summaryrefslogtreecommitdiffstats
path: root/slackbook/html/essential-sysadmin-hardusers.html
diff options
context:
space:
mode:
Diffstat (limited to 'slackbook/html/essential-sysadmin-hardusers.html')
-rw-r--r--slackbook/html/essential-sysadmin-hardusers.html202
1 files changed, 202 insertions, 0 deletions
diff --git a/slackbook/html/essential-sysadmin-hardusers.html b/slackbook/html/essential-sysadmin-hardusers.html
new file mode 100644
index 000000000..f9ad54488
--- /dev/null
+++ b/slackbook/html/essential-sysadmin-hardusers.html
@@ -0,0 +1,202 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta name="generator" content="HTML Tidy, see www.w3.org" />
+<title>Users and Groups, the Hard Way</title>
+<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
+<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
+<link rel="UP" title="Essential System Administration" href="essential-sysadmin.html" />
+<link rel="PREVIOUS" title="Essential System Administration"
+href="essential-sysadmin.html" />
+<link rel="NEXT" title="Shutting Down Properly"
+href="essential-sysadmin-shutdown.html" />
+<link rel="STYLESHEET" type="text/css" href="docbook.css" />
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+</head>
+<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
+alink="#0000FF">
+<div class="NAVHEADER">
+<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
+cellspacing="0">
+<tr>
+<th colspan="3" align="center">Slackware Linux Essentials</th>
+</tr>
+
+<tr>
+<td width="10%" align="left" valign="bottom"><a href="essential-sysadmin.html"
+accesskey="P">Prev</a></td>
+<td width="80%" align="center" valign="bottom">Chapter 12 Essential System
+Administration</td>
+<td width="10%" align="right" valign="bottom"><a href="essential-sysadmin-shutdown.html"
+accesskey="N">Next</a></td>
+</tr>
+</table>
+
+<hr align="LEFT" width="100%" />
+</div>
+
+<div class="SECT1">
+<h1 class="SECT1"><a id="ESSENTIAL-SYSADMIN-HARDUSERS"
+name="ESSENTIAL-SYSADMIN-HARDUSERS">12.2 Users and Groups, the Hard Way</a></h1>
+
+<p>Of course, it is possible to add, modify, and remove users and groups without using
+the scripts and programs that come with Slackware. It's not really difficult, although
+after reading this process, you'll probably find it much easier to use the scripts.
+However, it's important to know how your password information is actually stored, in case
+you ever need to recover this information and don't have the Slackware tools
+available.</p>
+
+<p>First, we'll add a new user to the <tt class="FILENAME">/etc/passwd</tt>(5), <tt
+class="FILENAME">/etc/shadow</tt>(5), and <tt class="FILENAME">/etc/group</tt>(5) files.
+The <tt class="FILENAME">passwd</tt> file holds some information about the users on your
+system, but (strangely enough) not their passwords. This was once the case, but was
+halted long ago for security reasons. The passwd file must be readable by all users, but
+you don't want encrypted passwords world-readable, as would-be intruders can use the
+encrypted passwords as a starting point for decrypting a user's password. Instead, the
+encrypted passwords are kept in the shadow file, which is only readable by root, and
+everyone's password is entered into the <tt class="FILENAME">passwd</tt> file simply as
+&#8220;<var class="LITERAL">x</var>&#8221;. The <tt class="FILENAME">group</tt> file
+lists all the groups and who is in each.</p>
+
+<p>You can use the <tt class="COMMAND">vipw</tt> command to edit the <tt
+class="FILENAME">/etc/passwd</tt> file safely, and the <tt class="COMMAND">vigr</tt>
+command to edit the <tt class="FILENAME">/etc/group</tt> file safely. Use <tt
+class="COMMAND">vipw -s</tt> to edit the <tt class="FILENAME">/etc/shadow</tt> file
+safely. (&#8220;Safely&#8221; in this context means someone else won't be able to modify
+the file you're editing at the moment. If you're the only administrator of your system,
+you're probably safe, but it's best to get into good habits from the start.)</p>
+
+<p>Let's examine the <tt class="FILENAME">/etc/passwd</tt> file and look at how to add a
+new user. A typical entry in <tt class="FILENAME">passwd</tt> looks like this:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+chris:x:1000:100:Chris Lumens,Room 2,,:/home/chris:/bin/bash
+</pre>
+</td>
+</tr>
+</table>
+
+<p>Each line is an entry for one user, and fields on each line are separated by a colon.
