12.2 Users and Groups, the Hard Way

Of course, it is possible to add, modify, and remove users and groups without using the scripts and programs that come with Slackware. It's not really difficult, although after reading this process, you'll probably find it much easier to use the scripts. However, it's important to know how your password information is actually stored, in case you ever need to recover this information and don't have the Slackware tools available.

First, we'll add a new user to the /etc/passwd(5), /etc/shadow(5), and /etc/group(5) files. The passwd file holds some information about the users on your system, but (strangely enough) not their passwords. It once did, but that practice was abandoned long ago for security reasons. The passwd file must be readable by all users, but you don't want the encrypted passwords (really, hashes produced by crypt(3)) to be world-readable, because a would-be intruder could copy them and crack them offline, trying guesses against each hash until one matches. Instead, the encrypted passwords are kept in the shadow file, which is readable only by root, and everyone's password in the passwd file is entered simply as “x”. The group file lists all the groups and who is in each.

You can use the vipw command to edit the /etc/passwd file safely, and the vigr command to edit the /etc/group file safely. Use vipw -s to edit the /etc/shadow file safely (and vigr -s for /etc/gshadow, if your system has one). (“Safely” in this context means the file is locked while you edit it, so neither another administrator running vipw nor a program such as passwd can modify it underneath you, and your edited copy is moved into place in one step when you quit the editor, so a half-edited file is never what the system sees. If you're the only administrator of your system, you're probably safe, but it's best to get into good habits from the start.)

Let's examine the /etc/passwd file and look at how to add a new user. A typical entry in passwd looks like this:

chris:x:1000:100:Chris Lumens,Room 2,,:/home/chris:/bin/bash

Each line is an entry for one user, and fields on each line are separated by a colon. The fields are the login name, encrypted password (“x” for everyone on a Slackware system, since Slackware uses shadow passwords), user ID, group ID, the optional finger information (separated by commas), home directory, and shell. To add a new user by hand, add a new line at the end of the file, filling in the appropriate information.

The information you add needs to meet some requirements, or your new user may have problems logging in. First, make sure that the password field is an x, and that both the user name and the user ID are unique. Leave the low numbers to the system accounts, and never reuse 0: a second entry with user ID 0 is simply another root account, whatever it is called. Assign the user a group, either 100 (the “users” group in Slackware) or your default group (use its number, not its name), and make sure that group really exists in /etc/group. Give the user a valid home directory (which you'll create later) and shell (remember, valid shells are listed in /etc/shells).

Next, we'll need to add an entry in the /etc/shadow file, which holds the encrypted passwords. A typical entry looks like this:

chris:$1$w9bsw/N9$uwLr2bRER6YyBS.CAEp7R.:11055:0:99999:7:::

Again, each line is an entry for one person, with each field delimited by a colon. The fields are (in order) login name, encrypted password, the day (counted in days since the Epoch, January 1, 1970) on which the password was last changed, the minimum number of days that must pass before the password may be changed again, the maximum number of days after which the password must be changed, the number of days before the password expires on which the user is warned, the number of days after the password expires before the account is disabled, the day (again in days since the Epoch) on which the account itself expires, and a reserved field.

As you can see, most of that is for account expiration information. If you aren't using expiration information, you only need to fill in a few fields with some special values. Otherwise, you'll need to do some calculations and decision making before you can fill those fields in. For a new user, just put a placeholder in the password field; the conventional choice is “!” or “*”, which can never match the output of crypt(3), so nobody can log in with a password until you set a real one. Don't worry about what the password is right now, because you're going to change it in a minute. The only character you cannot include in the password field is a colon. What you must not do is leave the field empty: according to shadow(5), an empty password field means no password is required for that login at all. Leave the “days since password was changed” field blank as well (passwd will fill it in when you set the password; a 0 there would force the user to change the password at the first login). Fill in 0, 99999, and 7 just as you see in the example entry, and leave the other fields blank.

(For those of you who think you see my encrypted password above and believe you've got a leg up on breaking into my system, go right ahead. If you can crack that password, you'll know the password to a firewalled test system. Now that's useful :) )

All normal users are members of the “users” group on a typical Slackware system. However, if you want to create a new group, or add the new user to additional groups, you'll need to modify the /etc/group file. Here is a typical entry:

cvs::102:chris,logan,david,root

The fields are group name, group password (normally empty, or “x” if the system keeps group passwords in /etc/gshadow), group ID, and the group's members as a comma-separated list of login names. Creating a new group is a simple matter of adding a new line with a unique group ID and listing all the users you want to be in the group. A user's primary group (the group ID in that user's /etc/passwd entry) does not have to be listed here. Any users who are in this new group and are logged in will have to log out and log back in before the change takes effect, because group membership is fixed when the login session starts.

At this point, it might be a good idea to use the pwck and grpck commands to verify that the changes you've made are consistent. First, use pwck -r and grpck -r: the -r switch makes no changes, but lists the changes you would be asked to make if you ran the command without the switch. You can use this output to decide whether you need to further modify any files, to run pwck or grpck without the -r switch, or to simply leave your changes as they are.

Next, use the passwd command to set a proper password for the user. Then use mkdir to create the new user's home directory in the location you entered into the /etc/passwd file, copy any default dotfiles you keep in /etc/skel into it, and use chown to make the new user (and the user's group) the owner of the new directory. Check the permissions too: mkdir run as root creates the directory owned by root and, with the usual umask of 022, readable by everyone, so if other users shouldn't be able to look inside the new home directory, chmod it accordingly.
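The whole procedure, as an added example that is not code from the book or from Slackware's adduser script: shell functions (the names are mine) that append the passwd and shadow lines, put the user in a group, and create the home directory, working on copies of the files under a root directory of your choosing so you can rehearse before touching /etc. The sample entries it builds are constructed from the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the Slackware book or its adduser script: the
# "hard way" of this section as shell functions that work on passwd, shadow,
# group and shells files under a root directory of your choosing, so you can
# rehearse on copies before editing the real ones with vipw/vigr (which also
# take the lock these functions do not).

# Today's date as days since the Epoch, the unit the shadow file counts in.
days_since_epoch() { echo $(( $(date +%s) / 86400 )); }

# field_in_use FILE FIELD VALUE: succeed if some line of FILE has VALUE in colon-field FIELD.
field_in_use() {
    awk -F: -v f="$2" -v v="$3" '$f == v { found = 1 } END { exit !found }' "$1"
}

# add_user_by_hand ROOT LOGIN UID GID GECOS HOME SHELL: append the passwd and shadow lines.
add_user_by_hand() {
    root=$1 login=$2 uid=$3 gid=$4 gecos=$5 home=$6 shell=$7
    passwd=$root/etc/passwd shadow=$root/etc/shadow group=$root/etc/group
    # The requirements from the text: unique login and UID, a GID that exists, a listed shell.
    if field_in_use "$passwd" 1 "$login" || field_in_use "$passwd" 3 "$uid"; then
        echo "add_user_by_hand: login $login or uid $uid is already in $passwd" >&2; return 1
    fi
    if ! field_in_use "$group" 3 "$gid"; then
        echo "add_user_by_hand: gid $gid is not in $group" >&2; return 1
    fi
    if ! grep -qx "$shell" "$root/etc/shells"; then
        echo "add_user_by_hand: $shell is not listed in $root/etc/shells" >&2; return 1
    fi
    printf '%s:x:%s:%s:%s:%s:%s\n' "$login" "$uid" "$gid" "$gecos" "$home" "$shell" >> "$passwd"
    # "!" can never be the output of crypt(3), so no password works until passwd(1) sets
    # one. Never leave this field empty: an empty shadow password means "no password needed".
    printf '%s:!:%s:0:99999:7:::\n' "$login" "$(days_since_epoch)" >> "$shadow"
}

# add_to_group ROOT GROUPNAME LOGIN: append LOGIN to GROUPNAME's member list, once.
add_to_group() {
    root=$1 grp=$2 login=$3 group=$1/etc/group
    field_in_use "$group" 1 "$grp" || { echo "add_to_group: no group $grp" >&2; return 1; }
    awk -F: -v OFS=: -v g="$grp" -v l="$login" '
        $1 == g {
            dup = 0; n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == l) dup = 1
            if (!dup) $4 = ($4 == "" ? l : $4 "," l)
        }
        { print }' "$group" > "$group.tmp" && mv "$group.tmp" "$group"
}

# create_home ROOT LOGIN: make the home directory named in passwd, seed it from
# /etc/skel if there is one, and hand it to the user (chown needs root, so on a
# rehearsal copy run as an ordinary user that step is skipped).
create_home() {
    root=$1 login=$2
    entry=$(awk -F: -v l="$login" '$1 == l' "$root/etc/passwd")
    [ -n "$entry" ] || { echo "create_home: no passwd entry for $login" >&2; return 1; }
    uid=$(echo "$entry" | cut -d: -f3); gid=$(echo "$entry" | cut -d: -f4)
    home=$(echo "$entry" | cut -d: -f6)
    mkdir -p "$root$home" || return 1
    [ -d "$root/etc/skel" ] && cp -R "$root/etc/skel/." "$root$home"
    if [ "$(id -u)" -eq 0 ]; then chown "$uid:$gid" "$root$home"; fi
    echo "$root$home"
}

# make_sample_root: a throwaway root holding constructed copies of the four files,
# with entries modelled on the ones quoted in the text (the root hash is a placeholder).
make_sample_root() {
    r=$(mktemp -d) && mkdir -p "$r/etc" "$r/home" || return 1
    printf 'root:x:0:0::/root:/bin/bash\n' > "$r/etc/passwd"
    printf 'root:!:11055:0:99999:7:::\n' > "$r/etc/shadow"
    printf 'root::0:root\nusers::100:\ncvs::102:logan,david,root\n' > "$r/etc/group"
    printf '/bin/sh\n/bin/bash\n' > "$r/etc/shells"
    echo "$r"
}

demo() {
    r=$(make_sample_root) || return 1
    add_user_by_hand "$r" chris 1000 100 "Chris Lumens,Room 2,," /home/chris /bin/bash &&
        add_to_group "$r" cvs chris &&
        create_home "$r" chris >/dev/null &&
        cat "$r/etc/passwd" "$r/etc/shadow" "$r/etc/group"
    # pwck and grpck accept file names, so the copies can be checked before going live:
    #   pwck -r "$r/etc/passwd" "$r/etc/shadow"; grpck -r "$r/etc/group"
    rm -rf "$r"
}
demo
```

When you move from the rehearsal copy to the real files, make the same edits under vipw and vigr, which hold the lock these functions do not, and then run passwd for the new login so the “!” placeholder is replaced by a real hash.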

Removing a user is a simple matter of deleting all of the entries that exist for that user. Remove the user's entry from /etc/passwd and /etc/shadow, and remove the login name from any groups in the /etc/group file (and in /etc/gshadow, if present). If you wish, delete the user's home directory, the mail spool file, and the crontab (if they exist). Before you ever hand that user ID to someone else, also look for files the old account still owns elsewhere on the system, for example with find / -xdev -uid N as root, once per mounted filesystem: ownership is recorded by number, not by name, so whatever is left behind would belong to the next user given that ID.

Removing groups is similar: remove the group's entry from /etc/group (and from /etc/gshadow, if present). First make sure that no entry in /etc/passwd still uses that group ID as its primary group, or those users will be left with a group number that no longer has a name.
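The reverse procedure, again as an added example and not the book's own code: functions of the same kind (names are mine) remove the user from passwd, shadow and every group line, refuse to remove a group that is still someone's primary group, and list what a departed user ID still owns. The sample files are constructed from the entries quoted in this section.

```shell
#!/bin/sh
# Added example, not code from the Slackware book: removing a user and a group the
# hard way, on passwd, shadow and group files under a root directory so it can be
# rehearsed on copies (on the live files use vipw/vigr for the lock). It ends with
# the check worth running before the UID is ever reused: ownership is stored as a
# number, so files the old user left behind would belong to the next holder of it.

# strip_lines FILE LOGIN: drop the entry whose first field is LOGIN.
strip_lines() {
    awk -F: -v l="$2" '$1 != l' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# remove_user_by_hand ROOT LOGIN: drop the passwd and shadow entries and take the
# login name out of every group's member list. Prints the UID the account had.
remove_user_by_hand() {
    root=$1 login=$2
    uid=$(awk -F: -v l="$login" '$1 == l { print $3 }' "$root/etc/passwd")
    home=$(awk -F: -v l="$login" '$1 == l { print $6 }' "$root/etc/passwd")
    [ -n "$uid" ] || { echo "remove_user_by_hand: no such user $login" >&2; return 1; }
    strip_lines "$root/etc/passwd" "$login" && strip_lines "$root/etc/shadow" "$login" || return 1
    awk -F: -v OFS=: -v l="$login" '{
        n = split($4, m, ","); out = ""
        for (i = 1; i <= n; i++) if (m[i] != l && m[i] != "") out = (out == "" ? m[i] : out "," m[i])
        $4 = out; print
    }' "$root/etc/group" > "$root/etc/group.tmp" && mv "$root/etc/group.tmp" "$root/etc/group"
    # On the live system the optional clean-up from the text would follow here:
    #   rm -rf "$root$home"; rm -f "$root/var/spool/mail/$login"; crontab -r -u "$login"
    echo "$uid"
}

# remove_group_by_hand ROOT GROUPNAME: refuse while some passwd entry still has the
# group as its primary group, otherwise drop its line.
remove_group_by_hand() {
    root=$1 grp=$2
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3 }' "$root/etc/group")
    [ -n "$gid" ] || { echo "remove_group_by_hand: no such group $grp" >&2; return 1; }
    if awk -F: -v g="$gid" '$4 == g { f = 1 } END { exit !f }' "$root/etc/passwd"; then
        echo "remove_group_by_hand: gid $gid is still a primary group in passwd" >&2; return 1
    fi
    strip_lines "$root/etc/group" "$grp"
}

# files_owned_by UID [DIR]: everything under DIR (default /) still owned by that UID.
# Run it as root over each mounted filesystem before the number is given to anyone else.
files_owned_by() { find "${2:-/}" -xdev -uid "$1" 2>/dev/null; }

# sample_root: a throwaway root with constructed copies of the files, holding the
# entries quoted in this section (the root hash is a placeholder).
sample_root() {
    r=$(mktemp -d) && mkdir -p "$r/etc" "$r/home/chris" || return 1
    printf 'root:x:0:0::/root:/bin/bash\nchris:x:1000:100:Chris Lumens,Room 2,,:/home/chris:/bin/bash\n' > "$r/etc/passwd"
    printf 'root:!:11055:0:99999:7:::\nchris:$1$w9bsw/N9$uwLr2bRER6YyBS.CAEp7R.:11055:0:99999:7:::\n' > "$r/etc/shadow"
    printf 'root::0:root\nusers::100:chris\ncvs::102:chris,logan,david,root\n' > "$r/etc/group"
    echo "$r"
}

demo() {
    r=$(sample_root) || return 1
    touch "$r/home/chris/.bash_history"
    uid=$(remove_user_by_hand "$r" chris) || return 1
    echo "removed chris (uid $uid); left behind under $r:"
    # The rehearsal files are ours, not uid 1000's, so search for our own uid here.
    files_owned_by "$(id -u)" "$r"
    remove_group_by_hand "$r" cvs && cat "$r/etc/passwd" "$r/etc/group"
    rm -rf "$r"
}
demo
```

The group-membership pass rewrites every line of the group file, so on the real system do it under vigr; the primary-group check in remove_group_by_hand is the one grpck will not make for you, since grpck only checks the group file for consistency with itself.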