7.1 Objective 1: Manage Users and
Group Accounts
Whether on a corporate server or personal
desktop machine, managing user accounts is an important aspect
of running a Linux system. The root, or superuser, account is
established when you first install Linux. Unlike single-user
systems (such as MS-DOS), multiuser
systems (such as Linux) require the notion of an owner for
files, processes, and other system objects. In many cases, an
object's owner is a human system user who created the object.
Many objects are also owned by system services, such as web
servers. Each of these owners is differentiated from others by
a unique user account, which is assigned to it by the system
administrator.
If you're building your own desktop system,
you may be tempted to use the root account for daily activity,
thus avoiding user account issues. In most cases, however, the
privileges that come with the superuser account aren't
required for much of your daily activity and can be a
double-edged sword. It is easy to make big mistakes when you
have full privileges across the entire system. Instead,
running your daily tasks with a standard user account and
reserving the use of the root account for tasks that require
those privileges is always safer, even for experts.
7.1.1 User Accounts and the
Password File
When a new user account is added to a Linux
system, an entry is added to a list of users in the password file, which is stored in
/etc/passwd. This
file gets its name from its original use, which was to store
user information including an encrypted form of the user's
password. The password file is in plain text and is readable
by everyone on the system. Each line in the password file
contains information for a single user account, with item
detail separated by colons as illustrated in Figure
7-1.
Each line in the file contains information
for a single system account and contains the following pieces
of information in colon-separated fields:
- Username
-
The first field on a line is a unique
username for the person or service using the account.
The username is usually a short form of the person's name,
such as jdean.
- Password
-
Each username has an associated
password. The password
stored in this field is in an encrypted (unreadable) form.
Despite the encryption, for security reasons, most systems
now store users passwords in a separate /etc/shadow
file. If the password is not included, its field is filled
by the letter x, which indicates that the shadow
password system is in use.
- User ID
-
Each username requires a unique user identifier, or UID. The UID is simply a
nonnegative integer. The root account is assigned the UID of
0, which affords it global privilege on the system. Other
users have a positive UID, and it is not unusual to begin
the sequence for new users at a large number like 100, or on
some Linux distributions, 500. By convention, the UID values
from to 99 are reserved for administrative use; those over
99 are for regular system users.
- Group ID
-
Each username has a default group identifier, or GID. The GID is also a nonnegative
integer. Groups are a way of allowing users to share files
through mutual group membership. Group numbers and their
associated names are specified in the /etc/group
file. The GID stored for each user in /etc/passwd is
its default group ID, though a user may belong to many
groups.
- User's name (or other
comment)
-
The user's name or other information is
stored as plain text and usually contains the user's full
name. This field may contain spaces.
- Home directory
-
The home directory is the default directory in the
filesystem for the account. If a new account is meant for a
person, a home directory will probably be created in the
filesystem with standard configuration files that the user
may then personalize. The full path to that home directory
is listed here.
- Default shell
-
This field specifies the default shell for the user or service,
which is the shell that runs when the user logs in or opens
a shell window. In most cases, the shell will be
/bin/bash or /bin/tcsh, but it can be any
shell, or even another executable program.
In looking back at Figure
7-1, the first line shows the definition of the root
account with UID and GID of 0, a name of "root," a home
directory of /root, and a default shell of
/bin/bash. The second line shows a standard user
account for Jeff Dean, with UID and GID of 500. The home
directory is /home/jdean and the default shell is
/bin/tcsh.
|
You must be prepared to name the fields
in the passwd file. |
In both cases, note that the password field
contains a single letter x. This indicates that the
password is stored in /etc/shadow and not
/etc/passwd; /etc/shadow is secured and readable
only by the root user. This technique reduces the likelihood
of an attack against passwords on your system. Shadow
passwords and the attacks they defend against are discussed
later in this Objective.
