~ CHAPTER 5: MANAGING USERS ~

Under Linux, every file and program must be owned by a user. Each user has a unique identifier

called a user ID (UID). Each user must also belong to al least one group, a collection of users

established by the system administrator.

Each user’s rights can be defined in one of two ways: a normal user or the root user. The root is

also known as the superuser.

Linux UIDs are comparable to Windows SIDs (system IDs). You’ll also notice the distinct absence

of Access Control Lists (ACLs) in Linux. Which system is better? Depends on what you want and

whom you ask.

About Users

In Linux, everything has an owner attached to it. Given this, it is impossible for a Linux system to

exist without users!

At the very least, it needs one root user; however, most Linux distributions ship with several

special users set up.

TIP: Whenever possible, run applications without root privileges. The benefit of doing this is

hat if an application is found to have a security problem, it cannot be exploited to gain system

privileges.

Home Directories

A home directory allows each user to work in a customized environment without having to change

the environment customized by another user—even if both users are logged into the system at the

same time.

The directory is called /home. If your login was Patti then your home directory would be /home/Patti.

Passwords

Every account should either have a password or be tagged as impossible to log in to.

Uses DES for encryption.

When users entered their passwords at login prompt, the password they entered would be encrypted.
The encrypted value would then be compared against the user’s password entry. If the two

encrypted values matched, the user was allowed to enter the system. The actual algorithm for

performing the encryption was computationally cheap enough that a single encryption wouldn’t

take too long.

======================================================================

linux5.html PAGE 2 2002/07/14

Shadow password. Passwords are placed in a file called shadow.

Choose a good password, choose a non-language word (not English, Spanish, German, and

mix upper/lower and numbers and punctuation.

Shells

When users log in to the system, they expect an environment that can help them be productive.

The first program that users encounter is called a shell. Under Linux, must shells are text-based.

Of course, most users prefer that the first program run be a shell, such as BASH.

Startup Scripts

Under DOS, we are used to having the autoexec.bat and config.sys file run automatically when we

start up the system.

When you create a user’s account you should provide a default set of dot files to get the user started.

If you use the tools that come with Linux, you don’t need to worry about creating these files—

the tools automatically do this for you.

Mail

Creating a new user means not only creating the user’s home directory and setting up the

environment. It also means making it possible for the user to send and receive e-mail.

Mailboxes are kept in the /var/spool/mail directory.

If a users login is patti, her mailbox will be /var/spool/mail/patti

An empty mailbox is a zero-length file. To create a zero-length file anywhere in the system,

you simply use the touch command like so:

[root@ford^/root]#touch^myfile

User Databases

In contrast, Linux takes the path of the traditional UNIX and keeps all user information in

straight text files.

This is beneficial for the simple reason that it allows you to make changes to user information

without the need of any other tool but a text editor such as pico.

======================================================================

linux5.html PAGE 3 2002/07/14

The /etc/passwd File

The /etc/passwd file stores the user’s login, encrypted password entry, UID, default GUD,

name, home directory and login shell. The file keeps one user per line, and each entry for the

user is delimited by a colon. For example:

sshah:boQavhhaCKaXg:100:102:Steve^Shah://home/sshah:/bin/tsch

NOTE: Linux allows for logins to be longer than 8 characters, but not a good idea. The

minimum is 6 characters.

Many sites disable accounts by altering the encrypted password entry so that when the disabled

account’s user enters her password, it won’t match the value in the password file. You can do

this by inserting an asterisk (*). For example: b0QavhhaCKaXg*.

NOTE: Some distributions of Linux reserve the UID-1 (or65535) for the user “nobody”.

The /etc/shadow File

The /etc/passwd file would remain readable by all users, but the passwords kept in the

/etc/shadow file would be readable only by those programs with root privileges, such as the

The format of each line in the /etc/shadow file contains the following:

Login name
Encrypted password
Days since Jan 1, 1970, that the password has been changed.
Days before the password may be changed.
Days after which the password must be changed.
Days before the password is about to expire that the user is warned
Days after the password is expired that the account is disabled.
Days since Jan. 1, 1970, that the account has been disabled.
Reserved field.

Entries with a –1 imply infinity. This tags the user as never having to change their password.

======================================================================

linux5.html PAGE 4 2002/07/14

The /etc/group File

The /etc/passwd file contains each user’s default GID. This GID is mapped to the group’s

name and other members of the group in the /etc/group file. The format of each line in the

/etc/group file is:

Group name
Encrypted password for the group
GID number
Comma-separated list of member users.

Again each field is separated by a colon:

Project:baHrE1KPNjrPE:102:sshah, hdc

User Management Tools

The wonderful part of having password database files that have a well-defined format is straight

text is that it is easy for anyone to be able to write his or her own management tools.

