Users and Groups

UNIX is, at its very core, a multi-user operating system. It was built from the ground up to provide services to a number of simultaneous users. Because of this, UNIX provides a simple but effective method for restricting users to only the parts of the system to which they should have access. The Users and Groups module in Webmin attempts to provide a nice front end for those features of the system. Each version of UNIX has differences in how users and groups are implemented. However, Webmin hides those details quite effectively so that you never have to think about it. The Webmin Users and Groups module edits several system files, depending on your OS. Usually, the files are /etc/passwd and /etc/shadow, for usernames and passwords, and /etc/group and /etc/gshadow, for groups and group passwords. Note that the shadow versions of the preceding files are far more secure than the plain passwd and group files because they are readable only by root (or, on some systems, a dedicated shadow group), whereas /etc/passwd must remain world-readable. Shadow passwords are standard on most Linux distributions today, and many other systems as well.

Clicking a username or group name will take you to an Edit User page, allowing you to edit all facets of the account. Note that changing the user or group ID at some point after the account is created is risky, as permissions are set by ID, not by username or group name. While the module will change these for you on the home directory, there may be user programs or even system programs that rely on the UID remaining the same. Also note that on some systems (Red Hat and probably other Linux distributions) the user and the user's primary group have the same name by default. Red Hat Linux includes the useradd command (adduser is an alias for it there), which will create a group of the same name and ID as the user, and therefore Webmin can do the same. You should not change this behavior unless you really know what you're doing, as the system relies on this for much of its access control flexibility. Unlike some traditional UNIX variants, Linux users can have many secondary groups active at all times, which can be set to any group(s) you need.

Users and Groups Module Configuration

Unlike most module configuration pages, the Users and Groups module configuration contains a number of options that impact the usage and usefulness of the module significantly. While most other modules only use the module configuration to specify paths to files, display characteristics, etc., the Users and Groups module specifies many defaults that are used when creating new users.

Before and After Commands

This section includes fields for specifying commands you want to run before and after changes are made. This option allows things like a NIS make to be run after adding a user. If more than one command needs to be run, it is trivial to write a simple shell script to execute any commands that you need to run.

Webmin provides access to a number of variables within the local environment in which the command is run. This allows you to construct a command that includes the username, UID, generated password, and so on. For example, to email a notice to the system administrator when a new user is created, which contains the username and password, you could use the following:

[ "$USERADMIN_ACTION" = "CREATE_USER" ] && echo "Created user $USERADMIN_USER with password $USERADMIN_PASS" | mail -s "New User" root

While shell scripting is beyond the scope of this book, I will point out a few things about how this command works. Using the environment variables set by Webmin when the user is created, the comparison within the test operators ([ and ]) checks whether the command is being executed after a user creation, rather than after a change to an existing user. If it is a newly created user, an email is sent to root containing the username and password. Treat this as an illustration of the mechanism rather than a recipe: a plain-text password sent by mail sits in mail spools and travels unencrypted, so in practice notify the administrator without the password and deliver the password to the user out of band. Below is a list of the variables exported and what they contain:

Environment Variables Exported When Saving a User

The following environment variables are always set whenever a user is created or modified:

USERADMIN_USER

The username of the user being edited. A user must have a username, and it must be unique.

USERADMIN_UID

The user ID of the user being edited. Every user must have a UID. The UID is not required to be unique, but there is rarely any reason for it not to be unique. Permissions are applied to files based on UID rather than username, so changing this will effectively change a user's permissions to that of the new UID.

USERADMIN_REAL

The real name of the user. This is not a necessary field in the passwd file, and so may be empty.

USERADMIN_SHELL

This variable contains the path and name of the shell for this user.

USERADMIN_HOME

The path to the user's home directory.

USERADMIN_GID

This variable will contain the primary GID of the user.

USERADMIN_SECONDARY

This variable will contain a comma-separated list of secondary groups the user belongs to.

USERADMIN_PASS

If the password has been changed by entering a plain text password into the password field, the new password will be contained in this variable. If the password is unchanged or pre-encrypted, the variable will be empty.

USERADMIN_ACTION

This variable contains the Webmin action being run that led to a user change. If the user is a new user being created, the variable will contain 'CREATE_USER,' while if it is an existing user being altered the value will be 'MODIFY_USER.'
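The following script is an added example, not code from the book or from Webmin, of what a more careful "command to run after making changes" looks like. It consumes the USERADMIN_* variables listed above, records the action through logger (assumed to be installed) or a log file of my choosing, runs the NIS map rebuild (assumed to live in /var/yp) only on creation, and deliberately never writes USERADMIN_PASS anywhere. The functions are separated from the entry point so the record format can be checked without sending mail.

```bash
#!/bin/sh
# Hook for the Users and Groups "command to run after making changes" field.
# It reads the USERADMIN_* variables Webmin exports and never logs USERADMIN_PASS.

# Build the one-line audit record for the action in progress. Output:
# "<action> user=<name> uid=<uid> gid=<gid> home=<dir> shell=<shell> groups=<list>"
useradmin_record() {
    case "${USERADMIN_ACTION:-}" in
        CREATE_USER|MODIFY_USER) ;;
        *) echo "unknown action: ${USERADMIN_ACTION:-<unset>}" >&2; return 1 ;;
    esac
    # Refuse to record an empty username or a non-numeric UID.
    case "${USERADMIN_USER:-}" in '') echo "USERADMIN_USER is empty" >&2; return 1 ;; esac
    case "${USERADMIN_UID:-x}" in *[!0-9]*) echo "bad UID: ${USERADMIN_UID:-<unset>}" >&2; return 1 ;; esac
    printf '%s user=%s uid=%s gid=%s home=%s shell=%s groups=%s\n' \
        "$USERADMIN_ACTION" "$USERADMIN_USER" "$USERADMIN_UID" \
        "${USERADMIN_GID:-?}" "${USERADMIN_HOME:-?}" "${USERADMIN_SHELL:-?}" \
        "${USERADMIN_SECONDARY:-none}"
}

# The NIS map rebuild is only needed when a user is created.
needs_nis_make() {
    [ "${USERADMIN_ACTION:-}" = "CREATE_USER" ]
}

# True when Webmin handed us a plain-text password (i.e. one was typed or generated).
password_present() {
    [ -n "${USERADMIN_PASS:-}" ]
}

# Entry point used when Webmin invokes the script.
main() {
    rec=$(useradmin_record) || exit 1
    # logger(1) is assumed; syslog is a better home for this than a mail spool.
    if command -v logger >/dev/null 2>&1; then
        logger -t webmin-useradmin -- "$rec"
    else
        printf '%s\n' "$rec" >> /var/log/webmin-useradmin.log   # assumed log path
    fi
    if needs_nis_make; then
        # Notify root without the password; the user receives it out of band.
        printf 'Account %s created via Webmin; password not included.\n' "$USERADMIN_USER" \
            | mail -s "New user $USERADMIN_USER" root
        [ -d /var/yp ] && make -C /var/yp    # assumed NIS map directory
    fi
}

# Run main only when Webmin has set the action variable; sourcing the file
# otherwise just defines the functions and has no side effects.
if [ -n "${USERADMIN_ACTION:-}" ]; then
    main
fi
```

Install it as an executable file and put its path in the "after" command field; everything in the record comes from the exported variables, so a failed or unknown action produces a message on stderr and a non-zero exit rather than a misleading log line.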

Home Directory Options

When creating a new home directory for a user, or when modifying an existing user's home directory, Webmin can be customized to suit many different environments. The following options specify details about home directory creation and modification:

Permissions on new home directories

New directories for users will be created with the permissions specified here. The default is 0755: the owner can list the directory, create and delete entries in it, and traverse it, while group members and all other users can list and traverse it (whether they can then read a particular file depends on that file's own permissions). In a webhosting environment, this looseness is often necessary so that the web server can reach a user's document root. In most business environments, however, these permissions are unacceptably lax. A better choice is 0700 or 0711. The former lets no one but the owner (and root) list or enter the directory, while the latter permits other users to pass through the directory without being able to list it, so a subdirectory that the user intends to share with others can still be reached by its path.

Copy files into new home directories from

When creating new UNIX users, it is customary to provide a base set of configuration files to set up sensible defaults for the shell, desktop settings, path and other environment variables, and any local configuration details that would make the user's life more convenient. For example, on a machine used primarily for development, it is likely that the CVSROOT environment variable will be set on login. Similarly, a desktop machine will have icons to make it easier for the user to locate the files they need to use in day-to-day work. This directory is usually /etc/skel, where skel is short for skeleton, but it can be any directory. Because everything in it is copied into every new home directory, keep it free of anything sensitive and check its contents when you inherit a system.

Automatic home directory base

Webmin can automatically set the home directory path for you if automatic directory creation is selected. This option allows you to specify the location of the home directory. There is rarely a good reason to stray from the tradition of using /home for this purpose.

Automatic home directory style

In most environments, the traditional home directory naming scheme of /home/username is perfectly acceptable, but in some large-scale networks, the number of users would make managing such a directory cumbersome. So administrators have resorted to breaking down the username distribution in various ways to permit easier home directory maintenance. Webmin supports several such alternate name distributions, specifically: /home/u/username, /home/u/us/username, and /home/us/username.

New User Options

The following options specify the defaults and restrictions Webmin will use when creating new users:

Lowest UID for new users, Lowest GID for new groups

Most UNIX systems reserve the lower-numbered user ID and group ID numbers for special system accounts like root, syslog, and nobody. Because these accounts usually have special permissions, it would be dangerous to give a new user one of the reserved numbers by accident. Many older UNIX systems use UID and GID numbers from 0 to 100 for system accounts; Red Hat-era Linux distributions reserved 0 through 499, and Debian and most current distributions reserve 0 through 999. The system's own floor is recorded as UID_MIN and GID_MIN in /etc/login.defs, and the values here should match it so that Webmin and the command-line tools agree. Specifying the appropriate number makes it impossible to accidentally assign a special UID or GID to a new normal user. Some environments may have other numbering schemes for which this feature can also be helpful.

Create new group for new users?

Many modern UNIX systems use a scheme wherein every user has a primary group named after themselves. On a system that supports a large number of simultaneous secondary groups, this makes it possible to use permissions in very flexible ways. If your system supports this, it is useful to select Yes here, and Webmin will automatically create the new group for you. Older-style UNIX systems may use a generic users group for this purpose, in which case this option should be set to No.

Don't use MD5 passwords if missing perl MD5 module?

If MD5 passwords are the default on your system, Webmin can use them both for authentication and when creating new users or changing passwords. If this is set to Yes and the Perl MD5 module is not installed, Webmin will fall back to the older DES-based crypt function, which silently truncates passwords to eight characters and is far weaker. Note that MD5 crypt (hashes beginning with $1$) is itself obsolete: current Linux distributions default to SHA-512 ($6$) or yescrypt ($y$), as set by ENCRYPT_METHOD in /etc/login.defs or the PAM configuration, and the hash type Webmin writes should match whatever the rest of the system uses.

Check for sendmail alias clashes?

When creating a new user, it is possible that there might already be an alias for the new username in the sendmail aliases file. The result of this clash would be that the new user would not receive mail; instead, the mail would be delivered to whatever user or program the alias points to. If this option is selected, Webmin will warn about any clashes that exist.

Only delete files owned by user?

When removing a user, Webmin can remove the user's home directory and all of its contents. If this option is enabled, it will remove only those files that are owned by the user. Any files in the user's home directory that are owned by another user on the system will not be removed, and the home directory and any subdirectories containing such files will be retained. This option may be useful if the user shares a portion of his or her home directory for use by others in group projects.

Maximum user and group name length

Here you may specify the longest a user and group name may be. If usernames must be exportable to a system with strict length requirements, you may have to place a limit here. For example, some old UNIX systems and legacy print- and file-sharing systems had eight- or even six- character username limits. Most modern systems have much larger hard limits, and so this is rarely necessary.

New User Defaults

The following are new user defaults:

Default primary group for new users

Normally, Webmin will create a user with a primary group appropriate for your system and based on the configuration of the earlier option Create new group for new users?. But if this is specified, Webmin will set the group specified as the primary group for the user. It may be appropriate to use this feature in some webhosting environments. Usually, however, if your system supports flexible secondary groups, you shouldn't need to use this option.

Default secondary groups for new users

You may add any number of secondary groups here, separated by spaces. Modern UNIX systems support multiple simultaneous secondary groups, although some older systems have more primitive support for secondary groups.

Note 

Secondary groups are a very flexible way to utilize UNIX filesystem permissions to provide limited access to parts of the system. For example, if I needed to provide access to a shared ftp directory to all users, so everyone could drop off files in the directory but couldn't delete or modify each other's files, I could create an ftpusers group. Then I would set the public FTP directory to be owned by ftp:ftpusers, with write access for both the owner and the group, world read access, and the sticky bit set (mode 1775). The sticky bit matters: deleting or renaming a file is governed by write permission on the directory, not on the file, so without it any member of ftpusers could remove anyone else's uploads. Finally, any user who needed to be able to drop files into the directory could be added to the ftpusers group. Each user would be able to write and delete their own files but no one else's files.
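As an added example (not from the book), the following shell functions set up the drop-off directory described in this note and audit the two permission mistakes discussed in this section: a group-writable shared directory without the sticky bit, and home directories that other users can list. The paths, user and group names are constructed for the example; the ownership step is skipped when the script is not run as root, and GNU stat and find are assumed.

```bash
#!/bin/sh
# Shared drop-off directory creation and home directory permission checks.
# All paths and names below are constructed for the example.

# make_dropbox DIR OWNER GROUP: owner and group may write, setgid (2000) makes
# new files inherit the group, sticky (1000) stops members deleting or renaming
# each other's files. Mode 3775 = sticky + setgid + rwxrwxr-x.
make_dropbox() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir" || return 1
    # chown needs root; unprivileged callers (and the test) keep their own ownership.
    if [ "$(id -u)" -eq 0 ]; then chown "$owner:$group" "$dir" || return 1; fi
    chmod 3775 "$dir"
}

# mode_of PATH: octal mode including the special bits, e.g. 3775 (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# unsticky_group_writable ROOT: group-writable directories under ROOT that lack
# the sticky bit, where any group member can delete any other member's files.
unsticky_group_writable() {
    find "$1" -type d -perm -g+w ! -perm -1000
}

# exposed_homes HOMEBASE: home directories that group or other can list.
# 0711 homes are traversable but not listable, so they are not reported.
exposed_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -g+r -o -perm -o+r \)
}

# Demonstration on a scratch tree.
demo=$(mktemp -d)
make_dropbox "$demo/dropbox" "$(id -un)" "$(id -gn)"
mkdir -p "$demo/homes/alice" "$demo/homes/bob"
chmod 0755 "$demo/homes/alice"   # listable by everyone
chmod 0711 "$demo/homes/bob"     # traversable only
printf 'dropbox mode: %s\n' "$(mode_of "$demo/dropbox")"
printf 'exposed homes: %s\n' "$(exposed_homes "$demo/homes")"
printf 'unsticky group-writable: %s\n' "$(unsticky_group_writable "$demo")"
rm -rf "$demo"
```

On a real host run exposed_homes against the automatic home directory base from the module configuration and unsticky_group_writable against wherever project directories live; a 0755 home created before the permission option was tightened is exactly what the first check turns up.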

Default shell for new users

Most UNIX systems usually have at least two user shells available. The most common are bash, Bourne sh, cshell, ash, and kshell. While experienced users always have a preference, for most users any reasonably functional shell will be fine. The system default is probably what your users will expect, so it is the best choice in most cases. On Linux systems bash is usually the standard shell, while on Solaris the Bourne sh is the default. Because most shells are available on most operating systems, you have much flexibility in your choice if you need it.

Default minimum days for new users, Default maximum days for new users

If password timeouts are supported on your system, this option allows you to specify the default minimum and maximum number of days between password changes. As discussed earlier, a policy enforcing password timeouts is an important part of a good security policy. If your OS supports them, it is wise to use them.

Default warning days for new users

The system can warn users when they log in through a terminal if an enforced password change is approaching within the number of days specified here.

Default inactive days for new users

Once a password has expired (the maximum days above have elapsed), the user has this many further days in which they may still log in and change it. After that the account is locked, and only a system administrator will be able to re-enable it.

Display Options

The following options configure how the user and group information will be displayed for the system user and group list page, as well as the edit user and group pages:

Maximum number of users to display

If there are more users than the number specified here, Webmin will display a search dialog allowing you to see only the users you need to see.

Sort users and groups by

Webmin will sort the users and groups according to the selection here. The default is not to sort the names, and simply list them in the order they appear in the passwd and group files.

Number of previous logins to display

When viewing the login history of a user using the Display logins by option, this option specifies how many previous logins will be displayed. Unlimited means Webmin will display all logins that exist in the log file. Because logs are rotated at some interval, you will never see logins older than the last log rotation.

Display users and groups by

Depending on the number of users you have, and how much information you need to see on the front page, you may wish to display them by name only, or display them categorized by primary group. Displaying by name only can allow a much larger number of names to appear on screen at once and may be more convenient than the default in environments with hundreds or thousands of users.

Conceal plain-text password?

If selected, the Normal password field in the Edit User and Create User pages will display * marks in place of the characters typed. If set to No, the typed characters will be displayed. It may be a security risk to leave this option disabled, if user passwords will be entered or changed in the presence of others.

Get user and group info from

Webmin can usually gather user and group information using standard system calls. In some operating systems this may not work, or may not work as expected. In such cases, you can configure Webmin to draw the information from the appropriate files on the system. This doesn't need to be changed from its defaults by the vast majority of users, as the Webmin default is usually right for your system.

Generate password for new users?

If selected, new users will be assigned a random password when created. This password will be visible in the password entry field on the Create User page if Conceal plain-text password? is set to No.

Show office and phone details?

Webmin can use the comment field in the /etc/passwd to store phone numbers and office information. If this option is selected, it displays the information when you view the user details. Modern implementations of the finger command can also display this information.

Display user email from

Webmin can be used to send and receive mail by users who have access to the mail module. This option should be set to your active mail server. If using Postfix, choose the sendmail option, because it uses the same mailbox format and locations.

Password Restrictions

The following options specify the restrictions that Webmin will place on passwords when creating a new user, or modifying an existing user password:

Minimum password length

When users change their passwords through the Webmin interface, it is possible for Webmin to enforce a minimum password length. Six characters was the traditional floor; if security is at all a concern, require at least eight (the minimum NIST SP 800-63B recommends for user-chosen passwords), and longer is better. Shorter passwords are easier to guess and fall faster to a brute force attack. Operating systems still using the older DES-based crypt mechanism silently ignore everything after the eighth character, so a longer minimum buys nothing there; MD5 ($1$), SHA-512 ($6$) and yescrypt ($y$) hashes have no such limit.

Prevent dictionary word passwords?

Because a common method of attack against computer systems is to attempt logins using passwords pulled from a dictionary file, it is often wise to require passwords that do not match words in the system dictionary. This option will cause Webmin to display an error message if a user chooses a password found in the dictionary.

Perl regexp to check password against

Here you may enter any Perl regular expression against which you would like passwords to be compared. For example, if you fear your users will often choose the company name, or the name of a local sports mascot, for their password, you may create a regular expression to match those terms.

Prevent passwords containing username?

Users have a bad habit of choosing really bad passwords. Some even choose their own user name as a password. If enabled, this option will prevent a user from such a mistake. Unfortunately, in current versions of Webmin, it will not make jokes about the lack of intelligence of the user.
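The four restrictions above (length, dictionary, pattern, username) can be checked outside Webmin as well, for instance in a before-command or a helpdesk script. The following is an added example, not Webmin's own implementation: grep -E stands in for the Perl regular expression, the minimum length, the banned-term pattern and the four-word dictionary are all constructed for the example (a real check would read /usr/share/dict/words), and the function prints every rule the password breaks rather than stopping at the first.

```bash
#!/bin/sh
# Password policy checks mirroring the module's Password Restrictions options.
# Thresholds, pattern and word list are constructed for this example.

MIN_LEN=${MIN_LEN:-8}
# Terms the site does not want in passwords (the company name, the local mascot).
# Extended regex, matched case-insensitively; both terms are made up.
BANNED_RE='acme|wildcats'

# Tiny stand-in for the system dictionary (normally /usr/share/dict/words).
DICT=$(mktemp)
trap 'rm -f "$DICT"' EXIT
cat > "$DICT" <<'EOF'
password
welcome
seymour
letmein
EOF

# check_password USER PASSWORD: prints each violated rule, returns 1 if any.
check_password() {
    user=$1; pass=$2; bad=0
    lower=$(printf '%s' "$pass" | tr 'A-Z' 'a-z')
    ulower=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    if [ "${#pass}" -lt "$MIN_LEN" ]; then
        echo "too short: ${#pass} < $MIN_LEN"; bad=1
    fi
    # Dictionary: whole-line, case-insensitive, fixed-string match.
    if grep -qixF -- "$pass" "$DICT"; then
        echo "dictionary word"; bad=1
    fi
    # Site pattern: any substring match against the banned regex.
    if printf '%s' "$pass" | grep -qiE -- "$BANNED_RE"; then
        echo "matches banned pattern"; bad=1
    fi
    # Username: the password must not contain the login name in any case.
    if [ -n "$ulower" ]; then
        case "$lower" in *"$ulower"*) echo "contains username"; bad=1 ;; esac
    fi
    return $bad
}

# Demonstration for the user seymour.
for p in 'Tr0ub4dor&3x' 'welcome' 'MySeymour99' 'acmeRocks2024'; do
    if out=$(check_password seymour "$p"); then
        printf '%-16s accepted\n' "$p"
    else
        printf '%-16s rejected: %s\n' "$p" "$(printf '%s' "$out" | paste -sd ';' -)"
    fi
done
```

The fixed-string dictionary match (-F) is deliberate: a password containing regex metacharacters must not be interpreted as a pattern, or it could match (or fail to match) the wrong words.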

System Configuration

The following options specify the locations of the system user and group information files:

Password file

The password file is the location of the list of users, and it contains information about their home directory, their login shell, and their primary group. Usually, this is /etc/passwd. On modern systems this file does not contain user passwords. Passwords usually reside in the shadow file.

Group file

The group file is the location of the file that contains the names and membership information of groups on the system. Usually, this is /etc/group.

Shadow password file

The shadow password file is the file that contains the actual password hashes. It is readable only by root (and, on some systems, a dedicated shadow group), and therefore is a more secure location than /etc/passwd, because the password file must be readable by everyone for commands like ls -l and finger to map IDs to names. Usually, this is /etc/shadow.

BSD master password file

Much like the shadow password file on Linux and some other UNIX variants, the BSD master password file is only readable by root and is usually the location of passwords on a BSD system rather than the /etc/passwd file. This is usually /etc/master.passwd.

Shadow group file

If group passwords are in use on a system that supports shadow passwords, there will be a group shadow password file in addition to the shadow password file. This is usually named /etc/gshadow.
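The protection these files offer depends entirely on their modes, which a package upgrade, a careless chmod -R, or a restore from backup can undo. As an added check (not part of the book or of Webmin), the following script verifies that the public files stay world-readable but not writable, that the shadow files are closed to others, and that all of them belong to root. It assumes GNU stat; the expected profiles are my own summary of the conventions described above.

```bash
#!/bin/sh
# Verify the modes and ownership of the account database files.
# "public": others may read, nobody but the owner may write (passwd, group).
# "secret": others have no access, group may not write (shadow, gshadow, master.passwd).

# mode_ok FILE PROFILE: prints a reason and returns 1 when the file is wrong.
mode_ok() {
    f=$1; profile=$2
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    m=$(stat -c '%a' "$f")
    perms=$(printf '%s' "$m" | tail -c 3)      # drop any setuid/setgid/sticky digit
    group=$(printf '%s' "$perms" | cut -c2)
    other=$(printf '%s' "$perms" | cut -c3)
    case $profile in
        public)
            [ $((other & 4)) -eq 4 ] || { echo "$f: not world-readable ($m)"; return 1; }
            [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ] \
                || { echo "$f: writable by group or other ($m)"; return 1; }
            ;;
        secret)
            [ "$other" -eq 0 ] || { echo "$f: others have access ($m)"; return 1; }
            [ $((group & 2)) -eq 0 ] || { echo "$f: group-writable ($m)"; return 1; }
            ;;
        *) echo "unknown profile $profile"; return 1 ;;
    esac
    return 0
}

# owned_by_root FILE: every one of these files should belong to UID 0.
owned_by_root() {
    [ "$(stat -c '%u' "$1")" -eq 0 ]
}

# Run the checks over whichever of the usual files exist on this host.
for spec in /etc/passwd:public /etc/group:public \
            /etc/shadow:secret /etc/gshadow:secret /etc/master.passwd:secret; do
    f=${spec%:*}; p=${spec#*:}
    [ -e "$f" ] || continue
    if mode_ok "$f" "$p" && owned_by_root "$f"; then
        echo "$f: ok"
    else
        echo "$f: not owned by root or mode wrong"
    fi
done
```

A 0640 root:shadow /etc/shadow (Debian) and a 0000 root:root one (Red Hat) both pass the secret profile; a 0644 shadow file, which is the common mistake after a careless restore, does not.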

Creating a New User

Creating a user with Webmin is a simple task. The steps can be simplified further through careful configuration of the module to set up users to suit your environment. Webmin can create a user manually, or it can import a text file list of new users or users to modify in an automated batch mode. This can be used, for example, to migrate an existing user list from a legacy system. Batch mode can also be useful for large organizations with a constantly shifting user base, such as a university or military installation.

To create a user manually, click the Create a new user link. Fill in the appropriate details. If you've chosen your defaults in the module configuration wisely, you should be able to get away with entering just a few details for each user. In Figure 5-12 below, I've added a few extras just to make the example more interesting.

Figure 5-12: Creating a new user

A username is always necessary, and because our user's name is Seymour, I've given him the username seymour. I've let Webmin choose the UID for me, which is the next available UID on the system above the minimum that is set in the module configuration. I've also entered Seymour's real name and his work telephone number. The password that appears in the normal password text entry box was selected at random by Webmin. It appears secure enough to me, so we'll leave that one alone. In the password options section, I've specified some reasonable timeout information. Finally, I've selected for Seymour to be a member of the users group, because I think he will be involved in many group projects that require him to be able to share files with co-workers easily.

Create User and Edit User Options

When creating a new user or editing an existing user, the following options are available:

Username

This is simply the username under which the user will log in. UNIX has a long tradition of using all lowercase letters for usernames, but capitalized names will work if you feel a strong urge to go against 30 years of tradition. Stick to letters and digits, beginning with a letter, with no spaces or other special characters; Linux's useradd also accepts underscores and non-leading hyphens, but not every program that parses usernames does. Names must be unique.

User ID

The user ID is usually chosen automatically by Webmin, although you may enter a specific UID instead.

Note 

Recycling a UID or GID, i.e., reusing a deleted user's old ID, can be dangerous, because file ownership is maintained at the OS level by the UID and GID number of the file rather than the name of the user. Thus if you create a new user with an old user's UID or GID, and any files remain on the system owned by the previous user, the new user will have access to the files at the same level as the old user. There are reasonably reliable methods of locating such file permission problems using the find command, although it is beyond the scope of this book. A better choice is to never delete old users. Instead, disable their account by turning off logins, and if the user will never need to be re-enabled you may delete their home directory and other files. By doing this you ensure that Webmin will never reuse an old ID, unless you force it to.
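The following is an added example, not from the book, covering both the "Lowest UID for new users" option and the note above: it reports UIDs shared by more than one account, accounts below the UID floor that still have a real shell, and, before a UID is reused, the files still owned by that number (or by no known user at all). The passwd content is constructed; the UID floor is read from UID_MIN in /etc/login.defs where that file exists and otherwise falls back to the Red Hat-era 500 mentioned above. The find searches are restricted to one filesystem with -xdev and should be repeated per mount point on a real host.

```bash
#!/bin/sh
# UID hygiene checks on a passwd-format file, plus the file search to run
# before a UID is recycled. The passwd content below is constructed.

PASSWD=$(mktemp)
trap 'rm -f "$PASSWD"' EXIT
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
operator:x:11:0:operator:/root:/bin/sh
seymour:x:1001:1001:Seymour:/home/seymour:/bin/bash
slim:x:1002:1002:Slim:/home/slim:/bin/bash
intern:x:1001:1001:Intern:/home/intern:/bin/bash
EOF

# uid_min: the floor for ordinary accounts, from login.defs when readable.
uid_min() {
    v=$(awk '$1=="UID_MIN"{print $2}' /etc/login.defs 2>/dev/null)
    echo "${v:-500}"
}

# duplicate_uids FILE: "UID: name name..." for every UID held by several accounts.
duplicate_uids() {
    awk -F: '{n[$3]++; who[$3]=who[$3] " " $1}
             END{for (u in n) if (n[u]>1) print u ":" who[u]}' "$1" | sort
}

# privileged_with_shell FILE MIN: accounts below MIN whose shell is not
# nologin or false; system accounts should not be interactive.
privileged_with_shell() {
    awk -F: -v min="$2" '$3 < min && $7 !~ /(nologin|false)$/ {print $1 ":" $3 ":" $7}' "$1"
}

# uid_assigned FILE UID: exit 0 if any account in FILE holds UID.
uid_assigned() {
    awk -F: -v uid="$2" '$3==uid {found=1} END{exit !found}' "$1"
}

# files_owned_by_uid UID PATH: what a recycled UID would inherit.
files_owned_by_uid() {
    find "$2" -xdev -uid "$1" 2>/dev/null
}

# orphaned_files PATH: files whose owner or group no longer exists in the
# account database, i.e. leftovers from already-deleted users.
orphaned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# Demonstration on the constructed file.
echo "UID floor: $(uid_min)"
echo "duplicate UIDs:"; duplicate_uids "$PASSWD"
echo "low UIDs with a login shell:"; privileged_with_shell "$PASSWD" "$(uid_min)"
```

The toor entry is the classic case the duplicate check exists for: a second UID 0 account is root under another name, and nothing in Webmin's user list makes that obvious at a glance.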

Office, Work phone, Home Phone, Extra options

The UNIX passwd file has a comment field that may be used for mostly free-form text entry. Many programs, however, have standardized on a few comma-separated field values for the comment. For example, running the finger command on a username that has provided these extra fields will result in these numbers being displayed in addition to the usual information, such as recent logins. The Extra options field may be used on some systems to configure the initial umask, nice level, and ulimit values for the user.

Home directory

Users on a UNIX system generally have a directory that belongs to them called their home directory. Within their home directory, a user may read, write, delete, or execute files with no permission restrictions. Quotas may limit the amount of space available to the user, but the user can otherwise work unrestricted in their home directory. The UNIX tradition places home directories on a filesystem mounted at /home, with each user's home directory named after their own username within it. For example, if our system has a user named slim it would not be unreasonable to expect his home directory to be /home/slim. As discussed previously, if you let it, Webmin will select the home directory for you based on the policy selected in the module configuration.

Shell

UNIX has a very long and diverse history and has seen the rise of a number of similar tools for any given task. Nowhere is this more evident than in the proliferation of command shells that have been developed. Today, the most popular shells are bash or the Bourne Again Shell, csh or C shell, and kshell or the Korn shell. Many other shells are also in use, including traditional sh or the original Bourne shell, ash, zsh, and many others. The choice of what shell to use is highly personal, though most average users will never know the difference between them. Leaving this at the OS default is probably wise, barring any strong reasons to choose otherwise. New users will learn whatever shell is provided for them, while experienced users will know how to choose an alternate shell for themselves.

Scattered amongst the real user shells are a number of shell replacements, which provide the ability to lock out a user or the ability to create special users to perform certain tasks remotely. Depending on the OS, you may have a nologin or false shell option, which simply closes the connection when the user attempts to log in. Other possibilities include shutdown, which will cause the system to shutdown when the user logs in, assuming the user has appropriate permissions to shut down the system. Similarly, the sync user will run the sync command to cause all disks to flush unwritten data. This could be used in anticipation of a shutdown or as a means to ensure some important data has been committed to disk. sync is not in common use today, because modern UNIX systems automatically sync disks when shutting down.

No password required

This option means that the user need not provide a password to log in. You don't want this option for any user that has shell access, as it means anyone who can reach a login prompt or run su can become the user. Whether an empty password is actually accepted also depends on the PAM configuration (the nullok option on pam_unix) and, for SSH, on PermitEmptyPasswords in sshd_config; both should stay off.

No login allowed

If set to this option, the system will never allow a user to log in under this username. This is often used for system users, like the syslog or nobody users. It is also used to lock an account, temporarily or permanently, without deleting it. This helps prevent accidental reuse of a user and group ID, which can have security implications.

Normal password

Here you may enter a new password for the user in plain text. If creating a new user, and you have configured Webmin to generate a password automatically, it will be prefilled with the generated password. If the configuration is set to hide plain-text passwords, the letters of the password will be replaced with asterisks. Existing passwords will never appear in this field, as the encryption used by the system is a one-way hash. There is no way, short of a brute force or dictionary attack, to recover a plain-text password from the hash.

Pre-encrypted password

If a password exists for this user, either in crypt or MD5 hash format, it will appear in this field. If you are importing UNIX users from an existing UNIX system, you may simply copy the hash verbatim into this field. In most cases, the old password will continue to work on the new system, provided the destination's crypt supports the hash type: the prefix identifies it ($1$ MD5, $6$ SHA-512, $y$ yescrypt, no prefix for traditional DES), and a hash the new system cannot verify locks the user out until the password is reset. If importing many users, it may be more efficient to use the batch user creation feature instead of adding each user manually.

Note 

As the Password options and Group Membership options have already been covered in the module configuration section they will not be covered again here.

Upon Save . . .

When saving user information, Webmin can be configured to perform additional actions, based on the following configuration options:

Move home directory if changed?

If selected, and you have modified the value of the Home directory field, the path of the user's home directory will be altered to the new location. If unselected, the contents of the old home directory will remain unaltered. The default is Yes.

Note 

Webmin attempts to rename the home directory rather than copy its contents. Because of this, the change must occur on the same filesystem, otherwise the change will fail.

Change user ID on files?, Change group ID on files?

If you have altered the user's User ID field and/or Group ID field, and these options are enabled, Webmin will change the user or group ownership of the selected files to the new UID or GID. If you have selected Home directory, only files within the user's current home directory will have ownership altered, while the All files option will change ownership of all files on the system that are currently owned by the user. Changing all files may take a very long time, depending on the size of the filesystems to be searched, and it will miss files on filesystems that are not mounted at the time, so check those separately.

Modify user in other modules?

Because a UNIX system may maintain more than one user and password database for various services, Webmin provides a means to synchronize passwords and user creation across multiple files. For example, Samba and Squid may have their own user files and if configured to synchronize, Webmin will make changes to those files automatically when changes are made to system users. If this option is selected, changes made here will be made to all other modules that are configured for user synchronization.

Creating or Editing a Group

Groups are used in UNIX to provide means of providing access to common resources to more than one user. For example, if a group of users is working on the same project, the directories and files for that project can be owned by a common group that has read and write access. Modern UNIX systems use a two layered approach to groups, including a single Primary group and some number of Secondary groups, also called supplementary groups. When a user creates a new file, the ownership will probably default to the user and her primary group. The default group membership of newly created users varies quite a bit between OS vendors and versions. Most modern UNIX versions create a new group whenever a new user is created that shares a name with the user. This becomes the primary group of the user. Because modern systems support a large number of Secondary groups transparently, this provides a very flexible means of configuring permissions. Many UNIX variants that have been around longer than Linux, like Solaris and the BSD-derived systems, may set the Primary group of new users to a users group or something similar.

Note 

Linux raised its per-process group limit (NGROUPS_MAX) to 65536 in the 2.6 kernel series, and most other recent UNIX systems support at least 32 groups per user. However, the traditional NFS AUTH_SYS credential carries only 16 GIDs, so a user in more than 16 groups may be denied access to NFS-mounted files even though local access works. Sites that depend on NFS therefore keep users within 16 groups, or have the server look membership up itself (the --manage-gids option of rpc.mountd on Linux) rather than trusting the client's list. There are very rarely circumstances that require more than 16 groups, but it is usually possible to use more if the system will not be exporting or using NFS-mounted filesystems.

Creating or editing a group (Figure 5-13) is performed by clicking the Create a new group link or clicking the name of an existing group in group list.

Figure 5-13: Editing a group

Group Details

When creating a new group or editing an existing group, the following options are available:

Group name

Like the username, this is a unique alphanumeric identifier. The name must follow the same rules as usernames, so must start with a letter and contain no non-alphanumeric characters. If editing the group, the name will be shown but cannot be edited.

Group ID

This is the numeric identifier that the system uses to identify this group. It is not necessary for this ID to be unique, but there is very rarely a reason to have multiple groups with the same GID. When creating a new group, Webmin can select a new unused ID for you.

Password

A little known and even less used feature of groups under most UNIX variants is that they can have a password just like users. When using this option, a user who normally is not part of a group can switch into the group using the newgrp command and providing the password. The hash is stored in the shadow group file where one exists; without one it lands in /etc/group, which is world-readable, and is then exposed to offline guessing. Because of the flexibility now available with the supplemental groups system, this feature is rarely used, but is still widely available.

Members

This field lists all current members of the group and allows adding any number of new members. The ... browse button allows you to choose from a selector popup containing all existing users. Note that this field, like /etc/group itself, shows only supplementary membership: a user whose primary group is this one belongs to it through the passwd file and does not appear in the list.
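Because of that split, "who is in the wheel group" cannot be answered from the group file alone. The following is an added example, not part of the book or of Webmin, that computes the effective membership of a group from constructed passwd and group files by taking the union of the supplementary members in the group file and every account whose primary GID is that group. On a live host feed it `getent passwd` and `getent group` output instead of the flat files, since users may also come from NIS or LDAP.

```bash
#!/bin/sh
# Effective group membership: supplementary members from the group file plus
# primary members found through the passwd file. Both files are constructed.

PW=$(mktemp); GR=$(mktemp)
trap 'rm -f "$PW" "$GR"' EXIT
cat > "$PW" <<'EOF'
root:x:0:0:root:/root:/bin/bash
seymour:x:1001:100:Seymour:/home/seymour:/bin/bash
slim:x:1002:1002:Slim:/home/slim:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
EOF
cat > "$GR" <<'EOF'
root:x:0:
wheel:x:10:slim
users:x:100:slim
ftpusers:x:50:seymour,slim
slim:x:1002:
EOF

# gid_of GROUPNAME: numeric GID from the group file, exit 1 if absent.
gid_of() {
    awk -F: -v g="$1" '$1==g {print $3; f=1} END{exit !f}' "$GR"
}

# members GROUPNAME: sorted, de-duplicated union of the group file's member
# list (field 4) and every passwd entry whose primary GID (field 4) matches.
members() {
    gid=$(gid_of "$1") || return 1
    {
        awk -F: -v g="$1" '$1==g && $4!="" {n=split($4,a,","); for (i=1;i<=n;i++) print a[i]}' "$GR"
        awk -F: -v gid="$gid" '$4==gid {print $1}' "$PW"
    } | sort -u
}

# in_group USER GROUPNAME: exit 0 if USER is an effective member.
in_group() {
    members "$2" | grep -qxF -- "$1"
}

# Demonstration: the users group gains seymour through his primary GID, and
# ftpusers gains the ftp account the same way, neither visible in the group file.
for g in wheel users ftpusers; do
    printf '%-9s %s\n' "$g:" "$(members "$g" | paste -sd ' ' -)"
done
```

The same union is what the kernel applies when it checks permissions, so this is the list to review when a group guards something sensitive (wheel, sudo, docker, a shared project directory) rather than the Members field on its own.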

Upon Save . . .

When saving group information, Webmin can be configured to perform additional actions, based on the following configuration options:

Change group ID on files?

Much like the similarly named option for users, this provides the option to change the group ownership of files in either home directories or all files on the system. Selecting Home directories will cause Webmin to search all user home directories for files owned by this group, and change the group ownership to match the new group ID. Choosing All files will search the entire system, which may take a very long time, depending on the size and speed of the mounted disks. This change does not impact the user ownership of files. A file owned by seymour:users will still be owned by seymour after the change (and still owned by users for that matter, just under a different GID).



The Book of Webmin: Or How I Learned to Stop Worrying and Love UNIX
ISBN: 1886411921
Year: 2006
Pages: 142
Authors: Joe Cooper