diff options
Diffstat (limited to 'misc/slackbook/html/essential-sysadmin-hardusers.html')
| -rw-r--r-- | misc/slackbook/html/essential-sysadmin-hardusers.html | 202 |
1 files changed, 202 insertions, 0 deletions
diff --git a/misc/slackbook/html/essential-sysadmin-hardusers.html b/misc/slackbook/html/essential-sysadmin-hardusers.html new file mode 100644 index 00000000..f9ad5448 --- /dev/null +++ b/misc/slackbook/html/essential-sysadmin-hardusers.html @@ -0,0 +1,202 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta name="generator" content="HTML Tidy, see www.w3.org" /> +<title>Users and Groups, the Hard Way</title> +<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" /> +<link rel="HOME" title="Slackware Linux Essentials" href="index.html" /> +<link rel="UP" title="Essential System Administration" href="essential-sysadmin.html" /> +<link rel="PREVIOUS" title="Essential System Administration" +href="essential-sysadmin.html" /> +<link rel="NEXT" title="Shutting Down Properly" +href="essential-sysadmin-shutdown.html" /> +<link rel="STYLESHEET" type="text/css" href="docbook.css" /> +<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> +</head> +<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" +alink="#0000FF"> +<div class="NAVHEADER"> +<table summary="Header navigation table" width="100%" border="0" cellpadding="0" +cellspacing="0"> +<tr> +<th colspan="3" align="center">Slackware Linux Essentials</th> +</tr> + +<tr> +<td width="10%" align="left" valign="bottom"><a href="essential-sysadmin.html" +accesskey="P">Prev</a></td> +<td width="80%" align="center" valign="bottom">Chapter 12 Essential System +Administration</td> +<td width="10%" align="right" valign="bottom"><a href="essential-sysadmin-shutdown.html" +accesskey="N">Next</a></td> +</tr> +</table> + +<hr align="LEFT" width="100%" /> +</div> + +<div class="SECT1"> +<h1 class="SECT1"><a id="ESSENTIAL-SYSADMIN-HARDUSERS" +name="ESSENTIAL-SYSADMIN-HARDUSERS">12.2 Users and Groups, the Hard Way</a></h1> + +<p>Of course, it is possible to add, modify, and remove users and groups without using +the scripts and programs that come with Slackware. It's not really difficult, although +after reading this process, you'll probably find it much easier to use the scripts. +However, it's important to know how your password information is actually stored, in case +you ever need to recover this information and don't have the Slackware tools +available.</p> + +<p>First, we'll add a new user to the <tt class="FILENAME">/etc/passwd</tt>(5), <tt +class="FILENAME">/etc/shadow</tt>(5), and <tt class="FILENAME">/etc/group</tt>(5) files. +The <tt class="FILENAME">passwd</tt> file holds some information about the users on your +system, but (strangely enough) not their passwords. This was once the case, but was +halted long ago for security reasons. The passwd file must be readable by all users, but +you don't want encrypted passwords world-readable, as would-be intruders can use the +encrypted passwords as a starting point for decrypting a user's password. Instead, the +encrypted passwords are kept in the shadow file, which is only readable by root, and +everyone's password is entered into the <tt class="FILENAME">passwd</tt> file simply as +“<var class="LITERAL">x</var>”. The <tt class="FILENAME">group</tt> file +lists all the groups and who is in each.</p> + +<p>You can use the <tt class="COMMAND">vipw</tt> command to edit the <tt +class="FILENAME">/etc/passwd</tt> file safely, and the <tt class="COMMAND">vigr</tt> +command to edit the <tt class="FILENAME">/etc/group</tt> file safely. Use <tt +class="COMMAND">vipw -s</tt> to edit the <tt class="FILENAME">/etc/shadow</tt> file +safely. (“Safely” in this context means someone else won't be able to modify +the file you're editing at the moment. If you're the only administrator of your system, +you're probably safe, but it's best to get into good habits from the start.)</p> + +<p>Let's examine the <tt class="FILENAME">/etc/passwd</tt> file and look at how to add a +new user. A typical entry in <tt class="FILENAME">passwd</tt> looks like this:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="PROGRAMLISTING"> +chris:x:1000:100:Chris Lumens,Room 2,,:/home/chris:/bin/bash +</pre> +</td> +</tr> +</table> + +<p>Each line is an entry for one user, and fields on each line are separated by a colon. +The fields are the login name, encrypted password (“<var +class="LITERAL">x</var>” for everyone on a Slackware system, since Slackware uses +shadow passwords), user ID, group ID, the optional finger information (separated by +commas), home directory, and shell. To add a new user by hand, add a new line at the end +of the file, filling in the appropriate information.</p> + +<p>The information you add needs to meet some requirements, or your new user may have +problems logging in. First, make sure that the password field is an <var +class="LITERAL">x</var>, and that both the user name and user ID is unique. Assign the +user a group, either 100 (the “users” group in Slackware) or your default +group (use its number, not its name). Give the user a valid home directory (which you'll +create later) and shell (remember, valid shells are listed in <tt +class="FILENAME">/etc/shells</tt>).