Adding Users
This contains links to information used in the lectures.
This is a routine operation and may well be automated, either using
scripts or a vendor-supplied systems administration tool such as
SAM in HP-UX. The specific details will depend on the platform and
on whether NIS is running or secure passwords are implemented.
On a generic system without these added features, adding a user consists
of operations such as:
- Required:
    - Add an entry in the password file (/etc/passwd)
    - Set an initial password
    - Create the user's home directory and set the ownership, group and
      permissions correctly
- To create a standard environment for the user:
    - Copy default startup files (.login, .profile, .cshrc)
      to the user's home directory
    - Set the user's mail home and establish mail aliases
- To assist the systems administrator:
    - Add the user to the /etc/group file
    - Set disk quotas
    - Record accounting information (if needed)
    - Enter the user in the site-wide user database
    - Enter contact information in the local phone book
    - Verify that the account is set up correctly
The CD-ROM contains an adduser script which attempts to automate
these processes.
Add an entry in the password file (/etc/passwd)
/etc/passwd contains the following information for each user:
- login name
- encrypted password
- numerical user ID (UID)
- numerical group ID (GID)
- reserved field, which can be used for identification (GECOS field)
- initial working directory (home directory)
- program to use as shell
The format is
root:*:0:3:The Big Guy,143 MSB:/:/bin/sh
daemon:*:1:5::/:/bin/sh
farrell:*:100:15:Paul Farrell,258 MSB,x258,:/users/research/farrell/farrell:/bin/csh
stack:*:101:15:Olaf P. Stackelberg,MSB 347,x347,6785793:/users/fac/stack:/bin/csh
pwang:*:102:15:Paul S. Wang,MSB 236A,x110,:/users/research/wang/pwang:/usr/local/bin/tcsh
Note that each entry in /etc/passwd must be on one line.
Each field within each user's entry is separated from the next by a colon.
Login name
These must be unique and no more than 8 characters long. They may include
numbers, except in position 1. They are case sensitive. A login name
with only uppercase letters causes Unix to set the terminal to
upper case only (an artifact of the early days).
It is a good idea to have some standard way of forming login names.
In the case of long names, or when otherwise desired, /etc/aliases
can be used to equate two versions of a name.
Many sites have a global mail alias file, for example on a mail server
(such as ns here). Note that each new login name must be
unique not only in the password file, but also with respect to any
aliases in a local or global mail alias file.
On a network, login names should be doubly unique, that is:
- a user should have the same login name on each machine
- a particular login name should always belong to the same user
Failure to observe this rule can lead to serious security problems.
Encrypted password
If the password field is null and
the system has not been converted to a trusted system, no password is
demanded.
When setting up an account, either copy a standard encrypted password
or set the password to "*" to prevent unauthorized use of the account.
Then use passwd to set the password appropriately.
/etc/passwd is world readable. This provides an opportunity to
collect and try to break encrypted passwords (for example using
a password cracker).
Many systems now implement secure passwords. In this case
the password is not stored in the password file, but in some
other file, which is not world readable. This is very system dependent
both in name and format.
User ID
uid is the user's numerical ID for the system,
which must be unique. uid is generally a
value between 0 and 32767.
A particular uid should always refer to the same user on all machines
on a network. UID 0 is reserved for root, and traditionally the
lower numbers are kept for system programs. It is recommended that
human users start at 100.
It is a good idea to avoid reusing UIDs, since this avoids confusion
when backups are restored.
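As an added example (not from the notes or the CD-ROM adduser script), a shell function that audits a passwd-format file against the login name, password field and UID rules above and also reports login names that clash with entries in an aliases file; the two sample files it checks are constructed here from the entries shown in the notes.

```shell
# Audit a passwd-format file: prints one "login: reason" line per problem,
# nothing when the file is clean. Arguments: passwd file, aliases file.
audit_passwd() {
    awk -F: '
    # First file (the aliases): collect the names before the colon
    FILENAME == ARGV[1] { sub(/[ \t]+$/, "", $1); if ($1 != "") alias[$1] = 1; next }
    {
        login = $1
        if (NF != 7) { print login ": entry must have 7 colon-separated fields on one line"; next }
        if (length(login) > 8) print login ": login name longer than 8 characters"
        if (login ~ /^[0-9]/) print login ": login name may not start with a digit"
        if (login ~ /^[A-Z]+$/) print login ": all-uppercase login name puts the terminal in upper-case mode"
        if ($2 == "") print login ": empty password field, no password will be demanded"
        if (login in seen) print login ": duplicate login name"
        seen[login] = 1
        if ($3 in uid) print login ": UID " $3 " already used by " uid[$3]
        else uid[$3] = login
        if (login in alias) print login ": login name clashes with a mail alias"
        if ($7 != "" && $7 !~ /^\//) print login ": shell is not an absolute path"
    }' "$2" "$1"
}

# Constructed sample files, modelled on the entries shown in the notes,
# with a few deliberate mistakes for the audit to find.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:*:0:3:The Big Guy,143 MSB:/:/bin/sh
daemon:*:1:5::/:/bin/sh
farrell:*:100:15:Paul Farrell,258 MSB,x258,:/users/research/farrell/farrell:/bin/csh
stack:*:101:15:Olaf P. Stackelberg,MSB 347,x347,6785793:/users/fac/stack:/bin/csh
guest::102:15:Guest account:/users/guest:/bin/sh
paulw:*:101:15:Duplicate UID:/users/paulw:/bin/csh
stackelberg:*:103:15:Name too long:/users/fac/stackelberg:csh
EOF
    cat > "$dir/aliases" <<'EOF'
pwang: pwang@monkey
paulw: pwang
EOF
    audit_passwd "$dir/passwd" "$dir/aliases"
    rm -r "$dir"
}

demo
```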
Group ID
gid is the numerical ID of the group that the user belongs to. gid is
generally a value between 0 and 32767.
GID 0 is reserved for root (wheel) and 1 is usually reserved for
daemon.
Groups are defined in /etc/group.
GECOS or GCOS field
Originally used for batch submission information for mainframes running
GECOS, now it is used for
the user's real name, along with information to pass along in a
mail-message heading.
On BSD systems a & in this field stands for the
login name (in cases where the login name
appears in a user's real name).
The finger command expects comma-delimited fields in this order:
- Full name
- Office number and building
- Office phone extension
- Home phone number
These fields can be changed with chfn. They are not
reliable, since users can enter whatever they wish. Some examples:
Richard S. Varga,MSB 236C,x113,8422763
Leo Holmberg, ,7966,
Parthasarathy Rajagopal, , ,
Greg Madey,BSA, ,
Gerhard Starke,,,
Rob Leggett,linux1.3.2,829-7523,499-0510
HasNoName,,,
Home directory
Users are placed in their home directory when they log in.
If it is missing, a message such as "no home directory" will be
printed; logins may be disallowed or the user may be put in the root
directory.
Server or network problems may result in NFS-mounted home directories
being unavailable.
Home directories are usually named with the user's login name, and
should be read, write and executable by the user.
Shell
Normally a standard shell (sh, csh, tcsh, ksh, etc.), but it can be a
restricted shell or a program, for example:
http:*:71:5::/usr/local/http-data:/bin/false
uucp:*:5:3::/usr/spool/uucppublic:/usr/lib/uucp/uucico
If the shell field is null, /usr/bin/sh is used. To prevent use as
a login account, set the shell to /bin/false.
chsh is a command similar to passwd, but it changes the login
shell field of the password file rather than the password entry (see
passwd(1)). The shell, if given, must be an absolute path name.
On HP-UX systems, if the
file /etc/shells exists, the new login shell must be listed in that
file. Otherwise one of the shells listed in the getusershell(3C)
manual entry can be specified as the shell. If no shell is specified,
the shell reverts to the default login shell /bin/sh.
On SunOS systems, if /etc/shells
does not exist, the only shells that may be specified are
/bin/sh and /bin/csh.
vipw edits the password file while setting the appropriate locks, and
does any necessary processing after the password file is unlocked. If
the password file is already being edited, you will be told to try
again later. The vi editor is used unless the environment variable
EDITOR indicates an alternate editor. vipw performs a number of
consistency checks on the password entry for root, and does not allow
a password file with an incorrectly formatted root entry to be
installed.
Set an initial password
Root can change any user's password with
passwd username.
Acceptable choices depend on the system. BSD will usually relent
after 3 attempts, but System V systems will not.
Create the user's home directory and set the ownership, group and permissions
Home directories are usually named with the user's login name, and
should be read, write and executable by the user.
Use the chown, chgrp and chmod commands to set ownership, group and
permissions on the directory:
mkdir /users/fac/stack
chown stack /users/fac/stack
chgrp faculty /users/fac/stack
chmod 700 /users/fac/stack
Copy default startup files (.login, .profile, .cshrc, etc)
Startup files traditionally start with a period (.) and end with rc
("run command", a term from CTSS). It is useful to have system defaults for
these and to copy either the systems defaults or skeletons which
source the system defaults to each new user account. For
example, a skeleton .cshrc could be
source /etc/local/ksu.cshrc
Appropriate files differ with systems.
Remember to set the ownership, group and
permissions on these files also. Avoid the error of doing
chown stack /users/fac/stack/.*
since this would cause stack to own .. (the parent directory), which
would be a security problem.
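An added example, not the notes' own adduser script, of creating the home directory and installing skeleton startup files while avoiding the .* mistake described above; the scratch directory, the skeleton files and the use of the current user and group as owner (so that it runs unprivileged) are all constructed for the demonstration.

```shell
# Show what the glob .* expands to inside a directory: it includes "." and "..",
# which is why "chown user dir/.*" would hand the parent directory to the user.
dot_glob_names() {
    ( cd "$1" && for f in .*; do printf '%s\n' "$f"; done )
}

# Create the home directory and install the skeleton files, naming each file
# explicitly so that "." and ".." are never touched.
# Arguments: home directory, owner, group, directory holding the skeleton files.
make_home() {
    home=$1 user=$2 group=$3 skel=$4
    mkdir "$home" || return 1
    chown "$user" "$home" && chgrp "$group" "$home" && chmod 700 "$home"
    for f in .login .profile .cshrc; do
        [ -f "$skel/$f" ] || continue                # skeletons differ between systems
        cp "$skel/$f" "$home/$f"
        chown "$user" "$home/$f" && chgrp "$group" "$home/$f" && chmod 600 "$home/$f"
    done
}

# Constructed demonstration in a scratch directory, owned by the current user so
# that it runs unprivileged; as root the owner and group would be e.g. stack and faculty.
demo() {
    work=$(mktemp -d)
    mkdir "$work/skel"
    printf 'source /etc/local/ksu.cshrc\n' > "$work/skel/.cshrc"   # skeleton sourcing site defaults
    printf 'umask 077\n' > "$work/skel/.profile"
    make_home "$work/stack" "$(id -un)" "$(id -gn)" "$work/skel"
    printf 'home directory: %s\n' "$(ls -ld "$work/stack" | cut -c1-10)"
    printf 'glob .* in the home directory matches: %s\n' "$(dot_glob_names "$work/stack" | tr '\n' ' ')"
    rm -r "$work"
}

demo
```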
Set user's mail home and establish mail aliases
Global mail aliases are set in the /etc/aliases file.
This can be used to direct mail to one machine on the net, as
well as to set aliases, for example:
pwang: pwang@monkey
paulw: pwang
Add the user to /etc/group file
/etc/group defines groups. Entries are of the form:
gtwotd:*:666:bennett,bailey
Each line has four colon-separated fields:
- Group name
- password (never used)
- GID (group ID number)
- list of members
In practice, users are in the group given in the password file
whether or not they are entered in that group in /etc/group.
Set disk quotas
This is done using edquota either in interactive mode or
in prototype mode to set the quota using another user as prototype.
If these are implemented one can also:
- Record accounting information
- Enter the user in the site-wide user database
- Enter contact information in local phone book
Verify that the account is set up correctly
One should log out, then log in as the new user and execute:
pwd
ls -la (on ATT systems)
ls -lag (on BSD systems)
Removing Users
Reverse the above procedure. Do not recycle the UID. Be careful
to run accounting before removing the login.
Disabling Users
Traditionally done by placing a star (*) in front of the password.
However, this will not necessarily work in a network environment.
One option is to replace the user's login shell with a program which
prints a message indicating the reason for disabling the login.
Password Aging
Will be discussed later (maybe).
Pseudo-logins
It is sometimes useful to have more, such as "who" and "hostname", that
execute the corresponding commands.
Secure Password Files or Systems
Since the password file is world readable, the encrypted passwords
are available to users who can try to break them using password crackers.
Modern UNIX systems avoid this by not placing the passwords in
the world readable password file but in a secure file (commonly
called a shadow password file) or files elsewhere.
The format and location differs between systems, as does the entry
in the password section of the normal password file.
SunOS 4.1.X
The password file contains ## followed by the login name, for example:
ftp:##ftp:99:400:anonymous ftp:/usr/ftp:/bin/false
farrell:##farrell:100:15:Paul Farrell,258 MSB,x258,:/users/research/farrell/farrell:/bin/csh
A secure password file which is only root readable is in
/etc/security/passwd.adjunct. The format is:
ftp:*:::::
farrell:PRmdiLNkVaJA.:::::
HP-UX 9.XX
The password file contains a star (*) in the encrypted password field.
A secure password file which is only root readable is in
/.secure/etc/passwd. The format is:
tftp:*:9:1
farrell:PRmdiLNkVaJA.:100:1
The last two numbers are the audit ID and an audit flag.
HP-UX 10.0
The password file contains a star (*) in the encrypted password field.
Instead of a single secure password file HP-UX 10.XX uses a
protected password database. This consists of multiple directories in
/tcb/files/auth/, named after the first letter of login names
A-Z and a-z, together with a system directory which
holds default information and a hash table (?).
The protected password database stores user authentication profiles, which
include the password, in files named with the username.
For example farrell is:
farrell:u_name=farrell:u_id#100:\
:u_pwd=PRmdiLNkVaJA.:\
:u_auditid#11:\
:u_auditflag#1:\
:u_succhg#818142428:u_unsucchg#818142340:u_suclog#823759827:u_suctty=ttyp9:\
:u_unsuclog#822983479:u_unsuctty=ttyp3:u_lock@:chkent:
There is also a directory system with default values in
the file default, for example:
default:\
:d_name=default:\
:d_boot_authenticate:\
:u_pwd=*:\
:u_owner=root:u_auditid#579:\
:u_auditflag#-1:\
:u_minchg#0:u_maxlen#8:u_exp#0:u_life#0:\
:u_llogin#0:u_pw_expire_warning#0:u_pswduser=root:u_pickpw:\
:u_genpwd:u_restrict:u_nullpw@:u_genchars@:\
:u_genletters:u_suclog#0:u_unsuclog#0:u_maxtries#3:\
:u_lock:\
:t_logdelay#2:t_maxtries#10:t_login_timeout#0:\
:chkent:
Trusted systems also support:
- owner - user name accountable for the account
- boot_auth field is used when the system default file specifies boot
authorization is required
- maxlen is the maximum password length (in
characters) for the user.
- expire is the time, in seconds, until
the user's password expires.
- lifetime is the number of seconds that must elapse before the password
dies. The account is considered locked if the password is dead.
- succhg and unsucchg record the last successful and unsuccessful
password change times.
- acct_expire field specifies the absolute period of time in
seconds that the account can be used. An absolute expiration date may
be specified, which is then converted into seconds stored in this
field.
- max_llogin specifies the maximum time in seconds allowed since the
last login before the account becomes locked.
- The next flag fields control password generation. fd_pick_pwd, if
set, allows the user to pick his or her own password. fd_nullpw, if
set, allows the account to be used without a password. fd_gen_pwd
enables the use of the random pronounceable password generator for
passwords for this account. fd_gen_chars and fd_gen_letters allow the
password generator to generate passwords composed of random printable
characters and random letters, neither of which is easy to remember.
The password change software allows the user to pick from whichever
options are available for his or her account. One of these three
fields (fd_gen_pwd, fd_gen_chars, or fd_gen_letters) must be set.
- The next fields are used to protect against login spoofing, listing
the time and location of last login. fd_slogin and fd_ulogin are time
stamps of the last successful and unsuccessful login attempts.
fd_suctty and fd_unsuctty are the terminal device or (if supported)
host names of the terminal or host from which the last login attempt
occurred.
- fd_nlogins is the number of unsuccessful login attempts since the last
successful login. It is reset to zero after a successful login.
fd_max_tries is the number of unsuccessful attempts until the account
is considered locked.
- fd_lock indicates whether the administrative lock on the account is
set. The account is considered disabled (locked) if one or more of
these activities has occurred:
    - if the password is dead,
    - if the maximum number of unsuccessful attempts has been exceeded,
    - if the administrative lock is set,
    - if the account expiration is reached, or
    - if the time since last login is exceeded.
System calls such as getprpwent are provided to return the
information in a C structure.
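An added example (not from the notes) that parses profiles in the termcap-like format above and evaluates the lock conditions whose fields appear in the records shown: the administrative lock (u_lock), a dead password (u_life seconds since u_succhg) and too long since the last login (u_llogin seconds since u_suclog). It assumes that a user's own fields override the default profile and that a limit of 0 means no limit; the default and farrell records are copied from above and the bennett profile is made up.

```shell
# Join the backslash-continued lines, split on ':' and print "name value" lines.
# Forms: name=string, name#number, name (flag set, printed 1), name@ (flag cleared, printed 0).
parse_profile() {
    awk '
    { sub(/^[ \t]+/, ""); sub(/\\[ \t]*$/, ""); rec = rec $0 }
    END {
        n = split(rec, f, ":")
        for (i = 2; i <= n; i++) {                       # f[1] is the entry name
            if (f[i] == "" || f[i] == "chkent") continue
            if (p = index(f[i], "="))      print substr(f[i], 1, p - 1), substr(f[i], p + 1)
            else if (p = index(f[i], "#")) print substr(f[i], 1, p - 1), substr(f[i], p + 1)
            else if (f[i] ~ /@$/)          print substr(f[i], 1, length(f[i]) - 1), 0
            else                           print f[i], 1
        }
    }'
}

# Assumptions: user fields override default fields; a limit of 0 means no limit.
# Arguments: user profile, default profile, current time as seconds since the epoch.
lock_state() {
    { parse_profile < "$2"; parse_profile < "$1"; } | awk -v now="$3" '
    { v[$1] = $2 }                                       # later (user) values override defaults
    END {
        if (v["u_lock"] == 1) r = r " administrative-lock"
        if (v["u_life"] > 0 && now - v["u_succhg"] > v["u_life"]) r = r " password-dead"
        if (v["u_llogin"] > 0 && now - v["u_suclog"] > v["u_llogin"]) r = r " idle-too-long"
        print (r == "" ? "open" : ("locked:" r))
    }'
}

# Constructed copies of the default and farrell records above, plus a made-up profile
# (bennett) with a 90-day password life, an old change time and no u_lock field of its own.
demo() {
    d=$(mktemp -d)
    cat > "$d/default" <<'EOF'
default:\
    :d_name=default:u_pwd=*:u_exp#0:u_life#0:u_llogin#0:u_maxtries#3:u_lock:chkent:
EOF
    cat > "$d/farrell" <<'EOF'
farrell:u_name=farrell:u_id#100:\
    :u_pwd=PRmdiLNkVaJA.:u_succhg#818142428:u_suclog#823759827:u_suctty=ttyp9:u_lock@:chkent:
EOF
    cat > "$d/bennett" <<'EOF'
bennett:u_name=bennett:u_id#104:u_pwd=PRmdiLNkVaJA.:\
    :u_succhg#800000000:u_life#7776000:chkent:
EOF
    for u in farrell bennett; do printf '%s: %s\n' "$u" "$(lock_state "$d/$u" "$d/default" 823800000)"; done
    rm -r "$d"
}
demo
```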
HP-UX 10.XX supports arbitrary length passwords (well, actually up to 80 characters).
The password is encrypted in eight-character segments, so the size of
this field is a multiple of the number of characters in an encrypted
segment (the AUTH_CIPHERTEXT_SIZE macro).
After three unsuccessful login attempts, a HANGUP signal
is issued.
On a trusted system, the login program prints the last successful and
unsuccessful login times and terminal devices. If the account does
not have a password, and the authentication profile for the account
requires one, login starts the passwd program to establish one for the
account.
Paul A. Farrell
Thu Feb 1 04:34:17 EST 1996