-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathchapter_09.xml
295 lines (242 loc) · 11 KB
/
chapter_09.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
<?xml version="1.0"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"/usr/share/xml/docbook/xml-dtd-4.5/docbookx.dtd">
<chapter id="ch_users">
<title>Users and Groups</title>
<section id="users_intro">
<title>What Are Users and Groups?</title>
<para>
Slackware Linux inherits a strong multi-user tradition from its UNIX
inspiration. This means that multiple people may use the system at
once, but it also means that each of these people may have different
permissions. This allows users to prevent others from modifying their
files, or lets system administrators explicitly define what users can
and cannot do on the system. Moreover, users need not be actual people
at all. In fact, Slackware includes several dozen pre-defined user
and group accounts that are not typically used by regular users. Rather
these accounts allow the system administrator to segment the system for
security reasons. We'll see how that's done in the next chapter on
filesystem permissions.
</para>
</section>
<section id="users_managing">
<title>Managing Users and Groups</title>
<para>
The easiest way to add new users in Slackware is through the use of our
very fine <application>adduser</application> shell script.
<application>adduser</application> will prompt you to enter the details
of the new user you wish to creature and step you through the process
quickly and easily. It will even create a password for the new user.
</para>
<screen><prompt>darkstar:~# </prompt><userinput>adduser</userinput>
Login name for new user []: <userinput>david</userinput>
User ID ('UID') [ defaults to next available ]:
Initial group [ users ]:
Additional UNIX groups:
Users can belong to additional UNIX groups on the system.
For local users using graphical desktop login managers such
as XDM/KDM, users may need to be members of additional groups
to access the full functionality of removable media devices.
* Security implications *
Please be aware that by adding users to additional groups may
potentially give access to the removable media of other users.
If you are creating a new user for remote shell access only,
users do not need to belong to any additional groups as standard,
so you may press ENTER at the next prompt.
Press ENTER to continue without adding any additional groups
Or press the UP arrow to add/select/edit additional groups
: <userinput>audio cdrom floppy plugdev video</userinput>
Home directory [ /home/david ]
Shell [ /bin/bash ]
Expiry date (YYYY-MM-DD) []:
New account will be created as follows:
---------------------------------------
Login name.......: david
UID..............: [ Next available ]
Initial group....: users
Additional groups: audio,cdrom,floppy,plugdev,video
Home directory...: /home/david
Shell............: /bin/bash
Expiry date......: [ Never ]
This is it... if you want to bail out, hit Control-C. Otherwise, press
ENTER to go ahead and make the account.
Creating new account...
Changing the user information for david
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Changing password for david
Enter the new password (minimum of 5, maximum of 127 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
Password changed.
Account setup complete.
</screen>
<para>
The addition of optional groups needs a little explaining. Every user
in Slackware has a single group that it is always a member of. By
default, this is the "users" group. However, users can belong to more
than one group at a time and will inherit all the permissions of every
group they belong to. Typical desktop users will need to add several
group memberships in order to do things like play sound or access
removeable media like cdroms or USB flash drives. You can simply press
the up arrow key at this section and a list of default groups for
desktop users will magically appear. You can of course, add to or
remove groups from this listing.
</para>
<para>
Now that we've demonstrated how to use the interactive
<application>adduser</application> program, lets look at some powerful
non-interactive tools that you may wish to use. The first is
<application>useradd</application>(8).
<application>useradd</application> is a little less friendly, but much
faster for creating users in batches. This makes it ideal for use in
shell scripts. In fact, <application>adduser</application> is just such
a shell script and uses <application>useradd</application> for most of
the heavy lifting. <application>useradd</application> has many options
and we can't explain them all here, so refer to its man page for the
complete details. Now, let's make a new user.
</para>
<screen><prompt>darkstar:~# </prompt><userinput>useradd -d /data/home/alan -s /bin/bash -g users -G audio,cdrom,floppy,plugdev,video alan</userinput>
</screen>
<para>
Here I have added the user "alan". I specified the user's home
directory as <filename>/data/home/alan</filename> and used
<application>bash</application> as my shell. Also, I specified my
default group as "users" and added myself to a number of useful groups
for dekstop use. You'll note that <application>useradd</application>
does not do any prompting like <application>adduser</application>.
Unless you want to accept the defaults for everything, you'll need to
tell <application>useradd</application> what to do.
</para>
<para>
Now that we know how to add users, we should learn how to add groups.
As you might have guessed, the command for doing this is
<application>groupadd</application>(8).
<application>groupadd</application> works in the same way as
<application>useradd</application>, but with far fewer options. The
following command adds the group "slackers" to the system.
