Critical Skill 2 - Understand the User Databases - Administration
This first part of chapter 5 "Module 5: Managing Users" covers understanding user properties and user databases. It also examines the technique of managing users for a single host. It starts by exploring the actual database files that contain information about users and moves on to the system tools available to manage the files automatically. (from the book Linux Administration, A Beginner's Guide, third edition by Steven Graham and Steve Shah, McGraw-Hill/Osborne, ISBN:0072225629, 2002).
If youíre already used to Windows 2000 user management, youíre familiar with the Active Directory tool that takes care of the nitty-gritty details of the user database. This tool is convenient, but it makes developing your own administrative tools trickier, since the only other way to read or manipulate user information is through a series of LDAP calls.
In contrast, Linux takes the path of traditional UNIX and keeps all user information in straight text files. This is beneficial for the simple reason that it allows you to make changes to user information without the need of any other tool but a text editor such as pico. In many instances, larger sites take advantage of these text files by developing their own user administration tools so that they can not only create new accounts but also automatically make additions to the corporate phone book, Web pages, and so on.
However, users and groups working with UNIX style for the first time may prefer to stick with the basic user management tools that come with the Linux distribution. Weíll discuss those tools in ďUtilize User Management ToolsĒ later in this module. For now, letís examine how Linuxís text files are structured.
The /etc/passwd File
The /etc/passwd file stores the userís login, encrypted password entry, UID, default GID, name (sometimes called GECOS), home directory, and login shell. The file keeps one user per line, and each entry for the user is delimited by a colon. For example:
NOTE : Although modern distributions of Linux allow for logins to be longer than eight characters, it is generally considered a bad idea to do so. This is because some tools donít work quite right with longer logins, and some versions of UNIX get quite finicky with them.
Earlier in this module, we discussed the details of the password entry. In the code listing above, you can actually see what a DES-encrypted password looks like (the information following the first column). Many sites disable accounts by altering the encrypted password entry so that when the disabled accountís user enters their password, it wonít match the value in the password file. The guaranteed method of altering passwords for this reason is to insert an asterisk (*) into the entry. The above entry, for example, could be altered to boQavhhaCKaXg*.
TIP: When disabling accounts in this manner, you may find it helpful not only to add an asterisk character, but also to add a string to indicate why the account was disabled in the first place. For example, if you catch a user downloading pirated software, you could disable his account by changing the encrypted entry to boQavhhaCKaXg*caught pirating.
The UID must be unique for every user, with the exception of the UID 0 (zero). Any user who has a UID of 0 has root (administrative) access and thus has full run of the system. Usually, the only user who has this specific UID has the login root. It is considered bad practice to allow any other users or usernames to have a UID of 0. This is notably different from the Windows NT and 2000 models, in which any number of users can have administrative privileges.
NOTE: Some distributions of Linux reserve the UID -1 (or 65535) for the user nobody.
The userís name can be any freeform text entry. Although it is possible for nonprintable characters to exist in this string, it is considered bad practice to use them. Also, the userís name may not span multiple lines.
NOTE: Although the entire line for a userís password entry may not span multiple lines, it may be longer than 80 characters.
The userís home directory appears as discussed earlier in this module. Ditto for the last entry, the userís shell. A complete password file for a system, then, might look like this:
This chapter is from Linux Administration, A Beginner's Guide, third edition, by Graham and Shah. (McGraw-Hill/Osborne, 2002, ISBN: 0072225629). Check it out at your favorite bookstore today. Buy this book now.