An account, in the more specific sense, consists of the following:
• A valid username and password
• A home directory
• Shell access
When a user attempts to log in, Linux checks whether these prerequisites are met by examining the passwd file.
passwd
You can find passwd in the directory /etc. If you’ve been using Linux in a purely graphical environment and haven’t yet mastered command-line navigation, please see Figure 4.2. /etc/passwd consists of user account entries. For example:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
man:x:15:15:Manuals Owner:/:
majordom:x:16:16:Majordomo:/:/bin/false
postgres:x:17:17:Postgres User:/home/postgres:/bin/bash
nobody:x:65534:65534:Nobody:/:/bin/false
snoop:x:100:100:Nosey User:/home/snoop:/bin/bash
matt:x:500:500:Caldera OpenLinux User:/home/matt:/bin/bash

Basic Linux System Administration, Chapter 4 (page 99)
Linux Security Basics, Part I (page 100)
FIGURE 4.2
Finding /etc/passwd using a graphical file manager.
Each line stores one account record, and each record consists of seven fields. (Account fields are colon-delimited.) Let’s look at each field using the account assigned to user matt (the last line). Please see Figure 4.3.
Table 4.1 describes each field and its significance.
FIGURE 4.3
/etc/passwd is broken into seven colon-delimited fields: username, password, user ID, group ID, real name, user home, and user shell.
[Figure 4.3 shows the entry matt : x : 500 : 500 : Caldera OpenLinux User : /home/matt : /bin/bash, with the colons marked as field separators and the fields labeled: Field 1 username; Field 2 encrypted password or password token; Field 3 user ID (UID); Field 4 group ID (GID); Field 5 real name; Field 6 user home; Field 7 user shell.]

TABLE 4.1 /etc/passwd Fields and What They Signify

Field Significance

username Stores the user’s username. Consider creating usernames that closely resemble users’ real names. For example, if a user’s real name is Jack Sprat, make his username jsprat. This isn’t required, but it makes it easier to recognize users by their usernames. This is especially important in a business environment. Usernames can be only eight characters long and must be in lowercase letters.

password Stores the user’s login password. Different versions of Linux store the user password differently. Older Linux distributions store the user password in encrypted form (such as x1mmmFtgA8), whereas newer ones that employ shadowing store only a password token (x) and hide the encrypted password elsewhere. Learn more about password shadowing in Chapter 5, “Password Attacks.”

userID Stores the user’s user identification number (UID). This number attaches to the user’s processes. When you’re choosing a new user’s UID, you can assign any unique, arbitrary number from 0 to 65534 (do not use 0, which is root). However, it’s good practice not to make UIDs too arbitrary. Instead, reserve a block of numbers specifically for users and assign them sequentially. For example, you can restrict UIDs to numbers from 500–700. Your first user is 501, your second is 502, and so forth. That way, you can tell from a glance at a process list who is doing what. If the process list reports UIDs in the 500–700 range, you know which users own which processes. (In most cases, you won’t need to bother choosing the UID because many recent Linux administration tools do it for you.)

groupID Stores the user’s group identification number, which reflects the user’s native group. A user might or might not belong to other groups, but he always belongs to his native group. Different Linux distributions assign this field differently. Most distributions place all users in the same default group (users, for example). Caldera and Red Hat assign each user his or her own group, called a private group. Later in this chapter, we’ll explore groups in greater depth. Again, do not use 0 because it is root.

real name This field is traditionally called the General Electric Comprehensive Operating System field (GECOS), which stores the user’s real name, among other things. If you don’t set this, Linux will fill it in for you (as OpenLinux did in matt’s case). This field is mainly for reporting purposes, such as in response to finger queries. Note that you can define other information in the GECOS field, including the user’s work or home telephone number.

user home Stores the user’s home directory location (in this case, /home/matt). If, during installation, you created a special partition and directory (other than /home) for users, choose that. However, be sure to keep all user directories on the same partition under the same directory hierarchy. Unless you have a reason not to, you really should store user directories in /home.

user shell Stores the user’s default shell. This is the shell that the user is dropped into when he first logs in. If you loaded the entire Linux distribution, you have several choices here: ash, csh, bash, ksh, tcsh, zsh, and so on. However, try to restrict all users to a common shell. The more offbeat the shells you provide, the greater chance that crackers will find a hole in one of them.
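The seven-field format of Table 4.1 and the chapter’s advice on it (UID 0 belongs to root alone, a shadowed password field holds only the token x, user homes live under /home, and all users share a common shell) can be turned into a small audit of a passwd file. The following is an added example, not code from the book; the sample entries are constructed from the listing above plus two deliberately bad lines, and the allowed-shell set and the 500–700 user UID block are assumptions taken from the text.

```python
import collections

# Constructed sample: entries quoted in this chapter plus two bad lines (toor, jsprat) for the audit to flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
nobody:x:65534:65534:Nobody:/:/bin/false
snoop:x:100:100:Nosey User:/home/snoop:/bin/bash
matt:x:500:500:Caldera OpenLinux User:/home/matt:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
jsprat:x1mmmFtgA8:501:501:Jack Sprat:/home/jsprat:/bin/zsh
"""

FIELDS = ("username", "password", "uid", "gid", "gecos", "home", "shell")
# Assumed site policy: one common login shell plus /bin/false; the empty field appears on system accounts.
ALLOWED_SHELLS = {"/bin/bash", "/bin/false", ""}
USER_UIDS = range(500, 701)  # the chapter's suggested block for ordinary users


def parse_passwd(text):
    """Split each record into the seven colon-delimited fields of Table 4.1."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(parts)))
        rec = dict(zip(FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        records.append(rec)
    return records


def audit_passwd(records):
    """Return (account, finding) pairs for the risks the chapter describes."""
    findings = []
    uid_owners = collections.defaultdict(list)
    for r in records:
        uid_owners[r["uid"]].append(r["username"])
        if r["uid"] == 0 and r["username"] != "root":
            findings.append((r["username"], "UID 0 is reserved for root"))
        if r["password"] not in ("x", "*", "!"):  # anything else is an unshadowed hash
            findings.append((r["username"], "password hash stored in passwd, not shadowed"))
        if r["shell"] not in ALLOWED_SHELLS:
            findings.append((r["username"], "non-standard shell " + r["shell"]))
        if r["uid"] in USER_UIDS and not r["home"].startswith("/home/"):
            findings.append((r["username"], "user home outside /home"))
    for uid, names in uid_owners.items():
        if len(names) > 1:  # accounts sharing a UID are the same user to the kernel
            findings.append((",".join(names), "duplicate UID %d" % uid))
    return findings
```

Run it against a real file with audit_passwd(parse_passwd(open("/etc/passwd").read())); an empty result means none of the conditions above were found.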
But an entry in /etc/passwd is not the whole story. During the account creation process, you or your automated account management tool must also create directories, including the new user’s home directory, typically /home/user.
Furthermore, if you add accounts manually, you’ll need to copy default startup files (located in /etc/skel) to the new user’s home directory (and set the correct permissions).
/etc/skel on Red Hat 7.x resembles the following:
-rw-r--r-- 1 root root 24 Aug 22 12:46 .bash_logout
-rw-r--r-- 1 root root 230 Aug 22 12:46 .bash_profile
-rw-r--r-- 1 root root 124 Aug 22 12:46 .bashrc
-rw-r--r-- 1 root root 688 Aug 24 16:15 .emacs
drwxr-xr-x 3 root root 4096 Jan 8 19:51 .kde
-rw-r--r-- 1 root root 321 Aug 14 05:11 .kderc
-rw-r--r-- 1 root root 3651 Aug 15 12:10 .screenrc
drwxr-xr-x 5 root root 4096 Jan 8 19:51 Desktop
In their original state, these files are owned by root (see the earlier discussion). To prepare them for use by the new user, try this:
cp -r /etc/skel /home/newuser
chown -R newuser:newuser /home/newuser
# Files get 644 and directories 755. A recursive chmod 644 would also strip the execute (search) bit from subdirectories such as .kde and Desktop, leaving them inaccessible to the user.
find /home/newuser -type d -exec chmod 755 {} \;
find /home/newuser -type f -exec chmod 644 {} \;