[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ next ]

Debian GNU/Linux System Administrator's Manual (Obsolete Documentation)
Chapter 8 - Managing User Accounts

author = ?

topics = ?

8.1 Concepts

8.1.1 Usernames and User IDs

Each user of a UNIX system such as Debian has a username which uniquely identifies them. Usernames are associated with user IDs (or UIDs), and in fact it is the UID which the underlying system uses to identify users; usernames, however, are more mnemonic and tend to be used for most day-to-day purposes.

Usernames are typically composed of alphanumeric characters, that is letters and numbers. Most usernames are forms of the user's own name (for instance "jane", "janedoe", or "jdoe") or relate to a role or a pseudo-user created for the purpose of administering part of the system, for instance "root" (for the superuser account) and "www-data" (for the account which owns and runs web servers and related services under Debian).

UIDs are numbers from zero to 65534. The numbers are grouped as follows:

UIDs 0-99 are globally allocated by the Debian project and are used for system accounts. The "root" account, for instance, is UID 0.

UIDs 100-999 are for system users which have not been allocated by the Debian project.

UIDs 1000-29999 are normal user accounts.

UID 65534 is user "nobody", an account with no rights or permissions.

For more information about the allocation of UIDs, see the Debian policy manual.

Users may usually be referred to by either username or UID.

8.1.2 Groups and Group IDs

Groups are used to refer to logical groups of users on the system. Groups have group IDs (GIDs) just as users have UIDs, and the numeric ranges for different types of groups are the same as those for users.

A typical example of a group on the system might be "webadmin" where people who administer a website might be grouped together. This would allow users to create files and directories to which all of the "webadmin" group had read or write access.

Groups may usually be referred to by either their name or GID.

8.1.3 Passwords

Each user on a Debian system has a password which they must use to login to the system. This password is initially specified at the time of account creation, and may be changed at any time by the user or by the system administrator.

Passwords are stored in an encrypted format on the system. The type of encryption used is referred to as one-way or "trapdoor" encryption, meaning that it cannot be reversed to find the original password. Instead, the password typed by the user at login time is similarly encrypted, and the two encrypted versions are compared to see if they are the same.

Passwords are typically composed of alphanumeric and punctuation characters. It is considered good practice to choose a password which contains a mixture of upper and lower case characters, numbers, and punctuation, as this makes it harder to guess and less susceptible to a "dictionary" attack, whereby each word in a dictionary is encrypted and the encrypted versions compared to the encrypted passwords on the system.

Shadow passwords are used as a means of hiding even the encrypted form of password from users. The normal password file is world-readable, however the shadow password file is only readable by the superuser.

8.1.4 Quotas

A concept related to users, in that it is often part of the account creation process, is that of quotas. Quotas allow the system administrator to restrict the amount of disk space used by a user.

This subject is discussed in more detail in the filesystems chapter of this manual. See Filesystems and Storage Media, Chapter 6 for details.

8.2 Common tasks

8.2.1 Adding new users

New users are usually added using the adduser tool. Typical syntax is adduser username, which will prompt the administrator for various information such as the user's full name, initial home directory, et cetera.

There is also a useradd program, which predates adduser. Using useradd is discouraged.

8.2.2 Changing or editing user information and settings

User information (such as the user's home directory location, real name, etc) may be changed using the usermod program. The chfn program is intended specifically for changing the "full name" and other contact detail stored in the password file, while the chsh command may be used to change a user's default shell.

You may also change user information by editing the /etc/passwd file directly. The best tool for doing this is vipw program, which locks the file and brings it up for editing in your favourite editor (as found in the VISUAL or EDITOR environment variables).

8.2.3 Removing user accounts

User accounts can be removed using the userdel command.

If you are running a large system, you might want to make a policy of not deleting user accounts, instead just marking them disabled . You may have files on disk or backup tapes belonging to the user to be deleted, and if you later re-use the numeric UID those files change owner. Unix uses the UID to determine who owns files, and can not know that the user is not the same.

