The User Environment

Terms you’ll need to understand:

Techniques you’ll need to master:

This chapter covers the Exam I (310-009) objectives that address the user environment. This consists of administering user accounts and the initialization files associated with user accounts.

User Accounts

User accounts control access to the system. The administration of user accounts and the passwords associated with these accounts is a key system administration activity.

Account Administration

User accounts can be added, modified, or deleted manually or by using the admintool(1M). The preferred method is the admintool command, as this reduces or eliminates the possible introduction of typos and other errors that might affect all the user accounts.

Creating An Account Using The admintool Command

When the admintool command is started, the Users window is displayed as shown in Figure 6.1. To display the Add User window, select Add from the Edit pull-down menu. The Add User window, shown in Figure 6.2, consists of three portions: User Identity, Account Security, and Home Directory.

Figure 6.1 The Admintool: Users window

Figure 6.2 The Admintool: Add User window

The User Identity portion provides the information that needs to be defined to add a user account. All this information is stored in the /etc/passwd file except secondary groups information, which is stored in the /etc/group file. Table 6.1 lists the fields of the User Identity section.

Table 6.1 User identity fields of the Admintool: Add User window

Field             Description
User Name         A unique user account name consisting of a maximum of eight upper- and lowercase letters and/or numbers.
User ID           The UID associated with the user account. A unique number, typically between 1000 and 60000. The next available number starting at 1000 is provided automatically.
Primary Group     The group to which the user should be assigned. By default, 10 (staff) is provided. Any specified group must exist before members can be added.
Secondary Groups  Additional groups (separated by commas) to which the user should be assigned. Specified groups must exist before members can be added.
Comment           Any text that should be placed in the /etc/passwd gcos field.
Login Shell       The Bourne (default), C, or Korn shell can be selected. Another shell can be specified by selecting "other" from the pull-down menu and entering the name of the shell in the field.

The Account Security portion provides the information used to determine how the password should be defined and to set up password aging. All this information is stored in the /etc/shadow file. Table 6.2 lists the fields of the Account Security section.

Table 6.2 Account Security fields of the Admintool: Add User window

Field             Description
Password          The password can be cleared until first login, the account can be locked, no password can be assigned (the account is used only for executing programs), or a password can be defined.
Min Change        Minimum number of days required between password changes.
Max Change        Maximum number of days the password is valid.
Max Inactive      Maximum number of days the account can be inactive before the password must be changed.
Expiration Date   Date the account expires.
Warning           Number of days before the password expires that the user is warned.

The Home Directory portion is used to define the home directory of the account and to create it if necessary. This path is stored in the /etc/passwd file. The appropriate initialization files are created in the home directory on the basis of the type of login shell selected.

Creating A Group Using The admintool Command

To create a group account, start the admintool command if it is not already active. Display the Groups window by selecting Groups from the Browse pull-down menu. The Groups window is shown in Figure 6.3.

Figure 6.3 The Admintool: Groups window

Then, display the Add Group window by selecting Add from the Edit pull-down menu. The Add Group window is shown in Figure 6.4.

Figure 6.4 The Admintool: Add Group window

Enter a unique group name in the Group Name field. Use the next available GID number or enter a unique GID in the Group ID field. In the Members List field, enter one or more user account names separated by commas. Using the mouse, click on OK. The new group is displayed in the Groups window.

Deleting An Account Using the admintool Command

To delete a user account, start the admintool command if it is not already active. Display the Users window by selecting Users from the Browse pull-down menu (see Figure 6.1).

With the mouse, click on the desired account entry to highlight it and then select Delete from the Edit pull-down menu. The Warning window shown in Figure 6.5 is displayed.

Figure 6.5 The Admintool: Warning window

Password Administration

Password administration involves setting parameters to control password aging, changing a user's password as needed, and possibly locking a user account to prevent its use.

Password Aging

The parameters of the /etc/shadow file set through the Account Security fields of the admintool command Add or Modify User Account window determine the password aging policy. This includes how long a password is valid (Max Change), how often it can be changed (Min Change), and how long an account can be inactive before the password must be changed (Max Inactive). These parameters enforce a policy for protecting the integrity of passwords.
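The aging fields described above are the numeric fields of each /etc/shadow entry. The following is an added example, not from the book, that reads shadow-format lines and reports the aging state of each account for a given day count (the chapter does not contain this script). It assumes the Solaris field order name:password:lastchg:min:max:warn:inactive:expire:flag, with lastchg and expire as days since 1970-01-01, and it assumes the Solaris conventions that a locked password field begins with *LK* and that NP marks an account that cannot log in with a password. The sample entries and the value 11060 used as "today" are constructed; the hashes are placeholders.

```shell
#!/bin/sh
# Added example, not from the book: audit Solaris-style /etc/shadow lines for
# password-aging status. Field order assumed:
#   name:password:lastchg:min:max:warn:inactive:expire:flag
# lastchg and expire are day counts since 1970-01-01; an empty max means no aging.
# Assumed Solaris conventions: *LK* prefix = locked, NP = no password login.

shadow_audit() {
    # Reads shadow lines on stdin; $1 is "today" as a day count since the epoch.
    awk -F: -v today="$1" '
    NF < 8 { next }
    {
        name = $1; pw = $2; lastchg = $3; max = $5; warn = $6; expire = $8
        if (pw ~ /^\*LK\*/)                          status = "LOCKED"
        else if (pw == "NP")                         status = "NO-LOGIN"
        else if (pw == "")                           status = "NO-PASSWORD"
        else if (expire != "" && today+0 > expire+0) status = "ACCOUNT-EXPIRED"
        else if (max == "")                          status = "NEVER-EXPIRES"
        else if (today+0 > lastchg + max)            status = "PASSWORD-EXPIRED"
        else if (warn != "" && today+0 >= lastchg + max - warn)
                                                     status = "EXPIRING-SOON"
        else                                         status = "OK"
        print name ":" status
    }'
}

# Constructed sample data; HASH-PLACEHOLDER stands in for a real password hash.
sample_shadow() {
    cat <<'EOF'
root:HASH-PLACEHOLDER:11000:0::::::
alice:HASH-PLACEHOLDER:11000:7:56:7:::
bob:*LK*HASH-PLACEHOLDER:10000:7:56:7:::
daemon:NP:6445::::::
carol:HASH-PLACEHOLDER:10900:7:56:7::11050:
dave::11000:0:90:7:::
eve:HASH-PLACEHOLDER:11050:7:56:7:::
frank:HASH-PLACEHOLDER:11010:7:56:7:::
EOF
}

# Report one sample account: audit_one alice 11060 prints "alice:PASSWORD-EXPIRED".
audit_one() { sample_shadow | shadow_audit "$2" | grep "^$1:"; }

# Full report against the sample with 11060 as the constructed "today" value.
sample_shadow | shadow_audit 11060
```

On a live system the day count would be computed from the clock, for example with date +%s divided by 86400, and the script would be run as root reading /etc/shadow. Accounts reported as NO-PASSWORD or NEVER-EXPIRES are the ones an administrator would normally revisit through the Account Security fields.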

Changing Passwords Using The admintool Command

To change the password of a user account, start the admintool command if it is not already active. Display the Users window by selecting Users from the Browse pull-down menu.

The user account can be selected in two ways: by double-clicking on the account entry or by clicking on the account entry to highlight it and then selecting Modify from the Edit pull-down menu. Using either method, the Modify User window is displayed as shown in Figure 6.6.

Figure 6.6 The Admintool: Modify User (Normal Password) window

To modify the account password, position the mouse cursor over the Password field and hold down the left button. Then move the mouse cursor over the Normal Password item and release the mouse button. The Set User Password window is displayed as shown in Figure 6.7.

Figure 6.7 The Set User Password window

Enter the same password in both the Enter Password and the Verify Password fields. Asterisks are displayed in place of each character entered. Using the mouse, click on OK. To save the password, click on OK in the Modify User window. Apart from the admintool command, the passwd(1) command is the only other way to change the password for a user account.

Locking A User Account Using The admintool Command

An account can be locked to prevent it from being used. Start the admintool command if it is not already active. Display the Users window by selecting Users from the Browse pull-down menu.

The account can be selected in two ways: by double-clicking on the account entry or by clicking on the account entry to highlight it and then selecting Modify from the Edit pull-down menu. Using either method, the Modify User window is displayed as shown in Figure 6.8.

To lock the account, position the mouse cursor over the Password field and hold down the left button. Then move the mouse cursor over the Account Is Locked item and release the mouse button. The Account Is Locked item is displayed in the Password field as shown in Figure 6.8. To save the change, click on OK in the Modify User window.

Figure 6.8 The Admintool: Modify User (Account Is Locked) window

Initialization Files

Several initialization (or startup) files are associated with each user account home directory. These files are used to specify commands to be executed when the associated event occurs. Depending on the login shell being used, there might be a login initialization file, a shell startup file, or a logout file. Table 6.3 lists the various initialization files.

Table 6.3 Initialization files

File                               sh         csh        ksh
Login initialization file          .profile   .login     .profile
Shell startup initialization file  N/A        .cshrc     user-defined
Logout file                        N/A        .logout    N/A

Commands in the login initialization file are executed when the user logs in. All three common shells provide a login initialization file. Commands in the shell startup file are executed whenever the logged-in user starts a shell. Both csh and ksh provide this capability. The ENV parameter is used to define the ksh shell startup initialization file. Only csh provides a file for automatic execution of commands when a user logs out.

The System Profile

For user accounts that use sh (Bourne shell) or ksh as a login shell, commands in the system profile are executed before the user’s login initialization file. This file is named /etc/profile and, when executed, sets a default terminal type (TERM) and then calls umask(1) to set the default file permission mask to 022. If the user’s home directory does not include a file by the name of .hushlogin, the user’s storage quota is displayed using quota(1M), the message of the day (if any) is displayed, and a notification message is displayed if new email has arrived for the user.

The following listing shows the default contents of /etc/profile:

trap ""  2 3
export LOGNAME PATH
if [ "$TERM" = "" ]
then
        if /bin/i386
        then
                TERM=AT386
        else
                TERM=sun
        fi
        export TERM
fi
# Login and -su shells get /etc/profile services.
# -rsh is given its environment in its .profile.
case "$0" in
-sh | -ksh | -jsh)
        if [ ! -f .hushlogin ]
        then
                /usr/sbin/quota
                # Allow the user to break the motd only.
                trap "trap '' 2"  2
                /bin/cat -s /etc/motd
                trap "" 2
                /bin/mail -E
                case $? in
                0) 
                        echo "You have new mail."
                        ;;
                2) 
                        echo "You have mail."
                        ;;
                esac
        fi
esac
umask 022
trap  2 3

Initialization File Templates

When a user account is created and a home directory specified, part of setting up the user account is to copy the appropriate default initialization files to the user’s home directory. These initial files or templates are stored in the /etc/skel directory.

For user accounts that use sh or ksh as the login shell, the /etc/skel/local.profile file is copied to the .profile file in the user’s home directory. The following listing shows the default contents of the /etc/skel/local.profile file:

#
# @(#)local.profile 1.6 98/02/06 SMI
#
stty istrip
PATH=/usr/bin:/usr/ucb:/etc:.
export PATH
#
# If possible, start the windows system
#
if [ "`tty`" = "/dev/console" ] ; then
        if [ "$TERM" = "sun" -o "$TERM" = "AT386" ] ; then
                if [ ${OPENWINHOME:-""} = "" ] ; then
                        OPENWINHOME=/usr/openwin
                        export OPENWINHOME
                fi
                echo ""
                echo "Starting OpenWindows in 5 seconds"
                sleep 5
                echo ""
                $OPENWINHOME/bin/openwin
                clear # get rid of annoying cursor rectangle
                exit # logout after leaving windows system
        fi
fi

For user accounts that use csh as the login shell, the /etc/skel/local.login file is copied to the .login file in the user’s home directory. The following listing shows the default contents of the /etc/skel/local.login file:

# @(#)local.login 1.4 98/02/06 SMI
stty -istrip
#

if ( "`tty`" == "/dev/console" ) then
    if ( "$TERM" == "sun" || "$TERM" == "AT386" ) then
        if ( ${?OPENWINHOME} == 0 ) then
            setenv OPENWINHOME /usr/openwin
        endif
        echo ""
        echo -n "Starting OpenWindows in 5 seconds"
        sleep 5
        echo ""
        $OPENWINHOME/bin/openwin
        clear # get rid of annoying cursor rectangle
        logout # logout after leaving windows system
    endif
endif

In addition, for user accounts that use csh as the login shell, the /etc/skel/local.cshrc file is copied to the .cshrc file in the user’s home directory. The following listing shows the default contents of the /etc/skel/local.cshrc file:

# @(#)cshrc 1.11 89/11/29 SMI
umask 022
set path=(/bin /usr/bin /usr/ucb /etc .)
if ( $?prompt ) then
        set history=32
endif
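
The template-to-dotfile mapping described for the three listings above (local.profile to .profile for sh and ksh; local.login and local.cshrc to .login and .cshrc for csh) can be carried out by a small script. The following is an added example, not from the book or from Solaris: it creates the home directory, copies the right templates for the account's login shell, and sets permissions so the startup files are not writable by other users. The skel and home directories are parameters so it can be tried in a scratch tree without root; the sample templates it builds are constructed stand-ins for /etc/skel, and chown to the new user is left to the caller.

```shell
#!/bin/sh
# Added example, not from the book or from Solaris: install initialization file
# templates for a new account according to its login shell. All paths are
# parameters; make_sample_skel builds a constructed stand-in for /etc/skel.

install_skel() {
    # $1 = template directory (/etc/skel on a real system)
    # $2 = home directory to create
    # $3 = login shell path as it appears in /etc/passwd
    skel=$1; home=$2; shell=$3
    mkdir -p "$home" || return 1
    chmod 700 "$home"                      # a fresh home directory is private by default
    case "$shell" in
        /bin/sh|/bin/ksh|/usr/bin/ksh)
            cp "$skel/local.profile" "$home/.profile" || return 1 ;;
        /bin/csh|/usr/bin/csh)
            cp "$skel/local.login" "$home/.login" || return 1
            cp "$skel/local.cshrc" "$home/.cshrc" || return 1 ;;
        *)
            echo "install_skel: no templates for login shell $shell" >&2
            return 2 ;;
    esac
    chmod 644 "$home"/.[a-z]*              # startup files must not be writable by others
}

# Constructed stand-in for /etc/skel; the real templates are the listings above.
make_sample_skel() {
    mkdir -p "$1" || return 1
    printf '# sample local.profile\numask 022\nPATH=/usr/bin:/usr/ucb:/etc\nexport PATH\n' > "$1/local.profile"
    printf '# sample local.login\nstty -istrip\n' > "$1/local.login"
    printf '# sample local.cshrc\numask 022\nset path=(/bin /usr/bin /usr/ucb /etc)\n' > "$1/local.cshrc"
}

# Dotfiles present in a home directory, one per line, sorted.
installed_files() { ( cd "$1" && ls -a | grep '^\.[a-z]' | sort ); }

# Walk-through in a scratch tree: a ksh account gets .profile, a csh account
# gets .cshrc and .login, and an unknown shell is refused.
SCRATCH="${TMPDIR:-/tmp}/skel-example.$$"
make_sample_skel "$SCRATCH/skel"
install_skel "$SCRATCH/skel" "$SCRATCH/home/alice" /bin/ksh && installed_files "$SCRATCH/home/alice"
install_skel "$SCRATCH/skel" "$SCRATCH/home/bob"   /bin/csh && installed_files "$SCRATCH/home/bob"
install_skel "$SCRATCH/skel" "$SCRATCH/home/carol" /bin/zsh || echo "refused, status $?"
rm -rf "$SCRATCH"
```

The sample templates deliberately leave out the trailing "." that the shipped local.profile and local.cshrc listings place at the end of PATH and path; with that entry present, a command name that is not found in the system directories is looked up in whatever directory the user happens to be in, which is why many sites remove it when they customize the templates.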

Customizing The User Environment

The initialization file templates can be modified to provide a custom environment for new user accounts. In addition, the system profile (/etc/profile) can be modified to customize the environment for all users during login initialization.

Keep in mind that the system profile, /etc/profile, is executed before the user's profile. This provides the ability to control and restrict the user environment before the user has an opportunity to make any modifications.

To customize individual user accounts, the initialization files in the user’s home directories can be modified. For the most part, this will consist of adding commands to be automatically executed or defining shell parameters.

Defining Shell Variables In .profile

Variables defined and exported in .profile become part of the user's environment. These variables are available to programs and shells executed by the user.

A common shell variable defined in .profile is LPDEST, which is used to specify a default printer. To define the printer HPLaser as the default printer, include the following in .profile for a user account:

LPDEST=HPLaser
export LPDEST

An alternate way is to specify both commands on the same line and separate the commands with a semicolon:

LPDEST=HPLaser; export LPDEST

A similar syntax can be used for a user account that uses the Korn shell as a login shell. ksh also supports the following variation:

export LPDEST=HPLaser

Although defining variables for csh user accounts is not a certification requirement, the syntax for two csh methods of defining variables is shown in the following listing:

set LPDEST=HPLaser
setenv LPDEST HPLaser

Changes made to the user's login initialization file do not take effect until the user logs in again, or until the .profile is executed by preceding its name with a dot and a space. This executes the .profile in the current shell and makes its definitions part of the current environment.
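The two points made in this section, that only exported variables reach programs the user runs and that a changed .profile takes effect only when it is sourced with the dot command rather than run as a program, can be seen directly in a shell. The following is an added example, not from the book: it writes a constructed .profile fragment to a scratch file and compares the three cases. HPLaser is the printer name used in the chapter; EDITOR_LOCAL is a made-up variable included for contrast.

```shell
#!/bin/sh
# Added example, not from the book: show what "export" and sourcing with the
# dot command do for variables defined in .profile. The .profile fragment is
# constructed; EDITOR_LOCAL is a made-up unexported variable for contrast.

unset LPDEST EDITOR_LOCAL           # start from a clean environment
PROFILE_FRAGMENT="${TMPDIR:-/tmp}/dot-profile-example.$$"
trap 'rm -f "$PROFILE_FRAGMENT"' EXIT

cat > "$PROFILE_FRAGMENT" <<'EOF'
LPDEST=HPLaser; export LPDEST
EDITOR_LOCAL=vi
EOF

# Running the file as a program executes it in a child shell: nothing it sets
# survives in the caller. Each function below runs in a subshell so the three
# cases do not interfere with one another.
run_as_program() (
    sh "$PROFILE_FRAGMENT"
    printf '%s' "${LPDEST:-unset}"
)

# Sourcing with "." reads the file into the current shell, so LPDEST is defined.
run_sourced() (
    . "$PROFILE_FRAGMENT"
    printf '%s' "${LPDEST:-unset}"
)

# Only exported variables reach the environment of programs the user runs:
# the exported LPDEST is visible to a child sh, the unexported EDITOR_LOCAL is not.
child_view() (
    . "$PROFILE_FRAGMENT"
    sh -c 'printf "%s,%s" "${LPDEST:-unset}" "${EDITOR_LOCAL:-unset}"'
)

echo "run as program: $(run_as_program)"   # unset
echo "sourced:        $(run_sourced)"      # HPLaser
echo "child sees:     $(child_view)"       # HPLaser,unset
```

The same distinction explains the DTSOURCEPROFILE setting discussed in the next section: the desktop session has to source the login initialization file, not merely run it, for its variables to reach the programs started from the desktop.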

Sourcing .profile

For user accounts that use the Solaris Common Desktop Environment (CDE), the /usr/dt/bin/Xsession command that starts the desktop can be configured to read and process the .login (csh) or .profile (sh and ksh) login initialization file in the user’s home directory as part of the startup process.

The first user-specific file that Xsession calls is .dtprofile in the user's home directory. The last line of the default .dtprofile file is:

DTSOURCEPROFILE=true

This will cause the .login or .profile file to be executed (or sourced) automatically. To change this default behavior and prevent the login initialization file from being sourced, change true to false.

Sample Questions

Need To Know More?

System Administration Guide, Volume 1
System Reference Manual, Section 1 - User Commands
System Reference Manual, Section 1M - Administration Commands

Sun Microsystems
Available in printed form, on the Web at docs.sun.com and from the online documentation, AnswerBook2 (provided with the Solaris 8 operating system).