path: root/chapter_09.xml
author    Alan Hicks <alan@lizella.net>  2010-05-01 14:17:18 -0400
committer Alan Hicks <alan@lizella.net>  2010-05-01 14:17:18 -0400
commit    dbca998ce52d78ce5e525e0d799adc83d580f66a (patch)
tree      c2a5ee10d4e488f77354f12e4c76a64615b94890 /chapter_09.xml
parent    8ec49bb2c5d0fd2d3ee8dd519e783002f3c8f9ec (diff)
download  slackbook-dbca998ce52d78ce5e525e0d799adc83d580f66a.tar.xz
Making room for new chapter and a few minor modifications.
Diffstat (limited to 'chapter_09.xml')
-rw-r--r--  chapter_09.xml  562
1 files changed, 186 insertions, 376 deletions
diff --git a/chapter_09.xml b/chapter_09.xml
index a0ab4d2..a2bb4e9 100644
--- a/chapter_09.xml
+++ b/chapter_09.xml
@@ -3,459 +3,269 @@
"/usr/share/xml/docbook/xml-dtd-4.5/docbookx.dtd">
<chapter>
-<title>Filesystem Permissions</title>
+<title>Users and Groups</title>
<section>
-<title>Permissions Overview</title>
+<title>What Are Users and Groups?</title>
<para>
-As we've discussed, Slackware Linux is a multi-user operating system.
-Because of this, its filesystems are mutli-user as well. This means
-that every file or directory has a set of permissions that can grant or
-deny privileges to different users. There are three basic permissions
-and three sets of permissions for each file. Let's take a look at an
-example file.
+Slackware Linux inherits a strong multi-user tradition from its UNIX
+inspiration. This means that multiple people may use the system at
+once, but it also means that each of these people may have different
+permissions. This allows users to prevent others from modifying their
+files, or lets system administrators explicitly define what users can
+and cannot do on the system. Moreover, users need not be actual people
+at all. In fact, Slackware includes several dozen pre-defined user
+and group accounts that are not typically used by regular users. Rather
+these accounts allow the system administrator to segment the system for
+security reasons. We'll see how that's done in the next chapter on
+filesystem permissions.
</para>
-<screen><prompt>darkstar:~$ </prompt><userinput>ls -l /bin/ls</userinput>
--rwxr-xr-x 1 root root 81820 2007-06-08 21:12 /bin/ls
-</screen>
+</section>
+
+<section>
+<title>Managing Users and Groups</title>
<para>
-Recall from chapter 4 that <application>ls</application> <arg>-l</arg>
-lists the permissions for a file or
-directory along with the user and group that "own" the file. In this
-case, the permissions are rwxr-xr-x, the user is root and the group is
-also root. The permissions section, while grouped together, is really
-three seperate pieces. The first set of three letters are the
-permissions granted to the user that owns the file. The second set of
-three are those granted to the group owner, and the final three are
-permissions for everyone else.
+The easiest way to add new users in Slackware is through the use of our
+very fine <application>adduser</application> shell script.
+<application>adduser</application> will prompt you to enter the details
+of the new user you wish to creature and step you through the process
+quickly and easily. It will even create a password for the new user.
</para>
-<table pgwide="0">
-<title>Permissions of /bin/ls</title>
-<tgroup cols="3">
- <thead>
- <row>
- <entry>Set</entry>
- <entry>Listing</entry>
- <entry>Meaning</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>Owner</entry>
- <entry>rwx</entry>
- <entry>The owner "root" may read, write, and execute</entry>
- </row>
- <row>
- <entry>Group</entry>
- <entry>r-x</entry>
- <entry>The group "root" may read and execute</entry>
- </row>
- <row>
- <entry>Others</entry>
- <entry>r-x</entry>
- <entry>Everyone else may read and execute</entry>
- </row>
- </tbody>
-</tgroup>
-</table>
+<screen><prompt>darkstar:~# </prompt><userinput>adduser</userinput>
-<para>
-The permissions are pretty self explainatory of course, at least for
-files. Read, write, and execute allow you to read a file, write to it,
-or execute it. But what do these permissions mean for directories?
-Simply put, the read permissions grants the ability to list the
-directory's contents (say with <application>ls</application>). The write
-permission grants the ability to create new files in the directory as
-well as delete the entire directory, even if you otherwise wouldn't be
-able to delete some of the other files inside it. The execute
-permission grants the ability to actually enter the directory (with the
-<application>bash</application> built-in command cd for example).
-</para>
+Login name for new user []: <userinput>david</userinput>
-<para>
-Let's look at the permissions on a directory now.
-</para>
+User ID ('UID') [ defaults to next available ]:
-<screen><prompt>darkstar:~$ </prompt><userinput>ls -ld /home/alan</userinput>
-drwxr-x--- 60 alan users 3040 2008-06-06 17:14 /home/alan/
-</screen>
+Initial group [ users ]:
+Additional UNIX groups:
-<para>
-Here we see the permissions on my home directory and its ownership. The
-directory is owned by the user alan and the group users. The user is
-granted all rights (rwx), the group is granted only read and execute
-permissions (r-x), and everyone else is prohibited from doing anything.
-</para>
+Users can belong to additional UNIX groups on the system.
+For local users using graphical desktop login managers such
+as XDM/KDM, users may need to be members of additional groups
+to access the full functionality of removable media devices.
-</section>
+* Security implications *
+Please be aware that by adding users to additional groups may
+potentially give access to the removable media of other users.
-<section>
-<title><application>chmod</application>,
-<application>chown</application>, and
-<application>chgrp</application></title>
+If you are creating a new user for remote shell access only,
+users do not need to belong to any additional groups as standard,
+so you may press ENTER at the next prompt.
-<para>
-So now that we know what permissions are, how do we change them? And
-for that matter, how do we assign user and group ownership? The answer
-is right here in this section.
-</para>
+Press ENTER to continue without adding any additional groups
+Or press the UP arrow to add/select/edit additional groups
+: <userinput>audio cdrom floppy plugdev video</userinput>
-<para>
-The first tool we'll discuss is the useful
-<application>chown</application>
-(1) command. Using <application>chown</application>, we can (you guessed
-it), change the ownership of a file or
-directory. <application>chown</application> is historically used only
-to change the user ownership, but can change the group ownership as well.
-</para>
+Home directory [ /home/david ]
-<screen><prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo</userinput>
-total 0
--rw-r--r-- 1 alan users 0 2008-06-06 22:29 a
--rw-r--r-- 1 alan users 0 2008-06-06 22:29 b
-<prompt>darkstar:~# </prompt><userinput>chown root /tmp/foo/a</userinput>
-<prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo</userinput>
-total 0
--rw-r--r-- 1 root users 0 2008-06-06 22:29 a
--rw-r--r-- 1 alan users 0 2008-06-06 22:29 b
-</screen>
+Shell [ /bin/bash ]
-<para>
-By using a colon after the user account, you may also specify a new
-group account.
-</para>
+Expiry date (YYYY-MM-DD) []:
-<screen><prompt>darkstar:~# </prompt><userinput>chown root:root /tmp/foo/b</userinput>
-<prompt>darkstar:~# </prompt><userinput> ls -l /tmp/foo</userinput>
-total 0
--rw-r--r-- 1 root users 0 2008-06-06 22:29 a
--rw-r--r-- 1 root root 0 2008-06-06 22:29 b
-</screen>
+New account will be created as follows:
-<para>
-<application>chown</application> can also be used recursively to change
-the ownership of all files and directories below a target directory.
-The following command would change all the files under the directory
-<filename>/tmp/foo</filename> to have their ownership set to root:root.
-</para>
+---------------------------------------
+Login name.......: david
+UID..............: [ Next available ]
+Initial group....: users
+Additional groups: audio,cdrom,floppy,plugdev,video
+Home directory...: /home/david
+Shell............: /bin/bash
+Expiry date......: [ Never ]
-<screen><prompt>darkstar:~# </prompt><userinput>chown -R root:root /tmp/foo/b</userinput></screen>
+This is it... if you want to bail out, hit Control-C. Otherwise, press
+ENTER to go ahead and make the account.
-<para>
-Specifying a colon and a group name without a user name will simply
-change the group for a file and leave the user ownership intact.
-</para>
-<screen><prompt>darkstar:~# </prompt><userinput>chown :wheel /tmp/foo/a</userinput>
-<prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo</userinput>
-ls -l /tmp/foo
-total 0
--rw-r--r-- 1 root wheel 0 2008-06-06 22:29 a
--rw-r--r-- 1 root root 0 2008-06-06 22:29 b
-</screen>
+Creating new account...
-<para>
-The younger brother of <application>chown</application> is the
-slightly less useful <application>chgrp</application>(1). This
-command works just like <application>chown</application>, except
-it can only change the group
-ownership of a file. Since <application>chown</application> can
-already do this, why bother with
-<application>chgrp</application>? The answer is simple. Many other
-operating systems use a
-different version of <application>chown</application> that cannot
-change the group ownership, so
-if you ever come across one of those, now you know how.
-</para>
-<para>
-There's a reason we discussed changing ownership before changing
-permissions. The first is a much easier concept to grasp. The tool for
-changing permissions on a file or directory is
-<application>chmod</application>(1). The syntax for it
-is nearly identical to that for <application>chown</application>, but
-rather than
-specify a user or group, the administrator must specify either a set of
-octal permissions or a set of alphabetic permissions. Neither one is
-especially easy to grasp the first time. We'll begin with the less
-complicated octal permissions.
-</para>
+Changing the user information for david
+Enter the new value, or press ENTER for the default
+ Full Name []:
+ Room Number []:
+ Work Phone []:
+ Home Phone []:
+ Other []:
+Changing password for david
+Enter the new password (minimum of 5, maximum of 127 characters)
+Please use a combination of upper and lower case letters and numbers.
+New password:
+Re-enter new password:
+Password changed.
+
+
+Account setup complete.
+</screen>
<para>
-Octal permissions derive their name from being assigned by one of eight
-digits, namely the numbers 0 through 7. Each permissions is assigned a
-number that is a power of 2, and those numbers are added together to
-get the final permissions for one of the permission sets. If this
-sounds confusing, maybe this table will help.
+The addition of optional groups needs a little explaining. Every user
+in Slackware has a single group that it is always a member of. By
+default, this is the "users" group. However, users can belong to more
+than one group at a time and will inherit all the permissions of every
+group they belong to. Typical desktop users will need to add several
+group memberships in order to do things like play sound or access
+removeable media like cdroms or USB flash drives. You can simply press
+the up arrow key at this section and a list of default groups for
+desktop users will magically appear. You can of course, add to or
+remove groups from this listing.
</para>
-<table pgwide="0">
-<title>Octal Permissions</title>
-<tgroup cols="2">
- <thead>
- <row>
- <entry>Permission</entry>
- <entry>Meaning</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>Read</entry>
- <entry>4</entry>
- </row>
- <row>
- <entry>Write</entry>
- <entry>2</entry>
- </row>
- <row>
- <entry>Execute</entry>
- <entry>1</entry>
- </row>
- </tbody>
-</tgroup>
-</table>
-
<para>
-By adding these values together, we can reach any number between 0 and
-7 and specify all possible permission combinations. For example, to
-grant both read and write privilages while denying execute, we would
-use the number 6. The number 3 would grant write and execute
-permissions, but deny the ability to read the file. We must specify a
-number for each of the three sets when using octal permissions. It's
-not possible to specify only a set of user or group permissions this
-way for example.
+Now that we've demonstrated how to use the interactive
+<application>adduser</application> program, lets look at some powerful
+non-interactive tools that you may wish to use. The first is
+<application>useradd</application>(8).
+<application>useradd</application> is a little less friendly, but much
+faster for creating users in batches. This makes it ideal for use in
+shell scripts. In fact, <application>adduser</application> is just such
+a shell script and uses <application>useradd</application> for most of
+the heavy lifting. <application>useradd</application> has many options
+and we can't explain them all here, so refer to its man page for the
+complete details. Now, let's make a new user.
</para>
-<screen><prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo/a</userinput>
--rw-r--r-- 1 root root 0 2008-06-06 22:29 a
-<prompt>darkstar:~# </prompt><userinput>chmod 750 /tmp/foo/a</userinput>
-<prompt>darkstar:~# </prompt><userinput>ls -l /tmp/foo/a</userinput>
--rwxr-x--- 1 root root 0 2008-06-06 22:29 a
+<screen><prompt>darkstar:~# </prompt><userinput>useradd -d /data/home/alan -s /bin/bash -g users -G audio,cdrom,floppy,plugdev,video alan</userinput>
</screen>
<para>
-<application>chmod</application> can also use letter values along with
-<keycap>+</keycap> or <keycap>-</keycap> to grant or deny permissions.
-While this may be easier to
-remember, it's often easier to use the octal permissions.
+Here I have added the user "alan". I specified the user's home
+directory as <filename>/data/home/alan</filename> and used
+<application>bash</application> as my shell. Also, I specified my
+default group as "users" and added myself to a number of useful groups
+for dekstop use. You'll note that <application>useradd</application>
+does not do any prompting like <application>adduser</application>.
+Unless you want to accept the defaults for everything, you'll need to
+tell <application>useradd</application> what to do.
</para>
-<table pgwide="0">
-<title>Alphabetic Permissions</title>
-<tgroup cols="2">
- <thead>
- <row>
- <entry>Permission</entry>
- <entry>Letter Value</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>Read</entry>
- <entry>r</entry>
- </row>
- <row>
- <entry>Write</entry>
- <entry>w</entry>
- </row>
- <row>
- <entry>Execute</entry>
- <entry>x</entry>
- </row>
- </tbody>
-</tgroup>
-</table>
-
-<table pgwide="0">
-<title>Alphabetic Users and Groups</title>
-<tgroup cols="2">
- <thead>
- <row>
- <entry>Accounts Affected</entry>
- <entry>Letter Value</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>User/Owner</entry>
- <entry>u</entry>
- </row>
- <row>
- <entry>Group</entry>
- <entry>g</entry>
- </row>
- <row>
- <entry>Others/World</entry>
- <entry>o</entry>
- </row>
- </tbody>
-</tgroup>
-</table>
-
<para>
-To use the letter values with <application>chmod</application>, you
-must specify which set to use them with, either "u" for user, "g" for
-group, and "o" for all others. You must also specify whether you are
-adding or removing permissions with the "+" and "-" signs. Multiple
-sets can be changed at once by seperating each with a comma.
+Now that we know how to add users, we should learn how to add groups.
+As you might have guessed, the command for doing this is
+<application>groupadd</application>(8).
+<application>groupadd</application> works in the same way as
+<application>useradd</application>, but with far fewer options. The
+following command adds the group "slackers" to the system.
</para>
-<screen><prompt>darkstar:/tmp/foo# </prompt><userinput>ls -l</userinput>
-total 0
--rw-r--r-- 1 alan users 0 2008-06-06 23:37 a
--rw-r--r-- 1 alan users 0 2008-06-06 23:37 b
--rw-r--r-- 1 alan users 0 2008-06-06 23:37 c
--rw-r--r-- 1 alan users 0 2008-06-06 23:37 d
-<prompt>darkstar:/tmp/foo# </prompt><userinput>chmod u+x a</userinput>
-<prompt>darkstar:/tmp/foo# </prompt><userinput>chmod g+w b</userinput>
-<prompt>darkstar:/tmp/foo# </prompt><userinput>chmod u+x,g+x,o-r c</userinput>
-<prompt>darkstar:/tmp/foo# </prompt><userinput>chmod u+rx-w,g+r,o-r d</userinput>
-<prompt>darkstar:/tmp/foo# </prompt><userinput>ls -l</userinput>
--rwxr--r-- 1 alan users 0 2008-06-06 23:37 a*
--rw-rw-r-- 1 alan users 0 2008-06-06 23:37 b
--rwxr-x--- 1 alan users 0 2008-06-06 23:37 c*
--r-xr----- 1 alan users 0 2008-06-06 23:37 d*
+<screen><prompt>darkstar:~# </prompt><userinput>groupadd slackers</userinput>
</screen>
<para>
-Which you prefer to use is entirely up to you. There are places where
-one is better than the other, so a real Slacker will know both inside
-out.
+Deleting users and groups is easy as well. Simply run the
+<application>userdel</application>(8) and
+<application>groupdel</application>(8) commands. By default,
+<application>userdel</application> will leave the user's home directory
+on the system. You can remove this with the <arg>-r</arg> argument.
</para>
</section>
<section>
-<title>SUID, SGID, and the "Sticky" Bit</title>
+<title>Other User and Group Tools</title>
<para>
-We're not quite done with permissions just yet. There are three other
-"special" permissions in addition to those mentioned above. They are
-SUID, SGID, and the sticky bit. When a file has one or more of these
-permissions set, it behaves in special ways. The SUID and SGID
-permissions change the way an application is run, while the sticky bit
-restricts deletion of files. These permissions are applied with
-<application>chmod</application>
-like read, write, and execute, but with a twist.
+Several other tools exist for managing users and groups. Perhaps the
+most important one is <application>passwd</application>(1). This
+command changes a user account's password. Normal users may change
+their own passwords only, but root can change anyone's password. Also,
+root can lock a user account with the <arg>-l</arg> argument. This
+doesn't actually shutout the account, but instead changes the user's
+encrypted password to a value that can't be matched.
</para>
<para>
-SUID and SGID stand for "Set User ID" and "Set Group ID" respectively.
-When an application with one of these bits is set, the application runs
-with the user or group ownership permissions of that application
-regardless of what user actually
-executed it. Let's take a look at a common SUID application, the humble
-<application>passwd</application> and the files it modifies.
+Another useful tool is <application>chsh</application>(1) which changes a
+user's default shell. Like <application>passwd</application>, normal
+users can only change their own shell, but the root user can change
+anyone's.
</para>
-<screen><prompt>darkstar:~# </prompt><userinput>ls -l /usr/bin/passwd \
- /etc/passwd \
- /etc/shadow</userinput>
--rw-r--r-- 1 root root 1106 2008-06-03 22:23 /etc/passwd
--rw-r----- 1 root shadow 627 2008-06-03 22:22 /etc/shadow
--rws--x--x 1 root root 34844 2008-03-24 16:11 /usr/bin/passwd*
-</screen>
-
<para>
-Notice the permissions on <application>passwd</application>. Instead of
-an <keycap>x</keycap> in the user's execute slot, we have an
-<keycap>s</keycap>. This tells us that
-<application>passwd</application> is a SUID program, and when we run
-it, the process will run as the user "root" rather than as the user
-that actually executed it. The reason for this is readily apparent as
-soon as you look at the two files it modifies. Neither
-<filename>/etc/passwd</filename> nor <filename>/etc/shadow</filename>
-are writeable by anyone other than root. Since users need to change
-their personal information, <application>passwd</application> must be
-run as root in order to modify those files.
+The last tool we're going to discuss is
+<application>chfn</application>(1). This is used to enter identifying
+information on the user such as his phone number and real name. This
+information is stored in the <filename>passwd</filename>(5) file and
+retrieved using <application>finger</application>(1).
</para>
-<para>
-So what about the sticky bit? The sticky bit restricts the ability to
-move or delete files and is only ever set on directories. Non-root
-users cannot move or delete any files under a directory with the sticky
-bit set unless they are the owner of that file. Normally anyone with
-write permission to the file can do this, but the sticky bit prevents
-it for anyone but the owner (and of course, root). Let's take a look at
-a common "sticky" directory.
-</para>
+</section>
-<screen><prompt>darkstar:~# </prompt><userinput>ls -ld /tmp</userinput>
-drwxrwxrwt 1 root root 34844 2008-03-24 16:11 /tmp
-</screen>
+<section>
+<title>Managing Users and Groups Manually</title>
<para>
-Naturally, being a directory for the storage of temporary files sytem
-wide, <filename>/tmp</filename> needs to be readable, writeable, and
-executable by anyone and everyone. Since any user is likely to have a
-file or two stored here at any time, it only makes good sense to
-prevent other users from deleting those files, so the sticky bit has
-been set. You can see it by the presence of the <keycap>t</keycap> in
-place of the <keycap>x</keycap> in the world permissions section.
+Like most things in Slackware Linux, users and groups are stored in
+plain-text files. This means that you can edit all the details of a
+user, or even create a new user or group simply by editing these files
+and doing a few other tasks like creating the user's home directory. Of
+course, after you see how this is done you'll appreciate just how
+simple the included tools make this task.
</para>
-<table pgwide="0">
-<title>SUID, SGID, and "Sticky" Permissions</title>
-<tgroup cols="3">
- <thead>
- <row>
- <entry>Permission Type</entry>
- <entry>Octal Value</entry>
- <entry>Letter Value</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry>SUID</entry>
- <entry>4</entry>
- <entry>s</entry>
- </row>
- <row>
- <entry>SGID</entry>
- <entry>2</entry>
- <entry>s</entry>
- </row>
- <row>
- <entry>Sticky</entry>
- <entry>1</entry>
- <entry>t</entry>
- </row>
- </tbody>
-</tgroup>
-</table>
-
<para>
-When using octal permissions, you must specify an additional leading
-octal value. For example, to recreate the permission on
-<filename>/tmp</filename>, we would use 1777. To recreate those
-permissions on <filename>/usr/bin/passwd</filename>, we would use 4711.
-Essentially, any time this leading fourth octet isn't specified,
-<application>chmod</application> assumes its value to be 0.
+Our first stop is the <filename>/etc/passwd</filename> file. Here, all
+the information about a user is stored, except for (oddly enough) the
+user's password. The reason for this is rather simple.
+<filename>/etc/passwd</filename> must be readable by all users on the
+system, so you wouldn't want passwords stored there, even if they are
+encrypted. Let's take a quick look at my entry in this file.
</para>
-<screen><prompt>darkstar:~# </prompt><userinput>chmod 1777 /tmp</userinput>
-<prompt>darkstar:~# </prompt><userinput>chmod 4711 /usr/bin/passwd</userinput>
+<screen>
+alan:x:1000:100:,,,:/home/alan:/bin/bash
</screen>
<para>
-Using the alphabetic permission values is slightly different. Assuming
-the two files above have permissions of 0000 (no permissions at all),
-here is how we would set them.
+Each line in this file contains a number of fields seperated by a
+colon. They are, from left to right: username, password, UID, GUID, a
+comment field, home directory, and shell. You'll notice that the
+password field for every entry is an <keycap>x</keycap>. That is
+because Slackware uses shadow passwords, so the actual encrypted
+password is stored in <filename>/etc/shadow</filename>. Let's take a
+look there.
</para>
-<screen><prompt>darkstar:~# </prompt><userinput>chmod ug+rwx,o+rwt /tmp</userinput>
-<prompt>darkstar:~# </prompt><userinput>chmod u+rws,go+x /usr/bin/passwd</userinput>
+<screen>
+alan:$1$HlR?M3fkL@oeJmsdLfhsLFM*4dflPh8:14197:0:99999:7:::
</screen>
+<para>
+The <filename>shadow</filename> file contains more than just the
+encrypted password as you'll notice. The fields here, again from left
+to right, are: username, encrypted password, last day the password was
+changed, days before the password may be changed again, how many days
+before the password expires, days that the account will be disabled
+after expiring, when the account was disabled, and a reserved field.
+You may notice on some accounts that the various "days" fields often
+include very large numbers. The reason for this is that Slackware
+counts time from the "Epoch" which is January 1, 1970 for historical
+reasons.
+</para>
+<para>
+To create a new user account, you'll just need to open these files
+using <application>vipw</application>(8). This will open
+<filename>/etc/passwd</filename> in the editor
+defined by your VISUAL variable or your EDITOR variable if VISUAL isn't
+defined. If neither is present, it will fall back to
+<application>vi</application> by default. If you pass the <arg>-s</arg>
+argument, it will open <filename>/etc/shadow</filename> instead. It's
+important to use <application>vipw</application> instead of using any
+other editor, because <application>vipw</application> will lock the
+file and prevent other programs from editing it right underneath your feet.
+</para>
-
-
-
+<para>
+That isn't all you'll need to do however; you must also create the
+user's home directory and change the user's password using
+<application>passwd</application>.
+</para>
</section>
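Review bot: the /etc/shadow field walkthrough in the new "Managing Users and Groups Manually" section skips a field; the sample entry `alan:$1$HlR?M3fkL@oeJmsdLfhsLFM*4dflPh8:14197:0:99999:7:::` has nine colon-separated fields but the prose names only eight, so the `7` (the warning period, i.e. days before expiry on which the user is warned) is left unexplained and should be inserted between "how many days before the password expires" and "days that the account will be disabled after expiring". In the same section, "username, password, UID, GUID, a comment field" should read GID; the `100` in the passwd sample is the group ID. The sample hash is evidently a hand-altered placeholder rather than a real crypt value; since the text presents it as "the actual encrypted password", either label it as made up or use an obviously fake form. The useradd example (`useradd -d /data/home/alan -s /bin/bash -g users -G audio,cdrom,floppy,plugdev,video alan`) does not pass `-m`, so /data/home/alan is never created; the later section already says a home directory must be created by hand when editing the files directly, and the same applies here, so add `-m` or a sentence saying so. The commit message ("Making room for new chapter and a few minor modifications") also understates this hunk, which drops the whole Filesystem Permissions chapter (permission tables, chmod/chown/chgrp, SUID/SGID/sticky) and replaces it with the Users and Groups chapter; the new text promises that material "in the next chapter", but nothing in this diff (limited to chapter_09.xml) shows it being re-added, so confirm it lands in the following chapter in the same commit or split the move from the rewrite. Minor spelling in added lines: "creature" (create), "lets" (let's), "removeable", "dekstop", "seperated", "shutout" (shut out).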