First, edit /etc/fstab and select the partitions to enable quotas. Your choices are usrquota, for individual users, or grpquota, for putting quotas on groups. It’s okay to have both:

/dev/hda6 / ext3 defaults 0 1
/dev/hda7 /home ext3 defaults,usrquota,grpquota 0 2

Now remount the filesystem:

# mount -o remount /home

Quota’s init script will run quotacheck, which will examine the installation, create a database of disk usage, and create quota files.

Next, assign a quota to a user. This opens a configuration file in your default editor:

# edquota -u vhenson
Disk quotas for user vhenson (uid 1550):
Filesystem blocks soft hard inodes soft hard
/dev/hda7 550466 0 0 47466 0 0

Soft limits allow a grace period, with warnings to the user. Hard limits cut them off immediately. To set limits, simply edit the file:

# edquota -u vhenson
Disk quotas for user vhenson (uid 1550):
Filesystem blocks soft hard inodes soft hard
/dev/hda7 550466 650000 700000 47466 0 0

Blocks are always 1024 bytes, so 650,000 blocks is about 665 megabytes.

Save and close the file, and verify that the quota is in effect:

# quota vhenson
Disk quotas for user vhenson (uid 1550): 650000 700000

To assign a quota to a group use:

# edquota -g engineers

Note that if a single greedy user in a group uses up the group quota, it’s too bad for the rest of the group—it’s all gone.

This invokes the default editor, for setting the grace period for soft limits on the entire filesystem:

# edquota -t
Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
Filesystem Block grace period Inode grace period
/dev/hda3 7days 7days

You can use one “prototype” user as the model for new users:

# edquota -p vhenson dnorth

or for a whole bale of users:

# edquota -p vhenson `awk -F: ‘$3 > 999 {print $1}’ /etc/passwd`

Or you can list several at once:

# edquota -p vhenson dnorth jvesperman sanvin

You’ll doubtless want to keep an eye on things. This repquota command gives a system-wide snapshot of current usage:

# repquota -a

For a specific filesystem, use:

# repquota /home

Let’s say that you have a user, jhaugh, upon whom you wish to bestow full rootly powers. Because sudo users use their own passwords, root’s password is protected. Edit /etc/sudoers with visudo—it will open in your default text editor:

# visudo
# sudoers file.
#
# This file MUST be edited with the ‘visudo’
# command as root.
# See the man page for details on how to write
# a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification

root ALL=(ALL) ALL

First, set up a host alias:

Host_Alias LOCALHOST= localhost

Under the “User privilege specification” line, you can add individual users:

jhaugh ALL=(ALL) ALL

This gives jhaugh root powers for everything on the system and on all connected machines. Now say you have another user, tgwynne, who needs root privileges only on the local machine. Add the following line for this user:

tgwynne LOCALHOST = ALL

Adding to your delegation of minions is msmith, who is allowed only to shut down the local machine:

msmith LOCALHOST = /sbin/shutdown, /sbin/halt

This grants groups of ordinary users shutdown privileges on their own machines:

# Host alias specification
Host_Alias LOCALHOST= localhost
# User alias specification
User_Alias USERS = tgwynne, msmith, jhaugh, \
abyron, jwinters

# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown, /usr/sbin/halt, \
/usr/sbin/reboot, /usr/sbin/poweroff

# User privilege specification
USERS LOCALHOST = SHUTDOWN

To execute a sudo command, users do this:

$ sudo /usr/sbin/halt

They will be prompted for their passwords, then the command will execute. Users can check which commands they are authorized for with the following command:

$ sudo -l

User jhaugh may run the following commands on this host:
(ALL) ALL

sudo logs all errors to the syslog, and tattles to root:

$ sudo /usr/sbin/halt
carla is not in the sudoers file. This incident will be reported.

