File: node14.html

package info (click to toggle)
rutebook 1.0-1
links: PTS
area: non-free
in suites: sarge
size: 9,476 kB
ctags: 1,112
sloc: makefile: 47
file content (929 lines) | stat: -rw-r--r-- 37,007 bytes
parent folder | download | duplicates (2)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 99.2beta8 (1.46)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>11. User Accounts and Ownerships</TITLE>
<META NAME="description" CONTENT="11. User Accounts and Ownerships">
<META NAME="keywords" CONTENT="rute">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v99.2beta8">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="rute.css">

<LINK REL="next" HREF="node15.html">
<LINK REL="previous" HREF="node13.html">
<LINK REL="up" HREF="rute.html">
<LINK REL="next" HREF="node15.html">
</HEAD>

<BODY BGCOLOR=#FFFFFF >
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0">
<TR><TD align=left bgcolor="#000000">
<FONT COLOR=white>
&nbsp;<A HREF="http://www.icon.co.za/~psheer/rute-purchase.html"><FONT COLOR=white>Purchase</FONT></A>&nbsp;
</FONT>
</TD><TD align=center bgcolor="#000000">
<FONT COLOR=white>
Copyright&nbsp;&#169;&nbsp;2002&nbsp;Paul Sheer. <A HREF="copying.html"><FONT COLOR=white>Click here for copying permissions.</FONT></A>
</FONT>
</TD><TD align=right bgcolor="#000000">
<FONT COLOR=white>
&nbsp;<A HREF="http://www.icon.co.za/~psheer/rute-home.html"><FONT COLOR=white>Home</FONT></A>&nbsp;
</FONT>
</TD></TR>
<TR><TD colspan=2 align=left bgcolor="#ECEBF4">
<IMG SRC="va-btn-small-light-60.png">
</TD><TD align=right bgcolor="#ECEBF4">
<IMG SRC="sflogo2-steel-60.png">
</TD></TR>
</TABLE><BR>

<!--Navigation Panel-->
<A NAME="tex2html1930"
  HREF="node15.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html1926"
  HREF="rute.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html1920"
  HREF="node13.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html1928"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html1931"
  HREF="node15.html">12. Using Internet Services</A>
<B> Up:</B> <A NAME="tex2html1927"
  HREF="rute.html">rute</A>
<B> Previous:</B> <A NAME="tex2html1921"
  HREF="node13.html">10. Mail</A>
 &nbsp <B>  <A NAME="tex2html1929"
  HREF="node1.html">Contents</A></B> 
<BR>
<BR>
<!--End of Navigation Panel-->
<!--Table of Child-Links-->
<A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A>

<UL>
<LI><A NAME="tex2html1932"
  HREF="#SECTION001410000000000000000">11.1 File Ownerships</A>
<LI><A NAME="tex2html1933"
  HREF="#SECTION001420000000000000000">11.2 The Password File <TT>
<FONT COLOR="#0000ff">/etc/passwd</FONT></TT></A>
<LI><A NAME="tex2html1934"
  HREF="#SECTION001430000000000000000">11.3 Shadow Password File: <TT>
<FONT COLOR="#0000ff">/etc/shadow</FONT></TT></A>
<LI><A NAME="tex2html1935"
  HREF="#SECTION001440000000000000000">11.4 The <TT>
<FONT COLOR="#0000ff">groups</FONT></TT> Command and <TT>
<FONT COLOR="#0000ff">/etc/group</FONT></TT></A>
<LI><A NAME="tex2html1936"
  HREF="#SECTION001450000000000000000">11.5 Manually Creating a User Account</A>
<LI><A NAME="tex2html1937"
  HREF="#SECTION001460000000000000000">11.6 Automatically: <TT>
<FONT COLOR="#0000ff">useradd</FONT></TT> and <TT>
<FONT COLOR="#0000ff">groupadd</FONT></TT></A>
<LI><A NAME="tex2html1938"
  HREF="#SECTION001470000000000000000">11.7 User Logins</A>
<UL>
<LI><A NAME="tex2html1939"
  HREF="#SECTION001471000000000000000">11.7.1 The <TT>
<FONT COLOR="#0000ff">login</FONT></TT> command</A>
<LI><A NAME="tex2html1940"
  HREF="#SECTION001472000000000000000">11.7.2 The <I>set user</I>, <TT>
<FONT COLOR="#0000ff">su</FONT></TT> command</A>
<LI><A NAME="tex2html1941"
  HREF="#SECTION001473000000000000000">11.7.3 The <TT>
<FONT COLOR="#0000ff">who</FONT></TT>, <TT>
<FONT COLOR="#0000ff">w</FONT></TT>, and <TT>
<FONT COLOR="#0000ff">users</FONT></TT> commands to see who is logged in</A>
<LI><A NAME="tex2html1942"
  HREF="#SECTION001474000000000000000">11.7.4 The <TT>
<FONT COLOR="#0000ff">id</FONT></TT> command and <I>effective</I> UID</A>
<LI><A NAME="tex2html1943"
  HREF="#SECTION001475000000000000000">11.7.5 User limits</A>
</UL></UL>
<!--End of Table of Child-Links-->
<HR>

