Learn – Solaris 10 OS

Introducing User Administration

– Introduction

An important system administration task is setting up user accounts for each user who requires system access. Each user needs a unique account name, a user identification (UID) number, a home directory, and a login shell. You also have to determine which groups a user may access.

– Main Components of a User Account

The following is a list of the main components of a user account:

  • User name – A unique name that a user enters to log in to a system. The user name is also called the login name.
  • Password – A combination of up to 256 letters, numbers, or special characters that a user enters with the login name to gain access to a system.
  • UID number – A user account’s unique numerical identification within the system.
  • Group identification (GID) number – A unique numerical identification of the group to which the user belongs.
Note: You can add a user to predefined groups listed in the /etc/group file.
  • Comment – Information that identifies the user. A comment generally contains the full name of the user and optional information, such as a phone number or a location.
  • User’s home directory – A directory into which the user is placed after login. The directory is provided to the user to store and create files.
  • User’s login shell – The user’s work environment is set up by the initialization files that are defined by the user’s login shell.

– System Files That Store User Account Information

The Solaris 10 OS stores user account and group entry information in the following system files:

  • /etc/passwd
  • /etc/shadow
  • /etc/group

Authorized system users have login account entries in the /etc/passwd file.

The /etc/shadow file is a separate file that contains the encrypted passwords. To further control user passwords, you can enforce password aging. This information is also maintained in the /etc/shadow file.

The /etc/group file defines the default system group entries. You use this file to create new group entries or modify existing group entries on the system.

– System Files That Store User Account Information (continued)

The /etc/passwd File

Due to the critical nature of the /etc/passwd file, you should refrain from editing this file directly. Instead, you should use the Solaris™ Management Console or command-line tools to maintain the file.

The following is an example of an /etc/passwd file that contains the default system account entries.

root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

Each entry in the /etc/passwd file contains seven fields. A colon separates each field. The following is the format for an entry:

loginID:x:UID:GID:comment:home_directory:login_shell

The following list defines the requirements for each of the seven fields.

Fields in the /etc/passwd File

  • loginID – The user’s login name. It should be unique to each user. The field should contain a string of no more than eight letters (A-Z, a-z) and numbers (0-9). The first character should be a letter, and at least one character should be lowercase.
Note: Even though some programs allow a maximum of 32 characters, as well as user names that contain periods (.), underscores (_), and hyphens (-), this practice is not recommended and might cause problems with other programs.
  • x – A placeholder for the user’s encrypted password, which is kept in the /etc/shadow file.
  • UID – The UID number used by the system to identify the user. UID numbers for users range from 100 to 60000. Values 0 through 99 are reserved for system accounts. UID number 60001 is reserved for the nobody account, and UID number 60002 is reserved for the noaccess account. While duplicate UID numbers are allowed, they should be avoided unless absolutely required by a program.
Note: The maximum value for a UID is 2147483647. However, UIDs over 60000 do not have full utility and are incompatible with some Solaris OS features. Avoid using UIDs over 60000 to remain compatible with earlier versions of the operating system.
  • GID – The GID number used by the system to identify the user’s primary group. GID numbers for users range from 100 to 60000. (Those between 0 and 99 are reserved for system accounts.)
  • comment – Typically contains the user’s full name.
  • home_directory – The full path name to the user’s home directory.
  • login_shell – The user’s login shell. There are six possible login shells in the Solaris OS: the Bourne shell, the Korn shell, the C shell, the Z shell, the BASH shell, and the TC shell.
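The field rules above can be checked mechanically. The following is an added example (not code from the original page): it splits /etc/passwd entries and reports the ones that break the loginID format, the placeholder rule, the UID range or the duplicate-UID advice. The sample entries are constructed; the first three mirror default system accounts, the rest are made-up user accounts.

```python
import re
from collections import Counter

# Constructed sample: three default system accounts followed by made-up user
# entries, each of which breaks one of the rules described on the page.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
jdoe:x:1001:100:John Doe:/export/home/jdoe:/bin/ksh
JSMITH:x:1001:100:Jane Smith:/export/home/jsmith:/bin/bash
toolongname9:x:1002:100:Too Long:/export/home/toolong:/bin/sh
broken:x:1003:100:Missing field:/export/home/broken
"""

RESERVED_HIGH = {60001, 60002, 65534}                 # nobody, noaccess, nobody4
LOGIN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,7}$")  # <= 8 letters/digits, letter first

def parse_passwd(text):
    """Split each non-empty line into its colon-separated fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def audit_passwd(text):
    """Return {loginID: [problem, ...]} for entries that break the rules above."""
    entries = parse_passwd(text)
    uid_count = Counter(e[2] for e in entries if len(e) == 7)
    problems = {}
    for fields in entries:
        login, issues = fields[0], []
        if len(fields) != 7:
            problems[login] = ["expected 7 fields, found %d" % len(fields)]
            continue
        _, placeholder, uid, _gid, _comment, home, _shell = fields
        if not LOGIN_RE.match(login) or not any(c.islower() for c in login):
            issues.append("loginID must be 1-8 letters/digits, start with a letter, include a lowercase letter")
        if placeholder != "x":
            issues.append("password field should be the placeholder 'x' (hash lives in /etc/shadow)")
        if not uid.isdigit():
            issues.append("UID is not numeric")
        else:
            if int(uid) > 60000 and int(uid) not in RESERVED_HIGH:
                issues.append("UID above 60000 is not fully supported")
            if uid_count[uid] > 1:
                issues.append("duplicate UID %s" % uid)
        if not home.startswith("/"):
            issues.append("home directory must be a full path")
        if issues:
            problems[login] = issues
    return problems

if __name__ == "__main__":
    for login, issues in audit_passwd(SAMPLE_PASSWD).items():
        print(login, "->", "; ".join(issues))
```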

The table shows the default system account data for entries in the /etc/passwd file.

Default System Account Entries

  • root (UID 0) – The root account that has access to the entire system. It has almost no restrictions and overrides all other logins, protections, and permissions.
  • daemon (UID 1) – The system daemon account that is associated with routine system tasks.
  • bin (UID 2) – The administrative daemon account that is associated with running system binary files.
  • sys (UID 3) – The administrative daemon account that is associated with system logging or updating files in temporary directories.
  • adm (UID 4) – The administrative daemon account that is associated with system logging.
  • lp (UID 71) – The line printer (lp) daemon account.
  • uucp (UID 5) – The daemon account associated with UNIX®-to-UNIX Copy Protocol (UUCP) functions.
  • nuucp (UID 6) – The account that is used by remote systems to log in to the host and start file transfers using uucp.
  • smmsp (UID 25) – The sendmail message submission daemon account.
  • listen (UID 37) – The network listener daemon account.
  • gdm (UID 50) – The Gnome Display Manager daemon account.
  • webservd (UID 80) – The account reserved for WebServer access.
  • nobody (UID 60001) – The anonymous user account that is assigned by a Network File System (NFS) server when an unauthorized root user makes a request. The nobody user account is assigned to software processes that do not need any special permissions.
  • noaccess (UID 60002) – The account assigned to a user or a process that needs access to a system through some application instead of through a system login procedure.
  • nobody4 (UID 65534) – The anonymous user account that is the SunOS™ 4.X software version of the nobody account.

Note: The nobody account secures NFS resources. When a user is logged in as root on an NFS client and attempts to access a remote file resource, the UID number changes from 0 to the UID of nobody (60001).

– System Files That Store User Account Information (continued)

The /etc/shadow File

Due to the critical nature of the /etc/shadow file, you should refrain from editing it directly. Instead, maintain the fields of the file by using the Solaris Management Console or command-line tools. Only the root user can read the /etc/shadow file.

The following is an example /etc/shadow file that contains initial system account entries.

root:rJrdhjNWQQHoY:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
webservd:*LK*:::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::

Each entry in the /etc/shadow file contains nine fields. A colon separates each field.

Following is the format of an entry:

loginID:password:lastchg:min:max:warn:inactive:expire:flag

The following list defines the requirements for each of the nine fields.

Fields in the /etc/shadow File

  • loginID – The user’s login name.
  • password – A 13-character encrypted password. The string *LK* indicates a locked account, and the string NP indicates no valid password. Passwords must be constructed to meet the following requirements: each password must be at least six characters and contain at least two alphabetic characters and at least one numeric or special character. It cannot be the same as the login ID or the reverse of the login ID.
  • lastchg – The number of days between January 1, 1970, and the last password modification date.
  • min – The minimum number of days required between password changes.
  • max – The maximum number of days the password is valid before the user is prompted to enter a new password at login.
  • warn – The number of days the user is warned before the password expires.
  • inactive – The number of inactive days allowed for the user before the user’s account is locked.
  • expire – The date (given as the number of days since January 1, 1970) when the user account expires. After the date is exceeded, the user can no longer log in.
  • flag – Tracks failed login attempts. The count is kept in the low-order four bits; the remaining bits are reserved for future use and are set to zero.
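The aging fields only make sense relative to a day count since January 1, 1970. The following is an added example (not code from the original page) that reads /etc/shadow entries and reports each account's state for a given day: locked, no password, account expired, password expired, inside the warning window, or ok. The sample entries are constructed and use a placeholder in place of real password hashes; the inactive field is parsed but not evaluated, because that would need last-login data the file does not carry.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample (not a real system's file). lastchg and expire are days since
# 1970-01-01; min/max/warn are in days. Hashes are replaced by a placeholder.
SAMPLE_SHADOW = """\
root:HASHPLACEHOLDER:6445::::::
listen:*LK*:::::::
daemon:NP:6445::::::
alice:HASHPLACEHOLDER:19000:7:90:14:::
bob:HASHPLACEHOLDER:19700:7:90:14:::
dave:HASHPLACEHOLDER:19640:7:90:14:::
carol:HASHPLACEHOLDER:19700:::::18500:
"""

def days_since_epoch(d):
    """Convert a date into the day count used by the lastchg and expire fields."""
    return (d - EPOCH).days

def password_status(line, today):
    """Classify one /etc/shadow entry for 'today' given as days since the epoch."""
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, found %d: %r" % (len(fields), line))
    login, pw, lastchg, _min, mx, warn, _inactive, expire, _flag = fields
    if pw == "*LK*":
        return "locked"
    if pw == "NP":
        return "no valid password (login not possible)"
    if expire and today > int(expire):
        return "account expired"
    if not lastchg or not mx:
        return "ok (no password aging set)"
    age = today - int(lastchg)
    if age > int(mx):
        return "password expired (%d days old, max %s)" % (age, mx)
    left = int(mx) - age
    if warn and left <= int(warn):
        return "warn (%d days until expiry)" % left
    return "ok"

def audit_shadow(text, today):
    """Return {loginID: status} for every non-empty entry."""
    return {line.split(":")[0]: password_status(line, today)
            for line in text.splitlines() if line.strip()}

if __name__ == "__main__":
    for login, status in audit_shadow(SAMPLE_SHADOW, days_since_epoch(date.today())).items():
        print("%-8s %s" % (login, status))
```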

– System Files That Store User Account Information (continued)

The /etc/group File

Each user belongs to a group that is referred to as the user’s primary group. The GID number, located in the user’s account entry within the /etc/passwd file, specifies the user’s primary group.

Each user can also belong to up to 15 additional groups, known as secondary groups. In the /etc/group file, you can add users to group entries, thus establishing the user’s secondary group affiliations.

The following is an example of the default entries in an /etc/group file:

root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
mail::6:root
tty::7:root,adm
lp::8:root,adm
nuucp::9:root
staff::10:
daemon::12:root
sysadmin::14:
smmsp::25:
gdm::50:
webservd::80:
nobody::60001:
noaccess::60002:
nogroup::65534:

Each line entry in the /etc/group file contains four fields. A colon character separates each field. The following is the format for an entry:

groupname:group-password:GID:username-list

The following list defines the requirements for each of the four fields.

Fields in the /etc/group File

  • groupname – The name assigned to the group. Group names contain a maximum of eight characters.
  • group-password – Usually an empty field or an asterisk. This is a relic of earlier versions of UNIX.
Caution: A group password is a security hole because it might allow an unauthorized user, who is not a member of the group but who knows the group password, to enter the group.
Note: The newgrp command changes a user’s primary group association within the shell environment from which it is executed. If this new, active group has a password and the user is not a listed member of that group, the user must enter the password before the newgrp command can continue.
  • GID – The group’s GID number. It is unique on the local system and should be unique across the organization. Numbers 0 to 99, 60001, 60002 and 65534 are reserved for system group entries. User-defined groups range from 100 to 60000.
  • username-list – A comma-separated list of user names that represent the user’s secondary group memberships. By default, each user can belong to a maximum of 15 secondary groups.

Note: The maximum number of groups is set by the kernel parameter called ngroups_max. You can set this parameter in the /etc/system file to allow for a maximum of 32 groups. Not all applications will be able to reference group memberships greater than 16. NFS is a notable example.
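Two of the points above (a set group password, and the 15-secondary-group limit) are easy to miss by eye in a long /etc/group file. The following is an added example (not code from the original page) that parses the file, builds each user's secondary-group list and reports groups with a password set, duplicate GIDs, over-long names and users listed in more than 15 groups. The sample file is constructed: the first lines copy page defaults, the devel and secret groups are made up, and 16 generated g0..g15 lines put a made-up user in too many groups.

```python
# Constructed sample: defaults from the page, two made-up groups, and generated
# g0..g15 entries that list user 'hog' in 16 groups (one over the limit).
SAMPLE_GROUP = """\
root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
staff::10:
devel::101:alice,bob
secret:Xy9zQ:102:alice
""" + "".join("g%d::%d:hog\n" % (i, 200 + i) for i in range(16))

MAX_SECONDARY = 15   # default limit on secondary group memberships stated above

def parse_group(text):
    """Return (groupname, group-password, GID, [members]) for each entry."""
    groups = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("expected 4 fields, found %d: %r" % (len(fields), line))
        name, pw, gid, members = fields
        groups.append((name, pw, int(gid), [m for m in members.split(",") if m]))
    return groups

def secondary_groups(groups):
    """Map each user to the groups whose member list names them."""
    membership = {}
    for name, _pw, _gid, members in groups:
        for user in members:
            membership.setdefault(user, []).append(name)
    return membership

def audit_group(text):
    """Return findings for the checks described above; an empty list means clean."""
    groups = parse_group(text)
    findings, seen = [], {}
    for name, pw, gid, _members in groups:
        if len(name) > 8:
            findings.append("%s: group name longer than 8 characters" % name)
        if pw not in ("", "*"):
            findings.append("%s: group password set; non-members who know it can newgrp in" % name)
        if gid in seen:
            findings.append("%s: GID %d duplicates group %s" % (name, gid, seen[gid]))
        seen.setdefault(gid, name)
    for user, names in secondary_groups(groups).items():
        if len(names) > MAX_SECONDARY:
            findings.append("%s: %d secondary groups, limit is %d" % (user, len(names), MAX_SECONDARY))
    return findings
```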

– System Files That Store User Account Information (continued)

The /etc/default/passwd File

Set values for the following parameters in the /etc/default/passwd file to control properties for all users’ passwords on the system:

  • MAXWEEKS – Sets the maximum time period (in weeks) that the password is valid.
  • MINWEEKS – Sets the minimum time period before the password can be changed.
  • PASSLENGTH – Sets the minimum number of characters for a password. Valid entries are 6, 7, and 8.
  • WARNWEEKS – Sets the time period prior to a password’s expiration to warn the user that the password will expire.
Note: The WARNWEEKS value does not exist by default in the /etc/default/passwd file, but it can be added.

The password aging parameters MAXWEEKS, MINWEEKS, and WARNWEEKS are default values. If set in the /etc/shadow file, the parameters in that file override those in the /etc/default/passwd file for individual users.

The Solaris 10 OS release introduces a number of new controls for password management. These controls are configured by setting values in the /etc/default/passwd file.

  • NAMECHECK=NO – Sets the password controls to verify that the user is not using their login name as a component of the password.
  • HISTORY=26 – Forces the passwd program to log up to 26 changes to the user’s password. This prevents the user from reusing the same password for 26 changes. Setting the HISTORY value to zero (0) will cause the password log for a user to be removed on the next password change.
  • DICTIONLIST= – Names the dictionary word list files (comma separated) that the passwd program uses for dictionary word lookups.
  • DICTIONDBDIR=/var/passwd – Names the directory holding the dictionary database that the passwd program uses for dictionary word lookups.

Complexity of the password can be controlled using the following parameters:

#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES

By default, all of the above parameters are commented out.

Note: By forcing greater complexity of password structure, you may inadvertently cause the users to write down their passwords as they may be too difficult for the user to remember. When setting a password change policy, you must not underestimate the problems that too much complexity may cause.
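To see how these parameters combine with the password rules given for the /etc/shadow file (minimum length, alphabetic and non-alphabetic characters, not the login ID or its reverse), the following is an added example (not code from the original page or the passwd program itself) that reads a constructed /etc/default/passwd fragment, applies the built-in defaults for commented-out parameters, and reports which rules a candidate password breaks. The MINDIFF comparison against the old password is counted position by position, which is an assumption of this example.

```python
# Constructed /etc/default/passwd fragment: a commented-out line keeps its default.
SAMPLE_DEFAULT_PASSWD = """\
PASSLENGTH=8
#MINDIFF=3
MINUPPER=1
MAXREPEATS=2
MINDIGIT=1
WHITESPACE=NO
"""
DEFAULTS = {"PASSLENGTH": 6, "MINDIFF": 3, "MINALPHA": 2, "MINNONALPHA": 1, "MINUPPER": 0,
            "MINLOWER": 0, "MAXREPEATS": 0, "MINSPECIAL": 0, "MINDIGIT": 0, "WHITESPACE": "YES"}

def parse_default_passwd(text):
    """Apply KEY=VALUE lines (ignoring '#' comments) on top of the built-in defaults."""
    policy = dict(DEFAULTS)
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.strip().split("=", 1)
            policy[key] = int(value) if value.isdigit() else value
    return policy

def max_run(s):
    # Length of the longest run of one repeated character (for MAXREPEATS).
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def check_password(candidate, login, policy, old=None):
    """Return the policy rules the candidate breaks; an empty list means accepted."""
    counts = {"PASSLENGTH": len(candidate),
              "MINALPHA": sum(c.isalpha() for c in candidate),
              "MINNONALPHA": sum(not c.isalpha() for c in candidate),
              "MINUPPER": sum(c.isupper() for c in candidate),
              "MINLOWER": sum(c.islower() for c in candidate),
              "MINDIGIT": sum(c.isdigit() for c in candidate),
              "MINSPECIAL": sum(not c.isalnum() and not c.isspace() for c in candidate)}
    failures = [k for k, n in counts.items() if n < policy[k]]
    if policy["MAXREPEATS"] and max_run(candidate) > policy["MAXREPEATS"]:
        failures.append("MAXREPEATS")
    if policy["WHITESPACE"] == "NO" and any(c.isspace() for c in candidate):
        failures.append("WHITESPACE")
    if candidate.lower() in (login.lower(), login.lower()[::-1]):  # rule stated on the page
        failures.append("login ID")
    if old is not None:  # assumption: differences counted position by position plus length change
        diff = sum(a != b for a, b in zip(candidate, old)) + abs(len(candidate) - len(old))
        if diff < policy["MINDIFF"]:
            failures.append("MINDIFF")
    return failures
```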

31 comments

    1. ‘NP’ in the /etc/shadow file stands for “no passwd can be assigned”; usually this field will be available for non-login users.
      Example:
      daemon:NP:6445::::::
      bin:NP:6445::::::
      sys:NP:6445::::::
      adm:NP:6445::::::
      lp:NP:6445::::::
      uucp:NP:6445::::::
      nuucp:NP:6445::::::
      smmsp:NP:6445::::::

  1. Can you send me an example of the UNIX operating system, because I want to see how it runs? I need it for my studies, in my operating system subject. Thanks and God bless you.

  2. Good explanation… it really helped me a lot… I have a query for you: can anyone tell me in how many ways a normal user or admin can be restricted from logging in to a system?

  3. Hi, how do I set the inactive period in the shadow file by default for new user accounts (e.g. MAXWEEKS for new account password expiry)?
    For current users, is it possible to set the inactive period through the command line rather than editing the shadow file itself?

  4. Greetings! I know this is kind of off topic but I was wondering which
    blog platform are you using for this site? I’m getting sick and tired
    of WordPress because I’ve had problems with hackers and I’m looking at options
    for another platform. It would be fantastic if you could point me in the direction of a good platform.

  5. This design is spectacular! You definitely know how to keep
    a reader entertained. Between your wit and your videos, I was almost moved
    to start my own blog (well, almost…HaHa!) Excellent job.
    I really enjoyed what you had to say, and more than that, how you presented it.
    Too cool!

  6. I read a lot of interesting posts here. Probably you spend
    a lot of time writing. I know how to save you a lot of work: there is an online tool that creates high
    quality, Google-friendly posts in minutes, just type in Google – laranita free content
    source
