User management

5.6 Controlling user resources

Every system has a mixture of passive and active users.

Passive users utilize the system often minimally, quietly accepting the choices which have been made for them. They seldom place great demands on the system.

They do not follow the development of the system with any zeal and they are often not even aware of what files they have. They seldom make demands other than when things go wrong. Passive users can be a security risk, because they are not aware of their actions.

Active users, on the other hand, follow every detail of system development.

They frequently find every error in the system and contact system administrators frequently, demanding upgrades of their favorite programs. Active users can be of great help to a system administrator, because they test out problems and report them actively. They are an important part of the system administration team, or community, and can also go a long way to helping the passive users. An important point about active users, however, is that they are not authorized staff.

Principle 21 (Active users). Active users need to understand that, while their skills are appreciated, they do not decide system policy: they must obey it. Even in a democracy, rules are determined by process and then obeyed by everyone.

Skilled administrators need to be social engineers, placating active user wishes and keeping them in the loop, without bowing to their every whim. Individual skill amongst users does not necessarily carry with it responsibility to the whole system. System administrators have a responsibility to find a balance which addresses users’ needs but which keeps the system stable and functional. If we upgrade software too often, users will be annoyed. New versions of software function differently and this can hinder people in their work. If we do not upgrade often enough, we can also hinder work by restricting possibilities.

5.6.1 Resource consumption

Disks fill up at an alarming rate. Users almost never throw away files unless they have to. If one is lucky enough to have only very experienced and extremely friendly users on the system, then one can try asking them nicely to tidy up their files. Most administrators do not have this luxury however. Most users never think about the trouble they might cause others by keeping lots of junk around. After all, multi-user systems and network servers are designed to give every user the

impression that they have their own private machine. Of course, some users are problematical by nature.

Suggestion 6 (Problem users). Keep a separate partition for problem users’

home directories, or enforce strict quotas on them.

No matter what we do to fight the fire, users still keep feeding the flames. To keep hosts working it is necessary to remove files, not just add them. Quotas limit the amount of disk space users can have access to, but this does not solve the real problem. The real problem is that in the course of using a computer many files are created as temporary data but are never deleted afterwards. The solution is to delete them.

• Some files are temporary by definition. For example, the byproducts of compilation, *.o files, files which can easily be regenerated from source like TeX *.dvi files, cache files in .netscape/ loaded in by Netscape’s browser program etc.

• Some files can be defined as temporary as a matter of policy. For example, files which users collect for personal pleasure like *.mp3, video formats and pornography.

When a Unix program crashes, the kernel dumps its image to disk in a file called core. These files crop up all over the place and have no useful purpose for most users.¹ To most users they are just fluff on the upholstery and should be removed. A lot of free disk space can be reclaimed by deleting these files.

Many users will not delete them themselves, however, because they do not even understand why they are there.

Disk quotas mean that users have a hard limit to the number of bytes they are allowed to use on the disk. They are an example of a more general concept known as system accounting whereby you can control the resources used by any user, whether they be the number of printed pages sent to the printer or the number of bytes written to the disk. Disk quotas have advantages and disadvantages.

• The advantage is that users really cannot exceed their limits. There is no way around this.

• Disk quotas are very restrictive and when a user exceeds their limit they often do not understand what has happened. Usually users do not even get a message unless they are logging in. Quotas also prevent users from creating large temporary files which can be a problem when compiling programs.

They carry with them a system overhead, which makes everything run a little slower.

In some environments, the idea of deleting a user’s files is too much to contemplate.

In a company or research laboratory, one might want to be extremely careful in

1In some instances, core files have been used by malicious users to obtain secret information about the system that was held in memory prior to the crash.

such a practice. In other cases, like schools and universities, this is pure necessity.

Deciding whether to delete files automatically must be a policy decision. It might be deemed totalitarian to delete files without asking. On the other hand, this is often the only way to ever clear anything up. Many users will be happy if they do not have to think about the problem themselves. A tidy policy, rather than a quota policy, gives users a greater illusion of freedom, which is good for system morale.

We must naturally be careful never to delete files which cannot be regenerated or re-acquired if necessary. File tidying was first suggested by Zwicky in ref. [336], within a framework of quotas. See also refs. [134, 55].

Example 2. A useful strategy is to delete files one is not sure about only if they have not been accessed for a certain period of time, say a week. This allows users to use files freely as long as they need to, but prevents them from keeping the files around for ever. Cfengine can be used to perform this task.

