Setting User Defaults


The useradd command and User Manager window both determine the default values for new accounts by reading the /etc/login.defs file. You can modify those defaults by either editing that file manually with a standard text editor or by running the useradd command with the -D option. If you choose to edit the file manually, here is what you face:

    # *REQUIRED*
    #   Directory where mailboxes reside, _or_ name of file, relative to the
    #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
    #   QMAIL_DIR is for Qmail
    #
    #QMAIL_DIR      Maildir
    MAIL_DIR        /var/spool/mail
    #MAIL_FILE      .mail

    # Password aging controls:
    #
    #       PASS_MAX_DAYS   Maximum number of days a password may be used.
    #       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    #       PASS_MIN_LEN    Minimum acceptable password length.
    #       PASS_WARN_AGE   Number of days warning given before a password expires.
    #
    PASS_MAX_DAYS   99999
    PASS_MIN_DAYS   0
    PASS_MIN_LEN    5
    PASS_WARN_AGE   7

    #
    # Min/max values for automatic uid selection in useradd
    #
    UID_MIN                   500
    UID_MAX                 60000

    #
    # Min/max values for automatic gid selection in groupadd
    #
    GID_MIN                   500
    GID_MAX                 60000

    #
    # If defined, this command is run when removing a user.
    # It should remove any at/cron/print jobs etc. owned by
    # the user to be removed (passed as the first argument).
    #
    #USERDEL_CMD    /usr/sbin/userdel_local

    #
    # If useradd should create home directories for users by default.
    # On RH systems, we do. This option is ORed with the -m flag on
    # useradd command line.
    #
    CREATE_HOME     yes

Blank lines and comments beginning with a pound sign (#) are ignored. All other lines contain keyword/value pairs. For example, the keyword MAIL_DIR is followed by some white space and the value /var/spool/mail. This tells useradd that the initial user e-mail mailbox is created in that directory. Following that are lines that enable you to customize the valid range of automatically assigned user ID numbers or group ID numbers. A comment section that explains that keyword's purpose precedes each keyword. Altering a default value is as simple as editing the value associated with that keyword and then saving the login.defs file.

If you want to view the defaults, type the useradd command with the -D option as follows:

    # useradd -D
    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/bash
    SKEL=/etc/skel

You can also use the -D option to change defaults. When run with this flag, useradd refrains from actually creating a new user account; instead, it saves any additionally supplied options as the new default values in /etc/login.defs. Not all useradd options can be used in conjunction with the -D option. You can use only the five options listed in Table 11-2.

Table 11-2: useradd Options for Changing User Defaults

  Option                  Description
  ----------------------  ------------------------------------------------------------
  -b default_home         Set the default directory in which user home directories
                          will be created. Replace default_home with the directory
                          name to use. Usually this is /home.

  -e default_expire_date  Set the default expiration date on which the user account
                          is disabled. The default_expire_date value should be
                          replaced with a date in the form MM/DD/YYYY, for example
                          10/15/2007.

  -f default_inactive     Set the number of days after a password has expired before
                          the account is disabled. Replace default_inactive with a
                          number representing the number of days.

  -g default_group        Set the default group that new users will be placed in.
                          Normally useradd creates a new group with the same name and
                          ID number as the user. Replace default_group with the group
                          name to use.

  -s default_shell        Set the default shell for new users. Normally this is
                          /bin/bash. Replace default_shell with the full path to the
                          shell that you want as the default for new users.

To set any of the defaults, give the -D option first; then add any of the defaults you want to set. For example, to set the default home directory location to /home/everyone and the default shell to /bin/tcsh, type the following:

    # useradd -D -b /home/everyone -s /bin/tcsh
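The following script is an added example (not from the book) that reads login.defs the way the text describes, ignoring blank lines and # comments and treating everything else as keyword/value pairs, and then flags password-aging values that are weaker than a chosen baseline. The baseline numbers and the sample file are this example's own assumptions; the stock values in the sample are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the book: parse login.defs (blank lines and
# # comments ignored, everything else keyword/value pairs) and flag
# password-aging defaults weaker than an assumed baseline.

# Print the value of KEY from FILE; if KEY appears more than once, the last
# definition is reported.
get_def() {
    awk -v k="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comment or blank line
        $1 == k { v = $2 }                              # keyword, whitespace, value
        END { if (v != "") print v }' "$2"
}

# Compare the aging defaults in FILE against the baseline; one finding per line.
# The baseline (90 days, 12 characters, 7 days warning) is an assumption.
check_policy() {
    max=$(get_def PASS_MAX_DAYS "$1")
    min=$(get_def PASS_MIN_LEN "$1")
    warn=$(get_def PASS_WARN_AGE "$1")
    [ "${max:-99999}" -le 90 ] || echo "PASS_MAX_DAYS=${max:-unset}: passwords never expire (baseline 90)"
    [ "${min:-0}" -ge 12 ]     || echo "PASS_MIN_LEN=${min:-unset}: shorter than baseline 12"
    [ "${warn:-0}" -ge 7 ]     || echo "PASS_WARN_AGE=${warn:-unset}: warn at least 7 days ahead"
}

# Constructed sample carrying the stock values shown in the book, so the
# script runs offline; on a real system point check_policy at /etc/login.defs.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Password aging controls:
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
EOF

check_policy "$SAMPLE"
```

With the stock values the script reports two findings (PASS_MAX_DAYS and PASS_MIN_LEN); PASS_WARN_AGE 7 meets the baseline.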

Besides setting up user defaults, an administrator can create default files that are copied to each user's home directory for use. These files can include login scripts and shell configuration files (such as .bashrc). The following sections describe some of these files.

Supplying Initial Login Scripts

Many Linux applications, including the command shell itself, read a configuration file at startup. It is traditional practice that these configuration files are stored in the users' home directories. In this way, each user can customize the behavior of the command shell and other applications without affecting that behavior for other users. Global defaults can be assigned from /etc/profile, and those settings can then be extended by a user's personal files.

The bash command shell, for example, looks for a file called .bashrc in the current user's home directory whenever it starts up. Similarly, the tcsh command shell looks for a file called .tcshrc in the user's home directory. You may see a repeating theme here. Startup scripts and configuration files for various applications usually begin with a dot (.) character and end in the letters rc (which stands for run commands ). You can supply initial default versions of these and other configuration files by placing them in the /etc/skel directory. When you run the useradd command, these scripts and configuration files are copied to the new user's home directory.

Supplying initial .bashrc and .bash_profile Files

By supplying your users with initial .bashrc and .bash_profile files, you give them a starting point from which they can further customize their shell environment. Moreover, you can be sure that files are created with the appropriate access permissions so as not to compromise system security.

The .bash_profile script is run each time the user starts a new bash shell and, in turn, runs the .bashrc script. So, security is a concern. The .bash_profile file sets the original PATH used by the user, so it is a good place to add directories containing binaries you want the user to be able to run at your location. You can also add other start-up programs you want to run automatically for every user. Here's an example of the .bash_profile file.

    # .bash_profile

    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
            . ~/.bashrc
    fi

    # User specific environment and startup programs

    PATH=$PATH:$HOME/bin

    export PATH
    unset USERNAME

The .bashrc file is a good place to supply useful command aliases and additions to the command search path. Here's an example:

    # .bashrc

    # Source global definitions
    if [ -f /etc/bashrc ]; then
            . /etc/bashrc
    fi

    # User specific aliases and functions
    alias rm='rm -i'
    alias cp='cp -i'
    alias mv='mv -i'

This sample .bashrc executes /etc/bashrc (if it exists) to read any further global bash values. Next, the file creates aliases for the rm, cp, and mv commands that result in a -i option always being used (unless overridden with the -f option). This protects against the accidental deletion of files.
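Two things worth checking on the files described above are the PATH that .bash_profile builds and the permissions of the /etc/skel templates useradd copies. The script below is an added example (not from the book) that audits both; the skeleton directory and the loosely permitted directory it creates are constructed test data.

```shell
#!/bin/sh
# Added example, not from the book: audit the PATH a startup file such as
# .bash_profile builds, and the permissions of /etc/skel templates.

# Echo "w" if the group or other write bit is set on PATH_ENTRY, else nothing.
# Characters 6 and 9 of ls -l output are the group and other write bits.
loose_write() {
    case $(ls -ld "$1" | cut -c6,9) in *w*) echo w ;; esac
}

# Report PATH entries another user could plant a command in: an empty entry
# or "." (the current directory is searched) and group/other-writable directories.
audit_path() {
    case $1 in :*|*:|*::*) echo "empty PATH entry: current directory is searched" ;; esac
    old_ifs=$IFS; IFS=:
    for d in $1; do
        if [ "$d" = . ]; then
            echo "PATH entry '.': current directory is searched"
        elif [ -d "$d" ] && [ -n "$(loose_write "$d")" ]; then
            echo "PATH entry $d: writable by group or others"
        fi
    done
    IFS=$old_ifs
}

# Report skeleton files (and the directory itself) that a non-owner could
# edit before useradd copies them into a new user's home directory.
audit_skel() {
    for f in "$1" "$1"/.[!.]* "$1"/*; do
        if [ -e "$f" ] && [ -n "$(loose_write "$f")" ]; then
            echo "$f: writable by group or others"
        fi
    done
}

# Constructed sample: a skeleton with one deliberately group-writable file and
# a world-writable directory standing in for a bad PATH entry.
SKEL=$(mktemp -d); LOOSEDIR=$(mktemp -d)
trap 'rm -rf "$SKEL" "$LOOSEDIR"' EXIT
printf '%s\n' '# .bashrc' "alias rm='rm -i'" > "$SKEL/.bashrc"
printf '%s\n' 'PATH=$PATH:$HOME/bin' 'export PATH' > "$SKEL/.bash_profile"
chmod 644 "$SKEL/.bashrc"
chmod 664 "$SKEL/.bash_profile"   # group-writable, so the audit flags it
chmod 777 "$LOOSEDIR"

audit_skel "$SKEL"                         # on a real system: audit_skel /etc/skel
audit_path "/usr/bin::.:$LOOSEDIR"         # on a real system: audit_path "$PATH"
```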

Supplying an initial .tcshrc File

The following example .tcshrc file does basically the same thing as the preceding .bashrc example. However, this file (which is for the root user) has the additional task of setting the appearance of the command prompt:

    # .tcshrc

    # User specific aliases and functions

    alias rm 'rm -i'
    alias cp 'cp -i'
    alias mv 'mv -i'

    setenv PATH "$PATH:/usr/bin:/usr/local/bin"
    set prompt='[%n@%m %c]# '

Instead of using the export command to set environment variables, the tcsh shell uses the setenv command. In the example, setenv is used to set the PATH variable. The shell prompt is set to include your user name (%n), your computer name (%m), and the name of the current directory (%c). So, if you were to use the tcsh shell as the root user on a computer named maple with /tmp as your current directory, your prompt would appear as follows:

 [root@maple /tmp]# 

The .tcshrc file can also be named .cshrc. The tcsh shell is really an extended version of the csh shell (in fact, you can invoke it by the csh name). When a tcsh shell is started, it first looks for a .tcshrc file in the current user's home directory. If it can't find a file by that name, it looks for the other name, .cshrc. Thus, either name is appropriate.

Configuring System-Wide Shell Options

Allowing individually customizable shell startup files for each user is a very flexible and useful practice. But sometimes you need more centralized control than that. You may have an environment variable or other shell setting that you want set for every user, without exception. If you add that setting to each individual user's startup file, the user has the ability to edit that file and remove it. Furthermore, if that setting must be changed in the future, you must change it in every single user's shell startup file.

Fortunately, there is a better way. There are default startup files that apply to all users of the computer that each command shell reads before reading the user-specific files. In the case of the bash command shell, it reads the /etc/bashrc file before doing anything else.

Similarly, the tcsh shell reads the /etc/csh.cshrc file before processing the .cshrc or .tcshrc file found in the user's home directory. The following /etc/csh.cshrc file ships with Fedora and RHEL:

    # /etc/cshrc
    #
    # csh configuration for all shell invocations.

    # by default, we want this to get set.
    # Even for non-interactive, non-login shells.
    # umask 002 is used only when the user's primary group is a private
    # group with the same name as the user (and the UID is above 99);
    # system accounts and shared-group users get the stricter 022.
    [ `id -gn` = `id -un` -a `id -u` -gt 99 ]
    if $status then
        umask 022
    else
        umask 002
    endif

    if ($?prompt) then
      if ($?tcsh) then
        set prompt='[%n@%m %c]$ '
      else
        set prompt=\[`id -nu`@`hostname -s`\]\$\ 
      endif
    endif

The /etc/cshrc and /etc/bashrc files set a variety of shell environment options. If you want to modify or add to the shell environment supplied to every single user on the system, the /etc/bashrc or /etc/cshrc files are the place to do it.

Setting System Profiles

Some of the most basic information assigned to each user is added from the /etc/profile file. So, if you want to change any of the following information, you can start from /etc/profile. The contents of /etc/profile are sourced only into each user's initial login shell. Here are some values contained in /etc/profile:

  • PATH - Assigns the default PATH for the root user and for all other users. You might change this value to add paths to local directories containing applications all users need.

  • ulimit -S -c 0 - The -c 0 option to ulimit prevents core files (normally created when a process crashes) from being created. The -S makes this a "soft" option, so the user has the ability to turn on the core file feature if they choose to.

  • Environment variables - Shell environment variables that are needed for standard operation are assigned in this file. These include USER (set by the id -un command), LOGNAME (same as USER), MAIL (set to /var/spool/mail/$USER), HOSTNAME (set to the output of the command /bin/hostname), and HISTSIZE (which sets shell command history to 1000 items).

  • INPUTRC - Sets keyboard mappings for particular situations, based on the contents of the /etc/inputrc file. In particular, the inputrc file makes sure that the Linux console and various Terminal windows (xterm and rxvt) all behave sanely.

The last thing that the /etc/profile file does is look at the contents of the /etc/profile.d directory and source in the files that it finds. Each file contains settings that define environment variables or aliases that affect how users can use the shell. For example, the lang.sh and lang.csh files identify the locations of foreign language files. The vim files create aliases that cause vim to be used when vi is typed. The which-2.sh file defines a set of options used by the which command. You can modify the profile.d files or add your own to have environment variables and aliases set for all of your users.

Adding User Accounts to Servers

When you set up a server, you often want to allow people to either upload files to it or download files or messages from it. However, you may not want to allow those people access to the entire server. You can begin limiting access to those users when you first create their user accounts.

To prevent a remote user from logging in and accessing a shell (via ssh, telnet, or other login service), you can set the default shell for a user to nologin. For example:

    # useradd -s /sbin/nologin jerryb

With the shell set to nologin, this user would not be able to log in to the server to open a shell. However, the user could still use this account to log in to an FTP service on the server (if the service is available and the user has a password). By default, the user's home directory in this example when he logged in via FTP would be /home/jerryb. (See Chapter 20 for ways in which you could restrict this user to access only his home directory in a chroot environment.)

Another approach to FTP-only access to a server is to use /usr/lib/sftp-server as a user's login shell. While this allows the user access to the entire file system that is available to the user account, it restricts them to only access the server via secured FTP.

A common practice with Web hosting is to allow a user to place content on the server, often in that user's /home/username/public_html directory, using FTP (but no shell login). However, the administrator could choose to assign the location for the Web content to be any directory, including the system-wide Web server directory. The following command assigns the user named webuser to use /var/www/html as his home directory (you should also change ownership of the files to belong to webuser for this to work):

    # useradd -s /sbin/nologin -d /var/www/html webuser

If you were adding a user for mail service access only, you might choose to prevent any access to FTP as well. One way to do that is to point the user's home directory to /dev/null . For example:

    # useradd -s /sbin/nologin -d /dev/null jerryb

Once you have set up a limited user account, you can further define what your server's users can and cannot access, using features associated with the particular service.
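After creating restricted accounts like the ones above, it is worth verifying from the passwd file which accounts can still open a shell. The script below is an added example (not from the book) that classifies accounts by login shell and lists any interactive accounts not on an expected list; the passwd lines are constructed sample data modelled on the users in this section.

```shell
#!/bin/sh
# Added example, not from the book: inventory which accounts in a passwd
# file can open a shell and which are service-only (nologin/false), so
# the restrictions set with useradd -s and -d can be checked afterwards.

# Print "user access home" for every account in FILE. access is "none" for
# /sbin/nologin, /usr/sbin/nologin or /bin/false and "shell" for anything
# else (an empty shell field means /bin/sh, so it counts as "shell").
account_access() {
    awk -F: '{
        s = $7
        access = (s == "/sbin/nologin" || s == "/usr/sbin/nologin" || s == "/bin/false") ? "none" : "shell"
        print $1, access, $6
    }' "$1"
}

# Print accounts that still have an interactive shell but are not listed in
# ALLOWED (a space-separated list of users expected to have one).
unexpected_shells() {
    file=$1; allowed=" $2 "
    account_access "$file" | while read -r user access home; do
        [ "$access" = shell ] || continue
        case $allowed in *" $user "*) ;; *) echo "$user" ;; esac
    done
}

# Constructed sample passwd data (not from a real system): the section's
# FTP-only, web-content and mail-only accounts plus two shell users.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jerryb:x:501:501::/home/jerryb:/sbin/nologin
webuser:x:502:502::/var/www/html:/sbin/nologin
mailonly:x:503:503::/dev/null:/sbin/nologin
chris:x:504:504::/home/chris:/bin/bash
EOF

account_access "$SAMPLE"            # on a real system: account_access /etc/passwd
unexpected_shells "$SAMPLE" "root"  # prints chris: a shell user not on the allowed list
```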




Fedora 6 and Red Hat Enterprise Linux Bible
ISBN: 047008278X
Year: 2007