Accounts
- Superuser (“root”) - created during installation
- Programs, e.g., web server, backup, ssh server, etc. – created during program installation
- Users – created as needed by superuser
/home/username
- Home directory of username
- Created during adduser
- Not the only possible location for home directories
- Especially on larger systems, or with “legacy accounts” from other Unix systems
- May be an alias for the actual location
Non-local Accounts
- Accounts on multiple systems are typically administered from a central location
- Home directories may be shared across machines
- Direct access to account information files (e.g., /etc/passwd) is discouraged
root
- Superuser account, privileged user
- First account in system (userID of 0)
- No restrictions on what command can be performed or what program can be run
- Home directory (recommended): /root – “root on root”
- Not in /home directory with other accounts
- Used to be in “/”
- “root in root”
- Also has its own group
Using root
- Security problems when unauthorized program gets root status
- Recommended: minimize use of root, i.e., work as an ordinary user and su to root when needed
- Ubuntu, OS X do not enable root login by default
- sudo
- Fine-grain permission to users to run programs, access files
- Log kept of access
- Authentication required; remembered for a 5 minute timespan
- Notifies root (by email) when an unauthorized command is attempted
User Account files and directories
- /home/
- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/gshadow
- Typically created using adduser or useradd command
/etc/passwd
- Main account attributes: username, password, userID (uid), groupID (gid), gecos, home directory, default shell
- Colon (“:”) separated fields
- An empty attribute appears as “::”
- Any user can read the file
- Modify using usermod
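Added example (not from the lecture notes): a few shell checks over a file in /etc/passwd format, reading records on stdin so they run on the constructed sample below or on the real file (`passwd_uid0 < /etc/passwd`). The sample records are made up for the demonstration; the field order is the one the notes list.

```shell
#!/bin/sh
# Added example, not from the lecture notes: sanity checks over a file in
# /etc/passwd format. Each function reads passwd-format records on stdin,
# so it works on the constructed sample below or on the real file:
#   passwd_uid0 < /etc/passwd

# Constructed sample (not a real system's file). Field order is the one
# the notes list: username:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob::1001:1001::/home/bob:/bin/bash
toor:x:0:0:second uid 0 account:/:/bin/sh
broken:x:1002:1002:/home/broken:/bin/bash'

# Records that do not have exactly 7 colon-separated fields.
passwd_malformed() {
    awk -F: 'NF != 7 { print NR ": " $0 }'
}

# Usernames whose uid is 0: every such account is a superuser, whatever
# it is called. Normally the output is exactly one line: root.
passwd_uid0() {
    awk -F: 'NF == 7 && $3 == 0 { print $1 }'
}

# Usernames with an empty password field ("::" in the record). An "x"
# means the hash lives in /etc/shadow; an empty field means no password
# is required at all.
passwd_empty_password() {
    awk -F: 'NF == 7 && $2 == "" { print $1 }'
}

# Duplicate uids: two usernames sharing a uid are the same identity to
# the kernel, which makes file ownership and logs ambiguous.
passwd_duplicate_uids() {
    awk -F: 'NF == 7 { seen[$3] = seen[$3] " " $1; n[$3]++ }
             END { for (u in n) if (n[u] > 1) print u ":" seen[u] }'
}

# Run every check over one input and print a labelled report.
audit_passwd() {
    input=$(cat)
    for check in passwd_malformed passwd_uid0 passwd_empty_password passwd_duplicate_uids; do
        echo "== $check"
        printf '%s\n' "$input" | "$check"
    done
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On the sample, the report lists the 6-field `broken` record, two uid 0 accounts (`root` and `toor`), `bob` with an empty password field, and uid 0 as a duplicated uid. On a real system the first three checks are expected to produce one line (`root`) or nothing.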
/etc/shadow
- Purpose: hide passwords
- Restricted to root
- Attributes: username, password (encrypted), password aging information
- One-way encryption algorithm (a password hash), based on DES – crypt() function
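Added example (not from the lecture notes): reading the password and aging fields of /etc/shadow-format records. The records below are constructed and the hash strings are placeholders, not real crypt() output; the "current day" is fixed so the result is deterministic. Run as root against the real file with `shadow_expired_passwords $(( $(date +%s) / 86400 )) < /etc/shadow`.

```shell
#!/bin/sh
# Added example, not from the lecture notes: read the aging fields of
# records in /etc/shadow format. Functions read records on stdin, so they
# work on the constructed sample or, as root, on the real file.
#
# Field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day counts are days since 1970-01-01.

# Constructed sample records (the hash strings are placeholders, not real hashes).
SAMPLE_SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19600:0:90:7:::
bob:!:19650:0:99999:7:::
carol::19700:0:99999:7:::'

# Classify the password field by its crypt() prefix: a leading "$id$"
# names the hashing scheme, "!" or "*" marks a locked account, and a
# 13-character value with no prefix is the traditional DES-based crypt.
shadow_hash_kind() {
    awk -F: '{
        h = $2
        if (h == "")            kind = "EMPTY (no password required)"
        else if (h ~ /^[!*]/)   kind = "locked/disabled"
        else if (h ~ /^\$6\$/)  kind = "sha512-crypt"
        else if (h ~ /^\$5\$/)  kind = "sha256-crypt"
        else if (h ~ /^\$1\$/)  kind = "md5-crypt"
        else if (h ~ /^\$/)     kind = "other crypt scheme"
        else                    kind = "traditional DES crypt (13 chars)"
        print $1 ": " kind
    }'
}

# Usernames whose password has passed its maximum age on day TODAY
# (days since epoch); 99999 is the conventional "never expires" value.
shadow_expired_passwords() {
    awk -F: -v today="$1" '
        $5 != "" && $5 < 99999 && ($3 + $5) < today { print $1 }'
}

# Usernames with an empty password field.
shadow_empty_passwords() {
    awk -F: '$2 == "" { print $1 }'
}

TODAY=19720   # constructed "current day" so the demo is deterministic
printf '%s\n' "$SAMPLE_SHADOW" | shadow_hash_kind
echo "== expired on day $TODAY"
printf '%s\n' "$SAMPLE_SHADOW" | shadow_expired_passwords "$TODAY"
echo "== empty password field"
printf '%s\n' "$SAMPLE_SHADOW" | shadow_empty_passwords
```

With the sample, `alice` (last change day 19600, maximum age 90) is reported as expired on day 19720, `carol` has an empty password field, and `bob` and `daemon` are locked.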
/etc/group
- Accounts (e.g., users) belong to groups
- Serves as a way of sharing files and directories with a subset of all users
- Default group created for each user (during adduser)
- Create additional groups using addgroup
/etc/gshadow
- Purpose: hide group passwords
- “man gshadow”
- Groups also have a password, and an administrator (will revisit later)