7.1.2 Groups and the Group
File
In addition to ownership by individual system
users, filesystem objects have separate ownership settings for
groups of users. This group ownership allows an additional level of
user-specific access control beyond that of a file's
individual owner. Groups are similar to users in their
administration and are defined in the file /etc/group. Like the passwd file, the
group file contains colon-separated fields:
- Group name
-
Each group must have a unique
name.
- Group password
-
Just as user accounts have passwords,
groups can have passwords for their membership. If the
password field is empty, the group does not require a
password.
- Group ID
-
Each group requires a unique GID. Like a
UID, a GID is a nonnegative integer.
- Group member list
-
The last field is a list of group members
by username, separated by commas.
Together, these pieces of information define
a group; colons separate the fields. Here are a few sample
lines from a group file: root:x:0:root
pppusers:x:230:jdean,jdoe
finance:x:300:jdean,jdoe,bsmith
jdean:x:500:
jdoe:x:501:
bsmith:x:502:
|
Remember that some distributions assign
all accounts to the users group while others
assign a group for each account. Red Hat Linux, for
example, creates single-user groups for all users. In
contrast, SuSE Linux assigns the users group (GID
100) as the default for all users.
|
In this example, both jdean and
jdoe are members of the pppusers group (GID
230), and jdean, jdoe, and bsmith
are all members of the finance group (GID 300). The remaining
groups, root, jdean, jdoe, and
bsmith are single-user groups. These groups are not
intended for multiple users and do not contain additional
members. For security purposes, it is common to create new
users with their own personal single-user group. Doing this
enhances security because new files and directories will not
have group privileges for other users.
7.1.3 The Shadow Password and
Shadow Group Systems
At one time, the encryption used on passwords
in the world-readable /etc/passwd file was a roadblock
to anyone trying to break into a Unix system account. The
encrypted passwords were meaningless, and there was no way to
reverse-engineer them. However, improved computer performance
has led to tools that can process encrypted passwords through
what is known as a dictionary
attack. In this form of attack, a list of common words
and typical passwords is encrypted. The encrypted words are
then compared against the publicly available encrypted
passwords. If a match is found, the account in question is
compromised and can then be used by someone other than its
owner.
7.1.3.1 Shadow passwords
Encrypted passwords must be secure from all
users on the system, while leaving the remainder of the
information in /etc/passwd world-readable. To do this,
the encrypted password is moved to a new file that "shadows"
the password file line for line. The file is aptly called
/etc/shadow and is generally said to contain shadow passwords. Here are a few
example lines from a shadow file: root:$1$oxEaSzzdXZESTGTU:10927:0:99999:7:-1:-1:134538444
jdean:$1$IviLopPn461z47J:10927:0:99999:7::11688:134538412
The first two fields contain the username and
the encrypted passwords. The remaining fields contain optional
additional information on password aging information.
7.1.3.2 Group passwords and shadow
groups
Just as user accounts listed in
/etc/passwd are protected by encrypted passwords,
groups listed in /etc/group can also be protected by
passwords. A group password can be used to allow access to a
group by a user account that is not actually a member of the
group. Account
users can use the newgrp
command to change their default group and enter the group
password. If the password is correct, the account is granted
the group privileges, just as a group member would be.
The group definition file, like the password
file, is readable by everyone on the system. If group
passwords are stored there, a dictionary attack could be made
against them. To protect against such attacks, passwords in
/etc/group can be shadowed. The protected passwords are
stored in /etc/gshadow, which is readable only by root. Here are a few sample lines
from a gshadow file: root:::root
pppusers:x::
finance:0cf7ipLtpSBGg::
jdean:x::
jdoe:x::
bsmith:x::
In this example, the groups
pppusers, jdean, jdoe, and
bsmith do not have group passwords as indicated by
the x in the password field. The
finance group is the only one with a password,
which is encrypted.
|
A major contrast between
passwd/group and shadow/gshadow is the
permissions on the files. The standard files are
readable by everyone on the system, but the shadow files
are readable only by root, which protects encrypted
passwords from theft and possible cracking. |
7.1.4 User and Group Management
Commands
Although possible, it is rarely necessary (or
advised) to manipulate the account and group definition files
manually with a text editor. Instead, a family of convenient
administrative commands is available for managing accounts,
groups, password shadowing, group shadowing, and password
aging.
