[deployment-guide] Updated the chapter.

Jaromir Hradilek jhradile at fedoraproject.org
Tue Sep 20 18:33:31 UTC 2011


commit 0130d7c495757397ac1a2fe09ffe9eb209d34775
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Tue Sep 20 20:03:48 2011 +0200

    Updated the chapter.

 en-US/Managing_Users_and_Groups.xml | 1166 ++++++++++++++++++-----------------
 1 files changed, 615 insertions(+), 551 deletions(-)
---
diff --git a/en-US/Managing_Users_and_Groups.xml b/en-US/Managing_Users_and_Groups.xml
index db6a38d..03602da 100644
--- a/en-US/Managing_Users_and_Groups.xml
+++ b/en-US/Managing_Users_and_Groups.xml
@@ -20,19 +20,111 @@
     <secondary>GID</secondary>
   </indexterm>
   <para>
-    The control of <firstterm>users</firstterm> and <firstterm>groups</firstterm> is a core element of &MAJOROS; system administration. Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use. Groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group.
-  </para>
-  <para>
-    Each user is associated with a unique numerical identification number called a <firstterm>userid</firstterm> (<firstterm>UID</firstterm>); likewise, each group is associated with a <firstterm>groupid</firstterm> (<firstterm>GID</firstterm>).
-  </para>
-  <para>
-    A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by the <systemitem class="username">root</systemitem> user, and access permissions can be changed by both the <systemitem class="username">root</systemitem> user and file owner.
-  </para>
-  <para>
-    &MAJOROS; also supports <firstterm>access control lists</firstterm> (<firstterm>ACLs</firstterm>) for files and directories which allow permissions for specific users outside of the owner to be set. For more information about ACLs, refer to the <citetitle pubwork="chapter">Access Control Lists</citetitle> chapter of the &MAJOROS; <citetitle pubwork="book">Storage Administration Guide</citetitle>.
+    The control of users and groups is a core element of &MAJOROS; system administration. This chapter explains how to add, manage, and delete users and groups in the graphical user interface and on the command line, and covers advanced topics, such as enabling password aging or creating group directories.
   </para>
+  <section id="s1-users-groups-introduction">
+    <title>Introduction to Users and Groups</title>
+    <para>
+      While users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use, groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group.
+    </para>
+    <para>
+      Each user is associated with a unique numerical identification number called a <firstterm>user ID</firstterm> (<acronym>UID</acronym>). Likewise, each group is associated with a <firstterm>group ID</firstterm> (<acronym>GID</acronym>). A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by <systemitem class="username">root</systemitem>, and access permissions can be changed by both the <systemitem class="username">root</systemitem> user and file owner.
+    </para>
+    <para>
+      Additionally, &MAJOROS; supports <firstterm>access control lists</firstterm> (<acronym>ACLs</acronym>) for files and directories which allow permissions for specific users outside of the owner to be set. Refer to  For more information about this feature, refer to the <ulink url="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html"><citetitle pubwork="chapter">Access Control Lists</citetitle></ulink> chapter of the <ulink url="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/index.html"><citetitle pubwork="book">Storage Administration Guide</citetitle></ulink>.
+    </para>
+    <section id="s2-users-groups-private-groups">
+      <title>User Private Groups</title>
+      <indexterm>
+        <primary>groups</primary>
+        <secondary>user private</secondary>
+      </indexterm>
+      <indexterm>
+        <primary>user private groups</primary>
+        <see>groups</see>
+      </indexterm>
+      <indexterm>
+        <primary>groups</primary>
+        <secondary>tools for management of</secondary>
+        <tertiary><command>groupadd</command></tertiary>
+      </indexterm>
+      <indexterm>
+        <primary>groups</primary>
+        <secondary>tools for management of</secondary>
+        <tertiary><application>system-config-users</application></tertiary>
+      </indexterm>
+      <para>
+        &MAJOROS; uses a <firstterm>user private group</firstterm> (<firstterm>UPG</firstterm>) scheme, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. It has the same name as the user for which it was created and that user is the only member of the user private group.
+      </para>
+      <para>
+        User private groups make it safe to set default permissions for a newly created file or directory, allowing both the user and <emphasis>the group of that user</emphasis> to make modifications to the file or directory.
+      </para>
+      <para>
+        The setting which determines what permissions are applied to a newly created file or directory is called a <firstterm>umask</firstterm> and is configured in the <filename>/etc/bashrc</filename> file. Traditionally on UNIX systems, the <command>umask</command> is set to <command>022</command>, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, <emphasis>including members of the creator's group</emphasis>, are not allowed to make any modifications. However, under the UPG scheme, this <quote>group protection</quote> is not necessary since every user has their own private group.
+      </para>
+    </section>
+    <section id="s2-users-groups-shadow-utilities">
+      <title>Shadow Passwords</title>
+      <indexterm>
+        <primary>passwords</primary>
+        <secondary>shadow</secondary>
+      </indexterm>
+      <indexterm>
+        <primary>shadow passwords</primary>
+        <secondary>overview of</secondary>
+      </indexterm>
+      <para>
+        Especially in environments with multiple users, it is very important to use <firstterm>shadow passwords</firstterm> provided by the <package>shadow-utils</package> package to enhance the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
+      </para>
+      <para>
+        The following is a list of the advantages shadow passwords have over the traditional way of storing passwords on UNIX-based systems:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            Shadow passwords improve system security by moving encrypted password hashes from the world-readable <filename>/etc/passwd</filename> file to <filename>/etc/shadow</filename>, which is readable only by the <systemitem class="username">root</systemitem> user.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            Shadow passwords store information about password aging.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            Shadow passwords allow the <filename>/etc/login.defs</filename> file to enforce security policies.
+          </para>
+        </listitem>
+      </itemizedlist>
+      <para>
+        Most utilities provided by the <package>shadow-utils</package> package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the <filename>/etc/shadow</filename> file, any commands which create or modify password aging information do not work. The following is a list of utilities and commands that do not work without first enabling shadow passwords:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            The <command>chage</command> utility.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            The <command>gpasswd</command> utility.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            The <command>usermod</command> command with the <option>-e</option> or <option>-f</option> option.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            The <command>useradd</command> command with the <option>-e</option> or <option>-f</option> option.
+          </para>
+        </listitem>
+      </itemizedlist>
+    </section>
+  </section>
   <section id="sect-Managing_Users_and_Groups-User_Accounts">
-    <title>User Accounts Tool</title>
+    <title>Using the User Accounts Tool</title>
     <indexterm>
       <primary>users</primary>
       <see>user configuration</see>
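Review bot: the ACL paragraph in the new s1-users-groups-introduction section carries a leftover fragment, "Refer to  For more information about this feature, refer to the ...", so the sentence opens twice; drop the stray "Refer to  " so it reads "For more information about this feature, refer to the ... chapter". Two smaller points in the same hunk: UID and GID are tagged `<acronym>` here but UPG in the User Private Groups paragraph is tagged `<firstterm>UPG</firstterm>`, and the Shadow Passwords list says the files hold "encrypted password hashes", where "password hashes" is the accurate term since the values in /etc/shadow are hashed, not encrypted.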
@@ -189,7 +281,7 @@
     </section>
   </section>
   <section id="s1-users-configui">
-    <title>User Manager Tool</title>
+    <title>Using the User Manager Tool</title>
     <indexterm>
       <primary>users</primary>
       <see>user configuration</see>
@@ -215,44 +307,41 @@
       <see>user configuration</see>
     </indexterm>
     <para>
-      The <application>User Manager</application> allows you to view, modify, add, and delete local users and groups.
-    </para>
-    <figure id="fig-Users_Groups-User_Manager">
-      <title>The GNOME User Manager</title>
-      <mediaobject>
-        <imageobject>
-          <imagedata fileref="images/user-manager.png" format="PNG" scalefit="0" />
-        </imageobject>
-        <textobject>
-          <para>
-            The GNOME User Manager allows you to manage users
-          </para>
-        </textobject>
-      </mediaobject>
-    </figure>
-    <para>
-      You can start the <application>User Manager</application> by clicking <menuchoice><guimenu>Applications</guimenu><guimenuitem>Other</guimenuitem><guimenuitem>Users and Groups</guimenuitem></menuchoice> from the <guimenu>Activities</guimenu> menu. Alternatively, you can enter <command>system-config-users</command> at the shell prompt to open the <application>User Manager</application>. Viewing and modifying user and group information requires superuser privileges. If you are not the superuser when you open the <application>User Manager</application>, it will prompt you for the superuser password.
-    </para>
-    <indexterm>
-      <primary>user configuration</primary>
-      <secondary>filtering list of users</secondary>
-    </indexterm>
-    <indexterm>
-      <primary>group configuration</primary>
-      <secondary>filtering list of groups</secondary>
-    </indexterm>
-    <para>
-      To view a list of local users on the system, click the <guilabel>Users</guilabel> tab. To view a list of local groups on the system, click the <guilabel>Groups</guilabel> tab.
-    </para>
-    <para>
-      To find a specific user or group, type the first few letters of the name in the <guilabel>Search filter</guilabel> field. Press <keycap>Enter</keycap> or click the <guibutton>Apply filter</guibutton> button. The filtered list is displayed.
-    </para>
-    <para>
-      To sort the users, click on the column User Name and for groups click on Group Name. The users or groups are sorted according to the value of that column.
-    </para>
-    <para>
-      &MAJOROS; reserves user IDs below 500 for system users. By default, the <application>User Manager</application> does not display system users. To view all users, including the system users, go to <menuchoice><guimenu>Edit</guimenu><guimenuitem>Preferences</guimenuitem></menuchoice> and uncheck <guilabel>Hide system users and groups</guilabel> from the dialog box.
+      The <application>User Manager</application> application allows you to view, modify, add, and delete local users and groups in the graphical user interface. To start the application, either select <menuchoice><guimenu>Applications</guimenu><guisubmenu>Other</guisubmenu><guimenuitem>Users and Groups</guimenuitem></menuchoice> from the <guimenu>Activities</guimenu> menu, or type <command>system-config-users</command> at a shell prompt. Note that unless you have superuser privileges, the application will prompt you to authenticate as <systemitem class="username">root</systemitem>.
     </para>
+    <section id="s2-redhat-config-users-list">
+      <title>Viewing Users and Groups</title>
+      <indexterm>
+        <primary>user configuration</primary>
+        <secondary>filtering list of users</secondary>
+      </indexterm>
+      <indexterm>
+        <primary>group configuration</primary>
+        <secondary>filtering list of groups</secondary>
+      </indexterm>
+      <para>
+        The main window of the <application>User Manager</application> is divided into two tabs: The <guilabel>Users</guilabel> tab provides a list of local users along with additional information about their user ID, primary group, home directory, login shell, and full name. The <guilabel>Groups</guilabel> tab provides a list of local groups with information about their group ID and group members.
+      </para>
+      <figure id="fig-Users_Groups-User_Manager">
+        <title>Viewing users and groups</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/user-manager.png" format="PNG" scalefit="0" />
+          </imageobject>
+          <textobject>
+            <para>
+              Viewing users and groups
+            </para>
+          </textobject>
+        </mediaobject>
+      </figure>
+      <para>
+        To find a specific user or group, type the first few letters of the name in the <guilabel>Search filter</guilabel> field and either press <keycap>Enter</keycap>, or click the <guibutton>Apply filter</guibutton> button. You can also sort the items according to any of the available columns by clicking the column header.
+      </para>
+      <para>
+        &MAJOROS; reserves user and group IDs below 500 for system users and groups. By default, the <application>User Manager</application> does not display the system users. To view all users and groups, select <menuchoice><guimenu>Edit</guimenu><guimenuitem>Preferences</guimenuitem></menuchoice> to open the <guilabel>Preferences</guilabel> dialog box, and clear the <guilabel>Hide system users and groups</guilabel> check box.
+      </para>
+    </section>
     <section id="s2-redhat-config-users-user-new">
       <title>Adding a New User</title>
       <indexterm>
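Review bot: in the new Viewing Users and Groups section, "divided into two tabs: The `<guilabel>Users</guilabel>` tab" capitalizes the word after the colon; use "the" there, or split it into two sentences. The search-filter sentence "either press `<keycap>Enter</keycap>`, or click" does not need the comma before "or" in an either/or pair.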
@@ -260,7 +349,23 @@
         <secondary>adding users</secondary>
       </indexterm>
       <para>
-        To add a new user, click the <guibutton>Add User</guibutton> button. A window as shown in <xref linkend="user-new-fig" /> appears. Type the username and full name for the new user in the appropriate fields. Type the user's password in the <guilabel>Password</guilabel> and <guilabel>Confirm Password</guilabel> fields. The password must be at least six characters.
+        To add a new user, click the <guibutton>Add User</guibutton> button. A window as shown in <xref linkend="user-new-fig" /> appears.
+      </para>
+      <figure id="user-new-fig">
+        <title>Adding a new user</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/user-manager-add-user.png" format="PNG" scalefit="0" />
+          </imageobject>
+          <textobject>
+            <para>
+              Adding a new user
+            </para>
+          </textobject>
+        </mediaobject>
+      </figure>
+      <para>
+        The <guilabel>Add New User</guilabel> dialog box allows you to provide information about the newly created user. In order to create a user, enter the username and full name in the appropriate fields and then type the user's password in the <guilabel>Password</guilabel> and <guilabel>Confirm Password</guilabel> fields. The password must be at least six characters long.
       </para>
       <note>
         <title>Password security advice</title>
@@ -269,37 +374,49 @@
         </para>
       </note>
       <para>
-        Select a login shell from the pulldown list. If you are not sure which shell to select, accept the default value of <command>/bin/bash</command>. The default home directory is <filename class="directory">/home/<replaceable>username</replaceable>/</filename>. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting <guilabel>Create home directory</guilabel>.
+        The <guilabel>Login Shell</guilabel> pulldown list allows you to select a login shell for the user. If you are not sure which shell to select, accept the default value of <guimenuitem>/bin/bash</guimenuitem>.
       </para>
       <para>
-        If you select to create the home directory, default configuration files are copied from the <filename class="directory">/etc/skel/</filename> directory into the new home directory.
+        By default, the <application>User Manager</application> application creates the home directory for a new user in <filename class="directory">/home/<replaceable>username</replaceable>/</filename>. You can choose not to create the home directory by clearing the <guilabel>Create home directory</guilabel> check box, or change this directory by editing the content of the <guilabel>Home Directory</guilabel> text box.  Note that when the home directory is created, default configuration files are copied into it from the <filename class="directory">/etc/skel/</filename> directory.
       </para>
       <para>
-        &MAJOROS; uses a <firstterm>user private group</firstterm> (UPG) scheme. The UPG scheme does not add or change anything in the standard UNIX way of handling groups; it offers a new convention. Whenever you create a new user, by default, a unique group with the same name as the user is created. If you do not want to create this group, unselect <guilabel>Create a private group for the user</guilabel>.
+        &MAJOROS; uses a user private group (UPG) scheme. Whenever you create a new user, a unique group with the same name as the user is created by default. If you do not want to create this group, clear the <guilabel>Create a private group for the user</guilabel> check box.
       </para>
       <para>
-        To specify a user ID for the user, select <guilabel>Specify user ID manually</guilabel>. If the option is not selected, the next available user ID above 500 is assigned to the new user. Because &MAJOROS; reserves user IDs below 500 for system users, it is not advisable to manually assign user IDs 1-499.
+        To specify a user ID for the user, select <guilabel>Specify user ID manually</guilabel>. If the option is not selected, the next available user ID above 500 is assigned to the new user. Because &MAJOROS; reserves user IDs below 500 for system users, it is not advisable to manually assign user IDs 1–499.
       </para>
       <para>
-        Click <guibutton>OK</guibutton> to create the user.
+        Clicking the <guibutton>OK</guibutton> button creates the new user. To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user.
       </para>
-      <figure id="user-new-fig">
-        <title>Creating a new user</title>
+    </section>
+    <section id="s2-redhat-config-users-group-new">
+      <title>Adding a New Group</title>
+      <indexterm>
+        <primary>group configuration</primary>
+        <secondary>adding groups</secondary>
+      </indexterm>
+      <para>
+        To add a new user group, select <guibutton>Add Group</guibutton> from the toolbar. A window similar to <xref linkend="group-new-fig" /> appears. Type the name of the new group. To specify a group ID for the new group, select <guilabel>Specify group ID manually</guilabel> and select the GID. Note that &MAJOROS; also reserves group IDs lower than 500 for system groups.
+      </para>
+      <figure id="group-new-fig">
+        <title>New Group</title>
         <mediaobject>
           <imageobject>
-            <imagedata fileref="images/user-manager-add-user.png" format="PNG" scalefit="0" />
+            <imagedata fileref="images/user-manager-add-group.png" format="PNG" scalefit="0" />
           </imageobject>
           <textobject>
             <para>
-              Creating a new user with the Create New User dialog
+              Creating a new group
             </para>
           </textobject>
         </mediaobject>
       </figure>
       <para>
-        To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user.
+        Click <guibutton>OK</guibutton> to create the group. The new group appears in the group list.
       </para>
-      <bridgehead>Modifying User Properties</bridgehead>
+    </section>
+    <section id="s2-redhat-config-users-user-properties">
+      <title>Modifying User Properties</title>
       <indexterm>
         <primary>user configuration</primary>
         <secondary>modifying users</secondary>
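Review bot: the home-directory paragraph has a double space before "Note that when the home directory is created". Also, this hunk changes the default shell in the Login Shell paragraph from `<command>/bin/bash</command>` to `<guimenuitem>/bin/bash</guimenuitem>` while the later "Explaining the Process" list still uses `<command>/bin/bash</command>` for the same value; pick one markup for the shell path so the two read consistently.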
@@ -366,32 +483,6 @@
         </listitem>
       </itemizedlist>
     </section>
-    <section id="s2-redhat-config-users-group-new">
-      <title>Adding a New Group</title>
-      <indexterm>
-        <primary>group configuration</primary>
-        <secondary>adding groups</secondary>
-      </indexterm>
-      <para>
-        To add a new user group, select <guibutton>Add Group</guibutton> from the toolbar. A window similar to <xref linkend="group-new-fig" /> appears. Type the name of the new group. To specify a group ID for the new group, select <guilabel>Specify group ID manually</guilabel> and select the GID. Note that &MAJOROS; also reserves group IDs lower than 500 for system groups.
-      </para>
-      <figure id="group-new-fig">
-        <title>New Group</title>
-        <mediaobject>
-          <imageobject>
-            <imagedata fileref="images/user-manager-add-group.png" format="PNG" scalefit="0" />
-          </imageobject>
-          <textobject>
-            <para>
-              Creating a new group
-            </para>
-          </textobject>
-        </mediaobject>
-      </figure>
-      <para>
-        Click <guibutton>OK</guibutton> to create the group. The new group appears in the group list.
-      </para>
-    </section>
     <section id="s2-redhat-config-users-group-properties">
       <title>Modifying Group Properties</title>
       <indexterm>
@@ -424,7 +515,7 @@
     </section>
   </section>
   <section id="s1-users-tools">
-    <title>User and Group Management Tools</title>
+    <title>Using Command Line Tools</title>
     <indexterm>
       <primary>users</primary>
       <secondary>tools for management of</secondary>
@@ -446,47 +537,69 @@
       <tertiary><command>groupadd</command></tertiary>
     </indexterm>
     <para>
-      Managing users and groups can be tiresome; this is why &MAJOROS; provides tools and conventions to make this task easier to manage.
-    </para>
-    <para>
-      The easiest way to manage users and groups is through the graphical application, <application>User Manager</application> (<command>system-config-users</command>). For more information on <application>User Manager</application>, refer to <xref linkend="s1-users-configui" />.
+      The easiest say to manage users and groups on &MAJOROS; is to use the <application>User Manager</application> application as described in <xref linkend="s1-users-configui" />. However, if you prefer command line tools or do not have the X Window System installed, you can use command line utilities that are listed in <xref linkend="table-users-tools" />.
     </para>
-    <para>
-      The following command line tools can also be used to manage users and groups:
-    </para>
-    <itemizedlist>
-      <listitem>
-        <para>
-          <command>useradd</command>, <command>usermod</command>, and <command>userdel</command> — Industry-standard methods of adding, deleting and modifying user accounts
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>groupadd</command>, <command>groupmod</command>, and <command>groupdel</command> — Industry-standard methods of adding, deleting, and modifying user groups
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>gpasswd</command> — Industry-standard method of administering the <filename>/etc/group</filename> file
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>pwck</command>, <command>grpck</command> — Tools used for the verification of the password, group, and associated shadow files
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>pwconv</command>, <command>pwunconv</command> — Tools used for the conversion of passwords to shadow passwords and back to standard passwords
-        </para>
-      </listitem>
-    </itemizedlist>
-    <section id="s2-users-cmd-line">
-      <title>Command Line Configuration</title>
-      <indexterm>
-        <primary>user configuration</primary>
-        <secondary>command line configuration</secondary>
-      </indexterm>
+    <table id="table-users-tools">
+      <title>Command line utilities for managing users and groups</title>
+      <tgroup cols="2">
+        <colspec colname="utilities" colnum="1" colwidth="35*" />
+        <colspec colname="description" colnum="2" colwidth="65*" />
+        <thead>
+          <row>
+            <entry>
+              Utilities
+            </entry>
+            <entry>
+              Description
+            </entry>
+          </row>
+        </thead>
+        <tbody>
+          <row>
+            <entry>
+              <command>useradd</command>, <command>usermod</command>, <command>userdel</command>
+            </entry>
+            <entry>
+              Standard utilities for adding, modifying, and deleting user accounts.
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <command>groupadd</command>, <command>groupmod</command>, <command>groupdel</command>
+            </entry>
+            <entry>
+              Standard utilities for adding, modifying, and deleting groups.
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <command>gpasswd</command>
+            </entry>
+            <entry>
+              Standard utility for administering the <filename>/etc/group</filename> configuration file.
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <command>pwck</command>, <command>grpck</command>
+            </entry>
+            <entry>
+              Utilities that can be used for verification of the password, group, and associated shadow files.
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <command>pwconv</command>, <command>pwunconv</command>
+            </entry>
+            <entry>
+              Utilities that can be used for the conversion of passwords to shadow passwords, or back from shadow passwords to standard passwords.
+            </entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
+    <section id="s2-users-tools-users-add">
+      <title>Adding a New User</title>
       <indexterm>
         <primary><command>useradd</command> command</primary>
         <secondary>user account creation using</secondary>
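Review bot: typo in the rewritten introduction to the command line section: "The easiest say to manage users and groups" should be "The easiest way". This hunk also removes the `s2-users-cmd-line` section (and its id), so any `<xref linkend="s2-users-cmd-line" />` elsewhere in the guide will no longer resolve; please grep the book for that id before merging.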
@@ -495,45 +608,35 @@
         <primary>adding</primary>
         <secondary>user</secondary>
       </indexterm>
+      <indexterm>
+        <primary>user configuration</primary>
+        <secondary>command line configuration</secondary>
+        <tertiary><command>useradd</command></tertiary>
+      </indexterm>
       <para>
-        If you prefer command line tools or do not have the X Window System installed, use following to configure users and groups.
+        To add a new user to the system, typing the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <bridgehead>Adding a User</bridgehead>
+      <synopsis><command>useradd</command> <optional><replaceable>options</replaceable></optional> <replaceable>username</replaceable></synopsis>
       <para>
-        To add a user to the system:
+        &#8230;where <replaceable>options</replaceable> are command line options as described in <xref linkend="table-useradd-options" />.
       </para>
       <indexterm>
         <primary>user configuration</primary>
         <secondary>command line configuration</secondary>
-        <tertiary><command>useradd</command></tertiary>
+        <tertiary><command>passwd</command></tertiary>
       </indexterm>
-      <procedure>
-        <step>
-          <para>
-            Issue the <command>useradd</command> command to create a locked user account:
-          </para>
-          <screen><command>useradd</command> <replaceable>username</replaceable></screen>
-        </step>
-        <step>
-          <para>
-            <indexterm>
-              <primary>user configuration</primary>
-              <secondary>command line configuration</secondary>
-              <tertiary><command>passwd</command></tertiary>
-            </indexterm>
-            Unlock the account by issuing the <command>passwd</command> command to assign a password and set password aging guidelines:
-           </para>
-          <screen><command>passwd</command> <replaceable>username</replaceable></screen>
-        </step>
-      </procedure>
       <para>
-        Command line options for <command>useradd</command> are detailed in <xref linkend="table-useradd-options" />.
+        By default, the <command>useradd</command> command creates a locked user account. To unlock the account, run the following command as <systemitem class="username">root</systemitem> to assign a password:
+      </para>
+      <synopsis><command>passwd</command> <replaceable>username</replaceable></synopsis>
+      <para>
+        Optionally, you can set password aging policy. Refer to <xref linkend="s2-users-tools-password-aging" /> for information on how to enable password aging.
       </para>
       <table id="table-useradd-options">
-        <title><command>useradd</command> Command Line Options</title>
+        <title>useradd command line options</title>
         <tgroup cols="2">
-          <colspec colname="option" colnum="1" colwidth="20*" />
-          <colspec colname="description" colnum="2" colwidth="50*" />
+          <colspec colname="option" colnum="1" colwidth="30*" />
+          <colspec colname="description" colnum="2" colwidth="70*" />
           <thead>
             <row>
               <entry>
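Review bot: grammar in the new lead sentence: "To add a new user to the system, typing the following at a shell prompt as root:" should be "type the following". Likewise "Optionally, you can set password aging policy" reads better as "a password aging policy". The table title was changed from `<title><command>useradd</command> Command Line Options</title>` to plain "useradd command line options"; if the lowercase style is intentional, keep the `<command>` markup around the utility name so it matches the rest of the chapter.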
@@ -652,7 +755,178 @@
           </tbody>
         </tgroup>
       </table>
-      <bridgehead>Adding a Group</bridgehead>
+      <bridgehead id="bh-users-tools-users-add-explanation">
+        Explaining the Process
+      </bridgehead>
+      <para>
+        The following steps illustrate what happens if the command <command>useradd juan</command> is issued on a system that has shadow passwords enabled:
+      </para>
+      <procedure>
+        <step>
+          <para>
+            A new line for <systemitem class="username">juan</systemitem> is created in <filename>/etc/passwd</filename>:
+          </para>
+          <programlisting>juan:x:501:501::/home/juan:/bin/bash</programlisting>
+          <para>
+            The line has the following characteristics:
+          </para>
+          <itemizedlist>
+            <listitem>
+              <para>
+                It begins with the username <systemitem class="username">juan</systemitem>.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                There is an <literal>x</literal> for the password field indicating that the system is using shadow passwords.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                A UID greater than 499 is created. Under &MAJOROS;, UIDs below 500 are reserved for system use and should not be assigned to users.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                A GID greater than 499 is created. Under &MAJOROS;, GIDs below 500 are reserved for system use and should not be assigned to users.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                The optional <firstterm>GECOS</firstterm> information is left blank.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                The home directory for <systemitem class="username">juan</systemitem> is set to <filename class="directory">/home/juan/</filename>.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                The default shell is set to <command>/bin/bash</command>.
+              </para>
+            </listitem>
+          </itemizedlist>
+        </step>
+        <step>
+          <para>
+            A new line for <systemitem class="username">juan</systemitem> is created in <filename>/etc/shadow</filename>:
+          </para>
+          <programlisting>juan:!!:14798:0:99999:7:::</programlisting>
+          <para>
+            The line has the following characteristics:
+          </para>
+          <itemizedlist>
+            <listitem>
+              <para>
+                It begins with the username <systemitem class="username">juan</systemitem>.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                Two exclamation marks (<literal>!!</literal>) appear in the password field of the <filename>/etc/shadow</filename> file, which locks the account.
+              </para>
+              <note>
+                <title>Note</title>
+                <para>
+                  If an encrypted password is passed using the <option>-p</option> flag, it is placed in the <filename>/etc/shadow</filename> file on the new line for the user.
+                </para>
+              </note>
+            </listitem>
+            <listitem>
+              <para>
+                The password is set to never expire.
+              </para>
+            </listitem>
+          </itemizedlist>
+        </step>
+        <step>
+          <para>
+            A new line for a group named <systemitem class="groupname">juan</systemitem> is created in <filename>/etc/group</filename>:
+          </para>
+          <programlisting>juan:x:501:</programlisting>
+          <para>
+            A group with the same name as a user is called a <firstterm>user private group</firstterm>. For more information on user private groups, refer to <xref linkend="s2-users-groups-private-groups" />.
+          </para>
+          <para>
+            The line created in <filename>/etc/group</filename> has the following characteristics:
+          </para>
+          <itemizedlist>
+            <listitem>
+              <para>
+                It begins with the group name <systemitem class="username">juan</systemitem>.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                An <literal>x</literal> appears in the password field indicating that the system is using shadow group passwords.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                The GID matches the one listed for user <systemitem class="username">juan</systemitem> in <filename>/etc/passwd</filename>.
+              </para>
+            </listitem>
+          </itemizedlist>
+        </step>
+        <step>
+          <para>
+            A new line for a group named <systemitem class="groupname">juan</systemitem> is created in <filename>/etc/gshadow</filename>:
+          </para>
+          <programlisting>juan:!::</programlisting>
+          <para>
+            The line has the following characteristics:
+          </para>
+          <itemizedlist>
+            <listitem>
+              <para>
+                It begins with the group name <systemitem class="groupname">juan</systemitem>.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                An exclamation mark (<literal>!</literal>) appears in the password field of the <filename>/etc/gshadow</filename> file, which locks the group.
+              </para>
+            </listitem>
+            <listitem>
+              <para>
+                All other fields are blank.
+              </para>
+            </listitem>
+          </itemizedlist>
+        </step>
+        <step>
+          <para>
+            A directory for user <systemitem class="username">juan</systemitem> is created in the <filename class="directory">/home/</filename> directory:
+          </para>
+          <screen>~]# <command>ls -l /home</command>
+total 4
+drwx------. 4 juan juan 4096 Mar  3 18:23 juan</screen>
+          <para>
+            This directory is owned by user <systemitem class="username">juan</systemitem> and group <systemitem class="groupname">juan</systemitem>. It has <firstterm>read</firstterm>, <firstterm>write</firstterm>, and <firstterm>execute</firstterm> privileges <emphasis>only</emphasis> for the user <systemitem class="username">juan</systemitem>. All other permissions are denied.
+          </para>
+        </step>
+        <step>
+          <para>
+            The files within the <filename class="directory">/etc/skel/</filename> directory (which contain default user settings) are copied into the new <filename class="directory">/home/juan/</filename> directory:
+          </para>
+          <screen>~]# <command>ls -la /home/juan</command>
+total 28
+drwx------. 4 juan juan 4096 Mar  3 18:23 .
+drwxr-xr-x. 5 root root 4096 Mar  3 18:23 ..
+-rw-r--r--. 1 juan juan   18 Jun 22  2010 .bash_logout
+-rw-r--r--. 1 juan juan  176 Jun 22  2010 .bash_profile
+-rw-r--r--. 1 juan juan  124 Jun 22  2010 .bashrc
+drwxr-xr-x. 2 juan juan 4096 Jul 14  2010 .gnome2
+drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla</screen>
+        </step>
+      </procedure>
+      <para>
+        At this point, a locked account called <systemitem>juan</systemitem> exists on the system. To activate it, the administrator must next assign a password to the account using the <command>passwd</command> command and, optionally, set password aging guidelines.
+      </para>
+    </section>
+    <section id="s2-users-tools-groups-add">
+      <title>Adding a New Group</title>
       <indexterm>
         <primary>group configuration</primary>
         <secondary><command>groupadd</command></secondary>
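Review bot: the `<systemitem>` markup for juan is inconsistent in this walkthrough: in the /etc/group step, `It begins with the group name <systemitem class="username">juan</systemitem>.` tags a group with class="username" (the /etc/gshadow step correctly uses class="groupname"), and the closing sentence `At this point, a locked account called <systemitem>juan</systemitem> exists on the system.` has no class at all; use class="groupname" and class="username" respectively so the index and rendering stay consistent. Also, `<xref linkend="s2-users-groups-private-groups" />` points at an id that is not created anywhere in the visible diff while the old `s1-users-groups-private-groups` section is deleted in the last hunk; confirm the renamed section exists in this commit, otherwise the xref is unresolved at build time.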
@@ -662,17 +936,17 @@
         <secondary>group</secondary>
       </indexterm>
       <para>
-        To add a group to the system, use the command <command>groupadd</command>:
+        To add a new group to the system, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen><command>groupadd</command> <replaceable>group_name</replaceable></screen>
+      <synopsis><command>groupadd</command> <optional><replaceable>options</replaceable></optional> <replaceable>group_name</replaceable></synopsis>
       <para>
-        Command line options for <command>groupadd</command> are detailed in <xref linkend="table-groupadd-options" />.
+        &#8230;where <replaceable>options</replaceable> are command line options as described in <xref linkend="table-groupadd-options" />.
       </para>
       <table id="table-groupadd-options">
-        <title><command>groupadd</command> Command Line Options</title>
+        <title>groupadd command line options</title>
         <tgroup cols="2">
-          <colspec colnum="1" colname="option" colwidth="20*" />
-          <colspec colnum="2" colname="description" colwidth="50*" />
+          <colspec colnum="1" colname="option" colwidth="30*" />
+          <colspec colnum="2" colname="description" colwidth="70*" />
           <thead>
             <row>
               <entry>
@@ -735,7 +1009,9 @@
           </tbody>
         </tgroup>
       </table>
-      <bridgehead>Password Aging</bridgehead>
+    </section>
+    <section id="s2-users-tools-password-aging">
+      <title>Enabling Password Aging</title>
       <indexterm>
         <primary>password</primary>
         <secondary>expire</secondary>
@@ -757,22 +1033,31 @@
         <tertiary>forcing expiration of</tertiary>
       </indexterm>
       <para>
-        For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the <guilabel>Password Info</guilabel> tab of the <application>User Manager</application>.
-      </para>
-      <para>
-        To configure password expiration for a user from a shell prompt, use the <command>chage</command> command with an option from <xref linkend="table-chage-options" />, followed by the username.
+        For security reasons, it is advisable to require users to change their passwords periodically. This can either be done when adding or editing a user on the <guilabel>Password Info</guilabel> tab of the <application>User Manager</application> application, or by using the <command>chage</command> command.
       </para>
       <important>
         <title>Shadow passwords must be enabled to use chage</title>
         <para>
-          Shadow passwords must be enabled to use the <command>chage</command> command. For more information, see <xref linkend="s1-users-groups-shadow-utilities" />.
+          Shadow passwords must be enabled to use the <command>chage</command> command. For more information, see <xref linkend="s2-users-groups-shadow-utilities" />.
         </para>
       </important>
+      <indexterm>
+        <primary>user configuration</primary>
+        <secondary>command line configuration</secondary>
+        <tertiary><command>chage</command></tertiary>
+      </indexterm>
+      <para>
+        To configure password expiration for a user from a shell prompt, run the following command as <systemitem class="username">root</systemitem>:
+      </para>
+      <synopsis><command>chage</command> <optional><replaceable>options</replaceable></optional> <replaceable>username</replaceable></synopsis>
+      <para>
+        &#8230;where <replaceable>options</replaceable> are command line options as described in <xref linkend="table-chage-options" />. When the <command>chage</command> command is followed directly by a username (that is, when no command line options are specified), it displays the current password aging values and allows you to change them interactively.
+      </para>
       <table id="table-chage-options">
-        <title><command>chage</command> Command Line Options</title>
+        <title>chage command line options</title>
         <tgroup cols="2">
-          <colspec colnum="1" colname="option" colwidth="20*" />
-          <colspec colnum="2" colname="description" colwidth="50*" />
+          <colspec colnum="1" colname="option" colwidth="30*" />
+          <colspec colnum="2" colname="description" colwidth="70*" />
           <thead>
             <row>
               <entry>
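Review bot: `<xref linkend="s2-users-groups-shadow-utilities" />` replaces the old `s1-users-groups-shadow-utilities` target, but the only section by that name visible in this diff is the one removed in the last hunk and no `s2-users-groups-shadow-utilities` section is added here; make sure the renamed section is part of the insertions elsewhere in this commit, or the important box will carry a dangling link. The interactive-mode sentence moved out of the removed note into `When the <command>chage</command> command is followed directly by a username ...` reads fine where it is.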
@@ -843,28 +1128,22 @@
           </tbody>
         </tgroup>
       </table>
-      <note>
-        <title>chage interactivity</title>
-        <para>
-          If the <command>chage</command> command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed interactively.
-        </para>
-      </note>
       <para>
         You can configure a password to expire the first time a user logs in. This forces users to change passwords immediately.
       </para>
       <procedure>
         <step>
           <para>
-            <emphasis>Set up an initial password</emphasis> &mdash; There are two common approaches to this step: the administrator can assign a default password, or he can use a null password.
+            Set up an initial password. There are two common approaches to this step: you can either assign a default password, or you can use a null password.
           </para>
           <para>
-            To assign a default password, type the following at a shell prompt:
+            To assign a default password, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
           </para>
-          <screen><command>passwd</command> <replaceable>username</replaceable></screen>
+          <synopsis><command>passwd</command> <replaceable>username</replaceable></synopsis>
           <para>
             To assign a null password instead, use the following command:
           </para>
-          <screen><command>passwd</command> <option>-d</option> <replaceable>username</replaceable></screen>
+          <synopsis><command>passwd</command> <option>-d</option> <replaceable>username</replaceable></synopsis>
           <warning>
             <title>Avoid using null passwords whenever possible</title>
             <para>
@@ -874,9 +1153,9 @@
         </step>
         <step>
           <para>
-            <emphasis>Force immediate password expiration</emphasis> &mdash; Type the following command:
+            Force immediate password expiration by running the following command as <systemitem class="username">root</systemitem>:
           </para>
-          <screen><command>chage</command> <option>-d</option> <option>0</option> <replaceable>username</replaceable></screen>
+          <synopsis><command>chage</command> <option>-d</option> <option>0</option> <replaceable>username</replaceable></synopsis>
           <para>
             This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
           </para>
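Review bot: `<option>0</option>` in `<synopsis><command>chage</command> <option>-d</option> <option>0</option> <replaceable>username</replaceable></synopsis>` marks the argument of -d as if it were a second option; this was already wrong in the replaced `<screen>` line, but since the line is being rewritten anyway, use `<literal>0</literal>` (or plain text) so the synopsis distinguishes the flag from its value, matching how `<option>-d</option>` is used for the flag itself.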
@@ -886,174 +1165,113 @@
         Upon the initial log in, the user is now prompted for a new password.
       </para>
     </section>
-    <section id="s2-redhat-config-users-process">
-      <title>Explaining the Process</title>
+    <section id="s2-users-tools-users-logout">
+      <title>Enabling Automatic Logouts</title>
       <para>
-        The following steps illustrate what happens if the command <command>useradd juan</command> is issued on a system that has shadow passwords enabled:
+        Especially when the user is logged in as <systemitem class="username">root</systemitem>, an unattended login session may pose a significant security risk. To reduce this risk, you can configure the system to automatically log out idle users after a fixed period of time:
       </para>
       <procedure>
         <step>
           <para>
-            A new line for <systemitem class="username">juan</systemitem> is created in <filename>/etc/passwd</filename>:
+            Make sure the <package>screen</package> package is installed. You can do so by running the following command as <systemitem class="username">root</systemitem>:
+          </para>
+          <synopsis><command>yum</command> <option>install</option> <option>screen</option></synopsis>
+          <para>
+            For more information on how to install packages in &MAJOROS;, refer to <xref linkend="sec-Installing" />.
           </para>
-          <screen>juan:x:501:501::/home/juan:/bin/bash</screen>
-          <para>
-            The line has the following characteristics:
-          </para>
-          <itemizedlist>
-            <listitem>
-              <para>
-                It begins with the username <literal>juan</literal>.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                There is an <literal>x</literal> for the password field indicating that the system is using shadow passwords.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                A UID greater than 499 is created. Under &MAJOROS;, UIDs and GIDs below 500 are reserved for system use. These should not be assigned to users.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                A GID greater than 499 is created.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                The optional GECOS information is left blank.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                The home directory for <systemitem class="username">juan</systemitem> is set to <filename class="directory">/home/juan/</filename>.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                The default shell is set to <command>/bin/bash</command>.
-              </para>
-            </listitem>
-          </itemizedlist>
-        </step>
-        <step>
-          <para>
-            A new line for <systemitem class="username">juan</systemitem> is created in <filename>/etc/shadow</filename>:
-          </para>
-          <screen>juan:!!:14798:0:99999:7:::</screen>
-          <para>
-            The line has the following characteristics:
-          </para>
-          <itemizedlist>
-            <listitem>
-              <para>
-                It begins with the username <systemitem class="username">juan</systemitem>.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                Two exclamation marks (<literal>!!</literal>) appear in the password field of the <filename>/etc/shadow</filename> file, which locks the account.
-              </para>
-              <note>
-                <title>Note</title>
-                <para>
-                  If an encrypted password is passed using the <option>-p</option> flag, it is placed in the <filename>/etc/shadow</filename> file on the new line for the user.
-                </para>
-              </note>
-            </listitem>
-            <listitem>
-              <para>
-                The password is set to never expire.
-              </para>
-            </listitem>
-          </itemizedlist>
         </step>
         <step>
           <para>
-            A new line for a group named <systemitem class="groupname">juan</systemitem> is created in <filename>/etc/group</filename>:
+            As <systemitem class="username">root</systemitem>, add the following line at the beginning of the <filename>/etc/profile</filename> file to make sure the processing of this file cannot be interrupted:
           </para>
-          <screen>juan:x:501:</screen>
+          <programlisting language="Bash">trap "" 1 2 3 15</programlisting>
+        </step>
+        <step>
           <para>
-            A group with the same name as a user is called a <firstterm>user private group</firstterm>. For more information on user private groups, refer to <xref linkend="s2-redhat-config-users-user-new" />.
+            Add the following lines at the end of the <filename>/etc/profile</filename> file to start a <command>screen</command> session each time a user logs in to a virtual console or remotely:
           </para>
+          <programlisting language="Bash">SCREENEXEC="screen"
+if [ -w $(tty) ]; then
+  trap "exec $SCREENEXEC" 1 2 3 15
+  echo -n 'Starting session in 10 seconds'
+  sleep 10
+  exec $SCREENEXEC
+fi</programlisting>
           <para>
-            The line created in <filename>/etc/group</filename> has the following characteristics:
+            Note that each time a new session starts, a message will be displayed and the user will have to wait ten seconds. To adjust the time to wait before starting a session, change the value after the <command>sleep</command> command.
           </para>
-          <itemizedlist>
-            <listitem>
-              <para>
-                It begins with the group name <systemitem class="username">juan</systemitem>.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                An <literal>x</literal> appears in the password field indicating that the system is using shadow group passwords.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                The GID matches the one listed for user <systemitem class="username">juan</systemitem> in <filename>/etc/passwd</filename>.
-              </para>
-            </listitem>
-          </itemizedlist>
         </step>
         <step>
           <para>
-            A new line for a group named <systemitem class="groupname">juan</systemitem> is created in <filename>/etc/gshadow</filename>:
+            Add the following lines to the <filename>/etc/screenrc</filename> configuration file to close the <command>screen</command> session after a given period of inactivity:
           </para>
-          <screen>juan:!::</screen>
+          <programlisting language="Bash">idle 120 quit
+autodetach off</programlisting>
           <para>
-            The line has the following characteristics:
+            This will set the time limit to 120 seconds. To adjust this limit, change the value after the <option>idle</option> directive.
           </para>
-          <itemizedlist>
-            <listitem>
-              <para>
-                It begins with the group name <systemitem class="groupname">juan</systemitem>.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                An exclamation mark (<literal>!</literal>) appears in the password field of the <filename>/etc/gshadow</filename> file, which locks the group.
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                All other fields are blank.
-              </para>
-            </listitem>
-          </itemizedlist>
+          <para>
+            Alternatively, you can configure the system to only lock the session by using the following lines instead:
+          </para>
+          <programlisting language="Bash">idle 120 lockscreen
+autodetach off</programlisting>
+          <para>
+            This way, a password will be required to unlock the session.
+          </para>
+        </step>
+      </procedure>
+      <para>
+        The changes take effect the next time a user logs in to the system.
+      </para>
+    </section>
+    <section id="s2-users-tools-groups-directories">
+      <title>Creating Group Directories</title>
+      <indexterm>
+        <primary>groups</primary>
+        <secondary>shared directories</secondary>
+      </indexterm>
+      <indexterm>
+        <primary>user private groups</primary>
+        <secondary>and shared directories</secondary>
+      </indexterm>
+      <para>
+        System administrators usually like to create a group for each major project and assign people to the group when they need to access that project's files. With this traditional scheme, file managing is difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it becomes difficult to associate the right files with the right group. However, with the UPG scheme, groups are automatically assigned to files created within a directory with the <firstterm>setgid</firstterm> bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group which owns the directory.
+      </para>
+      <para>
+        For example, a group of people need to work on files in the <filename class="directory">/opt/myproject/</filename> directory. Some people are trusted to modify the contents of this directory, but not everyone.
+      </para>
+      <procedure>
+        <step>
+          <para>
+            As <systemitem class="username">root</systemitem>, create the <filename class="directory">/opt/myproject/</filename> directory by typing the following at a shell prompt:
+          </para>
+          <screen><command>mkdir /opt/myproject</command></screen>
         </step>
         <step>
           <para>
-            A directory for user <systemitem class="username">juan</systemitem> is created in the <filename class="directory">/home/</filename> directory:
+            Add the <systemitem class="groupname">myproject</systemitem> group to the system:
           </para>
-          <screen>~]# <command>ls -l /home</command>
-total 4
-drwx------. 4 juan juan 4096 Mar  3 18:23 juan</screen>
+          <screen><command>groupadd myproject</command></screen>
+        </step>
+        <step>
           <para>
-            This directory is owned by user <systemitem class="username">juan</systemitem> and group <systemitem class="groupname">juan</systemitem>. It has <firstterm>read</firstterm>, <firstterm>write</firstterm>, and <firstterm>execute</firstterm> privileges <emphasis>only</emphasis> for the user <systemitem class="username">juan</systemitem>. All other permissions are denied.
+            Associate the contents of the <filename class="directory">/opt/myproject/</filename> directory with the <systemitem class="groupname">myproject</systemitem> group:
           </para>
+          <screen><command>chown root:myproject /opt/myproject</command></screen>
         </step>
         <step>
           <para>
-            The files within the <filename class="directory">/etc/skel/</filename> directory (which contain default user settings) are copied into the new <filename class="directory">/home/juan/</filename> directory:
+            Allow users to create files within the directory, and set the setgid bit:
           </para>
-          <screen>~]# <command>ls -la /home/juan</command>
-total 28
-drwx------. 4 juan juan 4096 Mar  3 18:23 .
-drwxr-xr-x. 5 root root 4096 Mar  3 18:23 ..
--rw-r--r--. 1 juan juan   18 Jun 22  2010 .bash_logout
--rw-r--r--. 1 juan juan  176 Jun 22  2010 .bash_profile
--rw-r--r--. 1 juan juan  124 Jun 22  2010 .bashrc
-drwxr-xr-x. 2 juan juan 4096 Jul 14  2010 .gnome2
-drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla</screen>
+          <screen><command>chmod 2775 /opt/myproject</command></screen>
         </step>
       </procedure>
       <para>
-        At this point, a locked account called <systemitem>juan</systemitem> exists on the system. To activate it, the administrator must next assign a password to the account using the <command>passwd</command> command and, optionally, set password aging guidelines.
+        At this point, all members of the <systemitem class="groupname">myproject</systemitem> group can create and edit files in the <filename class="directory">/opt/myproject/</filename> directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:
       </para>
+      <screen>~]# <command>ls -l /opt</command>
+total 4
+drwxrwsr-x. 3 root myproject 4096 Mar  3 18:31 myproject</screen>
     </section>
   </section>
   <section id="s1-users-groups-standard-users">
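Review bot: the test `if [ -w $(tty) ]; then` in the /etc/profile snippet leaves `$(tty)` unquoted; when the login shell has no controlling terminal, `tty` prints `not a tty`, so the test expands to several words and fails with a `too many arguments` error instead of quietly skipping the screen start. Quote it as `if [ -w "$(tty)" ]; then`. Also in this hunk, `<synopsis><command>yum</command> <option>install</option> <option>screen</option></synopsis>` marks the package name as an `<option>` while the sentence above correctly uses `<package>screen</package>`; use `<package>` in the synopsis too. Finally, the setgid directory procedure is moved here under the new id `s2-users-tools-groups-directories` (it was `s2-users-groups-rationale` in the section removed below); grep the rest of the guide for xrefs to the old id before merging.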
@@ -4280,147 +4498,6 @@ drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla</screen>
       </tgroup>
     </table>
   </section>
-  <section id="s1-users-groups-private-groups">
-    <title>User Private Groups</title>
-    <indexterm>
-      <primary>groups</primary>
-      <secondary>user private</secondary>
-    </indexterm>
-    <indexterm>
-      <primary>user private groups</primary>
-      <see>groups</see>
-    </indexterm>
-    <indexterm>
-      <primary>groups</primary>
-      <secondary>tools for management of</secondary>
-      <tertiary><command>groupadd</command></tertiary>
-    </indexterm>
-    <indexterm>
-      <primary>groups</primary>
-      <secondary>tools for management of</secondary>
-      <tertiary><application>system-config-users</application></tertiary>
-    </indexterm>
-    <para>
-      &MAJOROS; uses a <firstterm>user private group</firstterm> (<firstterm>UPG</firstterm>) scheme, which makes UNIX groups easier to manage. A UPG is created whenever a new user is added to the system. It has the same name as the user for which it was created and that user is the only member of the UPG.
-    </para>
-    <para>
-      UPGs make it safe to set default permissions for a newly created file or directory, allowing both the user and <emphasis>the group of that user</emphasis> to make modifications to the file or directory.
-    </para>
-    <para>
-      The setting which determines what permissions are applied to a newly created file or directory is called a <firstterm>umask</firstterm> and is configured in the <filename>/etc/bashrc</filename> file. Traditionally on UNIX systems, the <command>umask</command> is set to <command>022</command>, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, <emphasis>including members of the creator's group</emphasis>, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group.
-    </para>
-    <section id="s2-users-groups-rationale">
-      <title>Group Directories</title>
-      <indexterm>
-        <primary>groups</primary>
-        <secondary>shared directories</secondary>
-      </indexterm>
-      <indexterm>
-        <primary>user private groups</primary>
-        <secondary>and shared directories</secondary>
-      </indexterm>
-      <para>
-        System administrators usually like to create a group for each major project and assign people to the group when they need to access that project's files. With this traditional scheme, file managing is difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it becomes difficult to associate the right files with the right group. However, with the UPG scheme, groups are automatically assigned to files created within a directory with the <firstterm>setgid</firstterm> bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group which owns the directory.
-      </para>
-      <para>
-        For example, a group of people need to work on files in the <filename class="directory">/opt/myproject/</filename> directory. Some people are trusted to modify the contents of this directory, but not everyone.
-      </para>
-      <procedure>
-        <step>
-          <para>
-            As <systemitem class="username">root</systemitem>, create the <filename class="directory">/opt/myproject/</filename> directory by typing the following at a shell prompt:
-          </para>
-          <screen><command>mkdir /opt/myproject</command></screen>
-        </step>
-        <step>
-          <para>
-            Add the <systemitem class="groupname">myproject</systemitem> group to the system:
-          </para>
-          <screen><command>groupadd myproject</command></screen>
-        </step>
-        <step>
-          <para>
-            Associate the contents of the <filename class="directory">/opt/myproject/</filename> directory with the <systemitem class="groupname">myproject</systemitem> group:
-          </para>
-          <screen><command>chown root:myproject /opt/myproject</command></screen>
-        </step>
-        <step>
-          <para>
-            Allow users to create files within the directory, and set the setgid bit:
-          </para>
-          <screen><command>chmod 2775 /opt/myproject</command></screen>
-        </step>
-      </procedure>
-      <para>
-        At this point, all members of the <systemitem class="groupname">myproject</systemitem> group can create and edit files in the <filename class="directory">/opt/myproject/</filename> directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:
-      </para>
-      <screen>~]# <command>ls -l /opt</command>
-total 4
-drwxrwsr-x. 3 root myproject 4096 Mar  3 18:31 myproject</screen>
-    </section>
-  </section>
-  <section id="s1-users-groups-shadow-utilities">
-    <title>Shadow Passwords</title>
-    <indexterm>
-      <primary>passwords</primary>
-      <secondary>shadow</secondary>
-    </indexterm>
-    <indexterm>
-      <primary>shadow passwords</primary>
-      <secondary>overview of</secondary>
-    </indexterm>
-    <para>
-      In multiuser environments it is very important to use <firstterm>shadow passwords</firstterm> (provided by the <filename>shadow-utils</filename> package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
-    </para>
-    <para>
-      The following list shows the advantages shadow passwords have over the traditional way of storing passwords on UNIX-based systems:
-    </para>
-    <itemizedlist>
-      <listitem>
-        <para>
-          Improves system security by moving encrypted password hashes from the world-readable <filename>/etc/passwd</filename> file to <filename>/etc/shadow</filename>, which is readable only by the <systemitem class="username">root</systemitem> user.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          Stores information about password aging.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          Allows the <filename>/etc/login.defs</filename> file to enforce security policies.
-        </para>
-      </listitem>
-    </itemizedlist>
-    <para>
-      Most utilities provided by the <filename>shadow-utils</filename> package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the <filename>/etc/shadow</filename> file, any commands which create or modify password aging information do not work.
-    </para>
-    <para>
-      The following is a list of commands which do not work without first enabling shadow passwords:
-    </para>
-    <itemizedlist>
-      <listitem>
-        <para>
-          <command>chage</command>
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>gpasswd</command>
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>usermod</command> <option>-e</option> or <option>-f</option> options
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <command>useradd</command> <option>-e</option> or <option>-f</option> options
-        </para>
-      </listitem>
-    </itemizedlist>
-  </section>
   <section id="s1-users-groups-additional-resources">
     <title>Additional Resources</title>
     <indexterm>
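Review bot: this hunk drops the whole "Shadow Passwords" section (id s1-users-groups-shadow-utilities, with its two indexterm entries) and the setgid shared-directory procedure, and nothing in the visible hunks re-adds them; confirm the content is relocated under the new chapter structure and that no <xref linkend="s1-users-groups-shadow-utilities"/> elsewhere in the book still points at the removed id, otherwise the build fails on the dangling link. The removed text also carries guidance a reader of the new "Installed Documentation" lists will want: that /etc/shadow is readable only by root, which is why hashes are kept out of the world-readable /etc/passwd, and that chage, gpasswd and the -e/-f options of useradd and usermod depend on shadow passwords being enabled. If that is not preserved elsewhere, the pwconv(8)/pwunconv(8) entries added later in this commit lose their context.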
@@ -4432,7 +4509,7 @@ drwxrwsr-x. 3 root myproject 4096 Mar  3 18:31 myproject</screen>
       <secondary>additional resources</secondary>
     </indexterm>
     <para>
-      For more information about users and groups, and tools to manage them, refer to the following resources.
+      Refer to the following resources for more information about managing users and groups.
     </para>
     <section id="s2-users-groups-documentation">
       <title>Installed Documentation</title>
@@ -4446,102 +4523,89 @@ drwxrwsr-x. 3 root myproject 4096 Mar  3 18:31 myproject</screen>
         <secondary>additional resources</secondary>
         <tertiary>installed documentation</tertiary>
       </indexterm>
+      <para>
+        For information about various utilities for managing users and groups, refer to the following manual pages:
+      </para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            <emphasis role="bold">chage</emphasis>(1) — A command to modify password aging policies and account expiration.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">gpasswd</emphasis>(1) — A command to administer the <filename>/etc/group</filename> file.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">groupadd</emphasis>(8) — A command to add groups.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">grpck</emphasis>(8) — A command to verify the <filename>/etc/group</filename> file.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">groupdel</emphasis>(8) — A command to remove groups.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">groupmod</emphasis>(8) — A command to modify group membership.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">pwck</emphasis>(8) — A command to verify the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> files.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">pwconv</emphasis>(8) — A tool to convert standard passwords to shadow passwords.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">pwunconv</emphasis>(8) — A tool to convert shadow passwords to standard passwords.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">useradd</emphasis>(8) — A command to add users.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">userdel</emphasis>(8) — A command to remove users.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">usermod</emphasis>(8) — A command to modify users.
+          </para>
+        </listitem>
+      </itemizedlist>
+      <para>
+        For information about related configuration files, see:
+      </para>
       <itemizedlist>
         <listitem>
           <para>
-            Related man pages — There are a number of man pages for the various applications and configuration files involved with managing users and groups. Some of the more important man pages have been listed here:
+            <emphasis role="bold">group</emphasis>(5) — The file containing group information for the system.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">passwd</emphasis>(5) — The file containing user information for the system.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <emphasis role="bold">shadow</emphasis>(5) — The file containing passwords and account expiration information for the system.
           </para>
-          <variablelist>
-            <varlistentry>
-              <term>User and Group Administrative Applications</term>
-              <listitem>
-                <itemizedlist>
-                  <listitem>
-                    <para>
-                      <command>man chage</command> — A command to modify password aging policies and account expiration.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man gpasswd</command> — A command to administer the <filename>/etc/group</filename> file.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man groupadd</command> — A command to add groups.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man grpck</command> — A command to verify the <filename>/etc/group</filename> file.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man groupdel</command> — A command to remove groups.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man groupmod</command> — A command to modify group membership.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man pwck</command> — A command to verify the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> files.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man pwconv</command> — A tool to convert standard passwords to shadow passwords.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man pwunconv</command> — A tool to convert shadow passwords to standard passwords.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man useradd</command> — A command to add users.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man userdel</command> — A command to remove users.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man usermod</command> — A command to modify users.
-                    </para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-            <varlistentry>
-              <term>Configuration Files</term>
-              <listitem>
-                <itemizedlist>
-                  <listitem>
-                    <para>
-                      <command>man 5 group</command> — The file containing group information for the system.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man 5 passwd</command> — The file containing user information for the system.
-                    </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <command>man 5 shadow</command> — The file containing passwords and account expiration information for the system.
-                    </para>
-                  </listitem>
-                </itemizedlist>
-              </listitem>
-            </varlistentry>
-          </variablelist>
         </listitem>
       </itemizedlist>
     </section>
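Review bot: the groupmod(8) entry ("A command to modify group membership") is inaccurate and is carried over unchanged from the removed variablelist; groupmod changes a group's definition (its name or GID), while membership is administered with gpasswd(1) or usermod(8), so suggest "A command to modify a group's name or GID". Separately, the hand-formatted <emphasis role="bold">chage</emphasis>(1) pattern used for every entry has a DocBook element for exactly this purpose, <citerefentry><refentrytitle>chage</refentrytitle><manvolnum>1</manvolnum></citerefentry>, which renders consistently and lets the toolchain link man pages; the flattened two-list layout that replaces the nested variablelist is otherwise well-formed, since the surviving <itemizedlist>/<listitem>/<para> context lines close the new configuration-file entries correctly.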


More information about the docs-commits mailing list