Critical Skill 2 - Understand the User Databases - Administration

If you’re already used to Windows 2000 user management, you’re familiar with the Active Directory tool that takes care of the nitty-gritty details of the user database. This tool is convenient, but it makes developing your own administrative tools trickier, since the only other way to read or manipulate user information is through a series of LDAP calls.

In contrast, Linux takes the path of traditional UNIX and keeps all user information in straight text files. This is beneficial for the simple reason that it allows you to make changes to user information without the need of any other tool but a text editor such as pico. In many instances, larger sites take advantage of these text files by developing their own user administration tools so that they can not only create new accounts but also automatically make additions to the corporate phone book, Web pages, and so on.

However, users and groups working with UNIX style for the first time may prefer to stick with the basic user management tools that come with the Linux distribution. We’ll discuss those tools in “Utilize User Management Tools” later in this module. For now, let’s examine how Linux’s text files are structured.

The /etc/passwd File

The /etc/passwd file stores the user’s login, encrypted password entry, UID, default GID, name (sometimes called GECOS), home directory, and login shell. The file keeps one user per line, and each entry for the user is delimited by a colon. For example:

sshah:boQavhhaCKaXg:100:102:Steve Shah:/home/sshah:/bin/tcsh

NOTE : Although modern distributions of Linux allow for logins to be longer than eight characters, it is generally considered a bad idea to do so. This is because some tools don’t work quite right with longer logins, and some versions of UNIX get quite finicky with them.

Earlier in this module, we discussed the details of the password entry. In the code listing above, you can actually see what a DES-encrypted password looks like (the information following the first column). Many sites disable accounts by altering the encrypted password entry so that when the disabled account’s user enters their password, it won’t match the value in the password file. The guaranteed method of altering passwords for this reason is to insert an asterisk (*) into the entry. The above entry, for example, could be altered to boQavhhaCKaXg*.

TIP: When disabling accounts in this manner, you may find it helpful not only to add an asterisk character, but also to add a string to indicate why the account was disabled in the first place. For example, if you catch a user downloading pirated software, you could disable his account by changing the encrypted entry to boQavhhaCKaXg*caught pirating.

The UID must be unique for every user, with the exception of the UID 0 (zero). Any user who has a UID of 0 has root (administrative) access and thus has full run of the system. Usually, the only user who has this specific UID has the login root. It is considered bad practice to allow any other users or usernames to have a UID of 0. This is notably different from the Windows NT and 2000 models, in which any number of users can have administrative privileges.

NOTE: Some distributions of Linux reserve the UID -1 (or 65535) for the user nobody.

The user’s name can be any freeform text entry. Although it is possible for nonprintable characters to exist in this string, it is considered bad practice to use them. Also, the user’s name may not span multiple lines.

NOTE: Although the entire line for a user’s password entry may not span multiple lines, it may be longer than 80 characters.

The user’s home directory appears as discussed earlier in this module. Ditto for the last entry, the user’s shell. A complete password file for a system, then, might look like this:

root:AgQ/IJgASeW1M:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/var/spool/news:
uucp:*:10:14:uucp:/var/spool/uucp:
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/home/ftp:
pop:*:15:15:APOP Admin:/tmp:/bin/tcsh
nobody:*:99:99:Nobody:/:
sshah:Kss9Ere9b1Ejs:500:500:Steve Shah:/home/sshah:/bin/tcsh
hdc:bfCAblvZBIbFM:501:501:H. D. Core:/home/hdc:/bin/bash
jyom:*:502:502:Mr. Yom:/home/jyom:/bin/bash