Ubuntu 10.04: Managing Users

by Mike on June 11, 2010 · 1 comment

in Ubuntu Servers

Managing Users Series
Linux is a multi-user operating system.  This means that the administrator will have to be careful in how users are managed.  This article is the first in a series to show you how to manage users on an Ubuntu 10.04 server. There are three basic kinds of user accounts: the root usernormal user accounts and the service users.

The root user account is created by the operating system when it is installed.    This user is the superuser who basically has complete control of the entire system.  This means that great care should be taken to preserve the integrity of this account.  One aspect of this care is to ensure that the root password is complex and changed on a regular basis.  In addition, the root account should not be used to log into a server because if anyone gains access to the root account they have complete control of all services and information located on the server.

The kernel is aware of several system users which are really pseudo-users.

bin –> a legacy owner of system commands
On older systems bin owned the directory that contained many commands.  Today root owns these commands and it is not used much.
daemon –> owner of unprivileged system software
The files or processes that do not need to be owned by root are often given to daemon.  However, daemon is not used much.
nobody –> NFS uses this account to represent root users for the purpose of sharing
In order for remote root accounts to be turned into a regular user the UID of 0 must be changed to a regular user account on the local system so nobody is used.  The powerless user should not own any files on the system.

Service accounts such as www-data, proxy, bind, etc. are each created when the service is installed.  Typically there is no need to change these accounts.  These accounts often are accounts that cannot be used to log into the server.  As you view this example of /etc/passwd you can see that a number of accounts have /bin/false at the end of the line indicating that these accounts cannot be used to log into the system.

list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh

Managing  normal  users involves managing user creation and deletion, managing user resources with quotas and managing user data with file permissions.
As you review the list above, you will notice several attributes are created for each user.

username:password:UID:GID:info:home directory:shell

root, of course, is the root user on the system and the importance of this account is seen in that the user ID is “0”.

mike is an example of a normal user account.

Each of these listed in /etc/passwd have several fields in common, each field separated by a “:”.  The first field is the username.  The second field in each example is “x” which refers to /etc/shadow where the password is encrypted.  The third field is the UID or User ID which is unique for each user.  The GID or Group ID is the next field which for Ubuntu is unique to each user as they are created by default with private groups.  This is not true of other distributions like SUSE which place all users in the users group allowing each user to view the files of other users.  A user information field comes after GID.  This field, an information field,  allows you to place a comment about each users.  Here is an example of the jane user who has her full named, office, and several phone numbers listed in this field.

jane:x:1001:1001:Jane Smith,Office 42,123-123-4455,456-456-6788:/home/jane:/bin/sh

The information field can contain any information that you deem important like full name, office number, phone extension or home phone. You can use the chfn command to change information in these fields.

chfn mike
Changing finger information for mike.
Name [mike]: Mike Wilson
Office []:
Office Phone []: 348-1234
Home Phone []: 123-4567

The home directory for the user is the 6th field and the last field is the shell that the user has.  If the user is not allowed to login you will see “nologin” or “/bin/false”.

The login name must be unique and less than 32 characters.  It may contain any characters except colons and new lines.  Typically login names are lower case, some Linux distros require lower case.  When you create login names a standard is important as these names also reflect what will be available for email addresses.

User passwords are encrypted and kept in a separate file which is not available to anyone but root.  This file is /etc/shadow.  Passwords must be encrypted which means they must be created with the passwd command or encrypted and copied to the account.  However, editing accounts by hand is filled with possibilities of mistakes so should be avoided.  Ubuntu uses SHA512 encryption which allows for random lengths in passwords.  You can tell the SHA512 encryption by the beginning as $6$.

UID numbers have a basic limit of 32,767 per site.  Any users that you create should be over the 1000 number to be sure they do not interfere with system accounts.  You should never have multiple accounts with 0 for the UID.

{ 1 comment }

Scunizi June 12, 2010 at 9:52 pm

You’ll get a slew of these.. but Ubuntu doesn’t have a “Root” account in the classic sense or a separate password that is assigned to it. A user with admin privileges can perform Root tasks by using “sudo” before the command and his normal password when prompted.. this doesn’t change the users status in cli or tty from user to root (ie. $ to #), the ability to perform more root admin tasks will be limited in time as the system will “forget” the password after a few minutes. However, even after the initial admin task is complete, the user will have to still use “sudo” with the next admin task desired.

There are ways of creating a root account with a separate password and there are ways of being on cli with root # status without creating a root account. I know it all sound so confusing.. for a much better explanation of sudo and it’s pro’s and con’s, as well as how to create a root account with separate password please see https://help.ubuntu.com/community/RootSudo

Previous post:

Next post: