HOWTO - Adding a New User |
This ``howto'' gives all the basic steps for setting up a new user account on your average UN*X (or Linux) machine. A lot of these steps can be automated, but it's a good idea to understand what's necessary to put a new user on your machine. Please review all the steps first before trying to perform the tasks, since some the earlier steps require information to be given in later steps. These commands must be performed from the root account, which has ``super user'' permissions and can do most anything.In the following discussion commands or literal text will be given in this font, and generic things will be given in this font.
Slackware 3.3 comes with pretty good shadow password support, which I personally recommend. The reason for shadow password support is that it takes the users' and root's encrypted password out of the /etc/password file, which must remain world readable for many of the utilities such as ls to get the user name from the uid. The passwords are kept in the /etc/shadow file, which can be readable only by root.
The best procedures for adding a user when shadow passwords are given below in the shadow password section. However, it's advisable that you read the manual method given here immediately below to understand the steps of adding a user.
- Edit the password file, /etc/passwd, to contain the following type of information (one line for each user)
username:x:uid:gid:full name:home_path:shell
whereTo safely edit the /etc/passwd file use the /usr/sbin/vipw utility. Because, if you mess up the password file this can cause serious problems to the usability of your system. (It's not really that bad, but you should be careful! ;^)
- username - a unique name to identify the user
- The second field (delimited by :'s) is the password. Setting it to x disables logins to this user account, and if you are set up for a shadow password file this will allow you to change the password as shown later.
- uid - a unique octal number to specify the user
- gid - an octal number indicative of the primary ``group'' the user belongs to.
- full name - The name of the user (or GCOS field)
- home_path - the home directory path of the user
- shell - what shell the user should use, typically /bin/csh
As an example, I would add the following line to add rk as a user and member of the owen group:
rk:x:100:101:R.K. Owen Ph.D.:/u/owen/rk:/bin/csh- Edit the group file, /etc/group, to add the new user to one or more of the groups. A group entry has the following format:
groupname::gid:user1,user2,...Groups are an expression of some commonality. A user can be in more than one group.
- groupname - a unique name to identify this group
- The second field (delimited by :'s) is the group password. I haven't known of any site that actually uses this ... so generally set it to nothing (a zero length string).
- gid - a unique octal number to specify the group. This number is also used in the /etc/passwd file to indicate the primary group for the user.
- user1,user2,... - all the users that are apart of this group. These usernames are the same as given in the /etc/passwd file.
As an example, to ad rk to the owen & src group:
src::16:root,bin,src,rk owen::101:rk,marsha- Set your umask so that the user files & directories receive the same permissions in the following operations.
Things can always be changed later with the chmod -R command.
- umask 027
- use this if don't want other users (not in the same group) to be able to look at the users files. This is probably the prefered setting.
- umask 022
- allows any user on the system to read files in this user's directories.
- umask 077
- No one but the user can read his files or directories unless the user specifically changes the permissions.
- Change to the root directory for the user's home directory, and create the directory. Usually, the directory name will be the same as the user name. This must be the same as given in the /etc/passwd file.
For example, to create a directory for rk:
cd /u/owen mkdir rk- Set up the user directory with a rudimentory set of files. The ``skeleton'' or template for a user directory is typically contained in /etc/skel. If you don't have one yet (or haven't customized what you have for your system) then you need to address this issue.
The files which are typically contained in the /etc/skel are:
-rwxr-x--- 1 root root 96 May 3 1996 .cshrc* -rw-r----- 1 root root 3016 May 13 1994 .emacs -rw-r----- 1 root root 269 May 3 1996 .exrc -rwxr-x--- 1 root root 180 Nov 22 09:19 .login* drwxr-x--- 2 root root 1024 May 3 1996 bin/ -rw-r----- 1 root root 67 May 3 1996 calendar drwxr-x--- 2 root root 1024 May 3 1996 man/ drwxr-x--- 2 root root 1024 May 3 1996 src/ drwxr-x--- 2 root root 1024 May 3 1996 tmp/To set up this same structure in a new user directory, first cd to the new directory and use find & cpio -p to perform the copy. There are other ways of doing this and any of them will work, but this is probably the most portable.
For example, to copy this same structure to /u/owen/rk do the following:
cd /etc/skel find . -print | cpio -p -d -m /u/owen/rk- Permissions and ownership of the directory & files needs to be fixed. Unless this step is done the user will probably not be able to read or write any files.
For example, to set the ownership use chown -R. To set the group membership of the files use chgrp -R. The -R option says to do it ``recursively'' through out the entire directory structure to all sub-directories and so on.
cd /u/owen chown -R rk rk chgrp -R owen rk- Set the user's password to enable the user to login. The password needs to be communicated to the user. The user should be advised to change the password once they login by using the passwd command.
For example, to change the password for rk:
The actual password won't be echoed to the screen ... that's why you're prompted twice to verify that you actually typed in the intended password. The only difference for the user is that they will have to give the ``old'' password before being prompted twice for the new password.passwd rk Changing password for rk Enter new password: h0w2new Re-type new password: h0w2new Password changed.At this point, it's a good idea to educate the user about basic system security:
- Passwords should be at least 6 characters long
- Have nothing to do with the user (i.e. middle name, wife's name, birthdate, car license, etc.). These are called ``joe'' accounts and crackers are always on the look-out for them. You might as well hang your house key on the front-door!
- Should not be a single word that could be found in some type of dictionary.
- The password should have a combination of letters (mixed case), numbers, and even add punctuation characters if possible.
- It must not be shared with others, and there's absolutely no need to ever give your password to a ``system administrator'' or anyone, for that matter.
- You have, pretty much, added a new user to your UN*X machine. One last thing to do is to send email to the user ... this insures that the user's mail spool get's created. You can have a ``boiler plate'' message you send out that explains the policies you have regarding security, etc.
For example, to send email to rk:
Of course, you must be knowledgeable enough about email to send a message.mail rkShadow Passwords
This gives the basic steps for adding a user if you have shadow passwords enabled. It's usually better to become familiar with the shadow password tools, since it's very difficult to coordinate changes between all the necessary files. To convert an already existing /etc/passwd file which is not currently under shadow password form use the pwconv command.
- Make sure the intend group exists by creating it with
groupadd -g gid groupname
- To add a user as given in the above example
then useuseradd \ # modifies the /etc/{passwd|group|shadow} files -u 100 \ # give it an explicit uid, else -g owen \ # specify user's initial group (must exist already) -d /u/owen/rk \ # and home directory -s /bin/csh \ # and login shell -m \ # creates user's home directory from /etc/skel rk # login namechfn rkto modify the GCOS field.If you insist on using vipw then be sure to run
pwconvto automatically create users entry in the /etc/shadow file.The useradd command does the first 6 steps as given above (1,2,3,4,5,6). The only thing that needs to be done is to set the permission of the users home directory with
chmod g+rX /u/owen/rkto grant group read access to the home directory.
- Set the users password (see above)
- Users can be added to a group with the command
usermod -g groupname usernameorusermod -G groupname usernamewhere the first one will set the given group as the user's primary group. and the second will just add the user to the group
- There are many commands: useradd, userdel, usermod, groupadd, groupdel, groupmod, passwd, chfn, chsh, pwconv, and pwunconv.
More information about each one can be found by executing the man utilityman commandnameto look at the command's man page.
Last Modified:
Brought to you by: R.K. Owen,Ph.D.
This page is http://owen.sj.ca.us/rkowen/howto/newuser.html