Red Hat Linux Networking, System Administration (P26)
(30 pages, 681.93 KB)



Another very handy method to set or change a password, especially from a script, is to use the passwd command's --stdin option, which allows you to pipe a new, plain-text password in. For example, the following command changes the user bubba's password to sekritword, using the --stdin option to passwd:

# echo 'sekritword' | passwd --stdin bubba

Changing password for user bubba.
passwd: all authentication tokens updated successfully.

This command pipes the password through the passwd command. When used with the --stdin option, passwd reads its input from stdin rather than interactively at the keyboard. Notice that the echo command wraps the password in single quotes: sekritword itself contains no shell metacharacters, but quoting protects passwords that do from expansion and word splitting. Keep in mind that a password typed at an interactive shell this way is recorded in the shell's history file, and that --stdin is a Red Hat addition to passwd that other distributions may lack.

The chsh command changes a user's login shell. Its syntax is:

chsh [-s shell] [-l] [username]

-s shell sets username's login shell to shell. Unless configured otherwise, shell can be the full pathname of any executable file on the system (for users other than root, chsh accepts only shells listed in /etc/shells). One common way to take advantage of this feature is to disable an account by setting shell to /bin/false, /sbin/nologin, or another command that does not display a login prompt to the user. Using the -l option displays the shells listed in /etc/shells.

The chage command changes the expiration policy for a user's password. Its syntax is:

chage [-l] [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] username

Table 29-4 lists the valid options that chage accepts

Table 29-4 Options for the chage Command

OPTION          DESCRIPTION
username        Specifies username as the account name to query or modify.
-l              Displays expiration information for username.
-m mindays      Sets mindays days as the minimum amount of time permitted between password changes.
-M maxdays      Sets maxdays days as the maximum number of days a password is valid.
-d lastday      Sets lastday as the date on which the password was last changed, expressed as the number of days elapsed since 1 January 1970. lastday can also be given in a more convenient date format, such as June 21, 2003, or 2003-06-21.
-I inactive     Sets inactive days as the number of days username's account may be inactive after the password has expired before the account is locked.
-E expiredate   Sets expiredate as the date on which username's account expires.
-W warndays     Sets warndays as the number of days before the password expires that a warning message is issued.

If no options are used, chage executes in interactive mode, prompting the user for each item of information. Use the chage command's -l option to obtain a friendlier display:

# chage -l marysue
Minimum:        0
Maximum:        99999
Warning:        7
Inactive:       -1
Last Change:            Apr 04, 2005
Password Expires:       Never
Password Inactive:      Never
Account Expires:        Never

chage does not display the fields in the order in which they appear in /etc/shadow, which stores them as name:password:lastchange:min:max:warn:inactive:expire:reserved. A Maximum of 99999 and an Inactive of -1 mean that no expiry or inactivity limit is enforced.
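Because chage only edits fields that live in /etc/shadow, it helps to see how the raw fields combine into the status chage -l reports. The following shell function is an added example, not code from the book: it takes one shadow-format line and a day number (days since 1 January 1970, the unit the file uses) and prints the same conclusions chage -l implies, including the account-expiry override and the inactivity grace period. The sample accounts and their hashes are constructed.

```shell
#!/bin/sh
# Added example: derive password-aging status from one /etc/shadow line.
# Field order in the file (not the order chage -l prints them):
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# "today" is passed in as days since 1970-01-01, the unit the file uses,
# so the result is deterministic. All sample lines below are constructed.

shadow_status() {
    local line=$1 today=$2
    local name hash lastchg min max warn inactive expire reserved left expires
    IFS=: read -r name hash lastchg min max warn inactive expire reserved <<EOF
$line
EOF
    # Field 8, an absolute account-expiry day, overrides everything else.
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        printf '%s: account expired\n' "$name"; return 0
    fi
    # Field 2: empty means login without a password; "!" or "*" means locked.
    case $hash in
        '')        printf '%s: no password set\n' "$name"; return 0 ;;
        '!'*|'*'*) printf '%s: password locked\n' "$name"; return 0 ;;
    esac
    # Empty or 99999 max age is what chage -l shows as "Password Expires: Never".
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        printf '%s: password never expires\n' "$name"; return 0
    fi
    expires=$((lastchg + max))
    left=$((expires - today))
    if [ "$left" -gt 0 ]; then
        if [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
            printf '%s: password expires in %d days (warning period)\n' "$name" "$left"
        else
            printf '%s: password expires in %d days\n' "$name" "$left"
        fi
        return 0
    fi
    # Past max age. Field 7 (inactive) adds a grace period; empty or -1 (the
    # "Inactive: -1" of chage -l) only forces a change at the next login.
    if [ -z "$inactive" ] || [ "$inactive" -lt 0 ]; then
        printf '%s: password expired %d days ago, change required at next login\n' "$name" $((0 - left))
    elif [ "$today" -lt $((expires + inactive)) ]; then
        printf '%s: password expired %d days ago, %d grace days left\n' \
            "$name" $((0 - left)) $((expires + inactive - today))
    else
        printf '%s: password expired %d days ago, account locked\n' "$name" $((0 - left))
    fi
}

# Run shadow_status over every line of a shadow-format file read on stdin.
audit_shadow() {
    local today=$1 line
    while IFS= read -r line; do
        if [ -n "$line" ]; then shadow_status "$line" "$today"; fi
    done
}

# Constructed sample, evaluated as of day 12900 (five days after the
# day-12895 entries in Listing 29-1).
demo_audit() {
    audit_shadow 12900 <<'EOF'
bubba:jYNrf8iU4DM:12895:0:99999:7:::
joebob:$6$salt$hash:12850:0:60:7:5::
marysue:$6$salt$hash:12800:0:90:7:::
backup:!!:12895:0:99999:7:::
contractor:$6$salt$hash:12895:0:99999:7::12800:
EOF
}
```

On a live system the day number comes from `$(( $(date +%s) / 86400 ))`, and the function can be run as `audit_shadow "$today" < /etc/shadow` by root.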

Modifying Multiple Accounts Simultaneously

In busy or large IT environments, system administrators often find themselves faced with the necessity of creating multiple user accounts. Using useradd to add one or two accounts is relatively simple, but it quickly becomes tedious if 10 or 20 accounts need to be created. Fortunately, the shadow password suite includes the newusers utility, which can be used to create and update multiple user accounts. As remarked on at the beginning of the chapter, one of the advantages of command line tools is that they can be used to perform bulk or mass changes. Two commands, chpasswd and newusers, make multiple changes to the user password database in a single operation. The syntax of newusers is:

newusers userfile

userfile is the name of a text file consisting of lines in the same format as the standard password file, subject to the following exceptions:

■■ The password field appears as clear text; newusers encrypts it before adding the account.

■■ The pw_age field is ignored for shadow passwords if the user already exists.

■■ The GID can be the name of an existing group or a nonexistent GID. If the GID is the name of an existing group, the named user is added to that group, but if it is a nonexistent numeric value, a new group with the specified GID is created.

■■ If the specified home directory refers to a nonexistent directory, newusers creates it. If the directory already exists, ownership of the directory is set to that of the named user.

The following code shows the contents of newusers.txt, which is passed to newusers to create three new user accounts, bubba, joebob, and marysue:

bubba:mypass:901:901:Bubba User:/home/bubba:/bin/bash
joebob:yourpass:902:902:Joe Bob:/home/joebob:/bin/bash
marysue:somepass:903:903:Mary Sue:/home/marysue:/bin/bash

After executing the command newusers newusers.txt, you will see the entries in /etc/passwd, /etc/group, and /etc/shadow, as shown in Listing 29-1. Because newusers.txt holds clear-text passwords, keep it readable only by root and delete it once the accounts exist.

# tail -3 /etc/passwd

bubba:x:901:901:Bubba User:/home/bubba:/bin/bash
joebob:x:902:902:Joe Bob:/home/joebob:/bin/bash
marysue:x:903:903:Mary Sue:/home/marysue:/bin/bash

# tail -3 /etc/group

901:x:901:bubba
902:x:902:joebob
903:x:903:marysue

# tail -3 /etc/shadow

bubba:jYNrf8iU4DM:12895:0:99999:7:::

joebob:b.hw8uEMl6eNM:12895:0:99999:7:::

marysue:R1ER36oNXeUaA:12895:0:99999:7:::

Listing 29-1 Entries in user database files after using newusers.

The chpasswd command updates existing user passwords en masse. It reads, on standard input, a file consisting of colon-separated username:password pairs, one per line. password must be plain text, which will be encrypted at runtime, unless chpasswd is invoked with the -e option, in which case password must already be encrypted using a crypt(3)-compatible encryption algorithm.

T I P Type man 3 crypt to learn more about how the password is encrypted.
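Before handing a batch file to newusers, it is worth checking it for the mistakes that make newusers stop halfway through or create an account you did not intend. The following shell function is an added example, not part of the book or of the shadow suite: it validates a newusers-format file against a passwd snapshot and a shells list (both passed as paths, so the check can run on constructed copies), and the wrapper shows the handling the clear-text passwords deserve (mode 600, shred after use). The same validation idea applies to a username:password file for chpasswd, which is the better choice than echo | passwd --stdin when several accounts need new passwords.

```shell
#!/bin/sh
# Added example: check a newusers(8) input file before feeding it to
# newusers, then apply it without leaving clear-text passwords behind.
# Each line must carry the seven passwd(5) fields:
#   name:password:uid:gid:gecos:home:shell
# The passwd snapshot and shells list are passed in as file paths so the
# check can run against constructed data rather than the live /etc files.

validate_newusers_file() {
    local file=$1 passwd_snapshot=$2 shells_file=$3
    awk -F: -v passwd="$passwd_snapshot" -v shells="$shells_file" '
    BEGIN {
        # Names and UIDs that already exist must not be reused.
        while ((getline line < passwd) > 0) {
            split(line, f, ":"); existing_name[f[1]] = 1; existing_uid[f[3]] = 1
        }
        while ((getline line < shells) > 0)
            if (line != "" && line !~ /^#/) ok_shell[line] = 1
    }
    NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad = 1; next }
    $1 !~ /^[a-z_][a-z0-9_-]*$/ { printf "line %d: invalid login name %s\n", NR, $1; bad = 1 }
    $2 == ""                    { printf "line %d: empty password for %s\n", NR, $1; bad = 1 }
    $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { printf "line %d: uid and gid must be numeric\n", NR; bad = 1 }
    ($1 in seen_name)     { printf "line %d: duplicate name %s in file\n", NR, $1; bad = 1 }
    ($3 in seen_uid)      { printf "line %d: duplicate uid %s in file\n", NR, $3; bad = 1 }
    ($1 in existing_name) { printf "line %d: user %s already exists\n", NR, $1; bad = 1 }
    ($3 in existing_uid)  { printf "line %d: uid %s already in use\n", NR, $3; bad = 1 }
    !($7 in ok_shell)     { printf "line %d: shell %s not in shells list\n", NR, $7; bad = 1 }
    { seen_name[$1] = 1; seen_uid[$3] = 1 }
    END { if (bad) exit 1 }
    ' "$file"
}

# Create the accounts from a file only root can read, then shred it.
# Needs root and the real newusers; shown for completeness, not exercised
# by the checks below.
apply_newusers_file() {
    local file=$1
    chmod 600 "$file"
    validate_newusers_file "$file" /etc/passwd /etc/shells || return 1
    newusers "$file" && shred -u "$file"
}
```

validate_newusers_file prints one problem per line and returns 1 if it found any, so it drops naturally into a `|| exit 1` guard in a provisioning script.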

Viewing Login and Process Information

To view current and past login information and to determine what processesusers are running, you can use one of the following commands:

■■ last — Displays historical login information

■■ who — Displays information about currently logged in users

■■ w — Displays each user's currently running process

For all logins, last prints the user name, TTY, date, time, elapsed time, and the host name or IP address of the remote host from which the login originated, if applicable, starting with the most recent login. Its syntax is:

last [-R | [-ai]] [-num |-n num] [username] [tty]

By default, last lists all the entries in /var/log/wtmp, so you can use -num and -n num to specify the number of output lines to display. Ordinarily, last displays the hostname in the third column, but using -a places the hostname in the rightmost column, -i shows the hostname's IP address, and -R completely suppresses display of the hostname. To view the login activity of a specific user, use the username argument. tty enables you to view logins per TTY. Multiple usernames and ttys can be listed. Because /var/log/wtmp is rotated, older logins are only visible by pointing last at a rotated copy with -f, for example last -f /var/log/wtmp.1.

The who command displays information about currently logged-in users. Its default output includes the user name, login TTY, and the date and time each user logged in. who's syntax is:

who [-Hil] | [-q]

Using the -H option adds column headings to who's output. Specifying -i adds each user's idle time to the display. Use -l to force who to show fully qualified domain names (FQDNs). To obtain the total number of logged-in users, use the -q option by itself.

The w command is very similar to who, except that it also displays the command line of each user's currently running process and a summary of each user's CPU usage. w's syntax is:

w [-h] [-s] [-f] [username]

By default, w prints header information when it starts; -h disables the header. -s generates a short output format that omits the login time and the CPU usage. -f disables displaying the host from which users are logged in. Specifying username lists only username's login session and process information.
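Reading last output by eye does not scale once wtmp holds more than a screenful. The following shell function is an added example, not from the book: it takes a file of last -i output and a space-separated allowlist of IP addresses or address prefixes, skips reboot records and the wtmp trailer, and counts logins per user and source address for every source not on the allowlist. The login lines in demo_unexpected_logins are constructed in the shape last -i prints, not taken from a real system.

```shell
#!/bin/sh
# Added example: summarise `last -i` output and flag logins whose source
# address is not on an allowlist. With -i, last prints the source as an IP
# address in the third column (0.0.0.0 for local logins). Reboot records
# and the trailing "wtmp begins" line are skipped.

unexpected_logins() {
    local logfile=$1 allow=$2     # allow: space-separated IPs or IP prefixes
    awk -v allow="$allow" '
    BEGIN { n = split(allow, ok, " ") }
    NF < 3 || $1 == "reboot" || $1 == "wtmp" { next }
    {
        src = $3; permitted = 0
        # A prefix such as "192.0.2." matches the whole subnet.
        for (i = 1; i <= n; i++) if (index(src, ok[i]) == 1) permitted = 1
        if (!permitted) count[$1 " " src]++
    }
    END { for (k in count) print k, count[k] }
    ' "$logfile" | sort
}

# Constructed sample in last -i layout; only the 203.0.113.9 logins are
# from an address outside the allowlist.
demo_unexpected_logins() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
bubba    pts/0        192.0.2.10       Wed Apr 20 19:26   still logged in
joebob   pts/1        198.51.100.7     Wed Apr 20 18:02 - 18:40  (00:38)
marysue  tty1         0.0.0.0          Tue Apr 19 09:00 - 17:30  (08:30)
bubba    pts/2        203.0.113.9      Mon Apr 18 23:55 - 23:59  (00:04)
bubba    pts/3        203.0.113.9      Mon Apr 18 22:10 - 22:12  (00:02)
reboot   system boot  2.6.9-5.EL       Mon Apr 18 08:00          (2+11:26)

wtmp begins Mon Apr 18 08:00:00 2005
EOF
    unexpected_logins "$tmp" "192.0.2. 198.51.100.7 0.0.0.0"
    rm -f "$tmp"
}
```

On a live system, feed it `last -i > /tmp/logins.txt` (or `last -i -f /var/log/wtmp.1` for the previous rotation) and the allowlist of your management networks.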

Working with Group Accounts

Unlike user accounts, group accounts always represent some sort of logical organization of users. Like user accounts, groups have group identification numbers, or GIDs, and it is common for users to be members of several groups. Groups are used to tie one or more users together to simplify administrative tasks. For example, an administrator can assign a group permission to execute a certain application, and then add and delete users from that group, rather than granting permission to individual users. Handling access control at the group level is a simpler, less labor-intensive approach. Similarly, file access can be controlled at the group level because files are assigned user and group owners when files are created and because files carry separate read, write, and execute permissions for the owner, the group assigned to the file, and any other users.

In large part, the group account administration commands parallel the interface of user administration commands with similar names, except that the group commands have fewer command line options. As the section "Understanding User Private Groups" later in the chapter suggests, Red Hat Linux makes greater use of group accounts than other Linux distributions do. So, knowing how to add, modify, and delete group accounts is more important on Red Hat systems than it is with other Linux distributions.

Table 29-5 lists the commands used to add, modify, and delete groupaccounts They are discussed in greater detail in the following subsections

As with the discussion of the password file in the previous section, you will find the following discussion of working with group accounts less confusing if you understand the format of the group file, /etc/group. It has one entry per line, and each line has the format:

groupname:password:gid:userlist

■■ groupname is the name of the group

■■ password is an optional field containing the encrypted group password

■■ gid is the numeric group ID number

■■ userlist is a comma-separated list of the user account names that compose the group

Table 29-5 Group Account Administrative Commands

For example, consider the following entry:

admins:x:507:joebob,marysue,bubba

groupname is admins; password is x, which indicates that any group password is kept in /etc/gshadow rather than here (and none has been set); gid is 507; and userlist is joebob,marysue,bubba.

Creating Groups

To create a new group, use the groupadd command Its syntax is:

groupadd [-g gid [-o]] [-r] [-f] groupname

groupname is the only required argument and must be the name of a nonexistent group. When invoked with only the name of the new group, groupadd creates the group and assigns it the first unused GID that is both greater than 500 and not already in use (the lower bound is GID_MIN in /etc/login.defs; the releases described here use 500, current Fedora and RHEL releases use 1000). Specify -f to make groupadd exit successfully, without complaint, if groupname already exists. Use the -g gid option if you want to specify the new group's GID, replacing gid with a unique GID (use the -o option to force groupadd to accept a nonunique GID). To create a system group, one that is allocated a GID from the reserved low range rather than one that carries any special privileges, use the -r option.

The following command creates a new group named admins:

# groupadd admins

Here is the resulting entry created in /etc/group:

admins:x:507:

At this point, admins has no members, and the password field contains an x, meaning that no one except root can join the group using newgrp (which, because the group has no members yet, excludes everyone).

Modifying and Deleting Groups

After creating a new group, you will likely want to add user accounts to it. Two commands modify group accounts, each serving different purposes. groupmod enables you to change a group's GID or name, and gpasswd enables you to set and modify a group's authentication and membership information. You should rarely need to change a group's name or GID; you're on your own to read groupmod's short manual page. We're more interested in gpasswd, which enables the root user to administer all aspects of a group account and to delegate some administrative responsibilities to a group administrator. For simplicity's sake, the following discussion explains the uses of gpasswd only available to root. Then it covers the gpasswd calls a group administrator can perform.

From root’s perspective, gpasswd’s syntax is:

gpasswd [-A username] [-M username] groupname

Root can use -A username to assign username as groupname's group administrator. -M username adds username to groupname's membership roster. Assigning a group administrator using -A does not make the administrator a member of the group; you have to use -M to add the administrator as a member of the group. Multiple usernames, separated by commas, can be specified with -A and -M. The following command shows how to add marysue and joebob to the admins group:

# gpasswd -M marysue,joebob admins

N OT E To use the -A option, the shadow group file, /etc/gshadow must exist Read the subsection titled “Using a Shadowed Group File” to understand the implications of using shadowed group files.

After this change, the admins entries in /etc/group should resemble thefollowing:

admins:!:507:marysue,joebob

Notice that adding users to the admins group account replaced x with ! inthe password field, meaning that password-based access to the group (usingnewgrp) is disabled

For group administrators, gpasswd’s syntax is:

gpasswd [-R] [-r] [-a username] [-d username] groupname

gpasswd called with only groupname changes the group password. Once a group password is set, group members can still use newgrp to join the group without a password, but nonmembers of the group must supply the password. For example, the following commands show what happens when the user bubba uses newgrp to join the admins group after root sets a group password, which, for the record, is secret:

N OT E newgrp groupname changes the group identification of the calling user to groupname. After calling newgrp successfully, file access permissions are calculated based on the new GID. If groupname is omitted, the GID is changed to the calling user's primary (login) GID.

$ newgrp admins

Password:

$ groups

admins bubba

By contrast, here is what happens when joebob, who is a member of

admins, uses newgrp to join the admins group Notice that joebob is notprompted for a password as bubba was:

$ newgrp admins

$ groups
admins joebob

Conversely, if no group password is set, only group members can use newgrp to join the group. To remove a group password, use the -r option. The next snippet shows what happens when bubba tries to join admins after the group password is removed. Keep in mind that the password field in the group file will be empty after the password is removed using -r:

$ newgrp admins

newgrp: Permission denied.

This time, bubba was not even prompted for a password. joebob, however, has no problem:

$ newgrp admins
$ groups
admins joebob

Calling gpasswd with the -R option disables access to a group using the newgrp command. Oddly, if you use this option, gpasswd places a ! in the password field in the group file, so nonmembers of the group get a password prompt but no password works.

To add a user to the group, a group administrator must use the -a username option. The -d username option removes a user from a group. The next example shows how to add and remove bubba using gpasswd's -a and -d options:

# gpasswd -a bubba admins

Adding user bubba to group admins

# grep admins /etc/group

admins:!:507:marysue,joebob,bubba

# gpasswd -d bubba admins

Removing user bubba from group admins

# grep admins /etc/group

admins:!:507:marysue,joebob

Using a Shadowed Group File

Much of the behavior described in the previous subsection does not apply ifthe shadow group file, /etc/gshadow, is present In particular, if the shadowgroup file is in use:

■■ Adding a group creates an entry for that group in the shadow group file. The resulting /etc/group and /etc/gshadow entries resemble the following:

admins:x:507:
admins:!::

■■ Adding a user to a group adds that user to both the standard group fileand the shadow group file:

# gpasswd -M marysue admins

# grep admins /etc/group /etc/gshadow

/etc/group:admins:x:507:marysue
/etc/gshadow:admins:!::marysue

■■ The third field in the shadow group file holds the name of the group administrator, not the GID, if an administrator is added using gpasswd's -A username option:

# gpasswd -A marysue admins

# grep admins /etc/gshadow

admins:!:marysue:marysue

■■ A group administrator cannot join the group unless the administrator's account is also a member of the group. Conversely, a group administrator can add and delete her own user account from the group without affecting her administrative function.

■■ Only group members can use newgrp to join the group. To put it another way, nonmembers of a group cannot use newgrp to join groups of which they are not members, even if they know the group password. In fact, passwords are irrelevant because they do not work for nonmembers and members do not need to use them.

Deleting a group is quite simple. Use the groupdel command, which takes no options except the name of the group to delete. For example, the following command deletes the admins group:

# groupdel admins
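Since gpasswd keeps /etc/group and /etc/gshadow in step, the two files should agree, and the gshadow password field tells you whether a shared group password is in play. The following shell function is an added example, not from the book: given paths to the two files (constructed copies in the checks, so it runs without root), it reports each group's password state, its administrators, and any member present in one file but not the other.

```shell
#!/bin/sh
# Added example: cross-check /etc/group against /etc/gshadow as gpasswd
# maintains them and report what matters for access control:
#   group:    name:password:gid:members
#   gshadow:  name:password:administrators:members
# A real hash in the gshadow password field is a shared secret that lets
# whoever knows it use newgrp, so it is flagged; so is any member listed
# in one file but not the other. Both files are given as paths so the
# function can run on constructed copies rather than the live files.

audit_groups() {
    local group_file=$1 gshadow_file=$2
    awk -F: -v gshadow="$gshadow_file" '
    function inlist(x, arr,   k) { for (k in arr) if (arr[k] == x) return 1; return 0 }
    BEGIN {
        while ((getline line < gshadow) > 0) {
            split(line, f, ":")
            spw[f[1]] = f[2]; sadm[f[1]] = f[3]; smem[f[1]] = f[4]
        }
    }
    {
        name = $1
        if (!(name in spw)) { printf "%s: missing from gshadow\n", name; next }
        pw = spw[name]
        if (pw == "")
            printf "%s: no password, only members may newgrp\n", name
        else if (pw ~ /^[!*]/)
            printf "%s: password disabled\n", name
        else
            printf "%s: WARNING group password set (shared secret)\n", name
        if (sadm[name] != "") printf "%s: administrators %s\n", name, sadm[name]
        # split() clears its target array, so a and b hold only this group
        split($4, a, ","); split(smem[name], b, ",")
        for (i in a) if (a[i] != "" && !inlist(a[i], b))
            printf "%s: %s in group but not gshadow\n", name, a[i]
        for (i in b) if (b[i] != "" && !inlist(b[i], a))
            printf "%s: %s in gshadow but not group\n", name, b[i]
    }
    ' "$group_file"
}
```

Run as root against the real files with `audit_groups /etc/group /etc/gshadow`; a "WARNING" line is a group whose membership is effectively extended to everyone who knows the password, which is rarely intended.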

N OT E Those of you who find typing commands tedious, the next section,

“Administering Users and Groups with User Manager,” shows you how to use User Manager, Red Hat’s new GUI tool for administering user and group accounts.

Using User Private Groups

You need to understand the user private group (UPG) scheme and how the UPG scheme uses the semantics of set-GID directories. The UPG scheme was adopted in early Red Hat Linux distributions and carried forward into Fedora Core and RHEL. UPGs are intended to make Linux groups easier to use. Although the UPG scheme does not add or change the normal Linux way of handling groups, it does introduce a new convention that is different from traditional Linux user and group idioms: when you create a new user, Fedora Core and RHEL create a unique group for that user. Although it is unusual and a departure from traditional norms, after you become accustomed to the UPG scheme, you will find that it is very natural to use and makes good sense.

The UPG scheme has the following salient characteristics:

■■ Each user has a primary group with the same name as the user account. For example, the user named bubba has a primary or initial group of bubba.

■■ Each user is the only member of her primary group. Thus, the user bubba is the only member of the group bubba.

■■ Each user's umask defaults to 002; because every user has her own private group in the UPG scheme, the group protection afforded by the normal Linux umask of 022 is unnecessary. This reasoning holds only while each user's primary group stays private: if you make a shared group a user's primary group, a 002 umask lets every member of that group write the user's newly created files.

■■ Group-specific directories, such as project directories, have the set-GID (set group ID) bit enabled. If you set the set-GID bit on a directory, all files created in that directory have their group set to the directory's group. The behavior of set-GID directories is not specific to UPGs, but the UPG scheme does take advantage of set-GID features.

T I P The default umask is set in /etc/profile.

For example, suppose that the finance department maintains a large number of files in the /opt/finance directory and that many people work with these files on a daily basis. If you want to use set-GID directories and the UPG scheme, you first create a group named, say, finance, use the chgrp command to change the group ownership on /opt/finance to the finance group, use the chmod command to set the set-GID bit on /opt/finance, and then add the appropriate users to the finance group. As a result, all users in the finance group can edit existing files in the /opt/finance directory. Similarly, when new files are created in the /opt/finance directory, the files' group ownerships are automatically assigned to the finance group, and all users who are members of the finance group can edit them without taking any special steps. Another benefit of set-GID directories is that any users who work on multiple projects do not have to change their umask or group as they move from project to project or directory to directory. Each project directory's set-GID bit automatically sets the proper group for all files created in that directory and its subdirectories.

At the user level, each user's home directory is owned by the user and her private group. Although it is safe to set the set-GID bit on the home directory, it is unnecessary. Why? By default, files are created with the primary group of the user and that user is the only member of the primary group. Thus, the set-GID bit is redundant with respect to a user's home directory and its subdirectories. The following steps illustrate the scenario and process just described. The point of this exercise is to provide a concrete illustration of Red Hat's UPG scheme, so a later section discusses the commands and options used.

1 Create the finance group:

# /usr/sbin/groupadd finance

2 Change the group ownership of /opt/finance to the finance group

to associate the directory contents with the finance group:

# /bin/chgrp -R finance /opt/finance

3 Add the proper users to the group (add the user bubba in this case):

# /usr/bin/gpasswd -a bubba finance

4 To enable the finance group's members to create files, set the set-GID bit on the directory and make it writable by the group (mode 2775 is the set-GID bit plus rwxrwxr-x):

# /bin/chmod 2775 /opt/finance
$ ls -ld /opt/finance
drwxrwsr-x 2 root finance 6 Apr 20 19:26 /opt/finance

With the default umask set to 002, files that bubba creates in /opt/finance are owned by the user bubba and the group finance and are read/write for both the user and group owner, enabling other finance users to modify the file:

$ touch /opt/finance/20050420
$ ls -l /opt/finance/20050420
-rw-rw-r-- 1 bubba finance 0 Apr 20 19:29 /opt/finance/20050420

To summarize, the set-GID bit on directories, combined with the Red HatUPG scheme, makes it trivial to create project groups that permit members ofthose groups to write files in the groups’ common directory without undulyburdening users
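The finance procedure above can be scripted and checked end to end. The following shell functions are an added example, not code from the book: setup_project_dir applies the group ownership, group-write bit and set-GID bit (mode 2775, the drwxrwsr-x in the listing), and verify_inheritance creates a file under the UPG umask of 002 and prints the directory mode, file mode and file group so you can confirm the inheritance. The directory and group are parameters, so it can be tried in a temporary directory with your own primary group before touching /opt/finance.

```shell
#!/bin/sh
# Added example: build a shared project directory the way the finance
# steps do (group ownership, group-writable, set-GID bit) and verify that a
# file created inside it inherits the directory's group instead of the
# creator's private group. Directory and group are parameters, so the check
# can be run on a temporary directory with the caller's own primary group
# and needs no root.

setup_project_dir() {
    local dir=$1 group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    # 2775 = set-GID bit plus rwxrwxr-x, which ls -ld shows as drwxrwsr-x
    chmod 2775 "$dir"
}

# Create one file under the UPG umask of 002 and print
# "<dir mode> <file mode> <file group>" for inspection.
verify_inheritance() {
    local dir=$1 file
    file=$dir/probe.$$
    (umask 002; : > "$file")
    printf '%s %s %s\n' "$(stat -c %a "$dir")" "$(stat -c %a "$file")" "$(stat -c %G "$file")"
}

# For the chapter's scenario, as root:
#   setup_project_dir /opt/finance finance
#   verify_inheritance /opt/finance
```

A non-root user can only keep the set-GID bit on a directory whose group she belongs to, which is why the check uses the caller's own primary group; a wrong group in the third field of the output means the bit did not stick or the filesystem is mounted with BSD-style group semantics disabled.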

Administering Users and Groups with User Manager

User Manager is a graphical tool for administering user and group accounts

To use it, you must be logged in as root or otherwise have root access. To start User Manager, click Main Menu ➪ System Settings ➪ Users and Groups. You can also start it from a command line using the command system-config-users in a terminal window. The initial screen resembles Figure 29-1.

From this screen you can view, modify, and delete existing user and group accounts or create new ones. To reduce the list of displayed accounts or to search for a specific account, type the first few letters of an account name in the Filter by text box and click the Apply filter button. You can update most windows by clicking the Refresh button on the toolbar. To get context-sensitive help, click the toolbar's Help button or, to view the entire User Manager manual, select Help ➪ Manual from the toolbar.

Figure 29-1 The main Red Hat User Manager dialog box.

Creating User Accounts

To add a new user:

1 Click the Add User button The Create New User dialog box, shown inFigure 29-2, appears

2 Type the new account name in the User Name text box

3 Type the user’s full name in the Full Name text box

Figure 29-2 Adding a new user.


4 Type the user’s password in the Password and Confirm Passwordfields The password must be at least six characters.

5 Select a login shell. If you choose not to accept the default shell, select an alternative shell from the Login Shell drop-down box.

6 As noted earlier in this chapter, the default home directory is /home/username. You can change the home directory by editing the Home Directory text box or not create a home directory at all by clearing the Create home directory check box.

7 To prevent creation of a user private group, remove the check from theCreate new group for the user check box A completed Create New Userdialog box might resemble Figure 29-3

8 Click OK to create the user

Modifying and Deleting User Accounts

After you have created a user account, you can configure additional properties by clicking User Manager's Users tab, selecting the user, and clicking the Properties button to open the User Properties dialog box. To add the user to additional groups, click the Groups tab (see Figure 29-4). Click the check box next to the groups of which the user should be a member, then click the Apply button.

Figure 29-3 A newly created user account in User Manager.

Figure 29-4 Adding a user to additional groups.

Other account data you can modify from the User Properties window includes the basic user information you supplied when you created the user (the User Data tab), account information (the Account Info tab), and password expiration information (the Password Info tab). On the Account Info tab, click the Enable account expiration check box to set the user account's expiration date if you want the account to expire on a certain date. To prevent this user account from logging in, place a check mark in the User account is locked check box.

Click the Password Info tab to view and change the account password expiration information (see Figure 29-5). The date that the user last changed her password appears across the top of the tab. Click Enable password expiration to force a password change after a certain number of days, and then enter the number of days between required password changes in the Days before change required text box. You can also set the number of days before the user can change her password, the number of days before the user is warned to change her password, and the number of days before the account becomes inactive. When you have finished modifying the user account properties, click OK to apply the changes and close the User Properties dialog box.

Finally, to delete a user account, click the account to delete on User Manager's Users tab, and then click the Delete button.

Creating Group Accounts

To add a new user group, click the Add Group button. In the Create New Group dialog box, shown in Figure 29-6, type the name of the new group, and then click OK to create the group.

Posted: 07/07/2014, 09:20