<H1><A NAME="SECTION001400000000000000000">
11. User Accounts and User Ownerships</A>
</H1>

<P>
<A NAME="chap:useraccounts"></A>
<P>
U<SMALL>NIX</SMALL> intrinsically supports
multiple users. Each user has a personal <I>home</I> directory
<TT>
<FONT COLOR="#0000ff">/home/&lt;username&gt;</FONT></TT> in which the user's files are stored,
hidden from other users.

<P>
So far you may have been using the machine as the <TT>
<FONT COLOR="#0000ff">root</FONT></TT>
user, who is the system administrator and has complete access to
every file on the system.
The <TT>
<FONT COLOR="#0000ff">root</FONT></TT> is also called the <I>superuser</I>.
The home directory of the
<TT>
<FONT COLOR="#0000ff">root</FONT></TT> user is <TT>
<FONT COLOR="#0000ff">/root</FONT></TT>. <I>Note that there is
an ambiguity here: the <I>root</I> directory is the topmost directory,
known as the <TT>
<FONT COLOR="#0000ff">/</FONT></TT> directory. The <TT>
<FONT COLOR="#0000ff">root</FONT></TT> user's home
directory is <TT>
<FONT COLOR="#0000ff">/root</FONT></TT> and is called the <I>home
directory of <TT>
<FONT COLOR="#0000ff">root</FONT></TT></I>.</I>

<P>
Other than the superuser, every other user has <I>limited</I> access to
files and directories. Always use your machine as a normal user.
Log in as <TT>
<FONT COLOR="#0000ff">root</FONT></TT> only to do system administration. This practice
will save you from the destructive power that the <TT>
<FONT COLOR="#0000ff">root</FONT></TT>
user has. In this chapter we show how to manually and automatically
create new users.

<P>
Users are also divided into sets, called <I>groups</I>. A user
can belong to several groups and there can be as many groups on
the system as you like. Each group is defined by a list of users
that are part of that set. In addition, each user may have a group of
the same name (as the user's login name), to which only that user belongs.

<P>

<H1><A NAME="SECTION001410000000000000000">
11.1 File Ownerships</A>
</H1>

<P>
Each file on a system is <I>owned</I> by a particular user and
also <I>owned</I> by a particular group. When you run
<TT>
<FONT COLOR="#0000ff">ls -al</FONT></TT>, you can see the user that owns the file in the third
column and the group that owns the file in the fourth column
(these will often be identical, indicating that the file's group
is a group to which only the user belongs). To change the
ownership of the file, simply use the
<TT>
<FONT COLOR="#0000ff">chown</FONT></TT>, <I>change ownerships</I>, command as follows.

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>chown&nbsp;&#060;user&#062;[:&#060;group&#062;]&nbsp;&#060;filename&#062;</code><br>
</FONT></TD></TR></TABLE><P>

<P>

<H1><A NAME="SECTION001420000000000000000">
11.2 The Password File <TT>
<FONT COLOR="#0000ff">/etc/passwd</FONT></TT></A>
</H1>

<P>
The only place in the whole system where a user name is registered is
in this file.  <FONT COLOR="#ffa500">[Exceptions to this rule are several distributed
authentication schemes and the Samba package, but you needn't worry
about these for now.]</FONT> Once a user is added to this file, that user is said
to <I>exist</I> on the system. If you thought that user
accounts were stored in some unreachable dark corner, then this should
dispel that idea. This is also known as the <I>password</I> file to
administrators. View this file with
<TT>
<FONT COLOR="#0000ff">less</FONT></TT>:

