UNIX System Administration Handbook - Evi Nemeth [54]
7. If myprog were a shell script, it would need both read and execute permission turned on. In order for the script to be run by an interpreter, it must be opened and read like a text file. Binary files are executed directly by the kernel and therefore do not need read permission turned on.
6 Adding New Users
Adding and removing users is a routine chore on most systems. These tasks are simple, but they are also boring; most administrators build tools to automate the process and then delegate the actual work to an assistant or operator.
Account hygiene is a key determinant of system security. Infrequently used accounts are prime targets for hackers, as are accounts with easily guessed passwords. Even if you use your system’s default tools to add and remove users, it’s important to understand the underlying changes the tools are making.
6.1 THE /ETC/PASSWD FILE
The /etc/passwd file is a list of users recognized by the system. The system consults the file at login time to determine a user’s UID and to verify the user’s password. Each line in the file represents one user and contains seven fields separated by colons:
• Login name
• Encrypted password (unless a shadow password file is used; see below)
• UID number
• Default GID number
• “GECOS” information: full name, office, extension, home phone
• Home directory
• Login shell
For example, the following lines are all valid /etc/passwd entries.
root:jsg8Y.1p6uWMo:0:0:The System,,x6096,:/:/bin/csh
jl:Hwex6bM8cT3/E:100:0:Jim Lane,ECT8-3,,:/staff/jl:/bin/sh
dotty:oP0vdZ/s93ZiY:101:20::/home/korbel/dotty:/bin/csh
The contents of /etc/passwd are often shared among systems with a database system such as NIS or NIS+. See Chapter 18, Sharing System Files, for more information.
The following sections discuss the /etc/passwd fields in more detail.
Login name
Login names (also known as usernames) must be unique and, depending on the operating system, usually no more than 8 characters long.1 If you use NIS or NIS+, login names are limited to 8 characters, regardless of the operating system.
In the past, login names were traditionally limited to alphanumeric characters. Modern systems allow them to contain any characters except colons and newlines. However, it’s probably wise to stick to alphanumerics and to limit login names to 8 characters. This policy will avert potential conflicts with email systems and older software and will guarantee that users can have the same login name on every machine. Remember, the fact that you have a homogeneous environment today doesn’t mean that this will be the case tomorrow.
Login names are case sensitive; however, most mail systems (including sendmail) expect login names to be lower case. For this reason, we suggest avoiding uppercase characters in login names unless the user is not expected to receive any mail. Lowercase names are traditional, and they are also easier to type.
Login names should be easy to remember, so random sequences of letters do not make good login names. Avoid “handles” and cutesy nicknames. Since login names are often used as email addresses, it’s useful to establish a standard way of forming them. It should be possible for users to make educated guesses about each other’s login names. First names, last names, initials, or some combination of these all make reasonable naming schemes.
Any fixed scheme for choosing login names eventually results in duplicate names or names that are too long, so you will sometimes have to make exceptions. In the case of a long name, you can use the /etc/mail/aliases file to equate two versions of the name, at least as far as mail is concerned.
See page 550 for more information about mail aliases.
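As an added illustration (not code from the book), the following Python audit parses /etc/passwd lines into the seven fields listed above and flags the login-name recommendations made in this section, plus an empty password field. The sample file reuses the three entries shown earlier together with two constructed lines; the naming checks are this chapter's policy, not limits enforced by the system.

```python
import re
# Field names in /etc/passwd order, as listed in the chapter.
PASSWD_FIELDS = ("login", "password", "uid", "gid", "gecos", "home", "shell")
# Constructed sample: the chapter's three entries plus two made-up lines, one
# breaking the login-name policy and one with an empty password field.
SAMPLE_PASSWD = """\
root:jsg8Y.1p6uWMo:0:0:The System,,x6096,:/:/bin/csh
jl:Hwex6bM8cT3/E:100:0:Jim Lane,ECT8-3,,:/staff/jl:/bin/sh
dotty:oP0vdZ/s93ZiY:101:20::/home/korbel/dotty:/bin/csh
BBrowning:Hwex6bM8cT3/E:102:20:Brent Browning,,,:/home/bbrowning:/bin/sh
guest::103:20:Guest account,,,:/home/guest:/bin/sh
"""

def parse_passwd_line(line):
    """Split one /etc/passwd line into its seven fields (colons never occur
    inside a field, so a plain split is exact); reject any other count."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError("expected 7 fields, got %d: %r" % (len(fields), line))
    entry = dict(zip(PASSWD_FIELDS, fields))
    entry["uid"] = int(entry["uid"])   # numeric fields become ints
    entry["gid"] = int(entry["gid"])
    return entry

def audit_login_name(login):
    """Return the chapter's naming-policy violations for one login name."""
    problems = []
    if len(login) > 8:
        problems.append("longer than 8 characters")
    if login != login.lower():
        problems.append("contains uppercase letters")
    if not re.fullmatch(r"[A-Za-z0-9]+", login):
        problems.append("contains non-alphanumeric characters")
    return problems

def audit_passwd(text):
    """Map each flagged login to its problems; an empty password field is
    flagged too, since such an account can be entered with no password."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue                      # tolerate blank lines
        entry = parse_passwd_line(line)
        problems = audit_login_name(entry["login"])
        if entry["password"] == "":
            problems.append("empty password field")
        if problems:
            findings[entry["login"]] = problems
    return findings
```

Running audit_passwd(SAMPLE_PASSWD) flags only the two constructed entries; the book's three pass every check.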
For example, suppose you use an employee’s first initial and last name as a paradigm. Brent Browning would therefore be “bbrowning”, which is 9 characters and therefore