13.2 User Administration
The following files are referenced while doing user administration.
/etc/utmp Contains the record of users logged into the system.
/var/adm/wtmp Contains connect time accounting records.
/etc/motd Contains the message to be displayed every time a user logs in to the system.
The /etc/security/environ file is an ASCII file that contains stanzas with the environment attributes for users. Each stanza is identified by a user name and contains attributes in the Attribute=Value form with a comma separating the attributes. Each line is ended by a new-line character, and each stanza is ended by an additional new-line character. If environment attributes are not defined, the system uses default values.
The mkuser command creates a user stanza in this file. The initialization of the attributes depends upon their values in the /usr/lib/security/mkuser.default file. The chuser command can change these attributes, and the lsuser command can display them. The rmuser command removes the entire record for a user.
A typical /etc/security/environ file is shown in the following example. No environment attributes are defined in it, so the system uses default values for every user.
# pg /etc/security/environ
default:

root:

daemon:

bin:

sys:

adm:

uucp:

guest:
The /etc/security/lastlog file is an ASCII file that contains stanzas with the last login attributes for users. Each stanza is identified by a user name and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. Two user stanzas (root and john) are shown in Figure 109.
The mkuser command creates a user stanza in the lastlog file. The attributes of this user stanza are initially empty. The field values are set by the login command as a result of logging in to the system. The lsuser command displays the values of these attributes; the rmuser command removes the user stanza from this file along with the
Figure 109: /etc/security/lastlog Stanzas
The /etc/security/limits file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.
Each stanza is identified by a user name followed by a colon and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. If you do not define an attribute for a user, the system applies default values.
The default attributes and attributes for a user smith are shown in Figure 110.
When you create a user with the mkuser command, the system adds a stanza for the user to the limits file. Once the stanza exists, you can use the chuser command to change the user's limits. To display the current limits for a user, use the lsuser command. To remove users and their stanzas, use the rmuser command.
Figure 110: Contents of /etc/security/limits File
The /etc/security/user file contains extended user attributes. This is an ASCII file that contains attribute stanzas for users. The mkuser command creates a stanza in this file for each new user and initializes its attributes with the default attributes defined in the /usr/lib/security/mkuser.default file.
Each stanza in the /etc/security/user file is identified by a user name, followed by a colon (:), and contains comma-separated attributes in the Attribute=Value form. If an attribute is not defined for a user, either the default stanza or the default value for the attribute is used. You can have multiple default stanzas in the /etc/security/user file. A default stanza applies to all of the stanzas that follow it but not to the stanzas that precede it.
Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character.
To change attribute values in the /etc/security/user file, use the chuser command. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.
The /usr/lib/security/mkuser.default file contains the default attributes for new users. This file is an ASCII file that contains user stanzas. These stanzas have attribute default values for users created by the mkuser command. Each attribute has the Attribute=Value form. If an attribute has a value of $USER, the mkuser command substitutes the name of the user. The end of each attribute pair and stanza is marked by a new-line character.
There are two stanzas, user and admin, that can contain all defined attributes except the ID and admin attributes. The mkuser command generates a unique ID attribute. The admin attribute depends on whether the -a flag is used with the mkuser command. The following example shows the two stanzas of a typical /usr/lib/security/mkuser.default file.
# pg /usr/lib/security/mkuser.default
user:
        pgrp = staff
        groups = staff
        shell = /usr/bin/ksh
        home = /home/$USER

admin:
        pgrp = system
        groups = system
        shell = /usr/bin/ksh
        home = /home/$USER
The /etc/passwd file contains basic user attributes. This is an ASCII file that contains an entry for each user. Each entry defines the basic attributes applied to a user.
When you use the mkuser command to add a user to your system, the command updates the /etc/passwd file.
An entry in the /etc/passwd file has the following form with all attributes separated by a colon(:).
Name:Password:UserID:PrincipalGroup:Gecos:HomeDirectory:Shell
Password attributes can contain an asterisk (*) indicating an invalid password or an exclamation point (!) indicating that the password is in the /etc/security/passwd file. Under normal conditions, the field contains an exclamation point (!). If the field has an asterisk (*) and a password is required for user authentication, the user cannot log in.
The shell attribute specifies the initial program or shell (login shell) that is executed after a user invokes the login command or su command. The Korn shell is the standard operating system login shell and is backward compatible with the Bourne shell. If a user does not have a defined shell, /usr/bin/sh, the system default shell (Bourne shell), is used. The Bourne shell is a subset of the Korn shell.
The mkuser command adds new entries to the /etc/passwd file and fills in the attribute values as defined in the /usr/lib/security/mkuser.default file. The Password attribute is always initialized to an asterisk (*), which is an invalid password. You can set the password with the passwd or pwdadm commands. When the password is changed, an exclamation point (!) is added to the /etc/passwd file indicating that the encrypted password is in the /etc/security/passwd file.
Use the chuser command to change all user attributes except Password. The chfn command and the chsh command change the Gecos attribute and Shell attribute, respectively. To display all the attributes in this file, use the lsuser command. To remove a user and all the user's attributes, use the rmuser command.
The contents of the /etc/passwd file in Figure 111 show that the Password attributes for two users (john and bob) are ! and *, respectively. The ! means john's encrypted password is held in /etc/security/passwd; the * means bob has an invalid password and cannot log in.
Figure 111: Contents of /etc/passwd File
The /etc/security/passwd file is an ASCII file that contains stanzas with password information. Each stanza is identified by a user name followed by a colon (:) and contains attributes in the form Attribute=Value. Each attribute is ended with a new line character, and each stanza is ended with an additional new line character.
Although each user name must be in the /etc/passwd file, it is not necessary to have each user name listed in the /etc/security/passwd file. A typical file would have contents as shown in Figure 112.
Figure 112: Contents of /etc/security/passwd File
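The stanza layout described above for /etc/security/user (including default stanzas that apply only to the stanzas after them) and the Password field conventions of /etc/passwd and /etc/security/passwd can both be checked mechanically. The following Python is an added example, not code from this page or from AIX itself. The file contents, user names and attribute values are constructed, the password hash is a placeholder, and two behaviours are assumptions rather than statements from the text: lines beginning with an asterisk are treated as comments, and when several default stanzas precede a user stanza the later one wins for each attribute it defines.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed /etc/security/user-style sample with two default stanzas;
# attribute names are illustrative, not copied from the figures.
SAMPLE_USER_FILE = """\
default:
        admin = false
        rlogin = true
        umask = 022

root:
        admin = true

default:
        rlogin = false

bob:
"""

# Constructed /etc/passwd lines; carol is marked '!' but has no stanza below.
SAMPLE_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
bob:*:202:1::/home/bob:/usr/bin/ksh
carol:!:203:1::/home/carol:/usr/bin/ksh
"""

# Constructed /etc/security/passwd stanza; the hash value is a placeholder.
SAMPLE_SECURITY_PASSWD = """\
root:
        password = PLACEHOLDERHASH
"""

STANZA_HEADER = re.compile(r"^(\S+):\s*$")


def parse_stanzas(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Ordered list of (name, {attribute: value}). A blank line ends a stanza and
    '*' lines are comments (assumption); order matters because a 'default' stanza
    applies only to the stanzas that follow it, and 'default' may repeat."""
    stanzas: List[Tuple[str, Dict[str, str]]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            current = None
        elif header := STANZA_HEADER.match(line):
            current = {}
            stanzas.append((header.group(1), current))
        elif current is None or "=" not in line:
            raise ValueError(f"malformed stanza line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return stanzas


def effective_attributes(stanzas, user: str) -> Optional[Dict[str, str]]:
    """The user's own values win; otherwise the nearest preceding 'default' that
    defines the attribute supplies it (assumption: a later default overrides an
    earlier one for the stanzas after it). None if the user has no stanza."""
    defaults: Dict[str, str] = {}
    for name, attrs in stanzas:
        if name == "default":
            defaults.update(attrs)
        elif name == user:
            return {**defaults, **attrs}
    return None


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split /etc/passwd lines into their seven colon-separated fields."""
    fields = ("name", "password", "uid", "pgrp", "gecos", "home", "shell")
    entries = []
    for raw in filter(str.strip, text.splitlines()):
        parts = raw.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"expected 7 fields: {raw!r}")
        entries.append(dict(zip(fields, parts)))
    return entries


def audit_accounts(passwd_text: str, security_passwd_text: str) -> Dict[str, str]:
    """'!' should have a password stanza in /etc/security/passwd, '*' cannot log
    in, and any other Password field value is unexpected and worth a look."""
    hashes = dict(parse_stanzas(security_passwd_text))
    findings: Dict[str, str] = {}
    for entry in parse_passwd(passwd_text):
        name, field = entry["name"], entry["password"]
        has_hash = bool(hashes.get(name, {}).get("password"))
        if field == "!" and has_hash:
            findings[name] = "ok: hash held in /etc/security/passwd"
        elif field == "!":
            findings[name] = "marked ! but no password stanza in /etc/security/passwd"
        elif field == "*":
            findings[name] = "invalid password (*): user cannot log in"
        else:
            findings[name] = f"unexpected password field {field!r}"
    return findings
```

On a real system the two audit inputs are the contents of /etc/passwd and /etc/security/passwd (the latter is readable only by root). The carol case is the one to chase: the text says a ! in /etc/passwd means the encrypted password is in /etc/security/passwd, so a user marked ! with no password stanza is an inconsistency between the two files, not a normal state.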
The /etc/security/login.cfg file (Figure 113) is an ASCII file that contains stanzas of configuration information for login and user authentication. Each stanza has a name, followed by a : (colon). Attributes are in the form Attribute=Value. Each attribute ends with a new-line character, and each stanza ends with an additional new-line character. There are three types of stanzas.
The utmp file, the wtmp file, and the failedlogin file contain records with user and accounting information. When a user successfully logs in, the login program writes entries in two of them, /etc/utmp and /var/adm/wtmp.
On an invalid login attempt, due to an incorrect login name or password, the login program makes an entry in the /etc/security/failedlogin file, which contains a record of unsuccessful login attempts.
The message of the day is displayed every time a user logs in to the system. It is a convenient way to communicate information to all users, such as installed software version numbers or current system news. The message of the day is contained in the /etc/motd file. To change the message of the day, simply edit that file.
A typical /etc/motd file is shown in Figure 114.
Figure 114: Sample etc/motd File
The /etc/environment file contains variables specifying the basic environment for all processes. When a new process begins, the exec subroutine makes an array of strings available that have the form Name=Value. This array of strings is called the environment. Each name defined by one of the strings is called an environment variable or shell variable. Environment variables are examined when a command starts running.
When you log in, the system sets environment variables from the environment file before reading your login profile, .profile. Following are a few variables that make up part of the basic environment.
13.4 User Administration