<TD ALIGN="LEFT">The user's password (encrypted). </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT"><TT>user ID</TT> (UID) </TD>
<TD ALIGN="LEFT">A unique number that identifies the user to the operating system. </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT"><TT>group ID</TT> (GID) </TD>
<TD ALIGN="LEFT">A unique number that identifies the user's group (for file permissions). </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT"><TT>comment</TT> </TD>
<TD ALIGN="LEFT">Usually the user's real name, but sometimes phone numbers, departments, and so on.
</TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT"><TT>home directory</TT> </TD>
<TD ALIGN="LEFT">The directory in which users are placed when they log in. </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD ALIGN="LEFT"><TT>login command<BR>
</TT></TD>
<TD ALIGN="LEFT">The command executed when the user logs in, normally a shell.<BR>
</TD>
</TR>
</TABLE>
We can look at each field in a little more detail. You should know what each field
does and how it is used by other programs on your Linux system. Note that this type
of user file is used with almost every UNIX system in the world, so once you know
it for Linux, you know it for most UNIX versions.
<CENTER>
<H4><A NAME="Heading8"></A><FONT COLOR="#000077">User Names</FONT></H4>
</CENTER>
<P>The user name is a single string, usually eight characters or fewer, that uniquely
identifies each user. Since the user name is the basis of most communications between
users and other machines, the user name you use (or assign to others) should be simple
and obvious. Usually, this means a permutation of the user's real name. A typical
user name may be a combination of the user's first and last names, such as <TT>tparker</TT>
or <TT>timp</TT>. The former example, composed of the first initial and last name,
is fairly common in large networks.</P>
<P>Note that the characters in these examples are all lowercase. Case is important
in Linux (as with all UNIX versions), so <TT>tparker</TT> and <TT>Tparker</TT> are
two different logins. Since most Linux commands are lowercase, convention is to also
keep user names lowercase. Underscores, periods, numbers, and some special characters
are allowed, but should be avoided.</P>
<P>Small systems, such as on a single machine, may use more familiar names, such
as the user's first name only. A small system may have users with the names <TT>tim</TT>,
<TT>bill</TT>, <TT>yvonne</TT>, and so on. If two users have the same name, some
method must be found to differentiate between the two (such as <TT>bill</TT>
and <TT>billy</TT>).</P>
<P>A few users like to create cryptic user names that reflect their hobbies, nicknames,
pets, lifestyle, or personality. You may find user names such as <TT>vader</TT>,
<TT>grumpy</TT>, <TT>wizard</TT>, and <TT>hoops</TT>. This type of naming is fine
on small systems that are used by one or two users, but quickly becomes awkward on
larger systems where other users may not know their coworkers' user names. On the
whole, if your system is used by more than a couple of friends, discourage this type
of user name.</P>
<CENTER>
<H4><A NAME="Heading9"></A><FONT COLOR="#000077">Passwords</FONT></H4>
</CENTER>
<P>The system stores the user's encrypted password in this field. (Actually, the
password is encoded, not encrypted, although the convention has always been to use
the term encrypted.) This field is very sensitive to changes, and any modification
whatsoever can render the login useless until the system administrator performs a
password change. A user's password can be changed only with the <TT>passwd</TT> command,
either by the system administrator when logged in as root or by the users themselves.</P>
<DL>
<DT></DT>
</DL>
<DL>
<DD>
<HR>
<A NAME="Heading10"></A><FONT COLOR="#000077"><B>NOTE:</B> </FONT>Some versions of
UNIX do not keep the passwords in the <TT>/etc/passwd</TT> file because of potential
security problems. If the password fields on your system are all set to <TT>x</TT>,
then another file (called a shadow password file) is in use. However, all versions
of Linux currently available do use this field normally. Systems running either Yellow
Pages or NIS (Network Information Service), both of which rely on a central file
of user names and passwords, do not use this field. However, few Linux systems will
use either YP or NIS, so this distinction can be ignored for the moment.
<HR>
</DL>
<P>When a user logs in, the <TT>login</TT> program logically compares the password
the user typed to a block of zeros, and then compares that result to the entry in
the password field. If they match, the user is granted access. Any deviation causes
<TT>login</TT> to refuse access.</P>
<P>This field can be used to restrict access to the system. If you want a login to
never be used for access, such as a system login like <TT>lp</TT> or <TT>sync</TT>,
place an asterisk between the two colons for this field. This restricts all access.
In the example <TT>/etc/passwd</TT> file shown earlier, you can see that many system
logins have an asterisk as their password, effectively blocking access.</P>
<P>This field can also be used to allow unrestricted access by leaving it blank.
If there is no password, anyone using the user name is granted access immediately,
with no password requested. This is a very bad habit to get into! Do not leave passwords
open unless you are using your Linux system for your own pleasure and have nothing
of value on the file system.</P>
<P>Don't attempt to put a password in the password field--you cannot recreate the
encryption method, and you'll end up locking the user out. Then, only the system
administrator is able to change the password and allow access.</P>
<CENTER>
<H4><A NAME="Heading11"></A><FONT COLOR="#000077">User ID</FONT></H4>
</CENTER>
<P>Every user name has an associated, unique user ID. The user ID, also called the
UID, is used by Linux to identify everything associated with the user. The user ID
is preferable to the user name because numbers are easier to work with than the characters
in a name, and they take up much less space. Linux tracks all processes started by
a user, for example, by the user ID and not the user name. A translation can take
place in some utilities to display the user name, but the utility generally examines
the <TT>/etc/passwd</TT> file to match the UID to the name.</P>
<P>The user ID numbers are usually assigned in specific ranges. Most UNIX systems,
for example, allocate the numbers from zero to 99 for machine-specific logins, and
the user ID numbers from 100 and up for users. This is a good working model and makes
your system consistent with others. In the example <TT>/etc/passwd</TT> file shown
earlier, you can see that root has a UID of <TT>0</TT>, while the other system-created
logins have numbers ranging upward. The login <TT>nobody</TT> is a special login
used for NFS (Network File System) and has a UID of <TT>-1</TT>, an invalid number.
When you assign user ID numbers, it is a good idea to assign them sequentially, so
the first user is 100, the second 101, and so on.
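<P>The password-field states and the UID rules described above can be checked mechanically.
The following is an added example, not part of the original chapter: a shell function
(the name <TT>audit_passwd</TT> and the sample entries are constructed for illustration)
that reports each entry's password state and flags duplicate UIDs and extra UID 0 logins.</P>

```shell
#!/bin/sh
# Added example, not from the original chapter; function names are hypothetical.

# audit_passwd [FILE]
# Reads passwd-format lines from FILE (or stdin) and prints one line per
# entry: user, password state and UID note, separated by tabs.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        NF != 7 { print $1 "\tMALFORMED\t-"; next }  # entries have 7 fields
        {
            if ($2 == "")       pw = "OPEN"     # blank: no password requested
            else if ($2 == "*") pw = "LOCKED"   # asterisk: login blocked
            else if ($2 == "x") pw = "SHADOW"   # password kept in shadow file
            else                pw = "SET"      # encoded password in this file

            if ($3 !~ /^-?[0-9]+$/) note = "BAD_UID"
            else {
                uid = $3 + 0                    # "00" and "0" are the same UID
                if (uid == 0 && $1 != "root") note = "EXTRA_UID_0"
                else if (uid in owner)        note = "DUP_UID_OF_" owner[uid]
                else                          note = "ok"
                if (!(uid in owner)) owner[uid] = $1
            }
            print $1 "\t" pw "\t" note
        }
    ' "${1:--}"
}

# Constructed sample entries, not taken from a real system.
sample_passwd() {
    printf '%s\n' \
        'root:CONSTRUCTEDHASH:0:0:root:/root:/bin/bash' \
        'lp:*:4:7:lp:/var/spool/lpd:' \
        'sync:*:5:0:sync:/sbin:/bin/sync' \
        'tparker:x:100:100:T. Parker:/home/tparker:/bin/bash' \
        'ychow::101:100:Y. Chow:/home/ychow:/bin/bash' \
        'bill:x:101:100:Bill:/home/bill:/bin/csh' \
        'toor:x:0:0:extra superuser:/root:/bin/bash'
}

sample_passwd | audit_passwd
```

<P>On a live system, pass the file as the argument: <TT>audit_passwd /etc/passwd</TT>.</P>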
<CENTER>
<H4><A NAME="Heading12"></A><FONT COLOR="#000077">Group ID</FONT></H4>
</CENTER>
<P>The group ID (GID) is used to track the users' startup group (in other words,
the ID of the group the users belong to when they log in). A group, as you will
see later, is used for organization purposes to set file permissions, although many
organizations don't bother with them. Group ID numbers range from zero and upwards.
Linux systems assign a group called users with the group number 100 for this purpose.</P>
<P>The GID is used by the system when tracking file permissions, access, and file
creation and modification specifications. If your system has only a single user group,
then you need not worry about the GID. If you work with several groups (as might
be implemented on a large system), then you need to examine the <TT>/etc/group</TT>
file.</P>
<CENTER>
<H4><A NAME="Heading13"></A><FONT COLOR="#000077">Comments</FONT></H4>
</CENTER>
<P>This field is used by the system administrator to add any information necessary
to make the entry more self-explanatory. Typically, this area is used to enter the
user's full name, although some system administrators like to add department or extension
numbers for convenience. (This field is sometimes called the <TT>GECOS</TT> field,
after the operating system that first used it.)</P>
<P>The comment field is used by some utilities to display information about users,
so make sure you don't place any sensitive information there. Electronic mail systems,
for example, can access this field to show who is sending mail. While you don't have
to use the field, on larger systems it can make things much easier for administrators
and other users when they can discover the real name of the person the user name
belongs to.</P>
<CENTER>
<H4><A NAME="Heading14"></A><FONT COLOR="#000077">Home Directory</FONT></H4>
</CENTER>
<P>The home directory field indicates to the login process where to place users when
they log in. This is usually their home directory. Each user on the system should
have her own dedicated home directory, and then the startup files will initialize
the environment variable <TT>HOME</TT> to this value. The directory indicated in
this field is the user's initial working directory only, and places no restrictions
on the user (unless file permissions have been set to restrict movement).</P>
<P>For the most part, user home directories are located in a common area. Linux tends
to use the <TT>/home</TT> directory, so you will find home directories such as <TT>/home/tparker</TT>,
<TT>/home/ychow</TT>, and so on. Other versions use <TT>/usr</TT>, <TT>/user</TT>,
or <TT>/u</TT> as user home directories. In some cases where the system administrator
has experience with another type of UNIX that uses an alternate directory structure,
you may find the home directories changed to make life easier (and more familiar)
for that administrator. Linux doesn't care what the name
of the home directory is, as long as it can be entered.</P>
<CENTER>
<H4><A NAME="Heading15"></A><FONT COLOR="#000077">Login Command</FONT></H4>
</CENTER>
<P>The login command is the command to be executed when login terminates. In most
cases this is a shell command that is started, such as the C Shell or Bourne Shell,
to provide the user with a shell environment. In some cases, it may be a single application
or front-end system that restricts what the user can do. For example, the <TT>uucp</TT>
login (used for e-mail and other simple networking tasks) executes the <TT>uucp</TT>
command only. If the login command field is left empty, the operating system usually
defaults to the Bourne shell (although this may change depending on the manner in
which the operating system is set up).</P>
<P>Many versions of Linux enable users to change their login shell with the command
<TT>chsh</TT> or <TT>passwd -s</TT>. When either command is used, the file <TT>/etc/shells</TT>
is searched for a match. Only those commands in the <TT>/etc/shells</TT> file are
allowed as valid entries when the user tries to change his startup shell. (You can
add or remove lines in the <TT>/etc/shells</TT> file using any editor.) This helps
you keep tighter security on the system. The superuser account has no restrictions
on the entry in this field (or any other user's field). If your system uses the <TT>/etc/shells</TT>
file, make sure it has the same file permissions and ownership as the <TT>/etc/passwd</TT>
file, or a user can sneak through the system security by modifying the startup command
for her login.
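<P>The <TT>/etc/shells</TT> advice above can be turned into a check. This added example
(not part of the original chapter; the function names and demo files are constructed)
compares the mode and ownership of the two files, flags a shells file that is writable by
group or other, and lists logins whose login command is not in the shells file.</P>

```shell
#!/bin/sh
# Added example, not from the original chapter; function names are hypothetical.

# perm_sig FILE -> "mode uid gid", for example "-rw-r--r-- 0 0"
perm_sig() {
    ls -ldn -- "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# check_shells PASSWD_FILE SHELLS_FILE
# Prints findings, one per line; returns 1 if a permission check fails.
check_shells() {
    rc=0
    p=$(perm_sig "$1"); s=$(perm_sig "$2")
    if [ "$p" != "$s" ]; then
        echo "PERM_MISMATCH passwd=[$p] shells=[$s]"; rc=1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    case $s in
        ?????w*|????????w*) echo "SHELLS_GROUP_OR_OTHER_WRITABLE"; rc=1 ;;
    esac
    # Login commands that are not listed as valid shells. System logins that
    # run a single command (sync, uucp) appear here by design: review, not fail.
    awk -F: '
        FILENAME == ARGV[1] { if ($0 !~ /^[ \t]*(#|$)/) ok[$0] = 1; next }
        $7 != "" && !($7 in ok) { print "REVIEW " $1 " runs " $7 }
    ' "$2" "$1"
    return $rc
}

# Constructed demo files in a temporary directory (not real system files).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'sync:*:5:0:sync:/sbin:/bin/sync' \
        'tparker:x:100:100::/home/tparker:/bin/csh' \
        'ychow:x:101:100::/home/ychow:/home/ychow/mysh' > "$d/passwd"
    printf '%s\n' '# valid login shells' /bin/sh /bin/bash /bin/csh > "$d/shells"
    chmod 644 "$d/passwd"; chmod 664 "$d/shells"   # shells left group-writable
    status=0
    check_shells "$d/passwd" "$d/shells" || status=$?
    rm -rf "$d"
    return $status
}

demo || echo "permission findings present"
```

<P>On a live system the call is <TT>check_shells /etc/passwd /etc/shells</TT>.</P>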
<CENTER>
<H3><A NAME="Heading16"></A><FONT COLOR="#000077">Default System User Names</FONT></H3>
</CENTER>
<P>The extract from the <TT>/etc/passwd</TT> file shown in the preceding section
lists over a dozen system-dependent user names. These all serve special purposes
on the Linux system. A few of these logins are worth noting because they have specific
uses for the operating system and for system administrators:
<TABLE BORDER="0">
<TR ALIGN="LEFT" rowspan="1">
<TD WIDTH="59" ALIGN="LEFT" VALIGN="TOP"><TT>root</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">The superuser account (UID <TT>0</TT>), which has unrestricted access and owns many system
files. </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD WIDTH="59" ALIGN="LEFT" VALIGN="TOP"><TT>daemon</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">Used for system processes. This login is used only to own the processes and set their
permissions properly. <BR>