passwords, and have moved the passwords to /etc/shadow. Sites with many computers that share the
accounts use NIS or some other method to store the user database; they might also automatically copy
the database from one central location to all other computers.
The user database contains not only the passwords, but also some additional information about the users, such as their real names, home directories, and login shells. This other information needs to be public, so that anyone can read it. Therefore the password is not stored as such, but only in encrypted form (more precisely, as a one-way hash produced by crypt(3): the system never needs the cleartext, it only hashes what the user types and compares the result). This does have the drawback that anyone with access to the encrypted password can guess it offline, by hashing candidate passwords and comparing, without ever trying to actually log into the computer. Shadow passwords try to avoid this by moving the password into another file, /etc/shadow, which only root can read (the password is still stored encrypted). However, installing shadow passwords later onto a system that did not support them can be difficult.
With or without shadow passwords, it is important to make sure that all passwords in a system are good, i.e., not easily guessable. The crack program can be used to crack passwords; any password it can find is by definition not a good one. While crack can be run by intruders, it can also be run by the system administrator to find bad passwords before an intruder does. Good passwords can also be enforced by the passwd program at the moment they are set; this is in fact much cheaper in CPU cycles, since cracking passwords afterwards requires quite a lot of computation.
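The two checks a practitioner would want after reading the above: that no password hash (and no empty password field) is left in the world-readable passwd file, and that the shadow file really is unreadable to everyone but root. The script below is an added example, not code from the original guide; the function names and the sample passwd lines are hypothetical and constructed, and the "legacy" hash is a fake value in crypt(3) syntax.

```shell
#!/bin/sh
# Added example (not from the original text): audit a passwd-format database
# for password material that shadowing is supposed to keep out of the
# world-readable file. Function names and sample data are hypothetical.

# Constructed sample /etc/passwd content (not from a real system). The
# "legacy" hash is a fake value in crypt(3) syntax; "guest" has an empty
# password field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:*:2:2:bin:/bin:/usr/sbin/nologin
legacy:$6$constructed$NOTAREALHASH:1002:1002:Old Account:/home/legacy:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh'

# Reads passwd lines on stdin and prints "name: reason" for each account
# whose password field is neither the shadow placeholder "x" nor a lock
# marker ("*", "!", "!!"). What remains is either an empty field, which lets
# anyone log in with no password at all, or a hash that every local user can
# read and crack offline.
exposed_passwords() {
    awk -F: '
        $2 == ""     { print $1 ": empty password field"; next }
        $2 == "x"    { next }
        $2 ~ /^[*!]/ { next }
        { print $1 ": hash stored in world-readable passwd" }
    '
}

# Shadowing only helps if the shadow file is unreadable to "other".
# Returns 0 when the file exists and its mode string has no other-read bit
# (character 8 of "ls -l" output: -rw-r----- passes, -rw-r--r-- fails).
shadow_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c8)" != "r" ]
}

# Demo on the constructed data. On a live system run instead:
#   exposed_passwords < /etc/passwd
#   shadow_is_private /etc/shadow && echo "/etc/shadow is private"
printf '%s\n' "$SAMPLE_PASSWD" | exposed_passwords
```

Locked accounts are skipped deliberately: a field starting with "*" or "!" can never match a hash, so there is nothing there to crack.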
The user group database is kept in /etc/group; for systems with shadow passwords, there can be a corresponding shadow group file, /etc/shadow.group (the current shadow-utils suite calls it /etc/gshadow).
root usually can't log in via most terminals or the network, only via the terminals listed in the /etc/securetty file. This makes it necessary to get physical access to one of these terminals. It is, however, possible to log in via any terminal as any other user, and then use the su command to become root; su still asks for the root password, so this protection is only as good as that password.
Shell startup
When an interactive login shell starts, it automatically executes one or more pre-defined files. Different
shells execute different files; see the documentation of each shell for further information.
Most shells first run some global file; for example, the Bourne shell (/bin/sh) and its derivatives execute /etc/profile, and in addition .profile in the user's home directory. /etc/profile allows the system administrator to set up a common user environment, especially by setting the PATH to include local command directories in addition to the normal ones. On the other hand, .profile allows the user to customize the environment to his own tastes by overriding, if necessary, the default environment. Since these files are executed with the privileges of the user logging in, /etc/profile must be writable only by root, and each .profile only by its owner; otherwise whoever can write to them can run commands as that user at every login.
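The value most worth checking in /etc/profile is the PATH it exports, since a bad entry there affects every login. The script below is an added example, not part of the original guide; the function name and the sample PATH values in the comments are hypothetical. It flags the three kinds of entry that let someone else decide which program a user runs: an empty or "." entry (the current directory is searched), a relative entry, and a world-writable directory.

```shell
#!/bin/sh
# Added example (not from the original text): a PATH hygiene check of the
# kind worth running from /etc/profile before exporting PATH. The function
# name is hypothetical.
#
# Findings, each of which lets someone else plant a look-alike command:
#   - an empty entry (leading, trailing or doubled colon) or ".": the
#     current directory is searched, so typing "ls" in /tmp may run /tmp/ls
#   - a relative entry: resolved against whatever the current directory is
#   - a world-writable directory (sticky or not): anyone can drop a binary
#     into it
# Prints one line per finding on stdout; returns 1 if anything was found.
check_path() {
    _p="$1"
    _bad=0
    case "$_p" in
        :*|*:|*::*) echo "empty entry (current directory is searched)"; _bad=1 ;;
    esac
    _saved_ifs="$IFS"
    IFS=:
    set -f                          # no globbing of entries such as /usr/*
    for _d in $_p; do
        [ -n "$_d" ] || continue
        case "$_d" in
            .)  echo "entry is \".\" (current directory)"; _bad=1; continue ;;
            /*) ;;
            *)  echo "relative entry: $_d"; _bad=1; continue ;;
        esac
        [ -d "$_d" ] || continue    # absent directory: nothing to plant in
        # Character 9 of the "ls -ld" mode string is the other-write bit;
        # -L follows symlinks (e.g. /bin -> usr/bin) so we see the target.
        if [ "$(ls -ldL "$_d" | cut -c9)" = "w" ]; then
            echo "world-writable directory: $_d"; _bad=1
        fi
    done
    set +f
    IFS="$_saved_ifs"
    return $_bad
}

# Check the PATH of the shell running this script.
check_path "$PATH" && echo "PATH looks clean"
```

A missing directory is skipped on purpose: it cannot be written to until it exists, and by then the ownership of whatever creates it is the thing to examine.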
Notes
1. Good Linux distributions do this out of the box.
Chapter 9. Managing user accounts
The similarities of sysadmins and drug dealers: both measure stuff in K's, and both have users. (Old, tired computer joke.)
This chapter explains how to create new user accounts, how to modify the properties of those accounts,
and how to remove the accounts. Different Linux systems have different tools for doing this.
What's an account?
When a computer is used by many people it is usually necessary to differentiate between the users, for example, so that their private files can be kept private. This is important even if the computer can only be used by a single person at a time, as with most microcomputers.[1] Thus, each user is given a unique username, and that name is used to log in.
There's more to a user than just a name, however. An account is all the files, resources, and information belonging to one user. The term hints at banks, and in a commercial system each account usually has some money attached to it, and that money vanishes at different speeds depending on how much the user stresses the system. For example, disk space might have a price per megabyte and day, and processing time might have a price per second.
Creating a user
The Linux kernel itself treats users as mere numbers. Each user is identified by a unique integer, the user id or uid, because numbers are faster and easier for a computer to process than textual names. A separate database outside the kernel assigns a textual name, the username, to each user id; the database contains additional information as well. Because only the uid matters to the kernel, two usernames that map to the same uid are, for all permission checks, the same user.