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<font size="-1"><code>5</code></font><code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<font size="-1"><code>10</code></font><code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<font size="-1"><code>15</code></font><code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>root:x:0:0:Paul&nbsp;Sheer:/root:/bin/bash</code><br>
<code>bin:x:1:1:bin:/bin:</code><br>
<code>daemon:x:2:2:daemon:/sbin:</code><br>
<code>adm:x:3:4:adm:/var/adm:</code><br>
<code>lp:x:4:7:lp:/var/spool/lpd:</code><br>
<code>sync:x:5:0:sync:/sbin:/bin/sync</code><br>
<code>shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown</code><br>
<code>halt:x:7:0:halt:/sbin:/sbin/halt</code><br>
<code>mail:x:8:12:mail:/var/spool/mail:</code><br>
<code>news:x:9:13:news:/var/spool/news:</code><br>
<code>uucp:x:10:14:uucp:/var/spool/uucp:</code><br>
<code>gopher:x:13:30:gopher:/usr/lib/gopher-data:</code><br>
<code>ftp:x:14:50:FTP&nbsp;User:/home/ftp:</code><br>
<code>nobody:x:99:99:Nobody:/:</code><br>
<code>alias:x:501:501::/var/qmail/alias:/bin/bash</code><br>
<code>paul:x:509:510:Paul&nbsp;Sheer:/home/paul:/bin/bash</code><br>
<code>jack:x:511:512:Jack&nbsp;Robbins:/home/jack:/bin/bash</code><br>
<code>silvia:x:511:512:Silvia&nbsp;Smith:/home/silvia:/bin/bash</code><br>
</FONT></TD></TR></TABLE><P>

<P>
Above is an extract of my own password file. Each user is stored
on a separate line. Many of these are not human login
accounts but are used by other programs.

<P>
Each line contains seven <I>fields</I> separated by colons. The
account for <TT>
<FONT COLOR="#0000ff">jack</FONT></TT> looks like this:
<DL>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">jack</FONT></TT></STRONG></DT>
<DD>The user's login name. It should be composed of
lowercase letters and numbers.
Other characters are allowed, but
are not preferable. In particular, there should <I>never</I> be two
user names that differ only by their capitalization.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">x</FONT></TT></STRONG></DT>
<DD>The user's encrypted password. An <TT>
<FONT COLOR="#0000ff">x</FONT></TT> in this field indicates that it
is stored in a separate file, <TT>
<FONT COLOR="#0000ff">/etc/shadow</FONT></TT>. This <I>shadow</I> password
file is a later addition to U<SMALL>NIX</SMALL> systems. It contains additional information about the
user.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">511</FONT></TT></STRONG></DT>
<DD>The user's user identification number, <I>UID</I>. <FONT COLOR="#ffa500">[This is used by programs as a short alternative to the user's login name. In fact, internally, the login name is never used, only the UID.]</FONT>
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">512</FONT></TT></STRONG></DT>
<DD>The user's group identification number, <I>GID</I>. <FONT COLOR="#ffa500">[Similarly applies to the GID. Groups will be discussed later.]</FONT>
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">Jack Robbins</FONT></TT></STRONG></DT>
<DD>The user's full name. <FONT COLOR="#ffa500">[Few programs ever make use of this field.]</FONT>
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">/home/jack</FONT></TT></STRONG></DT>
<DD>The user's home directory. The <TT>
<FONT COLOR="#0000ff">HOME</FONT></TT> environment variable will
be set to this when the user logs in.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">/bin/bash</FONT></TT></STRONG></DT>
<DD>The shell to start when the user logs in.
</DD>
</DL>

<P>

<H1><A NAME="SECTION001430000000000000000">
11.3 Shadow Password File: <TT>
<FONT COLOR="#0000ff">/etc/shadow</FONT></TT></A>
</H1>

<P>
<A NAME="sec:shadowpasfiletcsh"></A>
<P>
The problem with traditional <TT>
<FONT COLOR="#0000ff">passwd</FONT></TT> files is that they
had to be <I>world readable</I> <FONT COLOR="#ffa500">[Everyone on the system
can read the file.]</FONT> in order for programs to extract information,
such as the user's full name, about the user. This means that
everyone can see the encrypted password in the second field.
Anyone can copy any other user's password field and then try
billions of different passwords to see if they match. If you
have a hundred users on the system, there are bound to be several
that chose passwords that matched some word in the dictionary. The
so-called <I>dictionary</I> attack will simply try all 80,000
common English words until a match is found. If you think you are
clever to add a number in front of an easy-to-guess dictionary
word, password cracking algorithms know about these as
well. <FONT COLOR="#ffa500">[And about every other trick you can think of.]</FONT> To
solve this problem the <TT>
<FONT COLOR="#0000ff">shadow</FONT></TT> password file was
invented. The shadow password file is used only for
<I>authentication</I> <FONT COLOR="#ffa500">[Verifying that the user is the genuine owner of the account.]</FONT>and is not world readable--there is no
information in the shadow password file that a common program
will ever need--no regular user has permission to see the
encrypted password field. The fields are colon separated just
like the <TT>
<FONT COLOR="#0000ff">passwd</FONT></TT> file.

