(Dr.R.K.) HOWTO - Adding a New User


This ``howto'' gives all the basic steps for setting up a new user account on your average UN*X (or Linux) machine. A lot of these steps can be automated, but it's a good idea to understand what's necessary to put a new user on your machine. Please review all the steps first before trying to perform the tasks, since some of the earlier steps require information to be given in later steps. These commands must be performed from the root account, which has ``super user'' permissions and can do most anything.

In the following discussion commands or literal text will be given in this font, and generic things will be given in this font.

Slackware 3.3 comes with pretty good shadow password support, which I personally recommend. The reason for shadow password support is that it takes the users' and root's encrypted passwords out of the /etc/passwd file, which must remain world readable for many of the utilities such as ls to get the user name from the uid. The passwords are kept in the /etc/shadow file, which can be readable only by root.

The best procedures for adding a user when shadow passwords are enabled are given below in the shadow password section. However, it's advisable that you read the manual method given here immediately below to understand the steps of adding a user.

  1. Edit the password file, /etc/passwd, to contain the following type of information (one line for each user)
    username:x:uid:gid:full name:home_path:shell
    where
    • username - a unique name to identify the user
    • The second field (delimited by :'s) is the password. Setting it to x disables logins to this user account, and if you are set up for a shadow password file this will allow you to change the password as shown later.
    • uid - a unique octal number to specify the user
    • gid - an octal number indicative of the primary ``group'' the user belongs to.
    • full name - The name of the user (or GCOS field)
    • home_path - the home directory path of the user
    • shell - what shell the user should use, typically /bin/csh
    To safely edit the /etc/passwd file use the /usr/sbin/vipw utility, because if you mess up the password file this can cause serious problems with the usability of your system. (It's not really that bad, but you should be careful! ;^)

    As an example, I would add the following line to add rk as a user and member of the owen group:

    rk:x:100:101:R.K. Owen Ph.D.:/u/owen/rk:/bin/csh
  2. Edit the group file, /etc/group, to add the new user to one or more of the groups. A group entry has the following format:
    groupname::gid:user1,user2,...
    • groupname - a unique name to identify this group
    • The second field (delimited by :'s) is the group password. I haven't known of any site that actually uses this ... so generally set it to nothing (a zero length string).
    • gid - a unique octal number to specify the group. This number is also used in the /etc/passwd file to indicate the primary group for the user.
    • user1,user2,... - all the users that are a part of this group. These usernames are the same as given in the /etc/passwd file.
    Groups are an expression of some commonality. A user can be in more than one group.

    As an example, to add rk to the owen & src groups:

    src::16:root,bin,src,rk
    owen::101:rk,marsha
    
  3. Set your umask so that the user files & directories receive the same permissions in the following operations.
    umask 027
    use this if you don't want other users (not in the same group) to be able to look at the user's files. This is probably the preferred setting.
    umask 022
    allows any user on the system to read files in this user's directories.
    umask 077
    No one but the user can read his files or directories unless the user specifically changes the permissions.
    Things can always be changed later with the chmod -R command.

  4. Change to the root directory for the user's home directory, and create the directory. Usually, the directory name will be the same as the user name. This must be the same as given in the /etc/passwd file.

    For example, to create a directory for rk:

    cd /u/owen
    mkdir rk
    
  5. Set up the user directory with a rudimentary set of files. The ``skeleton'' or template for a user directory is typically contained in /etc/skel. If you don't have one yet (or haven't customized what you have for your system) then you need to address this issue.

    The files which are typically contained in the /etc/skel are:

    -rwxr-x---   1 root     root           96 May  3  1996 .cshrc*
    -rw-r-----   1 root     root         3016 May 13  1994 .emacs
    -rw-r-----   1 root     root          269 May  3  1996 .exrc
    -rwxr-x---   1 root     root          180 Nov 22 09:19 .login*
    drwxr-x---   2 root     root         1024 May  3  1996 bin/
    -rw-r-----   1 root     root           67 May  3  1996 calendar
    drwxr-x---   2 root     root         1024 May  3  1996 man/
    drwxr-x---   2 root     root         1024 May  3  1996 src/
    drwxr-x---   2 root     root         1024 May  3  1996 tmp/
    

    To set up this same structure in a new user directory, first cd to the new directory and use find & cpio -p to perform the copy. There are other ways of doing this and any of them will work, but this is probably the most portable.

    For example, to copy this same structure to /u/owen/rk do the following:

    cd /etc/skel
    find . -print | cpio -p -d -m /u/owen/rk
    
  6. Permissions and ownership of the directory & files need to be fixed. Unless this step is done the user will probably not be able to read or write any files.

    For example, to set the ownership use chown -R. To set the group membership of the files use chgrp -R. The -R option says to do it ``recursively'' throughout the entire directory structure to all sub-directories and so on.

    cd /u/owen
    chown -R rk rk
    chgrp -R owen rk
    
  7. Set the user's password to enable the user to login. The password needs to be communicated to the user. The user should be advised to change the password once they login by using the passwd command.

    For example, to change the password for rk:

    passwd rk
      Changing password for rk
      Enter new password: h0w2new
      Re-type new password: h0w2new
      Password changed.
    
    The actual password won't be echoed to the screen ... that's why you're prompted twice to verify that you actually typed in the intended password. The only difference for the user is that they will have to give the ``old'' password before being prompted twice for the new password.

    At this point, it's a good idea to educate the user about basic system security:

    • Passwords should be at least 6 characters long
    • Have nothing to do with the user (i.e. middle name, wife's name, birthdate, car license, etc.). These are called ``joe'' accounts and crackers are always on the look-out for them. You might as well hang your house key on the front-door!
    • Should not be a single word that could be found in some type of dictionary.
    • The password should have a combination of letters (mixed case), numbers, and even add punctuation characters if possible.
    • It must not be shared with others, and there's absolutely no need to ever give your password to a ``system administrator'' or anyone, for that matter.

  8. You have, pretty much, added a new user to your UN*X machine. One last thing to do is to send email to the user ... this ensures that the user's mail spool gets created. You can have a ``boiler plate'' message you send out that explains the policies you have regarding security, etc.

    For example, to send email to rk:

    mail rk
    
    Of course, you must be knowledgeable enough about email to send a message.
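
The script below is an added example, not part of the original howto: it checks hand-edited copies of the passwd and group files against the field layouts given in steps 1 and 2 (field counts, unique usernames and uids, empty password fields, gids missing from the group file, group members missing from the passwd file). The function names and every sample entry other than the rk, src and owen lines quoted above are constructed for illustration.

```shell
# Added example: audit hand-edited copies of the passwd and group files.
# Usage: audit_accounts PASSWD_FILE GROUP_FILE   (prints one finding per line)
audit_accounts() {
    awk -F: -v gfile="$2" '
    FILENAME == gfile {                 # pass 1: groupname:password:gid:members
        if (NF != 4) { print "group line " FNR ": expected 4 fields, got " NF; next }
        gid_name[$3] = $1
        members[++ng] = $1 ":" $4
        next
    }
    {                                   # pass 2: the seven passwd fields
        if (NF != 7) { print "passwd line " FNR ": expected 7 fields, got " NF; next }
        if ($1 in by_name)     print "passwd line " FNR ": duplicate username " $1
        if ($3 in by_uid)      print "passwd line " FNR ": uid " $3 " already used by " by_uid[$3]
        if ($2 == "")          print "passwd line " FNR ": " $1 " has an empty password field"
        if (!($4 in gid_name)) print "passwd line " FNR ": gid " $4 " of " $1 " is not in the group file"
        by_name[$1] = 1
        if (!($3 in by_uid)) by_uid[$3] = $1
    }
    END {                               # every listed group member must be a known user
        for (i = 1; i <= ng; i++) {
            split(members[i], g, ":"); n = split(g[2], u, ",")
            for (j = 1; j <= n; j++)
                if (!(u[j] in by_name)) print "group " g[1] ": member " u[j] " is not in the passwd file"
        }
    }' "$2" "$1"
}

# Constructed sample files in a scratch directory (never the live /etc files).
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
rk:x:100:101:R.K. Owen Ph.D.:/u/owen/rk:/bin/csh
marsha::100:101:Marsha:/u/owen/marsha:/bin/csh
guest:x:102:999:Guest:/u/guest
EOF
    cat > "$dir/group" <<'EOF'
root::0:root
src::16:root,bin,src,rk
owen::101:rk,marsha
EOF
    echo "$dir"
}

samples=$(make_samples)
audit_accounts "$samples/passwd" "$samples/group"
rm -rf "$samples"
```

Run it against copies of the real files after an editing session; no output means none of these inconsistencies were found.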

Shadow Passwords

This gives the basic steps for adding a user if you have shadow passwords enabled. It's usually better to become familiar with the shadow password tools, since it's very difficult to coordinate changes between all the necessary files. To convert an already existing /etc/passwd file that is not yet in shadow password form, use the pwconv command.
  1. Make sure the intended group exists by creating it with
    groupadd -g gid groupname

  2. To add a user as given in the above example
    # modifies the /etc/{passwd|group|shadow} files
    #   -u  give it an explicit uid, else
    #   -g  specify user's initial group (must exist already)
    #   -d  and home directory
    #   -s  and login shell
    #   -m  creates user's home directory from /etc/skel
    #   rk  login name
    useradd -u 100 -g owen -d /u/owen/rk -s /bin/csh -m rk
    
    then use
    chfn rk
    to modify the GCOS field.

    If you insist on using vipw then be sure to run

    pwconv
    to automatically create the user's entry in the /etc/shadow file.

    The useradd command does the first 6 steps as given above (1,2,3,4,5,6). The only thing that needs to be done is to set the permission of the user's home directory with

    chmod g+rX /u/owen/rk
    to grant group read access to the home directory.

  3. Set the user's password (see above)

  4. Users can be added to a group with the command
    usermod -g groupname username
    or
    usermod -G groupname username
    where the first one will set the given group as the user's primary group, and the second will just add the user to the group.

  5. There are many commands: useradd, userdel, usermod, groupadd, groupdel, groupmod, passwd, chfn, chsh, pwconv, and pwunconv.
    More information about each one can be found by executing the man utility
    man commandname
    to look at the command's man page.
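
The script below is an added example, not part of the original howto: it looks for accounts the shadow conversion has not covered (a password field in the passwd file that is not x, or no entry in the shadow file, as happens when vipw is used without pwconv) and checks that the passwd file is world readable while the shadow file is not. The function names and all sample entries are constructed; the shadow lines use ! as a placeholder where a password hash would be.

```shell
# Added example: check passwd/shadow consistency and read permissions.
# Usage: shadow_audit PASSWD_FILE SHADOW_FILE   (prints one finding per line)
shadow_audit() {
    awk -F: -v sfile="$2" '
    FILENAME == sfile { in_shadow[$1] = 1; next }        # pass 1: shadow names
    {                                                    # pass 2: passwd entries
        in_passwd[$1] = 1
        if ($2 != "x")          print $1 ": password field in passwd is not x"
        if (!($1 in in_shadow)) print $1 ": no shadow entry (pwconv not run?)"
    }
    END {                                                # leftovers of removed users
        for (name in in_shadow)
            if (!(name in in_passwd)) print name ": shadow entry without a passwd entry"
    }' "$2" "$1"
    # passwd must stay world readable; shadow must not be.
    [ -n "$(find "$1" -prune -perm -004)" ] || echo "$1: not world readable"
    [ -z "$(find "$2" -prune -perm -004)" ] || echo "$2: world readable"
}

# Constructed sample files in a scratch directory (never the live /etc files).
make_shadow_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
rk:x:100:101:R.K. Owen Ph.D.:/u/owen/rk:/bin/csh
marsha:x:103:101:Marsha:/u/owen/marsha:/bin/csh
old:CONSTRUCTEDHASH:104:101:Old Style:/u/owen/old:/bin/csh
EOF
    cat > "$dir/shadow" <<'EOF'
root:!:10000:0:99999:7:::
rk:!:10000:0:99999:7:::
old:!:10000:0:99999:7:::
gone:!:10000:0:99999:7:::
EOF
    chmod 644 "$dir/passwd" "$dir/shadow"    # shadow is deliberately too open here
    echo "$dir"
}

samples=$(make_shadow_samples)
shadow_audit "$samples/passwd" "$samples/shadow"
rm -rf "$samples"
```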

Brought to you by: R.K. Owen,Ph.D.
This page is http://owen.sj.ca.us/rkowen/howto/newuser.html