<TABLE BORDER="0">
<TR ALIGN="LEFT">
<TD ALIGN="LEFT"></TD>
<TD></TD>
</TR>
</TABLE>
</TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD WIDTH="59" ALIGN="LEFT" VALIGN="TOP"><TT>bin</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">Owns executables. </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD WIDTH="59" ALIGN="LEFT" VALIGN="TOP"><TT>sys</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">Owns executables. </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD WIDTH="59" ALIGN="LEFT" VALIGN="TOP"><TT>adm</TT> </TD>
<TD ALIGN="LEFT" VALIGN="TOP">Owns accounting and log files. </TD>
</TR>
<TR ALIGN="LEFT" rowspan="1">
<TD WIDTH="59" ALIGN="LEFT" VALIGN="TOP"><TT>uucp<BR>
</TT></TD>
<TD ALIGN="LEFT" VALIGN="TOP">Used for UUCP communication access and files.<BR>
</TD>
</TR>
</TABLE>
<P>The other system logins are used for specific purposes (<TT>postmaster</TT> for
mail, and so on) that are usually self-explanatory. You should not change any of
the system logins. In most cases, they have an asterisk in the password field preventing
their use for entry purposes.
<CENTER>
<H3><A NAME="Heading17"></A><FONT COLOR="#000077">Adding Users</FONT></H3>
</CENTER>
<P>There are two ways to add users to your system: manually edit the <TT>/etc/passwd</TT>
file, or use an automated script that prompts you for the new user's details and
writes a new line to the <TT>/etc/passwd</TT> file for you. The automated approach
is handy for new system administrators who are uneasy about editing a file as important
as <TT>/etc/passwd</TT>, or for those occasions when you have to add several users
and the risk of error is thus increased. You must modify the <TT>/etc/passwd</TT>
file when you are logged in as root.
<DL>
<DD>
<HR>
<A NAME="Heading18"></A><FONT COLOR="#000077"><B>CAUTION:</B> </FONT>Before making
changes to your <TT>/etc/passwd</TT> file, make a copy of it! If you corrupt the
<TT>/etc/passwd</TT> file you will not be able to log in, even as root, and your
system is effectively useless except in system administration mode. Keep a copy of
the <TT>/etc/passwd</TT> file on your emergency floppy or boot floppy in case of
problems.
<HR>
</DL>
<P>To add an entry to the <TT>/etc/passwd</TT> file, use any editor that saves information
in ASCII. Add the new users to the end of the file, using a new line for each user.
Make sure you use a unique user name and user ID (UID) for each user. For example,
to add a new user called <TT>bill</TT> to the system with a UID of 103 (remember
to keep UIDs sequential for convenience) and a GID of 100 (the default group), a
home directory of <TT>/home/bill</TT>, and a startup shell of the Bourne shell, add
the following line to the <TT>/etc/passwd</TT> file:
<PRE><FONT COLOR="#0066FF">bill::103:100:Bill Smallwood:/home/bill:/bin/sh
</FONT></PRE>
<P>Note that we have left the password blank because you can't type in an encrypted
password yourself. Until a password is set, the empty field leaves the account without
one, so as soon as you have saved the changes to <TT>/etc/passwd</TT>,
set a password for this account by running the following command:
<PRE><FONT COLOR="#0066FF">passwd bill
</FONT></PRE>
<P>This command prompts you for an initial password. Set the password to something
that Bill will be able to use, and ask him to change the password the first time
he works on the system. Many system administrators set the initial password to a
generic string (such as "password" or the login name) and then force the
new user to change the password the first time they log in. Using generic strings
is usually acceptable if the user logs in quickly, but don't leave accounts with
generic login strings sitting around too long--someone else may use the account.</P>
<P>After you have added the necessary line to the <TT>/etc/passwd</TT> file, you
should create the user's home directory. Once it is created, you must set the ownership
so that the user owns the directory. For the preceding example, you would issue the
following commands:
<PRE><FONT COLOR="#0066FF">mkdir /home/bill
chown bill /home/bill
</FONT></PRE>
<P>All users must belong to a group. If your system has only one group defined, then
add the user's user name to the line in the <TT>/etc/group</TT> file that represents
that group. If the new user should belong to several groups, add the user name to
each group in the <TT>/etc/group</TT> file. The <TT>/etc/group</TT> file and groups
in general are discussed in the "Groups" section later in the chapter.</P>
<P>Finally, the configuration files for the users' shells should be copied into their
home directory and set to allow them access for customization. For example, if you
copy the Bourne shell's <TT>.profile</TT> file from another user called <TT>yvonne</TT>,
you would issue the following commands:
<PRE><FONT COLOR="#0066FF">cp /home/yvonne/.profile /home/bill/.profile
chown bill /home/bill/.profile
</FONT></PRE>
<P>You should also manually check the configuration file to ensure there are no environment
variables that will be incorrectly set when the user logs in. For example, there
may be a line defining the <TT>HOME</TT> environment variable or the spool directories
for printer and mail. Use any ASCII editor to check the configuration file. If you
are using the Korn or C shell, there are other configuration files that need to be
copied over and edited. Bourne shell compatibles need only a <TT>.profile</TT>, while
the C shell and compatibles need <TT>.login</TT> and <TT>.cshrc</TT>. The Korn shell
and compatibles need a <TT>.profile</TT> and usually another file with environment
variables embedded in it.</P>
<P>In general, this is the process for manually adding a new user to your system:
<DL>
<DD><B>1.</B> Add an entry for the user in the <TT>/etc/passwd</TT> file.<BR>
<BR>
<B>2.</B> Create the user's home directory and set the ownership.<BR>
<BR>
<B>3.</B> Copy the shell startup files and edit their settings and ownerships.
</DL>
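<P>The three steps above as one shell function, added here as an illustration (it is not from the original chapter). The function name <TT>add_user</TT>, its <TT>ROOT</TT> prefix argument and the <TT>SKEL</TT> file are assumptions; unlike the walkthrough, it writes <TT>*</TT> rather than an empty password field, so the account cannot be used before <TT>passwd</TT> is run.</P>

```shell
#!/bin/sh
# Added example. add_user ROOT LOGIN UID GID GECOS SHELL SKEL
# ROOT is a path prefix: "" on the live system (run as root), or a scratch
# directory containing etc/passwd and home/ for a dry run.
# SKEL is a .profile you have already reviewed.
add_user() {
    root=$1 login=$2 uid=$3 gid=$4 gecos=$5 shell=$6 skel=$7
    pw="$root/etc/passwd"
    home="/home/$login"

    # Validate first: a ":" inside any field would shift every later field.
    case $login in
        ''|*[!a-z0-9_-]*) echo "add_user: bad login name" >&2; return 1 ;;
    esac
    for n in "$uid" "$gid"; do
        case $n in
            ''|*[!0-9]*) echo "add_user: UID and GID must be numeric" >&2; return 1 ;;
        esac
    done
    case $gecos$shell in
        *:*) echo "add_user: ':' not allowed in a field" >&2; return 1 ;;
    esac
    if awk -F: -v n="$login" -v u="$uid" \
        '$1 == n || $3 == u { hit = 1 } END { exit !hit }' "$pw"; then
        echo "add_user: login name or UID already in use" >&2; return 1
    fi
    [ ! -e "$root$home" ] || { echo "add_user: $home exists" >&2; return 1; }

    # Step 1: keep a copy, then append the entry. "*" instead of an empty
    # password field keeps the account unusable until "passwd LOGIN" is run.
    cp -p "$pw" "$pw.bak" || return 1
    printf '%s:*:%s:%s:%s:%s:%s\n' \
        "$login" "$uid" "$gid" "$gecos" "$home" "$shell" >> "$pw" || return 1

    # Step 2: home directory. Step 3: startup file, then ownership of both.
    mkdir "$root$home" || return 1
    cp "$skel" "$root$home/.profile" || return 1
    if [ "$(id -u)" -eq 0 ]; then        # only root can give files away
        chown -R "$uid:$gid" "$root$home" || return 1
    fi
}
```

<P>On the live system the call would be followed by <TT>passwd bill</TT> to replace the <TT>*</TT> with a real password.</P>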
<P>Some distributions of the Linux system have a hold-over command from the Berkeley
BSD UNIX version. The command <TT>vipw</TT> invokes the <TT>vi</TT> editor (or whatever
the default system editor has been set to) and edits a temporary copy of the <TT>/etc/passwd</TT>
file. The temporary file, together with a file lock, prevents
two different users from editing the file at the same time. When the file is saved,
<TT>vipw</TT> does a simple consistency check on the changed file, and if all appears
proper, the <TT>/etc/passwd</TT> file is updated.</P>
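<P>A consistency check in the same spirit, as an added example (it is not the code <TT>vipw</TT> runs and not from the original chapter): it flags entries without seven fields, repeated login names or UIDs, and empty password fields. The function names and the sample entries are constructed for illustration.</P>

```shell
#!/bin/sh
# Added example: consistency audit for a passwd-format file.
# Prints one "LINE:CODE:DETAIL" record per finding; no output means clean.
audit_passwd() {
    awk -F: '
        NF != 7  { printf "%d:BAD_FIELD_COUNT:%d\n", NR, NF; next }
        $1 == "" { printf "%d:EMPTY_LOGIN:\n", NR; next }
        ($1 in name_line) {
            printf "%d:DUP_LOGIN:%s (first on line %d)\n", NR, $1, name_line[$1]
        }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "%d:NON_NUMERIC_ID:%s\n", NR, $1
        }
        ($3 in uid_line) {
            printf "%d:DUP_UID:%s shares UID %s with line %d\n", NR, $1, $3, uid_line[$3]
        }
        $2 == "" { printf "%d:EMPTY_PASSWORD:%s\n", NR, $1 }
        {
            # Remember where each login name and UID was first seen.
            if (!($1 in name_line)) name_line[$1] = NR
            if (!($3 in uid_line))  uid_line[$3] = NR
        }
    ' "$1"
}

# Constructed sample data (not from a real system); HASH stands in for a hash.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:root:/root:/bin/sh
bill::103:100:Bill Smallwood:/home/bill:/bin/sh
yvonne:HASH:104:100:Yvonne:/home/yvonne:/bin/sh
walter:*:103:100:Walter:/home/walter:/bin/sh
bill:*:105:100:Second Bill:/home/bill2:/bin/sh
broken:*:106:100:No shell field:/home/broken
EOF
}

# Demonstration on the constructed sample.
tmp=$(mktemp) && sample_passwd > "$tmp" && audit_passwd "$tmp"
rm -f "$tmp"
```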
<P>The automated scripts for Linux tend to have the names <TT>useradd</TT> or <TT>adduser</TT>.
When run, they prompt you for all the information that is necessary in the <TT>/etc/passwd</TT>
file. Both versions let you exit at any time to avoid changing the <TT>/etc/passwd</TT>
file. The automated scripts also tend to ask for an initial password, which you can
set to anything you want or leave blank. One advantage of the automated scripts is
that they copy all the configuration files for the supported shells automatically,
and in some cases, make environment variable changes for you. This can significantly
simplify the process of adding users.</P>
<P>A quick note on passwords--they are vitally important to the security of your
system. Unless you are on a standalone Linux machine with no dial-in modems, every
account should have a secure password. Passwords are assigned and changed with the
<TT>passwd</TT> command. The superuser can change any password on the system, but
a user can only change his own password.
<CENTER>
<H3><A NAME="Heading19"></A><FONT COLOR="#000077">Deleting Users</FONT></H3>
</CENTER>
<P>Just like adding new users, deleting users can be done with an automated script
or manually. The automated script (<TT>deluser</TT> or <TT>userdel</TT>) asks which
user you want to delete and then removes the entry from the <TT>/etc/passwd</TT>
file. Some scripts also clean out the spool and home directory files, if you want.
You must make any deletions to the <TT>/etc/passwd</TT> file when logged in as root.</P>
<P>If you delete users manually, simply remove their entries from the <TT>/etc/passwd</TT>
file. Then you can clean up their directories to clear disk space. You can completely
delete all their files and their home directory with the command
<PRE><FONT COLOR="#0066FF">rm -r /home/userdir
</FONT></PRE>
<P>where <TT>/home/userdir</TT> is the full pathname of the user's home directory.
Make sure there are no files you want to keep in that directory before you blow them
all away!</P>
<P>Next, you should remove the user's mail spool file, which is usually kept in <TT>/usr/spool/mail/username</TT>.
For example, to remove the user <TT>walter</TT>'s mail file, issue the following
command:
<PRE><FONT COLOR="#0066FF">rm /usr/spool/mail/walter
</FONT></PRE>
<P>The spool file is a single file, so this command cleans up the entries properly.
To finish off the mail clean-up, check that the user has no entries in the mail alias
files (usually <TT>/etc/aliases</TT>), or force all mail for that user to
another login (such as root). To make any changes to the <TT>/etc/aliases</TT> file
effective, you must run the <TT>newaliases</TT> command.</P>
<P>Finally, clean up the user's <TT>cron</TT> and <TT>at</TT> jobs. You
can display the user's <TT>crontab</TT> file using the <TT>crontab</TT> command.</P>
<P>If you need to retain the user for some reason (such as file ownerships, a general
access account, or accounting purposes), you can disable the login completely by
placing an asterisk in the password field of the <TT>/etc/passwd</TT> file. That
login can never be used once an asterisk is in the password field. If you need to
reactivate the account, simply run the <TT>passwd</TT> command.</P>
<P>The process for manually deleting a user (or using an automated script that doesn't
clean up directories and files) involves the following steps:
<DL>
<DD><B>1.</B> Remove the user's entry from <TT>/etc/passwd</TT> and <TT>/etc/group</TT>.<BR>
<BR>
<B>2.</B> Remove the user's mail file and any mail aliases.<BR>
<BR>
<B>3.</B> Remove any <TT>cron</TT> or <TT>at</TT> jobs.<BR>
<BR>
<B>4. </B>Remove the home directory if you don't want any files it holds.
</DL>
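<P>A check for what the steps above can leave behind, added as an example (it is not from the original chapter). The <TT>ROOT</TT> prefix, the <TT>CRON_DIR</TT> default and the <TT>/home/LOGIN</TT> home path are assumptions, the scratch tree is constructed, and <TT>at</TT> jobs are not covered.</P>

```shell
#!/bin/sh
# Added example. leftovers ROOT LOGIN: print what still refers to LOGIN.
# ROOT is a path prefix ("" for the live system). No output means clean.
# Assumption: CRON_DIR is where this system keeps per-user crontab files.
CRON_DIR=${CRON_DIR:-/var/spool/cron/crontabs}

leftovers() {
    root=$1 login=$2
    # Step 1: passwd entry, and member lists (field 4) in /etc/group.
    awk -F: -v n="$login" '$1 == n { print "passwd: entry on line " NR }' \
        "$root/etc/passwd"
    awk -F: -v n="$login" '{
        m = split($4, member, ",")
        for (i = 1; i <= m; i++) if (member[i] == n) print "group: member of " $1
    }' "$root/etc/group"
    # Step 2: mail spool file, and alias lines that name the login.
    [ -e "$root/usr/spool/mail/$login" ] && echo "mail: spool file present"
    if [ -f "$root/etc/aliases" ]; then
        awk -v n="$login" '
            /^[ \t]*#/ { next }
            {
                line = $0; gsub(/[:,]/, " ", line)
                k = split(line, word, " ")
                for (i = 1; i <= k; i++)
                    if (word[i] == n) { print "aliases: line " NR; break }
            }' "$root/etc/aliases"
    fi
    # Step 3: crontab file. Step 4: home directory.
    [ -e "$root$CRON_DIR/$login" ] && echo "cron: crontab present"
    [ -d "$root/home/$login" ] && echo "home: directory present"
    return 0
}

# Constructed scratch tree: walter is gone from passwd, nothing else was cleaned.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/usr/spool/mail" "$1/home/walter" "$1$CRON_DIR"
    printf '%s\n' 'root:*:0:0:root:/root:/bin/sh' > "$1/etc/passwd"
    printf '%s\n' 'users::100:bill,walter' 'walters::101:yvonne' > "$1/etc/group"
    printf '%s\n' '# walter left' 'postmaster: root' 'sales: bill, walter' > "$1/etc/aliases"
    : > "$1/usr/spool/mail/walter"
}

d=$(mktemp -d) && make_sample_tree "$d" && leftovers "$d" walter
rm -rf "$d"
```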
<P>Occasionally, you may want to temporarily disable a user's account, such as when
the user goes on extended leave, vacation, or because you are mad at that person!
If you want to temporarily disable the login but be able to recover it at any time
in the future, add an asterisk as the first character of the encrypted password.
Don't alter any characters in the existing password, but just add the asterisk to
the front. When you want to reactivate the account, remove the asterisk and the password
is back to whatever it was set to before you made the changes.
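<P>The asterisk technique as an added example (it is not from the original chapter), assuming the encrypted password sits in field 2 of the file given. The hypothetical <TT>set_lock</TT> refuses to unlock a field that is only <TT>*</TT>, since removing that asterisk would leave the account with an empty password; the sample entries are constructed.</P>

```shell
#!/bin/sh
# Added example. set_lock FILE LOGIN lock|unlock
# Returns 0 on success, 2 if LOGIN is not in FILE, 3 if unlock is refused
# because the field is a bare "*" (nothing behind the asterisk to restore).
set_lock() {
    file=$1 login=$2 action=$3
    tmp="$file.lock.$$"
    cp -p "$file" "$tmp" || return 1      # temp copy inherits the file's mode
    rc=0
    awk -F: -v OFS=: -v n="$login" -v a="$action" '
        $1 == n {
            seen = 1
            locked = (substr($2, 1, 1) == "*")
            if (a == "lock" && !locked) $2 = "*" $2
            if (a == "unlock" && locked) {
                if ($2 == "*") refused = 1
                else $2 = substr($2, 2)   # drop only the leading asterisk
            }
        }
        { print }
        END { if (!seen) exit 2; if (refused) exit 3 }
    ' "$file" > "$tmp" || rc=$?
    # Replace the original only when the edit succeeded.
    if [ "$rc" -eq 0 ]; then mv "$tmp" "$file"; else rm -f "$tmp"; fi
    return "$rc"
}

# Constructed sample; HASH stands in for a real encrypted password.
sample_passwd() {
    printf '%s\n' 'bill:HASH:103:100:Bill Smallwood:/home/bill:/bin/sh' \
                  'walter:*:104:100:Walter:/home/walter:/bin/sh'
}

f=$(mktemp) && sample_passwd > "$f" && set_lock "$f" bill lock && cat "$f"
rm -f "$f"
```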
<CENTER>
<H3><A NAME="Heading20"></A><FONT COLOR="#000077">Groups</FONT></H3>
</CENTER>
<P>Every user on a UNIX and Linux system belongs to a group. A group is a collection
of individuals lumped together for some reason. The users in a group may all work
in the same department, may need access to a particular programming utility, or they
may all have access to use a special device, such as a scanner or color laser printer.
Groups can be set up for any reason, and users can belong to any number of groups.
However, a user can only be a member of one group at a time, because groups are used
for determining file permissions and Linux only allows one group ID per user at any
point in time.</P>
<P>Groups can have their permissions set so that members of that group have access
to devices, files, file systems, or entire machines that other users who do not belong
to that group may be restricted from. For example, this can be useful when you have