Groups of servers can be defined, and users can be given privileges to the groups:

# Host alias specification
Host_Alias FILESERVERS = host1, host2, host3
# User alias specification
User_Alias FILESERVADMINS = jhaugh, abyron, jwinters
# Cmnd alias specification
Cmnd_Alias FILEUTILS = /bin/chgrp, /bin/chmod, \
/bin/chown, /bin/cp, /bin/dd, /bin/df, \
/bin/dir, /bin/dircolors, /bin/du, /bin/install, \
/bin/ln, /bin/ls, /bin/mkdir, /bin/mkfifo, \
/bin/mknod,bin/mv, /bin/rm, /bin/rmdir, \
/bin/shred, /bin/touch, /bin/vdir sync
# User privilege specification
FILESERVADMIN FILESERVERS = FILEUTILS

sudo can also be used to let users execute scripts, such as backup scripts. Be very careful with scripts, or any command that gives shell access or invokes a text editor, because these may allow users to escalate their privileges. You can try to restrict sudo users to RJOE, which is a restricted editor that cannot invoke a shell, but it’s better to be careful with how you delegate rootly chores in the first place.

Paste your list of login names directly into /etc/group.

Here’s a quick way to generate a list of users to add to /etc/group. This depends on having a UID numbering scheme already in place, so that you can easily sort out selected groups of users. Let’s add some Trainers to a group:

$ awk -F: ‘($3 >= 1050) && ($3 <=1060) { print $1}' /etc/passwd | tr '\n' ','
bcool,bkind,frnow,kthxbye,oknodo,

Now copy and paste into /etc/group.

What if you do not have a nice, tidy, organized UID scheme? This is where the GECOS fields come in handy. Go back and pick one for entering some kind of label. The “other” field is best, because users are blocked from changing it. Where is this “other” field? It’s inside the “full name,” or GECOS, field which contains five comma-delimited fields. It looks like this:

bcool:x:1300:1300:Bob Cool,,,,trainer:/home/bkind:/bin/bash
bkind:x:1055:1055:Bev Kind,,,,trainer:/home/bkind:/bin/bash

Once you’ve added the labels, grep and awk can easily fetch these users for you:

$ cat /etc/passwd | grep trainer | awk -F: ‘{ print $1}’ | tr ‘\n’ ‘,’
bkind,bcool,

Use the mass_passwd script. It lets you select batches of users in three different ways:

# mass_passwd
username1
username2
…
# mass_passwd -g
groupname
groupname
…
# mass_passwd -a

The first method uses a simple space-delimited list of logins.

The second method changes the passwords of users belonging to the named groups.

The third method changes every password in /etc/passwd.

Then mass_passwd generates a separate file for each user, containing their new login names and passwords and whatever instructions or policies you choose to include. This is designed to make it easy to print a separate instruction sheet for each user.

You may do a dry run with the -n flag:

# ./mass_passwd -v -g -n usergroup
generating password for dawns…..teivuphu
generating password for nikitah…..kohfahsh
2 password(s) reset – see /root/mass_passwds/mass_passwd.log

No passwords are changed; this just lets you test-drive your options before committing to any changes.

login
:
firstname
lastname

You may also include additional GECOS data, like this:

dawns:Dawn Marie Schroder,,123-4567,trainers

Then invoke the mass_useradd script. It creates entries in /etc/passwd, /etc/group, and /etc/shadow; home directories; personal login groups; and passwords that expire at first use.

This tells mass_useradd to use the list of new users in newusers and to overwrite or create the output file newlogins.txt:

# sh mass_useradd < newusers > newlogins.txt

This appends the new logins and passwords to newlogins.txt:

# sh mass_useradd < newusers >> newlogins.txt

In addition to the output file, which is a simple list, mass_passwd creates a separate file for each user, containing the new login name and instructions. This makes it easy to print them individually for distribution. These files, plus a log file, are stored in the home directory of the user who runs the scripts (usually root):

# ls /root/mass_passwds

dawns.passwd.txt nikitah.passwd.txt mass_passwd.log rubst.passwd.txt

Because the scripts use standard Shadow Suite utilities, they are easy to customize by adjusting the options for the various utilities used in the scripts.

