The From-Powerup-To-BASH-Prompt-HOWTO does a good job of outlining the steps in the login process. Basically it works like this.
The init daemon starts a getty process on the terminal.
The getty program displays the contents of
/etc/issue
and prompts for a user name.
When the user name is entered, control is handed off to the login program.
The login program asks for a password and
verifies the credentials using /etc/passwd
,
/etc/group
and possibly
/etc/shadow
.
If everything is okay the user's shell is started.
The getty and login programs were already installed as part of the util-linux package so there is no need to download any new source code.
Details about virtual console device files can be found in the
Linux kernel source code file called devices.txt
in the Documentation
directory. We will need to
create tty1
through tty6
for
each of the virtual consoles as well as tty0
and
tty
to represent the current virtual
console.
The /etc/issue
file is pretty easy to
construct. It can contain any text we want displayed on the screen
prior to the login prompt. It could be something friendly like
"Welcome to Pocket Linux", something menacing like "Authorized users
only!" or something informational like "Connected to tty1 at 9600bps".
The agetty(8) manpage explains how to display information like tty
line and baud rate using escape codes.
The format of /etc/passwd
can be obtained
by reading the passwd(5) manpage. We can easily create a user account
by adding a line like "root::0:0:superuser:/root:/bin/sh" to the
file.
Maintaining passwords will be somewhat challenging because of
the system being loaded into ramdisk. Any changes to
/etc/passwd
will be lost when the system is
shutdown. So to make things easy, we will create all users with null
passwords.
The structure of /etc/group
is available
from the group(5) manpage. A line of "root::0:root" would define a
group called "root" with no password, a group id of zero and the user
root assigned to it as the only member.
User and group names and id's are generally not chosen at
random. Most Linux systems have very similar looking
/etc/passwd
and /etc/group
files. Definitions for commonly used user id and group id assignments
may be found in one of several places:
The /etc/passwd
and
/etc/group
files on any popular GNU/Linux
distribution.
The Debian Policy Manual -- available online at http://www.debian.org/doc/debian-policy.
The Linux Standard Base specification -- downloadable in many formats from http://www.linuxbase.org/spec/index.shtml.
Essential System Administration, 3rd Edition by Aeleen Frisch -- available at libraries, bookstores or directly from O'Reilly Publishing at http://www.oreilly.com/.
Running ldd on the login
program from util-linux will reveal that it is linked to the libraries
libcrypt.so.1
, libc.so.6
and
ld-linux.so.2
. In addition to these libraries there
is another, unseen dependency on libnss_files.so.2
and the configuration file
/etc/nsswitch.conf
.
The name service switch library
libnss_files.so.2
and
nsswitch.conf
are required for
libc.so.6
, and consequently the
login
program, to access the
/etc/passwd
file. Without libnss and its
configuration file, all logins will mysteriously fail. More information
about glibc's use of the name service switch libraries can be found at
http://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html.
Previously, with the single user system, there was no need to worry about permissions when installing directories, files and device nodes. The shell was effectively operating as root, so everything was accessible. Things become more complex with the addition of multiple user capability. Now we need to make sure that every user has access to what they need and at the same time gets blocked from what they do not need.
A good guideline for assigning ownership and permissions would be
to give the minimum level of access required. Take the
/bin
directory as an example. The Filesystem
Hierarchy (FHS) document says, "/bin
contains
commands that may be used by both the system administrator and by
users". From that statement we can infer that /bin
should have read and execute permission for everyone. On the other hand,
the /boot
directory contains files for the boot
loader. Chances are good that regular users will not need to access
anything in the /boot
directory. So the minimum
level of access would be read permission for the root user and other
administrators who are members of the root group. Normal users would
have no permissions assigned on the /boot
directory.
Most of the time we can assign similar permissions to all the commands in a directory, but there are some programs that prove to be exceptions to the rule. The su command is a good example. Other commands in the /bin directory have a minimum requirement of read and execute, but the su command needs to be setuid root in order to run correctly. Since it is a setuid binary, it might not be a good idea to allow just anyone to run it. Ownership of 0:0 (root user, root group) and permissions of rwsr-x--- (octal 4750) would be a good fit for su.
The same logic can be applied to other directories and files in the root filesystem using the following steps:
Assign ownership to the root user and root group.
Set the most restrictive permissions possible.
Adjust ownership and permissions on an "as needed" basis.