8.2.4 Changing user passwords

The system administrator may change any user's password by typing passwd username.

8.2.5 Setting and changing password expiry times

If you are using shadow passwords, you can set up the system so that passwords expire after a certain number of days. When a password is due for expiry, the user is warned and must change their password to avoid having their account locked or disabled.

The tool used to set password expiry times is chage.

8.2.6 Creating groups

Groups may be created by using the addgroup tool. Typical syntax for the addgroup command is addgroup groupname.

Administrators may also choose to add groups to the /etc/group directly. The best tool for doing this is the vigr program, which locks the file and brings it up for editing in your favourite editor (as found in the VISUAL or EDITOR environment variables).

8.2.7 Editing groups

Groups may be edited using the groupmod tool.

Administrators may also choose to edit the /etc/group directly. The best tool for doing this is the vigr program, which locks the file and brings it up for editing in your favourite editor (as found in the VISUAL or EDITOR environment variables).

8.2.8 Deleting groups

Groups may be deleted using the groupdel tool.

Administrators may also choose to delete groups from the /etc/group directly. The best tool for doing this is the vigr program, which locks the file and brings it up for editing in your favourite editor (as found in the VISUAL or EDITOR environment variables).

8.2.9 Setting up quotas

8.2.10 Using shadow passwords

Shadow passwords can be turned on and off using the shadowconfig tool.

See also shadowconfig(8)

8.3 Tools reference

8.3.1 Command-line tools

8.3.1.1 adduser, addgroup

In the short form, these commands can be used by simply typing adduser username or addgroup groupname. This provides an interactive interface which will prompt the administrator for various values, such as a user's home directory. There are also a number of command line options which can be used to specify these values.

See also adduser(1).

8.3.1.2 chage

See also chage(1).

8.3.1.3 chfn

The chfn command may be used to change a user's "full name" or other information stored in the password file. If no command line options are used, the command runs in an interactive fashion, prompting for input for each field.

See also chfn(1).

8.3.1.4 chsh

The basic syntax of the chsh command is chsh -s shell username. However, if the -s parameter is omitted, the administrator will be prompted for which shell to use. The username is also optional: only the superuser may change other users' shells; ordinary users may change their own shell simply by typing chsh

See also chsh(1).

8.3.1.5 passwd

The basic form of the passwd command (as used by the system administrator) is passwd username, which will prompt for the user's new password.

See also passwd(1).

8.3.1.6 userdel

The basic syntax of the userdel command is userdel username.

See also userdel(8).

8.3.1.7 vipw, vigr

See also vipw(1).

8.3.2 Graphical tools

8.4 Files reference

8.4.1 /etc/passwd

The /etc/passwd file consists of user records, one to a line. Each record contains multiple fields, separated by colons (:). The fields are:

• username

• encrypted password (or x if shadow passwords are in use)

• UID

• default GID

• real name (also known as the GECOS field)

• home directory

• default shell

See also passwd(5).

8.4.2 /etc/group

The /etc/group file consists of group records, one to a line. Each record contains multiple fields, separated by colons (:). The fields are:

• group name

• encrypted group password (or x if shadow passwords are in use)

• GID

• group members' usernames, comma-separated

See also group(5).

8.4.3 /etc/shadow

If shadow passwords are being used, the /etc/shadow file contains users' encrypted passwords and other information about the passwords. Its fields are colon-separated as for /etc/passwd, and are as follows:

• username

• encrypted password

• Days since Jan 1, 1970 that password was last changed

• Days before password may be changed

• Days after which password must be changed

• Days before password is to expire that user is warned

• Days after password expires that account is disabled

• Days since Jan 1, 1970 that account is disabled

• A reserved field

The password expiry related fields are modified by the chage program.

See also: shadow(5)

[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ next ]

Debian GNU/Linux System Administrator's Manual (Obsolete Documentation)