FSU

Mainstays of management: people and data

Managing users and data are two of the most important categories of system administration duties. We will look at what it means to add and remove both people and data.

Adding local (real) users: Unix/Linux

Adding local (real) users: Unix

$ w
 06:44:59 up 2 days,  1:45,  6 users,  load average: 0.00, 0.00, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
testtest tty2     -                06:41    2:41   0.00s  0.00s -bash
testtest tty3     -                06:42    1:57   0.00s  0.00s -bash
$ who
testtest01 tty2         2008-06-04 06:41
testtest02 tty3         2008-06-04 06:42
[fsucs@acer1 Slides]$ 

Adding local (real) users: Unix

For example, a traditional /etc/passwd entry (with the hash in the second field) and a modern SHA-512 ($6$) entry:

user1:f9cPz5ilB5N0o:501:501:USER1:/home/faculty/user1:/bin/tcsh

langley:$6$k6H7I90O5bOvcUi/$cCYlXCnSkTj6cZnFV35FCpO.xFXqQMVKExjnAqfFi2tO53pxDdx1lKxxd30eFXEYWgaq3x/.M7os3ehrFpL1W0:USER1:/home/faculty/user1:/bin/tcsh

Adding users: Unix

Unix users: grouping them

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root

Unix/Linux: making user accounts

Unix: making user accounts

mkdir /home/faculty/user1
cp /etc/skel/.[A-Za-z]* /home/faculty/user1
chmod 700 /home/faculty/user1
chown -R user1:user1 /home/faculty/user1

## OR, IF YOUR chown DOESN'T HAVE THE 'user:group' SYNTAX ##

chown -R user1 /home/faculty/user1
chgrp -R user1 /home/faculty/user1

Unix: making user accounts

You can do these steps manually, use a vendor-supplied script/program, or write your own.

Also, there are often GUIs, or you can use webmin.

Unix/Linux: shadow password files

Most Unix/Linux distributions now use a "shadow" password file in addition to the main password file: the shadow file moves the hashed password out of the world-readable /etc/passwd and into a file readable only by root. Why is this a good idea? See "John the Ripper" or "L0phtCrack": anyone who can read the hashes can systematically guess passwords offline with such programs.

Unix/Linux: shadow password files

The shadow file also allows new fields to be added to support password rules, password aging, account expiry, etc. Examples:

Unix/Linux: removing users

Removing Unix/Linux users: you can just undo the steps above!

However, it can be hard to find all files owned by the user if you gave them access to directories outside of their home directory.

You can use find / -user USERNAME -print, but that only works as long as the username is still in the password file. Once the entry is gone, you need to search by the numeric id instead: find / -uid UID -print

Unix/Linux: removing users

You will usually want to archive (or otherwise preserve) the user's data. These days, a memory stick is one convenient way to give users a permanent copy of their data.

Unix/Linux: disabling user accounts

The easiest way is usually to replace their login shell with one that refuses to log in:
user1:x:501:501:USER1:/home/user1:/sbin/nologin 
user2:x:502:502:USER2:/home/user2:/bin/false

You can put text into /etc/nologin.txt to modify the message from the nologin program, but it isn't customizable per user.

Unix/Linux /etc/shells

/etc/shells keeps a list of trusted shells that users can change to via "chsh". /etc/shells is also consulted by other programs to make sure that a shell is a "legitimate" one for that system; in the past, even sendmail used to consult this file.

Unix/Linux /etc/shells

In general, this file is becoming much less used than it was in the past. Here's a current Fedora /etc/shells, which is very minimalistic:

$ cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin

/bin/passwd binary

treating /etc/passwd as a critical file

On a busy machine, you might create a cron script to make backups, something like:

cp /saved/passwd.1 /saved/passwd.2
cp /saved/passwd.0 /saved/passwd.1
cp /etc/passwd /saved/passwd.0 

treating /etc/passwd as a critical file

[root@sophie root]# pwck
user adm: directory /var/adm does not exist
user gopher: directory /var/gopher does not exist
user ident: directory /home/ident does not exist
user pcap: directory /var/arpwatch does not exist
user vmail: directory /home/vmail does not exist
pwck: no changes

treating /etc/passwd as a critical file

You can occasionally run a password cracker against your own hashes to see if your users are choosing obvious passwords (notice this is less of a problem if you enforce good passwords at the time they are set).
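A pwck-style consistency check over the relationships these slides describe (hash kept in the shadow file, unique UIDs, primary group present in /etc/group, home directory present, shell listed in /etc/shells), written as an added Python example that is not from the slides. It runs over constructed sample records rather than the live files, and the home_exists hook is an assumption so the check can be exercised offline.

```python
import os

# Constructed sample records (not a real system), in /etc/passwd, /etc/group and /etc/shells layout.
PASSWD = """root:x:0:0:root:/root:/bin/bash
user1:x:501:501:USER1:/home/faculty/user1:/bin/tcsh
user2:x:502:502:USER2:/home/user2:/bin/false
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
legacy:f9cPz5ilB5N0o:503:503:LEGACY:/home/legacy:/bin/sh
dup:x:501:503:DUP:/home/dup:/bin/bash
"""
GROUP = """root:x:0:root
user1:x:501:
user2:x:502:
legacy:x:503:
"""
SHELLS = ["/bin/sh", "/bin/bash", "/sbin/nologin"]

def parse_passwd(text):
    # seven colon-separated fields; field 2 is 'x' when the hash lives in /etc/shadow
    users = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, pw, uid, gid, _gecos, home, shell = line.split(":")
            users.append(dict(name=name, pw=pw, uid=int(uid), gid=int(gid), home=home, shell=shell))
    return users

def parse_group(text):
    # group name, password, gid, comma-separated member list -> {gid: name}
    return {int(l.split(":")[2]): l.split(":")[0] for l in text.splitlines() if l.strip()}

def audit(passwd_text, group_text, shells, home_exists=os.path.isdir):
    """pwck-style consistency check; returns one finding string per problem found."""
    users, groups, seen_uid, findings = parse_passwd(passwd_text), parse_group(group_text), {}, []
    for u in users:
        if u["pw"] not in ("x", "*", "!", "!!"):   # hash should be in the shadow file, not here
            findings.append(f"user {u['name']}: password hash not shadowed")
        if u["uid"] in seen_uid:                   # two names sharing one uid
            findings.append(f"user {u['name']}: duplicate uid {u['uid']} (also {seen_uid[u['uid']]})")
        seen_uid.setdefault(u["uid"], u["name"])
        if u["gid"] not in groups:                 # primary group missing from /etc/group
            findings.append(f"user {u['name']}: group {u['gid']} does not exist")
        if not home_exists(u["home"]):             # the check pwck itself reports
            findings.append(f"user {u['name']}: directory {u['home']} does not exist")
        if u["shell"] not in shells:               # /bin/false and /bin/tcsh are not in this /etc/shells
            findings.append(f"user {u['name']}: shell {u['shell']} not in /etc/shells")
    return findings
```

Calling audit(PASSWD, GROUP, SHELLS) with the default home_exists checks the sample against the real filesystem; pass a function of your own to test against a fixed set of home directories.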

Setting up specialized accounts

Sometimes it is desirable to create limited accounts that serve only a single purpose, such as with the old "sync" user login, or as we saw with the "postgres" account.