path: root/sag-0.6.1-www/sag-0.6.1.html/x2031.html
Diffstat (limited to 'sag-0.6.1-www/sag-0.6.1.html/x2031.html')
-rw-r--r--sag-0.6.1-www/sag-0.6.1.html/x2031.html537
1 files changed, 537 insertions, 0 deletions
diff --git a/sag-0.6.1-www/sag-0.6.1.html/x2031.html b/sag-0.6.1-www/sag-0.6.1.html/x2031.html
new file mode 100644
index 0000000..8d4adf5
--- /dev/null
+++ b/sag-0.6.1-www/sag-0.6.1.html/x2031.html
@@ -0,0 +1,537 @@
+<!DOCTYPE HTML PUBLIC "-//Norman Walsh//DTD DocBook HTML 1.0//EN">
+<HTML
+><HEAD
+><TITLE
+>Creating a user</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet"><LINK
+REL="HOME"
+TITLE="The Linux System Administrators' Guide"
+HREF="book1.html"><LINK
+REL="UP"
+TITLE="Managing user accounts"
+HREF="c2018.html"><LINK
+REL="PREVIOUS"
+TITLE="Managing user accounts"
+HREF="c2018.html"><LINK
+REL="NEXT"
+TITLE="Changing user properties"
+HREF="x2124.html"></HEAD
+><BODY
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>The Linux System Administrators' Guide</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="c2018.html"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+>Chapter 9. Managing user accounts</TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="x2124.html"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN2031"
+>Creating a user</A
+></H1
+><P
+> The Linux kernel itself treats users are mere numbers.
+ Each user is identified by a unique integer, the <I
+CLASS="GLOSSTERM"
+>user
+ id</I
+> or <I
+CLASS="GLOSSTERM"
+>uid</I
+>, because numbers are
+ faster and easier for a computer to process than textual names.
+ A separate database outside the kernel assigns a textual name,
+ the <I
+CLASS="GLOSSTERM"
+>username</I
+>, to each user id. The database
+ contains additional information as well. </P
+><P
+> To create a user, you need to add information about
+ the user to the user database, and create a home directory for
+ him. It may also be necessary to educate the user, and set up
+ a suitable initial environment for him. </P
+><P
+> Most Linux distributions come with a program for
+ creating accounts. There are several such programs available.
+ Two command line alternatives are <B
+CLASS="COMMAND"
+>adduser</B
+>
+ and <B
+CLASS="COMMAND"
+>useradd</B
+>; there may be a GUI tool as well.
+ Whatever the program, the result is that there is little if
+ any manual work to be done. Even if the details are many and
+ intricate, these programs make everything seem trivial. However,
+ <A
+HREF="x2031.html#MANUAL-ADDUSER"
+>the section called <I
+>Creating a user by hand</I
+></A
+> describes how to do it by hand.
+ </P
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2042"
+><TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> and other informative files</A
+></H2
+><P
+> The basic user database in a Unix system is the text file,
+ <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> (called the <I
+CLASS="GLOSSTERM"
+>password
+ file</I
+>), which lists all valid usernames and their
+ associated information. The file has one line per username,
+ and is divided into seven colon-delimited fields:
+
+ <P
+></P
+><UL
+><LI
+><P
+>Username.</P
+></LI
+><LI
+><P
+>Password, in an encrypted form.</P
+></LI
+><LI
+><P
+>Numeric user id.</P
+></LI
+><LI
+><P
+>Numeric group id.</P
+></LI
+><LI
+><P
+>Full name or other description of account.</P
+></LI
+><LI
+><P
+>Home directory.</P
+></LI
+><LI
+><P
+>Login shell (program to run at login).</P
+></LI
+></UL
+>
+
+ The format is explained in more detail on the
+ <TT
+CLASS="FILENAME"
+>passwd</TT
+> manual page. </P
+><P
+> Any user on the system may read the password file,
+ so that they can, for example, learn the name of another user.
+ This means that the password (the second field) is also available
+ to everyone. The password file encrypts the password, so in
+ theory there is no problem. However, the encryption is breakable,
+ especially if the password is weak (e.g., it is short or it can
+ be found in a dictionary). Therefore it is not a good idea to
+ have the password in the password file. </P
+><P
+> Many Linux systems have <I
+CLASS="GLOSSTERM"
+>shadow passwords</I
+>. This is
+ an alternative way of storing the password: the encrypted
+ password is stored in a separate file, <TT
+CLASS="FILENAME"
+>/etc/shadow</TT
+>,
+ which only root can read. The <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+>
+ file only contains a special marker in the second field.
+ Any program that needs to verify a user is setuid, and
+ can therefore access the shadow password file. Normal
+ programs, which only use the other fields in the password
+ file, can't get at the password.
+
+ <A
+NAME="AEN2069"
+HREF="#FTN.AEN2069"
+>[1]</A
+>
+
+ </P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2072"
+>Picking numeric user and group ids</A
+></H2
+><P
+> On most systems it doesn't matter what the numeric user
+ and group ids are, but if you use the Network filesystem (NFS),
+ you need to have the same uid and gid on all systems. This
+ is because NFS also identifies users with the numeric uids.
+ If you aren't using NFS, you can let your account creation tool
+ pick them automatically. </P
+><P
+> If you are using NFS, you'll have to be invent a mechanism
+ for synchronizing account information. One alternative is to
+ the NIS system (see XXX network-admin-guide). </P
+><P
+> However, you should try to avoid re-using numeric uid's
+ (and textual usernames), because the new owner of the uid (or
+ username) may get access to the old owner's files (or mail,
+ or whatever). </P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN2077"
+>Initial environment: <TT
+CLASS="FILENAME"
+>/etc/skel</TT
+></A
+></H2
+><P
+> When the home directory for a new user is created, it is
+ initialized with files from the <TT
+CLASS="FILENAME"
+>/etc/skel</TT
+>
+ directory. The system administrator can create files in
+ <TT
+CLASS="FILENAME"
+>/etc/skel</TT
+> that will provide a nice
+ default environment for users. For example, he might create a
+ <TT
+CLASS="FILENAME"
+>/etc/skel/.profile</TT
+> that sets the EDITOR
+ environment variable to some editor that is friendly towards
+ new users. </P
+><P
+> However, it is usually best to try to keep
+ <TT
+CLASS="FILENAME"
+>/etc/skel</TT
+> as small as possible, since it
+ will be next to impossible to update existing users' files. For
+ example, if the name of the friendly editor changes, all existing
+ users would have to edit their <TT
+CLASS="FILENAME"
+>.profile</TT
+>. The
+ system administrator could try to do it automatically, with a
+ script, but that is almost certain going to break someone's file.
+ </P
+><P
+> Whenever possible, it is better to put global configuration
+ into global files, such as <TT
+CLASS="FILENAME"
+>/etc/profile</TT
+>. This
+ way it is possible to update it without breaking users'
+ own setups. </P
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="MANUAL-ADDUSER"
+>Creating a user by hand</A
+></H2
+><P
+> To create a new account manually, follow these steps:
+
+
+ <P
+></P
+><UL
+><LI
+><P
+> Edit <TT
+CLASS="FILENAME"
+>/etc/passwd</TT
+> with
+ <B
+CLASS="COMMAND"
+>vipw</B
+> and add a new line for the new account. Be
+ careful with the syntax. <I
+CLASS="EMPHASIS"
+>Do not edit directly with an
+ editor!</I
+> <B
+CLASS="COMMAND"
+>vipw</B
+> locks the file, so
+ that other commands won't try to update it at the same time. You
+ should make the password field be `<TT
+CLASS="LITERAL"
+>*</TT
+>', so
+ that it is impossible to log in. </P
+></LI
+><LI
+><P
+> Similarly, edit <TT
+CLASS="FILENAME"
+>/etc/group</TT
+>
+ with <B
+CLASS="COMMAND"
+>vigr</B
+>, if you need to create a new group
+ as well. </P
+></LI
+><LI
+><P
+> Create the home directory of the user with
+ <B
+CLASS="COMMAND"
+>mkdir</B
+>. </P
+></LI
+><LI
+><P
+> Copy the files from
+ <TT
+CLASS="FILENAME"
+>/etc/skel</TT
+> to the new home directory.
+ </P
+></LI
+><LI
+><P
+> Fix ownerships and permissions with
+ <B
+CLASS="COMMAND"
+>chown</B
+> and <B
+CLASS="COMMAND"
+>chmod</B
+>. The
+ <SPAN
+CLASS="OPTION"
+>-R</SPAN
+> option is most useful. The correct
+ permissions vary a little from one site to another, but usually
+ the following commands do the right thing:
+
+<PRE
+CLASS="SCREEN"
+><TT
+CLASS="USERINPUT"
+><B
+>cd /home/newusername
+chown -R username.group .
+chmod -R go=u,go-w .
+chmod go= .</B
+></TT
+></PRE
+>
+
+ </P
+></LI
+><LI
+><P
+> Set the password with <B
+CLASS="COMMAND"
+>passwd</B
+>.
+ </P
+></LI
+></UL
+>
+ </P
+><P
+> After you set the password in the last step, the account
+ will work. You shouldn't set it until everything else has been
+ done, otherwise the user may inadvertently log in while you're
+ still copying the files. </P
+><P
+> It is sometimes necessary to create dummy
+ accounts
+
+ <A
+NAME="AEN2122"
+HREF="#FTN.AEN2122"
+>[2]</A
+>
+
+ that are not used by people. For example, to set up an anonymous
+ FTP server (so that anyone can download files from it, without
+ having to get an account first), you need to create an account
+ called ftp. In such cases, it is usually not necessary to set
+ the password (last step above). Indeed, it is better not to, so
+ that no-one can use the account, unless they first become root,
+ since root can become any user. </P
+></DIV
+></DIV
+><H3
+>Notes</H3
+><TABLE
+BORDER="0"
+CLASS="FOOTNOTES"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+WIDTH="5%"
+><A
+NAME="FTN.AEN2069"
+HREF="x2031.html#AEN2069"
+>[1]</A
+></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+WIDTH="95%"
+><P
+>Yes, this means that the
+ password file has all the information about a user
+ <I
+CLASS="EMPHASIS"
+>except</I
+> his password. The wonder
+ of development.</P
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+WIDTH="5%"
+><A
+NAME="FTN.AEN2122"
+HREF="x2031.html#AEN2122"
+>[2]</A
+></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+WIDTH="95%"
+><P
+>Surreal users?</P
+></TD
+></TR
+></TABLE
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="c2018.html"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="book1.html"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="x2124.html"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Managing user accounts</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="c2018.html"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Changing user properties</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
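Review bot: the new page ships with an unresolved placeholder and several wording slips in the section bodies that should be fixed before this is published. In "Picking numeric user and group ids" the sentence `One alternative is to the NIS system (see XXX network-admin-guide).` still carries the `XXX` cross-reference marker and is missing a verb ("One alternative is to use the NIS system"); in the same section `you'll have to be invent a mechanism` should drop "be". The opening paragraph reads `The Linux kernel itself treats users are mere numbers.` and should say "as mere numbers", and the /etc/skel section's "almost certain going to break" should be "almost certainly going to break". In the "Creating a user by hand" SCREEN block, the example `chown -R username.group .` uses the dot as the user/group separator; GNU chown documents the colon form (`username:group`) as the supported syntax and treats the dot as a compatibility fallback that is ambiguous when a username itself contains a dot, so the colon form is the safer one to document. Minor: the file is added without a trailing newline.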