Next: 12. Using Internet Services Up: rute Previous: 10. Mail   Contents
UNIX intrinsically supports multiple users. Each user has a personal home directory /home/<username> in which the user's files are stored, hidden from other users.
So far you may have been using the machine as the root user, who is the system administrator and has complete access to every file on the system. The root is also called the superuser. The home directory of the root user is /root. Note that there is an ambiguity here: the root directory is the topmost directory, known as the / directory. The root user's home directory is /root and is called the home directory of root.
Other than the superuser, every other user has limited access to files and directories. Always use your machine as a normal user. Log in as root only to do system administration. This practice will save you from the destructive power that the root user has. In this chapter we show how to manually and automatically create new users.
Users are also divided into sets, called groups. A user can belong to several groups and there can be as many groups on the system as you like. Each group is defined by a list of users that are part of that set. In addition, each user may have a group of the same name (as the user's login name), to which only that user belongs.
Each file on a system is owned by a particular user and also owned by a particular group. When you run ls -al, you can see the user that owns the file in the third column and the group that owns the file in the fourth column (these will often be identical, indicating that the file's group is a group to which only the user belongs). To change the ownership of the file, simply use the chown, change ownerships, command as follows.
The only place in the whole system where a user name is registered is in this file. [Exceptions to this rule are several distributed authentication schemes and the Samba package, but you needn't worry about these for now.] Once a user is added to this file, that user is said to exist on the system. If you thought that user accounts were stored in some unreachable dark corner, then this should dispel that idea. This is also known as the password file to administrators. View this file with less:
Above is an extract of my own password file. Each user is stored on a separate line. Many of these are not human login accounts but are used by other programs.
Each line contains seven fields separated by colons. The account for jack looks like this:
The problem with traditional passwd files is that they had to be world readable [Everyone on the system can read the file.] in order for programs to extract information, such as the user's full name, about the user. This means that everyone can see the encrypted password in the second field. Anyone can copy any other user's password field and then try billions of different passwords to see if they match. If you have a hundred users on the system, there are bound to be several that chose passwords that matched some word in the dictionary. The so-called dictionary attack will simply try all 80,000 common English words until a match is found. If you think you are clever to add a number in front of an easy-to-guess dictionary word, password cracking algorithms know about these as well. [And about every other trick you can think of.] To solve this problem the shadow password file was invented. The shadow password file is used only for authentication [Verifying that the user is the genuine owner of the account.]and is not world readable--there is no information in the shadow password file that a common program will ever need--no regular user has permission to see the encrypted password field. The fields are colon separated just like the passwd file.
Here is an example line from a /etc/shadow file:
On a UNIX system you may want to give a number of users the same access rights. For instance, you may have five users that should be allowed to access some privileged file and another ten users that are allowed to run a certain program. You can group these users into, for example, two groups previl and wproc and then make the relevant file and directories owned by that group with, say,
Permissions [Explained later.] dictate the kind of access, but for the meantime, the file/directory must at least be owned by that group.
The /etc/group file is also colon separated. A line might look like this:
You can obviously study the group file to find out which groups a user belongs to, [That is, not ``which users does a group consist of?'' which is easy to see at a glance.] but when there are a lot of groups, it can be tedious to scan through the entire file. The groups command prints out this information.
The following steps are required to create a user account:
The above process is tedious. The commands that perform all these updates automatically are useradd, userdel, and usermod. The man pages explain the use of these commands in detail. Note that different flavors of UNIX have different commands to do this. Some may even have graphical programs or web interfaces to assist in creating users.
In addition, the commands groupadd, groupdel, and groupmod do the same with respect to groups.
It is possible to switch from one user to another, as well as view your login status and the status of other users. Logging in also follows a silent procedure which is important to understand.
A user most often gains access to the system through the login program. This program looks up the UID and GID from the passwd and group file and authenticates the user.
The following is quoted from the login man page, and explains this procedure in detail:
login is used when signing onto a system. It can also be used to switch from one user to another at any time (most modern shells have support for this feature built into them, however).
If an argument is not given, login prompts for the username.
If the user is not root, and if /etc/nologin exists, the contents of this file are printed to the screen, and the login is terminated. This is typically used to prevent logins when the system is being taken down.
