Linux - User management

UNIX

First step for the administrator

When several people have access to a system, the administrator must manage the users. To do so, he must know the common commands and files to be configured.

The important files are:

the /etc/passwd file
the /etc/group file

The /etc/passwd file

The /etc/passwd file contains all the information relating to the user (login, passwords, etc.). Only the superuser (root) must be able to change it. It is therefore necessary to change the rights of this file so that it can only be read by other users.

This file has a special format making it possible to locate each user, each of its lines has the following format:

account_name : password : user_number : group_number : comment : directory : start_program

Seven fields are specified separated by the character ":":

the user's account name
the user's password(encrypted, of course)
the number identifying the user to the operating system (UID=User ID, user identification)
the number identifying the user's group (GID=Group ID, group identification)
the comment where information on the user or simply his real name can be found
the connection directory which is the directory in which the user finds himself after being connected to the system
the command is executed after connection to the system (often, this is the command interpreter)

Here is an example of a passwd file:

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/bin/bash

daemon:x:2:2:daemon:/sbin:/bin/bash

news:x:9:13:News system:/etc/news:/bin/bash

uucp:x:10:14::/var/lib/uucp/taylor_config:/bin/bash

cquoi:x:500:100:Cool......:/home/cquoi:/bin/bash

It is important to know that the passwords located in this file are encrypted. It is therefore useless to edit and replace the password field by directly typing the password, which would only cause the account to be blocked.

When a user connects, the login program compares the password typed in by the user (after encrypting it) with the password stored in the passwd file. If they do not match, the connection can not be established.

To prohibit use, simply replace the encrypted password by a star: "*".

Access to an account may potentially be left open by leaving the password field empty. Anybody wishing to connect with this account can then do so.
To be able to change an account password using the passwd command, you must either be a system administrator or the account owner (the system will then ask the user to enter the old password before asking him to enter the new password twice).

UID: (unique) identifier for each user account. Numbers beween 0 and 99 are frequently reserved for the machine's own accounts. Numbers higher than 100 are reserved for user accounts.

GID: group identifier. The default group (called group) has the number 50. This identifier is used in connection with access rights to the files. This issue will only concern you if your system has more than one user group. (In which case, you must pay attention to the /etc/group file.

From the shell, it is possible to change the command interpreter. To do so, use the chsh or passwd -s command. Linux will then look for the program you have specified in the /etc/shells file. Only commands that are present in this file will be accepted and will replace the current value of the start_program field. These restrictions do not apply to the superuser account.
Make sure that the access rights for the /etc/shells file are the same as for the /etc/passwd file
The superuser may not necessarily be called root. To change this, simply replace the root account name with the desired name.
A privileged account is an account whose identifier (UID, User ID) is zero.

The /etc/group file

The /etc/group file contains a list of users belonging to the different groups. In fact, when a large number of users have access to the system, they are frequently placed in different groups, each of which has it own access rights to the files and directories.

It has different fields that are separated by ":":

groupe_name : special_field : group_number : member1, member2

The special field is frequently blank.
The group number is the number which makes the link between the /etc/group and /etc/passwd files.

Here is an example of a /etc/group file:

root:x:0:root

bin:x:1:root,bin,daemon

daemon:x:2:

tty:x:5:

disk:x:6:

lp:x:7:

wwwadmin:x:8:

kmem:x:9:

wheel:x:10:

mail:x:12:cyrus

news:x:13:news

When the ls command is used with the option -l, the group number is displayed with the number of the user to whom the file (or the directory) belongs. This unique number corresponds to a unique group name (often 8 characters max.).
The same user can appear in several groups. When he connects to the system he belongs to a group specified in the /etc/passwd (in the GID field). He can change this using the newgrp command. The file access rights are then defined.
File protections must prevent the modification of files by non-privileged users.
To add a group, the administrator can change the /etc/group file using a text editor. He can also use the addgroup or groupadd command (not always present). In the first instance, he will only have to add the line(s) relating to the groups. For example, the line:
```
admin : : 56 : CCM
```
To add a user to a group, edit the /etc/group file and add the name at the end of the line, separating the names of the members using a comma.
To delete a group, edit the /etc/group file and delete the corresponding line. Please note, do not forget to change the the numbers (GID) of the deleted group in the /etc/passwd file, if users belonged to it. It is also important to search the files and directories of this group to change this (otherwise, the files and directories may become inaccessible).

Customizing the shell

Use the /etc/profile file to configure the shell. This relates to all users.

Firstly, find the Shell variables such as OPENWINHOME, PATH, etc.
Then, the type of terminal and the TERM variable are defined.
One part is reserved for the shell prompt, finally a last one makes it possible to define the colors for the ls command.

When Linux starts up, it is advisable to have the numeric keypad turned on, which does not happen by default.
There are then only several lines to be added to the /etc/profile file, which are:

INITTY=/dev/tty[1-7]

for tty in $INITTY;

do setleds -D +num < $tty

done

When connecting to the shell, the first thing that appears is the prompt, which can be configured how as user wants.
If the administrator wants a prompt which reads: "Hello#", just edit the /etc/profile file. This file contains a variable called PS1. All lines relating to this variable must then be preceded by a hash: #. So the line PS1='Hello#' must be added.

All that remains is to save and log on again. You will then notice several changes.
Tip: leave a blank space after the prompt to improve readability.

It is also possible to use variables in the prompt (for example, to display the time or name of the machine, etc.):

\d	to add the date (English format)
\t	to add the time(HH:MM:SS)
\u	to add the user name
\r	to return to the line
\w	to add the full path of the current directory
\W	to add the current directory
\h	to add the name of the machine

The color can also be changed. To do so, use the variable PS1 as follows:

PS1='\[\033[num_colorm]desired_prompt\033[0m]'

The color number is shown in the list below:

Black	0;30
Red	0;31
Green	0;32
Brown	0;33
Blue	0;34
Violet	0;35
Cyan	0;36
Light Gray	0;37
Gray	1;30
Pink	1;31
Light Green	1;32
Light Brown	1;33
Light Blue	1;34
Light Violet	1;35
Light Cyan	1;36
White	1;37

Here is an example which shows the time followed by the user name in red:

PS1='\t \[\033[0;31m]\u\033[0m]'