lsg16.htm

linux-unix130.linux.and.unix.ebooks130 linux and unix ebookslinuxLearning Linux - Collection of 12 E

<P>The user ID (UID) is a unique number that identifies the user to the operating system.



<BR>



</UL></UL>



<UL>



<UL>



<P>The group ID (GID) is a unique number that identifies the user's group (for file permissions).



<BR>



</UL></UL>



<UL>



<UL>



<P>The comment is usually the user's real name, but sometimes it is a phone number, department, or other information.



<BR>



</UL></UL>



<UL>



<UL>



<P>The home directory is the directory in which the user is placed when he or she logs in.



<BR>



</UL></UL>



<UL>



<UL>



<P>The login command is the command executed when the user logs in; normally, this command starts a shell program.



<BR>



</UL></UL>



<P>You should know what each field does and how other programs on your Linux system use it. Note that this type of user file is used with almost every UNIX system in the world, so once you know it for Linux, you know it for most UNIX versions.



<BR>



<BR>



<A NAME="E69E112"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>User Names</B></FONT></CENTER></H4>



<BR>



<P>The user name is a single string, usually eight characters or less, that uniquely identifies each user. Because the user name is the basis of most communications between users and other machines, the user name you use (or assign to others) should be simple and obvious. Usually, this name is a permutation of the user's real name. A typical user name may be a combination of the user's first and last names, such as tparker or timp. A user name composed of the first initial and last name is fairly common in large networks.



<BR>



<P>Note that the characters in these examples are all lowercase. Case is important in Linux (as with all UNIX versions), so tparker and Tparker are two different logins. Because most Linux commands are lowercase, the convention is to also keep user names lowercase. Underscores, periods, numbers, and some special characters are allowed, but they should be avoided because they make login names look strange and can also cause problems for some applications.



<BR>



<P>Small systems, such as one comprised of a single machine, may use more familiar names, such as the user's first name. A small system may have users with the names tim, bill, yvonne, and so on. If two users have the same name, there must be some method to differentiate between the two (such as bill and billy).



<BR>



<P>A few users like to create cryptic user names that reflect their hobbies, nicknames, pets, lifestyle, or personality. You may find user names like vader, grumpy, wizard, and hoops. This type of naming is fine on small systems that are used by one or two users, but it quickly becomes awkward on larger systems where other users may not know their coworker's user names. On the whole, if more than a couple of friends use your system, discourage this type of user name.



<BR>



<BR>



<A NAME="E69E113"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Passwords</B></FONT></CENTER></H4>



<BR>



<P>The system stores the user's encrypted password in the password field. This field is very sensitive to changes, and any modification to it can render the login useless until the system administrator performs a password change. Only the system administrator or the user can change the password by using the passwd command.



<BR>



<BLOCKQUOTE>



<BLOCKQUOTE>



<HR ALIGN=CENTER>



<BR>



<NOTE>Some versions of UNIX do not keep the passwords in the /etc/passwd file because of potential security problems. If the password fields on your system are all set to x, then another file (called a shadow password file) is in use. However, all versions of Linux currently available do use this field by default.



<BR>Systems running either Yellow Pages or NIS (Network Information Service), both of which rely on a central file of user names and passwords, do not use the password field. Few Linux systems use either YP or NIS, however, so you can ignore this distinction for the moment.</NOTE>



<BR>



<HR ALIGN=CENTER>



</BLOCKQUOTE></BLOCKQUOTE>



<P>When a user logs in, the login program logically compares the password the user typed to a block of zeros, and then compares that result to the entry in the password field. If they match, the user is granted access. Any deviation causes login to refuse access.



<BR>



<P>You can use this field to restrict access to the system. If you want to prevent a login from ever being used for access, such as a system login like lp or sync, place an asterisk between the two colons for the password field. This asterisk restricts all access. In the sample /etc/passwd file shown previously, many system logins have an asterisk as their password, effectively blocking access.



<BR>



<P>You can also use this field to allow unrestricted access by leaving it blank. If no password entry exists (the field has nothing in it), anyone using the user name is granted access immediately, with no password requested. Do not leave passwords open unless you are using your Linux system for your own pleasure and have nothing of value on the filesystem.



<BR>



<P>Don't attempt to put a password directly in the password field using an editor. You cannot recreate the encryption method, and you'll end up locking the user account out. Then only the system administrator will be able to change the password and allow access.



<BR>



<BR>



<A NAME="E69E114"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>User ID</B></FONT></CENTER></H4>



<BR>



<P>Every user name has an associated, unique user ID. Linux uses the user ID, also called the UID, to identify everything associated with the user. The user ID is preferable to the user name because numbers are easier to work with than the characters in a name and take up less space. Linux tracks all processes started by a user, for example, by the user ID and not the user name. Some utilities translate the user ID to display the user name, but utilities generally examine the /etc/passwd file to match the UID to the name.



