Solaris 9 User Account Administration
Terms You Need to Understand
User accounts
Group accounts
admintool
Initialization files
The system profile
Concepts You Need to Master
Creating and deleting user accounts
Administering passwords
Creating and deleting group accounts
Initialization files and templates
Account Administration
User and group accounts control access to the system. The administration of user accounts and group accounts along with the passwords associated with these accounts is a key system administration activity.
User Accounts
User accounts can be added, modified, or deleted using command-line utilities or by using the admintool(1M) command. Using admintool reduces the chance of a typo or other error corrupting an entry in the account files, which would affect every user account.
However, the admintool command requires a graphical (X11) display and is slower than typing the command-line utilities directly. These command-line utilities are as follows:
useradd(1M)
usermod(1M)
userdel(1M)
Both the admintool command and the command-line utilities are described in this chapter.
Creating an Account Using the admintool Command
When the admintool command is started, the Users window is displayed. To display the Add User window, select Add from the Edit pull-down menu. The Add User window consists of three sections: User Identity, Account Security, and Home Directory.
The User Identity section provides the information that needs to be defined to add a user account. All this information is stored in the /etc/passwd file, except secondary groups information, which is stored in the /etc/group file. Table 3.1 lists the fields of the User Identity section.
Table 3.1 User Identity Fields of the admintool: Add User Window
Field | Description
User Name | A unique user account name of at most eight characters, made up of upper- and lowercase letters and/or digits.
User ID | The UID associated with the user account. A unique number, typically between 1000 and 60000. The next available number starting at 1000 is provided automatically.
Primary Group | The group to which the user is assigned. By default, 10 (staff) is provided. The group must exist before members can be added to it.
Secondary Groups | Additional groups (separated by commas) to which the user is assigned. Each group must exist before members can be added to it.
Comment | Any text that should be placed in the comment field of /etc/passwd.
Login Shell | The Bourne (default), C, or Korn shell can be selected. Another shell can be specified by selecting Other from the pull-down menu and entering the path of the shell in the field.
The Account Security section provides the information used to determine how the password should be defined and to set up password aging. All this information is stored in the /etc/shadow file. Table 3.2 lists the fields of the Account Security section.
Table 3.2 Account Security Fields of the admintool: Add User Window
Field | Description
Password | The choices are Cleared until first login, Account is locked, No password -- setuid only, and Normal Password.
Min Change | Minimum number of days required between password changes.
Max Change | Maximum number of days a password is valid.
Max Inactive | Maximum number of days the account can be inactive before the password must be changed.
Expiration Date | Date on which the account expires and can no longer be used.
Warning | Number of days before the password expires that the user is warned.
The Home Directory section is used to define the home directory of the account and to create it if necessary. This path is stored in the /etc/passwd file. The appropriate initialization files are created in the home directory based on the type of login shell selected.
Modifying an Account Using the admintool Command
To modify a user account, start the admintool command if it is not already active. Display the Users window by selecting Users from the Browse pull-down menu.
Click the desired account entry and then select Modify from the Edit pull-down menu. The Modify User window is displayed. Change the fields as appropriate and click Apply to save the changes.
Deleting an Account Using the admintool Command
To delete a user account, start the admintool command if it is not already active. Display the Users window.
Click the desired account and then select Delete from the Edit pull-down menu. In the Warning window, select Delete to delete the user account.
CAUTION
Because using the admintool command makes creating, modifying, and deleting user accounts very easy and intuitive, Exam 310-014 concentrates on using the useradd, usermod, and userdel commands for administering user accounts.
Creating an Account Using the useradd Command
The useradd(1M) command provides a quick method to add a new user account. At a minimum, the account name must be specified as a command-line argument. Table 3.3 lists the command-line arguments supported by the useradd command.
Table 3.3 Command-Line Arguments for the useradd Command
Argument | Description
account | Specifies the name of the new user account (required).
-A authorizations | Specifies one or more RBAC authorizations.
-b base | Defines a base directory. If a home directory (-d) is not specified, the account name is appended to base and the result is used as the home directory.
-c comment | Specifies a comment that is placed in the comment (gcos) field of the /etc/passwd file.
-d directory | Defines the home directory of the account.
-e date | Specifies the expiration date for the account. After the specified date, the account is disabled.
-f days | Specifies the maximum number of days the account can be inactive before it is disabled.
-g group | Defines the GID or name of an existing group that will be the primary group for the user account.
-G group | Defines the GID or name of an existing group that will be a secondary group for the user account. Several groups can be given, separated by commas.
-k template_dir | Specifies the directory containing the template initialization files copied into the home directory (used with -m; the default is /etc/skel).
-m | Creates the home directory if it doesn't exist. The home directory is defined by -b and the account name, or by -d.
-o | Allows an existing UID to be specified. That is, it allows an account to be created with a duplicate UID (see -u).
-P profiles | Specifies one or more RBAC execution (rights) profiles.
-p project | Specifies the default project for the account (the project= value in the useradd -D output).
-R roles | Specifies one or more RBAC roles the user can assume.
-s shell | Specifies the login shell; the default is the Bourne shell (/bin/sh).
-u uid | Specifies the UID of the user account. It must be a decimal integer. If not specified, the next available UID is assigned.
The following example shows how to create a user account using the useradd command:
# useradd -d /export/home/user1 -m -g other -u 1050 user1
6 blocks
#
This command creates the user1 user account, assigns it UID 1050, makes it a member of group other and creates its home directory /export/home/user1.
To make life a little easier, the useradd command also supports the -D command-line argument, which allows default values to be assigned for authorizations (-A), base directory (-b), group (-g), expiration date (-e), maximum inactivity (-f), execution profile (-P), role (-R), and project (-p). The defaults are kept in /usr/sadm/defadduser, and subsequent uses of the useradd command apply them whenever the corresponding argument is not given. Running useradd -D with no other arguments prints the current defaults, which is a quick way to check what a new account will receive. For example, the following command assigns a default base directory and default group. Whenever defaults are assigned or changed, the new defaults are listed:
# useradd -D -b /export/home -g other
group=other,1  project=,3  basedir=/export/home  skel=/etc/skel  shell=/bin/sh  inactive=0  expire=  auths=  profiles=  roles=
#
# useradd -m -u 1051 user2
6 blocks
#
Because a default base and group were defined, the user2 account is a member of the other group and has a home directory of /export/home/user2.
NOTE
User accounts created with the useradd command do not have a password. These accounts are locked and cannot be used until a password is set for the account using the passwd(1) command.
Modifying an Account Using the usermod Command
The usermod(1M) command is used to modify an existing user account. The command-line arguments are identical to the useradd command-line arguments with the following exceptions:
The base directory (-b) is not available. Use -d to specify a new home directory, and add -m to move the contents of the existing home directory to the new location; without -m, only the /etc/passwd entry changes and the files stay where they were.
The set default (-D) is not available.
The template directory (-k) is not available.
A new user account name is specified using -l account if the account name is being modified.
Keep in mind that if the account name is changed, the name of the home directory does not change unless the -d and -m command-line arguments are used. The following example shows the usermod command changing the name of the user1 account to user3.
# ls -l
total 22
drwx------   2 root     root        8192 Jan 13 21:05 lost+found
drwxr-x---   2 user3    other        512 Mar 31 13:23 user1
drwxr-x---   2 user2    other        512 Mar 31 13:45 user2
#
# usermod -l user3 -d /export/home/user3 -m user1
6 blocks
#
# ls -l
total 22
drwx------   2 root     root        8192 Jan 13 21:05 lost+found
drwxr-x---   2 user2    other        512 Mar 31 13:45 user2
drwxr-x---   2 user3    other        512 Mar 31 13:23 user3
#
Deleting an Account Using the userdel Command
The userdel(1M) command is used to delete a user account. The user account is specified as a command-line argument. Only one other command-line argument is supported: -r, which also removes the home directory. Note that -r removes nothing outside the home directory. Files the user owned elsewhere (the mail spool, /tmp, shared project directories) keep the now-unassigned UID, and a later account created with that UID (or with useradd -o) inherits access to them, so locate them with find / -nouser -print before the UID is reused. The following shows deleting the user3 account:
# userdel -r user3
#
Group Accounts
Group accounts can be added, modified, or deleted using command-line utilities or by using the admintool(1M) command. Using admintool reduces the chance of a typo or other error corrupting an entry in /etc/group, which would affect every group account.
However, the admintool command requires a graphical (X11) display and is slower than typing the command-line utilities directly. These command-line utilities are as follows:
groupadd(1M)
groupmod(1M)
groupdel(1M)
Both the admintool command and the command-line utilities are described in the following sections.
Creating a Group Using the admintool Command
To create a group account, start the admintool command if it is not already active. Display the Groups window by selecting Groups from the Browse pull-down menu.
Then, display the Add Group window by selecting Add from the Edit pull-down menu.
Enter a unique group name in the Group Name field. Use the next available GID number or enter a unique GID in the Group ID field. In the Members List field, enter one or more user account names separated by commas. Using the mouse, click OK. The new group is displayed in the Groups window.
Modifying a Group Using the admintool Command
To modify a group account, display the Groups window. Click the account you want to modify, and then select Modify from the Edit menu. Change the fields in the Modify Group window, and click Apply to save the changes.
Deleting a Group Using the admintool Command
To delete a group account, display the Groups window, and then select the account you want to delete. Select Delete from the Edit menu. A Warning window displays that lists the group. Click Delete.
CAUTION
Because using the admintool command makes creating, modifying, and deleting group accounts very easy and intuitive, Exam 310-014 concentrates on using the groupadd, groupmod, and groupdel commands for administering group accounts.
Creating a Group Using the groupadd Command
The groupadd(1M) command provides a quick method to add a new group account. At a minimum, the group account name must be specified as a command-line argument. The groupadd command supports two other command-line arguments. The first is -g gid, which specifies the GID to associate with the group. It must be a decimal integer, and it must be unique unless -o is also given. If no GID is specified, the next available GID is assigned. The other command-line argument is -o, which allows a GID that is already in use to be assigned to the group.
The following example shows creating a group using the groupadd command.
# groupadd -g 1000 newgroup
#
Modifying a Group Using the groupmod Command
The groupmod(1M) command is used to modify an existing group account. The command-line arguments are identical to the groupadd command-line arguments, except that a new group name is specified using -n name if the group account name is being changed. The following example shows how to use groupmod to rename the group newgroup to ngroup.
# groupmod -n ngroup newgroup
#
Deleting a Group Using the groupdel Command
The groupdel(1M) command is used to delete a group account. The group account is specified as a command-line argument.
# groupdel ngroup
#
Password Administration
Password administration involves setting parameters to control password aging, changing a user's password as needed, and possibly locking a user account to prevent use.
Password Aging
The parameters of the /etc/shadow file determine the password aging policy. These are set through the Account Security fields of the admintool command's Add or Modify User Account window. This includes how long a password is valid (Max Change), how often it can be changed (Min Change), and how long an account can be inactive before the password must be changed (Max Inactive). These parameters enforce a policy for protecting the integrity of passwords.
Note that of these three password-aging parameters, only Max Inactive can be specified using the useradd command (-f) and modified using the usermod command. Min Change, Max Change, and Warning are set from the command line with the passwd command's -n, -x, and -w options, or through admintool.
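The aging fields described above, the locked state that useradd leaves behind (see the note on useradd), and the duplicate UIDs that useradd -o permits all end up as plain fields in /etc/passwd and /etc/shadow, and they are easiest to understand by reading those files back. The following is an added example, not code from the chapter: it parses constructed passwd and shadow entries (the layouts are those of passwd(4) and shadow(4); the HASH strings and the fixed "today" value are placeholders) and reports, for a given day, which accounts are locked, have no password, have an expired or nearly expired password, have expired outright, or share a UID.

```python
"""Offline audit of Solaris-style /etc/passwd and /etc/shadow entries.

Added example, not code from the original chapter.  Entries are
constructed; layouts follow passwd(4) and shadow(4):
    passwd: name:x:uid:gid:comment:home:shell
    shadow: name:password:lastchg:min:max:warn:inactive:expire:flag
lastchg and expire count days since 1 January 1970; an empty field
means "not set".  TODAY is fixed so the output is reproducible.
"""
from collections import defaultdict

PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
user1:x:1050:1:useradd run, passwd not yet run:/export/home/user1:/bin/sh
user2:x:1051:1:stale password:/export/home/user2:/bin/sh
user3:x:1052:1:password about to expire:/export/home/user3:/bin/sh
oper:x:1050:1:duplicate UID via useradd -o:/export/home/oper:/bin/sh
toor:x:0:1:second UID 0 account:/:/bin/sh
svc:x:1060:1:passwd -d, then expired with -e:/export/home/svc:/bin/sh
"""

SHADOW = """\
root:HASH:12000:0:91:7:::
user1:*LK*:12000::::::
user2:HASH:11900:7:30:7:14::
user3:HASH:11990:0:25:7:::
oper:HASH:12000:0:91:7:::
toor:HASH:12000:0:91:7:::
svc::12000:::::12005:
"""
TODAY = 12010  # constructed "current day", in days since the epoch


def _opt_int(field):
    return int(field) if field else None


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, comment, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "comment": comment,
                       "home": home, "shell": shell}
    return users


def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line: %r" % line)
        name, pw, lastchg, mn, mx, warn, inactive, expire, _flag = fields
        entries[name] = {"password": pw, "lastchg": _opt_int(lastchg),
                         "min": _opt_int(mn), "max": _opt_int(mx),
                         "warn": _opt_int(warn), "inactive": _opt_int(inactive),
                         "expire": _opt_int(expire)}   # inactive needs login records
    return entries


def password_state(entry):
    """Classify as passwd -s does: LK locked, NP no password, PS password set."""
    pw = entry["password"]
    if pw.startswith("*LK*"):   # what useradd writes until passwd is run
        return "LK"
    if pw == "":                # passwd -d: login succeeds with no password
        return "NP"
    return "PS"


def aging_findings(entry, state, today):
    """Apply the shadow(4) aging fields of one account on day `today`."""
    findings = []
    if entry["expire"] is not None and today > entry["expire"]:
        findings.append("account-expired")            # useradd/usermod -e
    if state != "PS":
        return findings                               # nothing to age
    lastchg, mx, warn = entry["lastchg"], entry["max"], entry["warn"]
    if lastchg == 0:
        findings.append("must-change-at-next-login")  # passwd -f sets lastchg=0
    elif lastchg is not None and mx is not None:
        expires_on = lastchg + mx                     # Max Change
        if today > expires_on:
            findings.append("password-expired")
        elif warn is not None and today >= expires_on - warn:
            findings.append("password-in-warning-period")
    elif mx is None:
        findings.append("password-never-expires")     # no Max Change set
    return findings


def audit(passwd_text, shadow_text, today=TODAY):
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    by_uid = defaultdict(list)
    for name, u in users.items():
        by_uid[u["uid"]].append(name)
    report = {
        "duplicate_uids": {uid: n for uid, n in by_uid.items() if len(n) > 1},
        "extra_uid0": [n for n in by_uid.get(0, []) if n != "root"],
        "unshadowed": [n for n in users if n not in shadow],
        "accounts": {},
    }
    for name in users:
        if name in shadow:
            state = password_state(shadow[name])
            report["accounts"][name] = (state, aging_findings(shadow[name], state, today))
    return report


if __name__ == "__main__":
    for key, value in audit(PASSWD, SHADOW).items():
        print(key, value)
```

On a real system the same logic applies to the files themselves (read them as root; the shadow file is mode 400) with today computed as the number of days since 1970-01-01. The NP and extra-UID-0 findings are the ones to act on first: an NP account needs no password at all, and a second UID 0 account is root under another name.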
Password Requirements
Unless specified by a superuser account such as root, passwords must meet the following requirements:
A password must contain at least the number of characters specified by the PASSLENGTH parameter contained in the /etc/default/passwd file. The default is six. It is best to increase this value to eight.
A password must contain at least two alphabetic characters and at least one numeric or special character (within the first PASSLENGTH characters).
A password cannot be the same as user account name, the reverse of the user account name, or a circular shift of the user account name. Any uppercase letters are mapped to lowercase letters for requirement checking. This means that the password for the guest user account cannot be guest, tseug, uestg, estgu, GUEST, and so on.
A new password must be different by at least three characters from the old password. Once again, uppercase and lowercase letters are equivalent for requirement checking.
CAUTION
Passwords can be any length, but with the default crypt(3C) hash only the first eight characters are significant. For example, a password can be defined as 25administration, but 25admini is what actually logs into the system, and a PASSLENGTH greater than eight therefore adds nothing.
Keep in mind that these requirements do not apply when root or some other superuser account defines its own password or the password of another user account.
Changing Passwords Using the admintool Command
To change the password of a user account, start the admintool command if it is not already active. Display the Users window by selecting Users from the Browse pull-down menu.
The user account can be selected in two ways: by double-clicking the account entry or by clicking the account entry to highlight it and then selecting Modify from the Edit pull-down menu. Using either method, the Modify User window is displayed.
To modify the account password, position the mouse cursor over the Password field and hold down the left button. Then, move the mouse cursor over the Normal Password item and release the mouse button.
Enter the same password for both the Enter Password and the Verify Password fields. Asterisks are displayed in place of each character entered. Using the mouse, click OK. To save the password, click OK in the Modify User window.
Changing Passwords using the passwd Command
Apart from the admintool command, the passwd(1) command is the standard way to change the password of a user account. When used without any command-line arguments, the passwd command changes the password of the current user account. The following shows how to change the password for the currently logged in user (dla):
$ passwd
passwd: Changing password for dla
Enter login password:
New password:
Re-enter new password:
passwd (SYSTEM): passwd successfully changed for dla
$
Note that the current password must be entered before a new password can be specified. When a superuser account, such as root, uses the passwd command, the current password is not required.
A variety of command-line arguments are provided to support changing passwords. Table 3.4 lists the more significant command-line arguments.
Table 3.4 Selected Command-Line Arguments for the passwd Command
Argument | Description
account | Specifies the name of the user account for which the password will be changed.
-s -a | Lists the password status of all user accounts (LK for locked, NP for no password, PS for password set) followed by the aging values; -s account shows a single account.
-d | Deletes the password for the specified account. The account can then log in without a password, so use this only when the account is locked or expired by other means.
-l | Locks the specified account so it cannot be used.
-f | Forces the user to change the password at the next login.
-n min, -x max, -w warn | Set the Min Change, Max Change, and Warning aging values for the specified account.
A superuser account can change the password for another user account. The user account is specified as a command-line argument. The following shows the superuser changing the password for the dla account:
# passwd dla
New password:
Re-enter new password:
passwd (SYSTEM): passwd successfully changed for dla
#
Locking a User Account Using the admintool Command
An account can be locked to prevent it from being used. In the admintool's Users window, select the account you want to lock. Select Modify from the Edit menu. In the Modify User window, choose the Account Is Locked item, save the change, and click OK.