


Category: User Management


Setting User Limits

11 November, 2007 (00:26) | User Management, UNIX | By: passion@linux

In a large installation, it is sometimes difficult to keep control of user activities. Some user programs can use excessive resources, to the detriment of other users. This is particularly true in universities and colleges, where students' activities can leave few resources for programs run by staff. Also, some services automatically grab as many resources as they find available at run time, leaving few resources for subsequent programs. Resources include disk space, memory, CPU time and I/O requests.

It can be useful, therefore, to set limits for each user or group of users. The /etc/security directory holds files that can be used to limit user activities. The most important of these files is /etc/security/limits.conf. It holds entries in the following format:

<domain> <type> <item> <value>
where
<domain>   is the name of the user or group (groups must be prefixed with @)
<type>     is either ‘hard’ or ‘soft’
<item>     is one of the items listed below
<value>    is the value required

Items include:
core - limits the core file size (KB)
data - maximum data size (KB)
fsize - maximum filesize (KB)
memlock - maximum locked-in-memory address space (KB)
nofile - number of open files
rss - max resident memory set size (KB)
stack - stack size (KB)
cpu - maximum CPU time
nproc - maximum number of processes
as - address space limit
maxlogins - maximum number of logins for this user
priority - the priority used for user processes
locks - maximum number of file locks

When setting these limits, you should check the documentation of any software packages that you are running, to ensure that they are able to run within the limits that you have set.
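
The four-field format above is easy to get wrong by hand, so here is a small checker for it. This is an added example, not part of the original post: the sample entries, user names and group names are constructed, and the "-" type and the "unlimited"/"infinity" values are pam_limits conventions that the list above does not mention.

```python
import re

# Items as listed above; "-" (pam_limits) sets soft and hard limit together.
ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu",
         "nproc", "as", "maxlogins", "priority", "locks"}
TYPES = {"hard", "soft", "-"}
NO_LIMIT = {"unlimited", "infinity"}  # pam_limits keywords for "no limit"

# Constructed sample: the @staff pair and the last two lines are mistakes.
SAMPLE = """\
# <domain>  <type>  <item>     <value>
@students   soft    nproc      50
@students   hard    nproc      100
@students   hard    maxlogins  2
@staff      soft    nofile     4096
@staff      hard    nofile     2048
alice       hard    cpu
bob         firm    fsize      102400
"""

def lint_limits(text):
    """Parse limits.conf-style text; return (entries, problems)."""
    entries, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            if fields:  # not a blank line or a comment
                problems.append((n, "expected <domain> <type> <item> <value>"))
            continue
        domain, typ, item, value = fields
        if typ not in TYPES:
            problems.append((n, f"unknown type {typ!r}"))
        elif item not in ITEMS:
            problems.append((n, f"unknown item {item!r}"))
        elif value not in NO_LIMIT and not re.fullmatch(r"-?\d+", value):
            problems.append((n, f"bad value {value!r}"))
        else:
            limit = float("inf") if value in NO_LIMIT else int(value)
            for t in ("soft", "hard") if typ == "-" else (typ,):
                entries[(domain, item, t)] = (limit, n)
    # A soft limit can never exceed its hard limit; priority is a nice value.
    for (domain, item, t), (soft, n) in entries.items():
        hard = entries.get((domain, item, "hard"), (float("inf"), 0))[0]
        if t == "soft" and item != "priority" and soft > hard:
            problems.append((n, f"soft {item} for {domain} exceeds hard limit"))
    return entries, problems

if __name__ == "__main__":
    print(*lint_limits(SAMPLE)[1], sep="\n")
```

Each problem is reported as a (line number, message) pair, so the output can be checked against the file before it is installed under /etc/security.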

Another useful file in this directory is /etc/security/access.conf, which is used to control which users are allowed to log in from which sources. For example, it is possible to restrict a user’s access to one particular terminal, or to prevent users from logging in via the network.

This file holds entries in the format:

<permission>:<user_or_group>:<origin>
where
<permission>     can be + or -
<user_or_group> A user name, group name, or ALL, or ALL except user or group name
<origin>    A TTY number, host name or domain name
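
To see how a set of entries in this format decides a login, the following added example (not from the original post) evaluates them in file order. It assumes the pam_access behaviour that the first matching entry wins and that a login matching no entry is allowed; the rules, user names, group names and host names are constructed, and group membership is supplied by the caller.

```python
# Constructed sample rules; user, group and host names are made up.
SAMPLE = """\
# root may log in on tty1 only
+:root:tty1
-:root:ALL
# only the staff group may come in from campus hosts
-:ALL EXCEPT staff:.example.edu
"""

def list_match(tokens, test):
    """True if test() accepts a token left of EXCEPT and none right of it."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], test) and not list_match(tokens[i + 1:], test)
    return any(test(tok) for tok in tokens)

def user_test(user, groups):
    # Group membership is passed in by the caller (assumption of this example).
    return lambda tok: tok == "ALL" or tok == user or tok in groups

def origin_test(origin):
    def test(tok):
        if tok == "ALL":
            return True
        if tok.startswith("."):  # domain name: match as a host name suffix
            return origin.lower().endswith(tok.lower())
        return tok.lower() == origin.lower()  # TTY or host name
    return test

def access_allowed(rules, user, groups, origin):
    """Return (allowed, line_number) for the first entry that matches."""
    for n, raw in enumerate(rules.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {n}: expected <permission>:<user_or_group>:<origin>")
        perm, users, origins = parts
        if (list_match(users.split(), user_test(user, groups))
                and list_match(origins.split(), origin_test(origin))):
            return perm == "+", n
    return True, None  # no entry matched: pam_access allows the login

if __name__ == "__main__":
    print(access_allowed(SAMPLE, "carol", {"students"}, "lab3.example.edu"))
    print(access_allowed(SAMPLE, "carol", {"students"}, "tty3"))
```

The second call returns (True, None): nothing in the sample covers a student on a local terminal, so the login falls through and is allowed. A file meant to be restrictive usually ends with a final -:ALL:ALL entry for that reason.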

Defining User Defaults

14 October, 2007 (03:21) | User Management, UNIX | By: passion@linux

In most cases, new users are created with similar settings. It is possible to define defaults, so that when you create a new user, you need only specify the things that are different to other users.

User defaults are held in the file /etc/default/useradd, which may look like this:
HOME=/home
INACTIVE=45
SHELL=/bin/bash
CREATE_MAIL_SPOOL=yes
SKEL=/etc/skel

The HOME entry specifies the directory under which user directories are created. If no directory is specified when a user is created, his home directory will be placed under this directory and given the same name as the user.

The SKEL entry specifies the name of a directory containing files that will be copied to the new user’s directory if the -m and -k switches are invoked when running useradd. This directory will be empty when Unix is installed; it is up to the administrator to place files into it. It is useful for setting up a default .profile file, so that you do not have to create one for every user. There may be other files specific to your installation that could be useful here. In a training institution, for example, you could put all the sample files needed by the students in this directory.

Other entries in the /etc/default/useradd file relate to the various user options, such as number of days to keep inactive accounts.

The useradd command can be run with the -D switch to either view or change these settings. Used with no other switches, this will display the default settings. Used with the -D -b switches, it allows you to specify a base directory for new user directories. Other switches such as -g, -f, -s, etc. that are normally used when creating a new user can be used in conjunction with the -D switch to set defaults for these options.

Understanding User Administration

9 October, 2007 (02:57) | User Management, UNIX | By: passion@linux

The Systems Administrator can create, delete and modify logins for other users of the system. Each user must have a unique name within the local machine. Normally, users will need to have a password to prevent unauthorized access to the machine. Passwords can be set to expire after a given period, to give greater security.

Users can be grouped together. In a very simple system, there would be only two groups: the administrator and others. In more complex systems, you may need more groups. For example, in a university, you may want a group for lecturers, a group for students, and another group for accounts staff. It is possible to share files between users within a group while refusing access to users in other groups.

The administrator can allocate a home directory to a user. This is the directory he will be taken to when he first logs in. In this directory, a .profile script can be used to carry out initial tasks when he logs in. These could include setting the type and characteristics of his terminal, and setting the path to include the programs he will need to use.

Each user has a unique user ID number (UID). This can be allocated by the system, or by the administrator. UIDs 0 to 99 are reserved and should not be used.

Certain user names are also reserved for system use. These will differ from one version of Unix to another, but usually include root, adm, daemon and bin.

The shell command logins gives a list of user logins currently assigned within the system.