The output file looks like this:

dawns shabaefi 1002
nikitah gohbinga 1003
rubst ahtoohaa 1004

/etc/passwd looks like this:

dawns:x:1002:1002:Dawn Marie Schroder,,123-4567,trainers:/home/dawns:/bin/bash
nikitah:x:1003:1003:Nikita Horse,,123-4567,equine:/home/nikitah:/bin/bash
rubst:x:1004:1004:Rubs The Cat,101,,234-5678,,test:/home/rubst:/bin/bash

The individual files generated for each user look like this:

———————————————————

Login name: rubst

Password: eejahgue

Please log in and change your password; the system should prompt you to do this when you log in. You can change your password at any time with the ‘passwd’ command. Choose a strong password – everyday words, birthdays, names of people or animals, all these are too eay to guess. Also, DO NOT give your password to anyone, ever. The IT staff will never ask you for your password, and neither should anyone else. You will be held responsible for all activity done via your account.

————————————————————

mass_useradd

#!/bin/sh
## Mass Useradd For Linux
## This script extracts new user data from a delimited
## text file, and automatically generates new user accounts.
## It generates a random password for each login, and exports
## the new logins and passwords to a text file.
## Passwords automatically expire at first login. The
## input file format is “username: full name” (no quotes) for
## each line.
##
## Mass Useradd creates a “User Personal Group.”
## The UID and the GID are the same. User’s home directories
## are created with restrictive permissions, chmod 700.
## Mass Useradd uses standard Shadow Suite utilities.
## Values and behaviors are easily modifiable, according
## to the individual utility being called. It calls
## a companion script, mass_passwd, to set each user password.
## You should have received mass_passwd from the same source
## as mass_useradd.
##
## This script was created by Aaron Malone, and modified by
## Meredydd Luff, Peter Samuelson, and Kathryn Hogg.
## Many thanks!
## Carla Schroder wrote the documentation and pestered
## the aforementioned persons to write the script.
## Copyright (C) 2003 Carla Schroder
## carla at bratgrrl dot com
## This program is free software; you can redistribute
## it and/or modify it under the terms of the GNU General
## Public License as published by the Free Software
## Foundation; either version 2 of the License, or (at your
## option) any later version.
##
## This program is distributed in the hope that it will
## be useful, but WITHOUT ANY WARRANTY; without even the
## implied warranty of MERCHANTABILITY or FITNESS FOR A
## PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
## http://www.fsf.org/licenses/gpl.html
##
## Usage:
## # sh mass_useradd < inputfile >> new-passwords.txt
##

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:$PATH

# Read a line of input.
# the format of the input file must be like this:
# userlogin : FirstName LastName
# to use a comma-delimited file, change IFS=”:$IFS” to
# IFS=”,$IFS”

while IFS=”:$IFS” read username realname; do

# First, weed out blank lines and #comments
case “$username” in
” | \#*) continue ;;
esac

# this part reads /etc/passwd and /etc/group, and calculates
# the next available UID and GID.
# it starts at {id=1000}, change this to suit
id=$({ getent passwd; getent group; } | cut -f3 -d: | sort -un |
awk ‘BEGIN { id=1000 }
$1 = = id { id++ }
$1 > id { print id; exit }’)

# Now users are added to /etc/group, /etc/passwd,
# and home directories with chmod 700 are created
# Any of the groupadd, useradd, and chmod options
# can be changed to suit
groupadd -g $id $username
useradd -m -c “$realname” -g $username -u $id $username
chmod 700 /home/$username