</p> + +<p>Next, we'll need to add an entry in the /etc/shadow file, which holds the encrypted +passwords. A typical entry looks like this:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="PROGRAMLISTING"> +chris:$1$w9bsw/N9$uwLr2bRER6YyBS.CAEp7R.:11055:0:99999:7::: +</pre> +</td> +</tr> +</table> + +<p>Again, each line is an entry for one person, with each field delimited by a colon. The +fields are (in order) login name, encrypted password, days since the Epoch (January 1, +1970) that the password was last changed, days before the password may be changed, days +after which the password must be changed, days before password expiration that the user +is notified, days after expiration that the account is disabled, days since the Epoch +that the account is disabled, and a reserved field.</p> + +<p>As you can see, most of that is for account expiration information. If you aren't +using expiration information, you only need to fill in a few fields with some special +values. Otherwise, you'll need to do some calculations and decision making before you can +fill those fields in. For a new user, just put some random garbage in the password field. +Don't worry about what the password is right now, because you're going to change it in a +minute. The only character you cannot include in the password field is a colon. Leave the +“days since password was changed” field blank as well. Fill in <var +class="LITERAL">0</var>, <var class="LITERAL">99999</var>, and <var +class="LITERAL">7</var> just as you see in the example entry, and leave the other fields +blank.</p> + +<p>(For those of you who think you see my encrypted password above and believe you've got +a leg up on breaking into my system, go right ahead. If you can crack that password, +you'll know the password to a firewalled test system. Now that's useful :) )</p> + +<p>All normal users are members of the “<tt class="USERNAME">users</tt>” +group on a typical Slackware system. However, if you want to create a new group, or add +the new user to additional groups, you'll need to modify the <tt +class="FILENAME">/etc/group</tt> file. Here is a typical entry:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="PROGRAMLISTING"> +cvs::102:chris,logan,david,root +</pre> +</td> +</tr> +</table> + +<p>The fields are group name, group password, group ID, and group members, separated by +commas. Creating a new group is a simple matter of adding a new line with a unique group +ID, and listing all the users you want to be in the group. Any users that are in this new +group and are logged in will have to log out and log back in for those changes to take +effect.</p> + +<p>At this point, it might be a good idea to use the <tt class="COMMAND">pwck</tt> and +<tt class="COMMAND">grpck</tt> commands to verify that the changes you've made are +consistent. First, use <tt class="COMMAND">pwck -r</tt> and <tt class="COMMAND">grpck +-r</tt>: the <var class="OPTION">-r</var> switch makes no changes, but lists the changes +you would be asked to make if you ran the command without the switch. You can use this +output to decide whether you need to further modify any files, to run <tt +class="COMMAND">pwck</tt> or <tt class="COMMAND">grpck</tt> without the <var +class="OPTION">-r</var> switch, or to simply leave your changes as they are.</p> + +<p>At this point, you should use the <tt class="COMMAND">passwd</tt> command to create a +proper password for the user. Then, use <tt class="COMMAND">mkdir</tt> to create the new +user's home directory in the location you entered into the <tt +class="FILENAME">/etc/passwd</tt> file, and use <tt class="COMMAND">chown</tt> to change +the owner of the new directory to the new user.</p> + +<p>Removing a user is a simple matter of deleting all of the entries that exist for that +user. Remove the user's entry from <tt class="FILENAME">/etc/passwd</tt> and <tt +class="FILENAME">/etc/shadow</tt>, and remove the login name from any groups in the <tt +class="FILENAME">/etc/group</tt> file. If you wish, delete the user's home directory, the +mail spool file, and his crontab entry (if they exist).</p> + +<p>Removing groups is similar: remove the group's entry from <tt +class="FILENAME">/etc/group</tt>.</p> +</div> + +<div class="NAVFOOTER"> +<hr align="LEFT" width="100%" /> +<table summary="Footer navigation table" width="100%" border="0" cellpadding="0" +cellspacing="0"> +<tr> +<td width="33%" align="left" valign="top"><a href="essential-sysadmin.html" +accesskey="P">Prev</a></td> +<td width="34%" align="center" valign="top"><a href="index.html" +accesskey="H">Home</a></td> +<td width="33%" align="right" valign="top"><a href="essential-sysadmin-shutdown.html" +accesskey="N">Next</a></td> +</tr> + +<tr> +<td width="33%" align="left" valign="top">Essential System Administration</td> +<td width="34%" align="center" valign="top"><a href="essential-sysadmin.html" +accesskey="U">Up</a></td> +<td width="33%" align="right" valign="top">Shutting Down Properly</td> +</tr> +</table> +</div> +</body> +</html> + |