Adding New Users Chapter 6 Adding new users

Adding New Users Chapter 6 - Adding new users

Introduction n Adding and removing users is a routine chore. n These tasks are simple, but they are also boring. n Most administrators build tools to automate the process and then delegate the actual work to an assistant or operator. n Account hygiene is a key determinant of system security n Infrequently used accounts are prime targets for hackers, n as are accounts with easily guessed passwords Chapter 6 - Adding new users

1. The /etc/passwd file n The /etc/passwd file is a list of users recognized by the system. n Each line in the file represents one user and contains several fields separated by colons: n n n n Login name Encrypted password (unless there is a shadow password) UID number Default GID number GECOS information (full name, office, extension, phone) Home directory Login shell n The contents are often shared among systems via NIS or NIS+ Chapter 6 - Adding new users

1. The /etc/passwd file n Login name Must be unique n On some OS’s (and with NIS/NIS+) they are limited to 8 characters n Case sensitive n n (but most mail systems expect lower case) Chapter 6 - Adding new users

1. The /etc/passwd file n Encrypted password This is set by passwd (yppasswd if you use NIS) n Encryption Schemes n n Most use DES encryption n n input: first 8 characters are used output: 13 characters are produced no matter what n Red Hat and Free. BSD include support for MD 5 n n input: can be of any length output: 31 characters (first 3 are $1$) Chapter 6 - Adding new users

1. The /etc/passwd file n Shadow passwords: (Chapter 21) n places encrypted passwords in a separate file (not world readable) n Solaris requires shadow passwords n Notes: n A * in this field prevents someone from logging in. n Never leave this field empty. Chapter 6 - Adding new users

1. The /etc/passwd file n UID number n Size: n On most modern systems UIDs are a 32 bit integer n On older systems the largest UID was 32, 767 By definition, root has UID 0 n HINTS: n n avoid recycling UID’s (restoring files can be a problem) n Keep unique UID’s across your system Chapter 6 - Adding new users

1. The /etc/passwd file n Default GID number n Group ID numbers n Size: 16 or 32 bit integer (signed or unsigned) n Defined in /etc/group n Reservations n n GID 0 - reserved for the group “root” or “wheel” GID 1 - reserved for the group “daemon” n Modern versions UNIX allow users to be in up to 16 groups. Chapter 6 - Adding new users

1. The /etc/passwd file n File creation: BSD or Not? n Inherit the GID of the parent directory or the user? n If from the user, they may want to change which group they are in at the time with the command newgrp n Most OS’s do not follow the BSD semantics n But they allow it as a mount option (grpid) Chapter 6 - Adding new users

1. The /etc/passwd file n GECOS field no well defined syntax n records personal information n finger and sendmail use this info (but most others do not) n chfn lets users change their own GECOS information n n this can be abused Chapter 6 - Adding new users

1. The /etc/passwd file n Home directory Users are placed in their home directory when they log in n If the home directory is missing: n n All print an error message n Some allow the login to proceed (and put the user in /) n Some don’t allow the login to continue. n Beware: if home directories are mounted over NFS, they may be unavailable in the event of a server or network problem. Chapter 6 - Adding new users

1. The /etc/passwd file n Login shell n Normally a command interpreter such as n /bin/sh, /bin/csh, /bin/ksh, /bin/tcsh, /bin/bash sh is the default on most systems and is used if /etc/passwd does not specify a login shell n Users can change their shell with chsh n n /etc/shells contains a list that chsh will allow. Chapter 6 - Adding new users

2. The Free. BSD /etc/master. passwd File n On Free. BSD, the “real” password file is /etc/master. passwd. n The /etc/passwd file exists for backward compatibility, but it is generated from master. passwd and is never edited directly. n This file also contains fields to implement password aging n The authors of our text are not very enthusiastic about password aging. See Chapter 21 for a discussion. n It also contains information for account expiration. Chapter 6 - Adding new users

3. The Free. BSD /etc/login. conf File n The login. conf entry can set n Resource limits (max process size, open files, …) n Session accounting limits (when logins are allowed, how long) n Default environment variables n Default paths (PATH, MANPATH, …) n Location of the message of the day n Host and TTY-based access control n Default umask n Account controls (min passwd length, password aging, …) Chapter 6 - Adding new users

4. The Solaris and Red Hat /etc/shadow File n The use of a shadow password file is mandatory under Solaris. n You can also use it under Red Hat Linux if you install the shadow package. n /etc/shadow is readable only by the superuser n keeps encrypted passwords safe from prying eyes. n Has fields for password expiration, and aging. Chapter 6 - Adding new users

5. The /etc/group File Contains the names of UNIX groups and a list of each group’s members n Each line contains n n Group name n Encrypted password (vestigal and rarely used) n allows users to change to the group with the password even if not in the list of members. n GID number n List of members (comma separated) Chapter 6 - Adding new users

