slackware-current/slackbook/html/essential-sysadmin-hardusers.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Users and Groups, the Hard Way</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Essential System Administration" href="essential-sysadmin.html" />
<link rel="PREVIOUS" title="Essential System Administration"
href="essential-sysadmin.html" />
<link rel="NEXT" title="Shutting Down Properly"
href="essential-sysadmin-shutdown.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="essential-sysadmin.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 12 Essential System
Administration</td>
<td width="10%" align="right" valign="bottom"><a href="essential-sysadmin-shutdown.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="ESSENTIAL-SYSADMIN-HARDUSERS"
name="ESSENTIAL-SYSADMIN-HARDUSERS">12.2 Users and Groups, the Hard Way</a></h1>

<p>Of course, it is possible to add, modify, and remove users and groups without using
the scripts and programs that come with Slackware. It's not really difficult, although
after reading this process, you'll probably find it much easier to use the scripts.
However, it's important to know how your password information is actually stored, in case
you ever need to recover this information and don't have the Slackware tools
available.</p>

<p>First, we'll add a new user to the <tt class="FILENAME">/etc/passwd</tt>(5), <tt
class="FILENAME">/etc/shadow</tt>(5), and <tt class="FILENAME">/etc/group</tt>(5) files.
The <tt class="FILENAME">passwd</tt> file holds some information about the users on your
system, but (strangely enough) not their passwords. This was once the case, but was
halted long ago for security reasons. The passwd file must be readable by all users, but
you don't want encrypted passwords world-readable, as would-be intruders can use the
encrypted passwords as a starting point for decrypting a user's password. Instead, the
encrypted passwords are kept in the shadow file, which is only readable by root, and
everyone's password is entered into the <tt class="FILENAME">passwd</tt> file simply as
&#8220;<var class="LITERAL">x</var>&#8221;. The <tt class="FILENAME">group</tt> file
lists all the groups and who is in each.</p>

<p>You can use the <tt class="COMMAND">vipw</tt> command to edit the <tt
class="FILENAME">/etc/passwd</tt> file safely, and the <tt class="COMMAND">vigr</tt>
command to edit the <tt class="FILENAME">/etc/group</tt> file safely. Use <tt
class="COMMAND">vipw -s</tt> to edit the <tt class="FILENAME">/etc/shadow</tt> file
safely. (&#8220;Safely&#8221; in this context means someone else won't be able to modify
the file you're editing at the moment. If you're the only administrator of your system,
you're probably safe, but it's best to get into good habits from the start.)</p>

<p>Let's examine the <tt class="FILENAME">/etc/passwd</tt> file and look at how to add a
new user. A typical entry in <tt class="FILENAME">passwd</tt> looks like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
chris:x:1000:100:Chris Lumens,Room 2,,:/home/chris:/bin/bash
</pre>
</td>
</tr>
</table>

<p>Each line is an entry for one user, and fields on each line are separated by a colon.
The fields are the login name, encrypted password (&#8220;<var
class="LITERAL">x</var>&#8221; for everyone on a Slackware system, since Slackware uses
shadow passwords), user ID, group ID, the optional finger information (separated by
commas), home directory, and shell. To add a new user by hand, add a new line at the end
of the file, filling in the appropriate information.</p>

<p>The information you add needs to meet some requirements, or your new user may have
problems logging in. First, make sure that the password field is an <var
class="LITERAL">x</var>, and that both the user name and user ID is unique. Assign the
user a group, either 100 (the &#8220;users&#8221; group in Slackware) or your default
group (use its number, not its name). Give the user a valid home directory (which you'll
create later) and shell (remember, valid shells are listed in <tt
class="FILENAME">/etc/shells</tt>).</p>

<p>Next, we'll need to add an entry in the /etc/shadow file, which holds the encrypted
passwords. A typical entry looks like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
chris:$1$w9bsw/N9$uwLr2bRER6YyBS.CAEp7R.:11055:0:99999:7:::
</pre>
</td>
</tr>
</table>

<p>Again, each line is an entry for one person, with each field delimited by a colon. The
fields are (in order) login name, encrypted password, days since the Epoch (January 1,
1970) that the password was last changed, days before the password may be changed, days
after which the password must be changed, days before password expiration that the user
is notified, days after expiration that the account is disabled, days since the Epoch
that the account is disabled, and a reserved field.</p>

<p>As you can see, most of that is for account expiration information. If you aren't
using expiration information, you only need to fill in a few fields with some special
values. Otherwise, you'll need to do some calculations and decision making before you can
fill those fields in. For a new user, just put some random garbage in the password field.
Don't worry about what the password is right now, because you're going to change it in a
minute. The only character you cannot include in the password field is a colon. Leave the
&#8220;days since password was changed&#8221; field blank as well. Fill in <var
class="LITERAL">0</var>, <var class="LITERAL">99999</var>, and <var
class="LITERAL">7</var> just as you see in the example entry, and leave the other fields
blank.</p>

<p>(For those of you who think you see my encrypted password above and believe you've got
a leg up on breaking into my system, go right ahead. If you can crack that password,
you'll know the password to a firewalled test system. Now that's useful :) )</p>

<p>All normal users are members of the &#8220;<tt class="USERNAME">users</tt>&#8221;
group on a typical Slackware system. However, if you want to create a new group, or add
the new user to additional groups, you'll need to modify the <tt
class="FILENAME">/etc/group</tt> file. Here is a typical entry:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
cvs::102:chris,logan,david,root
</pre>
</td>
</tr>
</table>

<p>The fields are group name, group password, group ID, and group members, separated by
commas. Creating a new group is a simple matter of adding a new line with a unique group
ID, and listing all the users you want to be in the group. Any users that are in this new
group and are logged in will have to log out and log back in for those changes to take
effect.</p>

<p>At this point, it might be a good idea to use the <tt class="COMMAND">pwck</tt> and
<tt class="COMMAND">grpck</tt> commands to verify that the changes you've made are
consistent. First, use <tt class="COMMAND">pwck -r</tt> and <tt class="COMMAND">grpck
-r</tt>: the <var class="OPTION">-r</var> switch makes no changes, but lists the changes
you would be asked to make if you ran the command without the switch. You can use this
output to decide whether you need to further modify any files, to run <tt
class="COMMAND">pwck</tt> or <tt class="COMMAND">grpck</tt> without the <var
class="OPTION">-r</var> switch, or to simply leave your changes as they are.</p>

<p>At this point, you should use the <tt class="COMMAND">passwd</tt> command to create a
proper password for the user. Then, use <tt class="COMMAND">mkdir</tt> to create the new
user's home directory in the location you entered into the <tt
class="FILENAME">/etc/passwd</tt> file, and use <tt class="COMMAND">chown</tt> to change
the owner of the new directory to the new user.</p>

<p>Removing a user is a simple matter of deleting all of the entries that exist for that
user. Remove the user's entry from <tt class="FILENAME">/etc/passwd</tt> and <tt
class="FILENAME">/etc/shadow</tt>, and remove the login name from any groups in the <tt
class="FILENAME">/etc/group</tt> file. If you wish, delete the user's home directory, the
mail spool file, and his crontab entry (if they exist).</p>

<p>Removing groups is similar: remove the group's entry from <tt
class="FILENAME">/etc/group</tt>.</p>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="essential-sysadmin.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="essential-sysadmin-shutdown.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Essential System Administration</td>
<td width="34%" align="center" valign="top"><a href="essential-sysadmin.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Shutting Down Properly</td>
</tr>
</table>
</div>
</body>
</html>