Published by Reynard Flynn. Modified over 9 years ago.
Slide 1: itec 400 User Administration, Unix System Directories
George Vaughan, Franklin University
Slide 2: Topics
User Administration
– The password file
– The shadow password file
– The group file
– Adding Users
– Disabling Users
– Removing Users
Unix/Linux System Directories
Slide 3: User Administration
The Pieces:
– /etc/passwd
– /etc/shadow
– /etc/group
The Function:
– Username Policy
– Password Policy
– Group Membership Policy
User related commands
Slide 4: The Password File
Located in /etc/passwd. Serves as the user database for the system.
Information in /etc/passwd is useful to applications, so the file is readable by all.
Historically, /etc/passwd contained each user's password in encrypted form. Today, encrypted passwords readable by all is considered too dangerous, so passwords are stored in /etc/shadow, which is readable only by root.
Slide 5: The Password File
Format of /etc/passwd (colon separated fields):
  userName:passWord:UID:GID:userInfo:homeDir:loginApplication
Example:
  vaughang:x:257:100:George Vaughan:/export/home/vaughang:/bin/ksh
Fields:
– userName: the login name of the user
– passWord: where the password used to be stored; 'x' indicates use of a shadow password
– UID: a unique user identifier
– GID: a unique group identifier (the user's primary group)
– userInfo: user information such as the user's full name (GECOS field)
– homeDir: initial directory after login
– loginApplication: initial application run after login (usually a shell)
Slide 6: The Password File
User Name:
– Often generated by a script
– Often limited to 8 characters; Red Hat: 32 characters, any character except newline and colon
Password:
– 'x' indicates use of /etc/shadow
– '*' indicates the account is disabled
– Standard limit: 8 characters, unencrypted
– Red Hat limit: arbitrary length, unencrypted
– Never leave this field empty
UID:
– A unique user identifier
– Unsigned 32-bit integer
– root has UID 0
– Most systems: user accounts start at UID 100
– Red Hat: user accounts start at UID 500
Slide 7: The Password File
GID:
– A unique group identifier
– Unsigned 32-bit integer
– 0 for group root, 1 for bin, 2 for daemon
– Most systems: user groups start at GID 100
– Red Hat: user groups start at GID 500
User Info:
– Usually the user's name
– Can hold up to 5 comma-separated subfields, used by the 'finger' command
– Called the GECOS field: originally used at Bell Labs to store user info for remote job entry (rje) to a GE mainframe
Home Directory:
– Initial directory after login
Login Application:
– Usually a shell
– /etc/shells contains the list of valid shells on the system; a user cannot change their own shell to something not in /etc/shells
– The field itself can be any application; it does not have to be in /etc/shells (the restriction applies to users changing their own shell)
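The format and policy points of slides 5 to 7, exercised as an added example that is not part of the lecture: a small policy check over a passwd-format file. It flags an empty password field, UID 0 on an account other than root, a duplicated UID and a malformed line as warnings, and reports a login application missing from the shells file only as a note, since slide 7 allows that. The sample passwd and shells files are constructed inline for this example, and the names audit_passwd and make_sample_files are mine.

```shell
#!/bin/sh
# Added example: policy check over a passwd-format file (not the lecture's code).
# Usage: audit_passwd PASSWD_FILE SHELLS_FILE
# Prints one "user: finding" line per problem and nothing for a clean file.
audit_passwd() {
    awk -F: -v shells_file="$2" '
        BEGIN {
            # Load the valid login shells, one per line as in /etc/shells.
            while ((getline line < shells_file) > 0)
                if (line != "" && substr(line, 1, 1) != "#") valid[line] = 1
            close(shells_file)
        }
        /^[ \t]*$/ { next }                      # skip blank lines
        NF != 7 { printf "line %d: WARN expected 7 fields, got %d\n", NR, NF; next }
        {
            user = $1; pw = $2; uid = $3; shell = $7
            # Slide 6: never leave the password field empty (login without a password).
            if (pw == "")
                printf "%s: WARN empty password field\n", user
            # Only root should have UID 0; any other UID-0 entry is a second superuser.
            if (uid == 0 && user != "root")
                printf "%s: WARN UID 0 on a non-root account\n", user
            # UIDs must be unique; two names on one UID share files and privileges.
            if (uid in seen)
                printf "%s: WARN UID %s already used by %s\n", user, uid, seen[uid]
            else
                seen[uid] = user
            # Slide 7: the field may legitimately be outside /etc/shells, so only note it.
            if (!(shell in valid))
                printf "%s: NOTE login application %s not in shells file\n", user, shell
        }
    ' "$1"
}

# Constructed sample data (not copied from any real system) so the check runs offline.
# make_sample_files PASSWD_OUT SHELLS_OUT
make_sample_files() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
vaughang:x:257:100:George Vaughan:/export/home/vaughang:/bin/ksh
dummy1:x:502:502:Mr. Dummy:/home/dummy1:/bin/bash
guest::503:100:Guest account:/home/guest:/bin/bash
toor:x:0:0:second uid zero:/root:/bin/bash
clash:x:502:502:duplicate uid:/home/clash:/bin/bash
EOF
    cat > "$2" <<'EOF'
/bin/sh
/bin/bash
/bin/ksh
EOF
}

# Stand-alone run: write the samples to a scratch directory and print the findings.
scratch=$(mktemp -d)
make_sample_files "$scratch/passwd" "$scratch/shells"
audit_passwd "$scratch/passwd" "$scratch/shells"
rm -rf "$scratch"
```

Run against the real files with `audit_passwd /etc/passwd /etc/shells`; the toor entry in the sample produces two warnings (UID 0 and a duplicate of root's UID), which is the intended behaviour.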
Slide 8: The Password File
A simple ASCII file; can be edited with a standard editor.
'vipw' (vi the password file):
– Allows only one editing session at a time
– Minimizes corruption due to pilot error or abnormal terminations
Slide 9: The Shadow Password File
– Location on both Linux and Solaris: /etc/shadow
– Readable only by root
– If used, contains the encrypted password
– Used by default on Red Hat Linux
– In Red Hat Linux, /etc/shadow can be edited with vipw
Slide 10: The Shadow Password File
Format of /etc/shadow (colon separated fields):
  userName:passWord:changedDate:minLife:maxLife:warn:disable:expireDate:unused
Example:
  gvaughan:$1$ItpbrZB2$2g/qNx0DhRmnoXbpA1EQJ/:12198:0:99999:7:::
Fields:
– userName: login ID of the user (REQUIRED)
– passWord: encrypted password (REQUIRED)
– changedDate: date the password was last changed (Unix time)
– minLife: minimum number of days between password changes
– maxLife: maximum number of days between password changes
– warn: number of days to warn the user in advance of password expiration
– disable: number of days of inactivity before the account is disabled
– expireDate: date the account will expire (Unix time)
– unused: reserved for future use
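Slide 10's fields turned into an aging report, added here as an example that is not the lecture's code. One detail the slide's example value carries but does not spell out: changedDate and expireDate are counts of days since 1970-01-01, not seconds (12198 falls in mid-2003, and the 12102 on slide 35 is February 2003, matching the Feb 18 timestamps there), and a changedDate of 0 is what forces a change at the next login in slides 25 and 38. The report takes "today" as a day count argument so the same input always gives the same output; the function names and the sample entries, including the placeholder hashes, are constructed.

```shell
#!/bin/sh
# Added example: password-aging report over a shadow-format file (not the lecture's code).
# /etc/shadow stores changedDate and expireDate as days since 1970-01-01.

# today_in_days: the current date in the unit /etc/shadow uses
today_in_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_report SHADOW_FILE TODAY_IN_DAYS
# Prints one "user: status" line per entry.
shadow_report() {
    awk -F: -v today="$2" '
        /^[ \t]*$/ { next }
        NF < 8 { printf "%s: WARN malformed entry (%d fields)\n", $1, NF; next }
        {
            user = $1; pw = $2; changed = $3; maxlife = $5; expire = $8
            if (pw == "") {
                status = "WARN no password set (empty field)"
            } else if (pw ~ /^[*!]/) {
                # A leading "*" or "!" (useradd writes "!!") can never match a hash,
                # so the account cannot log in with a password: locked or never set.
                status = "locked or password not yet set"
            } else if (changed == 0) {
                status = "must change password at next login"
            } else if (maxlife == "" || maxlife >= 99999) {
                status = "WARN password never expires"
            } else if (today - changed > maxlife) {
                status = sprintf("WARN password expired %d days ago", today - changed - maxlife)
            } else {
                status = sprintf("password ok, %d days left", changed + maxlife - today)
            }
            if (expire != "" && expire + 0 <= today + 0) status = status "; account expired"
            printf "%s: %s\n", user, status
        }
    ' "$1"
}

# Constructed sample file: the hashes are placeholders, not real password hashes.
# make_sample_shadow OUT_FILE
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$1$saltsalt$PLACEHOLDERHASH000000:12198:0:99999:7:::
johnsonm:!!:12102:0:99999:7:::
dummy1:$1$saltsalt$PLACEHOLDERHASH000001:0:0:30:7:::
vaughang:$1$saltsalt$PLACEHOLDERHASH000002:12198:0:45:7:::
chen04:$1$saltsalt$PLACEHOLDERHASH000003:12240:0:90:7:::
olinger:$1$saltsalt$PLACEHOLDERHASH000004:12198:0:90:7::12200:
guest::12198:0:90:7:::
EOF
}

# Stand-alone run with "today" fixed at day 12250 (April 2003) so the output is reproducible.
scratch=$(mktemp -d)
make_sample_shadow "$scratch/shadow"
shadow_report "$scratch/shadow" 12250
rm -rf "$scratch"
```

On a live system run it as root, since only root can read the file: `shadow_report /etc/shadow "$(today_in_days)"`.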
Slide 11: Encrypted Passwords
Encrypted password formats:
– DES (13 characters in encrypted form)
– MD5 (34 characters in encrypted form)
Most Linux distributions support MD5. MD5 is the default in Red Hat.
MD5 passwords always begin with "$1$".
Slide 12: The Group File
– Permissions for users can be managed on a group basis.
– Defines which users are members of which group.
– A user can be a member of more than one group (some systems restrict the number of groups a user can belong to).
– The group associated with a user in the /etc/passwd file is the user's primary group.
Slide 13: The Group File
Format of /etc/group (colon separated fields):
  groupName:passWord:GID:userList
Example:
  cs::102:lint,cs,chen04,christcl,olinger
Fields:
– groupName: name of the group
– passWord: obsolete
– GID: unique group identifier
– userList: comma separated list of users
Slide 14: The Group File
Group Name: on many systems, restricted to 8 characters.
Password:
– Obsolete, but still used in Linux
– Often contains an 'x' or nothing
– If the field has '*', the group is disabled
GID:
– A unique group identifier
– Unsigned 32-bit integer
– 0 for group root, 1 for bin, 2 for daemon
– Most systems: user groups start at GID 100
– Red Hat: user groups start at GID 500
User List: comma separated, no spaces.
Slide 15: The Group File
– If a user is defined as a member of a group in /etc/passwd but not in /etc/group, the file /etc/passwd takes precedence.
– On Linux, the file /etc/group can be edited with vigr.
– Linux supports a shadow group file:
  – Its location is /etc/gshadow
  – It is used to store group passwords
Slide 16: User Related Commands
Note: user administration commands will be addressed in later slides.
id
– Reports UID and GID from /etc/passwd
– Example:
  > id root
  uid=0(root) gid=1(other)
groups
– Reports the groups that a user is a member of
– Example:
  > groups root
  other root bin sys adm uucp mail tty lp nuucp daemon
Slide 17: User Related Commands
newgrp
– Logs the user into a new group (one that the user is a member of)
– Example:
  > groups
  faculty wheel
  > touch trash1
  > newgrp wheel
  > touch trash2
  > ls -l
  -rw-rw-r--  1 vaughang faculty  … trash1
  -rw-rw-r--  1 vaughang wheel    … trash2
Slide 18: User Related Commands
finger
– Displays information about a user
– Example:
  > finger vaughang
  Login name: vaughang                    In real life: George Vaughan
  Directory: /export/home/vaughang        Shell: /bin/ksh
  On since Feb 17 15:48:34 on pts/7 from dhcp9544228.inet.com
  13 seconds Idle Time
Slide 19: Adding Users
Three different ways to add users:
– Manually
– Using the 'useradd' command
– Using a GUI based system administration tool
Slide 20: Adding Users
Many Unix and Linux distributions provide GUI applications for creating user accounts. However, these GUI tools tend to be distribution specific.
Large sites have custom scripts for adding users that enforce local policies.
Slide 21: Adding Users
It is good to know how to add users manually:
– Useful if problems occur with GUI apps
– Useful for writing scripts with site specific policies
– Useful for understanding how user management works at the O.S. level
This lecture will focus on adding users manually. The book has a good description of GUI apps for adding users.
Slide 22: Adding Users Manually
Activities when adding users:
– Edit the /etc/passwd file
– Edit the /etc/shadow file
– Edit /etc/group (if necessary)
– Set the initial password
– Set up the new user's home directory
– Copy startup files to the user's home directory
– Test the account
Slide 23: Adding Users Manually (Red Hat)
The following scenario adds a new user named 'dummy1'. The scenario is simplified yet complete.
Slide 24: Adding Users Manually (Red Hat)
Edit /etc/passwd
– Use 'vipw' for safety
  dummy1:x:502:502:Mr. Dummy:/home/dummy1:/bin/bash
Edit /etc/shadow
– Continue using 'vipw'
  Would you like to edit /etc/shadow now [y/n]? y
  dummy1:*:0:0:30:7:::
Slide 25: Adding Users Manually (Red Hat)
Change the new user's password
  # passwd dummy1
  Changing password for user dummy1
  New password:
  Retype new password:
  passwd: all authentication tokens updated successfully
Re-edit /etc/shadow
– Set the 'password changed' field to 0 (1/1/70)
– This forces the user to change the password immediately
Edit /etc/group
  # vi /etc/group
  dummy1:x:502:
Slide 26: Adding Users Manually (Red Hat)
Create the user's home directory
  # mkdir /home/dummy1
  # chown dummy1 /home/dummy1
  # ls -ld /home/dummy1
  drwxr-xr-x 2 dummy1 root 4096 Feb 17 23:20 /home/dummy1
  # chmod 700 /home/dummy1
  drwx------ 2 dummy1 root 4096 Feb 17 23:20 /home/dummy1
Copy login initialization files
  # cp -rf /etc/skel/.[a-zA-Z]* ~dummy1
  # chmod 644 ~dummy1/.[a-zA-Z]*
  # chown dummy1 ~dummy1/.[a-zA-Z]*
  # chgrp dummy1 ~dummy1/.[a-zA-Z]*
Slide 27: Adding Users Manually (Red Hat)
Test the new account
  # su - dummy1
  # ls -al ~dummy1
  total 52
  drwx------  4 dummy1 root   4096 Feb 17 23:47 .
  drwxr-xr-x  6 root   root   4096 Feb 17 23:20 ..
  -rw-------  1 dummy1 dummy1   28 Feb 17 23:48 .bash_history
  -rw-r--r--  1 dummy1 dummy1   24 Feb 17 23:33 .bash_logout
  -rw-r--r--  1 dummy1 dummy1  191 Feb 17 23:33 .bash_profile
  -rw-r--r--  1 dummy1 dummy1  124 Feb 17 23:33 .bashrc
  -rw-r--r--  1 dummy1 dummy1 5450 Feb 17 23:33 .canna
  -rw-r--r--  1 dummy1 dummy1  820 Feb 17 23:33 .emacs
  -rw-r--r--  1 dummy1 dummy1  118 Feb 17 23:33 .gtkrc
  drw-r--r--  3 dummy1 dummy1 4096 Feb 17 23:33 .kde
  -rw-r--r--  1 dummy1 dummy1 3511 Feb 17 23:33 .screenrc
  drwx-----   2 dummy1 dummy1 4096 Feb 17 23:46 .xauth
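The steps of slides 22 to 27 collected into one script, added here as an example and not the lecture's own code: it allocates the next free UID from 500 upward, appends the passwd, shadow and group entries (the shadow entry with '*' so nobody can log in until passwd is run, and changedDate 0 so the first login must change the password), creates the home directory with mode 700 and copies the /etc/skel dotfiles. Two things differ deliberately from the slides. The script is parameterised on a ROOT prefix so it can be rehearsed in a scratch directory instead of the live system, and it sets mode 644 only on regular files, because chmod 644 on a directory removes the search bit and makes the directory unusable (the .kde entry in slide 27, drw-r--r--, is exactly that effect). Appending to the files directly gives none of vipw's locking, so on a real machine edit under vipw or use useradd. ROOT, next_uid, add_user_manually and seed_scratch_root are names I chose, and the seed data is constructed.

```shell
#!/bin/sh
# Added example: the manual add-user steps as a script (not the lecture's code).
# ROOT prefixes every path; leave it empty for the real system or set it to a scratch
# directory to rehearse (ROOT=./scratch edits ./scratch/etc/passwd and so on).
ROOT="${ROOT:-}"

# next_uid PASSWD_FILE MIN
# Smallest UID >= MIN not present in the file: the "next available UID" rule.
next_uid() {
    awk -F: -v min="$2" '
        $3 >= min { used[$3] = 1 }
        END { u = min; while (u in used) u++; print u }
    ' "$1"
}

# add_user_manually LOGIN "Full Name" [SHELL]
# Prints the passwd line it created; fails if the login already exists.
add_user_manually() {
    login=$1; fullname=$2; shell=${3:-/bin/bash}
    passwd_file="$ROOT/etc/passwd"; shadow_file="$ROOT/etc/shadow"; group_file="$ROOT/etc/group"
    home="$ROOT/home/$login"

    if grep -q "^$login:" "$passwd_file"; then
        echo "add_user_manually: $login already exists" >&2
        return 1
    fi
    uid=$(next_uid "$passwd_file" 500)
    gid=$uid                                   # private group, GID = UID as on slide 24
    while grep -q "^[^:]*:[^:]*:$gid:" "$group_file"; do gid=$((gid + 1)); done

    # Slides 24-25: the three database files. '*' blocks password logins until passwd
    # is run; changedDate 0 forces a change at first login; minLife 0, maxLife 30, warn 7.
    echo "$login:x:$uid:$gid:$fullname:/home/$login:$shell" >> "$passwd_file"
    echo "$login:*:0:0:30:7:::" >> "$shadow_file"
    echo "$login:x:$gid:" >> "$group_file"

    # Slide 26: home directory private to the user, then the skeleton startup files.
    mkdir -p "$home"
    chmod 700 "$home"
    for f in "$ROOT"/etc/skel/.[a-zA-Z]*; do
        if [ -e "$f" ]; then cp -R "$f" "$home/"; fi
    done
    find "$home" -type f -exec chmod 644 {} +   # files only: 644 on a directory breaks it
    # Ownership can only be handed over by root; when rehearsing as a normal user skip it.
    if [ "$(id -u)" -eq 0 ]; then chown -R "$uid:$gid" "$home"; fi
    echo "$login:x:$uid:$gid:$fullname:/home/$login:$shell"
}

# seed_scratch_root DIR: constructed passwd/shadow/group files and a skeleton dotfile
# for rehearsal (sample data, not copied from a real system).
seed_scratch_root() {
    mkdir -p "$1/etc/skel" "$1/home"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'vaughang:x:257:100:George Vaughan:/export/home/vaughang:/bin/ksh' > "$1/etc/passwd"
    printf '%s\n' 'root:*:0:0:99999:7:::' 'vaughang:*:0:0:99999:7:::' > "$1/etc/shadow"
    printf '%s\n' 'root:x:0:root' 'users:x:100:' 'wheel:x:10:root' > "$1/etc/group"
    echo '# constructed skeleton startup file' > "$1/etc/skel/.bashrc"
}

# Stand-alone rehearsal in a scratch root.
demo() {
    ROOT=$(mktemp -d)
    seed_scratch_root "$ROOT"
    add_user_manually dummy1 "Mr. Dummy"
    tail -n 1 "$ROOT/etc/shadow" "$ROOT/etc/group"
    ls -la "$ROOT/home/dummy1"
    rm -rf "$ROOT"
}
demo
```

After the script, the remaining slide 25 steps still apply: run passwd for the new user, then su - to the account to test it.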
Slide 28: Adding Users (Notes)
Distributions often come with an /etc/skel directory containing default initialization files that are copied into user home directories.
System wide initialization files:
– /etc/profile
– /etc/bashrc
Initialization files in the user's home directory:
– $HOME/.bash_profile
– $HOME/.bashrc
Slide 29: Adding Users (Notes)
What is the order of execution of initialization files upon login? I added echo statements to the initialization files and here is what I found:
1. START /etc/profile
2. END /etc/profile
3. START /home/gvaughan/.bash_profile
   A. START /home/gvaughan/.bashrc
      i. START /etc/bashrc
      ii. END /etc/bashrc
   B. END /home/gvaughan/.bashrc
4. END /home/gvaughan/.bash_profile
So BASH executes /etc/profile and then $HOME/.bash_profile; $HOME/.bash_profile executes $HOME/.bashrc, which then executes /etc/bashrc.
Slide 30: Adding Users (Notes)
In Linux, the file /etc/login.defs contains system-wide login controls, such as:
– System location of mailboxes
– Number of login retries
– Delay between failed login attempts
– Default values for user admin commands
– Many other controls…
Slide 31: Adding Users with useradd (Red Hat)
In this scenario, we will add a user with the 'useradd' command. 'useradd' has many options; see the man page.
The user's name is Michael Johnson.
Slide 32: Adding Users with useradd (Red Hat)
Find out the default settings for useradd:
  # useradd -D
  GROUP=100
  HOME=/home
  INACTIVE=-1
  EXPIRE=
  SHELL=/bin/bash
  SKEL=/etc/skel
Slide 33: Adding Users with useradd (Red Hat)
Create the user with useradd:
  # useradd -c "Michael Johnson" -g students -G wheel -m -s /bin/ksh johnsonm
– -c specifies the user information field in /etc/passwd
– -g defines the primary GID (in /etc/passwd)
– -G defines secondary GIDs (in /etc/group)
– -m creates a home directory in /home if one does not exist
– -s overrides the default system shell (affects /etc/passwd)
Slide 34: Adding Users with useradd (Red Hat)
Check the contents of /etc/passwd, /etc/shadow and /etc/group:
  # tail /etc/passwd
  johnsonm:x:503:200:Michael Johnson:/home/johnsonm:/bin/ksh
Notice in /etc/passwd:
– useradd uses the next available UID
– the primary GID is students (see /etc/group below)
– the home directory is /home/johnsonm
– the default shell is ksh
Slide 35: Adding Users with useradd (Red Hat)
  # tail /etc/shadow
  johnsonm:!!:12102:0:99999:7:::
Notice in /etc/shadow:
– the password is !! (not defined)
– practically infinite maximum password age
Slide 36: Adding Users with useradd (Red Hat)
  # tail /etc/group
  students:x:200:
  wheel:x:10:root,gvaughan,johnsonm
Notice in /etc/group:
– johnsonm is explicitly in group wheel
– johnsonm is not listed in group students, yet this is Johnson's primary GID (why?)
Slide 37: Adding Users with useradd (Red Hat)
Change the password on johnsonm:
  # passwd johnsonm
  Changing password for user johnsonm
  New password:
  Retype new password:
  passwd: all authentication tokens updated successfully
Test the user account:
  # su - johnsonm
  $ pwd
  /home/johnsonm
  $ ls -al
  total 48
  drwx------  4 johnsonm students 4096 Feb 18 23:02 .
  drwxr-xr-x  7 root     root     4096 Feb 18 22:58 ..
  -rw-r--r--  1 johnsonm students   24 Feb 18 22:58 .bash_logout
Slide 38: Adding Users with useradd (Red Hat)
Switch back to 'root'. Reset the password age to Jan. 1st, 1970 so the new user has to change the password upon first login:
  # chage -d 0 -M 15 user_ID
– "-d 0" sets the last password change to 01/01/70
– "-M 15" requires the password to have a maximum age of 15 days
Slide 39: Disabling A User Account
Sometimes you may want to disable a user but not remove the account (e.g. a really old password).
This can be done quickly by prefixing a '*' to the password in /etc/shadow.
You can also use 'passwd -l userName'.
Slide 40: Disabling A User Account
We can also create a program (a pseudo shell) that just displays a message saying why the user is denied access and then exits. We then edit /etc/passwd and set the user's default shell to the pseudo shell.
Don't add the pseudo shell to /etc/shells.
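Slides 39 and 40 as an added example, not the lecture's code: lock_account puts a '*' in front of the shadow password field the way slide 39 describes, without stacking a second one on an account that is already locked; unlock_account removes the prefix again; is_locked recognises both the '*' of the slide and the '!' that passwd -l writes; make_pseudo_shell writes the small shell of slide 40 that prints the reason and exits, and disable_shell points the user's login application at it. All functions edit shadow- and passwd-format files passed as arguments, so they can be tried on the constructed samples below; on a live system the same edits would go through vipw. The function names, the sample entries and the placeholder hashes are mine.

```shell
#!/bin/sh
# Added example: disabling an account in shadow/passwd-format files (not the lecture's code).

# set_field FILE USER N VALUE: rewrite field N of USER's line, via a temp file.
set_field() {
    awk -F: -v OFS=: -v user="$2" -v n="$3" -v value="$4" '
        $1 == user { $n = value } { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# password_field SHADOW_FILE USER: the stored (hashed) password field.
password_field() {
    awk -F: -v user="$2" '$1 == user { print $2 }' "$1"
}

# is_locked SHADOW_FILE USER: true when the field starts with '*' (slide 39) or '!' (passwd -l).
is_locked() {
    case "$(password_field "$1" "$2")" in
        \**|!*) return 0 ;;
        *)      return 1 ;;
    esac
}

# lock_account SHADOW_FILE USER: prefix '*' so no password can match the field.
# The hash is kept behind the prefix, so unlock_account can restore the old password.
lock_account() {
    if is_locked "$1" "$2"; then return 0; fi        # already locked: leave it alone
    set_field "$1" "$2" 2 "*$(password_field "$1" "$2")"
}

# unlock_account SHADOW_FILE USER: strip one leading '*' or '!' from the password field.
unlock_account() {
    pw=$(password_field "$1" "$2")
    case "$pw" in
        \**) pw=${pw#\*} ;;
        !*)  pw=${pw#!} ;;
    esac
    set_field "$1" "$2" 2 "$pw"
}

# make_pseudo_shell PATH MESSAGE: a login "shell" that prints the reason and exits non-zero.
# Deliberately not added to the shells file (slide 40); MESSAGE must not contain a single quote.
make_pseudo_shell() {
    printf '#!/bin/sh\n# Pseudo shell for disabled accounts (constructed example).\necho '"'%s'"'\nexit 1\n' "$2" > "$1"
    chmod 755 "$1"
}

# disable_shell PASSWD_FILE USER PSEUDO_SHELL: point the user's login application at it.
disable_shell() {
    set_field "$1" "$2" 7 "$3"
}

# make_sample_files SHADOW_OUT PASSWD_OUT: constructed entries with placeholder hashes.
make_sample_files() {
    printf '%s\n' 'gvaughan:$1$saltsalt$PLACEHOLDERHASH000000:12198:0:99999:7:::' \
        'olduser:$1$saltsalt$PLACEHOLDERHASH000001:11000:0:99999:7:::' \
        'johnsonm:!!:12102:0:99999:7:::' > "$1"
    printf '%s\n' 'olduser:x:504:100:Old User:/home/olduser:/bin/bash' > "$2"
}

# Stand-alone run: lock olduser both ways and show the resulting entries.
scratch=$(mktemp -d)
make_sample_files "$scratch/shadow" "$scratch/passwd"
lock_account "$scratch/shadow" olduser
make_pseudo_shell "$scratch/disabled.sh" 'This account has been disabled; contact the help desk.'
disable_shell "$scratch/passwd" olduser "$scratch/disabled.sh"
cat "$scratch/shadow" "$scratch/passwd"
sh "$scratch/disabled.sh" || true
rm -rf "$scratch"
```

Locking the password and replacing the shell are complementary: the first stops password logins, the second also stops logins that never present a password (an ssh key, for instance), which is why the slides offer both.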
Slide 41: Removing Users
The book provides a list of tasks to be performed if you wish to remove a user account (including the home directory, etc.).
See the man page for 'userdel'.
Slide 42: System Directories
/
– bin
– boot: grub, vmlinuz
– dev: null
– etc: rc*.d, group, passwd
– home
– initrd
– lib
– lost+found
– misc
– mnt
– opt
– proc
– root
– sbin
– tftboot
– tmp
– usr: include, src
– var
Slide 43: /bin
Contains executables for basic commands.
Examples of commands in /bin: awk, bash, cat, chmod, cp, date, echo, grep, kill, ls, ps, pwd, …
If you create a shell or perl script that others would find useful, this is a good location for it.
Don't replace or change existing system commands in this directory, unless upgrading the O.S.
Slide 44: /boot
Contains the kernel executable:
– /boot/vmlinuz
Contains the directory for grub (the boot loader):
– /boot/grub
– The ASCII configuration file for grub is /boot/grub/grub.conf
– Note that /etc/grub.conf is a symbolic link to /boot/grub/grub.conf
Slide 45: /dev
Contains entries for devices such as disk partitions, tape drives, printers, etc.
In Unix/Linux, every device is treated as if it were a file. Very nice: the O.S. provides a generalized file-like interface to hardware.
/dev/null is a 'fake' device which stores nothing:
– a 'bit bucket'
– useful for "throwing away" error or warning messages
– example: myprog 2>/dev/null will throw away all error messages
Slide 46: /etc
Contains many system configuration files. System administrators do much of their work with files here.
Examples of config files and config directories in /etc: passwd, group, shadow, rc*.d, init.d, inittab, hosts, httpd
Slide 47: /home
Usual location for user home directories (other directories may also be used for home directories).
Slide 48: /initrd
Facilitates the use of a RAM disk during the boot sequence. The RAM disk version of initrd is used during the boot process to hold a minimum set of drivers. When initrd is no longer needed, it is moved to /initrd so it can be unmounted.
Slide 49: /lost+found
fsck (file system check) is a utility that runs during the boot process to check the integrity of file systems. fsck can also be run after the boot process on unmounted file systems.
If fsck finds corrupted files, the corrupted files are placed in the /lost+found directory.
Slide 50: /misc
Used for mounting:
– removable devices such as zip drives
– remote filesystems when using network file systems
Slide 51: /mnt
A directory containing mount points for filesystems. Usually used for mounting filesystems after system boot.
For example, a Windows filesystem may be mounted at /mnt/dos.
Slide 52: /opt
Used for installing "optional" software packages.
Slide 53: /proc
A virtual filesystem. Contains a directory for each running process.
Each process directory has the executing image, and files containing different kinds of process statistics for that process, such as the current working directory, process state, PID, etc.
Information in these "files" is updated by the kernel in real time.
Slide 54: /root
Home directory of the super user 'root'. Not to be confused with the root directory, '/'.
Why do you think the home directory for root is not in /home?
Slide 55: /sbin
Contains many commands for system administration.
Examples: fsck, fdisk, halt, shutdown, nologin, mkfs
Slide 56: /tftboot
Used to allow client machines and diskless workstations to boot off of a central server.
Slide 57: /tmp
– Used for temporary files
– Any user can read and write to this directory
– Cleaned by tmpwatch, which runs periodically under cron, removing old files in /tmp
– /tmp is not intended for permanent storage
Slide 58: /usr
– Used to be the location of user home directories
– Contains many common library and header files
– Contains many subdirectories such as /usr/bin, /usr/include, /usr/lib
– /usr/src/linux-2.4 contains the source code for the Linux kernel
– /usr/src/linux-2.4/init contains the source for the init process
– /usr/include/stdio.h is the standard I/O header file for the 'C' language
– /usr/share/man: location of the system man pages
Slide 59: /var
Contains files which are constantly varying. Examples:
– log files
– print spoolers
– mail spoolers
Slide 60: References
– Essential System Administration, Aeleen Frisch, 2002
– Linux Administration Handbook, Evi Nemeth et al., 2002
– Red Hat Fedora and Enterprise Linux 4, Christopher Negus, 2005