Managing Users, Part 2

Why can SetUID programs be a bad thing? What happens if you forget to add the home directory for a user? Get answers to these and other questions in this, part 2 of Managing Users from the book Linux Administration, A Beginner’s Guide, third edition by Steven Graham and Steve Shah (McGraw-Hill/Osborne, 0072225629, 2002). See this link for Part 1.

Critical Skill 5.3 – Utilize User Management Tools

The wonderful part about having password database files that have a well-defined format in straight text is that it is easy for anyone to be able to write their own management tools. Indeed, many site administrators have already done this in order to integrate their tools along with the rest of their organization’s infrastructure. They can start a new user from the same form that lets them update the corporate phone and e-mail directory, LDAP servers, Web pages, and so on. Of course, not everyone wants to write their own tools, which is why Linux comes with several prewritten tools that do the job for you.

In this section, we discuss user management tools that work from both the command-line interface and the graphical user interface (GUI). Of course, learning how to use both is the preferred route, for you never know under what circumstances you may one day find yourself adding users.

Command-Line User Management

You can choose from among six command-line tools that perform the same actions as the GUI tool: useradd, userdel, usermod, groupadd, groupdel, and groupmod. The obvious advantage of the GUI tool is ease of use; its disadvantage is that whatever you do with it cannot be scripted or repeated. That is where the command-line tools come into their own.

NOTE:  Linux distributions other than Red Hat may have slightly different parameters than the tools used here. To see how your particular installation is different, read the man page for the particular program in question.

useradd

As the name implies, useradd allows you to add a single user to the system. Unlike the GUI tool, there are no interactive prompts. Instead, all parameters must be specified on the command line. Here’s how you use this tool:

useradd [-c comment] [-d homedir] [-e expire date] [-f inactive time]
[-g initial group][-G group[,...]] [-m [-k skeleton dir]] [-M]
[-s shell] [-u uid [-o]] [-n] [-r] login

Don’t be intimidated by this long list of options! We’ll examine them one at a time and discuss their relevance.

Before you dive into these options, take note that anything in the square brackets is optional. Thus, to add a new user with the login sshah, you could issue a command as simple as this:

[root@ford /root]# useradd sshah

Default values are used for any unspecified values. (To see the default values, simply run useradd -D; we will discuss how to change the defaults shortly.) Table 5-1 shows the command options and their descriptions.

Option Description
-c comment Allows you to set the user's name in the GECOS field. As with any command-line parameter, if the value includes a space, you will need to put quotes around the text. For example, to set the user's name to Steve Shah, you would specify -c "Steve Shah".
-d homedir By default, the user's home directory is /home/login (for example, if my login is sshah, my home directory would be /home/sshah). When creating a new user, the user's home directory gets created along with the user account. If you want it somewhere else, specify the new location with this parameter, for example -d /home/sysadmin/sshah.
-e expire-date It is possible for an account to expire after a certain date. By default, accounts never expire. Specify the date in YYYY-MM-DD format; for example, -e 2002-10-28 expires the account on October 28, 2002.
-f inactive-time This option specifies the number of days after the password expires during which the account remains usable; once that many days have passed, the account is disabled. For example, -f 3 allows the account to be used for three days after its password has expired. A value of 0 (zero) disables the account as soon as the password expires. A value of -1 turns the feature off, so the account is never disabled because of an expired password. The default value is -1.
-g initial-group Using this option, you can specify the default group the user has in the password file. You can use the number or the name of the group; however, if you use a name, the group must already exist in the /etc/group file. For example, -g project.
-G group[,...] This option lets you specify additional groups to which the new user will belong. If you use -G, you must name at least one group; to name several, separate them with commas and no spaces. For example, to add a user to the project and admin groups, specify -G project,admin.
-m [-k skel-dir] By default, the system automatically creates the user's home directory. This option is the explicit instruction to create it. Part of creating the directory is copying default configuration files into it; these come from the /etc/skel directory by default. You can change the source with the secondary option -k skel-dir (you must specify -m in order to use -k). For example, to copy from the /etc/adminskel directory, use -m -k /etc/adminskel.
-M This option tells the command not to create the user's home directory. It cannot be combined with -m.
-n Red Hat Linux creates a new group with the same name as the new user's login as part of adding a user. This option disables that behavior.
-r Creates a system account: the UID is taken from the range reserved for system accounts (below 500 on Red Hat) and no home directory is created, regardless of the default.
-s shell A user's login shell is the first program that runs when a user logs in to the system. This is usually a command-line environment, unless you are logging in from the X Window System login screen. By default this is the Bourne Again Shell (/bin/bash), though some folks prefer other shells such as the TENEX C Shell (/bin/tcsh). This option lets you choose the shell the new user gets upon login. (The list of permitted login shells is in /etc/shells.)
-u uid [-o] By default, the program automatically finds the next available UID and uses it. If you need to force a new user's UID to a particular value, use this option. UIDs must be unique for all users: the kernel identifies a user by UID, not by login name, so two accounts sharing a UID are the same user as far as file permissions are concerned. The -o option lifts the uniqueness check; avoid it, and never create a second account with UID 0, which is simply another root.
login Finally, the only parameter that isn't optional! You must specify the new user's login name.

Table 5-1  useradd Command-Line Options

For example, to create a new user whose name is H.D. Core, who is a member of the admin and support groups (default group admin), who prefers the TENEX C Shell (tcsh), and who wants the login name hdc, you would use this line:

[root@ford /root]# useradd -c "H. D. Core" -g admin -G support -s /bin/tcsh hdc

This chapter is from Linux Administration, A Beginner’s Guide, third edition, by Graham and Shah. (McGraw-Hill/Osborne, 2002, ISBN: 0072225629). Check it out at your favorite bookstore today.

Buy this book now.


userdel

userdel does the exact opposite of useradd—it removes existing users. This straightforward command has only one optional parameter and one required parameter:

userdel [-r] username

By running the command with only the user's login specified, for example userdel sshah, the user's entries in /etc/passwd and /etc/shadow and the references to the user in /etc/group are removed. With the optional -r parameter (userdel -r sshah), the user's home directory, everything in it, and the user's mail spool are removed as well. Neither form touches files the user owns elsewhere on the system; those stay behind, owned by a UID that no longer maps to any name, and whoever is later given that UID inherits them. The find command's -nouser test lists such files, so check for them before reusing a UID.

usermod

usermod allows you to modify an existing user in the system. It works in much the same way as useradd. The exact command-line usage is as follows:

usermod [-c comment] [-d homedir] [-m] [-e expire date]
[-f inactive time] [-g initial group]
[-G group[,...]] [-l login] [-s shell]
[-u uid] login

Every option you specify when using this command changes that particular parameter of the user. Most of the options are identical to those documented for useradd; two differ. With usermod, -m does not create a home directory: used together with -d, it moves the contents of the current home directory to the new location. The other is -l, which is specific to usermod.

The -l option changes the user's login name. It and the -u option are the two that require special care. Before changing the user's login or UID, make sure the user is not logged in to the system or running any processes; changing this information while the user is active causes unpredictable results. Also note what these options do not do: -l renames only the account, so the home directory keeps its old name unless you move it with -d and -m, and -u re-owns the mail spool and the files in the user's home directory but not files the user owns elsewhere, which keep the old UID until you change them by hand.

Here’s an example of using usermod to change user hdc so that their comment field reads H.D. Core instead of H.D.C:

[root@ford /root]# usermod -c "H.D. Core" hdc

groupadd

The group commands are similar to the user commands; however, instead of working on individual users, they work on groups listed in the /etc/group file. Note that changing group information does not automatically update everything that refers to the group. groupdel refuses to remove a group that is still some user's primary group, but if you change a group's GID with groupmod, files that carried the old GID keep it and no longer belong to any named group; you have to re-own them yourself.

The groupadd command adds groups to the /etc/group file. The command-line options for this program are as follows:

groupadd [-g gid] [-r] [-f] group

Table 5-2 shows command options and their descriptions.

Option Description
-g gid Specifies the GID for the new group as gid. By default, this value is chosen automatically by finding the first available value.
-r By default, Red Hat searches for the first free GID above 499. The -r option tells groupadd that the group being added is a system group, which should get the first free GID below 500.
-f Without this option, groupadd exits with an error if a group of the given name already exists. With -f it exits successfully instead and leaves the existing group untouched. This is useful in scripts that should carry on when the group is already present.
group This parameter is required. It is the name of the group you want to add.

Table 5-2 groupadd Command-Line Options

Suppose, for example, that you want to add a new group called research with the GID 800. To do so, you would type the following command:

[root@ford /root]# groupadd -g 800 research

groupdel

Even more straightforward than userdel, the groupdel command removes existing groups specified in the /etc/group file. The only usage information needed for this command is:

groupdel group

where group is the name of the group to remove. For example, if you wanted to remove the research group, you would issue this command:

[root@ford /root]# groupdel research

groupmod

The groupmod command allows you to modify the parameters of an existing group. The options for this command are:

groupmod [-g gid] [-n new-group-name] group

where the -g option changes the GID of the group and the -n option gives the group a new name. Of course, you also need to specify the name of the existing group as the last parameter. Changing the GID with -g does not touch files that carry the old GID; re-own them with chgrp by hand.

For example, if the superman research group wanted to change its name to batman, you would issue the following command:

[root@ford /root]# groupmod -n batman superman


GUI User Managers

Many of the Linux distributions come with their own GUI user managers. Red Hat comes with a utility called redhat-config-users that allows you to add/edit and maintain the users on your system. You can also find linuxconf from http://www.solucorp.qc.ca/linuxconf/. It has been my experience that these GUI interfaces work just fine—just be prepared to have to manually change user settings in case the GUI isn’t working. Most of these interfaces can be found in the System Settings menu under GNOME or KDE.

Project 5-1: Adding/Editing a User

In this project, you will add a user to the system and make sure the user can log in without any problems. When dealing with accounts it is always a good idea to do it right the first time; otherwise the user ends up frustrated because their shell isn't right or their e-mail isn't set up correctly. You will use the following steps to add the user and then change their shell to tcsh.

Step by Step

1. First, add the user johndoe to the system with the useradd command:

[root@ford /root]# useradd -c "John Doe" -g admin -G support johndoe

2. Make sure to change the user’s password by running the passwd program:

[root@ford /root]# passwd johndoe

3. Try to log in to the system as that user, either at a login prompt or with su - johndoe from your root shell. This will tell you whether everything is working correctly for the new user: the password is accepted, the home directory exists and is owned by the user, and the shell starts.

4. After getting their new account, the user decides they want /bin/tcsh as their shell. You just need to use the usermod command to change johndoe’s properties:

[root@ford /root]# usermod -s /bin/tcsh johndoe

Project Summary

This project is simple and straightforward. If you are running your own computer, it is easy to keep all the users on your system in order. When you start having to administer many users, it is helpful to write a script to add many users at a time. There are endless possible customizations that you can make.
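The batch script the summary hints at, as an added example written for this page rather than taken from the book: it reads one record per line in a colon-separated format of my own choosing (login:full name:primary group:extra groups:shell), validates each login name, skips accounts that already exist, and either prints the useradd command it would run (DRY_RUN=1) or runs it and forces a password change at first login with chage -d 0. The function names and the record format are assumptions, not anything the book defines.

```shell
#!/bin/sh
# addusers.sh: create many accounts from a colon-separated list.
# Added example for this page, not from the book. The record format is my own
# (one record per line): login:full name:primary group:extra groups:shell
# Empty fields fall back to useradd's defaults (see useradd -D).

# Accept only portable login names: a lowercase letter or underscore, then up
# to 31 lowercase letters, digits, underscores or dashes. This keeps out names
# that are awkward in scripts and names that useradd would parse as an option.
validate_login() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# True if the login already exists in the password database. getent consults
# every configured source (files, NIS, LDAP), so prefer it to grepping the file.
user_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/passwd
    fi
}

# Read records from stdin and create (or, with DRY_RUN=1, print) one useradd
# command per record. Bad or duplicate records are reported and skipped so
# that one mistake does not stop the rest of the list.
add_users_from_list() {
    added=0
    while IFS=: read -r login name group extra shell; do
        case $login in ''|'#'*) continue ;; esac      # blank lines and comments
        validate_login "$login" || { echo "bad login name: $login" >&2; continue; }
        if user_exists "$login"; then
            echo "skip: $login already exists" >&2
            continue
        fi
        # Build the argument list with set -- so a name with spaces stays one argument.
        set -- useradd -m
        [ -n "$name" ]  && set -- "$@" -c "$name"
        [ -n "$group" ] && set -- "$@" -g "$group"
        [ -n "$extra" ] && set -- "$@" -G "$extra"
        [ -n "$shell" ] && set -- "$@" -s "$shell"
        set -- "$@" "$login"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$*"
        else
            "$@" && chage -d 0 "$login"   # new account must set its own password
        fi
        added=$((added + 1))
    done
    echo "$added account(s) planned or created" >&2
}

# Usage: DRY_RUN=1 sh addusers.sh --batch < users.txt   (show what would run)
#        sh addusers.sh --batch < users.txt             (as root: create them)
case ${1:-} in --batch) add_users_from_list ;; esac
```

Do a dry run first and read the printed commands; the validation step matters because a login name that begins with a dash would otherwise be parsed as an option, and the existence check means a record for an account that is already there does not abort the list halfway through.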


Critical Skill 5.4 – Understand SetUID and SetGID Programs

Normally, when a program is run by a user, it inherits all of the rights (or lack thereof) that the user has. If the user can't read the /var/log/messages file, neither can the program. Note that these permissions can differ from those of the user who owns the program file (usually called the binary). For example, the ls program (which is used to generate directory listings) is owned by the root user. Its permissions are set so that all users of the system can run the program. Thus, if the user sshah runs ls, that instance of ls is bound by the permissions granted to the user sshah, not root.

However, there is an exception. Programs can be tagged with what's called the SetUID bit, which makes the program run with the permissions of the program's owner rather than those of the user who runs it. Using ls as an example again, setting the SetUID bit on it while the file is owned by root means that if the user sshah runs ls, that instance of ls runs with root's permissions, not sshah's. The SetGID bit works the same way, except that the process takes on the file's group instead of the file's owner.

To enable the SetUID bit or the SetGID bit, you need to use the chmod command, which is covered in detail in Module 6. To make a program SetUID, prefix the permission value you are about to assign with a 4; to make it SetGID, prefix the value with a 2 (use 6 for both). Two cautions before the example. First, the kernel honors these bits only on binaries, not on scripts. Second, a SetUID root program is a standing offer of root's authority to every user who can run it: whatever the program can be made to do, it does as root, so any exploitable bug in it is a route to root for every local user. That is why the following command is a bad idea; a SetUID root ls would let every user list directories they have no right to read. To make /bin/ls a SetUID program, you would use:

[root@ford /root]# chmod 4755 /bin/ls
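Since the danger comes from SetUID and SetGID files you do not know about, the check a practitioner wants is a list of them. The following is an added example for this page (not from the book); its function names are my own and it assumes GNU find and stat, as found on any Linux system. It decodes the leading digit of a mode such as 4755, lists every set-id file below a directory, and flags the worst case, a set-id file that group or others can write to, since rewriting such a file hands its owner's privileges to whoever can write it.

```shell
#!/bin/sh
# setid-audit.sh: find SetUID/SetGID files and flag the dangerous ones.
# Added example for this page, not from the book. Assumes GNU find and stat
# (any Linux distribution); the helper names are my own.

# Decode the special-permission digit of an octal mode as printed by
# "stat -c %a": 4 = SetUID, 2 = SetGID, 1 = sticky, 6 = SetUID and SetGID.
# Three-digit modes such as 755 have no special bits at all.
describe_special() {
    case $1 in
        ????) bits=${1%???} ;;   # four digits: keep only the leading one
        *)    bits=0 ;;
    esac
    out=""
    [ $((bits & 4)) -ne 0 ] && out="${out}setuid "
    [ $((bits & 2)) -ne 0 ] && out="${out}setgid "
    [ $((bits & 1)) -ne 0 ] && out="${out}sticky "
    out=${out% }
    printf '%s\n' "${out:-none}"
}

# List every regular file with the SetUID or SetGID bit under $1, one line
# per file as "mode owner:group path". -xdev keeps find on one filesystem,
# so run it once per mounted filesystem for a complete audit.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null
}

# The combination that hands the owner's (often root's) privileges to anyone:
# a set-id file that group or others may also write to.
find_writable_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# Usage: sh setid-audit.sh /
# Save the output as a baseline and diff against it after every package
# install or upgrade; a new or changed entry deserves a look.
if [ $# -gt 0 ]; then
    find_setid "$1" | sort -k3
    w=$(find_writable_setid "$1")
    [ -n "$w" ] && printf 'WARNING: writable set-id file(s):\n%s\n' "$w"
fi
```

The 4, 2 and 1 decoded by describe_special are the same digits chmod takes as a prefix, so an entry reported as 4755 is exactly what the chmod command above would produce.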

Module 5 Mastery Check List (for parts 1 and 2):

  1. What information is stored in the /etc/passwd file?
  2. What information is stored in the /etc/shadow file?
  3. Does Linux use the username or the UID when performing operations pertaining to that user (such as file permissions)?
  4. Why can SetUID programs be a bad thing?
  5. What is the format of a user entry in the /etc/passwd file?
  6. What is the GECOS entry?
  7. How do you disable a user so they cannot access the system?
  8. What information is stored in the /etc/group file?
  9. What is the format of an entry in the /etc/group file?
  10. What happens if you forget to add the home directory for a user?
  11. Where is the list of available shells listed?
  12. What are startup scripts?
