Users
Users are defined in the /etc/passwd file. It looks like this
root:5rhfVf3ogJ.co:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/home/ftp:
nobody:*:99:99:Nobody:/:
randy:8qWn2TC..oGsQ:999:1001:Randy Appleton,149D West Science,227-1593:/home/randy:/bin/bash
beyond:dGBLiC3lDyX7M:1052:1052:Brad Pouls:/home/beyond:/bin/bash
jwillco:gAG0YW2DQbv22:371:371:Jeremiah Willcock:/home/jwillco:/bin/tcsh
tproehl:ZcHZbHgvz79cM:9000:9000:Todd Proehl:/home/tproehl:/bin/bash
The fields, separated by colons, are
- User name.
- The hashed password (traditionally crypt(3) output with a two-character salt), or an 'x' if the password is stored in /etc/shadow.
- The user ID (UID).
- The group ID (GID) of the user's primary group.
- User identification, also called the GECOS or comment field: full name, office, phone and so on. Randy's entry above shows the comma-separated form that 'finger' understands.
- The home directory.
- The shell, or other program, to start when they log in.
User and Group ID's
The user ID zero is special. User ID zero has superuser privileges. The name 'root' is NOT special: any account whose UID is 0 is the superuser, whatever it is called, so a second UID 0 entry in the file is a second root account. If two users have the same user ID they are the SAME account as far as the kernel is concerned. The system will never distinguish between them; files, processes and permissions belong equally to both.
The group ID is just the starting (primary) group ID. A user can change their current primary group with the 'newgrp' command.
Passwords
All passwords are stored hashed with a 'salt'. In the traditional crypt(3) form shown above, the salt is two characters chosen at random when the password is set, and it is kept as the first two characters of the 13-character field (root's salt above is '5r'; the remaining 11 characters are the hash). Two users with the same password therefore get different entries, so you cannot tell from the file that they share one, and an attacker cannot hash a dictionary once and compare it against every entry; each salt has to be attacked separately. Note that the salt does NOT stop someone from copying an entry: paste root's field into another user's entry and that user's password is now root's password, which is one reason the file must be writable only by root.
The traditional hash is always 13 characters. Newer schemes produce longer strings beginning with '$' and a scheme number, such as the '$1$' (MD5) entry for root in the shadow example below. A field that is not a valid hash of any kind, such as '*' or anything beginning with '!', can never equal the hash of a password, so that account can NEVER log in with a password; that is how system accounts like bin and daemon above are locked. Passwords are not stored in plaintext.
The hash is one way: there is no way to compute the password back from it, nor is it needed, because login hashes what the user types with the same salt and compares the results. What an attacker CAN do is guess: hash candidate passwords with the stored salt and look for a match, which is exactly what the cracking tools mentioned below do. Remember that this file is world readable, so every hash in it is available for that.
Some systems (including ours) use shadow passwords. In these systems the password entry in /etc/passwd is stored as 'x', and the passwords themselves are kept in a special file called /etc/shadow, which is readable only by root. These systems are more secure because a user who can read /etc/passwd no longer gets any hashes to guess against.
Home Dir
The home directory just tells where you start when you first log in, and is the value the $HOME shell variable is set to.
Shell
This tells what program to run when they first log in. It need not be a 'shell'. Some users like 'ppp' run special programs like 'pppd'. Setting this to a program that exits at once, such as /bin/false or /sbin/nologin, means the user cannot log in interactively. It does not lock the password, though: a service that checks the password but never starts the shell (ssh port forwarding, for example) may still accept the account, so lock the password as well when an account is meant to be unusable.
Shadow
The passwords are often defined in the file /etc/shadow. If so, then the password field in /etc/passwd holds only the placeholder 'x'. This is done because /etc/passwd is world readable, and must stay world readable or *many* programs like finger and ls break (they need it to turn UIDs into names), while /etc/shadow is readable by root only. It looks like this
root:$1$uYKmNlyy$mqnsEESBvzKAplyWGYUZN.:11226:0:99999:7:::
bin:*:10914:0:99999:7:::
daemon:*:10914:0:99999:7:::
adm:*:10914:0:99999:7:::
The fields are
- Login name
- Encrypted (hashed) password; '*' or a field beginning with '!' locks the account
- Days since Jan 1, 1970 that the password was last changed (0 forces a change at the next login)
- Minimum days before the password may be changed again
- Maximum days after which the password must be changed
- Days before the password expires that the user is warned
- Days after the password expires during which it is still accepted before the account is disabled (the inactivity period)
- Days since Jan 1, 1970 on which the account itself expires and is disabled
- A reserved field
An empty aging field means that aspect of aging is not enforced; 99999 as the maximum age, as above, means the password effectively never expires.
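As an added example (not code from the original page), the following turns the aging fields of shadow records into the state login would report for each account. The root line is the one shown above; the other lines, their '$1$...' hashes and the chosen 'today' (day 11300, a little after root's last change on day 11226) are constructed for the demonstration. Day numbers are used directly, as the file does, so the results are reproducible.

```python
"""Interpret the aging fields of /etc/shadow records.

Added example, not code from the original page.  "Today" is passed in as
days since Jan 1, 1970, the unit the file uses, so the result is
reproducible.  The root line is the one shown above; the other lines and
their '$1$...' hashes are constructed placeholders for the demonstration.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

SAMPLE_SHADOW = """\
root:$1$uYKmNlyy$mqnsEESBvzKAplyWGYUZN.:11226:0:99999:7:::
bin:*:10914:0:99999:7:::
newhire:$1$saltsalt$placeholderhashplaceho:0:0:90:7:::
contractor:$1$saltsalt$placeholderhashplaceho:11200:0:90:7::11290:
stale:$1$saltsalt$placeholderhashplaceho:11200:0:90:7:30::
gone:$1$saltsalt$placeholderhashplaceho:11000:0:90:7:30::
nearly:$1$saltsalt$placeholderhashplaceho:11215:0:90:7:::
"""
TODAY = 11300   # constructed "today" for the demonstration


def days_to_date(days):
    """Convert a shadow day count to a calendar date (for display)."""
    return EPOCH + timedelta(days=days)


def parse_shadow_line(line):
    """Split one shadow record into a dict; empty aging fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    num = lambda s: int(s) if s != "" else None
    return {"name": f[0], "hash": f[1], "lastchg": num(f[2]), "min": num(f[3]),
            "max": num(f[4]), "warn": num(f[5]), "inactive": num(f[6]),
            "expire": num(f[7])}


def password_state(rec, today):
    """Classify an account the way login would on day 'today'.

    Returns one of: locked, account-expired, must-change, disabled,
    expired, warn, ok.
    """
    if rec["hash"] == "*" or rec["hash"].startswith("!"):
        return "locked"
    if rec["expire"] is not None and today >= rec["expire"]:
        return "account-expired"          # field 8: the account itself has expired
    if rec["lastchg"] == 0:
        return "must-change"              # 0 forces a change at next login
    if rec["lastchg"] is None or rec["max"] is None:
        return "ok"                       # password aging not in use
    expires_on = rec["lastchg"] + rec["max"]
    if today >= expires_on:
        if rec["inactive"] is not None and today >= expires_on + rec["inactive"]:
            return "disabled"             # inactivity period also used up
        return "expired"                  # must change the password at login
    if rec["warn"] is not None and today >= expires_on - rec["warn"]:
        return "warn"
    return "ok"


def shadow_report(text, today):
    """Map each login name in a shadow file to its password state."""
    return {rec["name"]: password_state(rec, today)
            for rec in (parse_shadow_line(l) for l in text.splitlines() if l.strip())}


if __name__ == "__main__":
    for name, state in shadow_report(SAMPLE_SHADOW, TODAY).items():
        print(f"{name:12} {state}")
    print("root's password last changed", days_to_date(11226))
```

The order of the checks matters: a locked hash or an expired account wins over any password aging, and a last-change day of 0 is a forced change regardless of the other fields. Running the block shows root as 'ok' (99999 days of maximum age), the contractor as expired by the account date even though the password itself is fine, and 'gone' as disabled because its 30-day inactivity period after expiry has run out.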
Groups
Groups are defined in the file /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root
The fields are...
- Group name -- name of the group
- Password -- a hashed group password, used by 'newgrp' to let users who are not listed members join the group. It is normally empty (or kept in /etc/gshadow on shadow systems), in which case only the listed members can join.
- GID -- The numeric ID of the group. The GID in a user's passwd entry should match one of these.
- User List -- A comma separated list of users in the group
Each user has exactly one current (primary) group, which is the group new files are created in. On any modern Unix, however, a process also carries the supplementary groups its user is listed in here, and those count for permission checks at the same time. So if a file is readable by group 'staff' and you are in staff's user list, you can already read it; 'newgrp staff' is only needed on old systems without supplementary groups, or when you want the files you create to belong to staff. Group membership is read at login, so a user added to a group must log in again before it takes effect. You can see what groups you are in with the 'groups' or 'id' command.
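An added example (not code from the original page) of resolving the groups a user is actually in, combining the GID field of passwd with the user lists of group the way the 'groups' and 'id' commands do. The sample files are constructed: randy's primary group is 'users' (GID 1001, as in the passwd example above) and he is also listed in a 'staff' group, so a file readable by group staff is readable by him with no newgrp.

```python
"""Resolve a user's primary and supplementary groups from passwd and group files.

Added example, not code from the original page.  The primary group is the
GID field of the passwd record; supplementary groups are every group whose
user list names the user.  On a modern Unix both apply at the same time,
which is what 'groups' and 'id' print.  The sample files are constructed.
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
randy:x:999:1001:Randy Appleton:/home/randy:/bin/bash
beyond:x:1052:1052:Brad Pouls:/home/beyond:/bin/bash
"""

SAMPLE_GROUP = """\
root::0:root
bin::1:root,bin,daemon
staff::50:randy
users::1001:
beyond::1052:
"""


def parse_group(text):
    """Return {gid: (group_name, [members])} from /etc/group contents."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _password, gid, members = line.split(":")
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups


def primary_gid(passwd_text, user):
    """The GID field of the user's passwd record."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return int(fields[3])
    raise KeyError(f"no passwd entry for {user}")


def effective_groups(passwd_text, group_text, user):
    """Return (primary group name, sorted names of all groups the user is in)."""
    groups = parse_group(group_text)
    gid = primary_gid(passwd_text, user)
    # 'groups' prints the bare number when the GID has no /etc/group entry.
    primary = groups[gid][0] if gid in groups else str(gid)
    names = {primary}
    names.update(name for name, members in groups.values() if user in members)
    return primary, sorted(names)


def can_read_group_file(passwd_text, group_text, user, file_group):
    """True if a file readable by group 'file_group' is readable by 'user'
    without any 'newgrp': membership via /etc/group is enough."""
    return file_group in effective_groups(passwd_text, group_text, user)[1]


if __name__ == "__main__":
    for user in ("root", "randy", "beyond"):
        primary, all_groups = effective_groups(SAMPLE_PASSWD, SAMPLE_GROUP, user)
        print(f"{user}: primary={primary} groups={' '.join(all_groups)}")
    print("randy can read a staff-group file:",
          can_read_group_file(SAMPLE_PASSWD, SAMPLE_GROUP, "randy", "staff"))
```

Note that root appears in the 'bin' user list but its primary group is 'root'; a file root creates gets group root unless root runs 'newgrp bin' first, which is the one thing newgrp is still for.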
How to make a New User
Manually, you have several things you need to do...
- Add an entry into /etc/passwd. Do NOT leave the password field empty: an empty field means anyone can log in as that user with no password at all. Put '*' there, or 'x' if you have shadow passwords; in that case also make an entry in /etc/shadow with a locked password ('!' or '*') and set the real one with passwd afterwards. Remember that the UID must be unique, since two entries with the same UID are the same account.
- Add an entry to /etc/shadow if need be.
- Make the home directory. Change the ownership of it to this new user.
- Copy any needed "dot files" from /etc/skel. Remember that cp * /home/user does not copy dot files, and that cp .* /home/user copies too much ('.*' also matches '.' and '..', so a recursive copy drags in the parent directory). Copying the directory contents with a trailing '/.', as in 'cp -a /etc/skel/. /home/user', avoids both problems. Change the ownership of these files too, or the user will not be able to edit their own login files.
- Set the password for this user with 'passwd user'.
- Test it, by logging in as the new user rather than just reading the files back.
Much easier and safer is to use the 'adduser' command: just type 'adduser name' and everything above happens for you, then set the password with 'passwd name'. On many Linux systems adduser is just a link to useradd, whose -p option expects an already hashed password, not a plain one; and anything typed on the command line ends up in the shell history and in process listings, so setting the password with passwd is the better habit anyway.
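The steps above, carried out by an added example (not code from the original page, and not what adduser itself does) that works inside a directory prefix so an ordinary user can try it on a scratch directory; with prefix "/" and root privileges it would act on the real files. It departs from the text on purpose where the text is unsafe or underspecified: the password is written locked ('x' in passwd, '!' in shadow) rather than empty, the GID defaults to the UID (a private group, my assumption), and the skel copy uses copytree so dot files come along without picking up '..'. The scratch prefix it builds, with two passwd entries and one dot file in skel, is constructed for the demonstration.

```python
"""Carry out the manual new-user steps above inside a directory prefix.

Added example, not code from the original page and not what 'adduser'
itself does.  The prefix lets an ordinary user try it on a scratch
directory; with prefix "/" and root privileges it would act on the real
files.  Differences from the text, on purpose: the password is written
locked ('x' in passwd, '!' in shadow) rather than empty, so the account
is unusable until 'passwd name' sets one; the GID defaults to the UID
(a private group, an assumption); and the skel copy uses copytree so
dot files come along without picking up '..'.
"""
import os
import shutil
import tempfile
from datetime import date

EPOCH = date(1970, 1, 1)


def read_lines(path):
    """Non-empty lines of a file, or [] if it does not exist yet."""
    try:
        with open(path) as fh:
            return [l for l in fh.read().splitlines() if l]
    except FileNotFoundError:
        return []


def passwd_records(lines):
    """Well-formed (7-field) passwd records, split into fields."""
    return [l.split(":") for l in lines if len(l.split(":")) == 7]


def next_uid(passwd_lines, start=1000):
    """Smallest UID >= start that no passwd record uses."""
    used = {int(r[2]) for r in passwd_records(passwd_lines) if r[2].isdigit()}
    uid = start
    while uid in used:
        uid += 1
    return uid


def create_user(prefix, name, gecos, shell="/bin/bash", uid=None, gid=None, today=None):
    """Add passwd and shadow entries, make the home, copy skel, chown.  Returns the UID."""
    etc = os.path.join(prefix, "etc")
    os.makedirs(etc, exist_ok=True)
    passwd_path = os.path.join(etc, "passwd")
    shadow_path = os.path.join(etc, "shadow")
    records = passwd_records(read_lines(passwd_path))

    if any(r[0] == name for r in records):
        raise ValueError(f"user {name} already exists")
    if uid is None:
        uid = next_uid(read_lines(passwd_path))
    elif any(r[2] == str(uid) for r in records):
        owner = next(r[0] for r in records if r[2] == str(uid))
        raise ValueError(f"UID {uid} already belongs to {owner}; same UID means same account")
    if gid is None:
        gid = uid                      # user-private group (assumption)
    if today is None:
        today = (date.today() - EPOCH).days
    home_in_passwd = f"/home/{name}"
    home = os.path.join(prefix, "home", name)

    # Steps 1 and 2: 'x' placeholder in passwd, locked entry in shadow.
    with open(passwd_path, "a") as fh:
        fh.write(f"{name}:x:{uid}:{gid}:{gecos}:{home_in_passwd}:{shell}\n")
    with open(shadow_path, "a") as fh:
        fh.write(f"{name}:!:{today}:0:99999:7:::\n")
    os.chmod(shadow_path, 0o600)       # shadow must never be world readable

    # Steps 3 and 4: home directory populated from skel, dot files included.
    skel = os.path.join(etc, "skel")
    if os.path.isdir(skel):
        shutil.copytree(skel, home, symlinks=True)
    else:
        os.makedirs(home)
    os.chmod(home, 0o700)
    if os.geteuid() == 0:              # chown needs root; skipped in a scratch prefix
        for dirpath, _dirnames, filenames in os.walk(home):
            for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                os.chown(p, uid, gid, follow_symlinks=False)
    return uid


def home_files(prefix, name):
    """Sorted names in the new home directory, dot files included."""
    return sorted(os.listdir(os.path.join(prefix, "home", name)))


def make_scratch_prefix():
    """Constructed scratch prefix: a passwd with two users and a skel with one dot file."""
    prefix = tempfile.mkdtemp(prefix="newuser-demo-")
    os.makedirs(os.path.join(prefix, "etc", "skel"))
    with open(os.path.join(prefix, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n"
                 "randy:x:999:1001:Randy Appleton:/home/randy:/bin/bash\n")
    with open(os.path.join(prefix, "etc", "skel", ".bashrc"), "w") as fh:
        fh.write("# constructed sample dot file\n")
    return prefix


if __name__ == "__main__":
    p = make_scratch_prefix()
    uid = create_user(p, "tproehl", "Todd Proehl", today=11226)
    print("created UID", uid, "under", p)
    print("home contains", home_files(p, "tproehl"))
    print("shadow:", read_lines(os.path.join(p, "etc", "shadow")))
```

The last step of the text, 'passwd user', is deliberately left to the real command: it is the only part that should ever write a hash, and with the '!' written here the new account cannot be used until that happens.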
Good passwords
Good passwords are NEVER based on a dictionary word, nor personal information. In fact, good sysadmins run 'crack' to check for that. Ideas for good passwords...
- First letter of words in a sentence.
- Words shifted one key up or down or left or right.
- Use olde English village names.
- Use first words of phrases.
- Arithmetic expressions.
Remember that cracking tools apply mangling rules to their word lists (capitalisation, reversal, letter-for-digit substitution, appended digits) and that place names are in those lists, so a scheme only helps if the result is long and cannot be guessed from knowing the scheme.
Other Notes
- The password file can be edited with locking by using the vipw command (vigr does the same for the group file).
- The password commands lock the password file while they run. If a crashed command leaves a stale lock behind you can remove the lock file by hand with 'rm', but first make sure no passwd, vipw or adduser is still running, or two writers will corrupt the file.
- The password file can be checked for consistency with pwck, and the group file with grpck.