[Page 584 (continued)]

14.6. Maintaining User Accounts

One of a system administrator's most common tasks is to add a new user to the system. To do this, you must:

  • Add a new entry to the password file (and shadow password file if in use).

  • Add a new entry to the group file.

  • Create a home directory for the user.

  • Provide the user with some appropriate startup files.

Most distributions of Linux provide the useradd command to take care of the details, so you don't have to do this manually. Others provide a GUI-based method in addition to useradd or in its place. To run useradd, you must be the super-user.

Figure 14-7. The useradd command.

Utility: useradd [ -d directory ] [ -s shell ] userName

useradd creates a new user on the system called userName. When -d is specified, directory becomes the new user's home directory. When -s is specified, shell becomes the new user's login shell. The next available UID is assigned to the new user.


To delete a user, use the userdel command:

Figure 14-8. The userdel command.

Utility: userdel [ -r ] userName

userdel removes a user account from the system. If -r is specified, the user's home directory is removed as well.




You should always remove old accounts from a system. An unused but active account represents a security risk.

14.6.1. The Password File

Every user of the system has an entry in the password file (usually "/etc/passwd") in the following format:

username:password:userId:groupId:personal:homedir:startup


where each field has the meaning given in Figure 14-9.

Figure 14-9. Fields in the Linux password file.

Field       Meaning
username    The user's login name.
password    The encrypted version of the user's password, or "x" if a shadow password file is in use.
userId      The unique integer allocated to the user.
groupId     The integer corresponding to the user's group.
personal    The description of the user that is displayed by the finger utility.
homedir     The home directory of the user.
startup     The program that is run for the user at login.


Since the password field is an encrypted value, putting any single character in that field is equivalent to disallowing logins on that account. Since there is no string you could type which would encrypt into the text "*" (for example), nothing that could be typed will match when encrypted and compared against such a password field. Here's a snippet from a real-life password file:

$ head -5 /etc/passwd       ...look at first five lines.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
$ _


I used grep to find my own entry:

$ grep ables /etc/passwd            ...find my line.
ables:x:500:500:King Ables:/home/ables:/bin/bash
$ _




The "x" in the password field indicates that a shadow password file ("/etc/shadow") is in use. A shadow password file is an extra security mechanism to prevent regular users from reading even the encrypted strings in the standard password file. While difficult, it is possible to crack a given encrypted password by repetitively encrypting random (or systematic) strings until a match is found. A shadow password file eliminates this option for a would-be intruder by storing the encrypted password in a separate file that is inaccessible to regular users.
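A small parser and audit for the password-file format described above, added here as an example; it is not code from the book. It applies the two points just made, that a lone "*" in the password field disables an account while an empty field requires no password at all, and that an encrypted password sitting in the world-readable password file is exactly what the shadow file exists to prevent, and adds two checks on the user ID field. The first six sample lines are the ones shown in this section; the last three are constructed to exercise the checks, and the "hash" in the legacy entry is a placeholder, not a real one.

```python
"""Parse /etc/passwd-format text and flag entries worth a second look.

Added example, not code from the book. The first six sample lines are the
ones shown in this section; the last three are constructed to show what each
check catches (the hash is a placeholder, not a real password hash).
"""
from collections import Counter
from typing import List, NamedTuple, Tuple

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
ables:x:500:500:King Ables:/home/ables:/bin/bash
simon::101:91:Simon Pritchard:/home/simon:/bin/ksh
legacy:$1$placeholder$NOT.A.REAL.HASH:502:502:Old Account:/home/legacy:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""


class PasswdEntry(NamedTuple):
    username: str
    password: str
    uid: int
    gid: int
    personal: str
    homedir: str
    startup: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each line on ':' into the seven fields listed in Figure 14-9."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, personal, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), personal, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for entries an administrator should review."""
    findings = []
    uid_owners = Counter(e.uid for e in entries)
    for e in entries:
        if e.password == "":
            # Empty means no password is required; "*" (one character) disables login instead.
            findings.append((e.username, "empty-password"))
        elif e.password != "x" and len(e.password) > 1:
            # A real encrypted password here is readable by every user; it belongs in /etc/shadow.
            findings.append((e.username, "hash-in-passwd"))
        if e.uid == 0 and e.username != "root":
            findings.append((e.username, "uid0-not-root"))
        if uid_owners[e.uid] > 1:
            findings.append((e.username, "duplicate-uid"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_passwd(parse_passwd(PASSWD_SAMPLE)):
        print(f"{user:10s} {finding}")
```

Run against a real file with `parse_passwd(open("/etc/passwd").read())`; the findings are a review list, not verdicts, since a single-character field is a deliberate lock and a shadowed "x" entry tells you nothing about whether the shadow entry itself is locked.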

14.6.2. The Group File

To add a new user, you must decide which group the user will belong to and then search the group file to find the associated group ID. As an example, I'll show you how to add a new user called "simon" into the "cs4395" group.

Every group in the system has an entry in the group file ("/etc/group") in the following format:

groupname:groupPassword:groupId:users 


where each field is defined as in Figure 14-10.

Figure 14-10. Fields in the Linux group file.

Field           Meaning
groupname       The name of the group.
groupPassword   The encrypted password for the group.
groupId         The unique integer corresponding to the group.
users           A list of the users in the group, separated by commas.


Here's a snippet from a real-life "/etc/group" file:

$ head -5 /etc/group     ...look at start of group file.
cs4395:*:91:glass
cs5381:*:92:glass
wheel:*:0:posey,aicklen,shrid,dth,moore,lippke,rsd,garner
daemon:*:1:daemon
sys:*:3:
$ _


As you can see, the "cs4395" group has an associated group ID number of 91. To add Simon as a new user, I allocated him the unique user ID number 10, a group ID of 91, and left his password field empty. Here's what his entry looked like:

simon::101:91:Simon Pritchard:/home/simon:/bin/ksh


Once the entry was added to the password file, I added Simon onto the end of the "cs4395" list in the "/etc/group" file.
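The four steps listed at the start of this section, carried out by hand the way the author does for Simon, as an added example: it is not code from the book and not how useradd is implemented. It works on copies of passwd, shadow, group and a skeleton directory under a scratch directory rather than /etc, so it runs without root. The file contents, the "x"/"!" convention (password hash kept in the shadow file, account locked until a password is set), the UID range starting at 100 and the skeleton file are assumptions for the demonstration; a real useradd also chowns the home directory to the new user, which needs root and is left out here.

```python
"""Add a user by hand: passwd entry, group membership, home directory, startup files.

Added example, not from the book and not how useradd is implemented. Everything
happens under a scratch directory instead of /etc so it runs without root.
Sample file contents are constructed from this section's snippets.
"""
import os
import shutil
import stat
import tempfile

PASSWD_SAMPLE = ("root:x:0:0:root:/root:/bin/bash\n"
                 "ables:x:500:500:King Ables:/home/ables:/bin/bash\n")
GROUP_SAMPLE = ("cs4395:*:91:glass\n"
                "cs5381:*:92:glass\n"
                "wheel:*:0:posey,aicklen\n")


def make_scratch_root() -> str:
    """Build throwaway etc/passwd, etc/shadow, etc/group and etc/skel files to work on."""
    root = tempfile.mkdtemp(prefix="useradd-demo-")
    os.makedirs(os.path.join(root, "etc", "skel"))
    files = {"passwd": PASSWD_SAMPLE, "group": GROUP_SAMPLE, "shadow": "",
             os.path.join("skel", ".profile"): "# constructed sample startup file\n"}
    for name, content in files.items():
        with open(os.path.join(root, "etc", name), "w") as f:
            f.write(content)
    return root


def lookup_gid(group_text: str, groupname: str) -> int:
    """Find the group ID for a group name, as the author does by reading /etc/group."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == groupname:
            return int(fields[2])
    raise KeyError(f"no group named {groupname!r}")


def next_uid(passwd_text: str, minimum: int = 100) -> int:
    """Lowest unused UID at or above `minimum` (the starting value is an assumption)."""
    used = {int(line.split(":")[2]) for line in passwd_text.splitlines() if line.count(":") == 6}
    uid = minimum
    while uid in used:
        uid += 1
    return uid


def add_to_group(group_text: str, groupname: str, username: str) -> str:
    """Append username to the group's comma-separated member list, without duplicates."""
    out = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == groupname:
            members = [m for m in fields[3].split(",") if m]
            if username not in members:
                members.append(username)
            fields[3] = ",".join(members)
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def add_user(root: str, username: str, personal: str, groupname: str,
             shell: str = "/bin/ksh") -> dict:
    etc = os.path.join(root, "etc")
    with open(os.path.join(etc, "passwd")) as f:
        passwd_text = f.read()
    with open(os.path.join(etc, "group")) as f:
        group_text = f.read()
    if any(line.split(":")[0] == username for line in passwd_text.splitlines()):
        raise ValueError(f"user {username!r} already exists")
    gid = lookup_gid(group_text, groupname)
    uid = next_uid(passwd_text)
    homedir = f"/home/{username}"
    # Step 1: passwd entry. "x" points login at the shadow file, where the
    # account starts locked ("!") until a password is set; shadow has 9 fields.
    entry = f"{username}:x:{uid}:{gid}:{personal}:{homedir}:{shell}"
    with open(os.path.join(etc, "passwd"), "a") as f:
        f.write(entry + "\n")
    with open(os.path.join(etc, "shadow"), "a") as f:
        f.write(":".join([username, "!"] + [""] * 7) + "\n")
    # Step 2: group file entry.
    new_group_text = add_to_group(group_text, groupname, username)
    with open(os.path.join(etc, "group"), "w") as f:
        f.write(new_group_text)
    # Step 3: home directory, owner-only. A real useradd also chowns it to uid:gid.
    home_path = os.path.join(root, homedir.lstrip("/"))
    os.makedirs(home_path)
    os.chmod(home_path, 0o700)
    # Step 4: startup files copied from the skeleton directory.
    skel = os.path.join(etc, "skel")
    for name in os.listdir(skel):
        shutil.copy(os.path.join(skel, name), home_path)
    return {"uid": uid, "gid": gid, "entry": entry, "home": home_path,
            "mode": stat.S_IMODE(os.stat(home_path).st_mode),
            "startup_files": sorted(os.listdir(home_path)),
            "group_line": next(l for l in new_group_text.splitlines()
                               if l.split(":")[0] == groupname)}


if __name__ == "__main__":
    scratch = make_scratch_root()
    try:
        print(add_user(scratch, "simon", "Simon Pritchard", "cs4395"))
    finally:
        shutil.rmtree(scratch)
```

The refusal to add a user who already exists and the idempotent group update are the two places a hand edit of these files most often goes wrong; useradd performs both checks for you, which is the reason to prefer it over editing the files directly.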




Linux for Programmers and Users
ISBN: 0131857487
Year: 2007
Pages: 339