<P>
Here is an example line from a <TT>
<FONT COLOR="#0000ff">/etc/shadow</FONT></TT> file:

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>jack:Q,Jpl.or6u2e7:10795:0:99999:7:-1:-1:134537220</code><br>
</FONT></TD></TR></TABLE><P>

<P>
<A NAME="page:passwdhash"></A><DL>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">jack</FONT></TT></STRONG></DT>
<DD>The user's login name.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">Q,Jpl.or6u2e7</FONT></TT></STRONG></DT>
<DD>The user's encrypted password known
as the <I>hash</I> of the password. This is the user's 8-character
password with a <I>one-way hash function</I> applied
to it. It is simply a mathematical algorithm applied to the
password that is known to produce a unique result for each
password. To demonstrate: the (rather poor) password
<TT>
<FONT COLOR="#0000ff">Loghimin</FONT></TT> hashes to <TT>
<FONT COLOR="#0000ff">:lZ1F.0VSRRucs:</FONT></TT> in the
shadow file. An almost identical password <TT>
<FONT COLOR="#0000ff">loghimin</FONT></TT> gives
a completely different hash <TT>
<FONT COLOR="#0000ff">:CavHIpD1W.cmg:</FONT></TT>.
Hence, trying to guess the password from the hash
can only be done by trying every possible password. Such
a <I>brute force attack</I> is
therefore considered computationally expensive <I>but not impossible</I>.
To check if an entered password matches, just apply the
identical mathematical algorithm to it: if it matches, then the
password is correct. This is how the login command works.
Sometimes you will see a <TT>
<FONT COLOR="#0000ff">*</FONT></TT> in place of a hashed password.
This means that the account has been disabled.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">10795</FONT></TT></STRONG></DT>
<DD>Days since January 1, 1970, that the
password was last changed.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">0</FONT></TT></STRONG></DT>
<DD>Days before which password may not be changed.
Usually zero. This field is not often used.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">99999</FONT></TT></STRONG></DT>
<DD>Days after which password must be changed.
This is also rarely used, and will be set to 99999 by default.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">7</FONT></TT></STRONG></DT>
<DD>Days before password is to expire that user is
warned of pending password expiration.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">-1</FONT></TT></STRONG></DT>
<DD>Days after password expires that account is
considered inactive and disabled. <TT>
<FONT COLOR="#0000ff">-1</FONT></TT> is used to
indicate infinity--that is, to mean we are effectively not using this
feature.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">-1</FONT></TT></STRONG></DT>
<DD>Days since January 1, 1970, when
account will be disabled.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">134537220</FONT></TT></STRONG></DT>
<DD>Flag reserved for future use.
</DD>
</DL>

<P>

<H1><A NAME="SECTION001440000000000000000">
11.4 The <TT>
<FONT COLOR="#0000ff">groups</FONT></TT> Command and <TT>
<FONT COLOR="#0000ff">/etc/group</FONT></TT></A>
</H1>

<P>
On a U<SMALL>NIX</SMALL> system you may want to give a number of users the same
access rights. For instance, you may have five users that should be
allowed to access some privileged file and another ten users that are
allowed to run a certain program. You can <I>group</I> these
users into, for example, two groups <TT>
<FONT COLOR="#0000ff">previl</FONT></TT> and <TT>
<FONT COLOR="#0000ff">wproc</FONT></TT>
and then make the relevant file and directories owned by that group
with, say,

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>chown&nbsp;root:previl&nbsp;/home/somefile</code><br>
<code>chown&nbsp;root:wproc&nbsp;/usr/lib/wproc</code><br>
</FONT></TD></TR></TABLE><P>
<I>Permissions</I> <FONT COLOR="#ffa500">[Explained later.]</FONT> dictate the
kind of access, but for the meantime, the file/directory must
at least be <I>owned</I> by that group.

<P>
The <TT>
<FONT COLOR="#0000ff">/etc/group</FONT></TT> file is also colon separated. A line might look like this:

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>wproc:x:524:jack,mary,henry,arthur,sue,lester,fred,sally</code><br>
</FONT></TD></TR></TABLE><P>

<P>
<DL>
<DT><STRONG>wproc</STRONG></DT>
<DD>The name of the group. There should really also be a user of this name as well.
</DD>
<DT><STRONG>x</STRONG></DT>
<DD>The group's password. This field is usually set with an <TT>
<FONT COLOR="#0000ff">x</FONT></TT> and is not used.
</DD>
<DT><STRONG>524</STRONG></DT>
<DD>The GID <I>group ID</I>. This must be unique in the group's file.
</DD>
<DT><STRONG>jack,mary,henry,arthur,sue,lester,fred,sally</STRONG></DT>
<DD>The list of users that belong
to the group. This must be comma separated with no spaces.
</DD>
</DL>

