Archive for April, 2007

Figure 3-8 The files have the same format.

Monday, April 30th, 2007

Figure 3-8

The files have the same format. Here are descriptions of the four colon-separated fields, using the next-to-last line in Figure 3-7 as an example:

1. The name of the group, which is how the group is identified to users. In this example, the group name is the same as the account name.

    beginningunix:x:500:

2. The password for using the group. This field is blank (no password) on most systems, but it can contain the encrypted password for the group or an x for a shadowed password. The /etc/passwd security issues also apply in this case, which is why some systems use a group shadow file. That file is generally located at /etc/gshadow; refer to your vendor documentation for more information on the file and its format.

    beginningunix:x:500:

3. The group ID (GID). This number identifies the group to the system. It is how Unix sees the group (similar to the /etc/passwd UID).

    beginningunix:x:500:

4. Comma-separated list of accounts that belong to the group. The line preceding the example line in Figure 3-7 shows that the account beginningunix also belongs to the author group:

    author:x:106:beginningunix

   This information allows permissions to be set accordingly (discussed in Chapter 4). The field can be blank, as the example shows.

    beginningunix:x:500:
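The four-field /etc/group format above, together with the default GID in field 4 of /etc/passwd, is all that is needed to work out the complete group set of an account (the primary group plus every group whose member list names the account, which is what the groups command reports). The following is an added example, not code from the book; the file contents are constructed to match the beginningunix and author lines shown in the chapter, and the function names are my own.

```python
"""Resolve an account's full group set from /etc/passwd and /etc/group.

Added example, not from the book. The sample file contents below are
constructed to match the beginningunix/author lines the chapter shows.
"""
from collections import namedtuple

GroupEntry = namedtuple("GroupEntry", "name password gid members")

# Constructed sample /etc/group content (four colon-separated fields per line).
SAMPLE_GROUP = """\
root:x:0:
author:x:106:beginningunix
beginningunix:x:500:
"""

# Constructed sample /etc/passwd content (seven fields; only name and GID matter here).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash
"""


def parse_group(text):
    """Parse /etc/group text into GroupEntry objects keyed by group name.

    Raises ValueError on a line that does not have exactly four fields,
    since a malformed line is usually a hand-editing mistake worth catching.
    """
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"/etc/group line {lineno}: expected 4 fields, got {len(fields)}")
        name, password, gid, members = fields
        # Field 4 is comma-separated; a blank field means no listed members.
        member_set = frozenset(m for m in members.split(",") if m)
        groups[name] = GroupEntry(name, password, int(gid), member_set)
    return groups


def primary_gids(passwd_text):
    """Map account name -> default GID (field 4 of /etc/passwd)."""
    result = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd validation is a separate concern
        result[fields[0]] = int(fields[3])
    return result


def groups_for(account, passwd_text=SAMPLE_PASSWD, group_text=SAMPLE_GROUP):
    """Return the sorted group names an account belongs to.

    Mirrors what the groups command reports: the default group taken from
    /etc/passwd plus every /etc/group line whose member list names the account.
    """
    groups = parse_group(group_text)
    by_gid = {g.gid: g.name for g in groups.values()}
    names = set()
    gid = primary_gids(passwd_text).get(account)
    if gid in by_gid:
        names.add(by_gid[gid])
    for g in groups.values():
        if account in g.members:
            names.add(g.name)
    return sorted(names)


if __name__ == "__main__":
    print(groups_for("beginningunix"))  # ['author', 'beginningunix']
```

Note that the primary group comes from the GID number, not from a name, so an /etc/group line whose GID matches nothing in /etc/passwd is simply a group nobody logs into by default; membership through field 4 still works for it.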

7. Varies between the various Unix implementations but

Monday, April 30th, 2007

7. Varies between the various Unix implementations, but generally represents either the number of consecutive days of account inactivity that can elapse before the password is disabled, or the number of days after a password expires until that account is disabled.

8. The number of days from January 1, 1970, until the account expires. This is useful in creating limited-time accounts (such as for temporary employees with a fixed date of hire and contract end).

9. Reserved for future use.

/etc/group

The /etc/group file contains the group information for each account. Figure 3-7 shows a sample /etc/group file from a Linux system.

Figure 3-7

Figure 3-8 shows the same file on a Solaris 10 system.

Here are descriptions of the file entry fields,

Sunday, April 29th, 2007

Here are descriptions of the file entry fields, with examples from the line in Figure 3-6:

1. The login ID (username, or account name). This information corresponds to the /etc/passwd entry for the account.

    beginningunix:$1$cth3s70B$Sol7rv9u.UyKtEyZ0HP.V.:12736::9999::::

2. The encrypted version of the password (which can be 13 or more characters depending on the Unix implementation). Because this file is readable only by root, the passwords are more protected than if they were in the openly readable /etc/passwd file. If this field is blank, the user is not required to enter a password, a very dangerous situation, because only the account name need be discovered for the system to be compromised. There are ways to lock an account (prevent anyone from using it) with this field as well, depending on the version of Unix. On some systems, for example, NP in this field means that the user cannot actively log in to the account, but must log in with his own account and then use sudo (discussed later in this chapter). You can also put a * (*LK* for Solaris) to indicate that the account is locked.

    beginningunix:$1$cth3s70B$Sol7rv9u.UyKtEyZ0HP.V.:12736::9999::::

3. The number of days from January 1, 1970, until the password was changed. This is used in conjunction with the other fields to determine if the account and password are still valid and if the password requires updating.

    beginningunix:$1$cth3s70B$Sol7rv9u.UyKtEyZ0HP.V.:12736::9999::::

   The January 1, 1970, date represents what is called the epoch. It's a date picked out by the creators of Unix as a good start time.

4. The minimum number of days before the user can change his password again. This allows the system administrator to protect the user from changing his password too soon after the previous change, reducing the chance an attacker can change the password if he finds it. This field is also used for administrative functions such as password propagation between systems. In this example, the field is blank:

    beginningunix:$1$cth3s70B$Sol7rv9u.UyKtEyZ0HP.V.:12736::9999::::

5. The maximum number of days the password is valid before requiring a change. The administrator uses this field to enforce password change policies and to reduce the likelihood that a malicious entity can use brute force (continually trying passwords) to crack the password, which can take a significant amount of time, depending on how good the password is.

    beginningunix:$1$cth3s70B$Sol7rv9u.UyKtEyZ0HP.V.:12736::9999::::

6. The number of days the user is warned before password expiration. It is a good practice to give each user warning that her password is going to expire, so that she has the opportunity to change it at a convenient time before its expiration. If the user fails to change her password in the given amount of time, she could be locked out of the system until the system administrator can intervene. In this example, fields 6 through 9 are blank, as they are on most systems:

    beginningunix:$1$cth3s70B$Sol7rv9u.UyKtEyZ0HP.V.:12736::9999::::
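Fields 3 through 8 of /etc/shadow (last-change day, minimum, maximum, warning, inactive and expiry days, described in this post and the one above it) only mean something when combined with today's day count since the epoch. The following added example, which is not code from the book, parses a nine-field shadow line, converts the epoch-day fields to calendar dates, and reports the aging state an administrator would want to see: blank password field, lock markers, account expiry, password expiry, the inactivity grace period, and the warning window. The sample lines and the "today" values are constructed; the function names are my own.

```python
"""Evaluate the password-aging fields of an /etc/shadow entry.

Added example, not from the book. Field meanings follow the chapter's
nine-field description; the sample lines and "today" values are constructed.
"""
from collections import namedtuple
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # fields 3 and 8 count days from here

ShadowEntry = namedtuple(
    "ShadowEntry",
    "name password last_changed min_days max_days warn_days inactive_days expires reserved",
)

# Constructed sample line: changed on day 12736, no minimum, 9999-day maximum,
# warning/inactive/expiry fields blank, as in the chapter's example.
SAMPLE_SHADOW_LINE = "beginningunix:$1$cth3s70B$Sol7rv9u.UyKtEyZ0HP.V.:12736::9999::::"


def _int_or_none(field):
    """Blank numeric fields mean 'not set', so keep them distinct from 0."""
    return int(field) if field.strip() else None


def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine fields (numeric ones as int or None)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    name, password = fields[0], fields[1]
    numeric = [_int_or_none(f) for f in fields[2:8]]
    return ShadowEntry(name, password, *numeric, fields[8])


def days_to_date(days):
    """Convert a days-since-epoch field (field 3 or 8) to a calendar date."""
    return EPOCH + timedelta(days=days)


def password_status(entry, today_days):
    """Return a short status string for the entry as of day `today_days`.

    Order matters: a blank field 2 is the most serious finding, then the
    lock markers the chapter names (*, *LK*, NP, and the common ! prefix),
    then account expiry (field 8), then password expiry (field 3 + field 5)
    with the inactivity grace period (field 7), then the warning window (field 6).
    """
    if entry.password == "":
        return "NO PASSWORD REQUIRED"
    if entry.password in ("*", "*LK*", "NP") or entry.password.startswith("!"):
        return "locked or no direct login"
    if entry.expires is not None and today_days >= entry.expires:
        return "account expired"
    if entry.last_changed is None or entry.max_days is None:
        return "ok (no aging)"
    expiry_day = entry.last_changed + entry.max_days
    if today_days >= expiry_day:
        if entry.inactive_days is not None and today_days >= expiry_day + entry.inactive_days:
            return "disabled (inactive after expiry)"
        return "password expired"
    if entry.warn_days is not None and today_days >= expiry_day - entry.warn_days:
        return "expiring soon"
    return "ok"


def today_in_days():
    """Today's date expressed the way field 3 stores it."""
    return (date.today() - EPOCH).days


if __name__ == "__main__":
    e = parse_shadow_line(SAMPLE_SHADOW_LINE)
    print(e.name, "last changed", days_to_date(e.last_changed))  # 2004-11-14
    print(password_status(e, today_in_days()))
```

The maximum of 9999 days in the sample is effectively "never expires", so the only findings this line can ever produce are the blank-password and lock-marker ones; a constructed line with a 90-day maximum, a 14-day warning and a 30-day inactivity period shows the remaining states.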

Figure 3-5 Figure 3-6 uses the last line

Sunday, April 29th, 2007

Figure 3-5

Figure 3-6 uses the last line in Figure 3-4 to indicate the colon-delimited fields.

Figure 3-6

    beginningunix:$1$rS2RgftT$fe3j8yS20GV90PeuE8KpZ0:12736::99999:::

    Field 1: Login ID
    Field 2: Encrypted Password
    Field 3: Last Changed
    Field 4: Minimum
    Field 5: Maximum
    Field 6: Warning
    Field 7: Inactive
    Field 8: Expires
    Field 9: Reserved

write, and execute). The directory is usually owned

Saturday, April 28th, 2007

write, and execute). The directory is usually owned by the account with which it's aligned. Do not assign any account /tmp as the home directory, because this can create serious security vulnerabilities.

    beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash

7. The user's login shell. It must be a valid shell (usually listed in the /etc/shells file), or else the user cannot log in interactively. All valid shells are usually identified in /etc/shells. (Shells are described in depth in Chapter 5.) If the shell identified in field seven doesn't exist (such as a misspelled entry), the user will not be able to log in interactively. Be very careful when manually editing this field.

    beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash

/etc/shadow

The /etc/shadow file contains the encrypted password entries for local users as well as any password aging (which tells when passwords expire) or restrictions. Figure 3-4 shows a sample /etc/shadow file from a Linux system.

Figure 3-4

Figure 3-5 shows an /etc/shadow example from a Solaris 10 Unix system. The field content is slightly different from what is shown in Figure 3-4, but the nine fields are the same.

machines got more powerful, it became easier to

Friday, April 27th, 2007

machines got more powerful, it became easier to crack or discover the passwords, and passwords were moved to a separate file called /etc/shadow. Permissions allow only specific accounts to view that file. Some versions of Unix still include the encrypted password in the /etc/passwd file, but this practice is generally frowned upon. An administrator usually assigns a user's initial password.

    beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash

3. UID (user ID number) by which the system knows the account. This is how Unix represents the user (instead of using the username). A user often interacts with the system only through an account name, but the Unix system uses a number (UID) to represent the user. Every account is assigned a UID, generally in the range from 0 to 65535, with 0 through 99 reserved for system IDs (root, the superuser, is always 0). The 65535 limit is not valid on all systems (some allow for many more). The UID does not have to be unique, although having users share UIDs is a bad practice because logging and permissions become confusing when two users share a UID. (The functionality sought by having users share UIDs can be accomplished through groups.) An administrator typically assigns account names and UIDs.

    beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash

   The UID is what really identifies the user to the system. You can change your root account's name to admin, but because the UID associated with the account is 0, the system identifies it as the superuser. You could also assign the 0 UID to another user, and that account would have superuser permissions (this assignment presents security issues and is highly discouraged).

4. Default GID (group ID): the primary, or default, group to which the account belongs. This doesn't limit the total groups to which the account can belong; it only identifies the regular group the user belongs to upon login. This number doesn't need to be unique because many users can share the same group with no adverse effects on the system. Lower-number groups are generally used for system account groups.

    beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash

5. The GCOS, or comment, field holds information about the account, such as the full name of the user, the telephone or office number, or any other human-readable information. This field can contain almost anything you want (except a colon, which would represent the end of the field). Most organizations use it to add some contact information for the account in case there is a problem. Anything in this file (and field) can be viewed by anyone on the system, so do not provide sensitive information such as credit card numbers or Social Security numbers. This field can be left blank with no adverse effect (you'll have two colons next to each other, the blank field in between).

    beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash

   Interestingly, the GCOS field derives its name from the General Electric Comprehensive Operating System (GECOS), or General Comprehensive Operating System. The field was originally used for holding GCOS identification for services that ran off GECOS systems (which was its own operating system). GCOS is not in much use these days, but the term survives today when referring to this field.

6. Location of the account's starting, or home, directory (used to store personal files). This can be any valid directory (usually but not always /home) on which the user has full permissions (read,

Figure 3-2 Take a look at any of

Friday, April 27th, 2007

Figure 3-2

Take a look at any of the lines in the file (the example in Figure 3-3 uses the beginningunix line at the end of the file shown in Figure 3-1), and you can see that there are seven distinct parts, called fields, separated by colons. Although some fields can be left empty, each entry in the file must have all seven fields. Figure 3-3 indicates the location of each of the fields.

Figure 3-3

    beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash

    Field 1: Login ID
    Field 2: Encrypted Password or x
    Field 3: UID
    Field 4: Default GID
    Field 5: GCOS/Comment
    Field 6: Home Directory
    Field 7: Login Shell

Here are descriptions of the file entry fields, with examples from the line shown in Figure 3-3:

1. Login ID (username) that a user enters to log in to the account. Usernames should be unique, so avoid duplicate names, which only introduce confusion and create serious permission problems. Usernames are generally assigned by the administrator. Because users must use their usernames to log in to the system, complexity versus ease of use must be weighed when selecting username schemas.

    beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash

2. Encrypted password or x. If shadow passwords are used, this field contains just an x. In the early days of Unix, the password field contained the user's encrypted password, but as
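The seven-field description of /etc/passwd spread over this post and the two preceding ones (fields 1 and 2 here, fields 3 through 6 in the next post down, fields 6 and 7 in the one after that) also lists the mistakes the chapter warns against: an entry without all seven fields, duplicate usernames, an encrypted password or a blank kept in field 2 instead of an x, UID 0 on an account other than root, shared UIDs, /tmp as a home directory, and a login shell that is not in /etc/shells. The following added example, which is not code from the book, turns those warnings into an audit over a passwd file. The file contents are constructed so that each check fires at least once; the function names are my own, and on a real system you would read /etc/passwd and /etc/shells instead of the inline strings.

```python
"""Audit /etc/passwd entries for the problems the chapter warns about.

Added example, not from the book. The passwd and shells contents below are
constructed; on a real system read /etc/passwd and /etc/shells instead.
"""

# Constructed /etc/passwd content: two healthy lines plus several deliberately
# faulty ones so each check below fires at least once.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
beginningunix:x:510:500:Beginning Unix:/home/beginningunix:/bin/bash
admin2:x:0:0:Second superuser:/home/admin2:/bin/bash
contractor:x:510:500:Shares a UID:/home/contractor:/bin/bash
scratch:x:511:500:Home in tmp:/tmp:/bin/bash
legacy:$1$abc$zzzzzzzzzzzzzzzzzzzzzz:512:500:Hash in passwd:/home/legacy:/bin/bash
typo:x:513:500:Bad shell:/home/typo:/bin/bsh
broken:x:514:500:Too few fields:/home/broken
"""

# Constructed /etc/shells content: one absolute path per line.
SAMPLE_SHELLS = """\
/bin/sh
/bin/bash
"""


def load_shells(text):
    """Valid login shells from /etc/shells; blank lines and comments ignored."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def audit_passwd(passwd_text, shells_text):
    """Return a list of (account, problem) tuples, in file order."""
    shells = load_shells(shells_text)
    findings = []
    seen_names = {}   # username -> first line number
    uid_owners = {}   # uid -> first account using it
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        # Every entry must have exactly seven colon-separated fields.
        if len(fields) != 7:
            findings.append((name, f"line {lineno}: {len(fields)} fields, expected 7"))
            continue
        _, pw, uid, _gid, _gcos, home, shell = fields
        # Usernames should be unique; duplicates confuse permissions and logs.
        if name in seen_names:
            findings.append((name, f"duplicate username (also line {seen_names[name]})"))
        seen_names.setdefault(name, lineno)
        # Field 2 should be x (shadowed) or a lock marker, not a hash or blank.
        if pw == "":
            findings.append((name, "empty password field: no password required"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append((name, "encrypted password stored in /etc/passwd (use /etc/shadow)"))
        # UID 0 is the superuser regardless of the account name.
        uid_n = int(uid)
        if uid_n == 0 and name != "root":
            findings.append((name, "UID 0 grants superuser rights to a non-root account"))
        # Shared UIDs are indistinguishable to the system; use groups instead.
        if uid_n in uid_owners:
            findings.append((name, f"shares UID {uid_n} with {uid_owners[uid_n]}"))
        uid_owners.setdefault(uid_n, name)
        # /tmp as a home directory is the exposure the chapter tells you to avoid.
        if home.rstrip("/") == "/tmp":
            findings.append((name, "home directory is /tmp"))
        # A shell missing from /etc/shells blocks interactive login.
        if shell not in shells:
            findings.append((name, f"login shell {shell} is not listed in /etc/shells"))
    return findings


if __name__ == "__main__":
    for account, problem in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f"{account}: {problem}")
```

The shell check deliberately reports rather than fixes: a system account with /sbin/nologin or /bin/false may be correct even though those paths are usually absent from /etc/shells, so the finding needs a human to decide.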

Managing Users and Groups User management is a

Thursday, April 26th, 2007

Managing Users and Groups

User management is a cornerstone activity for the healthy upkeep of a system. For security purposes, management should be limited to a few users who need to administer accounts. There are three main user administration files:

- /etc/passwd: Identifies the authorized accounts for the system.
- /etc/shadow: Holds the encrypted password of the corresponding account. Most Unix systems have this file.
- /etc/group: Contains information on group accounts.

/etc/passwd

The first and the most important administration file is /etc/passwd. This file holds the majority of information about accounts on the Unix system. Almost anyone with an account on the system can view the file, but only root can modify it. Figure 3-1 shows a sample /etc/passwd file from a Linux machine.

Figure 3-1

Figure 3-2 shows an /etc/passwd file from a Solaris 10 system. It's nearly identical to the file shown in Figure 3-1 because the format is the same among the various Unix systems.

System Accounts System accounts are those needed for

Thursday, April 26th, 2007

System Accounts

System accounts are those needed for the operation of system-specific components. They include, for example, the mail account (for electronic mail functions) and the sshd account (for ssh functionality). System accounts are generally provided by the operating system during installation or by a software manufacturer (including in-house developers). They generally assist in the running of services or programs that the users require. There are many different types of system accounts, and some of them may not exist on your Unix system. For instance, some of the system account names you may find in your /etc/passwd file (discussed later in this chapter) are adm, alias, apache, backup, bin, bind, daemon, ftp, guest, gdm, gopher, halt, identd, irc, kmem, listen, mail, mysql, named, noaccess, nobody, nobody4, ntp, root, rpc, rpcuser, and sys. These accounts are usually needed for some specific function on your system, and any modifications to them could adversely affect the system. Do not modify them unless you have done your research on their functionality and have tested the system with any changes.

User Accounts

User accounts provide interactive access to the system for users and groups of users. General users are typically assigned to these accounts and usually have limited access to critical system files and directories. Generally you want to use eight characters or fewer in an account name, but this is no longer a requirement for all Unix systems. For interoperability with other Unix systems and services, however, you will most likely want to restrict your account names to eight characters or fewer. An account name is the same as a username.

Group Accounts

Group accounts add the capability to assemble other accounts into logical arrangements for simplification of privilege (permission) management. Unix permissions (which are discussed in depth in Chapter 4) are placed on files and directories and are granted in three subsets: the owner of the file, also known as the user; the group assigned to the file, also known simply as group; and anyone who has a valid login to the system but does not fall into either the owner or group subsets, also known as others. The existence of a group enables a resource or file owner to grant access to files to a class of people.

For example, say that a company with about 100 employees uses a central Unix server for all activities from production to research to support objectives. Three of the employees compose the company's human resources (HR) staff; they often deal with sensitive information, including salaries, pay raises, and disciplinary actions. The HR staff has to store its information on the server everyone else uses, but its directory, Human_Resources, needs to be protected so that others cannot view the contents. To enable HR to set specific permissions on its files that allow access only to HR staff, the three staff members are put into a group called hr. The permissions on the Human_Resources directory can then be set to allow those members to view and modify files, while excluding all who fall into the other group (everyone else).

One of the strengths of groups is that an account can belong to many groups, based on access requirements. For instance, the two members of the internal audit team may need to access everyone's data, but their directory, called Audit, needs to be protected from everyone else's account. To do this, they can belong to all groups and still have a special audit group in which they are the only members. This situation is discussed later in the chapter.
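The owner/group/others model and the HR and audit scenario above can be checked against a small model before anyone touches a real server. The following added example, which is not code from the book, encodes the three permission subsets, the rule that an account is evaluated under the first subset it matches (owner before group before others), and the chapter's memberships: three HR staff in group hr, two auditors in every group plus their own audit group, and an account outside all of them. All account names, group names and directory modes are constructed; the function names are my own, and root, which bypasses these bits entirely, is deliberately not modeled.

```python
"""Model the owner/group/others permission check for the HR and audit scenario.

Added example, not from the book. Accounts, groups and directory settings are
constructed to match the chapter's narrative; root is not modeled.
"""
from collections import namedtuple

Resource = namedtuple("Resource", "owner group mode")  # mode is an octal int such as 0o770

# Constructed group memberships: account -> set of groups (primary plus supplementary).
MEMBERSHIPS = {
    "alice": {"staff", "hr"},
    "bob": {"staff", "hr"},
    "carol": {"staff", "hr"},
    "dave": {"staff"},                    # production engineer, not HR
    "erin": {"staff", "hr", "audit"},     # internal audit: every group plus audit
    "frank": {"staff", "hr", "audit"},
    "guest": set(),                       # a login that belongs to no group here
}

# Constructed directories: owner, group, and rwx bits for owner/group/others.
RESOURCES = {
    "Human_Resources": Resource(owner="alice", group="hr", mode=0o770),
    "Audit": Resource(owner="erin", group="audit", mode=0o770),
    "Shared": Resource(owner="dave", group="staff", mode=0o775),
}

PERM_BITS = {"read": 4, "write": 2, "execute": 1}


def permission_class(account, resource, memberships=MEMBERSHIPS):
    """Which of the three subsets applies: 'owner', 'group', or 'others'.

    Unix picks the first matching subset and uses only its bits; an owner
    who is also in the group still gets the owner bits, not a union.
    """
    if account == resource.owner:
        return "owner"
    if resource.group in memberships.get(account, set()):
        return "group"
    return "others"


def can_access(account, resource_name, action, resources=RESOURCES, memberships=MEMBERSHIPS):
    """True if `account` may perform `action` ('read', 'write', 'execute') on the resource."""
    res = resources[resource_name]
    shift = {"owner": 6, "group": 3, "others": 0}[permission_class(account, res, memberships)]
    bits = (res.mode >> shift) & 0o7
    return bool(bits & PERM_BITS[action])


def who_can(resource_name, action, resources=RESOURCES, memberships=MEMBERSHIPS):
    """Sorted list of accounts allowed to perform `action` on the resource."""
    return sorted(
        a for a in memberships if can_access(a, resource_name, action, resources, memberships)
    )


if __name__ == "__main__":
    print(who_can("Human_Resources", "read"))  # ['alice', 'bob', 'carol', 'erin', 'frank']
    print(who_can("Audit", "read"))            # ['erin', 'frank']
```

Because the auditors are members of hr as well as audit, they pass the group test on Human_Resources, while everyone outside audit falls into others on the Audit directory and gets its zero bits; that is the whole of the chapter's point about one account belonging to many groups.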

3 Understanding Users and Groups A user account

Thursday, April 26th, 2007

3 Understanding Users and Groups

A user account provides you with access to the Unix system, whether by a shell, an ftp account, or other means. To use the resources that the Unix system provides, you need a valid user account and resource permissions (permissions are discussed in Chapter 4). Think of your account as your passport, identifying who you are to the Unix system. For further Mac OS X specific information regarding users and groups, see Chapter 20.

This chapter discusses the basics of accounts and what accounts are on the various Unix systems, examines how to administer accounts, and explores the purposes of groups and how groups work. It also includes other pertinent information about users and groups in Unix.

Account Basics

There are three primary types of accounts on a Unix system: the root user (or superuser) account, system accounts, and user accounts. Almost all accounts fall into one of those categories.

Root Account

The root account's user has complete and unfettered control of the system, to the point that he can run commands to completely destroy the system. The root user (also called root) can do absolutely anything on the system, with no restrictions on files that can be accessed, removed, and modified. The Unix methodology assumes that root users know what they want to do, so if they issue a command that will completely destroy the system, Unix allows it. If you are used to working with Microsoft Windows, its administrator account is most like Unix's root account, except that Windows generally tries to protect itself from you: if you try to format the disk that the operating system is on, Windows prevents you from doing so, but Unix accepts the command and starts formatting with no regard to self-destruction. This basic tenet is why people generally use root for only the most important tasks, and then use it only for the time required and very cautiously.