
8.1. Introduction

On a Linux system, both human users and system processes have user accounts. System services run under accounts of their own so that the kernel can confine their privileges and file access exactly as it does for human users.

Remember the most fundamental Linux security principles:

  1. Use the minimum necessary privileges to get the job done.

  2. Strong passwords work.

Following these two principles will prevent all sorts of aggravation and mishaps.

Linux has a collection of utilities for managing users and groups: useradd, groupadd, userdel, groupdel, usermod, groupmod, passwd, chfn, and chsh. These are part of the "Shadow Suite."

The Shadow Suite was created by Julianne Frances Haugh to improve password security and to make user account management easier. In the olden days, all the relevant files had to be edited individually, and the hashed (traditionally called "encrypted") passwords were stored in /etc/passwd. But because /etc/passwd must remain world-readable (every program that maps UIDs to names reads it), storing password hashes in it is asking for trouble: anyone who can copy the file can run an offline dictionary or brute-force attack against the hashes at their leisure. Relocating the hashes to /etc/shadow, which is readable only by root (and, on some distributions, by the shadow group), adds a useful layer of protection; /etc/passwd then carries only an "x" placeholder in the password field.

useradd behaves differently on different systems. Traditionally, it put every new user into the same login group, users (GID 100). Because everyone shared that group, any group permission granted on a home directory or the files in it applied to every user on the system, so home directories were effectively open by default. Red Hat changed this with its "User Private Group" scheme: Red Hat's useradd creates a private group for each new user, named after the user and normally with a GID equal to the user's UID, so group permissions on a fresh home directory grant nothing to anyone else. On current shadow-utils this behaviour is controlled by USERGROUPS_ENAB in /etc/login.defs and can be overridden per user with useradd -U (create a private group) or -N (do not). Different users have different needs, and some prefer open home directories, but the fundamental security principle is "deny all, allow as needed": start closed and open specific directories deliberately.
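The two problems this section describes, password hashes left in the world-readable /etc/passwd and users lumped into one shared login group, can both be checked from the account files themselves. The script below is an added example, not code from the book or from the Shadow Suite. It writes constructed passwd, shadow and group samples (the account names and hashes are made up placeholders) to a temporary directory and audits them; the same functions can be pointed at the real /etc/passwd, /etc/shadow and /etc/group, although reading /etc/shadow requires root. It goes slightly beyond the text by also flagging two things the two principles above imply: empty password fields in shadow and extra UID 0 accounts.

```sh
#!/bin/sh
# Added example (not from the book or the Shadow Suite): audit account files
# for the problems described in this section. The sample data below is
# constructed for the example; the hashes are placeholders, not real hashes.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
legacy:$1$zz$PlaceholderHashLeftInPasswd:1003:1003::/home/legacy:/bin/sh
toor:x:0:0::/root:/bin/bash'

SHADOW_SAMPLE='root:$6$zz$PlaceholderHash:19000:0:99999:7:::
alice:$6$zz$PlaceholderHash:19000:0:99999:7:::
bob::19000:0:99999:7:::
legacy:!:19000:0:99999:7:::
toor:$6$zz$PlaceholderHash:19000:0:99999:7:::'

GROUP_SAMPLE='root:x:0:
users:x:100:
alice:x:1001:
legacy:x:1003:'

# Write the samples to a temporary directory with the modes the real files
# normally have (/etc/shadow is 0640 root:shadow, or 0000, depending on the
# distribution; 0600 is used here for the sample).
setup_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' "$PASSWD_SAMPLE" > "$SAMPLE_DIR/passwd"
    printf '%s\n' "$SHADOW_SAMPLE" > "$SAMPLE_DIR/shadow"
    printf '%s\n' "$GROUP_SAMPLE"  > "$SAMPLE_DIR/group"
    chmod 644 "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
    chmod 600 "$SAMPLE_DIR/shadow"
}

# Accounts whose passwd password field is neither the "x" placeholder nor a
# lock marker: a hash sitting in the world-readable file is exposed to everyone.
hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Accounts with an empty password field in shadow: login with no password at all.
empty_shadow_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts other than root with UID 0: full root privilege under another name.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Ordinary users (UID >= 1000) whose primary group is not a private group
# named after them, i.e. the old shared-group layout. Arguments: passwd file,
# group file. The group file is read first to map GID -> group name.
shared_primary_group() {
    awk -F: 'NR == FNR { gname[$3] = $1; next }
             $3 >= 1000 && gname[$4] != $1 { print $1 " -> " gname[$4] }' "$2" "$1"
}

# Print the path if the file is readable by "other"; must print nothing for shadow.
world_readable() {
    find "$1" -perm -004
}

# Run the audit over the constructed samples. On a real system replace the
# sample paths with /etc/passwd, /etc/shadow and /etc/group (root needed).
setup_samples
echo "hashes still in passwd:     $(hashes_in_passwd "$SAMPLE_DIR/passwd")"
echo "empty shadow passwords:     $(empty_shadow_passwords "$SAMPLE_DIR/shadow")"
echo "extra UID 0 accounts:       $(extra_uid0 "$SAMPLE_DIR/passwd")"
echo "users in a shared group:    $(shared_primary_group "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")"
echo "world-readable shadow file: $(world_readable "$SAMPLE_DIR/shadow")"
rm -rf "$SAMPLE_DIR"
```

Against the samples, the audit reports legacy (hash still in passwd), bob (empty shadow password and primary group users rather than a private group) and toor (a second UID 0 account), and confirms the shadow file is not world-readable. Any of these on a real system is worth fixing before worrying about anything subtler.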

Newer arrivals on the scene are adduser and addgroup (from Debian and its derivatives), which are Perl script wrappers for useradd and groupadd. These scripts walk you interactively through a complete new user configuration. adduser and addgroup are very nice for making individual entries, but they're no good for batch operations (unless, of course, you modify the adduser or addgroup scripts yourself).

See Recipe 8.17 for a custom script for adding new users in batches and changing passwords en masse.