Command-Line User Management

You can choose from among six command-line tools to perform the same actions performed ]

by the GUI tool: useradd, userdel, usermod, groupadd, groupdel, and groupmod.

useradd. Allows you to add a single user to the system.(cd^/usr/sbin^./adduser) Use the –D

switch for default values.

userdel. Does the opposite of user add. Use the –r parameter and you can remove all of the

files owned by the user in his home directory as well.

usermod. You can modify a users attributes.

groupadd. The groupadd command adds groups to the /etc/group file. The command-line

operation for this program are as follows. (see page 93)

groupdel. Just type in groupdel^group

groupmod. Modify parameters. –g option change the GID of the group, and –n option you

can specify a new name of a group.

======================================================================

linux5.html PAGE 5 2002/07/14

Using LinuxConf to Manipulate Users and Groups

The LinuxConf package is a remarkably powerful configuration tool that you will find

yourself using for many different tasks.

To start LinuxConf, be sure you are logged in as the root user and have started the X

Windows environment. If you are using GNOME.

Or you can type linuxconf from a terminal window.

Adding a User

To add a user, begin by clicking the Add button at the bottom of the LinuxConf opening

window. Every field except those to which the work “(opt)” for optional appears must be filled out.

Modifying a User

Select the user and make the changes. NOTE: Remember that before you change a user’s

Deleting a User

You must decide what to do with the users home directory. If you choose to archive the user’s

home directory, a gzipped tar file containing the data can be found in the /home/oldaccounts

directory.

Adding, modifying and deleting a Group

Select Group Definitions on the left side of LinuxConf opening window.

Ensure that you are in the proper screen and select, add, edit or delete.

SetUID and SETGID Programs

Normally, when a program is run by a user, it inherits all of the rights (or lack thereof) that

he user has. If the user can’t read the /var/log/messages file, neither can the program.

The ls program which is used to generate directory listings is owned by the root user.

If a user Patti runs ls, that instance of ls is bound by permissions granted to the user Patti,

to the root.

======================================================================

linux5.html PAGE 6 2002/07/14

When a File Isn’t Owned

When a user is created, it gets a new and unique UID. Any files created by that user are

owned by that user.

The system then users the /etc/passwd file to perform a mapping between the user’s UID

and login so that it can make directory listings more human readable.

Pluggable Authentication Modules (PAM)

Once of the problems with UNIX method of authentication is that it is always the same

thing no matter what – passwords. While this worked great for a very long time, people

have needed to become more sophisticated for a variety of reasons.

The idea behind PAM is that instead of applications reading the password file, they would

simply ask PAM to perform the authentication. PAM could then use whatever

authentication mechanism the system administrator wanted.

How PAM Works

PAM is to other programs as a DLL is to a Windows application, it is just a library.

When invoked, PAM checks the configuration file for that application. If there isn’t a

configuration file, it uses a default configuration file. This configuration file tells the library

what types of checks need to be done in order to authenticate the user.

Once the module has made the determination, and “authenticated/not authenticated”

message is passed back to the calling application.

Downloading and Installing PAM

Many distributions, most notably Red Hat, Calera, and SuSE Linux, come with PAM

pre-installed.

There modules start with pam_ and therefore should be easy to find.
Once there, unpack the archive with the tar command tar^-xvzf^Linux-PAM-0.72.tar.gz.
README file before you start
make will configure it.
make install

======================================================================

linux5.html PAGE 7 2002/07/14

PAMs Files and Their Locations

On a Red Hat-style installation, PAM puts her configuration files in certain places. These

file locations are their definitions are listed in page 104.

Configuring PAM

The configuration files we will be discussing here are the ones located in the /etc/pan.d

irectory.

PaM is tree to download for extra security.

Each file consists of lines in the following format:

module_type control_flag module_path aguments

Module_type represents the four types of modules: auth, account, session or password.

Control_flag. Allows us to specify how we want to deal with the success or failure of a

particular authentication module.

Module_path. Specifies the actual directory path of the module rthat performs the

authentication task.

Aguments. There are the parameters passed to the authentication module. Although the

parameters are specific to each module, there are some generic options that can be applied

to all modules.

Debugging PAM

Like many other Linux services, PAM makes excellent use of the system log files.

TIP: If you are running X Windows, you can monitor the log file in real time by using the

ail command in a window, just type:

tail^-f^/var/log/messages

======================================================================

linux5.html PAGE 8 2002/07/14

SUMMARY:

Each user gets a unique UID.
Each group gets a GID.
The /etc/passwd file maps UIDs to usernames.
Linux handles encrypted password in multiple ways.
Linux includes tools that help you administer users.
Should you decide to write your own tools to manage the user databases, you’ll now

understand the format for doing so.

PAM, the Pluggable Authentication Modules, is Linux’s generic way to handling multiple

authentication mechanisms. It is a LIBRARY.