
<BR></P>

<HR ALIGN=CENTER>

<NOTE>

<IMG SRC="note.gif" WIDTH = 35 HEIGHT = 35><B>NOTE:</B> As with user IDs, consider breaking up this numbering space as well. A numbering scheme similar to the one proposed for user IDs is just as valid.

<BR></NOTE>

<HR ALIGN=CENTER>

<H5 ALIGN="CENTER">

<CENTER><A ID="I14" NAME="I14">

<FONT SIZE=3><B>Full Name (GCOS Field)</B>

<BR></FONT></A></CENTER></H5>

<P>In the original versions of UNIX at Bell Laboratories, UNIX was also used as a front-end computer to submit jobs to the GE/Honeywell mainframe. This system ran GECOS/GCOS, and this field was used to store the mainframe account information for this user.



<BR></P>

<P>This is obsolete and of little use outside the labs, so this field was usurped and used to hold the full name of the user. It is used for placing the full name on printouts and on electronic mail. It is stored in one of two formats:

<BR></P>

<UL>

<LI>System V Format: nnnn-Name(nnnn)

<BR>

<BR>The first four digits are the GCOS account number. The name is everything after the - and before the (. The number in the parentheses is the GCOS box number.

<BR>

<BR></LI>

<LI>Berkeley Format: Name, comments

<BR>

<BR>Everything in the field up to the comma is the name. After the comma can go comments about the account that are not part of the name.

<BR>

<BR></LI></UL>

<H5 ALIGN="CENTER">

<CENTER><A ID="I15" NAME="I15">

<FONT SIZE=3><B>Initial Home Directory</B>

<BR></FONT></A></CENTER></H5>

<P>The login program changes to this directory before starting the shell, and sets the HOME environment variable to its value. The user's login scripts can change this value and define a different home directory, which is why this is called the initial 
home directory.

<BR></P>

<H5 ALIGN="CENTER">

<CENTER><A ID="I16" NAME="I16">

<FONT SIZE=3><B>Shell</B>

<BR></FONT></A></CENTER></H5>

<P>This field contains the full pathname of the script or program that the login program starts as the shell. If this field is empty, the Bourne shell is used by default. For UUCP accounts, login runs the uucico program, so its full pathname appears in this field.

<BR></P>

<H4 ALIGN="CENTER">

<CENTER><A ID="I17" NAME="I17">

<FONT SIZE=3><B>Shadow File Entry (NIS/NIS+ database entry)</B>

<BR></FONT></A></CENTER></H4>

<P>Since the passwd file is world readable, as an added measure of security, SVR4 UNIX systems use a shadow file to hold the password information. It is readable only by root. It contains the password field data in an expanded format.

<BR></P>

<P>The shadow file, as shown in Listing 36.3, is not designed to be edited directly, but instead is modified by the passwd command automatically as needed. The passwd command has the ability to convert dates from standard format to the number of days since 

January 1, 1970, as needed in the date fields in this file.

<BR></P>

<UL>

<LH><B>Listing 36.3. Excerpts from a sample </B><B>/etc/shadow</B><B> file from an SVR4 </B><B>system.</B></LH></UL>

<PRE>root:03de466J423f5:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
Pwcsite:x3d5dtyfetonK:8774::::::
syd:43ASxete436h.:8776:0:168:7:::
nobody:NP:6445::::::
noaccess:NP:6445::::::</PRE>

<P>The shadow file consists of the following fields:

<BR></P>

<H5 ALIGN="CENTER">

<CENTER><A ID="I18" NAME="I18">

<FONT SIZE=3><B>User Name</B>

<BR></FONT></A></CENTER></H5>

<P>This name is used to match against the name in the passwd file.

<BR></P>

<H5 ALIGN="CENTER">

<CENTER><A ID="I19" NAME="I19">

<FONT SIZE=3><B>Password</B>

<BR></FONT></A></CENTER></H5>

<P>The user's password, encrypted with a one-way cipher, is stored in the second field. Only the first 8 characters of the password are used. These are mixed with a 2-character salt to produce a 13-character encrypted password. When it is necessary to 
compare a password, the plain text is encrypted with the salt, and a comparison is made against the encrypted version. If the passwd field is empty, the account has no password, and none is required to log in.

<BR></P>

<H5 ALIGN="CENTER">

<CENTER><A ID="I20" NAME="I20">

<FONT SIZE=3><B>Password Last Changed Date</B>

<BR></FONT></A></CENTER></H5>

<P>The number of days between January 1, 1970, and the date that the password was last modified. It is stored as an integer value. All the remaining day fields are relative to this date.

<BR></P>

<H5 ALIGN="CENTER">

<CENTER><A ID="I21" NAME="I21">

<FONT SIZE=3><B>Minimum Number of Days Between Password Changes</B>

<BR></FONT></A></CENTER></H5>

<P>The user is not allowed to change his password until the number of days specified in this field has passed since the last password change. The number of days is specified by the system administrator. 0 means that no limit is enforced, and the user may change his password at any time.

<BR></P>

<H5 ALIGN="CENTER">

<CENTER><A ID="I22" NAME="I22">

<FONT SIZE=3><B>Maximum Number of Days a Password Is Valid</B>

<BR></FONT></A></CENTER></H5>

<P>The user is required to change his password when the number of days specified in this field has passed since the last change. An empty field means the password never expires.

<BR></P>

<HR ALIGN=CENTER>

<NOTE>

<IMG SRC="imp.gif" WIDTH = 68 HEIGHT = 35><B>TIP: </B>Do not enable password aging (leave this field blank) for UUCP accounts. The UUCP chat script cannot handle requests to change an expired password.

<BR></NOTE>

<HR ALIGN=CENTER>

<H5 ALIGN="CENTER">

<CENTER><A ID="I23" NAME="I23">

<FONT SIZE=3><B>Number of Days to Warn User to Change </B><B><I>passwd</I></B>

<BR></FONT></A></CENTER></H5>

<P>Beginning this many days before password expiration, on login the user is warned that his password is about to expire and will need to be changed.

<BR></P>

<H5 ALIGN="CENTER">

<CENTER><A ID="I24" NAME="I24">

<FONT SIZE=3><B>Number of Days the Login May Be Inactive</B>

<BR></FONT></A></CENTER></H5>

<P>If the account is inactive for more than this number of days, the login is considered locked and requires administrative action to set a new date.

<BR></P>

<H5 ALIGN="CENTER">

<CENTER><A ID="I25" NAME="I25">

<FONT SIZE=3><B>Date When the Login Is No Longer Valid</B>

<BR></FONT></A></CENTER></H5>

<P>After this date, again specified as the number of days since January 1, 1970, the account is locked and may not be used for login.

<BR></P>
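<P>The field descriptions above translate directly into an audit of a shadow file. The following is an added example, not code from the original chapter: it parses the nine colon-delimited fields, converts the day counts to calendar dates, and reports empty passwords and passwords that never expire. The sample lines are constructed from Listing 36.3 plus a made-up guest entry, and treating NP and *LK* as "login disabled" is an assumption based on the SVR4/Solaris convention, which the text does not spell out.
<BR></P>

```python
from datetime import date, timedelta
# Constructed sample: three lines from Listing 36.3 plus a made-up "guest"
# entry with an empty password field.
SAMPLE = """\
root:03de466J423f5:6445::::::
listen:*LK*:::::::
syd:43ASxete436h.:8776:0:168:7:::
guest::8776::::::
"""
FIELDS = "name passwd lastchg min max warn inactive expire flag".split()
NO_LOGIN = ("NP", "*LK*")   # SVR4/Solaris markers; assumption, see lead-in

def parse_shadow(text):
    """Split each non-blank line into the nine colon-delimited fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: {len(parts)} fields, expected 9")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def day_to_date(days):
    """Convert a days-since-January-1-1970 field; an empty field is unset."""
    return date(1970, 1, 1) + timedelta(days=int(days)) if days else None

def audit(entry):
    """Return the findings for one parsed shadow entry."""
    pw, findings = entry["passwd"], []
    if pw in NO_LOGIN:
        return ["no usable password (login disabled)"]
    if pw == "":
        findings.append("empty password: login needs no password")
    elif len(pw) != 13:
        findings.append("password field is not a 13-character hash")
    if entry["max"] == "":
        findings.append("password never expires (max field empty)")
    elif (changed := day_to_date(entry["lastchg"])):
        due = changed + timedelta(days=int(entry["max"]))
        findings.append(f"password change due {due.isoformat()}")
    return findings

def audit_all(text):
    return {e["name"]: audit(e) for e in parse_shadow(text)}

if __name__ == "__main__":
    print(audit_all(SAMPLE))
```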

<H4 ALIGN="CENTER">

<CENTER><A ID="I26" NAME="I26">

<FONT SIZE=3><B>The </B><B><I>/etc/group</I></B><B> File</B>

<BR></FONT></A></CENTER></H4>

<P>A user can belong to more than one group. He has access rights to files in every group of which he is a member. The groups file, like the passwd file, is delimited by colons as shown in Listing 36.4.

<BR></P>

<UL>

<LH><B>Listing 36.4. A sample </B><B>/etc/group</B><B> file from an SVR4 system.</B></LH></UL>

<PRE>root::0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
nobody::60001:
noaccess::60002:</PRE>

<P>The following are the fields in the group file:

<BR></P>

<UL>

<LI>Group name&mdash;text name of the group, up to eight alphanumeric characters. Again, to avoid confusion with IDs it's best to begin with a letter.

<BR>

<BR></LI>

<LI>Group password&mdash;a password that users can use with the newgrp command to make this group their current default group ID.

<BR>

<BR></LI>

<LI>Group ID&mdash;the numeric representation of the group name.

<BR>

<BR></LI>

<LI>Members&mdash;names of users who are members of this group. It is this section that is scanned to determine the other groups to which a user belongs.

<BR>

<BR></LI></UL>

<HR ALIGN=CENTER>

<NOTE>

<IMG SRC="caution.gif" WIDTH = 37 HEIGHT = 35><B>CAUTION: </B>Many systems have a limit on the number of groups to which a user can belong. The most common limit is 16. Placing a user in more than this number of groups prevents the user from being able to log in at all.

<BR></NOTE>

<HR ALIGN=CENTER>
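<P>A group file can be checked against the field rules and the membership limit before it locks anyone out. The following is an added example, not code from the original chapter: it parses the four fields, flags group names that are not a letter followed by up to seven alphanumerics, flags groups that carry a password, and counts how many member lists each user appears in. The sample is constructed from Listing 36.4 plus made-up groups (9track, operators, proj01 to proj14); only the member lists are counted, as the text describes, and the limit of 16 is a parameter.
<BR></P>

```python
import re
from collections import Counter

# Constructed sample: five lines from Listing 36.4 plus made-up groups
# (9track, operators, proj01..proj14) that trip the checks.
SAMPLE = """\
root::0:root
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
staff::10:
nobody::60001:
9track::70:adm
operators:Xy12abCDef345:71:adm
""" + "".join(f"proj{i:02d}::{100 + i}:root\n" for i in range(1, 15))

NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,7}")  # letter first, 8 chars max

def parse_group(text):
    """Yield (name, password, gid, members) for each non-blank line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: {len(parts)} fields, expected 4")
        name, password, gid, members = parts
        yield name, password, int(gid), [m for m in members.split(",") if m]

def lint_groups(text, max_groups=16):
    """Return (group findings, users listed in more than max_groups groups)."""
    findings, per_user = [], Counter()
    for name, password, gid, members in parse_group(text):
        if not NAME_RE.fullmatch(name):
            findings.append(f"{name}: not a letter plus up to 7 alphanumerics")
        if password:
            findings.append(f"{name}: group password set (usable with newgrp)")
        per_user.update(set(members))   # count each user once per group
    over = {u: n for u, n in per_user.items() if n > max_groups}
    return findings, over

if __name__ == "__main__":
    print(lint_groups(SAMPLE))
```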

<H3 ALIGN="CENTER">

<CENTER><A ID="I27" NAME="I27">

<FONT SIZE=4><B>Building the Skeleton</B>

<BR></FONT></A></CENTER></H3>

<P>Rather than building all of the configuration files by hand for each user as you create the user, UNIX provides the concept of a skeleton user. The files created for the skeleton are copied automatically to the home directory of the newly created user. 

The skeleton is located in /etc/skel. Any files found in this directory are copied by the useradd command to the newly created home directory. Note that the useradd command allows using alternate skeletons via the -k argument.

<BR></P>

<H4 ALIGN="CENTER">

<CENTER><A ID="I28" NAME="I28">

<FONT SIZE=3><B>Creating Skeleton Shell Files</B>

<BR></FONT></A></CENTER></H4>

<P>In the /etc/skel directory there are the following files:

<BR></P>

<UL>

<LI>.login, .cshrc, .profile

<BR>

<BR>These are in the SVR4 version of the directory. They are the default files provided by the vendor. You can use a text editor to customize them as necessary.

<BR>

<BR></LI>

<LI>local.login, local.cshrc, local.profile

<BR>

<BR>This is the Solaris version of the directory. These files must be edited and renamed .login, .cshrc, and .profile.

<BR>

<BR></LI></UL>

<P>Edit these files to alter the path lines for local conventions, and to add any local start-up options desired.

<BR></P>

<P>Samples named .login, .cshrc, and .profile can be found on the CD-ROM, along with a file named .ksh_env.

<BR></P>

<H4 ALIGN="CENTER">

<CENTER><A ID="I29" NAME="I29">

<FONT SIZE=3><B>Additional Files You May Wish to Create</B>

<BR></FONT></A></CENTER></H4>

<P>In addition to the default shell files, consider adding the following to the user skeleton:

<BR></P>

<UL>

<LI>.mailrc&mdash;mailx start-up script&mdash;In this file it is helpful to set some local mail options, such as when to use an external pager (set crt=22). See the Mail or mailx command page.

<BR>

<BR></LI>

<LI>.mwmrc&mdash;Motif window manager start-up script&mdash;You might want to provide a localized main menu for Motif.

<BR>

<BR></LI>

<LI>.openwin-menu&mdash;OPEN LOOK window manager root menu&mdash;You might want to provide a localized main menu for the OPEN LOOK window manager.

<BR>

<BR></LI></UL>

<P>You add these files not just to change the defaults but to show the users what files they can customize and what the current values are.

<BR></P>

<H3 ALIGN="CENTER">

<CENTER><A ID="I30" NAME="I30">

<FONT SIZE=4><B>Adding a User</B>

<BR></FONT></A></CENTER></H3>

<P>There are three ways to add a user:

<BR></P>

<UL>

<LI>Edit the passwd, shadow, and associated files yourself by hand.

<BR>

<BR></LI>
