Managing users and data are two of the most important categories of system administration duties. We will look at what it means to add and remove both people and data.
$ w 06:44:59 up 2 days, 1:45, 6 users, load average: 0.00, 0.00, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT testtest tty2 - 06:41 2:41 0.00s 0.00s -bash testtest tty3 - 06:42 1:57 0.00s 0.00s -bash $ who testtest01 tty2 2008-06-04 06:41 testtest02 tty3 2008-06-04 06:42 [fsucs@acer1 Slides]$
For example:
user1:f9cPz5ilB5N0o:501:501:USER1:/home/faculty/user1:/bin/tcsh langley:$6$k6H7I90O5bOvcUi/$cCYlXCnSkTj6cZnFV35FCpO.xFXqQMVKExjnA qfFi2tO53pxDdx1lKxxd30eFXEYWgaq3x/.M7os3ehrFpL1W0:USER1:/home/fac ulty/user1:/bin/tcsh
root:x:0:root bin:x:1:root,bin,daemon daemon:x:2:root,bin,daemon sys:x:3:root,bin,adm adm:x:4:root,adm,daemon tty:x:5: disk:x:6:root lp:x:7:daemon,lp mem:x:8: kmem:x:9: wheel:x:10:root
mkdir /home/faculty/user1 cp /etc/skel/.[A-Za-z]* /home/faculty/user1 chmod 700 /home/faculty/user1 chown -R user1:user1 /home/faculty/user1 ## OR, IF YOU DON'T HAVE THE ':' SYNTAX ## chown -R user1 /home/faculty/user1 chgrp -R user1 /home/faculty/user1
You can do these steps manually, use a vendor-supplied script/program, or write your own.
Also, there are often GUIs, or you can use webmin.
Most Unix/Linux distributions now use a ``shadow'' password file in addition to the main password file -- a shadow password file moves the encrypted password out of the publicly-readable /etc/passwd file and into a root-accessible-only file. Why is this a good idea? See ``John the Ripper'' or ``LOPHTCRACK'' -- any hacker can try to systematically guess passwords with such programs.
Also allows for creation of new fields to support password rules, password aging, etc. Examples:
Removing Unix/Linux users -- you can just undo the steps above!
However, it can be problematic to find all files owned by the user, if you gave them access to directories outside of their home directory.
Or, find / -user USERNAME -print -- but that only works as long as the username is still in the password file. Otherwise, you need to use find / -uid UID -print
You usually will want to archive (or otherwise preserve) the user data. These days, a memory stick can be one of these ways to give users permanent copies of their user data.
user1:x:501:501:USER1:/home/user1:/sbin/nologin user2:x:502:502:USER2:/home/user2:/bin/false
You can put text into /etc/nologin.txt to modify the message from the nologin program, but it isn't customizable per user.
/etc/shells keeps a list of trusted shells users can change to via ``chsh'' /etc/shells is also consulted by other programs to make sure that a shell is a ``legitimate'' one for that system; in the past, even sendmail used to consult this file.
In general, this file is becoming much less used than it was in the past. Here's a current Fedora /etc/shells, which is very minimalistic:
$ cat /etc/shells /bin/sh /bin/bash /sbin/nologin
On a busy machine, you might create a cron script to make backups, something like:
cp /saved/passwd.1 /saved/passwd.2 cp /saved/passwd.0 /saved/passwd.1 cp /etc/passwd /saved/passwd.0
[root@sophie root]# pwck user adm: directory /var/adm does not exist user gopher: directory /var/gopher does not exist user ident: directory /home/ident does not exist user pcap: directory /var/arpwatch does not exist user vmail: directory /home/vmail does not exist pwck: no changes
You can occasionally run password crackers to see if your users are putting in obvious passwords (notice this is less of a problem if you require them to have good passwords).
Sometimes it is desirable to create limited accounts that serve only a single purpose, such as with the old "sync" user login, or as we saw with the "postgres" account.