Account Management

Depending on the size and dynamics of an organization, managing user accounts can be either a huge job or a seldom performed task. Most Unix and Linux systems provide both command line and graphical tools for managing accounts. In many cases, custom programs and web applications are needed to automate the process and provide the customization that differs from one organization to the next. One size does not fit all when it comes to account management.

What is in an Account?

When one executes getent passwd *username*, basic information about that user is displayed as a colon-separated list of seven fields. Where getent obtains the information depends on how name service lookups are configured on the system (local files, LDAP, NIS and so on; see PAM and Authentication below).

Username

Just what it says

Password

On older systems, the hashed password (historically called the encrypted password) was stored here. What usually appears here today is an x, which means that the shadow file must be consulted to retrieve the hash. An empty field historically meant that no password was required, so it is worth checking for.

User ID

The numeric ID of the user. It must be unique: two names that share a UID are the same user as far as file ownership and permissions are concerned, and any second entry with UID 0 is another root account.

Group ID

The primary (default) group of the user. On most Linux distributions useradd creates a private group whose number matches the user ID, but some organizations instead assign the group of the user's department or status in the organization, e.g., staff, student, engineering, etc.

GECOS

Normally it is the full name that the user goes by. Sometimes additional comma-separated information, such as a phone number or office location, is also listed in this field.

Home directory

Just what it says

Shell

The login shell given to the user. Normally it is a shell program such as /bin/bash or /bin/ksh; however, it may be another program such as /sbin/nologin, which refuses interactive logins. If new shells are added to the system, they also need to be listed in the /etc/shells file: chsh only lets ordinary users pick a shell from that list, and some network services (FTP daemons, for example) refuse logins to users whose shell is not listed there.

Shadow data

The password hashes are found in /etc/shadow, together with password-aging data: each entry holds the username, the hash, the date of the last change, the minimum and maximum days between changes, the warning period, the inactivity period and the account expiry date. The permissions of this file are the most restrictive of the account files: it is readable only by root (and, on some systems, the shadow group). Programs run by root read and write it directly; an unprivileged program such as passwd must run set-UID root to update a user's own entry. There is normally no need to modify this file manually; use passwd and chage instead.
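The following script is an added example, not part of the original page, that reads passwd- and shadow-format records as described in the two sections above and reports the problems an administrator usually looks for: an empty password field, a hash left in passwd instead of shadow, a second UID 0 account, a duplicate UID, a login shell missing from /etc/shells, an empty or weak (DES, MD5) hash, and a password that never expires. All of the records, the /etc/shells content and the hash strings are constructed sample data; nothing is read from the live system.

```shell
#!/bin/sh
# Added example: audit passwd- and shadow-style records. All data below is
# constructed; hash strings are placeholders, not real crypt(3) output.

# Constructed /etc/passwd-style records: name:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,Room 12,555-0100:/home/alice:/bin/bash
bob::1001:1001:Bob Example:/home/bob:/bin/bash
backup:x:0:34:backup:/var/backups:/usr/sbin/nologin
carol:x:1002:50:Carol Example:/home/carol:/usr/local/bin/rash'

# Constructed /etc/shells: one permitted login shell per line, # starts a comment
SAMPLE_SHELLS='# valid login shells
/bin/sh
/bin/bash
/usr/sbin/nologin'

# Constructed /etc/shadow-style records:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19700:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19700:0:90:7:::
bob::19700:0:99999:7:::
carol:!$6$saltsalt$placeholderhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
dave:abJnggxhB/yWI:19700:0:99999:7:::
eve:$1$saltsalt$placeholderhash:19700:0:99999:7:::'

# passwd_audit: passwd records on stdin, /etc/shells content in $1.
# Prints one finding per line as "user: problem".
passwd_audit() {
  awk -F: -v shells="$1" '
    BEGIN {
      n = split(shells, s, "\n")
      for (i = 1; i <= n; i++) if (s[i] != "" && substr(s[i], 1, 1) != "#") ok[s[i]] = 1
    }
    NF < 7 { printf "%s: malformed entry (%d fields)\n", $1, NF; next }
    $2 == "" { printf "%s: empty password field (no password required)\n", $1 }
    $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { printf "%s: password hash stored in passwd, not shadow\n", $1 }
    $3 == 0 && $1 != "root" { printf "%s: UID 0 but not root\n", $1 }
    ($3 in seen) { printf "%s: duplicate UID %s (also %s)\n", $1, $3, seen[$3] }
    { seen[$3] = $1 }
    !($7 in ok) { printf "%s: login shell %s not in /etc/shells\n", $1, $7 }
  '
}

# shadow_audit: shadow records on stdin. A hash starting with ! or * is a
# locked or no-login account: password authentication is off, but note that
# other methods (SSH keys, for instance) may still let the user in.
shadow_audit() {
  awk -F: '
    NF < 8 { printf "%s: malformed entry (%d fields)\n", $1, NF; next }
    $2 == "" { printf "%s: empty hash (login without a password)\n", $1; next }
    $2 ~ /^[!*]/ { next }
    substr($2, 1, 1) != "$" { printf "%s: legacy DES crypt hash\n", $1 }
    substr($2, 1, 3) == "$1$" { printf "%s: MD5-crypt hash\n", $1 }
    $5 == "" || $5 >= 99999 { printf "%s: password never expires (max=%s)\n", $1, $5 }
  '
}

echo "== passwd findings =="
printf '%s\n' "$SAMPLE_PASSWD" | passwd_audit "$SAMPLE_SHELLS"
echo "== shadow findings =="
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit
```

On a real host the same functions can be fed by the name service instead of the sample strings: getent passwd | passwd_audit "$(cat /etc/shells)" works as any user, while getent shadow | shadow_audit has to be run as root because of the permissions discussed above. Findings are advisory; a system account with a hash in passwd or a second UID 0 entry is a sign of tampering or of an old migration and deserves a look before anything is changed.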

Startup Scripts

When useradd creates an account with a home directory (useradd -m), it copies the files in the /etc/skel directory into the new home directory. These files are normally the shell startup files (.profile, .bashrc and the like) that set up the user's environment at login. If it is desired that all users start with certain environment variable settings, such as PATH, those can be set in the appropriate file here. Note that /etc/skel only affects accounts created afterwards, and users can edit their own copies; settings that must apply to everyone belong in the system-wide files such as /etc/profile or /etc/profile.d/.

PAM and Authentication

For consistency, every piece of software that allows users to log in to the Unix system (login, sshd, su, sudo, display managers) uses PAM, Pluggable Authentication Modules, to authenticate the user name and password. PAM decides how a login attempt is checked. Where the account data itself comes from (local files, LDAP, NIS) is the job of the Name Service Switch, configured in /etc/nsswitch.conf; that file is the starting point for system database configuration and is what getent consults. The files that determine what PAM will allow or block are contained in the /etc/pam.d directory (one file per service) and the /etc/security directory (configuration for individual modules, such as limits.conf and access.conf).

Managing Users and Groups

Large system installations often have extra tasks that must be done to create or delete users beyond what the base Unix system requires. Thus, in such environments, the process is usually customized and automated by carefully crafted scripts in Unix shell, Perl, or Python.

Some standard commands that do exist to help with base Unix systems include: useradd, groupadd, usermod, groupmod, userdel, and groupdel.

Read the man pages for these commands and use them to create several new users and groups. Add various users to the new groups. Delete some users and check to see if these users are still listed in any groups.
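The following script is an added example, not part of the original page, covering the exercise above. It has two parts: a provisioning function with the useradd, groupadd, usermod and userdel commands the exercise asks for, which changes the real system and therefore only runs when the script is started as root with the argument apply; and two audit functions that answer the exercise's last question, listing group members that no longer have an account and primary GIDs that no longer have a group. The audit runs against constructed passwd and group records embedded in the script, so it can be run and studied without root.

```shell
#!/bin/sh
# Added example: provisioning commands for the exercise, plus checks for
# group memberships and primary GIDs that outlive an account. Sample data
# below is constructed; the provision_demo function is the only part that
# touches the live system.

# Constructed /etc/group-style records: name:password:GID:member,member,...
SAMPLE_GROUP='root:x:0:
alice:x:1000:
developers:x:1001:alice,bob,dave
ops:x:1002:bob
wheel:x:10:root,dave'

# Constructed /etc/passwd-style records. "dave" was removed by editing the
# file rather than with userdel, so /etc/group still lists him; carol was
# given a primary GID (1003) for which no group entry exists.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
carol:x:1002:1003:Carol Example:/home/carol:/bin/bash'

# stale_group_members: group records on stdin, passwd records in $1.
# Prints "group: member" for every member with no passwd entry.
stale_group_members() {
  known=$(printf '%s\n' "$1" | cut -d: -f1)
  awk -F: -v users="$known" '
    BEGIN { n = split(users, u, "\n"); for (i = 1; i <= n; i++) if (u[i] != "") have[u[i]] = 1 }
    NF >= 4 && $4 != "" {
      m = split($4, members, ",")
      for (i = 1; i <= m; i++) if (!(members[i] in have)) printf "%s: %s\n", $1, members[i]
    }
  '
}

# orphan_primary_gids: passwd records on stdin, group records in $1.
# Prints "user: GID" where the user's primary GID has no group entry.
orphan_primary_gids() {
  gids=$(printf '%s\n' "$1" | cut -d: -f3)
  awk -F: -v gids="$gids" '
    BEGIN { n = split(gids, g, "\n"); for (i = 1; i <= n; i++) if (g[i] != "") have[g[i]] = 1 }
    NF >= 4 && !($4 in have) { printf "%s: %s\n", $1, $4 }
  '
}

# provision_demo: the commands from the exercise, run on the real system.
# useradd -m creates the home directory from /etc/skel, -s sets the shell,
# -G adds supplementary groups; usermod -aG appends a group (without -a the
# existing list is replaced); userdel -r also removes the home directory.
provision_demo() {
  groupadd developers
  groupadd ops
  useradd -m -s /bin/bash -G developers alice
  useradd -m -s /bin/bash -G developers,ops bob
  usermod -aG ops alice
  userdel -r bob
  getent group developers ops   # check whether bob still appears anywhere
}

case "${1:-}" in
  apply)
    [ "$(id -u)" -eq 0 ] || { echo "apply must be run as root" >&2; exit 1; }
    provision_demo ;;
  *)
    echo "== group members with no account =="
    printf '%s\n' "$SAMPLE_GROUP" | stale_group_members "$SAMPLE_PASSWD"
    echo "== primary GIDs with no group =="
    printf '%s\n' "$SAMPLE_PASSWD" | orphan_primary_gids "$SAMPLE_GROUP" ;;
esac
```

Against a real host, replace the sample strings with getent output: getent group | stale_group_members "$(getent passwd)" and getent passwd | orphan_primary_gids "$(getent group)". Going through getent rather than reading /etc/passwd and /etc/group directly matters on systems whose accounts come from LDAP or NIS, where the local files show only part of the picture.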