To add a new user to a password-shadowed system, use the useradd utility, which handles entries to /etc/passwd, /etc/group, and /etc/shadow.

Application: useradd (/usr/sbin/useradd)
Required: useradd
Config Files: None. This is part of the shadow package.
Security History: useradd does have a significant security history. Early versions could potentially create a UID of 0 (root) if you didn't explicitly specify a user's UID with the -u option (see the command-line option summary later in the chapter). This is an old bug (circa 1995), so it's unlikely to affect your version. However, if you're using an older Linux distribution, you should check. The problem was reported in shadow version 3.3.1. Additionally, both shadow 3.3.1 and 3.3.2 were proven to have serious security issues regarding SUID files and login.

useradd takes multiple arguments and options. These options are summarized in Table 5.5.
TABLE 5.5 useradd Command-Line Options

Option                    Purpose
-b                        This option is rarely used. Use it to specify an initial directory for users who have no home directory. (In other words, this directory will be the first directory they're dropped into when they log in.)
-c [comment]              Use this option to specify the user's real name or, alternatively, a comment. (The text you provide will fill the gecos or comment field in /etc/passwd.)
-d [dir]                  Use this option to specify the new user's home directory.
-e [expiration-date]      Use this option to specify the date on which the new user's password will expire. For this, you can use almost any standard date format, including MM/DD/YY, or even long format, as in January 1, 2000. However, if you do use long format or any other format that includes whitespace, you must enclose the date in quotation marks. Consider enforcing expirations at least every 90 days.
-f [inactivity-lockout]   Use this option to specify how many days can pass without the user logging in before the account is disabled. This value must be expressed in days. For example, -f 90 will lock the account after 90 days of inactivity.
                          Note: If you expect an account to be dormant for more than 120 days at a time, consider deactivating it until the user actually needs it. Dormant accounts are an open invitation to attackers. You can hide inactivity from outsiders to some extent by disabling finger, but in general, this is only marginally effective. Certainly, local users can pull the lastlog records to determine when a user last logged in (last username).
-G [additional-group]     Use this option to assign the user to additional groups above and beyond his primary group.
-g [group]                Use this option to assign the user to a particular group. This will be his primary group; one to which he'll always belong.
-m                        Use this option to force useradd to create the new user's home directory.
-s [shell]                Use this option to specify the new user's default shell (usually /bin/bash).
-u [uid]                  Use this option to specify the new user's UID.

NOTE
Depending on your Linux distribution and how well integrated it is with shadowing, several of the preceding utilities might not be available. This includes pwchk, pwconv, and pwunconv, among others. Recent distributions handle most password administration tasks via graphical tools that greatly simplify your experience. When in doubt, try searching the manual pages (man -k passwd, man -k shadow).

For more information on how to use the Linuxconf graphic administration tool for user accounts, please see Chapter 4. If you have a supported Linux distribution (which you almost certainly do), you can perform all shadow/non-shadow administration functions from within an easy-to-use GUI.
If you call useradd without arguments, it prints a usage summary:

usage: useradd [-u uid [-o]] [-g group] [-G group,...]
               [-d home] [-s shell] [-c comment] [-m [-k template]]
               [-f inactive] [-e expire ] [-p passwd] [-n] [-r] name
       useradd -D [-g group] [-b base] [-s shell]
               [-f inactice] [-e expire]
Here's a minimal command line that will create a user entry with a full name, a specific user ID, and a specific group ID:

/usr/sbin/useradd jsprat -m -c "Jack Sprat" -u 510 -g 100 -s /bin/bash
In /etc/passwd, jsprat is added to the user list, along with his UID, GID, real name, home, and shell:

bigdave:x:100:100:Big Dave:/home/bigdave:/bin/bash
jackie:x:101:100:Jackie:/home/jackie:/bin/bash
jsprat:x:610:610:Jack Sprat:/home/jsprat/:/bin/bash
In /etc/shadow, jsprat is also added to the user list. However, note that his password was not automatically generated:

root:lLOTWOUA.YC2o:10713:0::7:7::
bin:*:10713:0::7:7::
daemon:*:10713:0::7:7::
adm:*:10713:0::7:7::
lp:*:10713:0::7:7::
sync:*:10713:0::7:7::
shutdown:*:10713:0::7:7::
halt:*:10713:0::7:7::
mail:*:10713:0::7:7::
news:*:10713:0::7:7::
uucp:*:10713:0::7:7::
operator:*:10713:0::7:7::
games:*:10713:0::7:7::
gopher:*:10713:0::7:7::
ftp:*:10713:0::7:7::
man:*:10713:0::7:7::
majordom:*:10713:0::7:7::
postgres:*:10713:0::7:7::
nobody:*:10713:0::7:7::
bigdave:aNi7cQR3XSTmc:10713:0::7:7::
jackie:7PbiWxVa5Ar9E:10713:0:-1:7:-1:-1:1073897392
jsprat:*not set*:10715:0:-1:7:-1:-1:
Remember this when you're creating a user: useradd does not generate passwords. Instead, you must generate the user's password after creating his account. The procedure for this is precisely the same as for creating a user's password on a non-shadowed system. Use the passwd command:

[root@linuxbox2 /root]# passwd jsprat
Enter new UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
Afterward, when you check /etc/shadow, you'll find that the user's password information has been updated:

bigdave:aNi7cQR3XSTmc:10713:0::7:7::
jackie:7PbiWxVa5Ar9E:10713:0:-1:7:-1:-1:1073897392
jsprat:cALtUMRf40VbU:10715:0:-1:7:-1:-1:1073897392
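As an added check (example code, not from the book or the shadow suite), the following Python parses passwd- and shadow-format lines modelled on the output above and reports the conditions this section warns about: a non-root account with UID 0 (the old useradd bug), an account whose password field is empty or not yet set, and a password whose shadow maximum-age field does not enforce the 90-day expiration suggested for -e. The sample data and the "toor" account are constructed for the example.

```python
# Added example (not from the book or the shadow suite). Sample data below is
# constructed after the book's output; "toor" is an invented UID 0 account.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bigdave:x:100:100:Big Dave:/home/bigdave:/bin/bash
toor:x:0:0:Toor:/home/toor:/bin/bash
jsprat:x:610:610:Jack Sprat:/home/jsprat/:/bin/bash
"""
SHADOW = """root:lLOTWOUA.YC2o:10713:0::7:7::
bigdave:aNi7cQR3XSTmc:10713:0:60:7:-1:-1:1073897392
toor::10713:0::7:7::
jsprat:*not set*:10715:0:-1:7:-1:-1:
"""

def parse_passwd(text):
    """Map user name -> numeric UID from passwd-format lines."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, uid = line.split(":")[:3]
        users[name] = int(uid)
    return users

def parse_shadow(text):
    """Map user name -> (hash field, max password age); fields are
    name:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    entries = {}
    for line in filter(None, text.splitlines()):
        f = (line.split(":") + [""] * 9)[:9]
        max_age = None if f[4] in ("", "-1") else int(f[4])  # empty/-1: unlimited
        entries[f[0]] = (f[1], max_age)
    return entries

def audit(passwd_text, shadow_text, max_age=90):
    """Return (user, problem) pairs; max_age follows the 90-day advice above."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, uid in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))  # the old useradd bug
        if name not in shadow:
            findings.append((name, "missing from /etc/shadow"))
            continue
        pw, limit = shadow[name]
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw.startswith(("*", "!")):
            findings.append((name, "no usable password yet; run passwd"))
        if limit is None or limit > max_age:
            findings.append((name, "no password expiration within %d days" % max_age))
    return findings
```

Run against the real files as root (`audit(open("/etc/passwd").read(), open("/etc/shadow").read())`) to list accounts that still need a password or an expiration policy.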
After you’ve created the new user’s account and password, your next step is to seed his directory with vital startup files. Let’s quickly cover that issue now.
The shadow suite's author has written a script that handles interaction between useradd and passwd for convenience. You can find this script in the shadow suite's HOWTO under Section 7.1, "Adding, Modifying, and Deleting Users."