Developer Forums | About Us | Site Map
Search  
HOME > TUTORIALS > SERVER SIDE CODING > ADMINISTRATION TUTORIALS > WINDOWS TO LINUX ROADMAP: PART 4 USER ADMINISTRATION


Sponsors





Useful Lists

Web Host
site hosted by netplex

Online Manuals

Windows-to-Linux roadmap: Part 4 User Administration
By Chris Walden - 2004-06-17 Page:  1 2 3 4

How users are organized

Linux configuration is text based. So all users in Linux reside in a file called /etc/passwd. You can view the file one page at a time with the more command:

more /etc/passwd

the /etc directory
Remember that most configuration files for Linux live in the /etc directory.

The construction of this file is fairly straightforward. Each line contains a new user with parameters separated by a colon.

userid:x:75000:75000::/home/userid:/bin/bash

The first column contains the user name. The second column contains the user's password. The third column contains the user's numeric id. The fourth column contains the numeric id for the user's primary group. The fifth column contains the user's full name, or a comment. The sixth column contains the location of the user's home directory. Normally this directory lives in the /home directory and has the same name as the user id. The seventh column contains the user's default console shell.

Password file structure

Login IDPasswordUser IDGroup IDCommentHome directoryDefault shell
useridx7500075000 /home/userid/bin/bash

Notice that the example above has an "x" in the Password column. This does not mean that the user has a password of "x." At one time passwords were normally stored in plain text within this file. This configuration is still possible, but it is rare because of the implications. The solution was to create something called a shadow password. An "x" is placed in the password portion of the /etc/passwd file, and an encrypted version of the password goes into the /etc/shadow file. This technique improved the security by separating the user information from the password data. The MD5 password encryption algorithm further improved security by allowing more robust passwords. An example of a shadow password entry is below:

Shadow passwords and user rights
One of the idiosyncrasies of Linux user management that is a legacy of the UNIX style is the password file. A user who logs in must be able to read the /etc/password file to see if his username exists. Having the passwords contained in the same file would enable potential crackers to discover passwords; they could download the /etc/passwd file and have the names and scrambled passwords to work on with a separate brute force tool. A shadow password file does not need to be world readable, so crackers would not have the passwords in any form to work with.

This approach is still not optimal, because it provides some user information to a potential cracker. A better option is to keep users in a separate repository such as LDAP.

userid:$1$z2NXZR19$PZpyL84DmPKBXMeURaXXM.:12138:0:186:7:::

All of the shadow password function is handled behind the scenes, and you will rarely need to do anything more with it than turn it on.

Groups

Groups in Linux are much the same as in Windows. You create a group and add members into the group's list. Then resources can have rights assigned by group. Members of a group have access to a resource associated with that group.

Creating a group is simple, using the console command groupadd:

groupadd mygroup

This will create a group with no members called "newgroup." Groups live in a file called /etc/group. Each group is listed on a separate line like the following:

mygroup:x:527:

The first column shows the name of the group. The second column is a password. Again, the "x" indicates that the real password is stored in a shadow file called /etc/gshadow. The third column is a numeric index for the group. Everything after the third column will be the group members' user ids separated by commas.

To add members to the group, use the gpasswd command with the -a switch and the user id you wish to add:

gpasswd -a userid mygroup

Remove users from a group with the same command, but a -d switch rather than -a:

gpasswd -d userid mygroup

It is also possible to make changes to groups by editing the /etc/group file directly.

Taking care in editing the passwd file
The real danger to editing the /etc/passwd and /etc/group file directly is accidental duplication of an id number. All resources use the id number rather than the name of the user or group. If you accidentally duplicate an id number, then you may grant access to things you did not intend. For example, if you change a user's id number to 0, which is root, when userid logs in, that userid will be root! Also if you delete a user or group line in the file, that user or group is deleted.

These are errors a human would make. The tools keep that straight. However, sometimes a quick edit to the /etc/group file is the quickest fix to a simple problem. Just bear in mind that you are dealing with some real power when you edit those files. Be careful.

Groups can be created, edited, and destroyed in Webmin with the same tool used above for working with users.

User and group associations

While this is not the place for a thorough discussion on access control, you will need some idea about how users and groups are applied to files. If you look at a long directory listing of a file, you'll see something like the following.

-rw-r--r-- 1 userid mygroup 703 Jun 23 22:12 myfile

Ignoring the other columns for the moment, look at the third, fourth, and last columns. The third column contains the name of the owner of the file, userid. The fourth column contains the group associated with the file, mygroup. The last column is the file name. Each file can have only one owner and one group. It is possible to assign rights to Other, the users who don't fall into either category. Think of Other as the equivalent of the Windows group Everyone.

A single file owner is common in operating systems, but the single group ownership feels limiting to administrators new to the technique. It is not. Since users can be members of any number of groups, it is simple to create new groups to handle resource security. In Linux, group definitions tend to be based more on the resource access required than on business units. If resources are logically organized on the system, then create more groups to finely tune access to resources.

More detailed information about associating users and groups is in the Resources section at the end of this article. For details on how to change file permissions, see man chmod.



View Windows-to-Linux roadmap: Part 4 User Administration Discussion

Page:  1 2 3 4 Next Page: Summary and Resources

First published by IBM developerWorks


Copyright 2004-2017 GrindingGears.com. All rights reserved.
Article copyright and all rights retained by the author.