You are the administrator of any computers that you have root on. This might be your desktop box with one or two users, or it might be a big server with several hundred. Regardless, you'll need to know how to manage users and safely bring down the system. They are both seemingly simple, but do have some quirks to get used to. In addition, you'll have to deal with some of the ideas behind how the password system works.
The easiest way to manage users and groups is with the supplied scripts and programs. Slackware includes the programs adduser, userdel(8), chfn(1), chsh(1), and passwd(1) for dealing with users. Slackware includes groupadd(8), groupdel(8), and groupmod(8) for dealing with groups. With the exception of chfn, chsh, and passwd, these are programs that can only be run as root and are therefore located in /usr/sbin. chfn, chsh, and passwd can be run by anyone and are located in /usr/bin.
Users are added with the adduser program. We'll start out by going through the whole procedure, showing all the questions that are asked and a brief description of what everything means. The default answer is in the brackets, and can be chosen for almost all the questions, unless you really want to change something.
# adduser Login name for new user (8 characters or less) []: jellyd |
This is the name that the user will use to login. It needs to be eight characters or less, because all the login utilities expect it to be so. Generally, you should only use lowercase characters unless you want to type uppercase letters in inconvenient places.
User id for jellyd [ defaults to next available]:
The user ID (UID) is how ownerships are really determined in Linux. Each user has a unique number, starting at 1000 in Slackware. You can pick a UID for the new user, or you can just let adduser assign the user the next free one.
Initial group for jellyd [users]:
All users are placed into the “users” group by default. You might want to place the new user into a different group, but it is not recommended.
Additional groups for jellyd (seperated with commas, no spaces) []:
This question allows you to place the new user into additional groups. It is possible for a user to be in several groups at the same time. This is useful if you have established groups for things like modifying web site files, playing games, and so on.
jellyd's home directory [/home/jellyd]:
Home directories default to being placed under /home. If you run a very large system, it's possible that you have moved the home directories to a different scheme. This allows you to change where the user's home directory will be. You can also disable an account by changing a person's home directory to something like /bin/false, though this is not the recommended method.
jellyd's shell [/bin/bash]:
bash is the default shell for Slackware Linux, and will be fine for most people. If your new user comes from a Unix background, they may be familiar with a different shell. You can change their shell now, or they can change it themselves later using the chsh command.
jellyd's account expiry date (YYYY-MM-DD) []:
Accounts can be set up to expire on a specified date. By default, there is no expiration date. You can change that, if you'd like. This option might be useful for people running an ISP who might want to make an account expire upon a certain date, unless they recieve the next year's payment.
OK, I'm about to make a new account. Here's what you entered so far: New login name: jellyd New UID: [Next available] Initial group: users Additional groups: [none] Home directory: /home/jellyd Shell: /bin/bash Expiry date: [no expiration] This is it... if you want to bail out, hit Control-C. Otherwise, press ENTER to go ahead and make the account. |
You now see all the information that has been entered about the new account, and are given the opportunity to stop. If you entered something incorrectly, you'll have to hit Control-C and start over. Otherwise, you can hit enter and the account will be made.
Making new account... Changing the user information for jellyd Enter the new value, or press return for the default Full Name []: Jeremy Room Number []: Smith 130 Work Phone []: Home Phone []: Other: |
All of this information is optional. You don't have to enter any of this if you don't want to, and the user can change it at any time using chfn. However, it might be useful to enter at least the full name and phone numbers, just in case you need to get in touch with the person.
Changing password for jellyd Enter the new password (minimum of 5, maximum of 127 characters) Please use a combination of upper and lower case letters and numbers. New password: Re-enter new password: Password changed. Done... |
You'll have to enter a password for the new user. Generally, if the new user is not physically present at this point, you'll just pick some default password and tell the user to change it to something more secure.
Choosing a Password | |
---|---|
Having a secure password is the first line of defense against getting cracked. You do not want to have an easily guessed password, because that makes it easier for someone to break into your system. Ideally, a secure password would be a random string of characters, including upper and lowercase letters, numbers, and random charactes. Just remember that a tab character might not be a wise choice, depending on what kinds of computers you'll be logging in from. In general, just use common sense: don't pick a password that is someone's birthday, a common phrase, something found on your desk, or anything that is easily associated with you. “secure1” is also bad. |
Removing users is not difficult at all. Just run userdel with the name of the account to remove. You'll have to make sure that the user is not logged in, and that no processes are running as that user. Also, remember that once you've deleted the user, they're gone.
# userdel jellyd |
Doing this would remove that annoying “jellyd” guy from your system. Good riddance :) This removes the user from the /etc/passwd and /etc/group files, but doesn't remove the user's home directory. If you wanted to remove the home directory as well, you would do the following:
# userdel -r jellyd |
Temporarily disabling an account will be covered in the section called Changing Passwords since that involves modifying the user's password. Changing account information is covered in the section called Changing Passwords and the section called Changing User Information.
The programs to add and remove groups are very simple. groupadd will just add another entry to the /etc/group file with a unique group ID, while groupdel will remove the specified group. It is up to you to go in and edit /etc/group to add users to a specific group.
You create a group like so:
# groupadd cvs |
And remove it like so:
# groupdel cvs |
Of course, it is possible to add, modify, and remove users and groups by hand. After looking through this procedure, you'll probably find it much more convenient to use the scripts, though.