+The fields are the login name, encrypted password (&#8220;<var
+class="LITERAL">x</var>&#8221; for everyone on a Slackware system, since Slackware uses
+shadow passwords), user ID, group ID, the optional finger information (separated by
+commas), home directory, and shell. To add a new user by hand, add a new line at the end
+of the file, filling in the appropriate information.</p>
+
+<p>The information you add needs to meet some requirements, or your new user may have
+problems logging in. First, make sure that the password field is an <var
+class="LITERAL">x</var>, and that both the user name and user ID is unique. Assign the
+user a group, either 100 (the &#8220;users&#8221; group in Slackware) or your default
+group (use its number, not its name). Give the user a valid home directory (which you'll
+create later) and shell (remember, valid shells are listed in <tt
+class="FILENAME">/etc/shells</tt>).</p>
+
+<p>Next, we'll need to add an entry in the /etc/shadow file, which holds the encrypted
+passwords. A typical entry looks like this:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+chris:$1$w9bsw/N9$uwLr2bRER6YyBS.CAEp7R.:11055:0:99999:7:::
+</pre>
+</td>
+</tr>
+</table>
+
+<p>Again, each line is an entry for one person, with each field delimited by a colon. The
+fields are (in order) login name, encrypted password, days since the Epoch (January 1,
+1970) that the password was last changed, days before the password may be changed, days
+after which the password must be changed, days before password expiration that the user
+is notified, days after expiration that the account is disabled, days since the Epoch
+that the account is disabled, and a reserved field.</p>
+
+<p>As you can see, most of that is for account expiration information. If you aren't
+using expiration information, you only need to fill in a few fields with some special
+values. Otherwise, you'll need to do some calculations and decision making before you can
+fill those fields in. For a new user, just put some random garbage in the password field.
+Don't worry about what the password is right now, because you're going to change it in a
+minute. The only character you cannot include in the password field is a colon. Leave the
+&#8220;days since password was changed&#8221; field blank as well. Fill in <var
+class="LITERAL">0</var>, <var class="LITERAL">99999</var>, and <var
+class="LITERAL">7</var> just as you see in the example entry, and leave the other fields
+blank.</p>
+
+<p>(For those of you who think you see my encrypted password above and believe you've got
+a leg up on breaking into my system, go right ahead. If you can crack that password,
+you'll know the password to a firewalled test system. Now that's useful :) )</p>
+
+<p>All normal users are members of the &#8220;<tt class="USERNAME">users</tt>&#8221;
+group on a typical Slackware system. However, if you want to create a new group, or add
+the new user to additional groups, you'll need to modify the <tt
+class="FILENAME">/etc/group</tt> file. Here is a typical entry:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+cvs::102:chris,logan,david,root
+</pre>
+</td>
+</tr>
+</table>
+
+<p>The fields are group name, group password, group ID, and group members, separated by
+commas. Creating a new group is a simple matter of adding a new line with a unique group
+ID, and listing all the users you want to be in the group. Any users that are in this new
+group and are logged in will have to log out and log back in for those changes to take
+effect.</p>
+
+<p>At this point, it might be a good idea to use the <tt class="COMMAND">pwck</tt> and
+<tt class="COMMAND">grpck</tt> commands to verify that the changes you've made are
+consistent. First, use <tt class="COMMAND">pwck -r</tt> and <tt class="COMMAND">grpck
+-r</tt>: the <var class="OPTION">-r</var> switch makes no changes, but lists the changes
+you would be asked to make if you ran the command without the switch. You can use this
+output to decide whether you need to further modify any files, to run <tt
+class="COMMAND">pwck</tt> or <tt class="COMMAND">grpck</tt> without the <var
+class="OPTION">-r</var> switch, or to simply leave your changes as they are.</p>
+
+<p>At this point, you should use the <tt class="COMMAND">passwd</tt> command to create a
+proper password for the user. Then, use <tt class="COMMAND">mkdir</tt> to create the new
+user's home directory in the location you entered into the <tt
+class="FILENAME">/etc/passwd</tt> file, and use <tt class="COMMAND">chown</tt> to change
+the owner of the new directory to the new user.</p>
+
+<p>Removing a user is a simple matter of deleting all of the entries that exist for that
+user. Remove the user's entry from <tt class="FILENAME">/etc/passwd</tt> and <tt
+class="FILENAME">/etc/shadow</tt>, and remove the login name from any groups in the <tt
+class="FILENAME">/etc/group</tt> file. If you wish, delete the user's home directory, the
+mail spool file, and his crontab entry (if they exist).</p>
+
+<p>Removing groups is similar: remove the group's entry from <tt
+class="FILENAME">/etc/group</tt>.</p>
+</div>
+
+<div class="NAVFOOTER">
+<hr align="LEFT" width="100%" />
+<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
+cellspacing="0">
+<tr>
+<td width="33%" align="left" valign="top"><a href="essential-sysadmin.html"
+accesskey="P">Prev</a></td>
+<td width="34%" align="center" valign="top"><a href="index.html"
+accesskey="H">Home</a></td>
+<td width="33%" align="right" valign="top"><a href="essential-sysadmin-shutdown.html"
+accesskey="N">Next</a></td>
+</tr>
+
+<tr>
+<td width="33%" align="left" valign="top">Essential System Administration</td>
+<td width="34%" align="center" valign="top"><a href="essential-sysadmin.html"
+accesskey="U">Up</a></td>
+<td width="33%" align="right" valign="top">Shutting Down Properly</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
+