If special access restrictions are specified for the user in /etc/usertty, these must be met, or the login attempt will be denied and a syslog [System error log program-- syslog writes all system messages to the file /var/log/messages.] message will be generated. See the section on "Special Access Restrictions."
If the user is root, then the login must be occuring on a tty listed in /etc/securetty. [If this file is not present, then root logins will be allowed from anywhere. It is worth deleting this file if your machine is protected by a firewall and you would like to easily login from another machine on your LAN. If /etc/securetty is present, then logins are only allowed from the terminals it lists.] Failures will be logged with the syslog facility.
After these conditions have been checked, the password will be requested and checked (if a password is required for this username). Ten attempts are allowed before login dies, but after the first three, the response starts to get very slow. Login failures are reported via the syslog facility. This facility is also used to report any successful root logins.
If the file .hushlogin exists, then a "quiet" login is performed (this disables the checking of mail and the printing of the last login time and message of the day). Otherwise, if /var/log/lastlog exists, the last login time is printed (and the current login is recorded).
Random administrative things, such as setting the UID and GID of the tty are performed. The TERM environment variable is preserved, if it exists (other environment variables are preserved if the -p option is used). Then the HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment variables are set. PATH defaults to /usr/local/bin:/bin:/usr/bin: . [Note that the . --the current directory--is listed in the PATH. This is only the default PATH however.] for normal users, and to /sbin:/bin:/usr/sbin:/usr/bin for root. Last, if this is not a "quiet" login, the message of the day is printed and the file with the user's name in /usr/spool/mail will be checked, and a message printed if it has non-zero length.
The user's shell is then started. If no shell is specified for the user in /etc/passwd, then /bin/sh is used. If there is no directory specified in /etc/passwd, then / is used (the home directory is checked for the .hushlogin file described above).
To temporarily become another user, you can use the su program:
This command prompts you for a password (unless you are the root user to begin with). It does nothing more than change the current user to have the access rights of jack. Most environment variables will remain the same. The HOME, LOGNAME, and USER environment variables will be set to jack, but all other environment variables will be inherited. su is, therefore, not the same as a normal login.
To get the equivalent of a login with su, run
This will cause all initialization scripts (that are normally run when the user logs in) to be executed. [What actually happens is that the subsequent shell is started with a - in front of the zero'th argument. This makes the shell read the user's personal profile. The login command also does this.] Hence, after running su with the - option, you logged in as if with the login command.
who and w print a list of users logged in to the system, as well as their CPU consumption and other statistics. who --help gives:
A little more information can be gathered from the info pages for this command. The idle time indicates how long since the user has last pressed a key. Most often, one just types who -Hiw.
w is similar. An extract of the w man page says:
w displays information about the users currently on the machine, and their processes. The header shows, in this order, the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.
The following entries are displayed for each user: login name, the tty name, the remote host, login time, idle time, JCPU, PCPU, and the command line of their current process.
The JCPU time is the time used by all processes attached to the tty. It does not include past background jobs, but does include currently running background jobs.
The PCPU time is the time used by the current process, named in the "what" field.
Finally, from a shell script the users command is useful for just seeing who is logged in. You can use in a shell script, for example:
id prints your real and effective UID and GID. A user normally has a UID and a GID but may also have an effective UID and GID as well. The real UID and GID are what a process will generally think you are logged in as. The effective UID and GID are the actual access permissions that you have when trying to read, write, and execute files.
There is a file
/etc/security/limits.conf that stipulates the
limitations on CPU usage, process consumption, and other resources
on a per-user basis. The documentation for this config file is
Next: 12. Using Internet Services Up: rute Previous: 10. Mail   Contents
Dies ist ein Mirror des RUTE-Projekts von Paul Sheer (RUTE = Rute User's Tutorial and Exposition). Die offizielle Projekt-Homepage findet sich im Web unter www.icon.co.za/~psheer/rute-home.html. Dieser Mirror wurde zuletzt aktualisiert auf die Version 1.0.0 am Samstag, 28 Januar 2006 22:06 +0100. Das RUTE-Tutorial kann auch zum Offline-Lesen in verschiedenen Dateiformaten heruntergeladen werden.