From 5a12e7c134274dba706667107d10d231517d3e05 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Wed, 26 Aug 2009 10:00:38 -0500 Subject: Slackware 13.0 Wed Aug 26 10:00:38 CDT 2009 Slackware 13.0 x86_64 is released as stable! Thanks to everyone who helped make this release possible -- see the RELEASE_NOTES for the credits. The ISOs are off to the replicator. This time it will be a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. We're taking pre-orders now at store.slackware.com. Please consider picking up a copy to help support the project. Once again, thanks to the entire Slackware community for all the help testing and fixing things and offering suggestions during this development cycle. As always, have fun and enjoy! -P. --- slackbook/html/essential-sysadmin-hardusers.html | 202 +++++++++++++++++++++++ 1 file changed, 202 insertions(+) create mode 100644 slackbook/html/essential-sysadmin-hardusers.html (limited to 'slackbook/html/essential-sysadmin-hardusers.html') diff --git a/slackbook/html/essential-sysadmin-hardusers.html b/slackbook/html/essential-sysadmin-hardusers.html new file mode 100644 index 000000000..f9ad54488 --- /dev/null +++ b/slackbook/html/essential-sysadmin-hardusers.html @@ -0,0 +1,202 @@ + + + + +Users and Groups, the Hard Way + + + + + + + + + + + +
+

12.2 Users and Groups, the Hard Way

+ +

Of course, it is possible to add, modify, and remove users and groups without using +the scripts and programs that come with Slackware. It's not really difficult, although +after reading this process, you'll probably find it much easier to use the scripts. +However, it's important to know how your password information is actually stored, in case +you ever need to recover this information and don't have the Slackware tools +available.

+ +

First, we'll add a new user to the /etc/passwd(5), /etc/shadow(5), and /etc/group(5) files. +The passwd file holds some information about the users on your +system, but (strangely enough) not their passwords. This was once the case, but was +halted long ago for security reasons. The passwd file must be readable by all users, but +you don't want encrypted passwords world-readable, as would-be intruders can use the +encrypted passwords as a starting point for decrypting a user's password. Instead, the +encrypted passwords are kept in the shadow file, which is only readable by root, and +everyone's password is entered into the passwd file simply as +“x”. The group file +lists all the groups and who is in each.

+ +

You can use the vipw command to edit the /etc/passwd file safely, and the vigr +command to edit the /etc/group file safely. Use vipw -s to edit the /etc/shadow file +safely. (“Safely” in this context means someone else won't be able to modify +the file you're editing at the moment. If you're the only administrator of your system, +you're probably safe, but it's best to get into good habits from the start.)

+ +

Let's examine the /etc/passwd file and look at how to add a +new user. A typical entry in passwd looks like this:

+ + + + + +
+
+chris:x:1000:100:Chris Lumens,Room 2,,:/home/chris:/bin/bash
+
+
+ +

Each line is an entry for one user, and fields on each line are separated by a colon. +The fields are the login name, encrypted password (“x” for everyone on a Slackware system, since Slackware uses +shadow passwords), user ID, group ID, the optional finger information (separated by +commas), home directory, and shell. To add a new user by hand, add a new line at the end +of the file, filling in the appropriate information.

+ +

The information you add needs to meet some requirements, or your new user may have +problems logging in. First, make sure that the password field is an x, and that both the user name and user ID is unique. Assign the +user a group, either 100 (the “users” group in Slackware) or your default +group (use its number, not its name). Give the user a valid home directory (which you'll +create later) and shell (remember, valid shells are listed in /etc/shells).

+ +

Next, we'll need to add an entry in the /etc/shadow file, which holds the encrypted +passwords. A typical entry looks like this:

+ + + + + +
+
+chris:$1$w9bsw/N9$uwLr2bRER6YyBS.CAEp7R.:11055:0:99999:7:::
+
+
+ +

Again, each line is an entry for one person, with each field delimited by a colon. The +fields are (in order) login name, encrypted password, days since the Epoch (January 1, +1970) that the password was last changed, days before the password may be changed, days +after which the password must be changed, days before password expiration that the user +is notified, days after expiration that the account is disabled, days since the Epoch +that the account is disabled, and a reserved field.

+ +

As you can see, most of that is for account expiration information. If you aren't +using expiration information, you only need to fill in a few fields with some special +values. Otherwise, you'll need to do some calculations and decision making before you can +fill those fields in. For a new user, just put some random garbage in the password field. +Don't worry about what the password is right now, because you're going to change it in a +minute. The only character you cannot include in the password field is a colon. Leave the +“days since password was changed” field blank as well. Fill in 0, 99999, and 7 just as you see in the example entry, and leave the other fields +blank.

+ +

(For those of you who think you see my encrypted password above and believe you've got +a leg up on breaking into my system, go right ahead. If you can crack that password, +you'll know the password to a firewalled test system. Now that's useful :) )

+ +

All normal users are members of the “users” +group on a typical Slackware system. However, if you want to create a new group, or add +the new user to additional groups, you'll need to modify the /etc/group file. Here is a typical entry:

+ + + + + +
+
+cvs::102:chris,logan,david,root
+
+
+ +

The fields are group name, group password, group ID, and group members, separated by +commas. Creating a new group is a simple matter of adding a new line with a unique group +ID, and listing all the users you want to be in the group. Any users that are in this new +group and are logged in will have to log out and log back in for those changes to take +effect.

+ +

At this point, it might be a good idea to use the pwck and +grpck commands to verify that the changes you've made are +consistent. First, use pwck -r and grpck +-r: the -r switch makes no changes, but lists the changes +you would be asked to make if you ran the command without the switch. You can use this +output to decide whether you need to further modify any files, to run pwck or grpck without the -r switch, or to simply leave your changes as they are.

+ +

At this point, you should use the passwd command to create a +proper password for the user. Then, use mkdir to create the new +user's home directory in the location you entered into the /etc/passwd file, and use chown to change +the owner of the new directory to the new user.

+ +

Removing a user is a simple matter of deleting all of the entries that exist for that +user. Remove the user's entry from /etc/passwd and /etc/shadow, and remove the login name from any groups in the /etc/group file. If you wish, delete the user's home directory, the +mail spool file, and his crontab entry (if they exist).

+ +

Removing groups is similar: remove the group's entry from /etc/group.

+
+ + + + + -- cgit v1.2.3