<P>
You can obviously study the <TT>
<FONT COLOR="#0000ff">group</FONT></TT> file to find out which
groups a user belongs to, <FONT COLOR="#ffa500">[That is, <I>not</I> ``which users does a group consist of?''
which is easy to see at a glance.]</FONT> but
when there are a lot of groups, it can be tedious to scan through
the entire file. The <TT>
<FONT COLOR="#0000ff">groups</FONT></TT> command prints out this
information.

<P>

<H1><A NAME="SECTION001450000000000000000">
11.5 Manually Creating a User Account</A>
</H1>

<P>
The following steps are required to create a user account:
<DL>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">/etc/passwd</FONT></TT> entry</STRONG></DT>
<DD>To create an entry in this file, simply edit it and
copy an existing line. <FONT COLOR="#ffa500">[When editing configuration files,
never write out a line from scratch if it has some kind of
special format. Always copy an existing entry that has proved
itself to be correct, and then edit in the appropriate changes.
This will prevent you from making errors.]</FONT> Always add users from
the bottom and try to preserve the ``pattern'' of the file--that is,
if you see numbers increasing, make yours fit in; if you
are adding a normal user, add it after the existing lines of
normal users. Each user must have a unique UID and should usually have
a unique GID. So if you are adding a line to the end of the
file, make your new UID and GID the same as the last line but
incremented by 1.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">/etc/shadow</FONT></TT> entry</STRONG></DT>
<DD>Create a new shadow password entry.
At this stage you do not know what the hash is, so just make it
a <TT>
<FONT COLOR="#0000ff">*</FONT></TT>. You can set the password with the
<TT>
<FONT COLOR="#0000ff">passwd</FONT></TT> command later.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">/etc/group</FONT></TT> entry</STRONG></DT>
<DD>Create a new group entry for the user's group.
Make sure the number in the group entry matches that in the
<TT>
<FONT COLOR="#0000ff">passwd</FONT></TT> file.
</DD>
<DT><STRONG><TT>
<FONT COLOR="#0000ff">/etc/skel</FONT></TT></STRONG></DT>
<DD>This directory contains a template home directory
for the user. Copy the entire directory and all its contents
into <TT>
<FONT COLOR="#0000ff">/home</FONT></TT> directory, renaming it to the name of the
user. In the case of our <TT>
<FONT COLOR="#0000ff">jack</FONT></TT> example, you should have
a directory <TT>
<FONT COLOR="#0000ff">/home/jack</FONT></TT>.
</DD>
<DT><STRONG>Home directory ownerships</STRONG></DT>
<DD>You need to now change the
ownerships of the home directory to match the user. The command
<TT>
<FONT COLOR="#0000ff">chown -R jack:jack /home/jack</FONT></TT> will accomplish this change.
</DD>
<DT><STRONG>Setting the password</STRONG></DT>
<DD>Use <TT>
<FONT COLOR="#0000ff">passwd &lt;username&gt;</FONT></TT> to
set the user's password.
</DD>
</DL>

<P>

<H1><A NAME="SECTION001460000000000000000">
11.6 Automatically Creating a User Account: <TT>
<FONT COLOR="#0000ff">useradd</FONT></TT> and <TT>
<FONT COLOR="#0000ff">groupadd</FONT></TT></A>
</H1>

<P>
The above process is tedious. The commands that perform all
these updates automatically are <TT>
<FONT COLOR="#0000ff">useradd</FONT></TT>,
<TT>
<FONT COLOR="#0000ff">userdel</FONT></TT>, and <TT>
<FONT COLOR="#0000ff">usermod</FONT></TT>. The man pages
explain the use of these commands in detail. Note that different
flavors of U<SMALL>NIX</SMALL> have different commands to do this. Some may
even have graphical programs or web interfaces to assist in
creating users.

<P>
In addition, the commands <TT>
<FONT COLOR="#0000ff">groupadd</FONT></TT>, 
<TT>
<FONT COLOR="#0000ff">groupdel</FONT></TT>, and <TT>
<FONT COLOR="#0000ff">groupmod</FONT></TT> do the same with
respect to groups.

<P>

<H1><A NAME="SECTION001470000000000000000">
11.7 User Logins</A>
</H1>

<P>
<A NAME="sec:loginprogram"></A>
<P>
It is possible to switch from one user to another, as well as view your
login status and the status of other users. Logging in also follows
a silent procedure which is important to understand.