6. Adding Users n Introduction n Before you create an account fo a new user, it’s very important that the user sign and date a copy of your local user agreement and policy statement. n See Chapter 27 for more info. n The process consists of: n Edit the passwd and shadow files to define the user’s account n Set an initial password n Create the user’s home directory Chapter 6 - Adding new users

6. Adding Users n For the user n Copy default startup files n Set the user’s mail home and establish mail aliases n For you: n Add the user to the /etc/group file n Config the disk quotas n Verify the account has been set up. Chapter 6 - Adding new users

6. Adding Users n Editing the passwd and shadow files n To safely edit the passwd file, run vipw to invoke a text editor on a copy of it. n vipw allows only one person to edit the passwd file at a time. n On Solaris, vipw asks if you want to edit the shadow file after you have edited the passwd file n On Free. BSD, vipw edits the master. passwd file (then runs pwd_mkdb to generate the derived passwd file) Chapter 6 - Adding new users

6. Adding Users n Setting the initial password n Root can change any user’s password with the passwd command. n passwd user Different implementations of passwd do/require different things n NEVER leave a new account - or any account that has access to a shell - without a password. n Chapter 6 - Adding new users

6. Adding Users n Creating the user’s home directory Any directory you create is intially owned by root, so you must change its owner and group with the chown and chgrp commands n The following is an example of their usage: n n mkdir /home/staff/tyler n chown tyler /home/staff/tyler n chgrp staff /home/staff/tyler n chmod 700 /home/staff/tyler Chapter 6 - Adding new users

6. Adding Users n Copying the default startup files n You can customize commands and utilities by placing configuration files in a user’s home directory. n Startup files traditionally begin with a dot n n ls ignores these files unless it is given a “-a” option Some vendors supply a starting point set n /etc/skel or /usr/share/skel n Depending upon a user’s shell, /etc may contain system-wide startup files that are processed before the user’s own startup files Chapter 6 - Adding new users

6. Adding Users n Setting the user’s mail home n It is convenient for each user to receive email on only one machine. n This scheme is often implemented with an entry in the global aliases file /etc/mail/aliases or the sendmail user. DB n See Chapter 19 for general information about email Chapter 6 - Adding new users

6. Adding Users n Editing the /etc/group file When you added a new user (in /etc/passwd) you placed them in a group. n /etc/group should be updated to reflect this n n and any other groups you wish to add them to. Chapter 6 - Adding new users

6. Adding Users n Setting disk quotas n If your site uses disk quotas, you should set quota limits for each new account with the edquota command n edquota can be done interactively, or with a “-p” to make a user just like someone else. n edquota -p someone_else new_user Chapter 6 - Adding new users

6. Adding Users n Verifying the new login n To verify that a new account has been properly configured, first log out, then log in as the new user and execute the following commands: n pwd n ls n -la If your site requires users to sign a written contract, n be sure this step has been completed before releasing the account n Be sure to remind new users to change their password immediately Chapter 6 - Adding new users

7. Removing Users n When a user leaves your organization, that user’s login account must be removed from the system. n This procedure involves removing all references to the login name that were added by you or your adduser program: n Before you remove a user’s home directory, it’s always a good idea to make an extra backup of their directory (and mail spool) before deleting them Chapter 6 - Adding new users

7. Removing Users n You may want to use the following checklist: n Set user’s disk quota to 0 n Remove the user from any local user database n Remove the user from the n aliases file (or add a forwarding address) n Remove the user’s crontab file and pending at jobs n Kill any of the user’s processes that are still running. n Remove any temporary files owned by the user passwd and group files n Remove the user’s home directory n Remove the user’s mail spool n Remove the user from the Chapter 6 - Adding new users

7. Removing Users n Once you have removed a user, be sure to verify that the user’s old UID owns no more files on the system. n A fast way to do this is with the n n n quot command Example: quot /home quot does not require disk quotas to be active quot only works on local disks (not over NFS mounts) n If there are, you can find their exact path with n find -x /home -nouser -print Chapter 6 - Adding new users

8. Disabling Logins n On occasion, a user’s login must be temporarily disabled. n Some people just put a * in the password file for the encrypted password. However, some setups allow net logins without a password. n These days you should replace the user’s shell with a program that explains why the login has been disabled (and how to rectify the situation) Chapter 6 - Adding new users

8. Disabling Logins n Be careful about this placing this pseudo-shell in the /etc/shells file n do you want them to have ftp access? n ftpd checks to see if the user’s login shell is in /etc/shells n Do you want them to continue to receive email n sendmail does also…. Chapter 6 - Adding new users

9. Vendor-Supplied Account Management Utilities n Solaris, HP-UX, and Red Hat provide a similar set of utilities to help automate the creation, deletion, and modification of users and groups n Users: n useradd adds users to the passwd file (and shadow) n usermod and userdel modify and delete users n Groups: n groupadd, groupmod, and groupdel operate on /etc/group Chapter 6 - Adding new users

Chapter 6 - Adding new users