Sun Microsystems, Inc.
spacerspacer
spacer www.sun.com docs.sun.com |
spacer
black dot
 
 
4.  Managing User Accounts and Groups (Overview) What You Can Do With Solaris User Management Tools Modify User Accounts  Previous   Contents   Next 
   
 

Delete User Accounts

When you delete a user account with the Users Tool, the software deletes the entries in the passwd and group files. In addition, you can delete the files in the user's home directory and mail directory.

Add Customized User Initialization Files

Although you can't create customized user initialization files with the Users Tool, you can populate a user's home directory with user initialization files located in a specified "skeleton" directory by creating a user template with the User Templates tool.

You can customize the user initialization templates in the /etc/skel directory and then copy them to users' home directories.

Administer Passwords

You can use Users Tool for password administration, which includes specifying a normal password for a user account, enabling users to create their own passwords during their first login, disabling or locking a user account, or specifying expiration dates and password aging information.

Note - Password aging is not supported by the NIS name service.

Disable User Accounts

Occasionally, you might need to temporarily or permanently disable a login account. Disabling or locking a user account means that an invalid password, *LK*, is assigned to the user account, preventing future logins.

The easiest way to disable a user account is to use the Users Tool to lock the password for an account. You can also enter an expiration date in the account availability section of the User Properties screen to set how long the user account is disabled.

Other ways to disable a user account is to set up password aging or to change the user's password.

Where User Account and Group Information Is Stored

Depending on your site policy, you can store user account and group information in a name service or a local system's /etc files. In the NIS+ name service, information is stored in tables, and in the NIS name service, information is stored in maps.

Note - To avoid confusion, the location of the user account and group information is generically referred to as a file rather than as a database, table or map.

Most of the user account information is stored in the passwd file. However, password encryption and password aging is stored in the passwd file when using NIS or NIS+ and in the /etc/shadow file when using /etc files. Password aging is not available when using NIS.

Group information is stored in the group file.

Fields in the passwd File

The fields in the passwd file are separated by colons and contain the following information: 

username:password:uid:gid:comment:home-directory:login-shell

For example:

kryten:x:101:100:Kryten Series 4000 Mechanoid:/export/home/kryten:/bin/csh

The following table describes the passwd file fields.

Table 4-11 Fields in the passwd File

Field Name

Description

username

Contains the user or login name. User names should be unique and consist of 1-8 letters (A-Z, a-z) and numerals (0-9). The first character must be a letter, and at least one character must be a lowercase letter.

password

Contains an x, a placeholder for the encrypted password. The encrypted password is stored in the shadow file.

uid

Contains a user identification (UID) number that identifies the user to the system. UID numbers for regular users should range from 100 to 60000. All UID numbers should be unique.

gid

Contains a group identification (GID) number that identifies the user's primary group. Each GID number must be a whole number between 0 and 60002 (60001 and 60002 are assigned to nobody and noaccess, and 65534 is assigned to nobody4).

comment

Usually contains the full name of the user. (This field is informational only.) It is sometimes called the GECOS field because it was originally used to hold the login information needed to submit batch jobs to a mainframe running GECOS (General Electric Computer Operating System) from UNIX systems at Bell Labs.

home-directory

Contains the user's home directory path name.

login-shell

Contains the user's default login shell, such as /bin/sh, /bin/csh or /bin/ksh. Table 4-18 contains a description of shell features.

Default passwd File

The default Solaris passwd file contains entries for standard daemons, processes usually started at boot time to perform some system-wide task, such as printing, network administration, and port monitoring.

root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:

Table 4-12 Default passwd File Entries

User Name

User ID

Description

root

0

Superuser account.

daemon

1

Umbrella system daemon associated with routine system tasks.

bin

2

Administrative daemon associated with running system binaries to perform some routine system task.

sys

3

Administrative daemon associated with system logging or updating files in temporary directories.

adm

4

Administrative daemon associated with system logging.

lp

71

Line printer daemon.

uucp

5

Daemon associated with uucp functions.

nuucp

6

Daemon associated with uucp functions.

smmsp

25

Sendmail message submission program daemon.

listen

37

Network listener daemon.

nobody

60001

Assigned to users or software processes that do not need nor should have any special permissions.

noaccess

60002

Assigned to a user or a process that needs access to a system through some application but without actually logging in.

nobody4

65534

SunOS 4.0 or 4.1 version of the nobody user account.

Fields in the shadow File

The fields in the shadow file are separated by colons and contain the following information: 

username:password:lastchg:min:max:warn:inactive:expire

For example:

rimmer:86Kg/MNT/dGu.:8882:0::5:20:8978

The following table describes the shadow file fields.

Table 4-13 Fields in the shadow File

Field Name

Description

username

Contains the user or login name.

password

Might contain the following entries: a 13-character encrypted user password; the string *LK*, which indicates an inaccessible account; or the string NP, which indicates no password for the account.

lastchg

Indicates the number of days between January 1, 1970, and the last password modification date.

min

Contains the minimum number of days required between password changes.

max

Contains the maximum number of days the password is valid before the user is prompted to specify a new password.

inactive

Contains the number of days a user account can be inactive before being locked.

expire

Contains the absolute date when the user account expires. Past this date, the user cannot log in to the system.

Fields in the group File

The fields in the group file are separated by colons and contain the following information: 

group-name:group-password:gid:user-list

For example:

bin::2:root,bin,daemon

The following table describes the group file fields.

Table 4-14 Fields in the group File

Field Name

Description

group-name

Contains the name assigned to the group. For example, members of the chemistry department in a university might be called chem. Group names can have a maximum of eight characters.

group-password

Usually contains an asterisk or is empty. The group-password field is a relic of earlier versions of UNIX. If a group has a password, the newgrp command prompts users to enter it. However, there is no utility to set the password.

gid

Contains the group's GID number. It must be unique on the local system, and should be unique across the entire organization. Each GID number must be a whole number between 0 and 60002. Numbers under 100 are reserved for system default group accounts. User defined groups can range from 100 to 60000. (60001 and 60002 are reserved and assigned to nobody and noaccess, respectively.)

user-list

Contains a comma-separated list of user names, representing the user's secondary group memberships. Each user can belong to a maximum of 15 secondary groups.

Default group file

The default Solaris group file contains the following system groups that support some system-wide task, such as printing, network administration, and electronic mail. Many of these having corresponding entries in the passwd file.

root::0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
smmsp::25:smmsp
sysadmin::14:root
nobody::60001:
noaccess::60002:
nogroup::65534:

Table 4-15 Default group File Entries

Group Name

Group ID

Description

root

0

Superuser group.

other

1

Optional group.

bin

2

Administrative group associated with running system binaries.

sys

3

Administrative group associated with system logging or temporary directories.

adm

4

Administrative group associated with system logging.

uucp

5

Group associated with uucp functions.

mail

6

Electronic mail group.

tty

7

Group associated with tty devices.

 

8

Line printer group.

nuucp

9

Group associated with uucp functions.

staff

10

General administrative group.

daemon

12

Group associated with routine system tasks.

sysadmin

14

Administrative group associated with Admintool and Solstice AdminSuite tools.

smmsp

25

Sendmail message submission program daemon.

nobody

60001

Group assigned to users or software processes that do not need nor should have any special permissions.

noaccess

60002

Group assigned to a user or a process that needs access to a system through some application but without actually logging in.

nogroup

65534

Group assigned to a user who not a member of a known group.

 		 
 
  Previous   Contents   Next