File: x2320.html

package info (click to toggle)
sysadmin-guide 0.8-2
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k, sarge
  • size: 840 kB
  • ctags: 2
  • sloc: makefile: 27; sh: 12
file content (218 lines) | stat: -rw-r--r-- 4,195 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
 
<HTML
><HEAD
><TITLE
>Access control</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="The Linux System Administrator's Guide"
HREF="index.html"><LINK
REL="UP"
TITLE="Logging In And Out"
HREF="log-in-and-out.html"><LINK
REL="PREVIOUS"
TITLE="X and xdm"
HREF="x2317.html"><LINK
REL="NEXT"
TITLE="Shell startup"
HREF="x2337.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Linux System Administrator's Guide: </TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x2317.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 10. Logging In And Out</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x2337.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="AEN2320"
></A
>10.5. Access control</H1
><P
> The user database is traditionally contained in the
	<TT
CLASS="filename"
>/etc/passwd</TT
> file.	Some systems use
	<I
CLASS="glossterm"
>shadow passwords</I
>, and have moved the
	passwords to <B
CLASS="command"
>/etc/shadow</B
>.  Sites with many
	computers that share the accounts use NIS or some other method
	to store the user database; they might also automatically copy
	the database from one central location to all other computers.
	</P
><P
> The user database contains not only the passwords, but
	also some additional information about the users, such as their
	real names, home directories, and login shells.  This other
	information needs to be public, so that anyone can read it.
	Therefore the password is stored encrypted.  This does have
	the drawback that anyone with access to the encrypted password
	can use various cryptographic methods to guess it, without
	trying to actually log into the computer.  Shadow passwords try
	to avoid this by moving the password into another file, which
	only root can read (the password is still stored encrypted).
	However, installing shadow passwords later onto a system that
	did not support them can be difficult.	</P
><P
> With or without passwords, it is important to make
	sure that all passwords in a system are good, i.e., not easily
	guessed.  The <B
CLASS="command"
>crack</B
> program can be used
	to crack passwords; any password it can find is by definition
	not a good one.  While <B
CLASS="command"
>crack</B
> can be run
	by intruders, it can also be run by the system administrator
	to avoid bad passwords.  Good passwords can also be enforced
	by the <B
CLASS="command"
>passwd</B
> program; this is in fact more
	effective in CPU cycles, since cracking passwords requires quite
	a lot of computation.  </P
><P
> The user group database is kept in
	<TT
CLASS="filename"
>/etc/group</TT
>; for systems with shadow
	passwords, there can be a <TT
CLASS="filename"
>/etc/shadow.group</TT
>.
	</P
><P
> root usually can't login via most terminals
	or the network, only via terminals listed in the
	<TT
CLASS="filename"
>/etc/securetty</TT
> file.  This makes it necessary
	to get physical access to one of these terminals.  It is, however,
	possible to log in via any terminal as any other user, and use
	the <B
CLASS="command"
>su</B
> command to become root.  </P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x2317.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x2337.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>X and xdm</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="log-in-and-out.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Shell startup</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>