Introducing User Administration
– Introduction
An important system administration task is setting up user accounts for each user who requires system access. Each user needs a unique account name, a user identification (UID) number, a home directory, and a login shell. You also have to determine which groups a user may access.
– Main Components of a User Account
The following is a list of the main components of a user account:
- User name – A unique name that a user enters to log in to a system. The user name is also called the login name.
- Password – A combination of up to 256 letters, numbers, or special characters that a user enters with the login name to gain access to a system.
- UID number – A user account’s unique numerical identification within the system.
- Group identification (GID) number – A unique numerical identification of the group to which the user belongs.
Note: You can add a user to predefined groups listed in the /etc/group file.
- Comment – Information that identifies the user. A comment generally contains the full name of the user and optional information, such as a phone number or a location.
- User’s home directory – A directory into which the user is placed after login. The directory is provided to the user to store and create files.
- User’s login shell – The user’s work environment is set up by the initialization files that are defined by the user’s login shell.
– System Files That Store User Account Information
The Solaris 10 OS stores user account and group entry information in the following system files:
- /etc/passwd
- /etc/shadow
- /etc/group
Authorized system users have login account entries in the /etc/passwd file.
The /etc/shadow file is a separate file that contains the encrypted passwords. To further control user passwords, you can enforce password aging. This information is also maintained in the /etc/shadow file.
The /etc/group file defines the default system group entries. You use this file to create new group entries or modify existing group entries on the system.
– System Files That Store User Account Information (continued)
The /etc/passwd File
Due to the critical nature of the /etc/passwd file, you should refrain from editing this file directly. Instead, you should use the Solaris Management Console or command-line tools to maintain the file.
The following is an example of an /etc/passwd file that contains the default system account entries.
```
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
```
Each entry in the /etc/passwd file contains seven fields. A colon separates each field. The following is the format for an entry:
loginID:x:UID:GID:comment:home_directory:login_shell
The table defines the requirements for each of the seven fields.
Fields in the /etc/passwd File

Field | Description
---|---
loginID | Represents the user’s login name. It should be unique to each user. The field should contain a string of no more than eight letters (A-Z, a-z) and numbers (0-9). The first character should be a letter, and at least one character should be lowercase.
x | Represents a placeholder for the user’s encrypted password, which is kept in the /etc/shadow file.
UID | Contains the UID number used by the system to identify the user. UID numbers for users range from 100 to 60000. Values 0 through 99 are reserved for system accounts. UID number 60001 is reserved for the nobody account. UID number 60002 is reserved for the noaccess account. While duplicate UID numbers are allowed, they should be avoided unless absolutely required by a program.
GID | Contains the GID number used by the system to identify the user’s primary group. GID numbers for users range from 100 to 60000. (Those between 0 and 99 are reserved for system accounts.)
comment | Typically contains the user’s full name.
home_directory | Contains the full path name to the user’s home directory.
login_shell | Defines the user’s login shell. There are six possible login shells in the Solaris OS: the Bourne shell, the Korn shell, the C shell, the Z shell, the BASH shell, and the TC shell.
The table shows the default system account data for entries in the /etc/passwd file.
Default System Account Entries

User Name | User ID | Description
---|---|---
root | 0 | The root account that has access to the entire system. It has almost no restrictions and overrides all other logins, protections, and permissions.
daemon | 1 | The system daemon account that is associated with routine system tasks.
bin | 2 | The administrative daemon account that is associated with running system binary files.
sys | 3 | The administrative daemon account that is associated with system logging or updating files in temporary directories.
adm | 4 | The administrative daemon account that is associated with system logging.
lp | 71 | The line printer (lp) daemon account.
uucp | 5 | The daemon account associated with UNIX®-to-UNIX Copy Protocol (UUCP) functions.
nuucp | 6 | The account that is used by remote systems to log in to the host and start file transfers using uucp.
smmsp | 25 | The sendmail message submission daemon account.
listen | 37 | The network listener daemon account.
gdm | 50 | Gnome Display Manager daemon.
webservd | 80 | Account reserved for WebServer access.
nobody | 60001 | The anonymous user account that is assigned by a Network File System (NFS) server when an unauthorized root user makes a request. The nobody user account is assigned to software processes that do not need any special permissions.
noaccess | 60002 | The account assigned to a user or a process that needs access to a system through some application instead of through a system login procedure.
nobody4 | 65534 | The anonymous user account that is the SunOS 4.x software version of the nobody account.

Note: The nobody account secures NFS resources. When a user is logged in as root on an NFS client and attempts to access a remote file resource, the UID number changes from 0 to the UID of nobody (60001).
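As an added example (not part of the course text), the following Python script splits /etc/passwd lines into the seven fields described above and audits them the way an administrator reviewing the file would: duplicate UIDs, a second account with UID 0, reserved UIDs used by the wrong login, and login names that break the naming rules. The sample lines are constructed: the first three copy the defaults above, the rest are made-up entries (jdoe, toor, Backup, svc_account) chosen to trigger findings.

```python
import re
from collections import Counter

# Constructed sample: three default-style lines, then made-up entries that
# should each produce at least one finding.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
jdoe:x:1001:100:Jane Doe:/export/home/jdoe:/bin/ksh
toor:x:0:0:Second root:/:/sbin/sh
Backup:x:1001:100:Duplicate UID:/export/home/backup:/bin/sh
svc_account:x:60001:100:Bad name and reserved UID:/:/bin/sh
"""

# Up to eight letters and digits, first character a letter; the rule that at
# least one character is lowercase is checked separately below.
LOGIN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,7}$")
RESERVED_UIDS = {0: "root", 60001: "nobody", 60002: "noaccess", 65534: "nobody4"}

def parse_passwd(text):
    """Return one dict per entry; reject lines without exactly seven fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("expected 7 colon-separated fields: %r" % line)
        login, _x, uid, gid, comment, home, shell = fields
        entries.append({"login": login, "uid": int(uid), "gid": int(gid),
                        "comment": comment, "home": home, "shell": shell})
    return entries

def audit_passwd(entries):
    """Return (login, problem) pairs; an empty list means nothing to report."""
    findings = []
    uid_count = Counter(e["uid"] for e in entries)
    for e in entries:
        login, uid = e["login"], e["uid"]
        if not LOGIN_RE.match(login) or not any(c.islower() for c in login):
            findings.append((login, "login name breaks the naming rules"))
        if uid in RESERVED_UIDS:
            if login != RESERVED_UIDS[uid]:
                findings.append((login, "uses UID %d reserved for %s" % (uid, RESERVED_UIDS[uid])))
        elif uid > 60000:
            findings.append((login, "UID above the 100-60000 user range"))
        if uid_count[uid] > 1 and uid not in RESERVED_UIDS:
            findings.append((login, "duplicate UID %d" % uid))
    return findings
```

On a live system, read the real file with `open("/etc/passwd").read()` in place of SAMPLE_PASSWD; the parser rejects any line that does not have exactly seven fields.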
– System Files That Store User Account Information (continued)
The /etc/shadow File
Due to the critical nature of the /etc/shadow file, you should refrain from editing it directly. Instead, maintain the fields of the file by using the Solaris Management Console or command-line tools. Only the root user can read the /etc/shadow file.
The following is an example /etc/shadow file that contains initial system account entries.
```
root:rJrdhjNWQQHoY:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
smmsp:NP:6445::::::
listen:*LK*:::::::
gdm:*LK*:::::::
webservd:*LK*:::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
```
Each entry in the /etc/shadow file contains nine fields. A colon separates each field.
Following is the format of an entry:
loginID:password:lastchg:min:max:warn:inactive:expire:
The table defines the requirements for each of the nine fields.
Fields in the /etc/shadow File

Field | Description
---|---
loginID | The user’s login name.
password | A 13-character encrypted password. The string *LK* indicates a locked account, and the string NP indicates no valid password. Passwords must be constructed to meet the following requirements: each password must be at least six characters and contain at least two alphabetic characters and at least one numeric or special character. It cannot be the same as the login ID or the reverse of the login ID.
lastchg | The number of days between January 1, 1970, and the last password modification date.
min | The minimum number of days required between password changes.
max | The maximum number of days the password is valid before the user is prompted to enter a new password at login.
warn | The number of days the user is warned before the password expires.
inactive | The number of inactive days allowed for the user before the user’s account is locked.
expire | The date (given as number of days since January 1, 1970) when the user account expires. After the date is exceeded, the user can no longer log in.
flag | Tracks failed logins. The count is in the low-order four bits; the remainder is reserved for future use and set to zero.
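An added example (not from the course text) that decodes the nine colon-separated fields of /etc/shadow entries, classifies the password field as the table describes, and turns the day counts into calendar dates (last change, password expiry from lastchg plus max, the start of the warning window, and the account expiry date). The sample lines are constructed: three copy the defaults above, jdoe is a made-up account with aging set and a placeholder instead of a real hash, and guest has an empty password field.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # lastchg and expire count days from this date
FIELDS = ("loginID", "password", "lastchg", "min", "max", "warn",
          "inactive", "expire", "flag")

# Constructed sample: three default-style lines, a made-up account (jdoe) with
# aging set and a placeholder instead of a real hash, and an empty password field.
SAMPLE_SHADOW = """\
root:rJrdhjNWQQHoY:6445::::::
daemon:NP:6445::::::
listen:*LK*:::::::
jdoe:PLACEHOLDER_HASH:6445:7:56:7:30::
guest::6445::::::
"""

def parse_shadow(text):
    """Return one dict per entry; numeric fields become int, or None if empty."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError("expected 9 colon-separated fields: %r" % line)
        entry = dict(zip(FIELDS, parts))
        for name in FIELDS[2:]:
            entry[name] = int(entry[name]) if entry[name] else None
        entries.append(entry)
    return entries

def password_status(entry):
    """Classify the password field as the table above describes it."""
    special = {"*LK*": "locked", "NP": "no valid password",
               "": "EMPTY: login possible without a password"}
    return special.get(entry["password"], "password set")

def aging_dates(entry):
    """Return (last change, password expiry, warning start, account expiry)."""
    changed = expires = warn_from = account_expiry = None
    if entry["lastchg"] is not None:
        changed = EPOCH + timedelta(days=entry["lastchg"])
        if entry["max"] is not None:          # max days after the last change
            expires = changed + timedelta(days=entry["max"])
            if entry["warn"] is not None:     # warn this many days before
                warn_from = expires - timedelta(days=entry["warn"])
    if entry["expire"] is not None:           # absolute account expiry
        account_expiry = EPOCH + timedelta(days=entry["expire"])
    return changed, expires, warn_from, account_expiry
```

Reading the real file requires root, since only root can read /etc/shadow; the empty-password case is the one worth scanning for first.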
– System Files That Store User Account Information (continued)
The /etc/group File
Each user belongs to a group that is referred to as the user’s primary group. The GID number, located in the user’s account entry within the /etc/passwd file, specifies the user’s primary group.
Each user can also belong to up to 15 additional groups, known as secondary groups. In the /etc/group file, you can add users to group entries, thus establishing the user’s secondary group affiliations.
The following is an example of the default entries in an /etc/group file:
```
root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
mail::6:root
tty::7:root,adm
lp::8:root,adm
nuucp::9:root
staff::10:
daemon::12:root
sysadmin::14:
smmsp::25:
gdm::50:
webservd::80:
nobody::60001:
noaccess::60002:
nogroup::65534:
```
Each line entry in the /etc/group file contains four fields. A colon character separates each field. The following is the format for an entry:
groupname:group-password:GID:username-list
The table defines the requirements for each of the four fields.
Fields in the /etc/group File

Field | Description
---|---
groupname | Contains the name assigned to the group. Group names contain up to a maximum of eight characters.
group-password | Usually contains an empty field or an asterisk. This is a relic of earlier versions of UNIX.
GID | Contains the group’s GID number. It is unique on the local system and should be unique across the organization. Numbers 0 to 99, 60001, 60002 and 65534 are reserved for system group entries. User-defined groups range from 100 to 60000.
username-list | Contains a comma-separated list of user names that represent the user’s secondary group memberships. By default, each user can belong to a maximum of 15 secondary groups.
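An added check (not from the course text): parse /etc/group into its four fields, build each user’s secondary group list, and report entries that break the rules just described (group names over eight characters, a GID used twice, members with no passwd entry, more than 15 secondary groups). The group lines are constructed, and KNOWN_LOGINS is a made-up stand-in for the loginID column of /etc/passwd.

```python
from collections import defaultdict

MAX_SECONDARY = 15
# Constructed sample: default-style system groups plus two made-up groups.
SAMPLE_GROUP = """\
root::0:
other::1:root
sys::3:root,bin,adm
staff::10:jdoe,asmith
webadmins::101:jdoe,ghost
bkupops::101:asmith
"""
KNOWN_LOGINS = {"root", "bin", "adm", "jdoe", "asmith"}   # constructed

def parse_group(text):
    """Return one dict per entry; reject lines without exactly four fields."""
    groups = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError("expected 4 colon-separated fields: %r" % line)
        name, password, gid, members = parts
        groups.append({"name": name, "password": password, "gid": int(gid),
                       "members": [m for m in members.split(",") if m]})
    return groups

def secondary_groups(groups):
    """Map each user name to the groups whose username-list contains it."""
    by_user = defaultdict(list)
    for g in groups:
        for member in g["members"]:
            by_user[member].append(g["name"])
    return dict(by_user)

def audit_group(groups, known_logins):
    """Return (name, problem) pairs for an administrator to review."""
    findings, gid_owner = [], {}
    for g in groups:
        if len(g["name"]) > 8:
            findings.append((g["name"], "group name longer than 8 characters"))
        if g["gid"] in gid_owner:
            findings.append((g["name"], "GID %d already used by %s" % (g["gid"], gid_owner[g["gid"]])))
        gid_owner.setdefault(g["gid"], g["name"])
        for member in g["members"]:
            if member not in known_logins:
                findings.append((member, "listed in %s but has no passwd entry" % g["name"]))
    for user, names in secondary_groups(groups).items():
        if len(names) > MAX_SECONDARY:
            findings.append((user, "member of %d groups, limit is %d" % (len(names), MAX_SECONDARY)))
    return findings
```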
– System Files That Store User Account Information (continued)
The /etc/default/passwd File
Set values for the following parameters in the /etc/default/passwd file to control properties for all users’ passwords on the system:
- MAXWEEKS – Sets the maximum time period (in weeks) that the password is valid.
- MINWEEKS – Sets the minimum time period before the password can be changed.
- PASSLENGTH – Sets the minimum number of characters for a password. Valid entries are 6, 7, and 8.
- WARNWEEKS – Sets the time period prior to a password’s expiration to warn the user that the password will expire.
Note: The WARNWEEKS value does not exist by default in the /etc/default/passwd file, but it can be added.
The password aging parameters MAXWEEKS, MINWEEKS, and WARNWEEKS are default values. If set in the /etc/shadow file, the parameters in that file override those in the /etc/default/passwd file for individual users.
The Solaris 10 OS release introduces a number of new controls for password management. These controls are configured by setting values in the /etc/default/passwd file.
- NAMECHECK=NO – Sets the password controls to verify that the user is not using their login name as a component of the password.
- HISTORY=26 – Forces the passwd program to log up to 26 changes to the user’s password. This prevents the user from reusing the same password for 26 changes. Setting the HISTORY value to zero (0) will cause the password log for a user to be removed on the next password change.
- DICTIONLIST= – Names the dictionary files (a comma-separated list) that the passwd program checks new passwords against.
- DICTIONDBDIR=/var/passwd – Names the directory that holds the dictionary database the passwd program uses for those lookups.
Complexity of the password can be controlled using the following parameters:
```
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
```
By default, all of the above parameters are commented out.
Note: By forcing greater complexity of password structure, you may inadvertently cause the users to write down their passwords as they may be too difficult for the user to remember. When setting a password change policy, you must not underestimate the problems that too much complexity may cause.
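An added example (not from the course text) that reads the /etc/default/passwd parameters listed above and checks a candidate password against them, together with the basic rules quoted earlier for the /etc/shadow password field (minimum length, two alphabetic characters, one non-alphabetic character, not the login ID or its reverse). The file content is constructed with made-up values; the rule semantics are my reading of the parameter descriptions, not Sun’s passwd code.

```python
# Constructed /etc/default/passwd content: the parameter names are the ones the
# text lists, the values are made up for this example.
DEFAULT_PASSWD = """\
MAXWEEKS=8
MINWEEKS=1
PASSLENGTH=8
NAMECHECK=YES
HISTORY=26
MINALPHA=2
MINNONALPHA=1
#MINUPPER=0
#MINDIGIT=0
WHITESPACE=NO
"""

def parse_defaults(text):
    """Return NAME -> value for lines that are not commented out."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def check_password(candidate, login, params):
    """Return the names of the rules the candidate breaks (empty list = OK).
    Assumed semantics: MIN* values are minimum counts, NAMECHECK=NO switches
    the login-name comparison off, WHITESPACE=NO rejects blanks."""
    counts = {
        "MINALPHA": sum(c.isalpha() for c in candidate),
        "MINNONALPHA": sum(not c.isalpha() for c in candidate),
        "MINUPPER": sum(c.isupper() for c in candidate),
        "MINLOWER": sum(c.islower() for c in candidate),
        "MINDIGIT": sum(c.isdigit() for c in candidate),
        "MINSPECIAL": sum(not c.isalnum() and not c.isspace() for c in candidate),
    }
    broken = []
    if len(candidate) < int(params.get("PASSLENGTH", 6)):
        broken.append("PASSLENGTH")
    # Base rule quoted for /etc/shadow: two letters and one non-letter.
    defaults = {"MINALPHA": 2, "MINNONALPHA": 1}
    for name, have in counts.items():
        if have < int(params.get(name, defaults.get(name, 0))):
            broken.append(name)
    if params.get("NAMECHECK", "YES").upper() != "NO":
        low, name = candidate.lower(), login.lower()
        if low in (name, name[::-1]) or name in low:
            broken.append("NAMECHECK")
    if params.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in candidate):
        broken.append("WHITESPACE")
    return broken
```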
Sweet lesson, thanks!!!!!!!!

Welcome ….

How do you define the “NP” in the password field in /etc/shadow?
Thanks in advance.

‘NP’ in the /etc/shadow file stands for “No passwd can be assigned”; usually this field will be available for non-login users.
Example:-
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
smmsp:NP:6445::::::

Can you send me an example of the UNIX operating system? I want to see how it runs because I need it for my studies, in my operating system subject. Thanks and God bless you.
Dear Jem, you can download Solaris 10 OS from ORACLE with full features, or you can download a fake copy from openindiana.org as a LIVE CD and have UNIX features.
best,

Can anyone tell me what the default passwords are for the built-in users in Solaris 10?
Thanks in advance

Good explanation… it really helped me a lot… I have a query for you: can anyone tell me in how many ways a normal or admin user can be restricted from logging in to a system?

Hello all,
what is the case where you have to restrict a user from logging in? Can you explain more?

Thank you so much – saved me loads of time searching.

Really helpful content…….. please keep posting.

OK Dude

Hi, how do I set the inactive period in the shadow file by default for new user accounts (e.g. MAXWEEKS for new account password expiry)?
For current users, is it possible to set the inactive period through the command line rather than editing the shadow file itself?

Thanks a lot my teacher…
that’s enough to get introduced to Solaris 10
always good….always better
regards…

nice one

Nice article. Thanks a lot.
Good one…….. still expecting more.

Very informative and precise.. thanks for posting.

Thank you so much, it’s really helpful.

Thanks for the clean explanation.

Hi…
Can we give a username like “a——a”? If yes, is it not a weird name?

How are you affected by a reverse mortgage after the person has to go to a nursing home?

Good info. Lucky me, I found your website by chance (stumbleupon).
I’ve bookmarked it for later!

Heya, I am here for the first time. I found this board and I find it really helpful & it helped me out much.
I am hoping to offer one thing again and aid others such as you aided me.

Fine way of explaining, and a fastidious post to obtain facts on the topic of my presentation topic, which I am going to deliver in an institution of higher education.

This is a very interesting post..
Please provide me links to learn Solaris from the basics.
Thanks

Greetings! I know this is kind of off topic but I was wondering which blog platform are you using for this site? I’m getting sick and tired of WordPress because I’ve had problems with hackers and I’m looking at options for another platform. It would be fantastic if you could point me in the direction of a good platform.

I just couldn’t go away from your website before suggesting that I really loved the standard information an individual supplies to your visitors.
I am going to be back regularly to check up on new posts.

Thanks

This design is spectacular! You definitely know how to keep a reader entertained. Between your wit and your videos, I was almost moved to start my own blog (well, almost…HaHa!) Excellent job.
I really enjoyed what you had to say, and more than that, how you presented it.
Too cool!

I read a lot of interesting posts here. Probably you spend a lot of time writing; I know how to save you a lot of work, there is an online tool that creates high quality, google friendly posts in minutes, just type in google – laranita free content source