<P>

<H2><A NAME="SECTION001471000000000000000">
11.7.1 The <TT>
<FONT COLOR="#0000ff">login</FONT></TT> command</A>
</H2>

<P>
A user most often gains access to the system through the
<TT>
<FONT COLOR="#0000ff">login</FONT></TT> program. This program looks up the UID
and GID from the <TT>
<FONT COLOR="#0000ff">passwd</FONT></TT> and <TT>
<FONT COLOR="#0000ff">group</FONT></TT> file
and authenticates the user. 

<P>
The following is quoted from the <TT>
<FONT COLOR="#0000ff">login</FONT></TT> man page, and
explains this procedure in detail:

<P>

<BLOCKQUOTE><FONT SIZE="-1"><B>login</B>  is used when signing onto a system.  It can also
be used to switch from one user to another at any time  (most
modern  shells  have  support  for this feature built into them,
however).
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">If an argument is not given, <B>login</B> prompts for  the  
username.
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">If  the  user is <I>not</I> root, and if <I>/etc/nologin</I>
exists, the contents of this file are printed to the screen, 
and  the login  is  terminated.   This is typically used to
prevent logins when the system is being taken down.
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">If special access restrictions are specified for the  user in 
<I>/etc/usertty</I>, these must be met, or the login attempt
will be denied and a <B>syslog</B> <FONT COLOR="#ffa500">[System error
log program--<TT>
<FONT COLOR="#0000ff">syslog</FONT></TT> writes all system messages to the file
<TT>
<FONT COLOR="#0000ff">/var/log/messages</FONT></TT>.]</FONT> message will be generated. See the
section on "Special Access Restrictions."
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">If the user is <TT>
<FONT COLOR="#0000ff">root</FONT></TT>, then the login must be occuring on a tty
listed in <I>/etc/securetty</I>. <FONT COLOR="#ffa500">[If this file is not
present, then root logins will be allowed from anywhere. It is
worth deleting this file if your machine is protected by a
firewall and you would like to easily login from another machine
on your LAN. 
If <TT>
<FONT COLOR="#0000ff">/etc/securetty</FONT></TT> is present, then logins
are only allowed from the terminals it lists.]</FONT>  Failures  will 
be logged with the <B>syslog</B> facility.
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">After  these  conditions have been checked, the password will be
requested and checked (if a password is required  for  this
username).   Ten  attempts  are allowed before <B>login</B> dies, but
after the first three, the response starts to get very slow.  
Login  failures are reported via the <B>syslog</B> facility.   This
facility is also used to report any  successful root logins.
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">If  the  file  <I>.hushlogin</I>  exists, then a "quiet" login
is performed (this disables the checking  of
mail  and  the printing of the last login time and message of
the day).  Otherwise, if <I>/var/log/lastlog</I>  exists,  the
last  login  time  is  printed  (and  the current login is
recorded).
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">Random administrative things, such as setting the UID  and GID 
of the tty are performed.  The TERM environment variable  is
preserved, if it exists (other  environment  variables   are 
preserved if the <B>-p</B> option is used).  Then the HOME,
PATH, SHELL, TERM,
MAIL,  and  LOGNAME  environment variables     
are      set.      PATH     defaults     to
<I>/usr/local/bin:/bin:/usr/bin:</I><B><TT>
<FONT COLOR="#0000ff">.</FONT></TT></B> <FONT COLOR="#ffa500">[Note that the <B><TT>
<FONT COLOR="#0000ff">.</FONT></TT></B> &nbsp;--the current directory--is listed in the <TT>
<FONT COLOR="#0000ff">PATH</FONT></TT>. This is only the default <TT>
<FONT COLOR="#0000ff">PATH</FONT></TT> however.]</FONT>  for normal users,  and  to
<I>/sbin:/bin:/usr/sbin:/usr/bin</I>  for root.  Last, if this is
not a "quiet" login, the message of the day is printed and
the  file  with the user's name in <I>/usr/spool/mail</I> will be
checked, and a message printed if it has non-zero  length.
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">The  user's  shell is then started.  If no shell is specified
for the user in <B>/etc/passwd</B>, then  <B>/bin/sh</B>  is 
used. If there is no directory specified in <I>/etc/passwd</I>,
then <I>/</I> is used (the home directory is checked for the 
<I>.hushlogin</I> file described above).
</FONT></BLOCKQUOTE>

<P>

<H2><A NAME="SECTION001472000000000000000">
11.7.2 The <I>set user</I>, <TT>
<FONT COLOR="#0000ff">su</FONT></TT> command</A>
</H2>