</para>
<screen><prompt>darkstar:~# </prompt><userinput>groupadd slackers</userinput>
</screen>
<para>
Deleting users and groups is easy as well. Simply run the
<application>userdel</application>(8) and
<application>groupdel</application>(8) commands. By default,
<application>userdel</application> will leave the user's home directory
on the system. You can remove this with the <arg>-r</arg> argument.
</para>
</section>
<section>
<title>Other User and Group Tools</title>
<para>
Several other tools exist for managing users and groups. Perhaps the
most important one is <application>passwd</application>(1). This
command changes a user account's password. Normal users may change
their own passwords only, but root can change anyone's password. Also,
root can lock a user account with the <arg>-l</arg> argument. This
doesn't actually shutout the account, but instead changes the user's
encrypted password to a value that can't be matched.
</para>
<para>
The easiest way for modifying a user's information is the
<application>usermod</application>(8) utility which is capable of
modifying everything from group membership to home directories. A full
listing of its features won't be given here, so check the man page.
<application>usermod</application> is perhaps the best tool to use for
modifying a user's group members. The <arg>-s</arg> and <arg>-G</arg>
arguments accomplish this.
</para>
<screen><prompt>darkstar:~# </prompt><userinput>usermod -a -G wheel alan</userinput>
<prompt>darkstar:~# </prompt><userinput>usermod -G wheel alan</userinput>
</screen>
<para>
It important to note the differences in the two commands above. The
first command adds the user "alan" to the "wheel" group without
modifying any other groups "alan" belongs to. The second command also
makes "alan" a member of the "wheel" group, but also removes the user's
membership from any other groups, something you will very rarely want
to do!
</para>
<para>
Another useful tool is <application>chsh</application>(1) which changes a
user's default shell. Like <application>passwd</application>, normal
users can only change their own shell, but the root user can change
anyone's.
</para>
<para>
The last tool we're going to discuss is
<application>chfn</application>(1). This is used to enter identifying
information on the user such as his phone number and real name. This
information is stored in the <filename>passwd</filename>(5) file and
retrieved using <application>finger</application>(1).
</para>
</section>
<section>
<title>Managing Users and Groups Manually</title>
<para>
Like most things in Slackware Linux, users and groups are stored in
plain-text files. This means that you can edit all the details of a
user, or even create a new user or group simply by editing these files
and doing a few other tasks like creating the user's home directory. Of
course, after you see how this is done you'll appreciate just how
simple the included tools make this task.
</para>
<para>
Our first stop is the <filename>/etc/passwd</filename> file. Here, all
the information about a user is stored, except for (oddly enough) the
user's password. The reason for this is rather simple.
<filename>/etc/passwd</filename> must be readable by all users on the
system, so you wouldn't want passwords stored there, even if they are
encrypted. Let's take a quick look at my entry in this file.
</para>
<screen>
alan:x:1000:100:,,,:/home/alan:/bin/bash
</screen>
<para>
Each line in this file contains a number of fields seperated by a
colon. They are, from left to right: username, password, UID, GUID, a
comment field, home directory, and shell. You'll notice that the
password field for every entry is an <keycap>x</keycap>. That is
because Slackware uses shadow passwords, so the actual encrypted
password is stored in <filename>/etc/shadow</filename>. Let's take a
look there.
</para>
<screen>
alan:$1$HlR?M3fkL@oeJmsdLfhsLFM*4dflPh8:14197:0:99999:7:::
</screen>
<para>
The <filename>shadow</filename> file contains more than just the
encrypted password as you'll notice. The fields here, again from left
to right, are: username, encrypted password, last day the password was
changed, days before the password may be changed again, how many days
before the password expires, days that the account will be disabled
after expiring, when the account was disabled, and a reserved field.
You may notice on some accounts that the various "days" fields often
include very large numbers. The reason for this is that Slackware
counts time from the "Epoch" which is January 1, 1970 for historical
reasons.
</para>
<para>
To create a new user account, you'll just need to open these files
using <application>vipw</application>(8). This will open
<filename>/etc/passwd</filename> in the editor
defined by your VISUAL variable or your EDITOR variable if VISUAL isn't
defined. If neither is present, it will fall back to
<application>vi</application> by default. If you pass the <arg>-s</arg>
argument, it will open <filename>/etc/shadow</filename> instead. It's
important to use <application>vipw</application> instead of using any
other editor, because <application>vipw</application> will lock the
file and prevent other programs from editing it right underneath your feet.
</para>
<para>
That isn't all you'll need to do however; you must also create the
user's home directory and change the user's password using
<application>passwd</application>.
</para>
</section>
</chapter>