One of the tasks you will frequently perform as a system administrator is the administering of users. Whether you’re adding, deleting, or editing, you will deal with user accounts on a day-to-day basis. Having the right tools to deal with this task can make your job a great deal easier, and Linux has just the right tools.
What we’re going to discuss here is the GUI version of the Linux tool userconf. The linuxconf module userconf is a very simple-to-use tool that allows the administrator to take care of all user configurations from one centrally located place. The userconf tool is broken into four categories:
- Normal
- Special accounts
- E-mail aliases
- Policies
Within each of these categories are numerous subcategories. We’ll go into more detail as we hit each category, but before we do, let’s look at the application itself.
As shown in Figure A, the userconf GUI is fairly straightforward. Like the other modules in linuxconf, userconf is set up with tabs and buttons that make its use very simple.
Figure A: The main userconf screen shows the tool’s four categories and the three subcategories for normal accounts.
This application can only be called by root and is called with the command:
When you run this command, the userconf tool appears, and you’re ready to get to work.
The Normal tab is where you do most of your work with userconf. Here you will add, delete, and modify user and group information. Before this tool, you were stuck using the confusing useradd and groupadd commands. Well, times are a-changin’, and even Linux administrators can do routine tasks via GUI.
Once you open the Normal tab, click on the User Accounts button and you’ll see a new window that looks much like Figure B.
Figure B: The User Accounts window in userconf allows you to add new users.
Once this window is open, click on the Add button, and a new window will appear (see Figure C) where you will enter the user’s information. You will need to supply three critical pieces of information. The first is the Login Name, which is what the user will be known by within the Linux system. A word of advice: Here at TechRepublic, my network login name is wallenj. I use that as my Linux login name, which makes using such tools as smbmount, pine, and ssh that much easier.
Figure C: The user account creation window is where you will add the new user to the system.
The next bit of information you may find critical is Full Name. Why, you ask, might Full Name be critical? Within a large corporation, you might have any number of employees logged on to a system. As an administrator, you might not remember what name is associated with a particular user. (Perhaps your Linux users aren’t all using their network login names as their Linux login names.) In order to find the information associated with a login name, you could simply finger the user@domain and discover the full name—simple and quick information gathering.
The last critical bit of information you will enter into the user account creation window (see Figure C) is under the Params tab (see Figure D).
Figure D: Within the Params tab, you can configure a user’s password to expire at a given time.
You can configure a user’s password to expire on the Params tab. This is often a good way to make your users change their passwords every so often. As you can see in Figure D, the default is set to make the user change the password after 99,999 days. Since it’s highly doubtful any users will be using their Linux machine after 276.24 years, you can configure this section how you like, but remember that you are dealing in days.
Within this same window, you can set a user account to expire after a particular number of days as well. This can be useful when you need to create a temporary user account. By setting the account to expire after a number of days, you can ensure that you will not have stray accounts begging for nefarious activity. If you configure an account to expire after a given date, you can use the Warn # Days Before Expiration feature on this window to send a warning before the account expires.
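The aging values above are all counted in days, which is also how the standard /etc/shadow file stores them. The following audit is an added example, not part of the original article: it flags accounts still on the 99,999-day default, overdue password changes, and accounts past their expiry date. It assumes the Params settings end up in /etc/shadow; the sample entries and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample in /etc/shadow layout (no real accounts or hashes):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved   (times are in days)
sample_shadow() {
cat <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19700:0:90:7:::
bob:$6$constructed$hash:19500:0:90:7:::
temp1:$6$constructed$hash:19700:0:90:7::19720:
daemon:*:18000:0:99999:7:::
EOF
}

# audit_aging TODAY  (TODAY = days since 1970-01-01); reads shadow lines on stdin
audit_aging() {
    awk -F: -v today="$1" '
        $2 ~ /^[*!]/ { next }   # locked or no usable password: skip
        $5 == "" || $5 + 0 >= 99999 { print $1 ": password never expires" }
        $5 != "" && $5 + 0 < 99999 && $3 + $5 < today + 0 { print $1 ": password change overdue" }
        $8 != "" && $8 + 0 < today + 0 { print $1 ": account expired" }
    '
}

# Day 19730 is a fixed "today" so the output is reproducible.
# On a live system, as root: audit_aging "$(( $(date +%s) / 86400 ))" < /etc/shadow
sample_shadow | audit_aging 19730
```

Temporary accounts that show up as expired are candidates for deletion rather than for a new expiry date.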
You can set group definitions by clicking the Group Definitions button on the Normal tab. Much of the group configuration is similar to the user configuration.
On the Group Definitions window, click the Add button and you will see a new window open (see Figure E). In this Group Specification window, you will see two tabs. The first tab, Base Info, allows you to configure the Group Name, Group ID, and Alternate Members. It is best to leave the Group ID set to what the system offers (unless you have a very good reason to configure your own).
Figure E: The first tab in the Group Specification window, Base Info, allows you to configure Group Name, Group ID, and Alternate Members.
The second tab is used to configure the directories of the group. Under this tab, you will enter the Home base directory for the new group and the Creation Permissions. For security reasons, it’s best to leave the permissions set as the system configures them.
Often, you do not need to give a group a home base directory, but there are times when you may want to. Should you wish to do so, you will do it under the Directories tab. By defining a home directory for a group, you will create a directory (for that group), which is owned by user and group root with a permission set of drwxr-xr-x (user, group, and other can read and execute; only user can write). The only problem with this method is that when you create a group with a home directory, the home directory is owned by both user and group root. This will make it impossible for anyone belonging to the new group to write to this directory. If you want to allow group members to write to this directory, you need to change the directory’s group ownership and give the group write permission. To do so, open a command console, su to root, and run the proper commands. Let’s say you have created the group accounting and you want any member of this group to be able to write to the new group directory /home/accounting. To do this, run the following set of commands:
chgrp accounting /home/accounting
chmod g+w /home/accounting
Now any member of the group accounting will be able to read from and write to this directory, while other users keep read-only access.
Please use extreme caution with this process because it can open up many security holes.
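A check for the result this section is after, as an added example that is not part of the original article: the directory belongs to the group, group members can write to it, and other users cannot. The function name check_group_dir is hypothetical, and the demo runs on a scratch directory with the caller's own group instead of /home/accounting.

```shell
#!/bin/sh
# check_group_dir DIR GROUP
# Returns 0 only if DIR belongs to GROUP, is group-writable and is NOT
# world-writable. GROUP may be a group name or a numeric gid.
check_group_dir() {
    dir=$1 group=$2 rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    # find prints the path only when the test matches; -prune stops descent
    [ -n "$(find "$dir" -prune -group "$group")" ] ||
        { echo "$dir: group owner is not $group"; rc=1; }
    [ -n "$(find "$dir" -prune -perm -020)" ] ||
        { echo "$dir: group members cannot write"; rc=1; }
    [ -z "$(find "$dir" -prune -perm -002)" ] ||
        { echo "$dir: world-writable, any local user can write here"; rc=1; }
    return $rc
}

# Demo on a scratch directory, using the caller's primary group (numeric gid).
demo_dir=$(mktemp -d)
chgrp "$(id -g)" "$demo_dir"

chmod 0777 "$demo_dir"   # write access opened to everyone
check_group_dir "$demo_dir" "$(id -g)" || echo "-> rejected"

# 2775: group can write, others read-only; the setgid bit makes new files
# inherit the directory's group instead of each creator's primary group.
chmod 2775 "$demo_dir"
check_group_dir "$demo_dir" "$(id -g)" && echo "-> ok"

rm -rf "$demo_dir"
```

For the article's case the call would be check_group_dir /home/accounting accounting, run after the ownership and mode changes.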
Although there are many other uses for the userconf tool (changing the root password, creating special accounts, setting up e-mail aliases, and creating special policies for users), the most obvious and useful is the ability to create, delete, and modify user and group accounts.
I’d like to let you in on a bit of admin fun! Within the userconf tool (click Message Of The Day under the Policies tab), you can create a message of the day that your users will see upon logging in to their machines. You can use this to many different ends…both benign and malevolent!