<P>
To temporarily become another user, you can use the <TT>
<FONT COLOR="#0000ff">su</FONT></TT>
program:

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>su&nbsp;jack</code><br>
</FONT></TD></TR></TABLE><P>
This command prompts you for a password (unless you are the root user
to begin with). It does nothing more than change the
current user to have the access rights of <TT>
<FONT COLOR="#0000ff">jack</FONT></TT>. Most
environment variables will remain the same. The <TT>
<FONT COLOR="#0000ff">HOME</FONT></TT>,
<TT>
<FONT COLOR="#0000ff">LOGNAME</FONT></TT>, and <TT>
<FONT COLOR="#0000ff">USER</FONT></TT> environment variables will be
set to <TT>
<FONT COLOR="#0000ff">jack</FONT></TT>, but all other environment variables will
be inherited. <TT>
<FONT COLOR="#0000ff">su</FONT></TT> is, therefore, not the same as a
normal login.

<P>
To get the equivalent of a login with <TT>
<FONT COLOR="#0000ff">su</FONT></TT>, run

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>su&nbsp;-&nbsp;jack</code><br>
</FONT></TD></TR></TABLE><P>
This will cause all initialization scripts (that are normally run
when the user logs in) to be executed. <FONT COLOR="#ffa500">[What actually
happens is that the subsequent shell is started with a
<TT>
<FONT COLOR="#0000ff">-</FONT></TT> in front of the zero'th argument. This makes the shell read the
user's personal profile. The <TT>
<FONT COLOR="#0000ff">login</FONT></TT> command also does this.]</FONT> Hence, after running
<TT>
<FONT COLOR="#0000ff">su</FONT></TT> with the <TT>
<FONT COLOR="#0000ff">-</FONT></TT> option, you logged in as if with the <TT>
<FONT COLOR="#0000ff">login</FONT></TT> command.

<P>

<H2><A NAME="SECTION001473000000000000000">
11.7.3 The <TT>
<FONT COLOR="#0000ff">who</FONT></TT>, <TT>
<FONT COLOR="#0000ff">w</FONT></TT>, and <TT>
<FONT COLOR="#0000ff">users</FONT></TT> commands to see who is logged in</A>
</H2>

<P>
<TT>
<FONT COLOR="#0000ff">who</FONT></TT> and <TT>
<FONT COLOR="#0000ff">w</FONT></TT> print a list of users logged in to the
system, as well as their CPU consumption and other statistics.
<TT>
<FONT COLOR="#0000ff">who &#45;&#45;help</FONT></TT> gives:

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<font size="-1"><code>5</code></font><code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<font size="-1"><code>10</code></font><code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<font size="-1"><code>15</code></font><code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>Usage:&nbsp;who&nbsp;[OPTION]...&nbsp;[&nbsp;FILE&nbsp;|&nbsp;ARG1&nbsp;ARG2&nbsp;]</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;&nbsp;-H,&nbsp;--heading&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;line&nbsp;of&nbsp;column&nbsp;headings</code><br>
<code>&nbsp;&nbsp;-i,&nbsp;-u,&nbsp;--idle&nbsp;&nbsp;&nbsp;&nbsp;add&nbsp;user&nbsp;idle&nbsp;time&nbsp;as&nbsp;HOURS:MINUTES,&nbsp;.&nbsp;or&nbsp;old</code><br>
<code>&nbsp;&nbsp;-m&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;only&nbsp;hostname&nbsp;and&nbsp;user&nbsp;associated&nbsp;with&nbsp;stdin</code><br>
<code>&nbsp;&nbsp;-q,&nbsp;--count&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;all&nbsp;login&nbsp;names&nbsp;and&nbsp;number&nbsp;of&nbsp;users&nbsp;logged&nbsp;on</code><br>
<code>&nbsp;&nbsp;-s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(ignored)</code><br>
<code>&nbsp;&nbsp;-T,&nbsp;-w,&nbsp;--mesg&nbsp;&nbsp;&nbsp;&nbsp;add&nbsp;user's&nbsp;message&nbsp;status&nbsp;as&nbsp;+,&nbsp;-&nbsp;or&nbsp;?</code><br>
<code>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--message&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;same&nbsp;as&nbsp;-T</code><br>
<code>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--writable&nbsp;&nbsp;&nbsp;&nbsp;same&nbsp;as&nbsp;-T</code><br>
<code>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--help&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;display&nbsp;this&nbsp;help&nbsp;and&nbsp;exit</code><br>
<code>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--version&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;output&nbsp;version&nbsp;information&nbsp;and&nbsp;exit</code><br>
<code>&nbsp;</code><br>
<code>If&nbsp;FILE&nbsp;is&nbsp;not&nbsp;specified,&nbsp;use&nbsp;/var/run/utmp.&nbsp;&nbsp;/var/log/wtmp&nbsp;as&nbsp;FILE&nbsp;is&nbsp;common.</code><br>
<code>If&nbsp;ARG1&nbsp;ARG2&nbsp;given,&nbsp;-m&nbsp;presumed:&nbsp;`am&nbsp;i'&nbsp;or&nbsp;`mom&nbsp;likes'&nbsp;are&nbsp;usual.</code><br>
</FONT></TD></TR></TABLE><P>

