Purchase	Copyright © 2002 Paul Sheer. Click here for copying permissions.	Home

11. User Accounts and User Ownerships

UNIX intrinsically supports multiple users. Each user has a personal home directory /home/<username> in which the user's files are stored, hidden from other users.

So far you may have been using the machine as the root user, who is the system administrator and has complete access to every file on the system. The root is also called the superuser. The home directory of the root user is /root. Note that there is an ambiguity here: the root directory is the topmost directory, known as the / directory. The root user's home directory is /root and is called the home directory of root.

Other than the superuser, every other user has limited access to files and directories. Always use your machine as a normal user. Log in as root only to do system administration. This practice will save you from the destructive power that the root user has. In this chapter we show how to manually and automatically create new users.

Users are also divided into sets, called groups. A user can belong to several groups and there can be as many groups on the system as you like. Each group is defined by a list of users that are part of that set. In addition, each user may have a group of the same name (as the user's login name), to which only that user belongs.

11.1 File Ownerships

Each file on a system is owned by a particular user and also owned by a particular group. When you run ls -al, you can see the user that owns the file in the third column and the group that owns the file in the fourth column (these will often be identical, indicating that the file's group is a group to which only the user belongs). To change the ownership of the file, simply use the chown, change ownerships, command as follows.

chown <user>[:<group>] <filename>

11.2 The Password File /etc/passwd

The only place in the whole system where a user name is registered is in this file. [Exceptions to this rule are several distributed authentication schemes and the Samba package, but you needn't worry about these for now.] Once a user is added to this file, that user is said to exist on the system. If you thought that user accounts were stored in some unreachable dark corner, then this should dispel that idea. This is also known as the password file to administrators. View this file with less:

5          10          15

root:x:0:0:Paul Sheer:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/home/ftp: nobody:x:99:99:Nobody:/: alias:x:501:501::/var/qmail/alias:/bin/bash paul:x:509:510:Paul Sheer:/home/paul:/bin/bash jack:x:511:512:Jack Robbins:/home/jack:/bin/bash silvia:x:511:512:Silvia Smith:/home/silvia:/bin/bash

Above is an extract of my own password file. Each user is stored on a separate line. Many of these are not human login accounts but are used by other programs.

Each line contains seven fields separated by colons. The account for jack looks like this:

jack

The user's login name. It should be composed of lowercase letters and numbers. Other characters are allowed, but are not preferable. In particular, there should never be two user names that differ only by their capitalization.

x

The user's encrypted password. An x in this field indicates that it is stored in a separate file, /etc/shadow. This shadow password file is a later addition to UNIX systems. It contains additional information about the user.

511

The user's user identification number, UID. [This is used by programs as a short alternative to the user's login name. In fact, internally, the login name is never used, only the UID.]

512

The user's group identification number, GID. [Similarly applies to the GID. Groups will be discussed later.]

Jack Robbins

The user's full name. [Few programs ever make use of this field.]

/home/jack

The user's home directory. The HOME environment variable will be set to this when the user logs in.

/bin/bash

The shell to start when the user logs in.

11.3 Shadow Password File: /etc/shadow

The problem with traditional passwd files is that they had to be world readable [Everyone on the system can read the file.] in order for programs to extract information, such as the user's full name, about the user. This means that everyone can see the encrypted password in the second field. Anyone can copy any other user's password field and then try billions of different passwords to see if they match. If you have a hundred users on the system, there are bound to be several that chose passwords that matched some word in the dictionary. The so-called dictionary attack will simply try all 80,000 common English words until a match is found. If you think you are clever to add a number in front of an easy-to-guess dictionary word, password cracking algorithms know about these as well. [And about every other trick you can think of.] To solve this problem the shadow password file was invented. The shadow password file is used only for authentication [Verifying that the user is the genuine owner of the account.]and is not world readable--there is no information in the shadow password file that a common program will ever need--no regular user has permission to see the encrypted password field. The fields are colon separated just like the passwd file.

Here is an example line from a /etc/shadow file:

jack:Q,Jpl.or6u2e7:10795:0:99999:7:-1:-1:134537220

jack

The user's login name.

