Linux Administrator Handbook (7)

Source: Internet
Author: User

This chapter explains how to create new user accounts, how to change the properties of existing accounts, and how to remove accounts. Different Linux systems provide different tools for these tasks.

What is an account?

When a computer is used by several people, it is usually necessary to tell the users apart, for example so that personal files stay private. This matters even when the computer can be used by only one person at a time, as is the case with most microcomputers. Each user is therefore given a separate user name, and that name is used when logging in.

A user is more than just a name, however. An account is all the files, resources, and information that belong to one user. The term comes from banking: in a commercial system each account usually has some money attached to it, and that money is spent at a rate that depends on how heavily the user loads the system. For example, disk space might have a price per megabyte per day, and processing time a price per second.

Creating a user

The Linux kernel itself treats users as mere numbers. Each user is identified by a unique integer, the user ID or UID, because numbers are faster and easier for the computer to handle than textual names. A separate database outside the kernel assigns a textual name, the username, to each user ID. That database also holds some additional information.

To create a user, you have to add the user's information to the user database and create a home directory. It may also be necessary to educate the user and to set up a suitable initial environment.

Most Linux distributions come with a program for creating accounts, and there are several such programs. Two command line alternatives are adduser and useradd; there may be a GUI tool as well. Whatever the program, the result is that there is little if any manual work to be done. Even though the details are many and intricate, these programs make everything seem trivial. Section 8.2.4 below nevertheless describes how to do it by hand.

/etc/passwd and other informative files

The basic user database on a UNIX system is the text file /etc/passwd (called the password file), which lists all valid usernames and their associated information. The file has one line per user, divided into seven colon-separated fields:

Username
Password, in encrypted form
Numeric user ID
Numeric group ID
Full name or other description of the account
Home directory
Login shell (the program that is run at login)

The detailed format is described in passwd(5).

Any user on the system may read the password file, for example in order to learn the names of other users. This means that the password (the second field) is also available to everybody. The password file stores passwords in encrypted form, so in theory this is no problem. In practice the encryption can be broken, especially if the password is weak (for example too short, or a word that can be found in a dictionary). It is therefore not a good idea to keep the passwords in the password file.

Many Linux systems have shadow passwords. With this scheme the encrypted passwords are stored in a separate file, /etc/shadow, which can be read only by root; /etc/passwd then holds only a special marker in the second field. A program that needs to verify a user is setuid root and can therefore access the shadow password file. Normal programs, which only use the other fields of the password file, cannot get at the passwords.
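As an added example (not part of the original chapter), here is a small audit of a passwd-format file for the problems just described: lines that do not have seven fields, empty password fields, real hashes left in the world-readable file instead of the shadow marker, and duplicate or extra uid 0 entries. The "x" marker, the lock markers "*" and "!", and the sample lines are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit a passwd-format file.
# Assumes the shadow marker is "x" and that "*" or a leading "!" mark a
# locked account, as the common shadow suite does.

# Print one finding per line for the file named in $1; print nothing when
# the file is clean.
audit_passwd() {
    awk -F: '
        # every record must have exactly the seven fields listed above
        NF != 7 { printf "line %d: malformed, %d fields\n", NR, NF; next }
        # an empty second field means no password is needed to log in
        $2 == "" { printf "%s: empty password field\n", $1; next }
        # anything but the shadow marker or a lock marker is a real hash
        # sitting in the world-readable file
        $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            printf "%s: password hash kept in passwd, not in shadow\n", $1 }
        # only root should have uid 0
        $3 == 0 && $1 != "root" { printf "%s: uid 0 but not root\n", $1 }
        # uids must be unique, or file ownership becomes ambiguous
        seen[$3]++ { printf "%s: duplicate uid %s\n", $1, $3 }
    ' "$1"
}

# Constructed sample file; the hash on the "legacy" line is a placeholder.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$saltsalt$0123456789abcdefghijk:1001:1001:Legacy User:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:second uid 0:/root:/bin/sh
dup:x:1001:1001:Duplicate:/home/dup:/bin/sh
broken:x:1003:1003:/home/broken:/bin/sh
EOF

audit_passwd "$SAMPLE"
```

Run against the real file with `audit_passwd /etc/passwd`; an empty result means none of the listed problems were found.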

Picking numeric user and group IDs

On most systems it does not matter what the numeric user and group IDs are, but if you use the Network File System (NFS), all systems must use the same UIDs and GIDs, because NFS also identifies users by UID. If you do not use NFS, you can let the account creation tool pick the UIDs automatically.

If you use NFS, you must use some mechanism to synchronize account information between the systems. One approach is the NIS system (see [Kir]).

Initial environment: /etc/skel

When a new user's home directory is created, it is initialized with the files from the /etc/skel directory. The system administrator can create files in /etc/skel to provide a good default environment for users. For example, /etc/skel/.profile could set the EDITOR environment variable to an editor that is friendly towards new users.

However, it is usually best to keep /etc/skel as small as possible, because it is next to impossible to update existing users' files afterwards. For example, if the name of the friendly editor changes, all existing users would have to edit their .profile. The system administrator could try to do it automatically with a script, but that is almost certain to break somebody's file.

Whenever possible, it is better to put global settings into global files, such as /etc/profile. Those can be updated without disturbing users' own settings.

Creating a user by hand

Follow these steps to create a new user manually:

Edit /etc/passwd with vipw(8) and add a line for the new user. Be careful with the syntax. Do not edit the file directly with an ordinary editor! vipw locks the file, so that other commands will not try to update it at the same time. Set the password field to "*", so that it is impossible to log in.

Similarly, if you need to create a new group, edit /etc/group with vigr.

Create the user's home directory with mkdir.

Copy the files from /etc/skel to the new home directory.

Fix the ownership and permissions with chown and chmod. The -R option is most useful. The correct permissions vary a little from one site to another, but usually the following commands do the right thing:

cd /home/newusername
chown -R username.group .
chmod -R go=u,go-w .
chmod go= .

Set the password with passwd(1).

Once the password has been set in the last step, the account is ready to use. You should not set the password until everything else has been done, otherwise the user may log in while you are still copying the files.
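As an added example (not part of the original chapter), the two shell functions below carry out the home directory part of the procedure above and then verify the result: the home directory must grant group and other nothing, and nothing inside it may be writable by group or other. The chown step is omitted because the demo runs as an ordinary user; the skeleton and home paths are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page. The skeleton directory and
# home path used in the demo are constructed and not real system paths.

# Populate home directory $2 from skeleton directory $1 and apply the
# permissions from the text: group and other get the owner's bits minus
# write, and the home directory itself becomes private to the owner.
init_home() {
    skel=$1; home=$2
    mkdir -p "$home"
    cp -R "$skel/." "$home/"
    (cd "$home" && chmod -R go=u,go-w . && chmod go= .)
}

# Return 0 when $1 is owner-only and nothing inside it is writable by
# group or other; return 1 otherwise.
check_home() {
    home=$1
    # the directory itself must grant group and other nothing at all
    case $(ls -ld "$home" | cut -c1-10) in
        d???------) ;;
        *) return 1 ;;
    esac
    # nothing underneath may be writable by group or other
    # (find -perm -mode matches when all the named bits are set)
    if find "$home" \( -perm -g+w -o -perm -o+w \) | grep -q .; then
        return 1
    fi
    return 0
}

# Demo on a constructed skeleton in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/skel"
printf 'EDITOR=vi; export EDITOR\n' > "$demo/skel/.profile"
init_home "$demo/skel" "$demo/home/newuser"
check_home "$demo/home/newuser" && echo "home directory permissions OK"
```

Running `check_home` over each directory under /home is a quick way to spot accounts whose files were later made group- or world-writable.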

Sometimes it is necessary to create a dummy account that is not used by anyone. For example, to set up an anonymous FTP server (so that anyone can download files from it without first having to get an account), you must create an account called ftp. In such cases it is usually unnecessary to set a password in the last step. Indeed, it is better not to, so that nobody can use the account except by becoming root first, since root can become any user.

Changing user properties

There are a few commands for changing the various properties of an account (that is, the corresponding fields in /etc/passwd):

chfn
Change the full name field.
chsh
Change the login shell.
passwd
Change the password.

The superuser may use these commands to change the properties of any account. Normal users can only change the properties of their own account. It may sometimes be necessary to disable these commands for normal users (with chmod), for example in an environment with many novice users.

Other tasks have to be done by hand. For example, to change the username you must edit /etc/passwd (remember: with vipw). Likewise, to add or remove a user's membership in additional groups you must edit /etc/group (with vigr). Such tasks are rarer and need some care: for example, after a username changes, e-mail can no longer reach the user unless you also create a mail alias.

Removing a user

To remove a user, you must first delete all of the user's files, and then delete the corresponding lines from /etc/passwd and /etc/group. Some Linux distributions have a specific command for this; look for deluser or userdel. Doing it by hand is also quite simple.

Disabling a user temporarily

It is sometimes necessary to block a user temporarily without removing the account, for example because the user has not paid, or because the system administrator suspects that an intruder has obtained the account's password.

The best way to disable a user is to change the account's shell to a special program that only prints a message. This way anyone who tries to log in to the account fails and learns why. The message can tell the user to contact the system administrator so that the problem can be sorted out.

It would also be possible to change the username or password, but then the user would not know what is going on. Confused users mean more work.

An easy way to create such a program is to write a "tail script":

#!/usr/bin/tail -n+2
This account has been closed due to a security breach.
Please call 555-1234 and wait for the men in black to arrive.

The first two characters ("#!") tell the kernel that the rest of the first line is the command to interpret this file with. The tail command then prints everything except the first line to the standard output. Note that current GNU tail no longer accepts the historical "tail +2" form, and the kernel passes everything after the interpreter path as a single argument, so the option has to be written as "-n+2" without a space for tail to accept it.
If billg is suspected of a security breach, the system administrator would do something like this:

# chsh -s /usr/local/lib/no-login/security billg
# su - tester
This account has been closed due to a security breach.
Please call 555-1234 and wait for the men in black to arrive.
#

The purpose of the su is to test that the change works. Tail scripts should be kept in a separate directory, so that their names do not interfere with normal user commands.
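As an added example (not part of the original chapter), the script below generates a tail script of the kind shown above and also lists which accounts in a passwd-format file are currently disabled that way, so an administrator can review the locked accounts later. The no-login directory, the use of whichever tail is on PATH, and the sample passwd lines are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page. NOLOGIN_DIR stands in for a
# directory such as /usr/local/lib/no-login and is created under a temp dir.

NOLOGIN_DIR=$(mktemp -d)/no-login

# Write $NOLOGIN_DIR/$1 with the remaining arguments as message lines and
# print its path. The shebang uses whatever tail is on PATH and passes
# "-n+2" as one word, which is how the kernel hands it over and what
# current GNU tail expects (the bare "+2" form is no longer accepted).
make_tail_script() {
    name=$1; shift
    mkdir -p "$NOLOGIN_DIR"
    {
        printf '#!%s -n+2\n' "$(command -v tail)"
        printf '%s\n' "$@"
    } > "$NOLOGIN_DIR/$name"
    chmod 755 "$NOLOGIN_DIR/$name"
    printf '%s\n' "$NOLOGIN_DIR/$name"
}

# Print the names of accounts in passwd-format file $1 whose login shell
# lives in $NOLOGIN_DIR, i.e. the ones disabled with chsh as shown above.
locked_accounts() {
    awk -F: -v dir="$NOLOGIN_DIR/" 'index($7, dir) == 1 { print $1 }' "$1"
}

# Constructed sample passwd file: billg has already been switched to the
# tail script, the other two accounts have a normal shell.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<EOF
root:x:0:0:root:/root:/bin/sh
billg:x:1001:1001:Bill:/home/billg:$NOLOGIN_DIR/security
alice:x:1002:1002:Alice:/home/alice:/bin/sh
EOF

script=$(make_tail_script security \
    "This account has been closed due to a security breach." \
    "Please call 555-1234 and wait for the men in black to arrive.")
"$script"                  # prints the two message lines, nothing else
locked_accounts "$SAMPLE"  # prints: billg
```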
