Document retrieved from a search engine cache. Original document address: http://itpm.msu.su/LDP/LinuxAdministration/linux-admin-made-easy-6.html
Date modified: Sun Apr 18 13:35:40 1999
Date indexed: Mon Oct 1 21:58:54 2012
Linux Administration Made Easy: General System Administration Issues

6. General System Administration Issues

6.1 Root Account

The "root" account is the most privileged account on a Unix system. This account gives you the ability to carry out all facets of system administration, including adding accounts, changing user passwords, examining log files, installing software, etc.

When using this account it is crucial to be as careful as possible. The "root" account has no security restrictions imposed upon it. This means it is easy to perform administrative duties without hassle. However, the system assumes you know what you are doing, and will do exactly what you request -- no questions asked. Therefore it is easy, with a mistyped command, to wipe out crucial system files.

When you are signed in as, or acting as "root", the shell prompt displays '#' as the last character (if you are using bash). This is to serve as a warning to you of the absolute power of this account.

The rule of thumb is, never sign in as "root" unless absolutely necessary. While "root", type commands carefully and double-check them before pressing return. Sign off from the "root" account as soon as you have accomplished the task you signed on for. Finally, (as with any account but especially important with this one), keep the password secure!

6.2 Creating User Accounts

(WARNING: SLACKWARE-CENTRIC. NEEDS UPDATE FOR RED HAT)

This section assumes you are using the Shadow password suite on your Linux system. If you are not, you should consider doing so, as it helps to tighten up security somewhat. The Shadow suite is fairly easy to install and will automatically convert your non-shadow password file format over to the new shadow format.

There are two steps to creating a new user account. The first is to actually create the account itself, the second is to provide an alias to their e-mail address (at my place of employment, we follow the convention of "Firstname.Lastname@our.domain.name".)

To create the account, decide on the username you are going to assign to the user. The username is at most 8 characters long, and wherever possible you should choose their last name, or last name and first initial if a user account already exists (the adduser script will detect and prevent you from adding duplicate account names).

You will then be prompted to enter other information: full name of user, user group (usually the default value), a user id # (automatically assigned), home directory (automatically assigned), a user shell, some password expiration values, and finally the desired password (which won't echo to the screen; you should have the user choose a password between 6 to 8 characters in length for security reasons).

Please note that everything should be entered in lowercase, except for the full name of the user, which can be entered in a "pleasing format" (eg. Joe Smith), and the password. Usernames and passwords are case-sensitive, so inform your user(s) that they must use identical case when entering them.

Here is a sample session where we will add a user named Joe Smith:

  mail: # /sbin/adduser
  User to add (^C to quit): smith
  That name is in use, choose another.
  User to add (^C to quit): smithj
  Editing information for new user [smithj]
  Full Name: Joe Smith
  GID [100]:
  Checking for an available UID after 500
  First unused uid is 859
  UID [859]:
  Home Directory [/home/smithj]:
  Shell [/bin/bash]:
  Min. Password Change Days [0]:
  Max. Password Change Days [30]: 90
  Password Warning Days [15]:
  Days after Password Expiry for Account Locking [10]: 0
  Password [smithj]: FL1539
  Retype Password: Fl1539
  Sorry, they do not match.
  Password: FL1539
  Retype Password: FL1539
  Information for new user [smithj]:
  Name: Joe Smith
  Home directory: /home/smithj
  Shell: /bin/bash
  Password: <hidden>
  Uid: 859 Gid: 100
  Min pass: 0 maX pass: 99999
  Warn pass: 7 Lock account: 0
  public home Directory: no
  Type 'y' if this is correct, 'q' to cancel and quit the program,
  or the letter of the item you wish to change: Y

The next step is to create the alias for the person's e-mail account. This gives people the choice of using their account name for their e-mail address, or their full name (First.Last combination) to make it "easier" for the outside world to guess their e-mail address when trying to contact them for the first time.

To add the e-mail alias, edit the ``/etc/aliases'' file as follows:

  mail# pico -w /etc/aliases

Add the new alias at the bottom of the file. The format for an alias is:

  First.Lastname:username

You should ask the user what preference they have for this (eg. Joseph.Smith or Joe.Smith). For our new Joe Smith user, whose account name is ``smithj'', the entry would be as follows:

  Joe.Smith:smithj

When finished adding the alias, press <ctrl>-<X> and save the file. Then, type ``newaliases'' to update the aliases database.

At this point the user account has been created and is ready for use. It is a good idea to remind the user that his username and password must be entered in lowercase characters, and what their e-mail address would be (eg. ``Joe.Smith@mail.mydomain.name'').
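The checks an administrator makes by hand in the session above (lowercase name of at most 8 characters, no duplicate account, an alias that does not already exist) can be scripted. The following is an added example, not part of the original guide or of the Slackware adduser script: the function names check_username, pick_username and alias_line are my own, and the passwd and aliases files it reads are constructed copies in a temporary directory, so it runs as an ordinary user.

```sh
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for a new
# account following the rules in section 6.2. File paths are arguments so
# the functions can be run against constructed copies, not the live files.

# check_username NAME PASSWD_FILE
# Returns 0 if NAME is lowercase letters/digits, 1-8 characters long, and not
# already present in PASSWD_FILE (the adduser script makes the same check).
check_username() {
    name=$1
    passwd_file=$2
    case $name in
        ''|*[!a-z0-9]*) echo "rejected: '$name' must be lowercase letters/digits" >&2; return 1 ;;
    esac
    if [ ${#name} -gt 8 ]; then
        echo "rejected: '$name' is longer than 8 characters" >&2
        return 1
    fi
    if awk -F: -v u="$name" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        echo "rejected: '$name' is already in $passwd_file" >&2
        return 1
    fi
    return 0
}

# pick_username LAST FIRST PASSWD_FILE
# Applies the guide's convention: last name, then last name + first initial,
# each truncated to 8 characters. Prints the first free candidate.
pick_username() {
    last=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    first=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for candidate in "$last" "$last$(printf '%s' "$first" | cut -c1)"; do
        candidate=$(printf '%s' "$candidate" | cut -c1-8)
        if check_username "$candidate" "$3" 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# alias_line FIRST LAST USERNAME ALIASES_FILE
# Prints the "First.Last:username" line for /etc/aliases, refusing to create
# a duplicate alias (which would silently redirect someone else's mail).
# Names are compared case-insensitively so Joe.Smith and joe.smith collide.
alias_line() {
    alias="$1.$2"
    if awk -F: -v a="$alias" 'tolower($1) == tolower(a) { found = 1 } END { exit !found }' "$4"; then
        echo "rejected: alias '$alias' already exists in $4" >&2
        return 1
    fi
    printf '%s:%s\n' "$alias" "$3"
}

# Constructed sample files, stand-ins for /etc/passwd and /etc/aliases.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
smith:x:501:100:Sam Smith:/home/smith:/bin/bash
EOF
cat > "$tmp/aliases" <<'EOF'
postmaster:root
Sam.Smith:smith
EOF

new_user=$(pick_username Smith Joe "$tmp/passwd")   # smith is taken -> smithj
echo "username: $new_user"
alias_line Joe Smith "$new_user" "$tmp/aliases"      # -> Joe.Smith:smithj
```

Because the functions take file paths, the same script can be pointed at the real ``/etc/passwd'' and ``/etc/aliases'' (read-only) before running adduser, and the alias line it prints can be appended by root followed by ``newaliases''.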

6.3 Changing User Passwords

To change a password on behalf of a user, first sign on or "su" to the "root" account. Then type, ``passwd user'' (where user is the username for the password you are changing). The system will prompt you to enter a password. Passwords do not echo to the screen when you enter them.

You can also change your own password, by typing ``passwd'' (without specifying a username). You will be prompted to enter your old password for verification, and then a new password.

6.4 Disabling User Accounts

To disable a user account, edit, as root, the ``/etc/shadow'' file (assuming you're using shadow passwords; if not, edit the ``/etc/passwd'' file instead), and replace the password (which is stored in its encrypted form) with a ``*'' asterisk character. All Unix passwords, regardless of length (up to a maximum of 8 characters), are stored in the password file as encrypted strings of 13 characters. Therefore, by replacing the password with a single ``*'' character, it is impossible for the user to sign in.

Note: This method will require you to assign a new password to the user if you re-enable the account, since the encrypted password field will have been replaced. One solution to this, which seems to be popular among system administrators, is to simply prefix the encrypted password with the ``*'' asterisk character to disable the account, and to remove the asterisk again to enable it.

For more information on the ``/etc/passwd'' and ``/etc/shadow'' files, see the "Linux Password & Shadow File Formats" section below.
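The prefix method just described is easy to get wrong by hand (doubling the asterisk, or stripping the first character of a real hash when "unlocking" an account that was disabled by replacement). The following is an added example, not part of the original guide: the functions lock_account, unlock_account and password_field are my own, and they operate on whatever shadow-format file is passed as an argument, here a constructed temporary copy. The smithj line is the one shown in the "Linux Password & Shadow File Formats" section; the other hashes are placeholders.

```sh
#!/bin/sh
# Added example (not from the original guide): lock and unlock an account by
# prefixing its password hash with "*", as section 6.4 suggests, applied to
# a COPY of the shadow file given as an argument.

# lock_account USER SHADOW_FILE
lock_account() {
    _edit_shadow "$1" "$2" lock
}

# unlock_account USER SHADOW_FILE
unlock_account() {
    _edit_shadow "$1" "$2" unlock
}

# Rewrite field 2 of the matching line. Refuses to lock an already-locked
# account (no doubled "*"), to unlock an account whose field is exactly "*"
# (nothing to restore; a new password must be set), and to touch a user
# that is not in the file. The file is only replaced if awk succeeded.
_edit_shadow() {
    user=$1; file=$2; mode=$3
    tmpf="$file.tmp.$$"
    awk -F: -v u="$user" -v m="$mode" 'BEGIN { OFS = ":" }
        $1 == u {
            seen = 1
            if (m == "lock" && $2 !~ /^\*/) $2 = "*" $2
            else if (m == "unlock" && $2 ~ /^\*./) $2 = substr($2, 2)
            else { print "no change for " u > "/dev/stderr"; exit 2 }
        }
        { print }
        END { if (!seen) { print u " not found" > "/dev/stderr"; exit 3 } }' \
        "$file" > "$tmpf" || { rm -f "$tmpf"; return 1; }
    mv "$tmpf" "$file"
}

# password_field USER SHADOW_FILE -- print the hash field, for checking
password_field() {
    awk -F: -v u="$1" '$1 == u { print $2 }' "$2"
}

# Constructed sample in /etc/shadow format. jones was disabled by the
# replacement method (field is just "*"); root's hash is a placeholder.
shadow=$(mktemp)
cat > "$shadow" <<'EOF'
root:PLACEHOLDERHASH:10063:0:99999:7:::
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
jones:*:10063:0:99999:7:::
EOF

lock_account smithj "$shadow"
echo "locked:   $(password_field smithj "$shadow")"    # *Ep6mckrOLChF.
unlock_account smithj "$shadow"
echo "unlocked: $(password_field smithj "$shadow")"    # Ep6mckrOLChF.
unlock_account jones "$shadow" || echo "jones needs a new password instead"
```

On the live ``/etc/shadow'' the same prefix change should be made with the tools that take the file lock, ``usermod -L'' and ``usermod -U'' (which use a ``!'' prefix rather than ``*'') or ``vipw -s''; the script above is for understanding and for checking a copy.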

6.5 Removing User Accounts

On occasion, you may wish to remove a user's access from your server altogether.

If you are a Red Hat user, the easiest way to remove an unneeded user account is with the ``userdel'' command, which must be typed as ``root''. An example follows:

  /usr/sbin/userdel baduser

The above command will remove the entry matching the username ``baduser'' from the ``/etc/passwd'' file and, if you're using the Shadow password format (which you should be; see the "Linux Password & Shadow File Formats" section for details), from ``/etc/shadow''. Note: The ``/etc/group'' file is not modified, to avoid removing a group that other user(s) may also belong to. This isn't much of a big deal, but if this bothers you, you can edit the group file and remove the entry manually.

Should you wish to remove the user's home directory as well, add the ``-r'' option to the ``userdel'' command. For example:

  /usr/sbin/userdel -r baduser

I recommend not removing an account right away, but first simply disable it, especially if you are working with a corporate server with lots of users. After all, the former user may one day require the use of his or her account again, or may request a file or two which was stored in their home directory. Or perhaps a new user (such as an employee replacement) may require access to the former user's files. In any event, make sure you have backups of the former user's home directory, "just-in-case". See the "Disabling User Accounts" section for details on disabling an account, and the "Backup and Restore Procedures" section for details on how to perform backups.
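The "backups just-in-case" step deserves a verified routine rather than an ad-hoc copy, since once ``userdel -r'' has run there is no second chance. The following is an added example, not part of the original guide: the function archive_home is my own, it takes the home directory and a destination directory as arguments, and the directory it archives here is a constructed one in a temporary location.

```sh
#!/bin/sh
# Added example (not from the original guide): take and verify a backup of a
# home directory before the account is disabled or removed with userdel -r.

# archive_home HOME_DIR DEST_DIR
# Writes DEST_DIR/<user>-<date>.tar.gz, then proves the archive is readable
# and holds as many entries as the directory tree, and records a checksum
# beside it so later tampering or corruption is detectable. Prints the path.
archive_home() {
    home=$1; dest=$2
    user=$(basename "$home")
    out="$dest/$user-$(date +%Y%m%d).tar.gz"
    [ -d "$home" ] || { echo "$home is not a directory" >&2; return 1; }
    mkdir -p "$dest"
    # -C so the archive holds relative paths (user/...), not absolute ones
    tar -czf "$out" -C "$(dirname "$home")" "$user" || return 1
    expected=$(find "$home" | wc -l | tr -d ' ')
    actual=$(tar -tzf "$out" | wc -l | tr -d ' ')
    if [ "$expected" -ne "$actual" ]; then
        echo "entry count mismatch: dir=$expected archive=$actual" >&2
        return 1
    fi
    cksum "$out" > "$out.cksum"
    printf '%s\n' "$out"
}

# Constructed stand-in for /home/smithj with a couple of files.
work=$(mktemp -d)
mkdir -p "$work/home/smithj/public_html"
echo "draft" > "$work/home/smithj/notes.txt"
echo "<h1>hi</h1>" > "$work/home/smithj/public_html/index.html"

archive=$(archive_home "$work/home/smithj" "$work/backups")
echo "archive written and verified: $archive"
# Only after the archive verifies would one run, as root:
#   /usr/sbin/userdel -r smithj
```

The entry-count comparison is deliberately strict: a partial archive (disk full, permission denied on a subdirectory) fails the function, so a script that chains ``archive_home ... && userdel -r ...'' never deletes what it has not saved.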

6.6 Linux Password & Shadow File Formats

Traditional Unix systems keep user account information, including one-way encrypted passwords, in a text file called ``/etc/passwd''. As this file is used by many tools (such as ``ls'') to display file ownerships, etc. by matching user id #'s with the users' names, the file needs to be world-readable. Consequently, this can be somewhat of a security risk.

Another method of storing account information, one that I always use, is with the shadow password format. As with the traditional method, this method stores account information in the /etc/passwd file in a compatible format. However, the password is stored as a single "x" character (ie. not actually stored in this file). A second file, called ``/etc/shadow'', contains the encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.

While some other Linux distributions force you to install the Shadow Password Suite in order to use the shadow format, Red Hat makes it simple. To switch between the two formats, type (as root):

  /usr/sbin/pwconv      To convert to the shadow format
  /usr/sbin/pwunconv    To convert back to the traditional format

With shadow passwords, the /etc/passwd file contains account information, and looks like this:

  smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash

Each field in a passwd entry is separated by a ":" colon character; the fields are as follows:

Perhaps you do not wish to provide shell accounts for your users. You could create a script file called ``/bin/sorrysh'', for example, that would display some kind of error message and log the user off, and then set this script as their default shell. Note: If the account needs to provide "FTP" transfers to update web pages, etc. then the shell account will need to be set to ``/bin/bash'' -- and then special permissions will need to be set up in the user's home directory to prevent shell logins. See the "Web Server Administration" section for details on this.

The ``/etc/shadow'' file contains password and account expiration information for users, and looks like this:

  smithj:Ep6mckrOLChF.:10063:0:99999:7:::

As with the passwd file, each field in the shadow file is separated by a ":" colon character; the fields are as follows:
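To make the two formats concrete, here is an added example (not part of the original guide) that reads ``/etc/passwd'' and ``/etc/shadow'' lines field by field and runs the checks an administrator would want over them: hashes that ended up in the world-readable file, empty password fields, a second UID 0 login, and passwords or accounts that have expired. The functions passwd_field, audit_passwd and audit_shadow are my own names; the file paths are arguments, and the files below are constructed samples (the smithj lines are the ones shown above, the other hashes are placeholders).

```sh
#!/bin/sh
# Added example (not from the original guide): a field-by-field reader for
# the /etc/passwd and /etc/shadow formats of section 6.6, plus sanity checks.
#
# Field positions (1-based, ":"-separated):
#   passwd: 1 login, 2 password ("x" when shadowed), 3 UID, 4 GID,
#           5 full name (GECOS), 6 home directory, 7 login shell
#   shadow: 1 login, 2 hashed password, 3 last change (days since 1970-01-01),
#           4 min days, 5 max days, 6 warn days, 7 inactive days,
#           8 account expiry (days since 1970-01-01), 9 reserved

# passwd_field FILE LOGIN N -- print field N of LOGIN's line (empty if absent)
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# audit_passwd FILE -- one line per finding, nothing when clean
audit_passwd() {
    awk -F: '
        $2 == "" { print $1 ": empty password field (login without a password)" }
        $2 != "x" && $2 != "" && $2 !~ /^[*!]/ {
            print $1 ": password hash stored in passwd, not shadow" }
        $3 == 0 && $1 != "root" { print $1 ": UID 0 (superuser) on non-root login" }
        NF != 7 { print $1 ": malformed entry (" NF " fields)" }
    ' "$1"
}

# audit_shadow FILE TODAY_DAYS -- TODAY_DAYS is days since 1970-01-01
audit_shadow() {
    awk -F: -v today="$2" '
        $2 == "" { print $1 ": empty hash (login without a password)" }
        $2 ~ /^[*!]/ { print $1 ": locked" }
        $5 == "" || $5 >= 99999 { print $1 ": password never expires" }
        $3 != "" && $5 != "" && $5 < 99999 && $3 + $5 < today {
            print $1 ": password expired " (today - $3 - $5) " days ago" }
        $8 != "" && $8 < today { print $1 ": account expired" }
        NF != 9 { print $1 ": malformed entry (" NF " fields)" }
    ' "$1"
}

# Constructed samples: a second UID 0 login, a guest with no password, and
# a locked backup account whose password aged out long ago.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
backup:x:0:0:nightly backup:/var/backups:/bin/bash
guest::1001:100:Guest:/home/guest:/bin/bash
EOF
cat > "$tmp/shadow" <<'EOF'
root:PLACEHOLDERHASH:10063:0:99999:7:::
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
backup:*PLACEHOLDERHASH:10063:0:90:7:::
guest::10063:0:99999:7:::
EOF

today=$(( $(date +%s) / 86400 ))
echo "shell for smithj: $(passwd_field "$tmp/passwd" smithj 7)"
audit_passwd "$tmp/passwd"
audit_shadow "$tmp/shadow" "$today"
```

Run against the real files (``audit_shadow /etc/shadow'' needs root), the output is a short list of accounts worth a second look; a clean system prints nothing from audit_passwd at all.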

6.7 System Shutdown and Restart

To shut down the system from a terminal session, sign in or "su" to the "root" account. Then type ``/sbin/shutdown -r now''. It may take several moments for all processes to be terminated, and then Linux will shut down. The computer will reboot itself. If you are in front of the console, a faster alternative to this is to press <Ctrl>-<Alt>-<Del> to shut down. Please be patient as it may take a couple of minutes for Linux to terminate.

You can also shut down the system to a halt (ie. it will shut down and not reboot the system). The system will be unavailable until power-cycled or rebooted with <Ctrl>-<Alt>-<Del>. This can be useful if you need to power down the system and move it to a different location, for example. To do this, type ``/sbin/shutdown -h now'' when signed into or "su"ed to the "root" account. Linux will shut itself down then display a message, "System halted". At this point you can power down the computer.

It is probably a good idea to only shut down the system when you are at the console. Although you can shut it down remotely via a shell session, if anything goes wrong and the system does not restart properly, the system will be unavailable until action is taken at the system unit. (I haven't experienced any problems doing this myself, however).

Upon system bootup, Linux will start automatically, and load all necessary services including networking support, and Internet services.

Tip: If you wish to provide some kind of warning to any online users (online meaning logged in to shell accounts), you can substitute a time value for the "now" keyword. You can also customize the shutdown warning message. For example, ``/sbin/shutdown -r +5 Hardware upgrade'' would inform users that the system was about to shut down for the given reason. They are then given periodic warnings that they should close files and log off before the big moment arrives.