Q,Jpl.or6u2e7

The user's encrypted password known as the hash of the password. This is the user's 8-character password with a one-way hash function applied to it. It is simply a mathematical algorithm applied to the password that is known to produce a unique result for each password. To demonstrate: the (rather poor) password Loghimin hashes to :lZ1F.0VSRRucs: in the shadow file. An almost identical password loghimin gives a completely different hash :CavHIpD1W.cmg:. Hence, trying to guess the password from the hash can only be done by trying every possible password. Such a brute force attack is therefore considered computationally expensive but not impossible. To check if an entered password matches, just apply the identical mathematical algorithm to it: if it matches, then the password is correct. This is how the login command works. Sometimes you will see a * in place of a hashed password. This means that the account has been disabled.

10795

Days since January 1, 1970, that the password was last changed.

0

Days before which password may not be changed. Usually zero. This field is not often used.

99999

Days after which password must be changed. This is also rarely used, and will be set to 99999 by default.

7

Days before password is to expire that user is warned of pending password expiration.

-1

Days after password expires that account is considered inactive and disabled. -1 is used to indicate infinity--that is, to mean we are effectively not using this feature.

-1

Days since January 1, 1970, when account will be disabled.

134537220

Flag reserved for future use.

11.4 The groups Command and /etc/group

On a UNIX system you may want to give a number of users the same access rights. For instance, you may have five users that should be allowed to access some privileged file and another ten users that are allowed to run a certain program. You can group these users into, for example, two groups previl and wproc and then make the relevant file and directories owned by that group with, say,

chown root:previl /home/somefile chown root:wproc /usr/lib/wproc

Permissions [Explained later.] dictate the kind of access, but for the meantime, the file/directory must at least be owned by that group.

The /etc/group file is also colon separated. A line might look like this:

wproc:x:524:jack,mary,henry,arthur,sue,lester,fred,sally

wproc

The name of the group. There should really also be a user of this name as well.

x

The group's password. This field is usually set with an x and is not used.

524

The GID group ID. This must be unique in the group's file.

jack,mary,henry,arthur,sue,lester,fred,sally

The list of users that belong to the group. This must be comma separated with no spaces.

You can obviously study the group file to find out which groups a user belongs to, [That is, not ``which users does a group consist of?'' which is easy to see at a glance.] but when there are a lot of groups, it can be tedious to scan through the entire file. The groups command prints out this information.

11.5 Manually Creating a User Account

The following steps are required to create a user account:

/etc/passwd entry

To create an entry in this file, simply edit it and copy an existing line. [When editing configuration files, never write out a line from scratch if it has some kind of special format. Always copy an existing entry that has proved itself to be correct, and then edit in the appropriate changes. This will prevent you from making errors.] Always add users from the bottom and try to preserve the ``pattern'' of the file--that is, if you see numbers increasing, make yours fit in; if you are adding a normal user, add it after the existing lines of normal users. Each user must have a unique UID and should usually have a unique GID. So if you are adding a line to the end of the file, make your new UID and GID the same as the last line but incremented by 1.

/etc/shadow entry

Create a new shadow password entry. At this stage you do not know what the hash is, so just make it a *. You can set the password with the passwd command later.

/etc/group entry

Create a new group entry for the user's group. Make sure the number in the group entry matches that in the passwd file.

/etc/skel

This directory contains a template home directory for the user. Copy the entire directory and all its contents into /home directory, renaming it to the name of the user. In the case of our jack example, you should have a directory /home/jack.

Home directory ownerships

You need to now change the ownerships of the home directory to match the user. The command chown -R jack:jack /home/jack will accomplish this change.

Setting the password

Use passwd <username> to set the user's password.

11.6 Automatically Creating a User Account: useradd and groupadd

The above process is tedious. The commands that perform all these updates automatically are useradd, userdel, and usermod. The man pages explain the use of these commands in detail. Note that different flavors of UNIX have different commands to do this. Some may even have graphical programs or web interfaces to assist in creating users.

In addition, the commands groupadd, groupdel, and groupmod do the same with respect to groups.

11.7 User Logins

It is possible to switch from one user to another, as well as view your login status and the status of other users. Logging in also follows a silent procedure which is important to understand.

11.7.1 The login command

A user most often gains access to the system through the login program. This program looks up the UID and GID from the passwd and group file and authenticates the user.

The following is quoted from the login man page, and explains this procedure in detail:

login is used when signing onto a system. It can also be used to switch from one user to another at any time (most modern shells have support for this feature built into them, however).

If an argument is not given, login prompts for the username.

If the user is not root, and if /etc/nologin exists, the contents of this file are printed to the screen, and the login is terminated. This is typically used to prevent logins when the system is being taken down.

