UNIX intrinsically supports
multiple users. Each user has a personal home directory
/home/<username> in which their own files are stored,
hidden from other users.
So far you may have been using the machine as the root
user, who is the system administrator and has complete access to
every file on the system. The home directory of the
root user is /root. Note that there is
an ambiguity here: the root directory is the topmost directory,
known as the / directory. The root user's home
directory is /root and is called the home
directory of root.
Other than root, every other user has limited access to
files and directories. Always use your machine as a normal user.
Log in as root only to do system administration. This
will save you from the destructive power that the root
user has. Here we will show how to manually and automatically
create new users.
Users are also divided into sets, called groups. A user
may belong to several groups and there can be as many groups on
the system as you like. Each group is defined by a list of users
that are part of that set. In addition, each user has a group of
the same name, to which only he belongs.
Each file on a system is owned by a particular user and
also owned by a particular group. When you do an
ls -al you can see the user that owns the file in the third
column and the group that owns the file in the fourth column
(these will often be identical, indicating that the file's group
is a group to which only the user belongs). To change the
ownership of the file, simply use the
chown (change ownership) command as follows:
chown <user>[:<group>] <filename>
The only place in the whole system
where a user name is registered is in this file. Once a user is
added to this file, they exist on the system. This
is also known as the password file to administrators.
View this file with
less:
root:x:0:0:Paul Sheer:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
alias:x:501:501::/var/qmail/alias:/bin/bash
paul:x:509:510:Paul Sheer:/home/paul:/bin/bash
jack:x:511:512:Jack Robbins:/home/jack:/bin/bash
silvia:x:511:512:Silvia Smith:/home/silvia:/bin/bash
Above is an extract of my own password file. Each user is stored
on a separate line. Many of these are not human login
accounts, but are used by other programs.
Each line contains seven fields separated by colons. The
account for jack looks like this:
jack
- The user's login name.
x
- The user's encrypted password. If this is an
x, it indicates that the password is stored in a separate
file, /etc/shadow. This shadow password file is a later
addition to UNIX systems that contains additional information
about the user.
511
- The user's user identification number, UID.
512
- The user's group identification number, GID.
Jack Robbins
- The user's full name.
/home/jack
- The user's home directory. The
HOME environment variable will
be set to this when the user logs in.
/bin/bash
- The shell to start when the user logs in.
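As an added example (not code from the book), here is a small Python parser for passwd-format text that also audits what the fields above imply: every UID must be unique, only root should have UID 0, and the password field should hold only the x placeholder. It runs on a constructed sample copied from the extract above, in which jack and silvia both carry UID 511.

```python
# Audit /etc/passwd-style text for the problems the text warns about:
# duplicate UIDs, extra UID-0 accounts, and a password field that is not
# the 'x' placeholder. Added example, not from the original text.
from collections import defaultdict

# Constructed sample: the relevant lines of the extract shown above.
SAMPLE_PASSWD = """\
root:x:0:0:Paul Sheer:/root:/bin/bash
bin:x:1:1:bin:/bin:
nobody:x:99:99:Nobody:/:
paul:x:509:510:Paul Sheer:/home/paul:/bin/bash
jack:x:511:512:Jack Robbins:/home/jack:/bin/bash
silvia:x:511:512:Silvia Smith:/home/silvia:/bin/bash
"""
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """One dict per non-empty line; UID and GID as ints, other fields as text."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries

def audit_passwd(entries):
    """Return (account, problem) pairs; an empty list means nothing was found."""
    problems = []
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            problems.append((e["name"], "has UID 0 (root-equivalent)"))
        if e["passwd"] == "":
            problems.append((e["name"], "empty password field (no password needed)"))
        elif e["passwd"] not in ("x", "*"):
            problems.append((e["name"], "password hash kept in world-readable passwd"))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:  # the kernel cannot tell these accounts apart
            problems.append((",".join(names), f"share UID {uid}"))
    return problems
```

Run against a real /etc/passwd, the same two functions give you the same report; on the sample they flag only the shared UID 511.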
The problem with traditional passwd files is that they
had to be world readable in order for programs to extract information
about the user, such as the user's full name. This means that
everyone can see the encrypted password in the second field.
Anyone can copy any other user's password field and then try
billions of different passwords to see if they match. If you
have a hundred users on the system, there are bound to be several
that chose passwords that match some word in the dictionary. The
so-called dictionary attack will simply try all 80000
English words until a match is found. If you think you are
clever to add a number in front of an easy-to-guess dictionary
word, password cracking algorithms know about these as
well. To solve this problem the shadow password file was
invented. The shadow password file is used only for
authentication and is not world readable -- there is no
information in the shadow password file that a common program
will ever need -- so no regular user has permission to see the
encrypted password field. The fields are colon separated just
like the passwd file.
Here is an example line from a /etc/shadow file:
jack:Q,Jpl.or6u2e7:10795:0:99999:7:-1:-1:134537220
jack
- The user's login name.
Q,Jpl.or6u2e7
- The user's encrypted password, known
as the hash of the password. This is the user's 8
character password with a one way hash function applied
to it. It is simply a mathematical algorithm applied to the
password that is known to produce a unique result for each
password. To demonstrate: the (rather poor) password
Loghimin hashes to :lZ1F.0VSRRucs: in the
shadow file. An almost identical password loghimin gives
a completely different hash :CavHIpD1W.cmg:.
Hence trying to guess the password from the hash
can only be done by trying every possible password, and is
therefore considered computationally expensive but not impossible.
To check if an entered password matches, just apply the
identical mathematical algorithm to it: if the result matches then the
password is correct. This is how the login command works.
Sometimes you will see a * in place of a hashed password.
This means that the account has been disabled.
10795
- Days since January 1, 1970 that the
password was last changed.
0
- Days before which the password may not be changed.
Usually zero. This field is not often used.
99999
- Days after which the password must be changed.
This is also rarely used, and will be set to 99999 by default.
7
- Days before the password is to expire that the user is
warned of pending password expiration.
-1
- Days after the password expires that the account is
considered inactive and disabled.
-1 is used to
indicate infinity -- i.e. to mean we are effectively not using this
feature.
-1
- Days since January 1, 1970 when the
account will be disabled.
134537220
- Flag reserved for future use.
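An added example, not from the book, that decodes the shadow line above in Python: it converts the day counts to calendar dates and works out the state login would see on a given day (locked, expired, in the warning window, and so on). It treats -1, and the empty field that newer systems use, as "not in use"; the ! lock prefix used by modern systems is an assumption beyond the * shown above.

```python
# Decode one /etc/shadow line and evaluate its password-ageing fields as
# login would. Added example, not part of the original text. Day counts are
# days since January 1, 1970; -1, or an empty field on newer systems, means
# the feature is not in use.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")
# Constructed sample: the example line shown above.
SAMPLE_SHADOW = "jack:Q,Jpl.or6u2e7:10795:0:99999:7:-1:-1:134537220"

def days_to_date(days):
    """Convert a days-since-epoch field to a calendar date."""
    return EPOCH + timedelta(days=days)

def parse_shadow(line):
    """Split a shadow line into its nine fields; unset day fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        entry[key] = None if entry[key] in ("", "-1") else int(entry[key])
    return entry

def account_status(entry, today):
    """Classify the account on the given date: locked, expired, inactive,
    password expired, change soon, or ok."""
    today_days = (today - EPOCH).days
    if entry["hash"].startswith(("*", "!")):
        return "locked"  # '*' (or the modern '!') in place of a hash disables the account
    if entry["expire"] is not None and today_days >= entry["expire"]:
        return "expired"  # the account's absolute disable date has passed
    if entry["lastchg"] is None or entry["max"] is None:
        return "ok"  # password ageing is not in use
    age = today_days - entry["lastchg"]
    if age > entry["max"]:
        # Past the maximum age; once the inactive grace period is also used up the account is disabled
        if entry["inactive"] is not None and age > entry["max"] + entry["inactive"]:
            return "inactive"
        return "password expired"
    if entry["warn"] is not None and age >= entry["max"] - entry["warn"]:
        return "change soon"
    return "ok"
```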
On a UNIX system you may want to give a number of users the same
access rights. For instance, you may have five users that should be
allowed to access some privileged file, and another ten users that are
allowed to run a certain program. You can group these
users into, for example, two groups previl and wproc
and then make the relevant files and directories owned by that group
with, say,

chown root:previl /home/somefile
chown root:wproc /usr/lib/wproc

Permissions will dictate the
kind of access, but for the meantime, the file/directory must
at least be owned by that group.
The /etc/group file is also colon separated. A line might look like this:

wproc:x:524:jack,mary,henry,arthur,sue,lester,fred,sally

wproc
- The name of the group. There should really also be a user of this name as well.
x
- The group's password. This field is usually set with an
x and is not used.
524
- The group ID, GID. This must be unique in the groups file.
jack,mary,henry,arthur,sue,lester,fred,sally
- The list of users that belong
to the group. This must be comma separated with no spaces.
You can obviously study the group file to find out which
groups a user belongs to, but
when there are a lot of groups it can be tedious to scan through
the entire file. The groups command prints out this
information.
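An added example, not from the book, that does in Python what the groups command does from the two files described above: the primary group comes from the GID field of the user's passwd line, and the supplementary groups are the /etc/group lines whose member list names the user. The wproc line is the one shown above; the previl, jack, mary and root lines are made up for the example.

```python
# What the groups command computes, done by hand: the primary group is the
# GID field of the user's /etc/passwd line, the supplementary groups are the
# /etc/group lines that list the user. Added example, not from the original text.

# Constructed samples in the formats shown above: the wproc line is the one
# from the text; previl and the user lines are made up for this example.
SAMPLE_PASSWD = """\
root:x:0:0:Paul Sheer:/root:/bin/bash
jack:x:511:512:Jack Robbins:/home/jack:/bin/bash
mary:x:513:514:Mary Jones:/home/mary:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
jack:x:512:
mary:x:514:
previl:x:523:jack
wproc:x:524:jack,mary,henry,arthur,sue,lester,fred,sally
"""

def parse_group(text):
    """Map group name -> (gid, set of member names) from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _passwd, gid, members = line.split(":")
        # The member list is comma separated with no spaces; empty means no members.
        groups[name] = (int(gid), set(filter(None, members.split(","))))
    return groups

def primary_gid(passwd_text, user):
    """Return the GID field of the user's passwd line, or None if the user is unknown."""
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and parts[0] == user:
            return int(parts[3])
    return None

def groups_of(passwd_text, group_text, user):
    """Group names for the user: primary group first, then supplementary ones."""
    groups = parse_group(group_text)
    gid = primary_gid(passwd_text, user)
    result = [name for name, (g, _) in groups.items() if g == gid]
    result += [name for name, (_, members) in groups.items()
               if user in members and name not in result]
    return result
```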
The following steps will create a user account:
/etc/passwd entry
- To create an entry in this file, simply edit it and
copy an existing line. Always add users from
the bottom and try to preserve the "pattern" of the file --
i.e. if you see numbers increasing, make yours fit in; if you
are adding a normal user, add it after the existing lines of
normal users. Each user must have a unique UID and should usually have
a unique GID. So if you are adding a line to the end of the
file, make your new UID and GID the same as the last line but
incremented by one.
/etc/shadow entry
- Create a new shadow password entry.
At this stage you do not know what the hash is, so just make it
a *. You can set the password with the
passwd command later.
/etc/group entry
- Create a new group entry for the user's group.
Make sure the number in the group entry matches that in the
passwd file.
/etc/skel
- This directory contains a template home directory
for the user. Copy the entire directory and all its contents
into the /home directory, renaming it to the name of the
user. In the case of our jack example, you should have
a directory /home/jack.
Home directory ownerships
- You need to now change the
ownerships of the home directory to match the user. The command
chown -R jack:jack /home/jack will accomplish this.
Setting the password
- Use passwd <username> to
set the user's password.
The above process is tedious. The commands useradd,
userdel and usermod perform all
these updates automatically. The man pages will
explain the use of these commands in detail. Note that different
flavours of UNIX have different commands to do this. Some may
even have graphical programs or web interfaces to assist in
creating users.
In addition, there are the commands groupadd,
groupdel and groupmod which do the same with
respect to groups.
A user most often gains access to the system through the
login program. This looks up the UID and GID from the
passwd and group file, and authenticates the
user.
The following is quoted from the login man page:
login is used when signing onto a system. It can also
be used to switch from one user to another at any time (most
modern shells have support for this feature built into them,
however).
If an argument is not given, login prompts for the
username.
If the user is not root, and if /etc/nologin
exists, the contents of this file are printed to the screen,
and the login is terminated. This is typically used to
prevent logins when the system is being taken down.
If special access restrictions are specified for the user in
/etc/usertty, these must be met, or the login attempt
will be denied and a syslog message will be generated. See the
section on "Special Access Restrictions".
If the user is root, then the login must be occurring on a tty
listed in /etc/securetty. Failures will
be logged with the syslog facility.
After these conditions are checked, the password will be
requested and checked (if a password is required for this
username). Ten attempts are allowed before login dies, but
after the first three, the response starts to get very slow.
Login failures are reported via the syslog facility. This
facility is also used to report any successful root logins.
If the file .hushlogin exists, then a "quiet" login
is performed (this disables the checking of
mail and the printing of the last login time and message of
the day). Otherwise, if /var/log/lastlog exists, the
last login time is printed (and the current login is
recorded).
Random administrative things, such as setting the UID and GID
of the tty are performed. The TERM environment variable is
preserved, if it exists (other environment variables are
preserved if the -p option is used). Then the HOME,
PATH, SHELL, TERM, MAIL, and LOGNAME environment variables
are set. PATH defaults to
/usr/local/bin:/bin:/usr/bin:. for normal users, and to
/sbin:/bin:/usr/sbin:/usr/bin for root. Last, if this is
not a "quiet" login, the message of the day is printed and
the file with the user's name in /usr/spool/mail will be
checked, and a message printed if it has non-zero length.
The user's shell is then started. If no shell is specified
for the user in /etc/passwd, then /bin/sh is
used. If there is no directory specified in /etc/passwd,
then / is used (the home directory is checked for the
.hushlogin file described above).
To temporarily become another user, you can use the su
program:

su jack

This will prompt you for a password unless you are the root user
to start off with. This does nothing more than change the
current user to have the access rights of jack. Most
environment variables will remain the same. The HOME,
LOGNAME and USER environment variables will be
set to jack, but all other environment variables will
be inherited. su is therefore not the same as a normal
login.
To use su to give you the equivalent of a login, do

su - jack

This will cause all initialisation scripts that are normally run
when the user logs in to be executed. Hence after running
su with the - option, it is as though you had
logged in with the login command.
who and w give a list of users logged into the
system and how much CPU they are using, etc. who --help
gives:

Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
-H, --heading print line of column headings
-i, -u, --idle add user idle time as HOURS:MINUTES, . or old
-m only hostname and user associated with stdin
-q, --count all login names and number of users logged on
-s (ignored)
-T, -w, --mesg add user's message status as +, - or ?
--message same as -T
--writable same as -T
--help display this help and exit
--version output version information and exit
If FILE is not specified, use /var/run/utmp. /var/log/wtmp as FILE is common.
If ARG1 ARG2 given, -m presumed: `am i' or `mom likes' are usual.
A little more information can be gathered from the info
pages for this command. The idle time indicates how long since
the user has last pressed a key. Most often, one just types
who -Hiw.
w is similar. Its man page says:
w displays information about the users currently on
the machine, and their processes. The header shows, in this
order, the current time, how long the system has been
running, how many users are currently logged on, and the
system load averages for the past 1, 5, and 15 minutes.
The following entries are displayed for each user: login name,
the tty name, the remote host, login time, idle time, JCPU,
PCPU, and the command line of their current process.
The JCPU time is the time used by all processes attached to
the tty. It does not include past background jobs, but does
include currently running background jobs.
The PCPU time is the time used by the current process, named in
the "what" field.
Finally, from a shell script the users command is useful
for just seeing who is logged in. You can use it in a shell script, for example:

for user in `users` ; do
    <etc>
done

id prints your real and effective UID and
GID. A user will normally have a UID and a GID but may also have
an effective UID and GID as well. The real UID and GID are what
a process will generally think you are logged in as. The
effective UID and GID are the actual access permissions that you
have when trying to read, write and execute files. These will be
discussed in more detail in later (possibly unwritten) chapters.