Managing Linux Accounts
1- Introduction:
Every login to a Linux system goes through an account, and every account other than root and the system accounts has to be created by the administrator. Older distributions created only one account (root) at installation; recent ones ask you to create at least one ordinary user as well. The main reason is that it is safer to work as an unprivileged user: a mistyped or misused command can damage your own files, but not the system itself. The other reason for creating user accounts is to let other people use the system while limiting what they are allowed to do.
2- Root account:
This account is created automatically when Linux is installed. There is nothing the root account cannot do; it has no restrictions, which is why you must be sure of what you are doing whenever you are logged in as root. New Linux users often use the root account for their daily work because it is easier: no file permission problems, and so on. You should use this account only for administration. Create ordinary accounts for everyday tasks such as Internet access and e-mail; a mistake, or a compromised program, in one of those accounts is then limited to what that account may touch, provided you set appropriate permissions.
3- Creating a user account:
You need to understand this even if you are the only person using the system. Each user should have their own account and password: it simplifies administration, and you know who did what. The file /etc/passwd holds the basic information about every account. It must be owned by root and by group 0 (GID means group identifier; group 0 is the privileged root group defined in /etc/group). Its permissions must allow only root to modify it, but it must stay readable by everyone (mode 644), because many programs look up names and UIDs in it; this is why the password hashes live in /etc/shadow, which only root can read. Each line is formatted like this:
account:passwd:UID:GID:comments:home_directory:command
Here is an example:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
nobody:x:99:99:Nobody:/:
sefo:x:100:100:sefo:/home/sefo:/bin/bash
a/ Account name:
It is a simple string. Numbers and punctuation are allowed, but use meaningful names so you can easily tell whom each account belongs to.
b/ Password:
On recent distributions this field contains only an x, and the encrypted (hashed) password is stored in /etc/shadow, which only root can read. Never edit the hash by hand: the administrator, and the owner of the account, change it with the command 'passwd'.
To forbid anyone from logging into an account, put a * (or !) in the password field (in /etc/shadow when shadow passwords are used): no password hashes to that string, so no typed password can ever match. This is how system accounts such as sync are usually locked, and 'passwd -l' locks an account the same way by prefixing the hash with !:
-> sync:*:5:0:sync:/sbin:/bin/sync
If the password field is empty (::), anyone can log into the account without giving a password:
-> root::0:0:root:/root:/bin/bash
DON'T do that!
c/ UID:
Every user is identified by a number, the UID (User ID). Linux uses this number, not the account name, to identify everything that belongs to the user: file ownership and processes are recorded by UID, and programs translate it back to a name by looking it up in /etc/passwd. Traditionally UIDs 0 to 99 are reserved for system accounts and the others for users; with that convention you give 100 to the first user, 101 to the second, and so on. Current distributions reserve a larger range (UID_MIN in /etc/login.defs, usually 1000) and useradd picks the next free UID automatically. Whatever the range, every UID must be unique: two accounts sharing a UID are the same user as far as the kernel is concerned, and any account with UID 0 is root.
d/ GID:
Groups organise users and define file permissions, although many small systems never use more than one. GIDs are unsigned integers. In the convention used here, 0 to 49 are reserved for system groups and user groups start at 50 (current distributions use GID_MIN from /etc/login.defs, usually 1000). This field is the user's primary group, the one given to files the user creates; the groups themselves are defined in /etc/group (see section 6).
e/ Comments:
The comments field (also called GECOS) makes the administrator's work easier: it holds the user's full name, company, phone number, and so on. Mail programs, for example, use it to show the sender's full name. It is readable by every user on the system, so do not put anything confidential in it.
f/ Home directory:
The directory the user lands in after logging in. Users do not have to live under /home; any directory will do provided it exists and has the appropriate permissions (the user should own it, and mode 700 keeps other users out of it).
g/ Command:
The program started once the login has succeeded. For most users it is a shell, but sometimes a single program is run instead: the uucp account runs uucp, and the shutdown account in the example above runs /sbin/shutdown. If the field is empty, the system launches the Bourne shell, /bin/sh. With the command chsh you can change your login shell, but only to a shell listed in /etc/shells. You can edit that file too, but make sure its permissions stay the same as those of /etc/passwd (owned by root, writable only by root).
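The checks the field descriptions above imply can be scripted. The following is an added example, not code from the article: it audits a passwd-format file for empty password fields, extra UID 0 accounts, duplicate UIDs, malformed lines and login shells missing from /etc/shells. The sample passwd and shells files are constructed inline (the accounts guest and toor, and the zsh path, are invented for the demonstration); point PASSWD_FILE and SHELLS_FILE at the real files to audit a system.

```shell
#!/bin/sh
# Added example (not from the original article): audit a passwd-format file
# for the problems the field descriptions warn about. The sample files are
# constructed inline so this runs without root; set PASSWD_FILE=/etc/passwd
# and SHELLS_FILE=/etc/shells to audit a real system.

SAMPLE_DIR=$(mktemp -d)
PASSWD_FILE="$SAMPLE_DIR/passwd"
SHELLS_FILE="$SAMPLE_DIR/shells"

# Constructed sample: 'guest' has no password, 'toor' is a second UID 0
# account, 'simon' reuses UID 101 and runs a shell missing from /etc/shells.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
nobody:x:99:99:Nobody:/:
sefo:x:100:100:sefo:/home/sefo:/bin/bash
guest::101:100:guest:/home/guest:/bin/sh
toor:x:0:0:backdoor:/root:/bin/bash
simon:x:101:50:Simon Manager:/home/simon:/usr/local/bin/zsh
EOF

cat > "$SHELLS_FILE" <<'EOF'
/bin/sh
/bin/bash
EOF

# audit_passwd <passwd-file> <shells-file>
# Prints one finding per line ("<check> <account> ...") and returns 1 if
# anything was found, 0 for a clean file.
audit_passwd() {
    awk -F: -v shells="$2" '
    BEGIN {
        bad = 0
        while ((getline line < shells) > 0) ok[line] = 1
        close(shells)
    }
    NF != 7 { print "malformed-line " $1; bad = 1; next }
    $2 == "" { print "empty-password " $1; bad = 1 }
    $3 == 0 && $1 != "root" { print "uid0-not-root " $1; bad = 1 }
    ($3 in seen) { print "duplicate-uid " $1 " shares " $3 " with " seen[$3]; bad = 1 }
    { seen[$3] = $1 }
    # an empty 7th field means the default shell (/bin/sh), which is fine
    $7 != "" && !($7 in ok) { print "shell-not-in-shells " $1; bad = 1 }
    END { exit bad }
    ' "$1"
}

audit_passwd "$PASSWD_FILE" "$SHELLS_FILE" || echo "audit: problems found"
```

Run it against the real files as root to catch the mistakes described above; a clean file prints nothing and the function returns 0, so it can be used in a cron job that mails the output.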
4- Adding a user:
To add a user you can add a line directly to /etc/passwd or use 'useradd' (read: man useradd for more details), which performs every step below in one command. Here I only explain how to do it manually.
Only root can make these modifications. Keep a backup copy of the file before you start, because a mistake can lock everyone out of the system, and edit it with 'vipw' rather than a plain editor: vipw locks the file so that a passwd or useradd running at the same time cannot corrupt it.
Add each user at the end of the file, one line per account:
-each user must have a unique UID (first user = 100)
-each user must belong to a group (default group = 50)
To add a user named Simon when the next free UID is 103:
simon:x:103:50:Simon Manager:/home/simon:/bin/sh
Do not leave the password field empty: until a password is set, an empty field lets anyone log in as simon. The x points to /etc/shadow; add a matching line there ('vipw -s' edits it, or run 'pwconv' to create the missing shadow entries), then set the password with the 'passwd' command, since the hash cannot be typed in by hand:
#passwd simon
Now create the home directory and hand it over to simon, giving it the user's group too and keeping other users out:
#mkdir /home/simon
#chown simon:50 /home/simon (chown = CHange the OWNer)
#chmod 700 /home/simon
Every user should belong to a group. If you have only one group, add the user's name to its member list in /etc/group. If the user belongs to more than one group, add the name to each of them.
Finally, give the new user a startup file. Copy one from /etc/skel (the directory useradd copies from) or from another user, using the name the login shell actually reads (.profile for /bin/sh, .bash_profile for bash), and make sure the copy belongs to the new user:
#cp /home/robert/.profile /home/simon/.profile
#chown simon:50 /home/simon/.profile
5- Deleting a user: ($man userdel)
First make sure the user is not logged in and has no running processes ('pkill -u simon' as root ends them). Then remove the account's line from /etc/passwd and the matching line from /etc/shadow (only root can do this), and remove the name from every member list in /etc/group. Then delete the home directory:
#rm -r /home/simon
Delete the user's mailbox, usually in /usr/spool/mail or /var/spool/mail (or directly in the user's home directory on recent distributions):
#rm /var/spool/mail/simon
Finally, check that no scheduled tasks remain for the user: 'crontab -u simon -l' lists them and 'crontab -u simon -r' removes them ($man crontab for more information). Files the user owned elsewhere on the system keep the old UID; 'find / -xdev -uid 103' lists them so you can reassign or delete them, otherwise the next account created with that UID inherits them.
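The procedures of sections 4 and 5, as an added example that is not part of the article: shell functions that perform the manual steps against passwd, shadow and group files under a prefix directory, so the whole add-then-delete cycle can be rehearsed without root. The starting accounts (sefo, robert), the user simon, group 50 and the UID range starting at 100 follow the article; the /etc/skel dotfile, the mailbox and crontab handling, and the PREFIX convention are assumptions of this example. With PREFIX set to the empty string the same functions edit the real files and must run as root.

```shell
#!/bin/sh
# Added example, not the article's own code: the manual add/delete procedure
# of sections 4 and 5 as functions working under a root prefix, so it can be
# rehearsed as an ordinary user. PREFIX="" edits the real /etc (root only).

PREFIX=$(mktemp -d)       # sandbox; set PREFIX="" on a real system (root only)
mkdir -p "$PREFIX/etc/skel" "$PREFIX/home/robert" "$PREFIX/var/spool/mail"

# Constructed starting point: system accounts plus two existing users
cat > "$PREFIX/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:
sefo:x:100:100:sefo:/home/sefo:/bin/bash
robert:x:101:50:Robert:/home/robert:/bin/sh
EOF
printf 'users:x:50:sefo,robert\ndevel:x:52:robert\n' > "$PREFIX/etc/group"
printf 'root:*:0:0:99999:7:::\nrobert:*:0:0:99999:7:::\n' > "$PREFIX/etc/shadow"
printf 'umask 077\n' > "$PREFIX/etc/skel/.profile"   # default dotfile for new homes
: > "$PREFIX/var/spool/mail/robert"                   # robert's (empty) mailbox

# next_uid <passwd-file> [min]: one above the highest UID >= min (default 100)
next_uid() {
    awk -F: -v min="${2:-100}" '$3 >= min && $3 >= uid { uid = $3 + 1 }
        END { r = (uid < min) ? min : uid; print r }' "$1"
}

# add_user <name> <gecos> [shell]: append the passwd and shadow lines, create
# the home directory, copy the skeleton dotfile and join group 50. The passwd
# field is x and the shadow hash is '*', so nobody can log in until root runs
# 'passwd <name>'. Prints the new UID; refuses an existing name.
add_user() {
    name=$1; gecos=$2; shell=${3:-/bin/sh}
    if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$PREFIX/etc/passwd"; then
        echo "add_user: $name already exists" >&2
        return 1
    fi
    uid=$(next_uid "$PREFIX/etc/passwd")
    printf '%s:x:%s:50:%s:/home/%s:%s\n' "$name" "$uid" "$gecos" "$name" "$shell" >> "$PREFIX/etc/passwd"
    printf '%s:*:0:0:99999:7:::\n' "$name" >> "$PREFIX/etc/shadow"
    mkdir -p "$PREFIX/home/$name"
    cp "$PREFIX/etc/skel/.profile" "$PREFIX/home/$name/.profile"
    chmod 700 "$PREFIX/home/$name"
    [ -n "$PREFIX" ] || chown -R "$name:50" "/home/$name"   # root only
    # append the name to the member list (field 4) of GID 50
    awk -F: -v OFS=: -v n="$name" '$3 == 50 { $4 = ($4 == "") ? n : $4 "," n } { print }' \
        "$PREFIX/etc/group" > "$PREFIX/etc/group.tmp" && mv "$PREFIX/etc/group.tmp" "$PREFIX/etc/group"
    echo "$uid"
}

# del_user <name>: reverse of add_user. Drops the passwd and shadow lines,
# removes the name from every group member list, deletes the home directory
# and mailbox, and removes the crontab (root only). Prints the old UID so
# that 'find / -xdev -uid <uid>' can locate files it owned elsewhere.
del_user() {
    name=$1
    uid=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$PREFIX/etc/passwd")
    [ -n "$uid" ] || { echo "del_user: no such user $name" >&2; return 1; }
    for f in passwd shadow; do
        awk -F: -v n="$name" '$1 != n' "$PREFIX/etc/$f" > "$PREFIX/etc/$f.tmp" \
            && mv "$PREFIX/etc/$f.tmp" "$PREFIX/etc/$f"
    done
    # rebuild field 4 of every group line without this member
    awk -F: -v OFS=: -v n="$name" '{
        m = split($4, a, ","); $4 = ""
        for (i = 1; i <= m; i++) if (a[i] != n) $4 = ($4 == "") ? a[i] : $4 "," a[i]
        print
    }' "$PREFIX/etc/group" > "$PREFIX/etc/group.tmp" && mv "$PREFIX/etc/group.tmp" "$PREFIX/etc/group"
    rm -rf "$PREFIX/home/$name" "$PREFIX/var/spool/mail/$name"
    [ -n "$PREFIX" ] || crontab -u "$name" -r 2>/dev/null   # root only
    echo "$uid"
}

uid=$(add_user simon "Simon Manager" /bin/bash)
echo "added simon as UID $uid"
old=$(del_user robert)
echo "removed robert (was UID $old); stray files: find / -xdev -uid $old"
```

On a real system follow add_user with 'passwd simon' to set a password; the shadow entry the function writes is locked with * until then. del_user prints the removed UID because files the user owned outside the home directory keep it, and 'find / -xdev -uid <uid>' is the way to find them before the UID is reused.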
6- Groups:
Each user belongs to at least one group. The members of a group can be given access to certain files, tools, programs, etc., and one user can belong to several groups. Only one of them is the primary group (the GID in /etc/passwd, given to new files), but on Linux all of a user's supplementary groups are in effect at the same time, so membership does not have to be switched to be used. Groups are useful when you have many users working in different departments. For example, you can create a group 'finance' and put all the accountants in it, so that only they can access the financial database. On most systems there is only one user group (50 by default); in that case file permissions are effectively managed by the owner of each file, not by the group. If you want other people (family, friends, ...) to use your system, you should create groups for them.
Here's an example of a group file:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
users:x:50:
Each line contains 4 fields:
Group_Name:Passwd:GID:Members
The group name is a string of characters; the password is rarely used (an x here means any group password is kept in /etc/gshadow); the GID is an integer unique to each group; and the members are user names separated by commas. The member list gives supplementary membership: a user whose primary GID in /etc/passwd is this group's GID is a member even without appearing here.
The system creates several groups during installation. Do not add ordinary users to these groups: some of them, such as root, wheel and disk, give access equivalent to root (wheel is often allowed to use su or sudo, and disk can read the raw disk devices and therefore every file on them).
a/ Adding a group: ($man groupadd)
You have to add a line to /etc/group, one per group, each with a unique GID:
finance:x:51:simon
devel:x:52:simon,robert
(check that /etc/group keeps its permissions: owned by root, writable only by root). A user belonging to more than one group has all of them active at once on Linux; the command 'newgrp' only changes which group is the primary one for files created afterwards (see man newgrp). Changes to group membership take effect at the user's next login, not in a session that is already open.
b/ Deleting a group: ($man groupdel)
Remove the group's line from /etc/group (and from /etc/gshadow if present), then find every file that still carries that GID ('find / -xdev -gid 51') and give it another group. Check /etc/passwd too: no user may keep the deleted GID as their primary group, and groupdel refuses to remove a group that is still someone's primary group.
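The finance example of this section, as an added example rather than the article's own code: functions that add a group with uniqueness and system-range checks, compute a user's group list from the files the way 'id -Gn' does, and create a group-restricted directory. The passwd and group contents are constructed inline and the names simon, robert, finance and devel are taken from the article; PREFIX, the /srv/finance path and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: the 'finance' group scenario of
# section 6 run against constructed passwd and group files under a prefix,
# so no root is needed. PREFIX="" edits the real /etc/group (root only).
# The GID >= 50 rule is the article's convention; all names are assumed.

PREFIX=$(mktemp -d)       # sandbox; set PREFIX="" on a real system (root only)
mkdir -p "$PREFIX/etc" "$PREFIX/srv"
cat > "$PREFIX/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
simon:x:103:50:Simon Manager:/home/simon:/bin/sh
robert:x:104:50:Robert:/home/robert:/bin/sh
EOF
cat > "$PREFIX/etc/group" <<'EOF'
root:x:0:root
wheel:x:10:root
users:x:50:
EOF

# add_group <name> <gid> [members]: like 'groupadd -g GID NAME' plus members.
# Refuses names or GIDs already in use and GIDs in the system range, so an
# ordinary group can never land on root, wheel or disk by mistake.
add_group() {
    name=$1; gid=$2; members=${3:-}
    [ "$gid" -ge 50 ] 2>/dev/null || { echo "add_group: GID $gid is reserved" >&2; return 1; }
    if awk -F: -v n="$name" -v g="$gid" '$1 == n || $3 == g { found = 1 } END { exit !found }' \
            "$PREFIX/etc/group"; then
        echo "add_group: name $name or GID $gid already exists" >&2
        return 1
    fi
    printf '%s:x:%s:%s\n' "$name" "$gid" "$members" >> "$PREFIX/etc/group"
}

# user_groups <name>: the user's primary group followed by every group that
# lists the name in its member field, i.e. what 'id -Gn <name>' reports.
user_groups() {
    gid=$(awk -F: -v n="$1" '$1 == n { print $4 }' "$PREFIX/etc/passwd")
    [ -n "$gid" ] || return 1
    awk -F: -v n="$1" -v g="$gid" '
        $3 == g { primary = $1; next }
        { m = split($4, a, ","); for (i = 1; i <= m; i++) if (a[i] == n) sup = sup " " $1 }
        END { print primary sup }' "$PREFIX/etc/group"
}

# in_group <user> <group>: the membership test a group-owned file relies on
in_group() {
    for g in $(user_groups "$1"); do [ "$g" = "$2" ] && return 0; done
    return 1
}

# shared_dir <path> <group>: a directory only that group can enter; the
# setgid bit (the 2 in 2770) makes files created inside inherit the group.
shared_dir() {
    mkdir -p "$PREFIX$1"
    [ -n "$PREFIX" ] || chgrp "$2" "$1"   # root only; group must exist
    chmod 2770 "$PREFIX$1"
}

add_group finance 51 simon
add_group devel 52 simon,robert
shared_dir /srv/finance finance
echo "simon:  $(user_groups simon)"     # users finance devel
echo "robert: $(user_groups robert)"    # users devel
```

The setgid bit on the shared directory is what keeps the accountants' files usable by the whole group: every file created inside inherits the finance group whatever the creator's primary group is. On a real system the chgrp and the group file edits need root, and a user added to finance only gets the membership at the next login.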
Written by: Sefo
Edited by: LtKer PixieLuv, Tr. Hotdigit
Cyberarmy University - Research and Development
This article was imported from the CyberArmy University site.