Chapter 6: Adding New Users

    # MAIL_FILE      .mail

    # Password aging controls:
    #   PASS_MAX_DAYS   Maximum number of days a password may be used.
    #   PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    #   PASS_MIN_LEN    Minimum acceptable password length.
    #   PASS_WARN_AGE   Number of days warning given before a password expires.
    PASS_MAX_DAYS   99999
    PASS_MIN_DAYS   0
    PASS_MIN_LEN    5
    PASS_WARN_AGE   7

    # Min/max values for automatic uid selection in useradd
    UID_MIN         500
    UID_MAX         60000

    # Min/max values for automatic gid selection in groupadd
    GID_MIN         500
    GID_MAX         60000

    # If defined, this command is run when removing a user.
    # It should remove any at/cron/print jobs etc. owned by
    # the user to be removed (passed as the first argument).
    # USERDEL_CMD   /usr/sbin/userdel_local

    # If useradd should create home directories for users by default
    # On RH systems, we do. This option is ORed with the -m flag on
    # useradd command line
    CREATE_HOME     yes

6.3 THE /ETC/GROUP FILE

The /etc/group file contains the names of UNIX groups and a list of each group's members. For example:

    wheel:x:10:trent,ned,evi,garth,lynda,boggs,millert
    csstaff:*:100:lloyd,evi
    students:*:200:dotty

Each line represents one group and contains four fields:

• Group name
• Encrypted password, or an x indicating that the password lives in the gshadow file
• GID number
• List of members, separated by commas (be careful not to add spaces)

As in /etc/passwd, fields are separated by colons. Group names should be limited to 8 characters for compatibility, although Linux does not actually require this.

While it is possible to enter a group password (to allow users not belonging to a group to change to it by using the newgrp command), this is rarely done.* Most sites put stars in the password field, but it is safe to leave the password field blank if you wish. The newgrp command will not change to a group without a password unless the user is already listed as being a member of that group.
All our example distributions come configured with /etc/gshadow files, which are analogous in concept to /etc/shadow but of considerably less importance (group passwords are rarely used).

As with usernames and UIDs, group names and GIDs should be kept consistent among machines that share files through a network filesystem. Consistency can be hard to maintain in a heterogeneous environment since different operating systems use different GIDs for the same group names. We've found that the best way to deal with this issue is to avoid using a system group as the default login group for a user.

If a user defaults to a particular group in /etc/passwd but does not appear to be in that group according to /etc/group, /etc/passwd wins the argument. The group memberships granted at login time are really the union of those found in the passwd and group files. However, it's a good idea to keep the two files consistent.

To minimize the potential for collisions with vendor-supplied GIDs, we suggest starting local groups at GID 500 or higher.

The UNIX tradition is to add new users to a group that represents their general category, such as "students" or "finance". However, it's worth noting that this convention increases the likelihood that users will be able to read one another's files because of slipshod permission setting, even if that is not really the intention of the owner. To avoid this problem, we prefer to create a unique group for each user. You can use the same name for both the user and the group. You can also make the GID the same as the UID. A user's personal group should contain only that user. If you want to let users share files by way of the group mechanism, create separate groups for that purpose.
The idea behind personal groups is not to discourage the use of groups per se; it's simply to establish a more restrictive default group for each user so that files are not shared inadvertently. The useradd utilities on all of our example distributions except SUSE default to placing users in their own personal groups.

* The only reason we are aware of that someone might want to use the newgrp command under Linux is to set the default group of newly created files.

6.4 ADDING USERS

Before you create an account for a new user at a corporate, government, or educational site, it's very important that the user sign and date a copy of your local user agreement and policy statement. (What? You don't have a user agreement and policy statement? See page 946 for more information about why you need one and what to put in it.)

Users have no particular reason to want to sign a policy agreement, so it's to your advantage to secure their signatures while you still have some leverage. We find that it takes more effort to secure a signed agreement after an account has been released. If your process allows for it, have the paperwork precede the creation of the account.

Mechanically, the process of adding a new user consists of four steps required by the system, two steps that establish a useful environment for the new user, and several extra steps for your own convenience as an administrator.

Required:

• Edit the passwd and shadow files to define the user's account.
• Add the user to the /etc/group file.
• Set an initial password.
• Create, chown, and chmod the user's home directory.

For the user:

• Copy default startup files to the user's home directory.
• Set the user's mail home and establish mail aliases.

For you:

• Verify that the account is set up correctly.
• Add the user's contact information and account status to your database.

Starting on page 108, we discuss the useradd command and its brethren, which automate some of these steps.
However, in the next few sections we go over the steps as you'd execute them by hand. This is mostly so that you can see what the supplied tools are doing. In real life it's generally preferable (faster and less error prone) to run useradd or a similar home-grown script.

You must perform each step as root or use a program such as sudo that allows you to run commands as root. See page 41 for more information about sudo.

Editing the passwd and shadow files

To safely edit the passwd file, run vipw to invoke a text editor on a copy of it. The default editor is vi, but you can specify a different editor by setting the value of your EDITOR environment variable. The existence of the temporary edit file serves as a lock; vipw allows only one person to edit the passwd file at a time, and it prevents users from changing their passwords while the passwd file is checked out. When the editor terminates, vipw replaces the original passwd file with your edited copy.

On Fedora and RHEL systems, vipw automatically asks if you would like to edit the shadow file after you have edited the passwd file. SUSE, Debian, and Ubuntu systems use vipw -s for this function.

For example, adding the following line to /etc/passwd would define an account called "tyler":

    tyler:x:2422:2422:Tyler Stevens, ECEE 3-27, x7918:/home/tyler:/bin/sh

We'd also add a matching entry to /etc/shadow:

    tyler:*::::::14974:

This shadow line for tyler has no encrypted password or password aging, and it sets the account to expire on December 31, 2010 (day 14974 counted from January 1, 1970, which is how the shadow file expresses dates). Rules for selecting good passwords are given on page 57.

Editing the /etc/group file

We should next create an entry in the /etc/group file for tyler's personal group, which we will also call "tyler". This group should have GID 2422 to match tyler's UID of 2422.
This is the default GID we assigned to him in the passwd file.**

    tyler:*:2422:tyler

Strictly speaking, tyler will be in group 2422 whether or not he is listed in /etc/group, because his passwd entry has already given him this membership. The kernel doesn't care about the contents of /etc/passwd and /etc/group; it only cares about UID and GID numbers. The main purpose of recording personal groups in the group file is to make sure that commands such as ls display the names of these groups correctly. Of course, it's always nice to have an authoritative list of the groups you have created and the users they include.

If we wanted to assign tyler to additional groups, we would simply add his login name to additional groups within the /etc/group file.

Setting an initial password

Root can change any user's password with the passwd command:

    # passwd user
    $ sudo passwd user

passwd prompts you to enter a new password and asks you to repeat it. If you choose a short, all-lowercase, or otherwise obviously unsuitable password, passwd will complain and ask you to use something more complex. Most Linux systems also check prospective passwords against a dictionary for added security.

The mkpasswd utility that comes with Don Libes' expect package makes it easy to generate random passwords for new users.*** For better or worse, the assignment of a random password "forces" new users to change their passwords immediately, as the random ones are difficult to remember. Don't confuse expect's mkpasswd with the standard mkpasswd command, which simply encodes a given string as a password.

** This naming and numbering is purely conventional; see page 102.

*** The passwords are not truly random, but rather pseudorandom.
If one or more passwords in a pseudorandomly generated sequence are cracked, it may be possible to reverse-engineer the sequence and discover additional passwords. Possible, but probably unlikely in the real world. We're relatively comfortable with this risk.

Never leave a new account, or any account that has access to a shell, without a password.

Creating the user's home directory

Any directory you create as root is initially owned by root, so you must change its owner and group with the chown and chgrp commands. The following sequence of commands would create a home directory appropriate for our example user:

    # mkdir /home/tyler
    # chown tyler:staff /home/tyler
    # chmod 700 /home/tyler

(If you followed the personal-group advice of section 6.3, the group in the chown would be tyler rather than staff. With mode 700 the group owner grants nothing, but keeping the two files consistent avoids surprises later.)

Copying in the default startup files

You can customize some commands and utilities by placing configuration files in a user's home directory. Startup files traditionally begin with a dot and end with the letters rc, short for "run command," a relic of the CTSS operating system. The initial dot causes ls to elide these files from directory listings unless the -a option is used; the files are considered "uninteresting." Table 6.1 lists some common startup files.
Table 6.1 Common startup files and their uses

Command     Filename        Typical uses
csh/tcsh    .login          Sets the terminal type (if needed)
                            Sets biff and mesg switches
            .cshrc          Sets up environment variables
                            Sets command aliases
                            Sets the search path
                            Sets the umask value to control permissions
                            Sets cdpath for filename searches
                            Sets the prompt, history, and savehist variables
bash        .bashrc         Similar to .cshrc for bash
            .bash_profile   Similar to .login for bash (a)
vim         .vimrc          Sets vim editor options
emacs       .emacs          Sets emacs editor options
                            Sets emacs key bindings
mail/mailx  .mailrc         Defines personal mail aliases
                            Sets mail reader options
xrdb        .Xdefaults      Specifies X11 configuration: fonts, color, etc.
startx      .xinitrc        Specifies the initial X11 environment (b)
            .Xclients       Specifies the initial X11 environment (RHEL, Fedora)
xdm         .xsession       Specifies the initial X11 environment

a. bash will also read .profile or /etc/profile in emulation of sh.
b. Details for X Windows vary with the implementation and window manager in use; see the chapter on the X Window System for more details.

If you don't already have a set of good default startup files, /usr/local/lib/skel is a reasonable place to put them. Copy in some files to use as a starting point and modify them with a text editor. You may wish to start with the vendor-supplied files from the /etc/skel directory, if your system provides them. Be sure to set a reasonable default value for umask; we suggest 077, 027, or 022, depending on the friendliness and size of your site.

Depending on the user's shell, /etc may contain system-wide startup files that are processed before the user's own startup files. For example, bash reads /etc/profile before processing ~/.bash_profile. For other shells, see the man page for the shell in question for details.

It has become common for the system-wide startup files for shells to look in the /etc/profile.d directory for additional configuration snippets to execute. This convention provides a clean way for software packages to specify shell-level defaults.
For example, the /etc/profile.d/colorls.* files on Fedora and RHEL are responsible for the technicolor ls output on those systems. (Yes, they can be safely deleted.)

The command sequence for installing startup files for the new user tyler would look something like this:

    # cp /usr/local/lib/skel/.[a-zA-Z]* ~tyler
    # chown tyler:staff ~tyler/.[a-zA-Z]*
    # chmod 600 ~tyler/.[a-zA-Z]*

Note that we cannot use

    # chown tyler:staff ~tyler/.*

because tyler would then own not only his own files but also the parent directory ".." (/home) as well. This is a very common and dangerous sysadmin mistake. (bash 5.2 introduced a globskipdots option, on by default, that hides . and .. from such globs, but /bin/sh and older shells still match them, so never rely on it.) If your skeleton includes dot-directories such as .ssh, chmod them 700 separately; mode 600 on a directory makes it unusable.

Setting the user's mail home

It is convenient for each user to receive email on only one machine. This scheme is often implemented with an entry in the global aliases file /etc/mail/aliases or the sendmail userDB on the central mail server. See Chapter 18 for general information about email; the various ways to implement mail homes are discussed starting on page 542.

Verifying the new login

To verify that a new account has been properly configured, first log out, then log in as the new user and execute the following commands:

    $ pwd       /* To verify the home directory */
    $ ls -la    /* Check owner/group of startup files */

You will need to notify new users of their login names and initial passwords. Many sites send this information by email, but for security reasons that's usually not a good idea: a new user's account can be compromised and back-doored before the user has even logged in, so hand the initial password over in person or through a separate channel. This is also a good time to point users toward additional documentation on local customs, if you have any.

If your site requires users to sign a written policy agreement or appropriate use policy, be sure this step has been completed before releasing the account. (See page 946 for more information about user agreements.)
This check will prevent oversights and strengthen the legal basis of any sanctions you might later need to impose. Be sure to remind new users to change their passwords immediately. If you wish, you can enforce this by setting the password to expire within a short time. Another option is to have a script check up on new users and be sure their encrypted passwords in the shadow file have changed.****

Recording the user's status and contact information

If you're in an environment in which you know the users personally, it's relatively easy to keep track of who is using a system and why. But if you manage a large and dynamic user base, you'll need a more formal way to keep track of accounts. Maintaining a database of contact information and account status will help you figure out, once the act of creating the account has faded from memory, who people are and why they have an account. It's a good idea to keep complete contact information on hand so that you can reach users in the event of problems or misbehavior.

6.5 REMOVING USERS

When a user leaves your organization, that user's login account and files should be removed from the system. This procedure involves the removal of all references to the login name that were added by you or your useradd program. If you remove a user by hand, you may want to use the following checklist:

• Remove the user from any local user databases or phone lists.
• Remove the user from the aliases file or add a forwarding address.
• Remove the user's crontab file and any pending at jobs.
• Kill any of the user's processes that are still running.
• Remove the user from the passwd, shadow, group, and gshadow files.
• Remove the user's home directory.
• Remove the user's mail spool.

Before you remove a user's home directory, be sure to relocate any files that are needed by other users.
Since you often can't be sure which files those might be, it's always a good idea to make an extra backup of the user's home directory and mail spool before deleting them.

Once you have removed a user, you may want to verify that the user's old UID owns no more files on the system. To find the paths of orphaned files, you can use the find command with the -nouser argument. Because find has a way of "escaping" onto network servers if you're not careful, it's usually best to check filesystems individually with -xdev:

    # find filesystem -xdev -nouser

If your organization assigns individual workstations to users, it's generally simplest and most efficient to reinstall the entire system from a master template before turning the system over to a new user. Before you do the reinstallation, however, it's a good idea to back up any local files on the system's hard disk in case they are needed in the future.

**** Because the same password can have many encrypted representations, this method verifies only that the user has reset the password, not that it has actually been changed to a different password. There's no practical way to force users to actually change their passwords except by maintaining a database of all prior values.

6.6 DISABLING LOGINS

On occasion, a user's login must be temporarily disabled. A straightforward way to do this is to put a star or some other character in front of the user's encrypted password in the /etc/shadow file. This measure prevents most types of password-regulated access because the password no longer decrypts to anything sensible. Commands such as ssh that do not necessarily check the system password may continue to function, however. In particular, a locked password does not stop ssh public-key logins on systems where sshd defers the account check to PAM, because the PAM account check ignores the lock prefix; to close that path as well, expire the account (usermod -e with a date in the past), which the account check does enforce, or change the login shell as described below. On all of our example distributions except SUSE, the usermod -L user and usermod -U user commands provide an easy way to lock and unlock passwords.
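Two of the ideas above, the script that checks whether a new user's encrypted password has changed and the lock/unlock edit that usermod -L and -U perform, come down to reading and rewriting single fields of /etc/shadow. The following is an added example (not from the book, and not the usermod source): it performs those edits on a shadow-format file given as a parameter, and adds the account-expiry edit (what usermod -e does) that closes the ssh public-key path a locked password leaves open. The entries and hashes in the sample file are constructed.

```shell
#!/bin/sh
# Added example (not from the book): the shadow-file edits behind
# "usermod -L", "usermod -U" and "usermod -e", plus the new-user check
# that the text suggests. Every function takes the shadow file path as
# its first argument, so it can be exercised on a copy. The sample
# entries and hashes below are constructed, not real.

# shadow_field FILE USER N: print field N of USER's entry
# (2 = password, 3 = last change, 8 = expiry; dates are days since 1970-01-01).
shadow_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# set_shadow_field FILE USER N VALUE: rewrite one field via a temp file.
set_shadow_field() {
    awk -F: -v OFS=: -v u="$2" -v n="$3" -v v="$4" '$1 == u { $n = v } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# lock_password / unlock_password: prefix the hash with "!" (what usermod -L
# does on Linux). The hash survives, so unlocking restores the old password.
lock_password() {
    h=$(shadow_field "$1" "$2" 2)
    case $h in
        '!'*) ;;                                    # already locked: leave it alone
        *) set_shadow_field "$1" "$2" 2 "!$h" ;;
    esac
}
unlock_password() {
    h=$(shadow_field "$1" "$2" 2)
    case $h in
        '!'*) set_shadow_field "$1" "$2" 2 "${h#!}" ;;
    esac
}
password_locked() {
    case $(shadow_field "$1" "$2" 2) in '!'*) return 0 ;; esac
    return 1
}

# expire_account / unexpire_account: set field 8 to day 1 (1970-01-02).
# On Linux, sshd refuses an expired account whatever the authentication
# method (through PAM's account check, or its own shadow check when PAM is
# off); a locked password alone does not stop public-key logins.
expire_account()   { set_shadow_field "$1" "$2" 8 1; }
unexpire_account() { set_shadow_field "$1" "$2" 8 ""; }

# account_expired FILE USER TODAY: TODAY in days since the epoch,
# e.g. $(( $(date +%s) / 86400 )) on a live system.
account_expired() {
    e=$(shadow_field "$1" "$2" 8)
    [ -n "$e" ] && [ "$e" -le "$3" ]
}

# disable_account: lock and expire, the belt-and-braces form of "usermod -L".
disable_account() { lock_password "$1" "$2" && expire_account "$1" "$2"; }
enable_account()  { unlock_password "$1" "$2" && unexpire_account "$1" "$2"; }

# password_changed FILE USER SAVED_HASH: has the hash recorded when the
# account was created been replaced? (This only proves that a reset
# happened, not that the new password differs; see the footnote above.)
password_changed() {
    [ "$(shadow_field "$1" "$2" 2)" != "$3" ]
}

# make_sample_shadow FILE: constructed entries for the demo.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$r00t$constructedhash0:14900:0:99999:7:::
ned:$6$n3d$constructedhash1:14950:0:99999:7:::
tyler:$6$tyl3r$constructedhash2:14960:0:99999:7::14974:
EOF
}

# Demo on a scratch copy.
demo=$(mktemp -d)
make_sample_shadow "$demo/shadow"
saved=$(shadow_field "$demo/shadow" tyler 2)         # snapshot taken at creation time
disable_account "$demo/shadow" tyler
password_locked "$demo/shadow" tyler && echo "tyler: password locked"
account_expired "$demo/shadow" tyler 14970 && echo "tyler: account expired"
enable_account "$demo/shadow" tyler
password_changed "$demo/shadow" tyler "$saved" || echo "tyler: still has the initial password"
rm -rf "$demo"
```

For the new-user check, store the output of shadow_field /etc/shadow user 2 when you create the account and feed it back to password_changed from a nightly cron job; for disabling, prefer disable_account over a bare lock whenever ssh keys may exist in the user's home directory.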
An alternative (and perhaps more secure) way to achieve a similar end is to replace the user's shell with a program that prints a message explaining why the login has been disabled and provides instructions for rectifying the situation. This pseudo-shell should not be listed in /etc/shells; many daemons that provide nonlogin access to the system (e.g., ftpd) check to see if a user's login shell is listed in /etc/shells and will deny access if it is not (which is the behavior you want). Unfortunately, this message may not be seen if the user tries to log in through a window system.

There is another problem with this method of disabling logins, however. By default, sendmail will not deliver mail to a user whose shell does not appear in /etc/shells. It's generally a bad idea to interfere with the flow of mail, even if the recipient is not able to read it immediately. You can defeat sendmail's default behavior by adding a fake shell named /SENDMAIL/ANY/SHELL/ to the /etc/shells file (although there may be unwanted side effects from doing so).

6.7 MANAGING ACCOUNTS

The useradd command adds users to the passwd file (and to the shadow file, if applicable). It provides a command-line-driven interface that is easy to run by hand or to call from a home-grown adduser script. The usermod command changes the passwd entries of existing users. The userdel command removes a user from the system, optionally deleting the user's home directory. The groupadd, groupmod, and groupdel commands operate on the /etc/group file.
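As an added example (not the book's code, and not the useradd/userdel programs themselves), here are the by-hand steps of section 6.4 and the file-editing items of the removal checklist in section 6.5 written as the kind of home-grown adduser/userdel script mentioned above. The script edits a sandbox root passed as its first argument rather than the real /etc, so it can be run and tested without root; the sample passwd, shadow, group and skeleton files it builds are constructed for the demonstration, tyler's entries follow the examples in 6.4, and the personal-group convention from 6.3 (group name equals login, GID equals UID) is assumed. Expiry dates are converted to days since the epoch with a small civil-date routine so that nothing depends on GNU date.

```shell
#!/bin/sh
# Added example (not the book's code and not useradd/userdel themselves): the
# by-hand steps of 6.4 and the account-file items of the 6.5 checklist as a
# home-grown adduser/userdel pair. All edits happen under a sandbox root
# (argument 1) instead of /, so it runs without root; the chown step, which
# does need root, is shown as a comment where it belongs.

# days_from_civil YEAR MONTH DAY: days since 1970-01-01, the unit used by the
# date fields of /etc/shadow (pure arithmetic, no dependency on GNU date -d).
days_from_civil() {
    yy=$1 mm=${2#0} dd=${3#0}                  # drop a leading zero: "08" is not octal
    if [ "$mm" -le 2 ]; then yy=$((yy - 1)); fi
    era=$((yy / 400)); yoe=$((yy - era * 400))
    mp=$(((mm + 9) % 12))                      # March = 0 ... February = 11
    doy=$(((153 * mp + 2) / 5 + dd - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# add_user ROOT LOGIN UID GECOS SHELL [EXPIRE as YYYY-MM-DD]
# Follows the personal-group convention of 6.3: group name = login, GID = UID.
add_user() {
    root=$1 login=$2 uid=$3 gecos=$4 shell=$5 expire=${6:-}
    home=/home/$login
    if grep -q "^$login:" "$root/etc/passwd" "$root/etc/group"; then
        echo "add_user: $login already exists" >&2; return 1
    fi
    exp_days=
    if [ -n "$expire" ]; then
        exp_days=$(days_from_civil $(echo "$expire" | sed 's/-/ /g'))
    fi
    # 1. passwd and shadow entries (what you would type under vipw and vipw -s);
    #    "*" is not a valid hash, so nobody can log in until passwd has been run
    printf '%s:x:%s:%s:%s:%s:%s\n' "$login" "$uid" "$uid" "$gecos" "$home" "$shell" >> "$root/etc/passwd"
    printf '%s:*::::::%s:\n' "$login" "$exp_days" >> "$root/etc/shadow"
    # 2. the personal group, with the user as its only member
    printf '%s:*:%s:%s\n' "$login" "$uid" "$login" >> "$root/etc/group"
    # 3. a private home directory
    mkdir -p "$root$home" && chmod 700 "$root$home"
    # 4. startup files; .[a-zA-Z]* can never match "..", which .* does
    for f in "$root/usr/local/lib/skel"/.[a-zA-Z]*; do
        [ -f "$f" ] || continue
        cp "$f" "$root$home/" && chmod 600 "$root$home/${f##*/}"
    done
    # chown -R "$login:$login" "$root$home"   # needs root: not run in the sandbox
}

# verify_user ROOT LOGIN: the "verifying the new login" step, without logging in.
verify_user() {
    root=$1 login=$2 home=$1/home/$2
    grep -q "^$login:x:" "$root/etc/passwd" || { echo "no passwd entry"; return 1; }
    grep -q "^$login:" "$root/etc/shadow"   || { echo "no shadow entry"; return 1; }
    grep -q "^$login:[^:]*:[0-9]*:$login\$" "$root/etc/group" || { echo "no personal group"; return 1; }
    [ "$(ls -ld "$home" | cut -c1-10)" = drwx------ ] || { echo "home is not mode 700"; return 1; }
    for f in "$home"/.[a-zA-Z]*; do
        [ -f "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c1-10)" = -rw------- ] || { echo "$f is not mode 600"; return 1; }
    done
    return 0
}

# remove_user ROOT LOGIN: the checklist items that live in the account files.
# Kill the user's processes and back up the home directory and mail spool
# first; those steps are deliberately left to the administrator.
remove_user() {
    root=$1 login=$2
    for f in passwd shadow; do
        awk -F: -v u="$login" '$1 != u' "$root/etc/$f" > "$root/etc/$f.tmp" && mv "$root/etc/$f.tmp" "$root/etc/$f"
    done
    awk -F: -v OFS=: -v u="$login" '
        $1 == u && ($4 == u || $4 == "") { next }      # the personal group goes away
        {                                              # other groups lose the member
            n = split($4, m, ","); out = ""
            for (i = 1; i <= n; i++)
                if (m[i] != u && m[i] != "") out = (out == "" ? m[i] : out "," m[i])
            $4 = out; print
        }' "$root/etc/group" > "$root/etc/group.tmp" && mv "$root/etc/group.tmp" "$root/etc/group"
}

# make_sandbox ROOT: a constructed miniature of the files the script edits;
# tyler is pre-listed in wheel so that remove_user has a membership to clean.
make_sandbox() {
    mkdir -p "$1/etc" "$1/home" "$1/usr/local/lib/skel"
    printf 'root:x:0:0:root:/root:/bin/bash\ntrent:x:1001:1001:Trent Hein:/home/trent:/bin/sh\n' > "$1/etc/passwd"
    printf 'root:*:14900:0:99999:7:::\ntrent:*:14950:0:99999:7:::\n' > "$1/etc/shadow"
    printf 'root:x:0:\nwheel:x:10:trent,tyler\ntrent:x:1001:trent\n' > "$1/etc/group"
    printf 'umask 077\n' > "$1/usr/local/lib/skel/.profile"
    printf 'alias ls="ls -F"\n' > "$1/usr/local/lib/skel/.bashrc"
}

# Demo: create tyler as in 6.4, check him, then remove him as in 6.5.
sandbox=$(mktemp -d)
make_sandbox "$sandbox"
add_user "$sandbox" tyler 2422 "Tyler Stevens, ECEE 3-27, x7918" /bin/sh 2010-12-31
verify_user "$sandbox" tyler && echo "tyler: account files and home directory check out"
grep tyler "$sandbox/etc/passwd" "$sandbox/etc/shadow" "$sandbox/etc/group"
remove_user "$sandbox" tyler
grep -q tyler "$sandbox/etc/group" || echo "tyler: gone from passwd, shadow and group"
rm -rf "$sandbox"
```

Against a real system you would pass / as the root, run it under sudo, uncomment the chown, and still follow add_user with passwd to set the initial password, exactly as the text says; on a system with vipw the passwd and shadow appends would go through it to get the lock.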