<P>
A little more information can be gathered from the <TT>
<FONT COLOR="#0000ff">info</FONT></TT>
pages for this command. The idle time indicates how long since
the user has last pressed a key. Most often, one just types
<TT>
<FONT COLOR="#0000ff">who -Hiw</FONT></TT>.

<P>
<TT>
<FONT COLOR="#0000ff">w</FONT></TT> is similar. An extract of the <TT>
<FONT COLOR="#0000ff">w</FONT></TT> man page says:

<BLOCKQUOTE><FONT SIZE="-1"><TT>
<FONT COLOR="#0000ff">w</FONT></TT>  displays  information  about the users currently on
the machine, and their processes.  The header shows, in this
order,  the current time, how long the system  has  been 
running,  how many  users  are  currently logged on, and the
system load averages for the past 1, 5, and 15 minutes.
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">The following entries are displayed for each user: login name,
the tty name, the remote host, login time, idle time, JCPU,
PCPU, and the command  line of their current process.
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">The  JCPU  time  is  the time used by all processes attached to
the tty.  It does not include past background jobs, but does
include currently running background jobs.
</FONT></BLOCKQUOTE>
<P>
<BLOCKQUOTE><FONT SIZE="-1">The PCPU time is the time used by the current process, named in
the "what" field.
</FONT></BLOCKQUOTE>

<P>
Finally, from a shell script the <TT>
<FONT COLOR="#0000ff">users</FONT></TT> command is useful
for just seeing who is logged in. You can use in a shell script, for example:

<P><TABLE nowrap="1" width="100%" border="0" cellspacing="0" cellpadding="0">
<TR>
<TD valign="top" class="source" width="2%"><FONT color=red>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
<code>&nbsp;</code><br>
</FONT></TD><TD valign="top" class="source" bgcolor="#FFE0C0"><FONT color=blue>
<code>for&nbsp;user&nbsp;in&nbsp;`users`&nbsp;&#059;&nbsp;do</code><br>
<code>&nbsp;&nbsp;&nbsp;&nbsp;&#060;etc&#062;</code><br>
<code>done</code><br>
</FONT></TD></TR></TABLE><P>

<P>

<H2><A NAME="SECTION001474000000000000000">
11.7.4 The <TT>
<FONT COLOR="#0000ff">id</FONT></TT> command and <I>effective</I> UID</A>
</H2>

<P>
<TT>
<FONT COLOR="#0000ff">id</FONT></TT> prints your <I>real</I> and <I>effective</I> UID and
GID. A user normally has a UID and a GID but may also have
an effective UID and GID as well. The real UID and GID are what
a process will generally think you are logged in as. The
effective UID and GID are the actual access permissions that you
have when trying to read, write, and execute files.

<P>

<H2><A NAME="SECTION001475000000000000000">
11.7.5 User limits</A>
</H2>

<P>
<A NAME="sec:userlimits"></A>
<P>
There is a file <TT>
<FONT COLOR="#0000ff">/etc/security/limits.conf</FONT></TT> that stipulates the
limitations on CPU usage, process consumption, and other resources
on a per-user basis. The documentation for this config file is
contained in
<BR><TT>
<FONT COLOR="#0000ff">/usr/[share/]doc/pam-&lt;version&gt;/txts/README.pam_limits</FONT></TT>.

<P>
<HR>
<!--Navigation Panel-->
<A NAME="tex2html1930"
  HREF="node15.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html1926"
  HREF="rute.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html1920"
  HREF="node13.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html1928"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html1931"
  HREF="node15.html">12. Using Internet Services</A>
<B> Up:</B> <A NAME="tex2html1927"
  HREF="rute.html">rute</A>
<B> Previous:</B> <A NAME="tex2html1921"
  HREF="node13.html">10. Mail</A>
 &nbsp <B>  <A NAME="tex2html1929"
  HREF="node1.html">Contents</A></B> 
<!--End of Navigation Panel-->

</BODY>
</HTML>