If special access restrictions are specified for the user in /etc/usertty, these must be met, or the login attempt will be denied and a syslog [System error log program-- syslog writes all system messages to the file /var/log/messages.] message will be generated. See the section on "Special Access Restrictions."

If the user is root, then the login must be occuring on a tty listed in /etc/securetty. [If this file is not present, then root logins will be allowed from anywhere. It is worth deleting this file if your machine is protected by a firewall and you would like to easily login from another machine on your LAN. If /etc/securetty is present, then logins are only allowed from the terminals it lists.] Failures will be logged with the syslog facility.

After these conditions have been checked, the password will be requested and checked (if a password is required for this username). Ten attempts are allowed before login dies, but after the first three, the response starts to get very slow. Login failures are reported via the syslog facility. This facility is also used to report any successful root logins.

If the file .hushlogin exists, then a "quiet" login is performed (this disables the checking of mail and the printing of the last login time and message of the day). Otherwise, if /var/log/lastlog exists, the last login time is printed (and the current login is recorded).

Random administrative things, such as setting the UID and GID of the tty are performed. The TERM environment variable is preserved, if it exists (other environment variables are preserved if the -p option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment variables are set. PATH defaults to /usr/local/bin:/bin:/usr/bin: . [Note that the .  --the current directory--is listed in the PATH. This is only the default PATH however.] for normal users, and to /sbin:/bin:/usr/sbin:/usr/bin for root. Last, if this is not a "quiet" login, the message of the day is printed and the file with the user's name in /usr/spool/mail will be checked, and a message printed if it has non-zero length.

The user's shell is then started. If no shell is specified for the user in /etc/passwd, then /bin/sh is used. If there is no directory specified in /etc/passwd, then / is used (the home directory is checked for the .hushlogin file described above).

11.7.2 The set user, su command

To temporarily become another user, you can use the su program:

su jack

This command prompts you for a password (unless you are the root user to begin with). It does nothing more than change the current user to have the access rights of jack. Most environment variables will remain the same. The HOME, LOGNAME, and USER environment variables will be set to jack, but all other environment variables will be inherited. su is, therefore, not the same as a normal login.

To get the equivalent of a login with su, run

su - jack

This will cause all initialization scripts (that are normally run when the user logs in) to be executed. [What actually happens is that the subsequent shell is started with a - in front of the zero'th argument. This makes the shell read the user's personal profile. The login command also does this.] Hence, after running su with the - option, you logged in as if with the login command.

11.7.3 The who, w, and users commands to see who is logged in

who and w print a list of users logged in to the system, as well as their CPU consumption and other statistics. who --help gives:

5          10          15

Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]     -H, --heading     print line of column headings   -i, -u, --idle    add user idle time as HOURS:MINUTES, . or old   -m                only hostname and user associated with stdin   -q, --count       all login names and number of users logged on   -s                (ignored)   -T, -w, --mesg    add user's message status as +, - or ?       --message     same as -T       --writable    same as -T       --help        display this help and exit       --version     output version information and exit   If FILE is not specified, use /var/run/utmp.  /var/log/wtmp as FILE is common. If ARG1 ARG2 given, -m presumed: `am i' or `mom likes' are usual.

A little more information can be gathered from the info pages for this command. The idle time indicates how long since the user has last pressed a key. Most often, one just types who -Hiw.

w is similar. An extract of the w man page says:

w displays information about the users currently on the machine, and their processes. The header shows, in this order, the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.

The following entries are displayed for each user: login name, the tty name, the remote host, login time, idle time, JCPU, PCPU, and the command line of their current process.

The JCPU time is the time used by all processes attached to the tty. It does not include past background jobs, but does include currently running background jobs.

The PCPU time is the time used by the current process, named in the "what" field.

Finally, from a shell script the users command is useful for just seeing who is logged in. You can use in a shell script, for example:

for user in `users` ; do     <etc> done

11.7.4 The id command and effective UID

id prints your real and effective UID and GID. A user normally has a UID and a GID but may also have an effective UID and GID as well. The real UID and GID are what a process will generally think you are logged in as. The effective UID and GID are the actual access permissions that you have when trying to read, write, and execute files.

11.7.5 User limits

There is a file /etc/security/limits.conf that stipulates the limitations on CPU usage, process consumption, and other resources on a per-user basis. The documentation for this config file is contained in
/usr/[share/]doc/pam-<version>/txts/README.pam_limits.