sysadmin manual "users" chapter
Here's what I've done. I guess it's about 2/3 complete, depending on
feedback. Tapio, or anyone else, what do you think?
Also, what conversion tools are available for turning debiandoc SGML
into something I can print out (postscript, HTML, whatever) ... I want
to be able to get dead trees versions of what I write so I can go over
them with a big red pen.
K.
--
Kirrily Robert -- <skud@netizen.com.au> -- http://netizen.com.au/
Internet and Open Source Development, Consulting and Training
Level 13, 500 Collins St, Melbourne VIC 3000
Phone: +61 3 9614 0949 Fax +61 3 9614 0948
<!-- Debian System Administrator's Manual - User administration -->
<chapt id="sysadmin-users">
<heading>Managing User Accounts</heading>
<p>
author = ?
</p>
<p>
topics = ?
</p>
<sect>
<heading>Concepts</heading>
<sect1>
<heading>Usernames and User IDs</heading>
<p>
Each user of a UNIX system such as Debian has a
username which uniquely identifies them. Usernames are
associated with user IDs (or UIDs), and in fact it is the UID
which the underlying system uses to identify users; usernames,
however, are more mnemonic and tend to be used for most
day-to-day purposes.
</p>
<p>
Usernames are typically composed of alphanumeric characters,
that is letters and numbers. Most usernames are forms of the
user's own name (for instance "jane", "janedoe", or "jdoe") or
relate to a role or a pseudo-user created for the purpose of
administering part of the system, for instance "root" (for the
superuser account) and "www-data" (for the account which owns
and runs web servers and related services under Debian).
</p>
<p>
UIDs are numbers from zero to 65534. The numbers are grouped
as follows:
</p>
<p>
UIDs 0-99 are globally allocated by the Debian project and are
used for system accounts. The "root" account, for
instance, is UID 0.
</p>
<p>
UIDs 100-999 are for system users which are not allocated
by the Debian project.
</p>
<p>
UIDs 1000-29999 are normal user accounts.
</p>
<p>
UID 65534 is user "nobody", an account with no rights or
permissions.
</p>
<p>
For more information about the allocation of UIDs, see the
Debian policy manual.
<!-- XXX what reference link should I use here? -->
</p>
<p>
Users may usually be referred to by either username or UID.
</p>
</sect1>
<sect1>
<heading>Groups and Group IDs</heading>
<p>
Groups are used to refer to logical groups of users on the
system. Groups have group IDs (GIDs) just as users have UIDs,
and the numeric ranges for different types of groups are the
same as those for users.
</p>
<p>
A typical example of a group on the system might be "webadmin"
where people who administer a website might be grouped
together. This would allow users to create files and
directories to which all of the "webadmin" group had read or
write access.
</p>
<p>
Groups may usually be referred to by either their name or GID.
</p>
</sect1>
<sect1>
<heading>Passwords</heading>
<p>
Each user on a Debian system has a password which they must
use to login to the system. This password is initially
specified at the time of account creation, and may be changed
at any time by the user or by the system administrator.
</p>
<p>
Passwords are stored in an encrypted format
on the system. The type of encryption used is referred to as
one-way or "trapdoor" encryption, meaning that it cannot be
reversed to find the original password. Instead, the password
typed by the user at login time is similarly encrypted, and
the two encrypted versions are compared to see if they are the
same.
</p>
<p>
Passwords are typically composed of alphanumeric and
punctuation characters. It is considered good practice to
choose a password which contains a mixture of upper and lower
case characters, numbers, and punctuation, as this makes it harder
to guess and less susceptible to a "dictionary" attack,
whereby each word in a dictionary is encrypted and the
encrypted versions compared to the encrypted passwords on the
system.
</p>
<p>
Shadow passwords are used as a means of hiding even the
encrypted form of password from users. The normal password
file is world-readable, however the shadow password file is
only readable by the superuser.
</p>
</sect1>
<sect1>
<heading>Quotas</heading>
<p>
A concept related to users, in that it is often part of the
account creation process, is that of quotas. Quotas allow the
system administrator to restrict the amount of disk space used
by a user.
</p>
<p>
This subject is discussed in more detail in the filesystems
chapter of this manual. See <ref id="sysadmin-filesystems">
for details.
</p>
</sect1>
</sect>
<sect>
<heading>Common tasks</heading>
<sect1>
<heading>Adding new users</heading>
<p>
New users are usually added using the <prgn>adduser</prgn>
tool. Typical syntax is <prgn>adduser
<var>username</var></prgn>, which will prompt the
administrator for various information such as the user's full
name, initial home directory, et cetera.
</p>
<p>
There is also a <prgn>useradd</prgn> program, which predates
<prgn>adduser</prgn>.
</p>
</sect1>
<sect1>
<heading>Changing or editing user information and settings</heading>
<p>
User information (such as the user's home directory location,
real name, etc) may be changed using the <prgn>usermod</prgn>
program. The <prgn>chfn</prgn> program is intended
specifically for changing the "full name" and other contact
detail stored in the password file, while the
<prgn>chsh</prgn> command may be used to change a user's
default shell.
</p>
<p>
You may also change user information by editing the
<file>/etc/passwd</file> file directly. The best tool for
doing this is the <prgn>vipw</prgn> program, which locks the file
and brings it up for editing in your favourite editor (as
found in the VISUAL or EDITOR environment variables).
</p>
</sect1>
<sect1>
<heading>Removing user accounts</heading>
<p>
User accounts can be removed using the <prgn>userdel</prgn>
command.
</p>
</sect1>
<sect1>
<heading>Changing user passwords</heading>
<p>
The system administrator may change any user's password by
typing <prgn>passwd <var>username</var></prgn>.
</p>
</sect1>
<sect1>
<heading>Setting and changing password expiry times</heading>
<p>
If you are using shadow passwords, you can set up the system
so that passwords expire after a certain number of days. When
a password is due for expiry, the user is warned and must
change their password to avoid having their account locked or
disabled.
</p>
<p>
The tool used to set password expiry times is
<prgn>chage</prgn>.
</p>
</sect1>
<sect1>
<heading>Creating groups</heading>
<p>
Groups may be created by using the <prgn>addgroup</prgn> tool.
Typical syntax for the <prgn>addgroup</prgn> command is
<prgn>addgroup <var>groupname</var></prgn>.
</p>
<p>
Administrators may also choose to add groups to the
<file>/etc/group</file> file directly. The best tool for doing
this is the <prgn>vigr</prgn> program, which locks the file
and brings it up for editing in your favourite editor (as
found in the VISUAL or EDITOR environment variables).
</p>
</sect1>
<sect1>
<heading>Editing groups</heading>
<p>
Groups may be edited using the <prgn>groupmod</prgn> tool.
</p>
<p>
Administrators may also choose to edit the
<file>/etc/group</file> file directly. The best tool for doing
this is the <prgn>vigr</prgn> program, which locks the file
and brings it up for editing in your favourite editor (as
found in the VISUAL or EDITOR environment variables).
</p>
</sect1>
<sect1>
<heading>Deleting groups</heading>
<p>
Groups may be deleted using the <prgn>groupdel</prgn> tool.
</p>
<p>
Administrators may also choose to delete groups from the
<file>/etc/group</file> file directly. The best tool for doing
this is the <prgn>vigr</prgn> program, which locks the file
and brings it up for editing in your favourite editor (as
found in the VISUAL or EDITOR environment variables).
</p>
</sect1>
<sect1>
<heading>Setting up quotas</heading>
</sect1>
<sect1>
<heading>Using shadow passwords</heading>
<p>
Shadow passwords can be turned on and off using the
<prgn>shadowconfig</prgn> tool.
</p>
<p>
See also <manref name="shadowconfig" section="8">.
</p>
</sect1>
</sect>
<sect>
<heading>Tools reference</heading>
<sect1>
<heading>Command-line tools</heading>
<sect2>
<heading>adduser, addgroup</heading>
<p>
In the short form, these commands can be used by simply
typing <tt>adduser <var>username</var></tt> or <tt>addgroup
<var>groupname</var></tt>. This provides an interactive
interface which will prompt the administrator for various
values, such as a user's home directory.
There are also a number of command line options
which can be used to specify these values.
</p>
<p>
See also <manref name="adduser" section="1">.
</p>
</sect2>
<sect2>
<heading>chage</heading>
<p>
See also <manref name="chage" section="1">.
</p>
</sect2>
<sect2>
<heading>chfn</heading>
<p>
The <prgn>chfn</prgn> command may be used to change a user's
"full name" or other information stored in the password
file. If no command line options are used, the command runs
in an interactive fashion, prompting for input for each
field.
</p>
<p>
See also <manref name="chfn" section="1">.
</p>
</sect2>
<sect2>
<heading>chsh</heading>
<p>
The basic syntax of the <prgn>chsh</prgn> command is
<tt>chsh -s <var>shell</var> <var>username</var></tt>.
However, if the <tt>-s</tt> parameter is omitted, the
administrator will be prompted for which shell to use.
The username is also optional: only the superuser may change
other users' shells; ordinary users may change their own
shell simply by typing <tt>chsh</tt>.
</p>
<p>
See also <manref name="chsh" section="1">.
</p>
</sect2>
<sect2>
<heading>passwd</heading>
<p>
The basic form of the <prgn>passwd</prgn> command (as used
by the system administrator) is
<tt>passwd <var>username</var></tt>, which will prompt for
the user's new password.
</p>
<p>
See also <manref name="passwd" section="1">.
</p>
</sect2>
<sect2>
<heading>userdel</heading>
<p>
The basic syntax of the <prgn>userdel</prgn> command is
<tt>userdel <var>username</var></tt>.
</p>
<p>
See also <manref name="userdel" section="8">.
</p>
</sect2>
<sect2>
<heading>vipw, vigr</heading>
<p>
See also <manref name="vipw" section="1">.
</p>
</sect2>
</sect1>
<sect1>
<heading>Graphical tools</heading>
</sect1>
</sect>
<sect>
<heading>Files reference</heading>
<sect1>
<heading>/etc/passwd</heading>
<p>
The <file>/etc/passwd</file> file consists of user records,
one to a line. Each record contains multiple fields,
separated by colons (<tt>:</tt>). The fields are:
</p>
<list>
<item>username
<item>encrypted password (or <tt>x</tt> if shadow passwords
are in use)
<item>UID
<item>default GID
<item>real name (also known as the GECOS field)
<item>home directory
<item>default shell
</list>
<p>
See also <manref name="passwd" section="5">.
</p>
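<p>
As an added illustration (not part of this manual or of Debian's own
tools), the following Python script parses records in this format and
flags what an administrator should look for after editing the file by
hand: a second UID 0 account, a UID shared by two accounts, an empty
password field, an encrypted password left in the world-readable file
rather than in <file>/etc/shadow</file>, and UIDs outside the ranges
described in the Concepts section. The sample records are constructed.
</p>

```python
from collections import Counter

# Constructed sample records (not from a real system); in practice read /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
jdoe:x:1000:1000:Jane Doe,,,:/home/jdoe:/bin/bash
backup2:x:0:0:stray superuser:/root:/bin/bash
legacy:$1$saltsalt$notarealhash0123456789:1001:1001:Legacy,,,:/home/legacy:/bin/sh
guest::1002:1002:Guest,,,:/home/guest:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Split each record into the seven colon-separated fields of passwd(5)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        records.append(rec)
    return records

def uid_class(uid):
    """Classify a UID with the ranges given in the Concepts section."""
    for upper, name in ((99, "debian-system"), (999, "local-system"), (29999, "normal")):
        if uid <= upper:
            return name
    return "nobody" if uid == 65534 else "out-of-range"

def audit_passwd(text):
    """Return (username, finding) pairs, in file order, for an administrator to review."""
    records = parse_passwd(text)
    per_uid = Counter(r["uid"] for r in records)
    findings = []
    for r in records:
        if r["uid"] == 0 and r["name"] != "root":
            findings.append((r["name"], "UID 0 but not root"))
        elif per_uid[r["uid"]] > 1:
            findings.append((r["name"], f"UID {r['uid']} shared with another account"))
        if r["passwd"] == "":
            findings.append((r["name"], "empty password field: no password needed to log in"))
        elif r["passwd"] != "x":
            findings.append((r["name"], "encrypted password kept in world-readable /etc/passwd"))
        if uid_class(r["uid"]) == "out-of-range":
            findings.append((r["name"], f"UID {r['uid']} outside the documented ranges"))
    return findings
```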
</sect1>
<sect1>
<heading>/etc/group</heading>
<p>
The <file>/etc/group</file> file consists of group records,
one to a line. Each record contains multiple fields,
separated by colons (<tt>:</tt>). The fields are:
</p>
<list>
<item>group name
<item>encrypted group password (or <tt>x</tt> if shadow
passwords are in use)
<item>GID
<item>group members' usernames, comma-separated
</list>
<p>
See also <manref name="group" section="5">.
</p>
</sect1>
<sect1>
<heading>/etc/shadow</heading>
<p>
If shadow passwords are being used, the <file>/etc/shadow</file>
file contains users' encrypted passwords and other information
about the passwords. Its fields are colon-separated as for
<file>/etc/passwd</file>, and are as follows:
</p>
<list>
<item>username
<item>encrypted password
<item>Days since Jan 1, 1970 that password was last changed
<item>Days before password may be changed
<item>Days after which password must be changed
<item>Days before password is to expire that user is warned
<item>Days after password expires that account is disabled
<item>Days since Jan 1, 1970 that account is disabled
<item>A reserved field
</list>
<p>
The password expiry related fields are modified by the
<prgn>chage</prgn> program.
</p>
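<p>
As an added illustration (not part of this manual or of the shadow
tools), the following Python script works through the day-count fields
listed above for a given day number, which is the arithmetic behind
what <prgn>chage -l</prgn> reports: whether a password is inside its
warning period, past its maximum age, or so far past it that the
inactivity period has disabled the account. The sample records are
constructed; the <tt>!</tt> locked marker and the <tt>99999</tt>
"never expires" maximum are conventions of the shadow tools assumed
here rather than described above.
</p>

```python
# Constructed sample records (not from a real system); fields are in the
# order listed above, and an empty field means "not set".
SAMPLE_SHADOW = """\
root:$6$notarealsalt$notarealhash:11000:0:99999:7:::
jdoe:$6$notarealsalt$notarealhash:11000:0:90:7:14::
mlee:$6$notarealsalt$notarealhash:11015:0:90:7:14::
contractor:$6$notarealsalt$notarealhash:10990:0:90:7::11050:
olduser:$6$notarealsalt$notarealhash:10900:0:60:7:30::
svc:!:11000:0:99999:7:::
"""
FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")
DAY_FIELDS = FIELDS[2:8]

def parse_shadow(text):
    """Split each record into shadow(5) fields; day counts become int or None."""
    records = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected 9 fields: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for f in DAY_FIELDS:
            rec[f] = int(rec[f]) if rec[f] else None
        records.append(rec)
    return records

def password_status(rec, today):
    """Classify one record for a day number (days since 1 Jan 1970)."""
    if rec["expire"] is not None and today >= rec["expire"]:
        return "account expired"
    # "!" or "*" in the password field is the shadow tools' locked marker (assumed).
    if rec["passwd"].startswith(("!", "*")):
        return "locked"
    if rec["lastchg"] == 0:
        return "must change at next login"
    # An empty last-change or maximum field, or the conventional 99999, disables expiry.
    if rec["lastchg"] is None or rec["max"] is None or rec["max"] >= 99999:
        return "ok (no expiry)"
    due = rec["lastchg"] + rec["max"]
    if today > due:
        if rec["inactive"] is not None and today > due + rec["inactive"]:
            return "expired, account disabled"
        return "expired, must change password"
    if rec["warn"] is not None and today >= due - rec["warn"]:
        return f"expires in {due - today} days (warning period)"
    return "ok"

def report(text, today):
    """Map each username to its status on the given day number."""
    return {r["name"]: password_status(r, today) for r in parse_shadow(text)}
```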
<p>
See also <manref name="shadow" section="5">.
</p>
</sect1>
</sect>
</chapt>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:"system-administrator.sgml chapt sect"
sgml-exposed-tags:nil
sgml-local-catalogs:"/usr/lib/sgml/catalog"
sgml-local-ecat-files:nil
End:
-->