First, we'll add a new user to the /etc/passwd(5), /etc/shadow(5), and /etc/group(5) files. The passwd file holds some information about the user, but (strangely enough) not their password. The passwd file has to be readable by anyone, but you don't want encrypted passwords world-readable because this gives would-be crackers a good place to start. So the encrypted passwords are kept in the shadow file, which is only readable by root, and everyone's password is entered into the passwd file as “x”. The group file lists all the groups and who is in each.
Let's go ahead and examine the /etc/passwd file and figure out how to add someone. A typical entry in passwd looks like this:
chris:x:1000:100:Chris Lumens,Room 2,,:/home/chris:/bin/bash |
Each line is an entry for one person, and fields on each line are separated by a colon. The fields are the login name, encrypted password (“x” for everyone on a Slackware system, since we use the shadow password suite), user ID, group ID, the optional finger information separated by commas, home directory, and shell. What you have to do in this file is add a new line onto the end, filling in the appropriate information.
Make sure that the password is an x, that the user ID is unique, that they are in group 100 (the “users” group under Slackware), and that they have a valid shell.
Next, we'll need to add an entry in the /etc/shadow file, which holds the passwords. A typical entry looks like this:
chris:$1$w9bsw/N9$UWLr2bRER6YyBS.CAEp7R.:11055:0:99999:7::: |
Again, each line is an entry for one person and the fields are separated by colons. The fields are the login name, encrypted password, days since the Epoch (January 1, 1970) that the password was last changed, days before the password may be changed, days after which the password must be changed, days before password expiration that the user is notified, days after expiration that the account is disabled, days since the Epoch that the account is disabled, and a reserved field.
As you can see, most of that is for account expiration information. If you aren't using expiration information, you only need to fill in a few fields with some special values. Otherwise, you'll need to do some calculations and decision making before you can fill those fields in. For our new user, put some random garbage in the password field. Don't worry about what the password is right now because you're going to change it in a minute. The only character you cannot include in the password field is a colon. Leave the “days since password was changed” field blank as well. Fill in 0, 99999, and 7 just as you see in the example entry, and leave the other fields blank.
For those of you who see my encrypted password above and think you've got a leg up on breaking into my system, go right ahead. If you can crack that password, you'll know the password to a firewalled test system. Now that's useful :)
Since everyone is a member of the “users” group by default, you won't need to add the new user to it. If you want to create a new group or add the new user to other groups, you'll need to modify the /etc/group file. Here is a typical entry:
cvs::102:chris,logan,david,root |
The fields are group name, group password, group ID, and group members. Creating a new group is a simple matter of adding a new line with a unique group ID and listing all the people you want to be in the group. Any users that are in this new group and are logged in will have to log out and log back in for those changes to take effect.
Now, go back and use the passwd command to create a new password for the user. Then, use mkdir to create the new user's home directory in the location you entered into the /etc/passwd file.
If you've installed sendmail(8) on your system and actively use mail, you will need to create a new file in /var/spool/mail with the proper permissions and ownerships for this new user. Here's an example:
# touch /var/spool/mail/jellyd # chown jellyd.users /var/spool/mail/jellyd # chmod 660 /var/spool/mail/jellyd |
Those commands would create a mail file for the new user “jellyd” and set up the correct ownerships and permissions.
Removing a user is a simple matter of getting rid of everything you just created. Remove the user's entry from /etc/passwd and /etc/group. Remove their login name from any groups in the /etc/group file, remove their mail spool file if they have one, and delete their home directory if needed.
Removing groups is a simple matter of removing the group's entry from /etc/group.
The passwd program changes passwords by modifying the /etc/shadow file. This file holds all the passwords for the system in an encrypted format. In order to change your password, you would type:
$ passwd Changing password for chris Old password: Enter the new password (minumum of 5, maximum of 127 characters) Please use a combination of upper and lower case letters and numbers. New password: |
As you can see, you are prompted to enter your old password. It won't appear on the screen as you type it, just like when you log in. Then, you are prompted to enter the new password. passwd performs a lot of checks on your new password, and it will complain if your new password doesn't pass its checks. You can ignore its warnings if you want. You will eventually be prompted to enter your new password again for confirmation.
If you are root, you can also change another user's password:
# passwd ted |
You will then have to go through the same procedure as above, except that you won't have to enter the old password. (One of the many benefits of being root...)
If you've got some troublemakers on your system, you can also temporarily disable their accounts. Later on, you can reenable their accounts. Both disabling an account and reenabling an account can be done with passwd. To disable an account, do the following as root:
# passwd -l david |
This will change david's password to something that can never match any encrypted value. Then, you would change their password back later by typing this:
# passwd -u david |
Now, david's account is back to normal. Disabling an account might be useful if the user doesn't play by the rules you've set up on your system or if they've exported a very large copy of xeyes(1) to your X desktop.
There are two pieces of information that a user can change about their account at any time: their shell and their finger information. Slackware Linux uses chsh (change shell) and chfn (change finger) to modify these values.
A user can pick any shell that is listed in the /etc/shells file. For most people, bash will do just fine. Others might be familiar with a shell found on their Unix system at work or school and want to use what they already know. The shell is changed using chsh:
$ chsh Password: Changing the login shell for chris Enter the new value, or press return for the default Login Shell [/bin/bash]: |
After entering your password, enter the full path to the new shell. Make sure that it's listed in the /etc/shells(5) file first. root can also change a user's shell by running chsh with a username as the argument.
The finger information is the optional information such as your full name, phone numbers, and room number. This can be changed using chfn, and follows the same procedure as it did during account creation. As usual, root can change anyone's finger information.