Syntaxuseradd [options] user
Description
Create the account
useron the system. Both system defaults and specified
options define how the account is configured. All
system account files are updated as required. An initial
password must subsequently be set for new users using the
passwd command. It is the
user's responsibility to go back and change that password when
he first logs in to the system.
Frequently used options
- -c "comment"
-
Define the comment field, probably the
user's name.
- -d homedir
-
Use homedir as the user's home
directory.
- -D
-
List (and optionally change) system default
values.
- -m
-
Create and populate the home
directory.
- -s shell
-
Use shell as the default for the
account.
Examples
Add a new user, bsmith, with all
default settings: # useradd bsmith
Add a new user, jdoe, with a name,
default home directory, and the tcsh shell: # useradd -mc "Jane Doe" -s /bin/tcsh jdoe
Syntaxusermod [options] user
Description
Modify an existing
user account. The usermod
command accepts many of the same options as useradd does.
Frequently used options
- -L
-
Lock the password, disabling the
account.
- -U
-
Unlock the user's password, enabling the
user to once again log into the system.
Examples
Change jdoe's name in the comment
field: # usermod -c "Jane Deer-Doe" jdoe
Lock the password for bsmith: # usermod -L bsmith
Syntaxuserdel [-r] user
Description
Delete an existing
user account. When combined with the -r option, the user's home directory
is deleted. Note that completely deleting accounts may lead to
confusion when files owned by the deleted user remain in other
system directories. For this reason, it is common to disable
an account rather than delete it. Accounts can be disabled
using the chage, usermod, and passwd commands.
Example
Delete the user bsmith, including the
home directory: # userdel -r bsmith
Syntaxgroupadd group
Description
Add groupto
the system. In the rare case that a group password is desired
on group, it must be added using the gpasswd command after the group is
created.
Syntaxgroupmod [option] group
Description
Modify the
parameters of group.
Option
- -n name
-
Change the name of group to
name.
Syntaxgroupdel group
Description
Delete group
from the system. Deleted groups can lead to the same confusion
in the filesystem as described previously for deleting a user
(see userdel).
Syntaxpasswd [options] username
Description
Interactively set
the password for username. The password cannot be
entered on the command line.
Option
- -l
-
Available only to the superuser, this
option locks the password for the account.
Syntaxgpasswd groupname
Description
Interactively set
the group password for groupname. The password cannot
be entered on the command line.
7.1.4.1 Additional user and group
management commands
While they are not specifically required for
this Objective, this discussion would not be complete without
a few additional commands for managing users and groups.
Syntaxpwconv
Description
Convert a standard
password file to a password and shadow password combination,
enabling shadow passwords on the system.
Syntaxpwunconv
Description
Revert from a shadow
password configuration to a standard password file.
Syntaxgrpconv
Description
Convert a standard
group file to a group and shadow group combination, enabling
shadow groups on the system. Shadow passwords are rarely
necessary.
Syntaxgrpunconv
Description
Revert from a shadow
group configuration to a standard group file.
Syntaxchage [options] user
Description
Modify password
aging and expiration settings for user. Nonprivileged users may use
this command with the -l option
for their username only.
Frequently used options
- -E expiredate
-
Set the account to expiration date
expiredate in the form MM/DD/YY or MM/DD/YYYY.
- -l
-
List a user's password
settings.
Example 1
Display password settings for user
jdoe (including nonprivileged user jdoe): $ chage -l jdoe
Example 2
Set jdoe's account expiration date to
January 1, 2002: # chage -E 01/01/2002 jdoe
|
You must be familiar with these account
management commands as well as be ready to specify
methods for adding, removing, and modifying user
accounts. |
|