Administrator's Guide
• User name
• Encrypted password
• User ID
• Group ID
• Comment field
• Home directory
• Login program
Typically, the login program is a shell, such as /bin/sh, but it does not have to be a
shell. You can create a captive account—an account that logs a user directly into an
application—by identifying the application as the login shell.
Following is an example of restricting a user to run only the date command. The /etc/passwd entry is:
username:rc70x.4,sx2:20:1:run only date command:/home/date:/usr/bin/date
At the login prompt, a user enters username and the appropriate password. The date
command is executed and then the user is immediately logged out.
login:username
Password:xxxxxx
Tue Nov 14 18:38:38 PDT 2006
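The following is an added example, not part of the guide: a small sh audit that splits passwd-style records into the seven fields listed above and flags captive accounts, that is, entries whose login program is not a regular shell. The records are constructed (the username line is the page's own date-only example), and the KNOWN_SHELLS list is an assumption standing in for the system's /etc/shells.

```shell
# Added example (not from the guide): audit passwd-style entries for captive
# accounts, i.e. entries whose seventh field (login program) is not a shell.
# Sample records are constructed; "username" is the page's own captive account.
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
username:rc70x.4,sx2:20:1:run only date command:/home/date:/usr/bin/date
alice:x:101:20:Alice Example:/home/alice:/usr/bin/ksh
broken:x:102:20:missing field:/home/broken'

# Assumption: a fixed list of login shells stands in for the system's /etc/shells.
KNOWN_SHELLS='/sbin/sh /bin/sh /usr/bin/sh /usr/bin/ksh /usr/bin/csh'

# field_count ENTRY -> number of colon-separated fields (a valid entry has 7)
field_count() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# login_program ENTRY -> the seventh field, the program run at login
login_program() {
    printf '%s\n' "$1" | awk -F: '{ print $7 }'
}

# is_captive ENTRY -> "yes" if the login program is not a known shell, else "no"
is_captive() {
    prog=$(login_program "$1")
    for s in $KNOWN_SHELLS; do
        if [ "$prog" = "$s" ]; then echo no; return 0; fi
    done
    echo yes
}

# classify_entry ENTRY -> "invalid" (wrong field count), "captive" or "shell"
classify_entry() {
    if [ "$(field_count "$1")" -ne 7 ]; then
        echo invalid
    elif [ "$(is_captive "$1")" = yes ]; then
        echo captive
    else
        echo shell
    fi
}

# audit_passwd DATA -> one "user:classification" line per record
audit_passwd() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s:%s\n' "${line%%:*}" "$(classify_entry "$line")"
    done
}
audit_passwd "$SAMPLE_PASSWD"
```

Run against the real file with audit_passwd "$(cat /etc/passwd)" to list every account that drops the user into something other than a shell, which is worth reviewing whenever captive accounts are in use.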
2.1.4 Managing Group Accounts
When a group has to share or have access to project-related files, follow these steps to
ensure security:
1. Verify that each member has an entry in /etc/passwd.
2. Create an entry for the group in the /etc/group file.
3. Create a shared directory for the group.
drwxrwx--- root project /home/projects
4. Set the umask in each group member's ~/.profile. In the following example,
users in the group can read, write, and execute files, but no one else can:
umask u=rwx,g=rwx,o=
2.2 Authenticating Users During Login
To gain access to a system and its resources, users are required to log in. By controlling
access to the system, you can try to prevent unauthorized users from accessing the system.
However, even if unauthorized users do gain access, you can still prevent them from
running programs that consume resources and from accessing system data. This section
explains what happens during the login process from the time you type your user name
to the time you get a shell prompt.