<BR>



<P>The user ID numbers are usually assigned in specific ranges. Most UNIX systems, for example, allocate the numbers from 0 to 99 for machine-specific logins and the user ID numbers from 100 and up for users. Using this model will make your system consistent with others. In the sample /etc/passwd file shown previously, you can see that root has a UID of 0, and the other system-created logins have larger numbers. The login nobody is a special login used for NFS (Network File System) and has a UID of -1, an invalid number. When you assign user ID numbers, assign them sequentially so that the first user is 100, the second 101, and so on.



<BR>



<BR>



<A NAME="E69E115"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Group ID</B></FONT></CENTER></H4>



<BR>



<P>The group ID (GID) is used to track the user's startup group (in other words, the ID of the group the user belongs to when he or she logs in). A group is used for organizational purposes to set file permissions, although many organizations don't bother with groups. Group ID numbers range upwards from zero. Most UNIX systems have system groups numbered from 0 to 49 (some operating system versions use only the numbers 0 to 9 for the system) and user groups from 50 on up. The default group, called group, is assigned number 50.



<BR>



<P>The system uses the GID when tracking file permissions, access, and file creation and modification specifications. If your system has only a single-user group, you need not worry about the GID. If you work with several groups (as might be implemented on a large system), you need to examine the /etc/group file (discussed later in this chapter).



<BR>



<BR>



<A NAME="E69E116"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Comments</B></FONT></CENTER></H4>



<BR>



<P>The system administrator uses the comment field to add any information necessary to make the entry more explanatory. Typically, this area is used to enter the user's full name, although some system administrators like to add department or extension numbers for convenience. (This field is sometimes called the GECOS field, after the operating system that first used it.)



<BR>



<P>Some utilities use the comment field to display information about users, so make sure you don't place any sensitive information there. E-mail systems, for example, can access this field to show who is sending mail. Although you don't have to use the field, it can make things much easier for administrators and other users on larger systems when they can discover the real name behind the user name.



<BR>



<BR>



<A NAME="E69E117"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Home Directory</B></FONT></CENTER></H4>



<BR>



<P>The home directory field indicates to the login process where to place the user when he or she logs in. This place is usually the user's home directory. Each user on the system should have a dedicated home directory, and the user's startup files initialize the environment variable HOME to this value. The directory indicated in this field is the user's initial working directory only and places no restrictions on the user (unless file permissions have been set to restrict movement).



<BR>



<P>For the most part, user home directories are located in a common area. Linux tends to use the /home directory, so you will find home directories like /home/tparker, /home/ychow, and so on. Other versions use /usr, /user, or /u as user home directories. In some cases where the system administrator has experience with another version of UNIX that uses an alternate directory structure, you may find the home directories changed to make life easier (and more familiar) for that administrator. Linux doesn't care what the name of the home directory is as long as it can be entered.



<BR>



<BR>



<A NAME="E69E118"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Login Command</B></FONT></CENTER></H4>



<BR>



<P>The login command is the command to be executed when login terminates. In most cases, this command is a shell command that starts a program such as the C shell or Bourne shell to provide the user with a shell environment. In some cases, it may be a single application or front-end system that restricts what the user can do. For example, the uucp login (used for e-mail and other simple networking tasks) only executes the uucp command. If the login command field is left empty, the operating system usually defaults to the Bourne shell (although this default may change depending on the manner in which the operating system is set up).



<BR>



<P>Many versions of Linux allow users to change their login shell with the commands chsh or passwd -s. When you use these commands, Linux searches the file /etc/shells for a match. Only those commands in the /etc/shells file are allowed as valid entries when the user tries to change his or her startup shell, which helps you keep tighter security on the system. (You can add or remove lines in the /etc/shells file using any editor.) The superuser account has no restrictions on the entry in this field (or any other user's field). If your system uses the /etc/shells file, make sure this file has the same file permissions and ownership as the /etc/passwd file, or a user can sneak through the system security by modifying the startup command for his or her login.



<BR>



<BR>



<A NAME="E68E89"></A>



<H3 ALIGN=CENTER>



<CENTER>



<FONT SIZE=5 COLOR="#FF0000"><B>Understanding Default System User Names</B></FONT></CENTER></H3>



<BR>



<P>The previous extract from the /etc/passwd file lists over a dozen system-dependent user names. These names serve special purposes on the Linux system. A few of these logins are worth noting as they have specific uses for the operating system and system administrators:



<BR>



<UL>



<UL>



<P>The root login is the superuser account (UID 0) and has unrestricted access. It owns many system files.



<BR>



</UL></UL>



<UL>



<UL>



<P>The daemon login is used for system processes. This login is used only to own the processes and set their permissions properly.



<BR>



</UL></UL>



<UL>



<UL>



<P>The bin login owns executables.



<BR>



</UL></UL>



<UL>



<UL>



<P>The sys login owns executables.



<BR>



</UL></UL>



<UL>



<UL>



<P>The adm login owns accounting and log files.