# Set the password. This calls another script from
# this toolkit, mass_passwd, which can be used independently.
# mass_passwd outputs the username, password and userid.
$(dirname $0)/mass_passwd -M $username

done

mass_passwd

#!/bin/sh
## Mass Password Change for Linux
## This requires the Shadow Suite utilities.
## Usage:
## mass_passwd username username …
## mass_passwd -g groupname groupname …
## mass_passwd -a
##
## This program is free software; you can redistribute
## it and/or modify it under the terms of the GNU General
## Public License as published by the Free Software
## Foundation; either version 2 of the License, or (at your
## option) any later version.
##
## This program is distributed in the hope that it will
## be useful, but WITHOUT ANY WARRANTY; without even the
## implied warranty of MERCHANTABILITY or FITNESS FOR A
## PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
## http://www.fsf.org/licenses/gpl.html

#############################################################

## This is where the “username.passwd.txt” files will
## be dumped. It will be created if it doesn’t already exist
text_file_dir=$HOME/mass_passwds
log_file=mass_passwd.log

## Minimum userid considered a regular (human) user
min_uid=1000

## Length of generated passwords
pass_len=8

## Length of time, in days, before a password expires
pass_expire=90

##############################################################

## Few user-serviceable parts inside.
## You may wish to edit the text between the two ———
## lines, below.
# Get the name of this program (probably “mass_passwd”)
prog=${0##*/}

usage ( ) {
echo “usage: $prog [-v] [-n] username …”
echo ” $prog [-v] [-n] [-g] groupname …”
echo ” $prog [-v] [-n] [-a]”
echo ” -g change passwords of everyone in a group”
echo ” -a change everyone’s password”
echo ” -v verbose”
echo ” -n don’t do it, just simulate (implies -v)”
exit 0
}

short_usage ( ) {
echo >&2 “usage: $prog [-v] [-g] [-a] name…”
echo >&2 ” $prog -h for help”
exit 1
}

# echo something, but only if in verbose mode
vecho ( ) {
test -n “$verbose” && echo “$@”
}

# Generate a random password.
#
# If pwgen is available, use that – that’s what it’s for, and it works well.
#
# If not, read /dev/urandom and filter out all non-
#alphanumeric characters until we have enough for a password.
# The numbers in the “tr -d” are ASCII values, in octal
# notation, of ranges of character values to delete.
#
# Using /dev/urandom like this is very inefficient, but
# who cares?

randompass ( ) {
pwgen $pass_len 1 2>&- ||
tr -d ‘[\000-\057][\072-\100][\133-\140][\173-\377]‘ < /dev/urandom |
dd bs=$pass_len count=1 2>&-
}

# Interpret usernames / groupnames / “-a” mode, and return
# a list of usernames
get_users ( ) {
if [ -n "$all_mode" ]; then
getent passwd | awk -F: ‘{if ($3 >= ‘$min_uid’) {print $1}}’
return
fi
if [ -z "$group_mode" ]; then
echo “$@”
return
fi

# ok, we’re in group mode, must look up the users who
# belong to a group
while [ -n "$1" ]; do
g_ent=$(getent group “$1″ 2>&-)
if [ -z "$g_ent" ]; then
echo >&2 “warning: $1: group not found”
continue
fi
members=${g_ent##*:}
gid=${g_ent%:*}
gid=${gid##*:}
echo “$members” | tr ‘,’ ‘ ‘
getent passwd | awk -F: ‘{if ($4 = = ‘$gid’) { print $1 } }’
shift
done
}

#############################################################

## main body

group_mode=; verbose=; all_mode=; simulate=; eol=;
while [ -z "$eol" ]; do
case “$1″ in
-g) group_mode=1; shift ;;
-v) verbose=1; shift ;;
-a) all_mode=1; shift ;;
-n) simulate=true; verbose=1; shift ;;
# we’re called from mass_useradd
-M) mass_out=1; shift ;;
-h | -? | –help) usage ;;
–) eol=1; shift ;;
-*) short_usage ;;
*) eol=1 ;;
esac
done

