Who you are as a user on a Linux system is important to understanding what you can do. Just like Windows, Linux is a multi-user operating system, and not all users possess the same rights. There are three basic types of users on a Linux system: the root user, normal user accounts and service users.
The root user account is created by the operating system when it is installed. This user is the superuser who basically has complete control of the entire system. This means that great care should be taken to preserve the integrity of this account. One aspect of this care is to ensure that the root password is complex and changed on a regular basis. In addition, the root account should not be used to log into a server because if anyone gains access to the root account they have complete control of all services and information located on the server.
Service accounts such as apache, squid, cups, etc. are each created when the corresponding service is installed. Typically there is no need to change these accounts. Many of them cannot be used to log into the server at all. This is simply a security measure; it should not be changed, and it will not cause any problems.
Normal users are users created on the Linux system who have a home directory under /home. So if you had four users on the system called fred, jane, mary and tom, you would see the home directories /home/fred, /home/jane, /home/mary and /home/tom.
Normal users do not all have the same privileges. The first user created on the system can use a special command called “sudo” to gain root privileges, so that this account can be used to manage a server or desktop. Other users do not have these rights by default, nor can they gain them unless the root user grants them those special rights.
Typically users can do anything they want in their own home directories. They can create, copy or delete files and directories in their home. They also have the right to read just about any file on the entire Linux system. That means that they can read any of the configuration files in the /etc directory or any of the program listings in the /usr directory. Normal users can move all around the file system. There are very few limitations; one of them is the /root directory. No normal user is allowed to view or move into the /root directory, which is the home directory of the root user.
The implication for a normal user is that they can only save files or backups to their own home directory; they will not be able to save anywhere else.
When a user is created, the user is also made a member of a group with the same name. So when the user tom is created, the group tom is created immediately, with the user tom as its only member. Groups allow several users to share files if they need to. Here are a few examples.
Group   Members
tom     tom
mary    mary
fred    fred, tom, mary
In the examples above, each user is created and the group with their name is also created. However, when you look at the group fred both tom and mary have been added to that group so that fred, tom and mary could share files that were owned by the group.
A user’s login name must be unique and less than 32 characters. It may contain any characters except colons and new lines. Typically login names are lower case; some Linux distros require lower case. When you create login names, a consistent standard is important, as these names also determine what will be available for email addresses.
User passwords are encrypted and kept in a separate file, /etc/shadow, which is not readable by anyone but root. Passwords must be encrypted, which means they must be created with the passwd command or encrypted and then copied into the account. Editing accounts by hand, however, is full of opportunities for mistakes and should be avoided. Most Linux distributions use MD5 for this, which allows passwords of any length.
When users are created they get a login name for people to recognize, but the system uses a UID, or User Identification number. These numbers begin at either 500 or 1000 and are incremented by one for each new user. So if you create the user tom and tom is the first user to be created, he will have a UID of 1001.
In addition to the UID, a GID, or Group Identification number, is also created for each user name. On Ubuntu the GID is a private group, which means that no other users have read access to a user’s files. If tom is the first created user and his UID is 1001, he will also have a GID of 1001. Again, the numbers that relate to users are for the operating system. Here are some examples.
User   UID    GID
tom    1001   1001
mary   1002   1002
jane   1003   1003
fred   1004   1005
Note that the UID and the GID do not have to be the same. If you created a special group before you created fred then all the rest of the numbers will be out of sync which is not a problem but something you need to be aware of.
The root User
The root user is the superuser on the system. Root has access to all files and directories on the system and is able to configure all aspects of the system. The UID for root is 0, which you can see in /etc/passwd. There should only be one user with a UID of 0 on the system, as more than one could lead to serious security abuse. Many activities on the system are limited to the root user only. Creating device files, setting the hostname, configuring network interfaces and working with privileged network ports (below 1024) are examples of activities that can only be performed by root. This is a powerful and yet dangerous account, as root can make, and will make, mistakes that could take the system down.
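As an added example (not code from the original page), the shell functions below read passwd and group files in the layout the UID/GID and group tables above describe, and flag the condition this section calls out: a second account with UID 0. Every function takes file paths as arguments so it can be run against the constructed sample files the block creates (the users from the tables plus a made-up duplicate-root login named toor) rather than the live /etc/passwd and /etc/group. The 1000 to 59999 range used for "normal users" is the default UID_MIN/UID_MAX from /etc/login.defs on Debian and Ubuntu, assumed here.

```shell
#!/bin/sh
# Added example, not from the original page: inspect passwd/group data the way
# the UID, GID and group tables above describe it, and report any account other
# than root that has UID 0. All functions take file paths so they can run against
# constructed sample files instead of the real /etc/passwd and /etc/group.

# uid_table PASSWD -> prints "login UID GID" for every account, lowest UID first
uid_table() {
    awk -F: '{ print $1, $3, $4 }' "$1" | sort -k2,2n
}

# normal_users PASSWD -> logins in the normal-user UID range. 1000-59999 is the
# default UID_MIN..UID_MAX in /etc/login.defs on Debian/Ubuntu (assumed here).
normal_users() {
    awk -F: '$3 >= 1000 && $3 < 60000 { print $1 }' "$1"
}

# nologin_accounts PASSWD -> service accounts whose login shell refuses logins
nologin_accounts() {
    awk -F: '$7 ~ /nologin$/ || $7 ~ /\/false$/ { print $1 }' "$1"
}

# uid0_accounts PASSWD -> every login with UID 0; only root should appear
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# extra_uid0_count PASSWD -> number of UID-0 accounts that are not root
extra_uid0_count() {
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }' "$1"
}

# group_members GROUP PASSWD GROUPFILE -> every login in GROUP, space separated:
# users whose primary GID is the group's GID, plus the supplementary members in
# the group file's fourth field (that field does not repeat primary members).
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$3")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
        awk -F: -v g="$1" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$3"
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# make_samples -> writes constructed passwd and group files (the users from the
# tables above, the "special group" backup that pushed fred's GID to 1005, and a
# fake second UID-0 login "toor") into a temp directory and prints its path
make_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tom:x:1001:1001:Tom:/home/tom:/bin/bash
mary:x:1002:1002:Mary:/home/mary:/bin/bash
jane:x:1003:1003:Jane:/home/jane:/bin/bash
fred:x:1004:1005:Fred:/home/fred:/bin/bash
toor:x:0:0:constructed duplicate root:/root:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
tom:x:1001:
mary:x:1002:
jane:x:1003:
backup:x:1004:
fred:x:1005:tom,mary
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: report on the constructed files, then clean up
d=$(make_samples)
echo "User UID GID"; uid_table "$d/passwd"
echo "Normal users: $(normal_users "$d/passwd" | tr '\n' ' ')"
echo "No-login service accounts: $(nologin_accounts "$d/passwd" | tr '\n' ' ')"
echo "Members of group fred: $(group_members fred "$d/passwd" "$d/group")"
if [ "$(extra_uid0_count "$d/passwd")" -gt 0 ]; then
    echo "WARNING: UID 0 accounts besides root: $(uid0_accounts "$d/passwd" | grep -vx root | tr '\n' ' ')"
fi
rm -rf "$d"
```

Point the functions at /etc/passwd and /etc/group to run the same checks on a real system; extra_uid0_count returning anything but 0 is the finding to act on. Note that group_members combines both sources, because a user's primary group (the GID field in passwd) is never repeated in the member list of /etc/group.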
Best security practice is never to log in as root. When you log in as the administrator of a Linux system you need to recognize the danger of letting your session run as root: any access gained to the system as the root user gives an intruder complete control of the server. Logging in as a normal user means you must become root when needed, using the “su root” command. This protects the system while it is online: if the system is cracked while you are logged in as a regular user, much less damage can be done than if you were logged in as root with full access. The underlying issue is file and directory ownership and access. User Identification numbers (UIDs) and Group Identification numbers (GIDs) are mapped to each user and group and recorded in /etc/passwd and /etc/group, and they are used to determine ownership of and access to files and directories. In addition, users run processes, and the owner of a process can send it signals that affect its activity.
The root user is intended to run many commands that are not available to other users of the operating system. Here are several directories that are intended only for the root user:
/sbin – This directory contains commands for modifying disk partitions (fdisk), changing boot procedures (lilo), and changing system states (init).
/usr/sbin – This directory has commands for managing user accounts (adduser), configuring the mouse(mouseconfig) or keyboard (kbdconfig). Most daemon processes are also in this directory.
/bin and /usr/bin contain commands that both root and normal users use. For example, root uses /bin/mount to mount file systems, while a normal user can run the same command to list what is currently mounted.
The /usr/share/man/man8 directory lists many of the commands that are intended for use by the system administrator.
The command line interface will be either a terminal or an SSH window such as PuTTY. Here is an example of the GNOME terminal (Applications/Accessories/Terminal from the menu). It shows only text, but it does have a menu for changing the colour of the screen and text and for opening multiple terminals at one time.
If you log in from a PuTTY session on a Windows machine, or are logged into a TTY session on the Linux box, you will not have a graphical terminal and so will see text only; there are no menus or graphics of any kind. The text is exactly the same, as you can see in the next example. The biggest difference is that it will typically be a black screen with white text.
As you change users the prompt will show the change in user as you can see from these examples:
As you change to different servers the hostname will change. The hostname is a name that is applied to a server so that users and applications may refer to the server with a name and not an IP Address. An example would be of a hostname of ub instead of the IP Address 192.168.5.43. As you connect to different servers or workstations, this name will change. These names can be anything the system administrator would like to assign.
As you change location in the file system, the prompt will show the new location. The ~ symbol indicates that a user is in their home directory. Home directories in Linux live in the directory (Windows calls them folders) /home, so if fred is in his home directory he is really in /home/fred. Each user has a home directory named for the user. If fred changes location to /var, his prompt will reflect that change.
If mary changes to the /usr/share directory it will reflect that change.
If tom changes to the /usr/bin directory it will reflect that change.
And finally if jane moves to the / directory it will reflect that change.
Changes in location in the file system will list the location in the prompt. It is important that you use this as a clue to location especially when you begin to issue commands.
One of the major projects that Ubuntu is doing right for the whole Linux world is LTSP, Linux Terminal Server Project. The focus of this project is to create low cost networks using diskless computers. A diskless computer runs without a hard drive and can be an old box that is not powerful enough to run Windows any longer but could work great for a diskless system.
Many of the significant changes are part of the hard work from the people at LTSP.org and the Ubuntu distribution. LTSP 5 took me only 45 minutes to set up. I have been building LTSP servers for schools for 8 years now so I was greatly impressed. My first install took over 100 hours. It was very ugly back in those days having to configure the XWindow for each different video card. Today it is a project that people need to give a look at because of cost savings and savings with the central management features. If you purchase LTSP ready workstations, cost is $100-$300, they are almost plug-and-play. See the links for the few steps you need to take.
LTSP would be a great option for a small company wanting to move its users to Linux, because one central server can be configured to serve a number of desktops very well. The server is your major cost in this adventure, because you need the RAM and CPU power for all of the desktops. A dual XEON with 4 GB of RAM can run 100 computers. That is a significant cost saving. Even if you paid $5000 for the server and $200 apiece for the pre-built workstations, you end up with a major network (100 workstations) for around $30,000. That includes cables, switches, keyboards, mice and monitors. How many kids could benefit from computer access in schools? LTSP is the way to make it happen fast.
LTSP works so well because the whole operating system is transferred over the network to the diskless workstation.
Notable Changes in LTSP 5
There are several significant changes in LTSP 5 that make the system much more usable. Security is enhanced because the GUI is now exported using ssh -X rather than the old XDMCP; SSH offers encryption, of course, and is actually faster and safer. The remote connection is made with LDM, a Python application that connects using SSH, rather than the old KDM or GDM. NFS has been dropped and replaced with NBD. NBD, or Network Block Device, emulates a block device such as a hard drive over the network, which allows you to use that space either as swap or as network disk space.
The at command runs a script or command at a specified time. You use it by typing at followed by the time you want the job to run. This opens the at> prompt, where you enter the commands you want to run; when you are done, press Control+D. Unlike cron, these jobs run only once.
Here is the basic format for an at command:
at [-c | -k | -s] [-f filename] [-q queuename] [-m] -t time [date] [-l] [-r]
[-c | -k | -s]   the shell to use: C, Korn or Bourne
-f filename      read the job from a file instead of the at> prompt, for example a bash shell script you created to be run by at
-m               send mail to the user when the job completes (sent by default with /usr/sbin/sendmail)
-l               list jobs (the same as atq)
-d jobnumber     delete a job (an alias for atrm)
-v               show the time a job will be executed
-c               cat the job to standard output
-t time          set the time for the job to run, in [[CC]YY]MMDDhhmm format
-q queue         the a queue is reserved for at and the b queue for batch; using a later queue letter increases the job's niceness, which means it has lower priority
-V               print the version number
The time can be followed by a date in MMDDYY, MM/DD/YY or MM.DD.YY format, or you can give now + count units, where units is minutes, hours, days or weeks; for example, now + 3 days.
Who can use at is controlled by /etc/at.allow and /etc/at.deny. If at.allow exists, only the users listed in it can use at. If at.deny exists and at.allow does not, everyone not listed in at.deny can use it. If neither file exists, only root can use it.
Here is an example of entering a job at the prompt:
at> mkdir test
Use atq to view pending jobs. This example shows that the user root has two jobs waiting:
2 2005-09-11 09:07 a root
at -d 1
This will delete job 1.
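The at.allow/at.deny decision and the -t time format described above, written as an added shell example (not code from the original page). The directory holding the two files is a parameter so the functions can be exercised against constructed files rather than /etc; the rules are implemented exactly as the page states them, and the comment that the real at(1) also admits root regardless of the files is an assumption noted rather than built in. The submit_at_job helper is a hypothetical wrapper name that hands a validated job to at -t and needs a running atd.

```shell
#!/bin/sh
# Added example, not from the original page: decide who may use at according to
# the at.allow / at.deny rules above, and sanity-check an at -t time value.
# DIR defaults to /etc; tests and the demo pass a constructed directory instead.

# at_allowed USER [DIR] -> exit 0 if USER may use at under the page's three rules.
# Assumption, not built in here: the real at implementation also admits root
# whatever the files say; keeping the rules literal makes each case visible.
at_allowed() {
    user=$1
    dir=${2:-/etc}
    if [ -f "$dir/at.allow" ]; then
        # at.allow exists: only the users listed in it may use at
        if grep -qxF "$user" "$dir/at.allow"; then return 0; fi
        return 1
    fi
    if [ -f "$dir/at.deny" ]; then
        # at.deny exists and at.allow does not: everyone not listed may use at
        if grep -qxF "$user" "$dir/at.deny"; then return 1; fi
        return 0
    fi
    # neither file exists: only root may use at
    if [ "$user" = root ]; then return 0; fi
    return 1
}

# valid_at_time SPEC -> exit 0 if SPEC is a well-formed [[CC]YY]MMDDhhmm value
# for at -t: digits only, 8, 10 or 12 of them, each field in range (the day is
# only range-checked, not checked against the month).
valid_at_time() {
    case $1 in
        *[!0-9]*|'') return 1 ;;
    esac
    case ${#1} in
        8|10|12) ;;
        *) return 1 ;;
    esac
    prefix=${1%????????}          # the optional [[CC]YY] part
    t=${1#"$prefix"}              # the MMDDhhmm part
    mm=${t%??????}; t=${t#??}
    dd=${t%????};   t=${t#??}
    hh=${t%??};     mi=${t#??}
    if [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] \
       && [ "$hh" -le 23 ] && [ "$mi" -le 59 ]; then
        return 0
    fi
    return 1
}

# submit_at_job SPEC COMMAND -> validate SPEC, then pipe COMMAND into at -t SPEC.
# Hypothetical wrapper; not run by the demo because it needs a working atd.
submit_at_job() {
    valid_at_time "$1" || { echo "bad -t time: $1" >&2; return 2; }
    printf '%s\n' "$2" | at -t "$1"
}

# Stand-alone run against a constructed stand-in for /etc
d=$(mktemp -d)
printf 'fred\nmary\n' > "$d/at.allow"    # constructed at.allow
for u in root fred tom; do
    if at_allowed "$u" "$d"; then echo "$u: may use at"; else echo "$u: may not use at"; fi
done
rm -rf "$d"
for spec in 200609021035 0609021035 200613021035; do
    if valid_at_time "$spec"; then echo "$spec: ok"; else echo "$spec: rejected"; fi
done
```

Run the demo and note that with an at.allow listing only fred and mary, root is reported as not allowed: that is what the page's rules say literally, and it is why at.allow should be written deliberately. For the practice lab, the job would be submitted as submit_at_job with the timestamp for 2006-09-02 10:35 and the command mkdir /root/test.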
Practice Lab: Using at
This is simply an easy practice exercise to get familiar with at.
To get at to work, the first thing you need to do is enter at in the terminal followed by a time.
Once you do this, an at> prompt will be shown on the screen. This is where you enter your command. So if you wanted to create a directory called test in the /root directory, enter this for the command:
at> mkdir /root/test
When you hit Enter, the at> prompt shows up again, waiting for a second command if you want to provide one. If you are only running one command, the next thing you do is press CTRL+D. This submits the job you entered and schedules it to run.
Once you press CTRL+D it will list the job (or jobs) now waiting to run. It will all look like this:
at> mkdir /root/test
job 1 at 2006-09-02 10:35
Now check to see if the /root/test directory was created.
Pausing downloads can be important if you’d like to start a download, close Firefox, and come back to the download at a later time. To do this simply open up Firefox and find a file you’d like to download.
After selecting Save File, your download begins automatically. Here we can see the status of the download along with two icons to the right of the status bar. The first is a pause icon and the second a stop sign. Press the pause icon to pause your download and come back to it later. Press the stop icon to stop the download completely.
After pressing the pause icon you will see that the download status stands still. The pause icon is now a play icon and clicking it will begin the download right where you left off.
This screen shot shows the download completed successfully.