User Account and Group Management Applications


There are two basic types of applications you can use when managing user accounts and groups on SUSE systems:

  • The graphical system assistant application, YaST

  • A suite of command-line tools

NOTE

For more information about YaST, refer to Chapter 2, "Updating the Server."


While both YaST and the command-line utilities perform essentially the same task, the command-line tools have the advantage of being scriptable and, therefore, more easily automated. On the other hand, YaST provides a wizard-like graphical interface that walks you through the necessary steps.

Table 4.3 describes some of the more common command-line tools used to create and manage users.

Table 4.3. User Management Command-Line Tools

APPLICATION / FUNCTION

/usr/sbin/useradd
    Creates a user account using default values from /etc/default/useradd. This tool is also used to specify a user's primary and secondary group memberships.

/usr/sbin/userdel
    Deletes user accounts.

/usr/sbin/usermod
    Updates account attributes, including some password-aging settings and primary and secondary group membership. For finer control of password aging, use chage or passwd. usermod can be used to make changes to LDAP users with the help of the -D and -r LDAP options.

/usr/bin/passwd
    Sets passwords. Although primarily used to change a user's password, it also controls all aspects of password aging. It is really the "Swiss-army knife" password utility.

/usr/sbin/chpasswd
    Batch changes user passwords by reading username:password pairs, one per line, from standard input (so the passwords never appear on a command line).

/usr/bin/chage
    Changes the user's password-aging settings. The passwd utility can also be used for this purpose.

/usr/bin/chfn
    Changes the user's GCOS information. Can also use passwd -f instead.

/usr/bin/chsh
    Changes the user's default shell. Can also use passwd -s instead.

/usr/sbin/pwck
    Checks the integrity of the /etc/passwd and /etc/shadow files.


Table 4.4 lists some of the more common command-line tools used to create and manage groups.

Table 4.4. Group Management Command-Line Tools

APPLICATION / FUNCTION

/usr/sbin/groupadd
    Creates new groups, but does not assign users to those groups. The useradd and usermod programs should then be used to assign users to and remove them from a given group.

/usr/sbin/groupdel
    Deletes groups.

/usr/sbin/groupmod
    Modifies group names or GIDs, but does not change group membership. The useradd and usermod programs should be used to assign users to and remove them from a given group.

/usr/bin/gpasswd
    Changes group passwords (stored in /etc/group) to allow nongroup members who know the group password to join the group. Only root may change group passwords. (You can also use passwd -g to change the group password.)

/usr/sbin/grpck
    Checks the integrity of the /etc/group file. (On older versions of SUSE LINUX, such as SLES 8, grpck also checks the /etc/gshadow file; SLES 9 and later no longer use a group shadow file.)


To learn more about the utilities in Table 4.4, refer to the man page for each (for example, man grpck).

NOTE

The applications listed in Tables 4.3 and 4.4 do not determine what resources these users and groups have control over. For this, you must use applications that deal with file permissions, some of which are discussed in Chapter 6, "Filesystem Security."


Creating and Editing User Accounts

When you need to create or modify a single user account or a small number of accounts (say, fewer than five), it is usually more convenient to use YaST for the task because of its graphical interface. Otherwise, you may want to consider writing shell scripts for the task using the command-line tools discussed later in this section.

TIP

Many user-creation scripts are available on the Internet. A sample skeleton bash script for creating new users (using the useradd command) can be found at http://www.osix.net/modules/article/?id=577.


Use the following steps to create a new user account using YaST:

1.

Launch YaST using one of the following methods:

  • From the KDE desktop, click on the YaST icon. Enter the root password if prompted.

  • From the KDE desktop, select Applications, System, YaST. Enter the root password if prompted.

  • From a terminal window, first run sux to become root (if not root already) and then run yast2 (the GUI version).

  • From a terminal window, first run su to become root (if not root already) and then run yast (the ncurses version).

2.

From the YaST Control Center, select Security and Users, Edit and Create Users to launch the User and Group Administration module. (If the NIS, LDAP, Samba, or Kerberos authentication is configured, you will be prompted for additional passwords.)

TIP

You can run yast and yast2 with the parameter users (for example, yast users) so YaST automatically launches the User and Group Administration module instead of displaying the Control Center menu.

3.

From the User and Group Administration screen (see Figure 4.1), select Set Filter and choose the type of user accounts (such as Local Users, System Users, or LDAP Users) you want to manage. A list of current users of the selected type is displayed. You may only see Local Users and System Users available as selections under the Set Filter drop-down list. Additional selections (such as LDAP Users) will be available only after you have configured and started the services on the server.

Figure 4.1. The User and Group Administration module screen in YaST.


TIP

You can combine multiple user types (such as Local Users and LDAP Users) to be displayed under the Custom filter by editing the selections in Set Filter, Customize Filter, Custom view.

4.

Select the Add option, and a screen similar to Figure 4.2 is displayed.

Figure 4.2. Adding a new local user.


5.

Fill in the user's name, login ID, and password. Keep in mind that both login names and passwords are case sensitive. Valid passwords can be composed of any of the (7-bit) ASCII characters, including digits and upper- and lowercase letters. However, you should use only printable ASCII characters whose decimal values are in the range 33 to 126. Spaces (dec. 32) do work in a pure Linux/Unix environment but may fail with connections from an X emulator or SSH client on a Windows client. Therefore, you should avoid spaces in passwords. Furthermore, depending on the password-hashing algorithm, only part of the password may be significant: traditional DES crypt (the default) uses only the first eight characters and silently ignores the rest, so a longer password is no stronger than its first eight characters, and typing just those eight will also be accepted. (See "Use a Strong Password-Hashing Algorithm" later in this chapter.)

6.

Click Password Settings if you want to change the settings (such as password expiration date) for the new user to something other than the defaults. In many cases, the default settings are sufficient and don't need to be modified.

7.

Click Details if you want to change settings such as UID, home directory location, default login shell, and group memberships; the Additional User Information field in this screen corresponds to the GCOS field in /etc/passwd. (Remember that if you plan to run the finger daemon, the information in this field must be in the particular form required by finger; see the earlier "What Is the GCOS Field?" sidebar.) The UID is assigned automatically as the next unused value after the one last assigned, and default settings are read from /etc/default/useradd.

TIP

The shells shown in the drop-down list of the Login shell are read from the /etc/shells file. Edit this file to remove any entry that you don't want to show up. Keep in mind that having an entry in /etc/shells does not necessarily mean the actual shell exists on the server. You should check to ensure the program exists before you include it in the list. This file is also referenced by chsh.

You may notice an entry called /bin/bash1 in /etc/shells, but it is not listed in the drop-down list. /bin/bash1 is an old reference to version 1 of bash, and /bin/bash is a general reference to the current version of bash, which is version 2. YaST filters out /bin/bash1 using the /usr/share/YaST2/modules/Users.pm Perl script.

8.

Click Create when you are satisfied with the user's settings.

9.

Repeat steps 4 through 8 to create more users. Click Finish when you are done. You must click Finish for the databases to be updated. Otherwise, if you click Abort, any changes made (including new users "added") will be discarded.

TIP

You can select Expert Options, Write Changes Now to save the changes made thus far, without exiting the module.


The procedure for updating and deleting a user is similar: Instead of Add, select Edit or Delete after highlighting the desired user.

TIP

If you change a user's UID, YaST will normally change all file ownerships in the user's home directory. If for some reason YaST fails to do this automatically, you can use the chown -R username /home/username command to change the ownerships.


TIP

When a user's UID is changed using YaST, only the ownership permissions for files in the home directory are adjusted. Changes to the permissions on files that may be located elsewhere on the system are not made.

To find all files on a system owned by a particular user, you can use the find command:

 find / -uid id_number -print 

find is a very powerful and useful program that can run a command on each file it finds (via the -exec action). For instance, the following command changes the ownership of all files belonging to UID 1000 to UID 1002 (use the old numeric UID, because after the UID change the user name no longer maps to that number):

 find / -uid 1000 -exec chown 1002 {} \; 

Being familiar with it will add a great tool to your bag of tricks. See man find for more information.
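The following script generalizes the one-liner above. It is an added example and not part of the handbook: it stays on one filesystem per run (so NFS mounts are left alone), does not follow symbolic links when re-owning, batches many paths per chown call, and handles GIDs as well as UIDs, which is what you need after a groupmod -g later in this chapter. The function names, the DRYRUN variable, and the list of filesystem types in local_mounts are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the handbook): re-own files after a UID or GID change.
# Assumes GNU find/chown/chgrp.  Function names and DRYRUN are this example's
# own conventions.

# Print every path under DIR whose numeric owner (KIND=uid) or group
# (KIND=gid) equals ID, without crossing into other filesystems.
find_owned() {
    dir=$1; kind=$2; id=$3
    case $kind in
        uid|gid) ;;
        *) echo "kind must be uid or gid" >&2; return 2 ;;
    esac
    find "$dir" -xdev "-$kind" "$id" -print
}

# Number of paths find_owned would report (what a dry run shows).
count_owned() {
    find_owned "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Re-own everything under DIR from OLD to NEW.  KIND is uid or gid.
# chown -h changes a symlink itself rather than its target, and "-exec ... +"
# passes many paths per chown invocation.  With DRYRUN=1 nothing is changed;
# the count of affected paths is printed either way.
migrate_owner() {
    dir=$1; kind=$2; old=$3; new=$4
    n=$(count_owned "$dir" "$kind" "$old") || return 2
    if [ "${DRYRUN:-0}" != 1 ] && [ "$n" -gt 0 ]; then
        case $kind in
            uid) find "$dir" -xdev -uid "$old" -exec chown -h "$new" {} + ;;
            gid) find "$dir" -xdev -gid "$old" -exec chgrp -h "$new" {} + ;;
        esac
    fi
    echo "$n"
}

# Mount points of local filesystems (SLES 9 installs reiserfs by default), so a
# whole-system run covers every local disk but no network shares.
local_mounts() {
    awk '$3 ~ /^(reiserfs|ext[234]|xfs|jfs)$/ { print $2 }' /proc/mounts
}

# Usage, after "usermod -u 1002 carol" (which re-owns only /home/carol):
#   DRYRUN=1; for m in $(local_mounts); do migrate_owner "$m" uid 1000 1002; done
#   DRYRUN=0; for m in $(local_mounts); do migrate_owner "$m" uid 1000 1002; done
```

Run the dry-run loop first and sanity-check the counts; a typo in the old UID re-owns another user's files, and a run as root over / without -xdev would happily descend into /proc and remote mounts.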


When you use YaST, you can manage most aspects of the user account within the single application, except that you cannot use YaST to enable or disable a user account; you must do this using command-line tools. In addition, because YaST is a menu-driven utility, it does not lend itself easily to batch creation or modification of user accounts. Therefore, we highlight the multistep user-creation process necessary when using the command-line tools.

The following steps illustrate what happens when you issue the command /usr/sbin/useradd -m carol:

  • A new entry for carol is created in /etc/passwd. The line begins with the username carol, and an "x" is placed in the password field indicating that the system is using shadow passwords. A UID at or above 1000 is created, and the primary GID is set to 100 (group users). The optional GCOS information is left blank. The home directory is created (because of the -m switch) and set as /home/carol, and the default shell is set to /bin/bash as specified by /etc/default/useradd.

    NOTE

    If you need to create a system user (that is, one with a UID in the SYSTEM_UID_MIN to SYSTEM_UID_MAX range of /etc/login.defs, 100 to 499 by default), include the -r switch; add -u to choose a specific UID instead of the next free one in that range. For example,

     useradd -m -r -u 200 -c "db admin user" -g 0 db_admin 

    creates a user called db_admin whose UID is 200 and primary GID is 0 (that is, the root group), sets the GCOS field, sets the default shell to /bin/bash, and creates /home/db_admin as the home directory. In some cases, you may not want to include the -m switch to create a home directory, such as when the account is used by a daemon instead of a real-life user. A daemon account should also not normally get an interactive shell (use -s /bin/false) or GID 0, which gives it group access to everything the root group can read; create a dedicated group for it instead.

  • A new entry for carol is created in /etc/shadow. The line begins with the username carol, and an exclamation point (!) is placed in the password field, which locks the account. The related password policy (such as expiration date) is set according to the values found in /etc/default/useradd.

  • Group memberships in /etc/group are updated to include carol in the appropriate groups, such as dialout, uucp, video, and audio. User carol is not added to the group users because it is her primary group.

  • A directory for carol is created in the /home directory. This directory's ownership is set to user carol and group users. Full privileges (read, write, and execute) are granted to carol, while group and others have only read and execute privileges.

  • The files (including subdirectories) within the /etc/skel directory (which contain default user settings, such as .bashrc) are copied into the new /home/carol directory. If useradd is used without the -m option, the home directory is not created; thus, files from /etc/skel are not copied. You can override settings in /etc/default/useradd using additional command-line switches, such as -g and -d. Refer to man useradd for more information.

TIP

You can define additional actions to be performed when useradd and userdel are used. For example, before removing a user using userdel, you could execute a script (for example, find / -uid id_number -exec rm {} \;) to remove all files owned by the user. Note that rm without -r leaves directories in place, and that such a script run with the wrong UID deletes another user's files, so test it carefully. Refer to the USERADD_CMD, USERDEL_PRECMD, and USERDEL_POSTCMD directives in /etc/login.defs for more information.


At this point, a locked account called carol exists on the system. To activate it, you must next assign a password to the account using the passwd command and, optionally, set password-aging guidelines.

It is also possible to configure the account so that during the first login, the user is asked to change his or her password. To configure a user account in this manner, follow these steps:

1.

Create the user account using the useradd command. At this point, the account is created but locked (with an invalid password assigned).

2.

Use chage -d0 username or passwd -e username to force immediate password expiration. This step sets the value for the date the password was last changed to the Epoch. This value forces immediate password expiration no matter what password-aging policy, if any, is in place.

3.

Unlock the account by setting a valid password using passwd. You can assign an initial password that will be given to the user, or you can assign a null password (the user just needs to press Enter at the password prompt):

 passwd -d username 

CAUTION

You can also change a user's password by using usermod -p. However, usermod expects the password already hashed; unlike passwd, it does not perform the hashing. A hash passed on the command line is also visible in process listings and shell history, which is one more reason to prefer passwd or chpasswd.


In either case, upon initial login, the user is prompted for a new password.

CAUTION

Although using a null password is convenient for both you and the user, there is a slight risk that a third party can log in first and access the system. To minimize this threat, you can lock the account using the procedure discussed in the following paragraphs and unlock it just before the user is ready to log in. Note also that OpenSSH rejects empty passwords unless PermitEmptyPasswords is set to yes in sshd_config, so a null-password account is normally usable only at the console or through other services that allow it.


In some instances, you may need to temporarily disable some accounts and reenable them at a later time. You can both disable an account and reenable it with passwd (but not with YaST). To disable an account, do the following:

 passwd -l carol 

This command inserts a ! character at the beginning of carol's password hash in /etc/shadow, making it unmatchable to any password. Then, to enable the account with the original password, do the following:

 passwd -u carol 

The previously inserted ! character is removed, so carol can log in again using the assigned password.
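The script below strings together the steps just described (create a locked account, set a one-time password through chpasswd on standard input, force a change at first login with chage -d 0, and keep the account locked with passwd -l until it is handed over with passwd -u). It is an added example, not code from the handbook; it assumes SLES-style useradd, chpasswd, chage and passwd run as root, and the function names, the DRYRUN variable and the "login:Full Name:group1,group2" input format are this example's own.

```shell
#!/bin/sh
# Added example (not from the handbook): batch account creation with the
# command-line tools.  Must run as root to do anything; DRYRUN=1 prints the
# commands instead.  Function names and input format are this example's own.

# Run a command, or just print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Login names must satisfy CHARACTER_CLASS from /etc/login.defs (the default
# shown in Listing 4.2) and fit useradd's 32-character limit.
valid_login() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ] &&
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]?$'
}

# Twelve random alphanumerics.  With DES hashing only the first eight would
# count (see "Use a Strong Password-Hashing Algorithm").
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 12
}

# Create LOGIN locked, give it a one-time password, force a change at first
# login, and keep it locked until hand-over ("passwd -u LOGIN").
# Prints "LOGIN PASSWORD" for the administrator to deliver out of band.
create_account() {
    login=$1; fullname=$2; groups=$3
    valid_login "$login" || { echo "rejected login name: $login" >&2; return 1; }
    pw=$(random_password)
    # 1. account is created locked ("!" in /etc/shadow), home from /etc/skel
    run useradd -m -c "$fullname" ${groups:+-G "$groups"} "$login"
    # 2. password via chpasswd on stdin, so it never appears in argv or history
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf 'chpasswd < %s:<one-time password>\n' "$login"
    else
        printf '%s:%s\n' "$login" "$pw" | chpasswd
    fi
    # 3. last-change day 0 forces a change at first login (same as passwd -e)
    run chage -d 0 "$login"
    # 4. re-lock until the user is ready; the forced change survives passwd -u
    run passwd -l "$login"
    printf '%s %s\n' "$login" "$pw"
}

# Process a file of "login:Full Name:groups" lines; blank and # lines are skipped.
create_from_file() {
    while IFS=: read -r login fullname groups; do
        case $login in ''|'#'*) continue ;; esac
        create_account "$login" "$fullname" "$groups" || echo "FAILED $login" >&2
    done < "$1"
}
```

Validating the login name before calling useradd matters when the input file comes from a ticketing system or a spreadsheet: useradd itself enforces CHARACTER_CLASS, but rejecting early keeps a malformed line from producing a half-created account (home directory without a shadow entry) that you then have to clean up by hand.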

TIP

If you have to manage LDAP user passwords, it is best to use YaST or LDAP-based tools (such as ldapmodify) instead of passwd. passwd can change only local passwords; even though the -D option can be used to specify an LDAP bind DN, it cannot authenticate to the LDAP server.


CAUTION

You should train your nonadministrator users to use passwd or the desktop password utility (Applications, System, Change Password) to change their passwords, and not to use YaST. When nonprivileged users use YaST to make changes, even to their own accounts, they receive errors indicating some values cannot be updated (for example, "The directory /home is not writable.").


Some Linux distributions, such as Red Hat, use a so-called user private group (UPG) scheme. The UPG scheme does not add or change anything in the standard Linux/Unix way of handling groups; instead, it offers a new convention. Under UPG, whenever you create a new user, a unique group with the same name as the user is created by default and assigned as the user's primary group. This group contains only that one user, hence the name "private group." Its GID is usually the same as the user's UID, which can be a bit confusing at times. UPG is meant to make file permission management a little easier. You can find additional discussion of the pros and cons of UPG in Chapter 6. SUSE LINUX does not make use of UPG; therefore, you do not see any groups created concurrently when you create new users.

Setting Default User Account Properties

As discussed in the preceding section, default values for the user account are stored in /etc/default/useradd. Both useradd and YaST use this file. Additional settings, such as password-aging policies, are stored in /etc/login.defs. These two files, however, govern only local users, those defined in /etc/passwd. The files have no effect when you are creating LDAP or other nonlocal users because settings for those users are stored in their respective databases.

NOTE

Refer to Chapter 8 for information about setting up and configuring services such as LDAP and NIS.


Shown in Listing 4.1 is the default /etc/default/useradd file. The default settings for a new user are as follows:

  • The primary GID for the user is 100 (group users).

  • The user is made a member of the dialout, uucp, video, and audio groups.

  • The user's home directory will be created under /home.

  • An expired password never causes the account to be disabled (INACTIVE=-1); the user is instead prompted to change the expired password at login.

  • There is no preset account expiration date.

  • The user's default shell is /bin/bash.

  • Files and subdirectories in /etc/skel will be copied to the user's home directory after it has been created.

Listing 4.1. The Default /etc/default/useradd File
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
GROUPS=dialout,uucp,video,audio

You can customize this file to suit your specific requirements. For instance, if you need the new user to be a member of video, audio, helpdesk, and support groups, change the GROUPS= line to read:

 GROUPS=video,audio,helpdesk,support 

If some site-specific configuration files (such as a configuration file containing the name of the SQL database server) need to be placed in the user's home directory, simply place them in /etc/skel, and they will be copied when the home directory is created.

TIP

Settings in /etc/default/useradd can be edited using YaST. From the User and Group Administration screen, select Expert Options, Defaults for New Users.


Default user account, group, and password-aging policy settings, such as the life span of a password, are found in the /etc/login.defs file. This file also contains settings used by the login process (such as the amount of time delay before being allowed another attempt after a failed login). Shown in Listing 4.2 are user account and group-related directives.

Listing 4.2. User and Group-Related Directives in /etc/login.defs
#
# Password aging controls (used by useradd):
#
# PASS_MAX_DAYS
#    - Maximum number of days a password may be used.
# PASS_MIN_DAYS
#    - Minimum number of days allowed between password changes.
# PASS_WARN_AGE
#    - Number of days warning given before a password expires.
#
PASS_MAX_DAYS    99999
PASS_MIN_DAYS    0
PASS_WARN_AGE    7

#
# Min/max values for automatic uid selection in useradd
#
# SYSTEM_UID_MIN to SYSTEM_UID_MAX inclusive is the range for
# UIDs for dynamically allocated administrative and system
# accounts.
# UID_MIN to UID_MAX inclusive is the range of UIDs of
# dynamically allocated user accounts.
#
SYSTEM_UID_MIN          100
SYSTEM_UID_MAX          499
UID_MIN                1000
UID_MAX               60000

#
# Min/max values for automatic gid selection in groupadd
#
# SYSTEM_GID_MIN to SYSTEM_GID_MAX inclusive is the range for
# GIDs for dynamically allocated administrative and system
# groups.
# GID_MIN to GID_MAX inclusive is the range of GIDs of
# dynamically allocated groups.
#
SYSTEM_GID_MIN          100
SYSTEM_GID_MAX          499
GID_MIN                1000
GID_MAX               60000

#
# User/group names must match the following regex expression.
# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
#
CHARACTER_CLASS           [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?

#
# Umask which is used by useradd and newusers for creating
# new home directories.
#
UMASK                 022

#
# If defined, this command is run when adding a user.
# It should rebuild any NIS database etc. to add the
# new created account.
#
USERADD_CMD          /usr/sbin/useradd.local

#
# If defined, this command is run before removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed.
#
USERDEL_PRECMD       /usr/sbin/userdel-pre.local

#
# If defined, this command is run after removing a user.
# It should rebuild any NIS database etc. to remove the
# account from it.
#
USERDEL_POSTCMD      /usr/sbin/userdel-post.local

CAUTION

It is best not to change the SYSTEM_UID_* and SYSTEM_GID_* directive settings, as doing so may cause some applications not to function properly.


The UMASK directive in /etc/login.defs is used by useradd and YaST to set the proper file permissions on the home directory. Refer to Chapter 6 for information about file ownership and permissions. The USERDEL_PRECMD and USERDEL_POSTCMD directives point to two templates that you can customize for your particular needs. For instance, you may want to copy the user's home directory elsewhere before you delete the user ID. The default script for the USERDEL_PRECMD directive deletes any cron jobs belonging to the user, whereas the default USERDEL_POSTCMD does nothing.

TIP

Settings in /etc/login.defs can be edited using YaST. From the YaST Control Center, select Security and Users, Security Settings. If the Current Security Setting is one of Level 1 through Level 3, click Details. If the selection is Custom Settings, click Next. You are then presented with a series of screens, each dealing with a different set of directives found in /etc/login.defs.


Where redundancy exists between /etc/login.defs and /etc/default/useradd, the settings in /etc/login.defs take precedence.
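pwck and grpck (Tables 4.3 and 4.4) check the structure of the account files; the awk-based audit below goes a step further and checks them against the policy expressed in /etc/login.defs and in the /etc/shadow conventions described in this section (a leading "!" for a locked account, an empty field for a null password, day 0 in the last-change field for a forced change, and a bare 13-character hash for DES). It is an added example, not part of the handbook; it takes explicit file paths so it can run on copies, and the function names, the report tags, and the UID_MIN default of 1000 are this example's own.

```shell
#!/bin/sh
# Added example (not from the handbook): a pwck/grpck-style consistency and
# policy audit of the local account databases, written in awk.  Paths are
# explicit so it can run on copies.  Function and tag names are this example's.

# Checks on the passwd file against the group file: duplicate UIDs, extra
# UID 0 accounts, primary GIDs that no group defines, and regular users
# (UID >= UID_MIN) whose password field is not the "x" shadow marker.
audit_passwd() {
    passwd=$1; group=$2; uid_min=${3:-1000}
    awk -F: -v uid_min="$uid_min" '
        FNR == NR { gid[$3] = $1; next }          # first file: group database
        {
            if ($3 in seen) print "DUP_UID " $3 " " seen[$3] " " $1
            seen[$3] = $1
            if ($3 == 0 && $1 != "root") print "EXTRA_UID0 " $1
            if (!($4 in gid)) print "NO_PRIMARY_GROUP " $1 " gid=" $4
            if ($3 + 0 >= uid_min + 0 && $2 != "x") print "PASSWORD_IN_PASSWD " $1
        }
    ' "$group" "$passwd"
}

# Checks on the shadow file: empty password field (login without a password),
# accounts locked with a leading "!", DES hashes (13 characters with no $id$
# prefix, so only the first 8 password characters ever counted), and
# last-change day 0 (change forced at next login, as set by chage -d 0).
audit_shadow() {
    awk -F: '
        {
            h = $2; sub(/^!+/, "", h)              # strip lock marker(s)
            first = substr(h, 1, 1)
            if ($2 == "")                                         print "EMPTY_PASSWORD " $1
            if ($2 ~ /^!/)                                        print "LOCKED " $1
            if (h != "" && first != "$" && first != "*" && length(h) == 13)
                                                                  print "DES_HASH " $1
            if ($3 == "0")                                        print "FORCE_CHANGE " $1
        }
    ' "$1"
}

# Usage: audit_accounts /etc/passwd /etc/shadow /etc/group [UID_MIN]
audit_accounts() {
    audit_passwd "$1" "$3" "$4"
    audit_shadow "$2"
}
```

A second UID 0 entry or a password hash sitting in the world-readable /etc/passwd instead of /etc/shadow are the findings worth acting on immediately; LOCKED and FORCE_CHANGE are informational and simply let you see which of the states described above each account is in.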

Creating and Editing Groups

The process for managing groups is similar to that for users. Rather than listing many of the same steps again, we've listed the salient differences here instead:

  • From the YaST Control Center, select Security and Users, Edit and Create Groups to launch the User and Group Administration module. If you are already in the User and Group Administration module, click on the Groups radio button near the top of the screen; you can use the Users and Groups radio buttons to switch back and forth between managing users and groups.

  • When launching YaST from a terminal session, you can use yast groups or yast2 groups to skip over the YaST Control Center and go directly to the User and Group Administration module.

  • Shown in Figure 4.3 is the screen for adding a new local group. You need to provide a group name and optionally select one or more users who will be members of this group.

    Figure 4.3. Adding a new local group.


    NOTE

    The list of users available in the Add New Local Group screen includes all known users, which includes those from local, LDAP, NIS, and so on. However, if you are adding, for instance, a new LDAP group, only LDAP users are shown for selection.

  • The GID is automatically assigned, using the lowest non-used GID. You can change it to a different value if you like. YaST will warn you if the newly specified value is already in use.

  • Group passwords are optional. They allow users who are not members of the group to use newgrp to switch their active GID to that group if they know the group's password.

  • When editing an existing group, you will also see a list of users for which this group is their default. You cannot modify this list in YaST. To remove a user from this list, you need to assign a different primary GID to that user.

There are three commonly used command-line utilities for managing groups:

  • groupadd This application creates a new group by adding a new entry to /etc/group. Common usage is simply groupadd groupname, where the next available GID will be assigned. If you want to use a specific GID for the new group, include the -g id_number switch; for a system group (that is, a group whose GID is within the range of SYSTEM_GID_MIN and SYSTEM_GID_MAX as defined in /etc/login.defs), include the -r switch. You can assign a group password using the -p password switch, or you can add it later using passwd -g groupname, gpasswd groupname, or groupmod -p password groupname. It is generally preferred that you use passwd -g or gpasswd to set the password because the password then does not appear on the command line, where it would be visible in process listings and shell history.

  • groupmod This utility allows you to modify a group's name, GID, its list of members, and its password. Keep in mind that if you change the GID, you need to manually change the group ownership of any files owned by the old GID using chgrp; changing the name has no effect on the group ownership. You can use the find command as previously discussed in "Creating and Editing User Accounts."

  • groupdel Use this utility to delete a group from /etc/group: groupdel groupname. Note that you can delete a group only when no user has this group as his or her primary group.

You will not find a /etc/gshadow file on SLES 9 and later systems because it is no longer used.



    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    ISBN: 067232735X
    Year: 2003
    Pages: 134