# Set up a secure environment and the directory for
# printable text files
PATH=/usr/sbin:/usr/bin:$PATH
umask 077
mkdir -p $text_file_dir
cd $text_file_dir

processed=0
for u in $(get_users “$@”); do
vecho -n “generating password for $u…”
pass=$(randompass)
echo “$u:$pass” | eval $simulate chpasswd
vecho -n “.”
eval $simulate chage -M $pass_expire -d 2003-01-01 $u
vecho -n “.”

rm -f $u.passwd.txt
echo > $u.passwd.txt “\

————————————————————-

Login name: $u

Password: $pass

Please log in and change your password; the system should prompt you to do this
when you log in. You can change your password at any time with the ‘passwd’ command.
Choose a strong password – everyday words, birthdays, names of people or animals,
all these are too easy to guess. Use combinations of letters and numbers. Write down your
password in a safe place.
Also, DO NOT give your password to anyone, ever. The IT
staff will never ask you for your password, and neither
should anyone else. You will be held responsible for all
activity done via your account.
————————————————————-”

printf >> $log_file “$(date) %-12s %s\\n” $u $pass
vecho “$pass”
if [ -n "$mass_out" ]; then
uid=$(getent passwd $u | cut -f3 -d:)
echo -e “$u\\t$pass\\t$uid”
fi
processed=$(expr $processed + 1)
done

if [ $processed -gt 0 ]; then
test -z “$mass_out” &&
echo >&2 “$processed password(s) reset – see $text_file_dir/$log_file”
else
echo >&2 “no users specified – see ‘$prog -h’ for help”
fi

Use pwck for checking /etc/passwd and /etc/shadow, and use grpck for /etc/group and /etc/gshadow:

# pwck

# grpck

pwck performs a consistency check on the /etc/passwd and /etc/shadow files. It checks each user account, and verifies that it has:

• The correct number of fields
• A unique user name
• A valid user and group identifier
• A valid primary group
• A valid home directory
• A valid login shell

pwck will report any account that has no password.

When pwck finds an error, your choices are to delete the account or to ignore the account, in which case pwck shuts down and won’t check any more lines (with one exception: if it finds a duplicate name, it will continue checking even if you don’t delete the account)

grpck checks the /etc/group and /etc/gshadow files to verify that each group has:

• The correct number of fields
• A unique group name
• A valid list of members and administrators

You may also use adduser and usermod, but beware of sneaky gotchas: adduser will only add a user to one group at a time, but usermod, which allows you to list several groups at once, will overwrite any existing group assignments.

# addgroup —system
newsysgroup

You can assign the GID, overriding the default. Remember to stick with your distribution’s (or your personal) numbering scheme:

# addgroup —system —gid 300
newsysgroup

Both adduser and useradd can do this. adduser works like this:

# adduser —system —no-create-home —group squid
Adding system user squid…
Adding new group squid (109).
Adding new user squid (109) with group squid
Not creating home directory

Check your work:

# cat /etc/passwd | grep squid
squid:x:109:109::/home/squid:/bin/false

Even though it lists /home/squid, a home directory is not created.

Here’s how useradd does it:

# useradd -d /dev/null -g squid -s /bin/false squid

The nobody user is the default for a lot of daemons and processes that need a system account, but an increasing number of applications require their own unique users. Use a unique user whenever possible, because it’s a good security practice. The nobody account is a common cracker target, and you don’t want to expose all kinds of processes and daemons to a common point of attack.

To delete a group use:

# groupdel
groupname

Deleting a group tends to be messy, because there is no utility for automatically migrating or deleting any files or users belonging to the group. You’ll need to hunt these down and change the GIDs manually:

# find / -gid 750
/usr/src/include/lber.h
/usr/src/include/ldap.h
/usr/src/include/ldbm.h

You can change these one at a time:

# chgrp 800 /usr/src/include/lber.h

Or you can let find and chgrp do the work:

# find / -gid 750 -exec chgrp -v 800 { } \;