User Accounts


Three kinds of users are at work in the typical Fedora system environment: the superuser, the regular user, and the system user. All three have important roles and must work cooperatively to accomplish their tasks.

All users have accounts. Fedora Core uses the /etc/passwd file to hold user account information. Each user, regardless of type, will have a one-line entry of account information stored in the /etc/passwd text file. Each account entry contains a username (used for logging in), a password field containing an x (as passwords are actually contained in /etc/shadow), a User ID (UID), and a Group ID (GID). The fifth field contains optional human ID information, such as real name, office location, phone number, and so on. The last two fields are the location of the user's home directory and the user's default login shell. See the section "The Password File" later in this chapter for more information.

Fedora uses the traditional form of Unix file ownership and permissions. Each file (which includes directories and devices) can be assigned read, write, and/or execution permission to an owner, a member of a group, or anyone on the system. This information can be viewed with the ls command, using -l for files or -ld for directories. Fedora's file security is derived by combining ownerships and permissions. It is the superuser's responsibility to make sure that all users have proper filenames, UIDs, and GIDs and that sensitive system files are protected from improperly permissive write permission assignment.

Although many system administrators might exist on a large system, only one root user has (and grants) all privileges on the system. The root user is defined as having a User ID of zero and a Group ID of zero. (We will discuss those IDs later in the chapter, but you can see how that ID is unique to root.)

The root user can use any program, manipulate any file, go anywhere in the file system, and do anything within the Fedora Core Linux system. For reasons of security, that kind of raw power should only be given to a single trusted individual.

It is often practical for that power to be delegated by the root user to other users. This delegation is referred to as an elevation of privileges, and these individuals are known as superusers because they enjoy the same powers that root enjoys. This approach is normally only used on large systems in which one person cannot effectively act as the system administrator.

NOTE

On your Fedora system, when you log in as root, you are root or the superuser. In this chapter, the terms root, superuser, system administrator, and sysadmin are used interchangeably, although they need not all refer to a single person.


The regular user is a person who logs onto and uses the computer to accomplish some non-administrative task. Regular users do not participate in the management or administration of the computer on a global scale, but they may be permitted to manage their own personal settings and configurations if the root user does not take that privilege away.

The superuser grants privileges to regular users by means of file and directory permissions. (Those are covered in Chapter 5, "First Steps with Fedora.") For example, if the superuser does not want you to change your settings in ~/.profile (the ~ is a shell shortcut representing your home directory; see Chapter 14, "Automating Tasks"), root can alter the permissions so that you may read from, but not write to, that file.

CAUTION

Because of the potential for making a catastrophic error as the superuser (using the command rm -rf /* is the classic example, but do not ever try it!), always use your system as a regular user and become root only temporarily to do sysadmin duties. While you are on a multiuser system, you should consider this advice an absolute rule; if root were to delete the wrong file or kill the wrong process, the results could be disastrous for the business. On your home system, you can do as you please and running as root makes many things easier, but less safe. In any setting, however, the risks of running as root are significant.


The system user is not a person, but a process running on the computer. The system user requires ownership of files and processes so that it can do its job in a secure manner. (Fedora calls these users logical users.) For example, the system user named apache owns the web server (assuming that you are using Apache) and all the associated files. No one else (except root) may have access to those files in a way that Apache does not permit. Unlike regular users, system users do not have a home directory or password and cannot log in like a regular user.

You will find a list of all the users on a system in the /etc/passwd file. Fedora refers to these users as the standard users because they will be found on every Fedora computer as the default set of system (or logical) users provided during the initial installation. This "standard" set differs between Linux distributions.

User IDs and Group IDs

A computer is a number-oriented machine. It identifies users and groups by numbers known as the User ID (UID) and Group ID (GID). The alphabetic names displayed on your screen are there exclusively for the convenience of the biological entities that so often annoy the computer.

As was already mentioned, the root user is UID 0. Numbers from 1 through 499 and 65,534 are the system, or logical, users. Regular users have UIDs beginning with 500; Fedora assigns them sequentially beginning with this number.

With only a few exceptions, the GID is the same as the UID. Those exceptions are system users who need to act with root permissions: sync, shutdown, halt, and operator.

Fedora creates a private GID for every UID of 500 and greater. The system administrator can add other users to a GID or create a totally new group and add users to it. Unlike Windows NT and some Unix variants, a group cannot be a member of another group in Linux.
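The following script is an added example, not part of the book's text. It reads entries in the seven-field /etc/passwd format, classifies each account by the UID ranges given above, and flags entries an administrator would want to review. The sample entries, the function names, and the FLAG/NOTE/MALFORMED labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify /etc/passwd-format entries by the UID ranges this
# chapter gives (0 = root, 1-499 and 65534 = system, 500 and up = regular).

# Constructed sample entries; not taken from a real system.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
apache:x:48:48:Apache:/var/www:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:500:500:Alice Example,Room 12,555-0100:/home/alice:/bin/bash
bob:$1$constructed$hash:501:501:Bob Example:/home/bob:/bin/bash
toor:x:0:0:Second UID 0 account:/root:/bin/bash
broken:x:502:502:/home/broken
EOF
}

# Reads passwd-format text from the named file, or from stdin if none given.
audit_passwd() {
    awk -F: '
    NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
        printf "MALFORMED line %d (%s): need 7 fields with numeric UID and GID\n", NR, $1
        next
    }
    {
        uid = $3 + 0; gid = $4 + 0
        if (uid == 0)                        class = "root"
        else if (uid <= 499 || uid == 65534) class = "system"
        else                                 class = "regular"
        printf "%-8s %-10s uid=%-6d gid=%-6d shell=%s\n", class, $1, uid, gid, $7

        # Only the account named root should hold UID 0.
        if (uid == 0 && $1 != "root")
            printf "FLAG %s: UID 0 on an account other than root\n", $1
        # An x means the hash lives in /etc/shadow; anything else is in a
        # world-readable file (or the field is empty).
        if ($2 != "x")
            printf "FLAG %s: password field is not x\n", $1
        # Expected for sync, shutdown, halt and operator; review any others.
        if (gid != uid)
            printf "NOTE %s: GID %d differs from UID %d\n", $1, gid, uid
    }' "$@"
}

sample_passwd | audit_passwd
```

To check a live system instead of the sample, call audit_passwd /etc/passwd.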

File Permissions

As you learned in Chapter 5, permissions are of three types: read, write, and execute (r, w, x). For any file or directory, permissions can be established in three categories: user, group, and global. In this section, we focus on group permissions, but here's a highlight of the commands used to change the group, user, or access permissions of a file or directory:

  • chgrp Changes the group ownership of a file or directory.

  • chown Changes the owner of a file or directory.

  • chmod Changes the access permissions of a file or directory.

These commands, which modify file ownerships and permissions, can be used to model organizational structure and permissions in the real world onto your Fedora system (see the next section, "Managing Groups"). For example, a human resources department can share health-benefit memos to all company employees by making the files readable (but not writable) by anyone in an accessible directory. On the other hand, programmers in the company's research and development section, while being able to access each other's source code files, would not have read or write access to HR pay-scale or personnel files (and certainly would not want HR or Marketing poking around R&D).

These commands are used to manage group and file ownerships and permissions from the command line. Use the chgrp command to allow (or restrict) groups of users access to specific directories and files. The chown command can be used to set ownerships, but may only be used by root. Use the chmod command to set read and write permissions for files you own. Refer to Chapter 5 of this book or the man page of each command for details on these commands.
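The script below is an added example, not part of the book's text. It builds the HR and R&D layout described above in a scratch directory with chgrp and chmod, then uses find to list anything left writable by every user. The directory names, the mode choices, and the use of the caller's own primary group as a stand-in for real hr and rnd groups are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the HR / R&D layout described above, built in a scratch
# directory. All paths and mode choices are assumptions for illustration.

build_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/hr/memos" "$demo/hr/payscale" "$demo/rnd/src"
    echo "benefits memo"  > "$demo/hr/memos/benefits.txt"
    echo "unfinished"     > "$demo/hr/memos/draft.txt"
    echo "pay bands"      > "$demo/hr/payscale/bands.txt"
    echo "int main(void)" > "$demo/rnd/src/main.c"

    # Stand-in for real hr and rnd groups: the caller's own primary group,
    # which any file owner is allowed to assign with chgrp.
    chgrp -R "$(id -g)" "$demo"

    # Memos: everyone may read, only the owner may write.
    chmod 755 "$demo" "$demo/hr" "$demo/hr/memos"
    chmod 644 "$demo/hr/memos/benefits.txt"
    # Pay scales: owner and group only, nothing for anyone else.
    chmod 750 "$demo/hr/payscale"
    chmod 640 "$demo/hr/payscale/bands.txt"
    # R&D source: group members read and write each other's files.
    chmod 750 "$demo/rnd"
    chmod 770 "$demo/rnd/src"
    chmod 660 "$demo/rnd/src/main.c"
    # Deliberate mistake for the audit below to catch.
    chmod 666 "$demo/hr/memos/draft.txt"

    printf '%s\n' "$demo"
}

# Anything (other than a symlink) that every user on the system may write to.
world_writable() { find "$1" ! -type l -perm -0002 -print; }

# Regular files that every user on the system may read.
world_readable() { find "$1" -type f -perm -0004 -print; }

tree=$(build_demo_tree) || exit 1
ls -lR "$tree"
echo "World-writable entries:"
world_writable "$tree"
rm -rf "$tree"
```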

User Stereotypes

As is the case in many professions, exaggerated characterizations (stereotypes or caricatures) have emerged for users and system administrators. Many stereotypes contain elements of truth mixed with generous amounts of hyperbole and humor and serve to assist us in understanding the characteristics of and differences in the stereotyped subjects. The stereotypes of the "luser" and the "BOFH" (users and administrators, respectively) also serve as cautionary tales describing what behavior is acceptable and unacceptable in the computing community.

Understanding these stereotypes allows you to better define the appropriate and inappropriate roles of system administrators, users, and others. The canonical reference to these terms is found in the alt.sysadmin.recovery FAQ found at http://www.ctrl-c.liu.se/~ingvar/asr/overview.html.




    Red Hat Fedora 4 Unleashed
    ISBN: 0672327929
    EAN: 2147483647
    Year: 2006
    Pages: 361
