Maintaining UNIX Users – Part 2/2

UNIX provides a number of command-line tools to help with account maintenance.

  • passwd
  • pwck
  • grpck
  • useradd
  • userdel
  • usermod
  • groupadd
  • groupdel
  • groupmod
  • logins (Solaris only)
  • vipw

passwd

The most common account tool is the passwd command. This utility changes the password of an established account and can be invoked by ordinary system users as well as the system administrator. Changing a password is the default behavior, and the procedure looks like this:

# passwd
passwd: Changing password for stevem
Enter login password:
New password:
Re-enter new password:
passwd (SYSTEM): passwd successfully changed for stevem

When selecting a new password, the following can be used as a general set of guidelines:

  • Each user account password must be a minimum number of characters long. This minimum is defined within the /etc/default/passwd file.
  • A password must have at least one number or special character, plus at least two alphabetic characters. These characters may include both uppercase and lowercase.
  • A password must be different from the login name and from any simple variation of the login name, including variations that use uppercase letters.
  • New account passwords must be sufficiently different from the old ones.

The passwd program supports a number of powerful command-line options. These can be divided into three categories: those that permit the user to alter some information within the account configuration files, those that control the login account system in some way, and those that report account information.

  • -e: Change the login shell of the user.
  • -F: Use an alternative password file (HP-UX only).
  • -g: Change the comment field of the user.
  • -h: Change the home directory of the user.
  • -r: Specify which repository the change should be made in (HP-UX only).
  • -a: Show password attributes for all entries within the /etc/passwd file.
  • -s: Show password attributes for the specified login name.
  • -l: Lock out a particular user from the system.

pwck

The pwck utility performs a consistency check on the UNIX /etc/passwd administrative file to ensure that it remains free from syntax errors and doesn’t contain invalid information. This utility can be used to detect the following:

  • Syntax errors
  • Invalid field information
  • Incorrect number of fields

Typically, this program would be executed after the /etc/passwd file was updated. However, if the administrator uses standard tools to manipulate the password file, then no consistency check is really needed. With many of the system-supplied tools (for example, admintool), it would be very difficult to introduce a syntax error, since these programs were written to catch and resolve such problems. The only time the check is needed is when the /etc/passwd file is updated manually.
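The three kinds of problem listed above can be seen in a small check run over a hand-edited file. This is an added example, not pwck itself or code from the original article; the login-name pattern, the absolute-path rules and every sample entry other than stevem are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pwck-style checks on passwd-format input read from stdin.
# The login-name pattern and absolute-path rules are assumptions of this
# example; the real pwck applies each platform's own rules.

# Print one "line N: problem" per finding; return 1 if anything was found.
check_passwd() {
    awk -F: '
        function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        # Incorrect number of fields: a passwd entry has exactly seven.
        /^[ \t]*$/  { report("blank line"); next }
        NF != 7     { report("expected 7 fields, found " NF); next }
        # Invalid field information.
        $1 !~ /^[a-z_][a-z0-9_-]*$/ { report("invalid login name \"" $1 "\"") }
        seen[$1]++                  { report("duplicate login name \"" $1 "\"") }
        $3 !~ /^[0-9]+$/            { report("invalid UID \"" $3 "\"") }
        $4 !~ /^[0-9]+$/            { report("invalid GID \"" $4 "\"") }
        substr($6, 1, 1) != "/"     { report("home directory \"" $6 "\" is not an absolute path") }
        $7 != "" && substr($7, 1, 1) != "/" { report("shell \"" $7 "\" is not an absolute path") }
        END { exit bad + 0 }
    '
}

# Constructed sample data; only "stevem" appears in the article.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/root:/sbin/sh
stevem:x:1001:10:Steve M:/home/stevem:/bin/ksh
anitat:x:10o2:10:Anita T:/home/anitat:/bin/ksh
billc:x:1003:10:/home/billc:/bin/ksh
jjwalker:x:1004:10:JJ Walker:home/jjwalker:/bin/ksh
stevem:x:1005:10:Second entry:/home/stevem2:/bin/ksh
EOF
}

sample_passwd | check_passwd || echo "passwd data needs attention"
```

On a live system the same function can be run as check_passwd < /etc/passwd after a manual edit.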

grpck

The grpck utility performs a consistency check on the UNIX /etc/group administrative file and operates in the same manner as the pwck tool. It performs similar syntax and field checks on the group file. The syntax is the same as pwck: simply execute the grpck tool on the command line and it will scan the file and report any problems it finds.

useradd

The useradd tool provides the ability to add a new UNIX user to the system from the command line. Each of the required account fields is specified on the command line with a designated option. This tool is very useful if you must add a user to the system but don’t have access to a workstation that can display a GUI tool. Also, if you need to automate the adding of users, this tool can be used as the basis of such automation.

  • -c Specifies the account comment
  • -d Specifies the account home directory
  • -u Specifies the UID for the user
  • -e Specifies account expiration
  • -f Specifies the interval for account deactivation
  • -g Specifies the group of the account
  • -G Specifies additional account groups
  • -k Specifies the directory that contains the skeleton information that will be copied to a new user’s account
  • -m Creates the user’s home directory if it doesn’t already exist
  • -s Specifies the full pathname of the login shell
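When useradd is used as the basis for automation, the account data should be validated before it reaches a command that runs as root. The following dry-run planner is an added example, not code from the original article; the record format (login:uid:group:comment), the UID floor of 100, the /home base directory, the /bin/sh shell and the sample records are all assumptions.

```shell
#!/bin/sh
# Added example: dry-run planner for scripted account creation with useradd.
# The record format (login:uid:group:comment), the UID floor of 100, /home
# and /bin/sh are assumptions of this example, not values from the article.
LC_ALL=C; export LC_ALL

reject() { echo "rejected '$1': $2" >&2; rejected=1; }

# Read records from stdin and print one useradd command per valid record.
# Nothing is executed; returns 1 if any record was rejected.
plan_useradd() {
    rejected=0
    while IFS=: read -r login uid group comment; do
        case $login in
            ''|[!a-z_]*|*[!a-z0-9_-]*) reject "$login" "bad login name"; continue ;;
        esac
        case $uid in
            ''|*[!0-9]*|???????*) reject "$login" "bad UID"; continue ;;
        esac
        [ "$uid" -ge 100 ] || { reject "$login" "UID below 100"; continue; }
        case $group in
            ''|[!a-z_]*|*[!a-z0-9_-]*) reject "$login" "bad group name"; continue ;;
        esac
        # Letters, digits, space, dot, underscore and hyphen only, so the
        # comment can be single-quoted safely in the generated command.
        case $comment in
            *[!A-Za-z0-9\ ._-]*) reject "$login" "bad comment"; continue ;;
        esac
        printf "useradd -u %s -g %s -c '%s' -d /home/%s -m -s /bin/sh %s\n" \
            "$uid" "$group" "$comment" "$login" "$login"
    done
    return "$rejected"
}

# Constructed sample records: two valid, three that must be rejected.
sample_requests() {
    cat <<'EOF'
anitat:1010:staff:Anita T
billc:1011:staff:Bill C
bad;name:1012:staff:Constructed bad login
sysacct:0:staff:Constructed low UID
jjwalker:10x3:staff:Constructed bad UID
EOF
}

sample_requests | plan_useradd || echo "some records were rejected" >&2
```

The printed commands can be reviewed and then run by the administrator; rejected records are reported on standard error.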

userdel

The userdel tool provides the ability to remove a UNIX user from the system using the command line. The command supports a single command-line option, -r, which will force the program to remove the home directory of the user.

usermod

The usermod tool is used to make changes to already-defined UNIX accounts. It uses many of the same command-line arguments as the useradd command and also supports a few new ones.

  • -l Change the existing user name to a new name.
  • -L Lock the user account (Linux only).
  • -m Move the user’s home directory.
  • -U Unlock the user account (Linux only).
  • -u Modify the UID.

groupadd

The groupadd command provides the ability to add a new group to the system using the command line. The command-line options include the -g and -o arguments. The -g option permits the specification of the group ID number instead of using the next-highest number defined by the system. The -o option permits the inclusion of a duplicate group ID number.

groupdel

The groupdel command provides the inverse of the groupadd command; it removes an existing UNIX account group.

groupmod

The groupmod tool is used to alter the name of an existing group.

logins

The Solaris system supports a tool called logins that displays a list of all the defined users on the system. The tool supports a few command-line options:

  • -a Adds two additional password expiration fields to the output
  • -d Displays only logins with duplicate IDs
  • -g Displays all accounts matching the specified group name
  • -l Displays the specified user
  • -m Shows multiple group membership information
  • -o Displays the information using colon-separated fields with one entry per line
  • -p Displays logins that contain no passwords
  • -s Displays only system logins
  • -t Displays entries sorted by login name rather than by user ID
  • -x Displays additional information about each user

vipw

The vipw command provides a quick way to edit the password file. Running the command starts the vi editor with the /etc/passwd file so that you can edit the contents.