Ubuntu 10.04: Managing Users

by Mike on June 11, 2010 · 1 comment

Managing Users Series
Linux is a multi-user operating system. This means that the administrator has to be careful about how users are managed. This article is the first in a series showing you how to manage users on an Ubuntu 10.04 server. There are three basic kinds of user accounts: the root user, normal user accounts and service users.

The root user account is created by the operating system when it is installed.    This user is the superuser who basically has complete control of the entire system.  This means that great care should be taken to preserve the integrity of this account.  One aspect of this care is to ensure that the root password is complex and changed on a regular basis.  In addition, the root account should not be used to log into a server because if anyone gains access to the root account they have complete control of all services and information located on the server.

Pseudo-Users
The kernel is aware of several system users which are really pseudo-users.

bin –> a legacy owner of system commands
On older systems bin owned the directory that contained many commands. Today root owns these commands and bin is not used much.
daemon –> owner of unprivileged system software
Files or processes that do not need to be owned by root are often given to daemon. However, daemon is not used much.
nobody –> NFS uses this account to represent root users for the purpose of sharing
In order for a remote root account to be treated as a regular user, UID 0 has to be mapped to an unprivileged account on the local system, so nobody is used. This powerless user should not own any files on the system.

Service accounts such as www-data, proxy, bind, etc. are each created when the corresponding service is installed. Typically there is no need to change these accounts, and they usually cannot be used to log into the server. As you view this example of /etc/passwd you can see that a number of accounts have /bin/false at the end of the line, indicating that these accounts cannot be used to log into the system.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
bind:x:102:107::/var/cache/bind:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash

Managing normal users involves managing user creation and deletion, managing user resources with quotas and managing user data with file permissions.
As you review the list above, you will notice that several attributes are recorded for each user:

username:password:UID:GID:info:home directory:shell

root, of course, is the root user on the system and the importance of this account is seen in that the user ID is “0”.
root:x:0:0:root:/root:/bin/bash

mike is an example of a normal user account.
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash

Each entry listed in /etc/passwd has the same fields, separated by a “:”. The first field is the username. The second field in each example is “x”, which refers to /etc/shadow, where the hashed password is kept. The third field is the UID or User ID, which is unique for each user. The GID or Group ID is the next field; on Ubuntu it is unique to each user, because users are created by default with private groups. This is not true of other distributions like SUSE, which place all users in the users group, allowing each user to view the files of other users. A user information field comes after the GID. This field allows you to place a comment about each user. Here is an example of the jane user, who has her full name, office and several phone numbers listed in this field.

jane:x:1001:1001:Jane Smith,Office 42,123-123-4455,456-456-6788:/home/jane:/bin/sh

The information field can contain any information that you deem important like full name, office number, phone extension or home phone. You can use the chfn command to change information in these fields.

chfn mike
Changing finger information for mike.
Password:
Name [mike]: Mike Wilson
Office []:
Office Phone []: 348-1234
Home Phone []: 123-4567

The home directory for the user is the sixth field, and the last field is the shell that the user has. If the user is not allowed to log in you will see “nologin” or “/bin/false” here.

The login name must be unique and less than 32 characters. It may contain any characters except colons and newlines. Typically login names are lower case, and some Linux distros require lower case. When you create login names a naming standard is important, as these names also determine what will be available for email addresses.

User passwords are hashed and kept in a separate file, /etc/shadow, which is readable only by root. Passwords must be stored hashed, which means they must be created with the passwd command or hashed and copied into the account's entry. However, editing accounts by hand invites mistakes and should be avoided. Ubuntu uses SHA512 hashing, which allows passwords of arbitrary length. You can recognize a SHA512 hash by its beginning, $6$.

UID numbers have a basic limit of 32,767 per site. Any users that you create should have UIDs above 1000 to be sure they do not interfere with system accounts. You should never have multiple accounts with 0 for the UID.

1 comment

Scunizi June 12, 2010 at 9:52 pm

You’ll get a slew of these.. but Ubuntu doesn’t have a “Root” account in the classic sense or a separate password that is assigned to it. A user with admin privileges can perform Root tasks by using “sudo” before the command and his normal password when prompted.. this doesn’t change the user’s status in cli or tty from user to root (i.e. $ to #), the ability to perform more root admin tasks will be limited in time as the system will “forget” the password after a few minutes. However, even after the initial admin task is complete, the user will have to still use “sudo” with the next admin task desired.

There are ways of creating a root account with a separate password and there are ways of being on cli with root # status without creating a root account. I know it all sounds so confusing.. for a much better explanation of sudo and its pros and cons, as well as how to create a root account with a separate password, please see https://help.ubuntu.com/community/RootSudo