Adding New Users to the System
Chapter six in the red Nemeth book does a nice job describing
the process. Here is an overview:
- Introduction
- Editing the /etc/passwd file
- Creating the initial password
- Creating the home directory
- Update the /etc/group file
- Copy default startup files into the user's home directory
- Update the mail database or other account databases
- Establish disk quotas
- Verify everything works and the user can log in
Unix really does a horrible job of managing accounts. Most other
operating systems have much better account management tools. Ideas
like password aging, account expiration, and usage statistics are all
missing from standard Unix. Some sites have created add-on utilities
to do this, but there is nothing generally available. Both VMS and
Novell have much better tools for this, although none is optimal.
While the commands are straightforward, managing a large number
of users is a complex task and can take up much of the System
Administrator's time. Most sites create tools to help automate
the account generation process.
Password entries are stored in the file /etc/passwd.
This file is an ASCII file that can be manipulated by any text editor.
However, you can create problems if you aren't careful and you
directly edit the file. For one thing, if you are editing the file
and a user updates their password entry, that change may be lost.
In earlier versions of Unix the password file could become corrupted
unless locked before editing. Under Berkeley Unix, the command
vipw was created. This command will lock the password file and
invoke your editor of choice; with this lock in place, users won't be able to
change their password while you are editing.
The SGI system provides a command named passmgmt to aid in updating
the password file.
We will discuss security problems later in the semester, but the fact
that the passwd file is world-readable is a huge security problem. The
information in the password file greatly simplifies someone breaking
into your system and should be protected.
The password file consists of seven fields, each separated
by a colon.
Below are a few lines from a password file:
root:pHANxgrZxfxfxf:0:0:UoMD Balt. Cnty; ACS,(410)455-2577,,:/:/bin/csh
sysadm:*LK*:0:0:System V Administration:/usr/admin:/bin/sh
jack:*:286:7:Jack Suess, x2582, ECS125:/umbc/staff/jack:/bin/tcsh
This is the list of fields in the file:
Creating the initial password
Never leave an account open with no password.
Use the command passwd or yppasswd to set a password for
someone. On SGI systems the passwd -l command will allow you to
lock (disable) an account.
System administrators should make sure they make a link from passwd to
whatever command actually handles password changes on your system.
However, it is important to keep the original passwd command
in some location, because occasionally the need arises to use it.
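The seven fields described above, and the "never leave an account open with no password" rule, can both be checked mechanically. The following is an added example, not code from the course notes: a small audit of /etc/passwd-style entries using awk, the usual tool for colon-separated files. The sample entries are constructed (the hashes are fake, and the guest and oper lines are made up to show problem cases); the finding names (OPEN, LOCKED, UID0, BADLINE) are this example's own.

```shell
# Added example (not part of the course notes): audit /etc/passwd-style
# entries. Each entry has seven colon-separated fields:
#   login:password:uid:gid:gecos:home:shell

# Constructed sample, modelled on the lines shown in the notes. The hashes
# are fake; "guest" and "oper" are invented to show the problem cases.
SAMPLE_PASSWD='root:pHANxgrZxfxfxf:0:0:UoMD Balt. Cnty; ACS,(410)455-2577,,:/:/bin/csh
sysadm:*LK*:0:0:System V Administration:/usr/admin:/bin/sh
jack:*:286:7:Jack Suess, x2582, ECS125:/umbc/staff/jack:/bin/tcsh
guest::300:7:Open guest account:/tmp:/bin/sh
oper:abcDEFghijklm:0:1:Second superuser login:/home/oper:/bin/sh'

# Print the seven fields of one entry with their names.
passwd_fields() {
    printf '%s\n' "$1" | awk -F: '{
        printf "login=%s password=%s uid=%s gid=%s gecos=%s home=%s shell=%s\n",
               $1, $2, $3, $4, $5, $6, $7 }'
}

# Print one line per entry: the login followed by its findings.
#   OPEN     empty password field: the account can be used with no password
#   LOCKED   password field is "*" or "*LK*": no hash can ever match it
#   UID0     uid 0 on a login other than root: another superuser account
#   BADLINE  wrong number of fields, which confuses every reader of the file
#   OK       none of the above
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        { findings = "" }
        NF != 7                   { print $1, "BADLINE"; next }
        $2 == ""                  { findings = findings " OPEN" }
        $2 == "*" || $2 == "*LK*" { findings = findings " LOCKED" }
        $3 == 0 && $1 != "root"   { findings = findings " UID0" }
        findings == ""            { findings = " OK" }
        { print $1 findings }'
}

# Count the entries that carry a given finding, e.g. count_finding "$text" OPEN
count_finding() {
    audit_passwd "$1" | awk -v f="$2" '
        { for (i = 2; i <= NF; i++) if ($i == f) n++ }
        END { print n + 0 }'
}

# When run directly, audit the constructed sample.
audit_passwd "$SAMPLE_PASSWD"
```

To check a real system, pass the live file in the same way, for example audit_passwd "$(cat /etc/passwd)"; the functions only read their input and print findings, so nothing is modified. Entries with a "*" or "*LK*" password field are the locked accounts the notes describe; an empty field is the open account the notes say must never exist.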
As root, any directory you create will be owned by root. As such
you must remember to change the ownership of the directory over to
the user you are creating it for with the chown and chgrp
commands. As an example, to create the directory /users/staff/jack
for user jack you would use the commands:
mkdir /users/staff/jack
chown jack /users/staff/jack
chgrp staff /users/staff/jack
chmod 700 /users/staff/jack
I recommend creating user directories with protection of 700. Users can
always open up their own directory later if they want to grant access.
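The four commands above, wrapped into a function that also reads the result back and checks it, is the form most sites end up with once they automate account creation. This is an added example, not a script from the course notes; it assumes it is run as root for a real user (the ownership checks are read back from ls -ld, which is why no root privilege is needed to try it on a scratch directory owned by yourself).

```shell
# Added example (not part of the course notes): create a user's home
# directory and confirm ownership and mode before handing it over.
# Assumptions: run as root for a real user; the parent directory already
# exists; the names are plain login and group names.

make_home() {                         # make_home /users/staff/jack jack staff
    dir=$1; user=$2; group=$3
    if [ -e "$dir" ]; then
        echo "make_home: $dir already exists, refusing to touch it" >&2
        return 1
    fi
    mkdir "$dir"          || return 1   # created by root, so owned by root for now
    chown "$user" "$dir"  || return 1   # hand it to the user
    chgrp "$group" "$dir" || return 1   # and to their group
    chmod 700 "$dir"      || return 1   # owner only; the user can relax this later
    verify_home "$dir" "$user" "$group"
}

# Read mode, owner and group back with ls -ld and compare with what was asked
# for. Prints "ok", or a description of the first mismatch and returns 1.
verify_home() {
    dir=$1; user=$2; group=$3
    set -- $(ls -ld "$dir")           # mode links owner group size ...
    case "$1" in
        drwx------*) ;;               # 700, allowing a trailing ACL marker such as + or @
        *) echo "bad mode $1 on $dir"; return 1 ;;
    esac
    [ "$3" = "$user" ]  || { echo "bad owner $3 on $dir"; return 1; }
    [ "$4" = "$group" ] || { echo "bad group $4 on $dir"; return 1; }
    echo ok
}
```

The refusal to reuse an existing directory is deliberate: if the path already exists, it may belong to someone else or contain files, and chown would silently hand all of it to the new user.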
If you must add the user to additional groups, or create their default group,
then you must update the /etc/group file.
Here is a sample from the group file:
wwwbiol:*:223:viancour,ellis,sschne1,sandoz
iris:*:100:pauld,david,jack
The group file has four fields: groupname, password, group id, and members.
Like the password file, this file uses colons to separate the fields.
Some things to consider:
- The group password is no longer used and uses an asterisk as a placeholder.
- Members are added to the end of the line and are comma-separated.
- Users are limited to either a maximum of 8 or 16 group memberships.
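Adding a member to the end of a group line, and watching the membership limit, are the two edits the group file needs most often. The following is an added example, not code from the course notes: two awk helpers that work on group-file text passed in and print the result, so they can be tried on a copy first. The sample is constructed from the two lines shown above plus a staff group, so that one user has more than one membership.

```shell
# Added example (not part of the course notes): helpers for /etc/group-style
# text, working on the four colon-separated fields
#   groupname:password:gid:member,member,...

# Constructed sample: the two lines from the notes plus a staff group.
SAMPLE_GROUP='wwwbiol:*:223:viancour,ellis,sschne1,sandoz
iris:*:100:pauld,david,jack
staff:*:7:jack'

# Add a user to a group's member list; the line is left alone if the user
# is already a member. Prints the whole updated file.
add_member() {                        # add_member "$groupfile_text" groupname user
    printf '%s\n' "$1" | awk -F: -v g="$2" -v u="$3" 'BEGIN { OFS = ":" }
        $1 == g {
            if ($4 == "")                                 $4 = u
            else if (index("," $4 ",", "," u ",") == 0)   $4 = $4 "," u
        }
        { print }'
}

# List users with more memberships than the limit (8 or 16 on the systems
# the notes describe), one "user count" per line. Malformed lines are reported.
over_limit() {                        # over_limit "$groupfile_text" limit
    printf '%s\n' "$1" | awk -F: -v limit="$2" '
        NF != 4 { print "BADLINE", $1; next }
        $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) count[m[i]]++
        }
        END { for (u in count) if (count[u] > limit) print u, count[u] }'
}

# When run directly: show iris with a new member added.
add_member "$SAMPLE_GROUP" iris newuser
```

To apply a change to the real file, write the output to a temporary file and move it into place, rather than editing /etc/group in place while other tools may be reading it.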
While not required, it is often useful to copy in a set of default
startup files. Which files need to be copied depends on the shell used.
In general, these three files are usually found:
.cshrc - csh command aliases, path, umask, shell variables
.login - terminal type, environment variables
.profile - sh/ksh command aliases, path, umask, shell variables
On our systems we place a line at the bottom that will source another
startup file. In this fashion we can make updates without having to
propagate new startup files to everyone. Many systems have something like
this with the file /etc/cshrc. We use both of these; a problem with
the /etc/cshrc file is that it executes before the user executes
their .cshrc file. Thus updates to the path can be lost.
Many sites create a mail alias for each user in the file
/usr/etc/aliases. This file will contain an alias so that
firstname_lastname maps to the person's username.
Also, if you use system accounting and bill users now is the time
to update whatever database files you use to track people and set
billing rates.
Until recently, disk quotas were not part of standard Unix; however, without
them it is often impossible to control disk space usage. Quotas are enabled
on a file system when the file system is mounted (we will discuss this
when we go over NFS later). To limit the space a user can have on a
filesystem it is necessary to create a disk quota value for them. The
command edquota will do this. To examine someone's disk quota use
the command quota.
Edquota allows you to set a soft and hard limit. The soft limit will allow
people to create additional files but will warn them on login that they are
over quota. Users have seven days to move back under their soft limit or
they will not be able to create new files. Once the hard limit is reached
no additional space will be allocated to the user. Thus the hard limit should
always be greater than the soft limit. In addition, you can control
the number of files a user can create. Edquota will invoke your default
editor and allow you to update the quota value.
Many sites create a prototype quota and then set users to that
prototype value via the command edquota -p proto-user username.
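The soft/hard rules above are easy to misread, so here they are written out as a function that can be run against a usage table before any quotas are set. This is an added example, not code from the course notes or from the quota tools themselves; it assumes the seven-day grace period the notes describe, sizes in whatever unit the quota system reports, and a constructed usage table (it does not read the output of the real quota command, whose format varies between systems).

```shell
# Added example (not part of the course notes): the soft/hard limit policy
# as a function. usage, soft and hard are in the quota system's units;
# days_over is how long the user has been above the soft limit.
# Assumption: the grace period is exactly seven days, as the notes state.
GRACE_DAYS=7

quota_state() {                       # quota_state usage soft hard days_over
    usage=$1; soft=$2; hard=$3; days_over=$4
    if [ "$hard" -le "$soft" ]; then
        echo "quota_state: hard limit $hard must be greater than soft limit $soft" >&2
        return 1
    fi
    if [ "$usage" -ge "$hard" ]; then
        echo blocked                  # hard limit: no more space is allocated
    elif [ "$usage" -gt "$soft" ]; then
        if [ "$days_over" -ge "$GRACE_DAYS" ]; then
            echo blocked              # grace period used up: no new files
        else
            echo "warn $((GRACE_DAYS - days_over)) days left"
        fi
    else
        echo ok                       # at or under the soft limit
    fi
}

# Constructed usage table: "user usage soft hard days_over", one user per line.
SAMPLE_USAGE='jack 4200 5000 6000 0
david 5300 5000 6000 2
pauld 5300 5000 6000 7
ellis 6000 5000 6000 1'

# Run quota_state over the whole table, printing "user state" per line.
quota_report() {
    printf '%s\n' "$1" | while read -r user usage soft hard days; do
        printf '%s %s\n' "$user" "$(quota_state "$usage" "$soft" "$hard" "$days")"
    done
}

# When run directly, report on the constructed table.
quota_report "$SAMPLE_USAGE"
```

The check that the hard limit exceeds the soft limit is the one the notes insist on; a prototype user created with edquota and copied to others with edquota -p is a good place to enforce it once, since every copied quota inherits the same pair of limits.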