Basic linux operation: creating and maintaining user accounts

  toucheatout  2006-10-04 14:02  Linux  

A word of warning on what a unix account grants

A unix account grants, in general, a lot of things you may not be aware of, especially if logging in is possible. On a machine running several services that can include web space (apache's mod_userdir), cron jobs, email, the possibility of running one's own server software on non-privileged ports, and so on, all of which can run without anyone noticing. Not mentioned here are the half-ton of denial of service attacks a local user can mount, at least in the default install case (this last point should be considered implied whenever we say 'giving a unix account that can be used to log in with').
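Before worrying about what an account grants, it helps to know which accounts on the box can log in at all. The script below is an added example, not code from the original post: it reads a passwd(5)-format file and an /etc/shells-format file (both passed as arguments, so it runs offline; the sample data in demo() is constructed) and reports every account whose shell is not one of the usual lock-out shells. The "unlisted" flag is an assumption of this example's output format, not a system convention.

```shell
#!/bin/sh
# Added example, not code from the original post: before worrying about what
# a unix account grants, find out which accounts on the box can log in at all.
# Assumptions: passwd(5)-format and /etc/shells-format files are passed as
# arguments so the check runs offline; the sample data below is constructed.

# Print "user:uid:shell:listed|unlisted" for each account whose shell is not
# one of the usual lock-out shells (/bin/false, nologin). Such an account can
# log in as soon as it has a password or an SSH key. "unlisted" flags a shell
# missing from /etc/shells: login(1) and sshd do not care, but chsh(1),
# pam_shells.so and ftp daemons that honour /etc/shells will reject it.
login_capable_accounts() {
    awk -F: -v shells_file="$2" '
        BEGIN {
            while ((getline line < shells_file) > 0)
                if (line ~ /^\//) listed[line] = 1
        }
        /^#/ || NF < 7 { next }
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"      # empty field: login(1) runs /bin/sh
            if (shell ~ /\/(false|nologin)$/) next   # locked out of system login
            print $1 ":" $3 ":" shell ":" ((shell in listed) ? "listed" : "unlisted")
        }
    ' "$1"
}

# Constructed sample files standing in for a real /etc/passwd and /etc/shells.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
webdev:x:1001:1001:Web developer:/var/www/www.adomainname.net:/bin/false
alice:x:1002:1002:Alice:/home/alice:/bin/bash
backup:x:1003:1003:Backup user:/var/backups:/usr/local/bin/doBackups
rebooter:x:1004:1004:Reboot user:/:/sbin/reboot
bob:x:1005:1005:Bob:/home/bob:/usr/sbin/nologin
EOF
    cat > "$tmp/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/false
/usr/sbin/nologin
/usr/local/bin/doBackups
EOF
    login_capable_accounts "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

# On a real box: login_capable_accounts /etc/passwd /etc/shells
demo
```

On the sample data the report lists root, daemon, alice and backup as login-capable with listed shells, and rebooter with /sbin/reboot flagged as unlisted; webdev and bob are silent because /bin/false and nologin lock them out. Note that daemon shows up: a shell of /bin/sh is only harmless because the account's password is locked in /etc/shadow, which this check does not look at.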

Creating a user account

The adduser command will do most of it for you; if you just want the standard account, no option is necessary: just adduser newUserName and you'll be set with another account. A lot of options can then be used to specify a different user homedir, a different shell, etc. All of them have their uses but should be considered carefully. The /etc/adduser.conf configuration file holds the default behaviour.

Useful options

These options are specifically useful in common cases:

  • --home homeDir: Where the user's homedir is. For instance, a web developer account may well have its homedir set to /var/www/www.adomainname.net
  • --no-create-home: May be useful for an account whose directory pre-exists or will be created on the fly, for instance with autodir.
  • --shell: This controls which shell the user gets. Note: the shell HAS to be listed in /etc/shells to be usable here (chsh and the PAM pam_shells module refuse unlisted shells). Some usual values (disregarding the common bash or tcsh etc.) are /bin/false or /sbin/nologin (/usr/sbin/nologin on Debian) to prevent the user from logging in with system authentication; vsftpd can still serve such an account if it is told not to reject users on the basis of their shell (check_shell in vsftpd.conf, or the pam_shells line in its PAM configuration on PAM builds). Aside from this, some very specific accounts can use a command as login shell, for instance a reboot user whose login shell is /sbin/reboot, or a backup user whose login shell is the custom /usr/local/bin/doBackups script. Once again, don't forget these would have to be in /etc/shells, and a script used as a login shell must be owned by root and not writable by the user, or the restriction is worth nothing.

Specific case of use of unix system accounts

The web developer case

To take a comprehensive example: as a rule, a developer who has to bring a site online should not have login possibility. They should intervene via an ftp-only account, for instance (and ideally the ftp user base should be kept separate from the system user base in /etc/passwd).
vsftpd has a lot of good features in that sense: automatic chroot of users in their homedir, the possibility of setting their login shell to /bin/false or similar so that the account cannot be used to log in over ssh, ...
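The following script is an added example (not code from the original post) tying together the adduser options above and the web developer case: it creates an ftp-only account with a custom homedir and a non-login shell, after the checks an admin would want first. It assumes Debian's adduser(8) and vsftpd, the site path /var/www/www.adomainname.net from the post, and two knobs of its own: DRY_RUN=1 prints the privileged commands instead of running them, and SHELLS_FILE overrides /etc/shells so the checks can be exercised offline against constructed files.

```shell
#!/bin/sh
# Added example, not code from the original post: create the ftp-only
# web developer account the post describes, with the checks an admin would
# want first. Assumptions: Debian's adduser(8) and vsftpd; the site path
# /var/www/www.adomainname.net is the post's; DRY_RUN=1 prints the
# privileged commands instead of running them, SHELLS_FILE overrides
# /etc/shells so the checks can run offline against constructed files.

# Succeeds if the shell is listed, verbatim, in the shells file. chsh(1) and
# pam_shells.so (used by vsftpd's PAM stack on Debian) reject unlisted shells.
shell_is_listed() {
    grep -qxF -- "$1" "${2:-/etc/shells}"
}

# The adduser invocation for an ftp-only account: custom homedir, a shell
# that cannot be used for an interactive login, empty GECOS and no password
# yet (the password is set afterwards so the PAM-backed ftp login works).
adduser_cmd() {
    printf 'adduser --home %s --shell %s --gecos "" --disabled-password %s\n' "$2" "${3:-/bin/false}" "$1"
}

# Print each vsftpd.conf line the setup relies on that is absent from the
# given config: local system users may log in, are chrooted in their
# homedir, and may upload. Empty output means all are present.
vsftpd_missing_settings() {
    for want in local_enable=YES chroot_local_user=YES write_enable=YES; do
        grep -qxF -- "$want" "$1" || echo "$want"
    done
}

# Refuse shells that are not in /etc/shells (the ftp login would fail), then
# create the account and set its password.
create_ftp_only_account() {
    user=$1; home=$2; shell=${3:-/bin/false}
    if ! shell_is_listed "$shell" "${SHELLS_FILE:-/etc/shells}"; then
        echo "refusing: $shell is not listed in ${SHELLS_FILE:-/etc/shells}" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        adduser_cmd "$user" "$home" "$shell"
        echo "passwd $user"
        return 0
    fi
    adduser --home "$home" --shell "$shell" --gecos "" --disabled-password "$user" && passwd "$user"
}

# Usage: DRY_RUN=1 sh mkftpdev.sh webdev /var/www/www.adomainname.net
if [ $# -ge 2 ]; then
    create_ftp_only_account "$@"
    echo "missing vsftpd settings (if any):"
    vsftpd_missing_settings /etc/vsftpd.conf
fi
```

Two design points: the account is created with --disabled-password and then given one with passwd(1) only because vsftpd authenticates local users through PAM, so an account with no password at all cannot use ftp either; and the shell check is done up front because a /bin/false shell that is missing from /etc/shells produces an account that can neither ssh in (good) nor ftp in (useless) until someone notices.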

The guru friend

Well, if you have such a friend, just stop reading this page and invite him home for lunch - sysadmins are usually delighted to encounter someone higher on enthusiasm than the usual cow-like face of lusers who respectfully listen to you before admitting they didn't get anything and, to be honest, couldn't be bothered ;)

Less jokingly, you should rely on the fact he's REALLY a good friend...
