The users of a GNU/Linux system normally have an associated account (defined with some of their data and preferences) along with an allocated amount of space on the disk in which they can keep their files and directories. This space is allocated to the user and may only be used by that user (unless the permissions specify otherwise).
Among the accounts associated with users, we find different types:
The administrator account, with the root identifier, which should only be used for administration operations. The root user is the one with the most permissions and complete access to the machine and its configuration files. Consequently, this is also the user that can cause the most damage through faults or omissions. It is better to avoid using the root account as if it were just another user's account; it is therefore recommended that it be used only for administration operations.
User accounts: the normal accounts for any of the machine's users, whose permissions are restricted to their own account files, to some particular zones (for example, the temporary files in /tmp) and to the particular devices that they have been authorised to use.
Special service accounts: lp, news, wheel, www-data... accounts that are not used by people but by the system's internal services, which run under these user names. Some of the services also run under the root account.
A user account is normally created by specifying a name (or user identifier), a password and a personal associated directory (the account).
The information on the system's users is kept in the following files:
/etc/passwd /etc/shadow /etc/group /etc/gshadow
Example of some lines of /etc/passwd:
juan:x:1000:1000:Juan Garcia,,,:/home/juan:/bin/bash
root:x:0:0:root:/root:/bin/bash
where (if two colons appear together, ::, the field is empty):
juan: identifier (login name) of the user on the system.
x: encoded user password; if there is an "x" here, the password is kept in the /etc/shadow file.
1000: user code (UID), which the system uses as the identity code of the user.
1000: code of the main group (GID) to which the user belongs; the group's information is in /etc/group.
Juan García: comment field, usually the user's full name.
/home/juan: personal directory associated with the account.
/bin/bash: interactive shell that the user uses when interacting with the system, in text mode or through the graphical shell. In this case it is GNU Bash, which is the shell used by default.
The /etc/passwd file used to contain the user passwords in encrypted form, but the problem was that any user could read this file, and at the time password-cracking programs were written to try to find out the passwords directly, taking the encrypted password (a word encoded with the crypt system) as the starting point.
In order to avoid this, the passwords are no longer placed in this file; only an "x" appears, to indicate that they are located in another file, which can only be read by the root user, /etc/shadow, the contents of which may look similar to the following:
juan:a1gNcs82ICst8CjVJS7ZFCVnu0N2pBcn/:12208:0:99999:7:::
where the user identifier appears along with the encrypted password. The remaining fields, separated by ":", are:
Days since 1 January 1970 on which the password was last changed.
Days before it can be changed (0: it does not have to be changed).
Days after which the password must be changed (in other words, the change period).
Days before expiry during which the user will be warned.
Days after expiry after which the account will be disabled.
Days since 1 January 1970 on which the account was disabled.
And a reserved field.
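As an added example (not part of the original text), the following Python script parses records in the /etc/passwd and /etc/shadow formats described above and flags the accounts an administrator would want to review: a non-root account with UID 0, a password kept outside /etc/shadow, an empty password, and a password past its change period. The records are constructed samples and the field names are this example's own.

```python
"""Audit constructed /etc/passwd and /etc/shadow records (made up, not from a real host)."""
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
juan:x:1000:1000:Juan Garcia,,,:/home/juan:/bin/bash
backup:x:0:34:legacy backup:/var/backups:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
SHADOW_TEXT = """\
root:$6$constructedsalt$constructedhash:12208:0:99999:7:::
juan:a1gNcs82ICst8CjVJS7ZFCVnu0N2pBcn/:12208:0:30:7:::
backup::12208:0:99999:7:::
www-data:*:12208:0:99999:7:::
"""
# Field names in the order the two files use them (the lists given in the text)
PASSWD_FIELDS = ["name", "passwd", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["name", "hash", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire", "reserved"]

def parse_records(text, fields):
    """Split each non-empty line on ':' and map the pieces to field names."""
    records = {}
    for line in filter(None, text.splitlines()):
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        records[parts[0]] = dict(zip(fields, parts))
    return records

def audit(passwd_text, shadow_text, today):
    """Return {user: [findings]}; 'today' is in days since 1 Jan 1970, as shadow counts."""
    passwd = parse_records(passwd_text, PASSWD_FIELDS)
    shadow = parse_records(shadow_text, SHADOW_FIELDS)
    findings = {}
    for name, p in passwd.items():
        issues = []
        if p["uid"] == "0" and name != "root":
            issues.append("uid 0 but not root")     # a second administrator account
        if p["passwd"] != "x":
            issues.append("password not shadowed")  # hash is in the world-readable file
        s = shadow.get(name)
        if s is None:
            issues.append("no shadow entry")
        elif s["hash"] == "":
            issues.append("empty password")         # login without any password
        elif s["max_days"] and today - int(s["last_change"]) > int(s["max_days"]):
            issues.append("password expired")       # change period (field 5) exceeded
        if issues:
            findings[name] = issues
    return findings
```

Pass today's date as days since 1 January 1970 (in Python, `(date.today() - date(1970, 1, 1)).days`), the same unit the shadow fields use; a "*" or "!" hash, as in the www-data record, is a locked account and is not flagged.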
In addition, the password encoding can be made stronger, as it is now possible to use a system called md5 (it usually appears as an option when installing the system) to protect the users' passwords. We will examine some more details in the unit on security.
In /etc/group we will find the information on the user groups:
jose:x:1000:
where we have:
name-group:password-group:identifier-of-group:list-users
The list of the users in the group may or may not be present; given that this information is already in /etc/passwd, it is not usually placed in /etc/group. If it is placed there, it appears as a list of users separated by commas. Groups may also possess an associated password (although this is not that common), and, as with users, there is also a shadow file: /etc/gshadow.
Other interesting files are the ones in the /etc/skel directory, which contains the files that are included in each user account when it is created. We must remember that, as we saw with the interactive shells, we can have some configuration scripts that execute when we enter or exit the account. The "skeletons", which are copied into each user account when it is created, are saved in the skel directory. The administrator is usually in charge of creating adequate files for the users, providing the necessary execution paths, initialising the system variables that are needed for the software, etc.
We will now see a series of useful commands for the administration of users (we will mention their functions and perform some tests in the workshop):
useradd: adding a user to the system.
userdel: to delete a user from the system.
usermod: to modify a user of the system.
groupadd, groupdel, groupmod: the same for groups.
newusers, chpasswd: these can be very useful in large installations with many users, as they allow us to create several accounts from the information entered in a file (newusers) or change the passwords of a large number of users at once (chpasswd).
chsh: to change the user's login shell.
chfn: to change the user information held in the comment field of /etc/passwd.
passwd: to change a user's password. It may be executed as a user, in which case it asks for the old password and then the new one. When root runs it, the user whose password will be changed has to be specified (otherwise root would be changing its own password), and the old password is not necessary. This is perhaps the command that root uses most, when users forget their old password.
su: a kind of identity change. It is used both by users and by root to change the current user. The administrator uses it quite a lot to test that a user account works properly. There are different variants: su (without parameters, it switches to the root user after identification, so that from a user account we can become root to perform a task); su iduser (changes to the user iduser but leaves the environment as it is, in other words, the same directory...); and su - iduser (which performs a complete substitution, as if the second user had logged into the system).
With regard to the administration of users and groups, what we have described here refers to the local administration of a single machine. In systems with multiple machines shared by the users, a different management system is used for the information on users. These systems, generically called network information systems, such as NIS, NIS+ or LDAP, store the information on users and groups in databases held on servers, which the other machines, the clients, consult. This makes it possible to keep one single copy of the user data (or several synchronised copies) and lets users log into any available machine of the set administered with these systems. At the same time, these systems incorporate additional concepts of hierarchies and/or domains and zones of machines and resources, which make it possible to adequately represent the resources and their use in organisations with different organisational structures for their own personnel and internal departments.
We can check whether we are in a NIS-type environment by looking at the passwd and group lines of the configuration file /etc/nsswitch.conf: compat appears if we are working with local files, and nis or nisplus according to the system we are working with. Generally, this involves no change for the ordinary user, as the machines are managed transparently, all the more so if it is combined with home directories shared by NFS, which make the account available regardless of the machine used. Most of the commands mentioned above can still be used without any problem under NIS or NIS+, where they have equivalents, except for the command for changing the password: instead of passwd, we usually use yppasswd (NIS) or nispasswd (NIS+), although it is typical for the administrator to rename them to passwd (through a link), which means that users will not notice the difference.
We will look at this and other methods in the units on configuring network administration.
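To make the nsswitch.conf check concrete, here is an added example (not part of the original text) that reads the passwd and group lines and reports whether account lookups stay local or go through a network information service. The file contents are a constructed sample, and the source names it classifies (files, compat, nis, nisplus, ldap) are the ones discussed above.

```python
"""Classify passwd/group lookup sources from an nsswitch.conf (constructed sample)."""
import re

NSSWITCH_TEXT = """\
# Constructed /etc/nsswitch.conf for illustration, not taken from a real host
passwd:     compat
group:      files nis [NOTFOUND=return]
shadow:     files
hosts:      files dns
"""

LOCAL_SOURCES = {"files", "compat"}        # local /etc files (compat also honours +/- entries)
NETWORK_SOURCES = {"nis", "nisplus", "ldap"}  # network information systems named in the text

def parse_nsswitch(text):
    """Map each database (passwd, group, ...) to its list of lookup sources.
    Comments, blank lines and [STATUS=action] specifiers are ignored."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing and full-line comments
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources = re.sub(r"\[[^\]]*\]", " ", rest).split()  # strip [NOTFOUND=return] etc.
        databases[db.strip()] = sources
    return databases

def account_backend(text):
    """For passwd and group, return 'local', 'network:<services>', 'unknown:...' or 'missing'."""
    databases = parse_nsswitch(text)
    result = {}
    for db in ("passwd", "group"):
        sources = databases.get(db)
        if not sources:
            result[db] = "missing"             # glibc falls back to its built-in default
        elif any(s in NETWORK_SOURCES for s in sources):
            result[db] = "network:" + ",".join(s for s in sources if s in NETWORK_SOURCES)
        elif all(s in LOCAL_SOURCES for s in sources):
            result[db] = "local"
        else:
            result[db] = "unknown:" + ",".join(sources)
    return result

if __name__ == "__main__":
    print(account_backend(NSSWITCH_TEXT))    # {'passwd': 'local', 'group': 'network:nis'}
```

A passwd line that is local while the group line consults NIS, as in the sample, is worth noticing: the two databases should normally come from the same place.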