For example a simple cfengine program would look like:

control:

actionsequence = ( tidy ) mountpattern = ( /site/host ) homepattern = ( home? )

#

# 3 days minimum, remember weekends

# tidy:

home pattern=core recurse=inf age=0

home pattern=a.out recurse=inf age=3

home pattern=*% recurse=inf age=3

home pattern=*~ recurse=inf age=3

home pattern=*.o recurse=inf age=1

home pattern=*.aux recurse=inf age=3

home pattern=*.mp3 recurse=inf age=14

home/Desktop/Trash pattern=* recurse=inf age=14 home/.netscape/cache pattern=* recurse=inf age=0

This script iterates automatically over all users’ home directories, and recurses into them, deleting files if the time since they were last accessed exceeds the time limits specified.

Care should always be taken in searching for and deleting patterns containing

‘core’. Some operating systems keep directories called core, while others have files called core.h. As long as the files are plain files with an exact name match, one is usually safe.

5.6.2 Quotas and limits in general

In a shared environment, all users share the same machine resources. If one user is selfish that affects all of the other users. Given the opportunity, users will consume all of the disk space and all of the memory and CPU cycles somehow, whether through greed or simply through inexperience. Thus it is in the interests of the user community to limit the ability of users to spoil things for other users.

One way of protecting operating systems from users and from faulty soft-ware is to place quotas on the amount of system resources which they are allowed.

• Disk quotas: Place fixed limits on the amount of disk space which can be used per user. The advantage of this is that the user cannot use more storage than this limit; the disadvantage is that many software systems need to generate/cache large temporary files (e.g. compilers, or web browsers) and a fixed limit means that these systems will fail to work as a user approaches his/her quota.

• CPU time limit: Some faulty software packages leave processes running which consume valuable CPU cycles to no purpose. Users of multiuser computer systems occasionally steal CPU time by running huge programs which make the system unusable for others. The C-shell limit cputime function can be globally configured to help prevent accidents.

• Policy decisions: Users collect garbage. To limit the amount of it, one can specify a system policy which includes items of the form: ‘Users may not have mp3, wav, mpeg etc. files on the system for more than one day’.

Quotas have an unpleasant effect on system morale, since they restrict personal freedom. They should probably only be used as a last resort. There are other ways of controlling the build-up of garbage.

Principle 22 (Freedom). Quotas, limits and restrictions tend to antagonize users. Users place a high value on personal freedom. Restrictions should be minimized or made inconspicuous to avoid a backlash. Workaround solutions which avoid rigid limits are preferable, if possible.

5.6.3 Killing old processes

Processes sometimes do not get terminated when they should. There are several reasons for this. Sometimes users forget to log out, sometimes poorly written terminal software does not properly kill its processes when a user logs out.

Sometimes background programs simply crash or go into loops from which they never return. One way to clean up processes in a work environment is to look for user processes which have run for more than a day. (Note that the assumption here is that everyone is supposed to log out each day and then log in again the next day – that is not always the case.) Cfengine can also be used to clean up old processes. Cfengine’s processes commands are used to match processes in the process table (which can be seen by running ps ax on Unix).

5.6.4 Moving users

When disk partitions become full, it is necessary to move users from old partitions to new ones.² Moving users is a straightforward operation, but it should be done with some caution. A user who is being moved should not be logged in while the move is taking place, or files could be copied incorrectly. We begin by looking for an appropriate user, perhaps one who has used a particularly large amount of disk space.

Example 3. On Unix-like systems we have all the tools we require:

cd /site/host/home-old du -s *

Having chosen a user, with username user, we copy the directory to its new location, tar cf - user | (cd /site/host/home-new; tar xpvf - )

edit the new location in the password file, emacs /etc/passwd

and finally remove the old data:

rm -r user

Users need to be informed about the move: we have to remember that they might hard-code the names of their home directories in scripts and programs, e.g. CGI-scripts. Also, the user’s account must be closed by altering their login shell, for instance, before the files are moved.

5.6.5 Deleting old users

Users who leave an organization eventually need to be deleted from the system.

For the sake of certainty, it is often advisable to keep old accounts for a time in case the user actually returns, or wishes to transfer data to a new location.

Whether or not this is acceptable must be a question of policy. Clearly it would be unacceptable for company secrets to be transferred to a new location. Before deleting a user completely, a backup of the data can be made for safe-keeping.

Then we have to remove the following:

• Account entry from the password database.

• Personal files.

• E-mail and voice mail and mailing lists.

• Removal from groups and lists (e.g. mailing lists).

• Removal of cron and batch tasks.

• Revocation of smartcards and electronic ID codes.

2Some systems might be equipped with virtual volume managers which provide the illusion of infinitely large partitions, but not everyone can afford this luxury.