<LI>Use the useradd command.
<BR>
<BR></LI>
<LI>Use the specialized Graphical User Interface (GUI) interface provided by your UNIX vendor, such as admintool under Solaris or LoginMgr under UnixWare.
<BR>
<BR></LI></UL>
<P>Using the first option is no longer recommended, because it is error-prone. The useradd command is very easy to use and handles all the internal security files directly. The GUI interfaces are also easy to use and will guide you through the steps.
<BR></P>
<H4 ALIGN="CENTER">
<CENTER><A ID="I31" NAME="I31">
<FONT SIZE=3><B>Before Adding the User</B>
<BR></FONT></A></CENTER></H4>
<P>In any case, before actually adding the user you need to do the following:
<BR></P>
<UL>
<LI>Choose a user name—Common choices are the first name, the first name followed by the first letter of the last name, the last name, or the first initial followed by the last name. It really doesn't matter which convention you pick, but each name must be unique in the network and
consistent on every machine the user is allowed to log into.
<BR>
<BR></LI>
<LI>Assign a user ID—Use the grouping of user ID values previously described and choose a user ID that has never been used. It is not a good idea to recycle user IDs, as a file in the system might still be owned by the old user of that ID, and would
then belong to the new user of that ID.
<BR>
<BR></LI>
<LI>Choose group memberships—Determine which groups best fit this user as the primary group and as supplemental groups.
<BR>
<BR></LI>
<LI>Choose the location for the user's home directory—Using symbolic links you can later move the home directory to any disk drive that has storage. Consider using a common /home directory and symlinks to where space is available, on an as-needed
basis.
<BR>
<BR></LI></UL>
<H4 ALIGN="CENTER">
<CENTER><A ID="I32" NAME="I32">
<FONT SIZE=3><B>Running </B><B><I>useradd</I></B>
<BR></FONT></A></CENTER></H4>
<P>The useradd command takes many arguments that specify the answers to the questions you asked yourself in the previous section. From the man page, the command line arguments are these:
<BR></P>
<PRE>useradd [ -c comment ] [ -d dir ] [ -e expire ] [ -f inactive ]
[ -g group ] [ -G group [, group...]] [ -m [ -k skel_dir ]]
[ -u uid [ -o]] [ -s shell ] login</PRE>
<P>The following list goes over where each of these arguments ends up in the files:
<BR></P>
<UL>
<LI>-c comment—This is the GCOS field of the /etc/passwd file. Put the full information for this field here. Use the Berkeley format if you do not need the GCOS features. Here is an example of a -c argument:
<BR>
<BR>-c "Syd Weinstein, Room 101"
<BR></LI>
<LI>-d dir—This is the home directory field of the /etc/passwd file.
<BR>
<BR></LI>
<LI>-e expire—This is the ending date for this login. This field is not required, and if omitted no expiration date will be used. The date is converted from the input format to the days since January 1, 1970, and placed in the /etc/shadow file. Any
input date format except a Julian date can be used. For example:
<BR>
<BR>-e "January 1, 1995" or -e 1/1/95
<BR>
<BR></LI>
<LI>-f inactive—This is the maximum number of days this login can be inactive before being invalidated. It is stored in the number of days inactive field of the /etc/shadow file. If this argument is omitted, no checking for inactivity is performed.
<BR>
<BR></LI>
<LI>-g group—This is the primary group ID field of the /etc/passwd file. Either a group name or a numeric ID may be supplied.
<BR>
<BR></LI>
<LI>-G group [, group...]—These are the secondary groups. The user's name is added to each of these group entries in the /etc/group file. Again, either a name or a numeric ID may be supplied.
<BR>
<BR></LI>
<LI>-m [ -k skel_dir ]—If no -k argument is given, create a home directory for this user and copy the files from:
<BR>
<BR>/etc/skel
<BR>
<BR>If the -k argument is given, create a home directory and copy the files from the specified directory instead of the default /etc/skel directory.
<BR>
<BR></LI>
<LI>-u uid [ -o]—This is the user ID field of the /etc/passwd file. If the -o flag is given, the uid does not have to be unique. It is not recommended for more than one user to share a user ID.
<BR>
<BR></LI>
<LI>-s shell—This is the full pathname of the login shell and is the shell field of the /etc/passwd file.
<BR>
<BR></LI>
<LI>login—This is the login name you have assigned this user.
<BR>
<BR></LI></UL>
<H4 ALIGN="CENTER">
<CENTER><A ID="I33" NAME="I33">
<FONT SIZE=3><B>Creating Mail Alias Entries</B>
<BR></FONT></A></CENTER></H4>
<P>After the user is added you should update the mail alias file. Add an alias for this user for the full spelling of his name to map to his user name. After the aliases are added, run the newaliases command to compile the alias hash table.
<BR></P>
<H4 ALIGN="CENTER">
<CENTER><A ID="I34" NAME="I34">
<FONT SIZE=3><B>NIS Effects</B>
<BR></FONT></A></CENTER></H4>
<P>If you are running NIS, most of this doesn't apply to you, although understanding it will help you do what NIS needs. NIS uses a different set of configuration files that parallel the /etc/passwd file. The files used are totally under your control, but
a common convention is to use /etc/passwd for accounts local to this machine and /etc/yppasswd for the remainder of the accounts. See Chapter 37 for more information on NIS.
<BR></P>
<H3 ALIGN="CENTER">
<CENTER><A ID="I35" NAME="I35">
<FONT SIZE=4><B>Removing a User</B>
<BR></FONT></A></CENTER></H3>
<P>The first thing to understand about removing a user is this: don't. When a user must be denied access to the UNIX system, disable him instead. You don't want to remove him for the following reasons:
<BR></P>
<UL>
<LI>By not deleting, you prevent reuse of user IDs
<BR>
<BR>You need to track which user IDs have been used to avoid reuse. One way of knowing this is to keep an entry in the password file with the deleted user's ID.
<BR>
<BR></LI>
<LI>You may need to recover old files
<BR>
<BR>When you recover files from an old tape, some of them might belong to the deleted user's ID. If the entry still exists, ls will be able to tell you who they belonged to so you can reassign them. This is another reason not to reuse user IDs.
<BR>
<BR></LI></UL>
<H4 ALIGN="CENTER">
<CENTER><A ID="I36" NAME="I36">
<FONT SIZE=3><B>Disabling the User's Login</B>
<BR></FONT></A></CENTER></H4>
<P>It is very easy to disable the user's login. An option to the passwd command, when run by root, will mark the login as locked. Once locked, the user will not be able to log in. The command to lock a user is:
<BR></P>
<PRE>passwd -l user</PRE>
<HR ALIGN=CENTER>
<NOTE>
<IMG SRC="caution.gif" WIDTH = 37 HEIGHT = 35><B>CAUTION: </B>Just locking the account is not enough. You need to do the following:
<BR>
<BR>Make sure the user is not logged on anywhere in the network. If so, he could use the passwd command to re-enable his login.
<BR>
<BR>Remove or move to another name the .rhosts file in his home directory to prevent him from logging in as himself from another system.
<BR>
<BR>Check the system to make sure there are no setuid programs with his user ID. This can be done with the command
<BR>
<BR>find / -user user_name -perm -04000 -print
<BR>
<BR>Any of these files should be modified to clear the setuid bit. If a production application requires these files to have this bit set, have someone verify that these files are not a security risk.
<BR>
<BR>Remember to run the find command on every system in the network.
<BR></NOTE>
<HR ALIGN=CENTER>
<H4 ALIGN="CENTER">
<CENTER><A ID="I37" NAME="I37">
<FONT SIZE=3><B>Cleaning Up Disk Space Assigned to This User</B>
<BR></FONT></A></CENTER></H4>
<P>After the user's login has been disabled, you need to clean up after him. This takes four steps:
<BR></P>
<OL>
<LI>Find files owned by this user.
<BR>
<BR>The find command traverses the file systems and prints the names of all files owned by this user. The ones in the user's home directory tree may be obvious, but there often are others elsewhere in the hierarchy. For example
<BR>
<BR>find / -user user_name -print
<BR>
<BR>prints a listing of the names of all the files owned by the user user_name. This should be run on each system in the network.
<BR>
<BR></LI>
<LI>Back up the files to tape.
<BR>
<BR>In case you make a mistake, or there is a question later, make a tape backup of all of this user's files.
<BR>
<BR></LI>
<LI>Reassign the ownership of files you desire to retain.
<BR>
<BR>This is performed with the chown command.
<BR>
<BR></LI>
<LI>Remove the remaining files you wish to discard.
<BR>
<BR>Once you have struck from the list every file whose ownership you reassigned, you can delete the files that remain on it with the xargs command:
<BR>
<BR>xargs rm < remaining_list
<BR></LI></OL>
<H4 ALIGN="CENTER">
<CENTER><A ID="I38" NAME="I38">
<FONT SIZE=3><B>Final User Removal After All Files Are Handled</B>
<BR></FONT></A></CENTER></H4>
<P>When you are sure you no longer need to access this user ID, because all the files have been handled and the home directory is removed, it's time to make the remaining password entry totally unusable by any shell program.
<BR></P>
<HR ALIGN=CENTER>
<NOTE>
<IMG SRC="caution.gif" WIDTH = 37 HEIGHT = 35><B>CAUTION: </B>After you do this you will be unable to su to this user ID, so be sure you really do not need to be this user anymore before clearing the entry.
<BR></NOTE>
<HR ALIGN=CENTER>
<P>To make sure that the password entry is only used as a uid placeholder, four fields in the entry should be changed:
<BR></P>
<UL>
<LI>User name—As long as the user name still exists, it can still receive mail, and any mail arriving for this now-deleted user will clutter up your mail spool directory. Changing the user name will cause any mail received for this user to
bounce back to the sender.
<BR>
<BR>So that you know the entry is now a placeholder, use a pattern for the login name, perhaps d_uid, to indicate that this is a deleted entry for <I>uid uid.</I>
<BR>
<BR></LI>
<LI>GCOS (comment/full name)—Update the full name field to show when this entry was deleted. Leave the old user's name in there so you know who it belonged to when files are recovered that have this owner ID.
<BR>
<BR></LI>
<LI>Home directory—To prevent logging in to this user, set the login directory to a known nonexistent directory. This will prevent others from using su to use this user ID.
<BR>
<BR></LI>
<LI>Login shell—Finally, change the shell to /usr/bin/false. This will also prevent any accesses by remote commands for this user. This is accomplished with the usermod command:
<BR>
<BR>usermod -l d_100 -c "Syd Weinstein, deleted 4/1/94 by ssw"\
<BR> -d /nodir -s /usr/bin/false syd
<BR>
<BR></LI></UL>
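The bookkeeping from two places in this chapter, written out as an added example rather than the book's own code: picking a user ID that has never been used (the "Assign a user ID" step, where a placeholder entry keeps its ID reserved) and rewriting a departed user's entry into the d_uid placeholder form just described. The sample password lines are constructed for illustration; the function names are my own, and the /nodir path follows the chapter's usermod example.

```shell
#!/bin/sh
# Added example, not from the chapter: helpers for the password-file
# bookkeeping it describes. Needs only POSIX sh and awk.

# Constructed sample /etc/passwd contents. d_101 is a placeholder left
# behind by an earlier removal, so uid 101 must stay reserved even though
# no live account uses it.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
syd:x:100:10:Syd Weinstein, Room 101:/home/syd:/bin/ksh
d_101:x:101:10:Jane Doe, deleted 3/15/94 by ssw:/nodir:/usr/bin/false
bob:x:103:10:Bob Smith:/home/bob:/bin/sh'

# next_free_uid MIN: read passwd lines on stdin and print the lowest uid
# at or above MIN that no entry (live or placeholder) uses. Because the
# chapter keeps a placeholder for every deleted user, their ids are skipped
# and never recycled onto a new account.
next_free_uid() {
    awk -F: -v min="$1" '
        { used[$3] = 1 }
        END { uid = min; while (uid in used) uid++; print uid }
    '
}

# make_placeholder LINE DATE ADMIN: rewrite one passwd line into the
# placeholder form: login becomes d_<uid>, the deletion note is appended to
# the GCOS field, the home directory becomes the nonexistent /nodir, and the
# shell becomes /usr/bin/false. The uid, gid and password fields are left
# alone so ls can still name the owner of files recovered from old tapes.
make_placeholder() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v date="$2" -v admin="$3" '
        {
            $1 = "d_" $3
            $5 = $5 ", deleted " date " by " admin
            $6 = "/nodir"
            $7 = "/usr/bin/false"
            print
        }'
}

# Demonstration on the constructed file: 100, 101 and 103 are taken, so the
# next unused id at or above 100 is 102.
printf 'next free uid >= 100: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | next_free_uid 100)"
make_placeholder 'syd:x:100:10:Syd Weinstein, Room 101:/home/syd:/bin/ksh' 4/1/94 ssw
```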
<P>The last step is to remove this user from any mail aliases of which he was a member. This is done by editing the alias file and searching for all occurrences of the user name. Remember also to remove occurrences of any alternative names for him listed in the
alias file.
<BR></P>
<P>When the backups have rolled around, such that there are no longer any tapes from when this user was around, and you are sure you will never need the ID again, you can remove the placeholder from the /etc/passwd file to reduce the clutter in that file.
<BR></P>
<H3 ALIGN="CENTER">
<CENTER><A ID="I39" NAME="I39">
<FONT SIZE=4><B>Summary</B>
<BR></FONT></A></CENTER></H3>
<P>Dealing with user accounts is much easier once you know where everything is located. This chapter shows you where the UNIX system keeps the information on the user's account. With this information you can decide which options to the useradd, usermod,
groupadd, and groupmod commands you need to use. You can even decide if you need to directly edit the files and go around these commands (but be cautious if you do so!).
<BR></P>
<P>The new user's account starts with the skeleton. It's from the skeleton that the initial contents of his home directory are created. You have to create the skeleton to meet your local needs. A simple default is delivered with the UNIX system, but it is
up to you to modify that to fit local conventions.
<BR></P>
<P>Finally, you will eventually need to remove users. This chapter gives a set of steps you can follow when that becomes necessary.
<BR></P>
</BODY></HTML>