< Day Day Up > |
Each time a user logs in, two profile scripts are executed, a system profile script that is the same for every user, and a user login profile script that can be customized to each user's needs. When the user logs out, a user logout script is run. In addition, each time a shell is generated, including the login shell, a user shell script is run. There are different kinds of scripts used for different shells. On Red Hat, the default shell commonly used is the BASH shell. As an alternative, users could use different shells such as TCSH or the Z shell, both installed with Red Hat Linux.
For the BASH shell, each user has their own BASH login profile script named .bash_profile in their home directory. The system profile script is located in the /etc directory and named profile with no preceding period. The BASH shell user shell script is called .bashrc. The .bashrc file also runs the /etc/bashrc file to implement any global definitions such as the PS1 and TERM variables. The /etc/bashrc file also executes any specialized initialization file in the /etc/profile.d directory, such as those used for KDE and GNOME. The .bash_profile file runs the .bashrc file, and through it, the /etc/bashrc file, implementing global definitions.
As a superuser, you can edit any of these profile or shell scripts and put in any commands you want executed for each user when they log in. For example, you may want to define a default path for commands, in case the user has not done so. Or you may want to notify the user of recent system news or account changes.
When you first add a user to the system, you must provide the user with skeleton versions of their login, shell, and logout initialization files. For the BASH shell, these would be the .bash_profile, .bashrc, and .bash_logout files. The useradd command and other user management tools such as Red Hat User Manager add these files automatically, copying any files in the directory /etc/skel to the user's new home directory. The /etc/skel directory contains a skeleton initialization file for the .bash_profile, .bashrc, and .bash_logout files or, if you are using the TCSH shell as your login shell, the .login, .tcshrc, and .logout files. The /etc/skel directory also contains default files and directories for your desktops. These include a .screenrc file for the X Window System, a .kde directory for the KDE desktop, and a Desktop directory that contains default configuration files for the GNOME desktop.
As a superuser, you can configure the .bash_profile or .bashrc file in the /etc/skel directory any way you want. Usually, basic system variable assignments are included that define pathnames for commands and command aliases. The PATH and BASH_ENV variables are defined in .bash_profile. Once users have their own .bash_profile or .bashrc file, they can redefine variables or add new commands as they choose.
System-wide values used by user and group creation utilities such as useradd and usergroup are kept in the /etc/login.defs file. Here you will find the range of possible user and group IDs listed. UID_MIN holds the minimum number for user IDs, and UID_MAX the maximum number. Various password options control password controls—such as PASS_MIN_LEN, which determines the minimum number of characters allowable in a password. Options such as CREATE_HOME can be set to tell user tools like useradd to create home directories for new accounts by default. Samples of these entries are shown here:
MAIL_DIR /var/spool/mail PASS_MIN_LEN 5 CREATE_HOME yes
You can control user login access by remote users to your system with the /etc/login.access file. The file consists of entries listing users, whether they are allowed access, and from where they can access the system. A record in this file consists of three colon-delimited fields: a plus (+) or minus (-) sign indicating whether users are allowed access, user login names allowed access, and the remote system (host) or terminal (tty device) from which they are trying to log in. The following enables the user chris to access the system from the rabbit.mytrek.com remote system:
+:chris:rabbit.mytrek.com
You can list more than one user or location, or use the ALL option in place of either users or locations to allow access by all users and locations. The ALL option can be qualified with the EXCEPT option to allow access by all users except certain specified ones. The following entry allows any valid user to log in to the system using the console, except for the users larisa and aleina:
+:ALL EXCEPT larisa aleina:console
Other access control files are used to control access for specific services, such as the hosts.deny and hosts.allows files used with the tcpd daemon for xinetd-supported servers.
Once you have created a user account, you can control the user's access to it. Both the Red Hat User Manager and the passwd tool let you lock and unlock a user's account. You use the passwd command with the -l option to lock an account, invalidating its password, and you use the -u option to unlock it.
You can also force a user to change his or her password at given intervals by setting an expiration date for that password. Both the Red Hat User Manager and the change command let you specify an expiration limit for a user's password. A user could be required to change his or her password every month, every week, or at a given date. Once the password expires, the user will be prompted to enter a new one. You can issue a warning beforehand, telling the user how much time is left before the password expires. For account that you want to close, you can permanently expire a password. You can even shut down accounts that are inactive too long. In the next example, the password for the chris account will stay valid for only seven days. The -M option with the number of days sets the maximum time that a password can be valid.
chage -M 7 chris
To set a particular date for the account to expire, use the -E option with the date specified mm/dd/yyyy.
chage -E 07/30/2003 chris
To find out what the current expiration settings are for a given account, use the -l option.
chage -l chris
You can also combine your options into one command,
chage -M 7 -E 07/30/2003 chris
A listing of the change options appears in Table 28-2.
Option |
Description |
---|---|
-m |
Minimum number of days a user must go before being able to change his password |
-M |
Maximum number of days a user can go without changing his password |
-d |
The last day the password was changed |
-E |
Specific expiration date for a password, date in format in yyyy-mm-dd or in commonly used format like mm/dd/yyyy |
-I |
Allowable account inactivity period (in days), after which password will expire |
-W |
Warning period, number of days before expiration when the user will be sent a warning message |
-l |
Display current password expiration controls |
< Day Day Up > |
This HTML Help has been published using the chm2web software. |