 hotlips

Changing Group Membership

Each user belongs to a group (defined in /etc/passwd)
– primary membership can be changed with usermod -g

A user can also be allowed access to other groups
– secondary membership is controlled by usermod -G
– the group must already exist

    # grep trapper /etc/passwd
    trapper::416:400::/home/trapper:/bin/bash     trapper's primary group is 400
    # groupadd -g 600 swamp                       add new group
    # usermod -G swamp trapper                    add trapper to group 600 (his primary membership unchanged)
    # grep trapper /etc/group
    swamp::600:trapper

Exercise - Adding and Modifying Users

Write down the commands to perform the following:

    # add a user called frank
    # add a user called radar specifying the Korn shell
    # add a user called klinger using /home2/klinger as the home directory
    # add a user called mulcahy specifying a UID of 400 and a group of staff
    # modify the user frank to use the Korn shell
    # modify radar to give him a new UID of 401

Setting Passwords

New user accounts have to have an initial password

Forgotten passwords have to be reset
– verify that the person asking to reset the password is the account owner

Use the standard passwd program with a username
– as root you will not be prompted for the existing password
– choose a simple password and inform the user verbally

    # passwd henry
    new password:
    retype password:

Lock the user account

    # passwd -l henry

Choosing Passwords

Too many passwords are easy to guess
– a 1980s survey on US systems guessed 80% of passwords
– standard password guessing programs are readily available

Advise users on sensible passwords
– no proper words or names
– use letters and digits
– include symbols

Most systems enforce basic rules
– minimum password length
– use of non-alphanumerics
– some systems can use dictionaries of disallowed words

Systems like SuSE and RedHat keep a password history
– used to stop users cycling round a few favourite passwords

Don't have guest accounts
– if someone has to use your system, give them an account with a password

The /etc/shadow file

Each valid user must have an entry, of the format:

    name:password:last change:min:max:warn:inactive:expire:flag

– name user login name, cross-reference to the /etc/passwd file
– password valid (encrypted) passwords have exactly 13 characters
  – if this field is blank there is no password
  – NP in this field implies no password has been set (login not accessible)
  – LK or * in this field implies the account is never used (locked)
– last change number of days since 1/1/70 of the last password change
– min minimum number of days between password changes
– max maximum number of days the password is valid
– warn number of days before expiry that the user will be warned
– inactive number of days of inactivity allowed for this user
– expire an absolute date, beyond which the account will be disabled

    $ grep root /etc/shadow
    root:b93.GT2r.7IZ6:9718:0:60:7:::

Account Security

Use preset expiry dates for temporary employees
– very useful for contract staff

Use inactivity counts to lock unused accounts
– perhaps the user has left the company and no one told you

Change passwords known by someone who leaves
– change ALL passwords if they knew the root password

Lock accounts if they are temporarily unused
– user is on secondment or holiday

Use the password ageing mechanism!

    # passwd -l trapper
    # passwd -n 27 -x 30 -w 3 radar
    # usermod -e 12/24/05 hotlips
    # usermod -f 5 hotlips
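An added example (not from the slides) that reads shadow-format lines and reports the states the /etc/shadow and Account Security slides describe: no password, locked, forced change at next login, expired password or account, and accounts with no ageing at all. The sample entries and the fixed day count are constructed and `audit_shadow` is a name chosen here; the 13-character rule above applies to the traditional DES crypt format only, so this check looks at empty and locked fields, not at hash length.

```shell
#!/bin/sh
# Added example, not from the slides: audit shadow-format lines for the ageing
# and locking state described above. "today" is a day count since 1/1/70 and is
# passed in explicitly so the result is reproducible; it defaults to the current
# day when omitted. Hash length is not checked.

# Constructed sample, with day counts chosen around today=9800.
SAMPLE_SHADOW='root:b93.GT2r.7IZ6:9718:0:60:7:::
trapper:!b93.GT2r.7IZ6:9700:21:31:7:::
henry::9790:0:30:7:::
radar:b93.GT2r.7IZ6:9750:27:30:3:::
hotlips:b93.GT2r.7IZ6:9790:0:60:7::9800:
frank:b93.GT2r.7IZ6:0:0:30:7:::
klinger:b93.GT2r.7IZ6:9790::::::'

# usage: audit_shadow "<shadow contents>" [today]
audit_shadow() {
    printf '%s\n' "$1" | awk -F: -v today="${2:-$(( $(date +%s) / 86400 ))}" '
        NF != 9  { print "malformed " $1; next }
        $2 == "" { print "nopass " $1; next }               # blank field: no password at all
        $2 ~ /^[!*]/ || $2 == "LK" || $2 == "NP" {           # Linux passwd -l prefixes "!"
                   print "locked " $1; next }
        $3 == 0  { print "must-change " $1; next }           # last change 0: change forced at next login
        $8 != "" && $8 <= today { print "account-expired " $1; next }
        $5 == "" { print "no-ageing " $1; next }             # no max: the password never expires
        (today - $3) > $5 {
                   print "expired " $1 " password " (today - $3) " days old, max " $5 }
    '
}

audit_shadow "$SAMPLE_SHADOW" 9800
```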

Exercise - Account Security

Write down the commands to perform the following:

    # add a password for user frank
    # force frank to change his password at next login
    # enable password ageing for trapper (min 21 max 31 warn 7)
    # set the expiry date for hawkeye to 31 Jan 2005
    # lock henry's account
    # now unlock henry's account

Removing User: Preparation

When a user leaves there are two main concerns:
– protect the system from unauthorised access via his/her account
– protect and manage his/her files and directories left on the system

Proposed sequence of steps
– lock the account password, until you are ready to remove it altogether
– save all files owned by the user, somewhere outside the home directory
– change the access permissions on the saved files, allowing access to root only
– consider cron or at jobs set up by the user
– set up mail forwarding to send mail to a manager

    # passwd -l henry
    # mkdir /hold; chmod 000 /hold
    # cd /
    # find . -user henry -print | cpio -ov | compress >/hold/henry
    # find . -user henry -type f -exec rm -f {} \;
    # find . -user henry -type d -exec rmdir {} \;
    # su - henry -c "echo 'bigboss' > ~henry/.forward"

Removing User Account

Delete the user account only when his/her data is safe

Use the userdel utility (SVR4) or rmuser (AIX)

Without any options userdel will leave all files owned by that user untouched and open to misuse
– the -r option with userdel will remove user files, but only those in the home directory (including the home directory itself)
– userdel does not remove the mail file
– more significantly, userdel does not remove the user's cron table or stop cron from executing the tasks scheduled by that user

    # userdel -r henry
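An added example (not from the slides) that lists what `userdel -r` would leave behind for a user, covering the items the two slides above single out (mail file, cron table, at jobs) and files owned elsewhere on the system. The spool paths are the usual Linux locations and are an assumption, `leftovers` and `demo_tree` are names chosen here, and the sandbox tree is constructed so the check runs without root.

```shell
#!/bin/sh
# Added example, not from the slides: report what removing an account would
# leave behind. Paths are checked under PREFIX so the function can be run
# against a constructed tree; an empty PREFIX means the real root.
# Assumed spool locations: /var/mail or /var/spool/mail for the mail file,
# /var/spool/cron or /var/spool/cron/crontabs for the per-user cron table.

# usage: leftovers <user> [prefix]
leftovers() {
    user=$1
    prefix=${2:-}
    # mail file: userdel leaves it, so it must be saved or deleted separately
    for p in "var/mail/$user" "var/spool/mail/$user"; do
        [ -f "$prefix/$p" ] && printf 'mail /%s\n' "$p"
    done
    # cron table: userdel leaves it, and cron keeps running the jobs in it
    for p in "var/spool/cron/$user" "var/spool/cron/crontabs/$user"; do
        [ -f "$prefix/$p" ] && printf 'cron /%s\n' "$p"
    done
    # at jobs are stored per job, not per user: flag a non-empty spool for manual review
    for d in var/spool/at var/spool/cron/atjobs; do
        [ -d "$prefix/$d" ] && [ -n "$(ls -A "$prefix/$d" 2>/dev/null)" ] && printf 'at /%s\n' "$d"
    done
    # files owned by the user outside the home directory (only when the account exists)
    if id "$user" >/dev/null 2>&1; then
        find "${prefix:-/}" -path "$prefix/home/$user" -prune -o -user "$user" -print 2>/dev/null |
            sed 's/^/owned /'
    fi
    return 0
}

# Constructed sandbox standing in for /: a mail file and a cron table for henry.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/henry" "$t/var/mail" "$t/var/spool/cron"
    : > "$t/var/mail/henry"
    printf '0 3 * * * /home/henry/bin/cleanup\n' > "$t/var/spool/cron/henry"
    printf '%s\n' "$t"
}

sandbox=$(demo_tree)
leftovers henry "$sandbox"
rm -rf "$sandbox"
```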

Summary

User account information is stored in 3 files:
    /etc/passwd
    /etc/shadow
    /etc/group

Account information contains:
– login name
– password
– user and group ids
– full name
– home directory
– login shell

SVR4 provides utilities for manipulating user details:
    passwd
    useradd, usermod, userdel
    groupadd, groupmod, groupdel