Certification Objectives 6.01—Basics of User Accounts

Exam Objective 4.1: Explain and perform Solaris 10 OS user administration, and manage user accounts and initialization files.

Before a user can access and use a system, you need to create an account for that user on the system. A user account contains the identification and the permissions attached to it, which allows the user to access and use the system. After logging on to a system, a user can do things such as accessing files and directories according to the permissions granted to that user by the system administrator. Multiple users who need identical permission can be organized into a group, and the permissions can be granted to the group. A permission granted to a group applies to all the users who are members of the group. This makes security management more efficient. In this section, we will explore the structure of a user account and the files in which the user accounts live. Let's begin with exploring the structure of a user account.

Structure of a User Account

A user is required to have a user account on a system in order to log in and use system resources. A user account contains a set of components, such as the user login name and password. The components of a user account, described in the following sections, are summarized in Table 6-1.

Table 6-1: Components of a user account explained

Component: Description
User login name: A unique name for a user on a system; two to eight characters in length. The characters can be letters and numerals; the first character must be a letter, and at least one character must be a lowercase letter.
Password: A component of a user account that must be kept secret and known only to the user. The user uses it, along with the user login name, to log into the system.
User ID (UID): A required unique integer associated with the user name. The numbers from 0 to 99 are reserved for system accounts. Regular users should be assigned UIDs from 100 to 60,000, but they can go as high as the largest 32-bit signed positive number: 2147483647.
Group name: A collection of users who share the same set of permissions to the resources. The maximum length of a group name is eight characters. A group has a name, a group ID, and a list of users that belong to it.
Home directory: The root of the subtree of the file system that belongs to the user.

Multiple users can be organized into a logical group that has a group name, a group ID (GID), and of course a list of users. A user must belong to exactly one primary group and can belong to a maximum of 15 secondary groups. Any permission for a resource granted to the group applies to each user in the group.

Let's further explore the components of a user account, beginning with the component called user name or login name.

User Name

A user name, also called a login name, is a mandatory component of a user account, which you, the system administrator, create. The user employs the user name and the password associated with it for logging into a local or a remote system. You should establish an organization-wide standard for specifying user names, such as the first letter from the user's first name followed by the last name truncated after seven letters (e.g., opuri for Om Puri, and sspielbe for Steven Spielberg).

On the Job 

You should not use a user name identical to a mail alias known to the system or an NIS domain because it may deliver the user's mail to the alias.

You must exercise the following rules in specifying a user name:

  • Each user name on a system must be unique.

  • A user name should be two to eight characters long, each character being a letter or a numeral.

  • A user name should begin with a letter, and it should contain at least one lowercase letter.

Exam Watch

Although allowed, it is not recommended to include a period (.), an underscore (_), or a hyphen (-) in the user name because these characters can cause problems with some software products.


In order to log in to a system, a user needs a password in addition to a login name. Let's take a closer look at the password component.

Password

A password is a secret component of a user account that is known only to the user of the account. As a system administrator, you have two choices: specify a password when you create a user, or force the user to specify a password when the user logs into the system for the first time. The following are the rules for specifying a password:

  • The password length, by default, may be six to eight characters long, including letters, numerals, and special characters.

  • The minimum and maximum allowed length mentioned previously may be changed by editing the files /etc/default/passwd and /etc/policy.conf, respectively.

  • The first six characters of a password must contain at least one numeric or special character, and at least two alphabetic characters.

A good password is a tradeoff between two opposing requirements: the password should be easy enough for the user to remember but hard enough to keep a hacker from guessing. With this in mind, here are some general guidelines for choosing a good password:

  • Do not use the word "password" as your password, as it is too trivial to crack even if you replace the character "s" with the symbol $.

  • Avoid the use of proper nouns, login names, the names of a spouse or pet, or anything related to the user that can be easily guessed.

  • Avoid using car license numbers, telephone numbers, employee numbers, and Social Security numbers.

  • Avoid using words related to a hobby or interest.

  • Avoid using any word in the dictionary.

  • Avoid using any of the preceding choices spelled backwards.

  • Words with numbers or special characters embedded in them make good passwords—for example, goofyboys is a bad password but g00fyboy$ is a good one.
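The login-name rules, the default password rules, and the guideline about disguised forms of the word "password" above can be expressed as a small checker. The following Python script is an added example written for this page, not code from the study guide or from Solaris itself. It implements the rules exactly as the text states them, treats the minimum and maximum password length as parameters (the text says the defaults are tunable in /etc/default/passwd and /etc/policy.conf; the script does not read either file), and performs no name-service or mail-alias lookup. The substitution table in is_trivial is a constructed list.

```python
import re
import string

# Rules taken from the text, implemented literally. Assumption: no NIS or
# mail-alias lookup is done here; that is a separate check.
ALLOWED_NAME_CHARS = re.compile(r"[A-Za-z0-9._-]*")  # '.', '_', '-' allowed but discouraged
DISCOURAGED_NAME_CHARS = "._-"


def login_name_problems(name):
    """Return the rule violations for a proposed login name (empty list means it passes)."""
    problems = []
    if not 2 <= len(name) <= 8:
        problems.append("length must be two to eight characters")
    if not ALLOWED_NAME_CHARS.fullmatch(name):
        problems.append("only letters and numerals are allowed")
    if not name[:1].isalpha():
        problems.append("must begin with a letter")
    if not any(c.islower() for c in name):
        problems.append("must contain at least one lowercase letter")
    return problems


def login_name_warnings(name):
    """Characters the Exam Watch note calls allowed but not recommended."""
    return [c for c in DISCOURAGED_NAME_CHARS if c in name]


# Constructed table of substitutions a guesser would simply undo (e.g. "pa$$w0rd").
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def is_trivial(password):
    """True if the password is 'password', forwards or backwards, once substitutions are undone."""
    normalised = password.lower().translate(LEET)
    return normalised == "password" or normalised[::-1] == "password"


def password_problems(password, min_len=6, max_len=8):
    """Check the default password rules; min_len/max_len stand in for the tunable limits."""
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append(f"length must be {min_len} to {max_len} characters")
    head = password[:6]
    letters = sum(c.isalpha() for c in head)
    others = sum(c.isdigit() or c in string.punctuation for c in head)
    if letters < 2:
        problems.append("first six characters must contain at least two letters")
    if others < 1:
        problems.append("first six characters must contain at least one numeral or special character")
    if is_trivial(password):
        problems.append("is the word 'password' in disguise")
    return problems


if __name__ == "__main__":
    for name in ("opuri", "sspielbe", "9abc", "ADMIN", "j.kerry"):
        print(name, login_name_problems(name), login_name_warnings(name))
    for pw in ("goofyboys", "g00fyboy$", "pa$$w0rd", "x7kq2pv"):
        print(pw, password_problems(pw))
```

Note that g00fyboy$, which the guidelines call a good password, is nine characters long and therefore fails the default eight-character maximum; raising max_len, as the tunable the text mentions would, makes it pass.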

Each user account has a user ID, and each group of users has a group ID, both of which we explore next.

User ID and Group ID

The user ID (UID) is a unique integer associated with a user and is used by the system to keep track of the user account. Theoretically speaking, a UID can be any positive integer that fits in a signed 32-bit number (i.e., up to 2^31 - 1 = 2147483647). However, some of these numbers are reserved, as shown in Table 6-2.

Table 6-2: Integers used to specify user ID

UID: Accounts
0–99: System accounts such as root, sys, daemon, and bin.
100–60,000: General-purpose accounts for regular users.
60,000–2,147,483,647: Accounts that do not have full functionality, such as anonymous users.

The numbers from 0 to 99 are reserved for system accounts such as root, daemon, sys, and bin: 0 for root, 1 for daemon, 2 for bin. The accounts with UID number greater than 60,000 do not have full functionality—for example, 60,001 for the anonymous user nobody, 65,534 for the anonymous user nobody4, and 60,002 for the non-trusted user noaccess. A general-purpose user account should be assigned a UID number within the range from 100 to 60,000.

Exam Watch

The maximum value of a UID can be 2^31 - 1. A regular user account has a UID number within the range of 100 to 60,000, and the UID numbers in the range from 0 to 99 belong to the system accounts—for example, the root account has a UID of 0.


Just like a user, a group has an ID too, called the group ID (GID). The rules for the GID numbers are the same as for the UID numbers; a GID on a system should be unique and should not be greater than 60,000.

A user account is created to let the user use the system resources including the file system. The user enters the file system through the home directory, which we explore next.

Home Directory

Users have their own subtrees, which are parts of the whole directory tree on the system. The home directory for a user makes the root of this subtree. The user can access the home directory locally or remotely. The naming convention for the home directory is: /export/home/<username>; thus, a user jkerry on a system will have the home directory /export/home/jkerry.

A user should access the home directory through a mount point /home/<username>. Furthermore, because /export/home/<username> is machine specific, the home directories should always be referred to by the environment variable $HOME in order to use them anywhere on the network. The symbolic links created in the user home directory should use relative paths and not absolute paths to make them independent of the home directory's mount point. In this case, changing the mount point will not invalidate the links.

On the Job 

If you have a large number of user accounts on a server, distribute them over different file systems and use a different name /export/home<n> for each file system holding home directories—for example, /export/home1 on one file system, /export/home2 on another file system, and so on. This facilitates tasks such as backing up and restoring the home directories.

You will learn further on in this chapter how to create user accounts. First, let's explore where the existing user accounts are stored on the system.

Where User Accounts Live

Once a user account has been created, the account information is saved in three files in the /etc directory: passwd, shadow, and group. Let's examine these files one by one.

The passwd File

Most of the information about a user account is stored in the /etc/passwd file. Each line in this file represents a user account and contains multiple fields with the following syntax:

 <username>:<password>:<uid>:<gid>:<comment>:<home directory>:<login shell> 

Any two fields are separated by a colon (:). For example, an entry in the passwd file is explained in Figure 6-1. The fields of an entry in the passwd file are described in Table 6-3.

Table 6-3: Fields of an entry in the passwd file

Field Name: Description
<username>: The unique user name, also called the login name, for the account.
<password>: The user password for this account.
<UID>: A unique user ID number for the user account. Each account has a UID.
<GID>: A unique group ID number for the group to which the user of this account belongs.
<comment>: An optional informational field. You can basically type any information here; usually it contains the user's full name.
<home directory>: Home directory for the user of this account.
<login shell>: The default login shell for the user, such as /bin/sh or /bin/csh.

Figure 6-1: Entry in the /etc/passwd file corresponding to a user account

The default passwd file created by Solaris 10 is shown here.

    root:x:0:1:Super-User:/:/sbin/sh
    daemon:x:1:1::/:
    bin:x:2:2::/usr/bin:
    sys:x:3:3::/:
    adm:x:4:4:Admin:/var/adm:
    lp:x:71:8:Line Printer Admin:/usr/spool/lp:
    uucp:x:5:5:uucp Admin:/usr/lib/uucp:
    nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
    smmsp:x:25:25:SendMail Message Submission Program:/:
    listen:x:37:4:Network Admin:/usr/net/nls:
    gdm:x:50:50:GDM Reserved UID:/:
    webservd:x:80:80:Webserver Reserved UID:/:
    nobody:x:60001:60001:NFS Anonymous Access User:/:
    noaccess:x:60002:60002:No Access User:/:
    nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

On the Job 

The comment field in the passwd file is also called the GECOS field for historical reasons; it was originally used to hold the login information needed to submit batch jobs to a mainframe computer running the operating system called GECOS (for General Electric Computer Operating System) from UNIX systems at Bell Labs.

The default passwd file contains entries for standard processes, also called daemons, that are usually started at boot time to perform system-level tasks such as printing, network administration, and port monitoring. Two adjacent colons (::) in the passwd file represent a blank field. This is also true for other files such as the shadow file and the group file.

If the password for a user is encrypted, the entry in the passwd file contains only an x. The encrypted password along with other user information goes into the shadow file, which we examine next.

The shadow File

The shadow file contains detailed information about the password. The syntax for an entry in the shadow file is similar to that of the passwd file and is shown here:

 <username>:<password>:<lastchg>:<min>:<max>:<warn>:<inactive>:<expire> 

As an example, an entry in the shadow file is explained in Figure 6-2. The fields in the shadow file entries are described in Table 6-4.

Table 6-4: Fields in the /etc/shadow file entries

Field Name: Description
<username>: The unique user name, also called the login name, for the account.
<password>: The user password. May contain one of the following: an encrypted user password 13 characters long, the string *LK* indicating that the account is locked and hence not accessible, or the string NP indicating that this account has no password.
<lastchg>: The number of days between January 1, 1970, and the date when the password was last modified.
<min>: The minimum number of days required between two consecutive password changes.
<warn>: The number of days before the password expiration date when the user is warned.
<inactive>: The number of days for which a user account can be inactive before being locked.
<expire>: The user account expiration date, after which the user will be unable to log into the system using this account.

Figure 6-2: Entry in the /etc/shadow file corresponding to a user account

Remember that the shadow file can be viewed only by a superuser (e.g., the root account).

The /etc/passwd file contains most of the user account information, including a place holder for the password, whereas the detailed password information is contained in the /etc/shadow file. The passwd file and the shadow file contain the user account information, and the group file contains the information about user groups. We discuss the group file next.

The group File

Multiple users can be organized into a group for ease of administration. Entries in the group file contain information about groups. The syntax of an entry in the /etc/group file is similar to an entry in the passwd file and is shown here:

    <group name>:<group password>:<gid>:<user-list> 

As an example, an entry in the group file is shown in Figure 6-3. The fields in a group file entry are described in Table 6-5.

Table 6-5: Fields in the /etc/group file

Field Name: Description
<group name>: The name assigned to the group; maximum length eight characters.
<group password>: Optional field; usually contains an asterisk or is left empty.
<GID>: The group ID number.
<user list>: The list of users who are members of this group; any two members are separated by a comma.

Figure 6-3: Entry in the group file corresponding to a group of users

The group password field is generally not used—that is, it is left empty. It is a legacy from the earlier days of UNIX. If a group does have a group password, the newgrp command will prompt the user to enter the password. However, note that there is no utility to set the group password. The default group file created by the Solaris 10 system is shown here.

    root::0:
    other::1:
    bin::2:root,daemon
    sys::3:root,bin,adm
    adm::4:root,daemon
    uucp::5:root
    mail::6:root
    tty::7:root,adm
    lp::8:root,adm
    nuucp::9:root
    staff::10:
    daemon::12:root
    smmsp::25:
    sysadmin::14:
    gdm::50:
    webservd::80:
    nobody::60001:
    noaccess::60002:
    nogroup::65534:

The default group file contains the system groups that support some system level tasks—printing, network administration, and email. Note that many of these groups have corresponding entries in the passwd file.

Now that you have explored the structure of a user account and you know where the user account information is stored, it is time to get more practical, that is, to learn how to create, modify, and delete user accounts.

Sun Certified System Administrator for Solaris 10 Study Guide Exams 310-XXX & 310-XXX
Year: 2005
Pages: 168