Linux System Administration - Brookdale Community...


Upload: votu

Post on 25-Mar-2018


Source: …ux.brookdalecc.edu/fac/engtech/andy/netw110/powerpoint/week05... (Page 1)

Slide 1: Linux System Administration - Creating User Accounts

Slide 2: Objective
At the conclusion of this module, the student will be able to:
• List the types of security policies that are key to a well-secured system
• Match the properties of a UNIX user account to their correct descriptions
• Describe the purpose and contents of the password file
• Enter the basic account properties into the password database
• Set up a home directory for a new account
• Use automated account creation to create a new user account
• Set password aging parameters in the password database
• Use groups to delegate administrative power and to allow users to share work
• Describe how system accounts are used to enhance security

Slide 3: Basic Security Issues
• The types of security policies that are key to a well-secured system:
• Authentication
  – the ability to prove a user's identity
• Strong passwords
  – one which has at least eight alphanumeric characters, combined with control characters, such as the following: ~ # _
• Auditing
  – create and monitor logs that track user activity
  – used to detect illegal system activity, not system user activity

Slide 4: Basic Security Issues
• In UNIX and Linux, authentication is accomplished during the login process when users give a user name and a password
  – User input is compared to the entry in the /etc/passwd file
• One way to manage authenticated users is to place them in groups
• Require strong permissions with the following:
  – Define specific groups
  – Assign group permissions based upon the Group ID (GID)
  – Place users into the groups

Slide 5: Strong Passwords
• The primary goal of any hacker is to obtain root access
• If a hacker can steal the /etc/passwd file, he/she can run a cracking program to identify the passwords
• SA can create scripts that enforce strong passwords
  – Passwords must have a minimum of eight alphanumeric characters
  – Passwords must contain at least one control character such as the following: ~ # _
• Such characters help protect against automated dictionary cracking programs designed to guess common words and names
• Password aging and account lockouts also are options
  – The disadvantage of password aging is that users tend to forget new passwords over time, or write them down, which defeats the security purpose of password aging
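The slide says an SA can script the strong-password rules; the following is an added example of such a check, written for these notes rather than taken from the Brookdale slides. It applies the policy exactly as stated above (at least eight alphanumeric characters plus at least one of ~ # _) and adds the dictionary test the slide mentions, using a small constructed word list in place of a real dictionary file. The function name check_password and the word list are this example's own.

```shell
#!/bin/sh
# Added example (not from the Brookdale slides): a minimal strong-password
# check of the kind the slide says an SA can script.
# Policy as stated on the slide: at least eight alphanumeric characters
# plus at least one of the characters ~ # _ ; the dictionary test below
# uses a constructed word list standing in for a real dictionary file.

DICT_WORDS="password
welcome
brookdale
linux
qwerty"

# check_password CANDIDATE
# Prints every reason the candidate fails, one per line; returns 0 on pass.
check_password() {
    pw=$1
    rc=0
    # Count alphanumeric characters only (tr deletes everything else).
    alnum_count=$(printf '%s' "$pw" | tr -cd '[:alnum:]' | wc -c | tr -d ' ')
    if [ "$alnum_count" -lt 8 ]; then
        echo "fewer than eight alphanumeric characters ($alnum_count)"
        rc=1
    fi
    # Require at least one of the slide's special characters: ~ # _
    case $pw in
        *[~#_]*) ;;
        *) echo "no special character from the set ~ # _"; rc=1 ;;
    esac
    # Dictionary test: lower-case, strip the specials, and compare against
    # each word with up to two trailing digits, so "Password#1" still fails.
    stripped=$(printf '%s' "$pw" | tr 'A-Z' 'a-z' | tr -cd '[:alnum:]')
    for w in $DICT_WORDS; do
        case $stripped in
            "$w"|"$w"[0-9]|"$w"[0-9][0-9]) echo "based on dictionary word '$w'"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: check_password 'correct~horse~battery' && echo accepted
```

Run against a candidate as shown in the usage line; a real deployment would read the dictionary from a file and hook the check into the password-change path (for example through a PAM module) rather than calling it by hand.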

Slide 6: Other Vulnerabilities
• It is appropriate to consider physical security such as making sure all systems are behind a secure firewall
• Various legacy UNIX protocols, such as NIS, NFS, and finger, are inherently non-secure
• sendmail, ftpd, and bind may pose security risks
  – certain versions can be made to crash and leave behind shells with full permissions

Slide 7: Creating a User Account
• Creating a Linux/UNIX user account has two parts:
  1. entry of the new account into the system's user database
  2. the creation of the resources
• Each new account will need:
  – a home directory /home/username
  – default login configuration files, e.g. /home/username/.bash_profile

Slide 8: Properties of a User Account
• A shell program
  – This is the shell that gets executed when the user logs in
  – Usually, it is the user's preferred interactive environment (/bin/sh, /bin/ksh, /bin/csh, or /bin/bash)
• May be modified by user
  – it also may be a special-purpose shell with limited capabilities
  – In Red Hat, all default shell files are stored in /etc/skel
  – Copied to /home/username by useradd tools

Slide 9: My Default .bash_profile in /etc/skel

    # .bash_profile

    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi

    # User specific environment and startup programs
    PATH=$PATH:$HOME:$HOME/bin

    export PATH
    unset USERNAME

    # The following are optional
    alias p='pwd'
    alias dir='ls -l'
    alias copy='cp'
    alias cls='clear'

Slide 10: Creating a User Account
User account information is stored in the system user database
• Depending on the version of Linux or UNIX, this database is stored in two or three files:
  – the group file - /etc/group
    • One user may be in multiple groups in addition to his/her own unique group
  – the password file - /etc/passwd
  – the shadow password file - /etc/shadow
• Shadow passwords are optional, and on by default in Red Hat
• In some older versions of UNIX the /etc/passwd file contained encrypted versions of the user's password in the password location
  – Did not create a separate shadow password file
• Shadow passwords use MD5 encryption by default in Red Hat
• In many *nix systems you turn shadow passwords on with pwconv or grpconv, and off with pwunconv or grpunconv

Slide 11: /etc/passwd
• /etc/passwd
  – is world-readable
  – contains a list of users, each on a separate line
  – On each line is a colon-delimited list containing the following information: username, password, User ID (UID), Group ID (GID), GECOS, home directory, shell

Slide 12: Properties of a User Account
• username
  – The name used to log on
    • An ASCII string that must not contain spaces
    • There is a length limit, but it is sufficiently long as to be irrelevant
    • Most organizations use a system such as the person's first initial, last name
• password
  – This is the user's login password
  – Options include password aging
  – All the complications in user account management come from the need to protect this field
• UID (User ID number)
  – UIDs must be globally unique
    • uniquely identifies the user on the system
  – This is the number stored in the file system to identify a file's owner, and in the kernel's process table to identify the owner of a process
    • stored internally in 32-bit fields
  – The lowest UID for a user is 500

Slide 13: Properties of a User Account
• GID (Group ID number)
  – The default group for this user
  – This group owns files this user creates
  – The lowest GID for a user is 500
  – Not unusual for the UID and the GID to be the same
• GECOS
  – Named for historical reasons
  – the GECOS field is optional and is used to store extra information (such as the user's full name)
  – Multiple entries can be stored here in a comma-delimited list
  – Utilities such as finger access this field to provide additional user information
• A home directory
  – This is the initial current directory for the user's login shell
  – /home/username

Slide 14: UID and GID
• UIDs and GIDs must be globally unique in your organization if you wish to share files and resources over a network
• There are two instances where the actual numeric value of a UID or GID has any specific meaning
  – A UID and GID of zero (0) is used for the root user
    • treated specially by granting access to everything automatically
  – UIDs and GIDs below 500 are reserved for system use
    • Not treated differently by Linux like UID 0
    • One use is they are assigned to daemons
• As new user accounts are added, the new user accounts should be assigned the first available UID and GID starting at 500
  – Done automatically when using useradd or GUI tools
  – If a number is skipped, standard tools do not fill any gaps
    • Next highest UID is assigned

Slide 15: /etc/passwd
• The password file, /etc/passwd, is an ASCII text file with colon-separated fields
  – It holds all publicly readable account information
• All user account information except the encrypted password data is stored here
  – This is necessary because processes must be able to convert UID numbers to user names and vice versa
  – processes may want to determine a user's home directory
• Each line of /etc/passwd lists a separate user with the following layout:
    username:x:UID:GID:Full Name:Home_Directory:Shell
• An example:
    andrewjr:x:500:500:Andrew H. Andersen:/home/andrewjr:/bin/bash
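As an added example (not part of the slides), the following audit script checks a file in /etc/passwd format against the properties described on slides 12 to 15: seven colon-separated fields, an "x" in the password field (the hash lives in /etc/shadow), numeric UID and GID, UID 0 belonging only to root, no duplicate UIDs, and regular users (UID 500 and up, the Red Hat convention on these slides) having a home directory under /home. The sample records are constructed for the example; the function name audit_passwd is this example's own. On a live system it would be run as audit_passwd /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the slides): audit /etc/passwd-format records for
# the account properties the slides describe. Reads from the file named in
# $1 so it can run against a constructed sample instead of the live file.

# audit_passwd FILE
# Prints "LINE<TAB>message" for every problem; exit status is the count.
audit_passwd() {
    awk -F: '
        function problem(msg) { printf "%d\t%s\n", NR, msg; problems++ }
        NF != 7 { problem("expected 7 fields, found " NF); next }
        $2 != "x" { problem($1 ": password field is not \"x\" (hash stored in passwd?)") }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { problem($1 ": UID/GID not numeric"); next }
        $3 == 0 && $1 != "root" { problem($1 ": UID 0 but not root") }
        ($3 in seen) { problem($1 ": UID " $3 " already used by " seen[$3]) }
        { seen[$3] = $1 }
        $3 >= 500 && $6 !~ /^\/home\// { problem($1 ": regular user without /home directory") }
        END { exit problems }
    ' "$1"
}

# Constructed sample in /etc/passwd format (not taken from any real system);
# it deliberately contains a second UID-0 account, a duplicate UID, a hash
# left in the password field, and a home directory outside /home.
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
andrewjr:x:500:500:Andrew H. Andersen:/home/andrewjr:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
bob:x:500:501:Bob:/home/bob:/bin/bash
carol:$1$abc$hashhere:502:502:Carol:/home/carol:/bin/bash
dave:x:503:503:Dave:/var/dave:/bin/bash
EOF

# Usage: audit_passwd "$PASSWD_SAMPLE"   (or: audit_passwd /etc/passwd)
```

The duplicate-UID and extra-UID-0 checks are the ones worth running regularly: a second UID-0 entry is indistinguishable from root to the kernel, and two logins sharing a UID share every file and process.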

Slide 16: /etc/shadow
• Because the /etc/passwd file must be world-readable, there is a risk involved in storing passwords in /etc/passwd even though the passwords are encrypted
• If a cracker downloads the password file, it is possible to perform attacks against passwords
• If the encrypted password is available in /etc/passwd:
  – A password-cracker generates potential passwords
  – Each potential password is then encrypted using the same algorithm as the system
  – The encrypted potential password is then compared against the encrypted passwords in /etc/passwd
• Encrypted passwords should be kept in a separate file that is readable only with root privileges

Slide 17: /etc/shadow
• Each user's information is on a separate line
• Each line is a colon-delimited list including the following:
  • Username
  • Encrypted password
    – Many more characters than the actual password (13 to 24 characters)
  • Date password last changed
  • Number of days before password can be changed
  • Number of days before a password change is required
  • Number of days warning before password change
  • Number of days before the account is disabled
  • Date since the account has been disabled
  • A reserved field (not used in Red Hat)
• An entry in the /etc/shadow file looks like the following:
    andrewjr:$1$kd8KYFGX$omfMRa4UF/SKXfM1QmeSW.:12590:0:99999:7:::
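The aging fields above are what chage (slide 21) writes; the added example below, which is not from the slides, reads them back from a shadow-format record and reports whether a password is in its warning window, expired, or not aged at all. Dates in /etc/shadow are days since 1970-01-01, so the "today" value is passed in as a day number to keep the results reproducible. The function name shadow_status is this example's own; the records other than the slide's andrewjr entry are constructed, with placeholder hashes. The LOCKED case relies on passwd -l prefixing the hash with "!" (a "*" hash likewise never matches), which is standard behaviour but not something the slides state.

```shell
#!/bin/sh
# Added example (not from the slides): password-aging status from
# /etc/shadow-format fields. Field order: user:hash:lastchg:min:max:warn:
# inactive:expire:reserved. Days are counted since 1970-01-01, as in the
# file. TODAY is passed in for reproducibility; on a live system use
# TODAY=$(( $(date +%s) / 86400 )).

# shadow_status RECORD TODAY
# Prints "USER OK <days-left>", "USER WARN <days-left>", "USER EXPIRED
# <days-over>", "USER NO-AGING" (max 99999 or lastchg empty) or
# "USER LOCKED" (hash starts with ! or *, as passwd -l sets it).
shadow_status() {
    rec=$1; today=$2
    user=$(printf '%s' "$rec" | cut -d: -f1)
    hash=$(printf '%s' "$rec" | cut -d: -f2)
    lastchg=$(printf '%s' "$rec" | cut -d: -f3)
    maxdays=$(printf '%s' "$rec" | cut -d: -f5)
    warn=$(printf '%s' "$rec" | cut -d: -f6)
    case $hash in
        '!'*|'*'*) echo "$user LOCKED"; return 0 ;;
    esac
    if [ -z "$lastchg" ] || [ -z "$maxdays" ] || [ "$maxdays" -ge 99999 ]; then
        echo "$user NO-AGING"; return 0
    fi
    expires=$((lastchg + maxdays))   # day on which a change becomes mandatory
    left=$((expires - today))
    if [ "$left" -lt 0 ]; then
        echo "$user EXPIRED $((0 - left))"
    elif [ "$left" -le "${warn:-0}" ]; then
        echo "$user WARN $left"
    else
        echo "$user OK $left"
    fi
}

# shadow_report FILE TODAY: one status line per record in a shadow-format file
shadow_report() {
    while IFS= read -r line; do
        [ -n "$line" ] && shadow_status "$line" "$2"
    done < "$1"
}

# Constructed sample records (placeholder hashes), plus the slide's example.
SHADOW_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
andrewjr:$1$kd8KYFGX$omfMRa4UF/SKXfM1QmeSW.:12590:0:99999:7:::
bob:$6$c0nstructed$placeholderhash:18950:1:90:7:::
carol:$6$c0nstructed$placeholderhash:18800:1:90:7:::
dave:!$6$c0nstructed$placeholderhash:18990:1:90:7:::
erin:$6$c0nstructed$placeholderhash:18915:1:90:7:::
EOF

# Usage: shadow_report "$SHADOW_SAMPLE" 19000   (root can run it on /etc/shadow)
```

Note that the slide's own entry, with a maximum of 99999 days, reports NO-AGING: that is the useradd default, so an account only gets aging once chage is applied to it.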

Slide 18: /etc/group
• Groups provide a mechanism for managing access to files and processes by, not surprisingly, groups of people
• Groups add useful flexibility to the account management system
• The group mechanism is managed by two pieces of information:
  – the password database /etc/passwd contains a default group ID (GID) for every user
  – the /etc/group file, which contains a list of group names, group ID numbers, and the members of the group
  – /etc/group is a text file with each line a record made of colon-separated fields

Slide 19: /etc/group
• group_name
  – The name of the group
• *
  – Placeholder used to hold an encrypted group password
  – These are no longer in use
  – field is still there for backwards compatibility
  – Can contain anything
  – * is a good traditional choice for this field
• GID
  – Numeric group identifier
• user_list
  – List of user names, separated by commas
• A typical group record has the form:
    faculty:*:700:user1,user2,user3,user10
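Because membership is split across the two files described on slide 18 (the default GID in the passwd file and the member lists in the group file), answering "which groups is this user in?" or "who is in this group?" needs both. The added example below, which is not from the slides, does each lookup over files passed as arguments so it can run on the constructed sample; the function names groups_of and members_of are this example's own. The second lookup is the one to use when reviewing who has been delegated administrative power through a group.

```shell
#!/bin/sh
# Added example (not from the slides): resolve group membership from both
# sources the slides describe, the primary GID in the passwd file and the
# member lists in the group file. Files are arguments so a constructed
# sample can be used; on a live system pass /etc/passwd and /etc/group.

# groups_of USER PASSWD_FILE GROUP_FILE
# Prints the user's groups, primary group first, then supplementary ones.
groups_of() {
    awk -F: -v user="$1" '
        FNR == NR { if ($1 == user) gid = $3; next }      # passwd: primary GID
        {
            if ($3 == gid) primary = $1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user && $1 != primary) supp = supp " " $1
        }
        END {
            if (primary != "") print primary
            n = split(supp, list, " ")
            for (i = 1; i <= n; i++)
                if (!(list[i] in seen)) { print list[i]; seen[list[i]] = 1 }
        }
    ' "$2" "$3"
}

# members_of GROUP PASSWD_FILE GROUP_FILE
# Prints every member, including users whose primary GID is this group,
# which the group file alone does not show.
members_of() {
    awk -F: -v group="$1" '
        FNR == NR { primary[$3] = primary[$3] " " $1; next }   # users by GID
        $1 == group {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") out[m[i]] = 1
            k = split(primary[$3], p, " ")
            for (i = 1; i <= k; i++) out[p[i]] = 1
        }
        END { for (u in out) print u }
    ' "$2" "$3" | LC_ALL=C sort
}

# Constructed sample files (not from any real system); the faculty record is
# the slide's example, and user3 has faculty as primary group but is not
# listed in its member list.
PASSWD_SAMPLE=$(mktemp); GROUP_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:500:500:User One:/home/user1:/bin/bash
user2:x:501:501:User Two:/home/user2:/bin/bash
user3:x:502:700:User Three:/home/user3:/bin/bash
user10:x:503:503:User Ten:/home/user10:/bin/bash
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
root:x:0:
wheel:x:10:user1
user1:x:500:
user2:x:501:
faculty:*:700:user1,user2,user3,user10
user10:x:503:
EOF

# Usage: groups_of user1 "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
#        members_of wheel "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```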

Slide 20: Password Management
• Password Aging
  – administrator sets the maximum and minimum days between mandatory password changes
  – may involve setting an account to expire on a certain date
    • expiring an account if it remains inactive for some time
    • setting grace periods for the above time restrictions
• Password Checking
  – passwords are checked for strength
  – may impose the requirement that the password contains a certain number of non-alphabetic characters
  – set the minimum number of characters
  – check the password against standard cracking programs to see if it can be broken by a dictionary attack

Slide 21: Forced Password Expiration
• chage
  – changes the number of days between password changes and the date of the last password change
  – used by the system to determine when a user must change her password
• Instruction syntax:
    chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user

Slide 22: Adding Users
• useradd (also adduser in Red Hat)
  – adds a new user login on the system
• Syntax:
    useradd [-c comment] [-d dir] [-e expire] [-f inactive] [-g group] [-G group[,group...]] [-m [-k skel_dir]] [-u uid [-o]] [-s shell] [-A authorization[,authorization...]] [-P profile[,profile...]] [-R role[,role...]] [-p projname] login
    useradd -D [-b base_dir] [-e expire] [-f inactive] [-g group] [-p projname]

Slide 23: Changing Passwords
• As user:
    passwd
  – Enter old password
  – Enter new password twice
• As root or su:
    passwd username
  – Enter new password twice
• To lock a user's account, use the -l option:
    passwd -l username
• To force a user to change password at next login:
    chage -d 0 username
  – The -d 0 option tricks the system into thinking the password has expired
  – States that the password has expired and prompts for a new password
  – May be used when creating new accounts to force the new user to change the password on first login
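Slides 7, 21, 22 and 23 together describe one procedure: validate and create the account (database entry plus a home directory copied from /etc/skel), set aging with chage, and force a change at first login with chage -d 0. The added example below, written for these notes and not taken from the slides, puts that procedure into a single script. useradd and chage need root, so the script has a DRY_RUN mode that prints the commands instead of running them; the login-name rule, the 90/1/7-day aging values, and the function names make_account, valid_login and run are this example's choices.

```shell
#!/bin/sh
# Added example (not from the slides): the account-creation procedure as one
# script. useradd/chage require root; with DRY_RUN=1 the commands are printed
# instead of executed, which also lets a non-root user exercise the logic.

DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute, or just print when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# valid_login NAME: lower-case letters, digits, _ and -, starting with a letter
# or underscore, 1-32 characters, no spaces (the slide: ASCII, no spaces).
# This rule is the example's choice; useradd itself accepts a similar set.
valid_login() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# make_account LOGIN "FULL NAME" [SHELL]
make_account() {
    login=$1; fullname=$2; shell=${3:-/bin/bash}
    if ! valid_login "$login"; then
        echo "invalid login name: '$login'" >&2
        return 2
    fi
    # Refuse to touch an existing account (skipped in dry-run mode).
    if [ "$DRY_RUN" != 1 ] && getent passwd "$login" >/dev/null; then
        echo "account already exists: $login" >&2
        return 3
    fi
    # Part 1, the database entry, and part 2, the resources: -m creates
    # /home/LOGIN and -k /etc/skel copies the default login files into it.
    run useradd -m -k /etc/skel -c "$fullname" -s "$shell" "$login" || return 1
    # Password aging: change required every 90 days, at most once a day,
    # warning 7 days ahead (values chosen for this example).
    run chage -M 90 -m 1 -W 7 "$login" || return 1
    # Force a new password at the first login, as slide 23 describes.
    run chage -d 0 "$login" || return 1
}

# Usage (as root):       make_account andrewjr "Andrew H. Andersen"
# Usage (preview only):  DRY_RUN=1 make_account andrewjr "Andrew H. Andersen"
```

Because chage -d 0 expires the password immediately, the account is unusable until the initial password is set with passwd username (slide 23) and the user logs in to replace it, which is the intended state for a freshly provisioned account.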

Slide 24: Removing Users
• userdel username
  – delete a user's login from the system
  – Does not delete the user's home directory
• Option -r
  – Remove the user's home directory from the system
  – all files and directories under the home directory will no longer be accessible following successful execution of the command
  – Usually not used since others may be sharing files with the user
• userdel -r username
  – delete a user's login from the system
  – deletes the user's home directory

Slide 25: groupadd
• A group is a way to organize users on any *nix-based machine
  – Group members may share files and directories
  – You must have root access to add a group
• Groups are created with the groupadd command
  – add (create) a new group definition on the system
    groupadd [-g gid [-o]] groupname
  – -g gid: assigns the group id gid for the new group
  – -o: allows the gid to be duplicated (non-unique)
• Groups are modified with groupmod
    groupmod -g gid -n newgroupname groupname
  – -g changes the GID
  – -n changes the group name (the new name comes before the existing name)
• Groups are deleted with groupdel
    groupdel groupname

Slide 26: Permissions and Access Bits
• Access to a file or other resource is based on permissions that are given or removed at the owner, group, and other levels
• Every file and directory has a basic set of 9 access permission bits (in binary), each of which can be set or cleared
• The 9 access permission bits are divided into 3 sets of 3 bits
• The 3 sets are user, group, and other
• The 3 permission bits are read, write, execute
  – The permission bits may be displayed or set as a three-digit octal number or a 9-bit number
• The permission bits may also be displayed as rwxrwxrwx
  – If a bit is set, you see its letter
  – If a bit is not set, it is displayed as a -

Slide 27: Permissions and Access Bits
• Because the largest octal value possible (rwx) is 7, each set of permission bits may be represented by a single octal digit
• The collection of all three sets of rwx bits may be represented as a three-digit octal number
    rwxrw-r-- = 764
    r-xr--r-- = 544
    rwx------ = 700
• As a file is created, the permission bits are initially set by the 3-digit octal value of umask
• If we assume all bits in all three sets are set (777), umask would apply an XOR of all permission bits set with the umask bits
  – Wherever the umask bit is 1, the permission bit is 0
  – Wherever the umask bit is 0, the permission bit is 1
  – If umask = 002, permissions = 775
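The following added example (not from the slides) computes the resulting mode for a given umask and converts octal modes to the rwx form used above. One caveat the slide's XOR description needs: the general rule the kernel applies is mode AND NOT umask. Starting from 777 that gives the same result as XOR, but most programs create plain files requesting 666, and 666 XOR 022 would be 644 only by coincidence of those bits; the code therefore uses AND NOT, which is right for any starting mode. Function names apply_umask and mode_to_rwx are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): permission arithmetic for umask and
# the octal/symbolic forms on slide 27. Uses only POSIX shell arithmetic;
# a leading 0 marks the arguments as octal inside $(( )).

# apply_umask BASE_MODE UMASK -> resulting mode as three octal digits.
# The rule is base AND NOT umask: every bit set in the umask is cleared.
apply_umask() {
    base=$((0$1)); mask=$((0$2))
    printf '%03o\n' $(( base & ~mask & 0777 ))
}

# mode_to_rwx MODE -> symbolic form, e.g. 764 -> rwxrw-r--
mode_to_rwx() {
    m=$((0$1)); out=""
    for shift in 6 3 0; do                    # user, group, other
        t=$(( (m >> shift) & 7 ))
        [ $((t & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((t & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((t & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    echo "$out"
}

# new_file_mode UMASK: what a plain file (requested as 666) and a directory
# (requested as 777) end up with under this umask.
new_file_mode() {
    echo "umask $1: file $(apply_umask 666 "$1") ($(mode_to_rwx "$(apply_umask 666 "$1")")), directory $(apply_umask 777 "$1") ($(mode_to_rwx "$(apply_umask 777 "$1")"))"
}

# Usage: new_file_mode 002 ; new_file_mode 022 ; mode_to_rwx 764
```

umask 022, the value the Red Hat /etc/bashrc snippet on slide 28 applies to system accounts, yields 644 files and 755 directories; 002, applied to ordinary users whose primary group is their own private group, yields 664 and 775.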

Slide 28: Changing Default Permissions
• In most versions of UNIX, the umask is set in /etc/profile
• In Red Hat, it is located in /etc/bashrc:
    if [ "`id -gn`" = "`id -un`" -a `id -u` -gt 99 ]; then
        umask 002
    else
        umask 022
    fi
• To change the defaults, edit bashrc, change the values, save and exit
• Users may change their default value with the command
    umask maskvalue

Slide 29: Changing Permissions
• Only the owner or root can change permissions on a file or directory
• The chmod utility modifies the file mode bits of the listed files as specified by the mode operand
• There are numerous ways it may be applied
• If the group and the world have read permission only (744), to give them execute permission on index.html, use either of the commands
    chmod 755 index.html
    chmod go+x index.html
• To remove execute permissions from the group and other, execute the command:
    chmod 744 index.html
    chmod go-x index.html

Slide 30: Checking File Permissions
• The easiest way to check file permissions is with the ls -l command
• The output of this command would look like the following:
    -rwxr-xr-x 1 root root 225 Jun 8 11:38 greet
    -rwxr-xr-x 1 root root  87 Jun 8 13:05 hello
    -rwxr-xr-x 1 root root  24 Jun 8 11:24 nu
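Reading the symbolic column back into the octal number chmod takes is the reverse of slide 27's table, and it is the step behind the usual permission audit. The added example below (not from the slides) converts the mode column of ls -l output to octal and flags entries whose "other" set has the write bit, i.e. files anyone on the system can modify. The listing it reads is constructed from the slide's example plus two extra entries; function names rwx_to_mode, audit_listing and sample_audit are this example's own. The s/S/t/T characters ls prints for set-id and sticky bits are accepted (s and t count as execute) but the extra bits are not represented in the three-digit result.

```shell
#!/bin/sh
# Added example (not from the slides): convert the mode column of ls -l
# output to octal and flag world-writable entries. Reads stdin, so either
# a constructed listing or a real `ls -l` can be piped in.

# rwx_to_mode SYMBOLIC (9 characters, e.g. rwxr-xr-x) -> octal, e.g. 755
rwx_to_mode() {
    sym=$1; mode=0
    for i in 1 2 3 4 5 6 7 8 9; do
        ch=$(printf '%s' "$sym" | cut -c"$i")
        mode=$(( mode * 2 ))
        case $ch in
            [rwxst]) mode=$(( mode + 1 )) ;;   # s/t: set-id or sticky plus execute
            [-ST]) ;;                           # S/T: set-id or sticky without execute
            *) echo "unexpected character '$ch' in $sym" >&2; return 1 ;;
        esac
    done
    printf '%03o\n' "$mode"
}

# audit_listing: reads ls -l lines on stdin, prints "MODE TYPE NAME [WORLD-WRITABLE]"
audit_listing() {
    while read -r perms links owner group size mon day time name; do
        case $perms in
            total*|"") continue ;;            # the "total N" header and blank lines
        esac
        ftype=$(printf '%s' "$perms" | cut -c1)   # - file, d directory, l symlink ...
        sym=$(printf '%s' "$perms" | cut -c2-10)
        mode=$(rwx_to_mode "$sym") || continue
        flag=""
        case $sym in
            ???????w?) flag=" WORLD-WRITABLE" ;; # write bit in the "other" set
        esac
        echo "$mode $ftype $name$flag"
    done
}

# Constructed listing: the slide's entries plus a world-writable file and a
# group-writable directory (not output from any real system).
sample_audit() {
    audit_listing <<'EOF'
total 16
-rwxr-xr-x 1 root root 225 Jun 8 11:38 greet
-rwxr-xr-x 1 root root 87 Jun 8 13:05 hello
-rw-rw-rw- 1 andrewjr andrewjr 40 Jun 8 12:00 notes.txt
drwxrwxr-x 2 andrewjr faculty 4096 Jun 8 12:10 shared
EOF
}

# Usage: sample_audit          or:  ls -l /some/dir | audit_listing
```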

Slide 31: Linux Network Administration - Setting Disk Quotas

Slide 32: Objectives
• Identify block-based and inode-based quotas
• Define purpose to establish common quota practices and sizes
• Describe disk quota commands and files
• Enable partitions for disk quotas
• Use the mount, umount, quotacheck and quotaon commands
• Create user-based and group-based quotas using edquota
• Use quota and repquota to determine the status of quotas on a system

Slide 33: Blocks, Inodes and Quotas
• Disk quotas may be configured for individual users as well as user groups
• Used to impose limits on storage
  – This kind of flexibility makes it possible to give each user a small quota to handle personal files or a large quota for major projects
  – May enable group quotas to allow the projects
• Quotas may be set to control the number of disk blocks consumed as well as to control the number of inodes
  – Because inodes are used to contain file-related information, this allows control over the number of files that can be created

Slide 34: Configuring Disk Quotas
To implement disk quotas, use the following steps:
1. Unmount the filesystem
2. Enable quotas per file system by modifying /etc/fstab
3. Remount the filesystem
4. Create the quota files and generate the disk usage table
5. Assign quotas to users and groups

Slide 35: Enabling Quotas
• Assume root privileges
• Use a text editor to open /etc/fstab and verify the presence of, or add, the usrquota and/or grpquota options on the filesystems that require quotas
  – You may enable either one or both
  – We will only enable usrquota
• The following is an example fstab file:
    # This file is edited by fstab-sync - see 'man fstab-sync' for details
    LABEL=/1 / ext3 defaults 1 1
    LABEL=/boot1 /boot ext3 defaults 1 2
    none /dev/pts devpts gid=5,mode=620 0 0
    none /dev/shm tmpfs defaults 0 0
    LABEL=/home1 /home ext3 defaults,usrquota 1 2
    none /proc proc defaults 0 0
    none /sys sysfs defaults 0 0
    LABEL=SWAP-hda5 swap swap defaults 0 0
    /dev/hdc /media/cdrom auto pamconsole,fscontext=system_u:object_r:removable_t,ro,exec,noauto,managed 0 0
    /dev/fd0 /media/floppy auto pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0 0

Slide 36: Create the Partition Quota Configuration File
• The topmost directory of the filesystem where you wish to establish quotas needs
  – an aquota.user file to define quotas by user
  – an aquota.group file to define quotas by group
• We will enable only per-user quotas
• First, use touch to create an empty aquota.user file, and then enable read/write permissions only for root
• This requires root privileges, and is done as follows:
    touch /home/aquota.user
    chmod 600 /home/aquota.user

Slide 37: Initialize The Quota Table
• We must generate a quota table separate from the aquota files, which lists all the current allocations for each user on the file system
  – This table is automatically updated each time a file is modified
  – Linux compares the values in this table with the quota limitations the system administrator has placed in the aquota file
  – Will use this to determine whether the user has rights to increased disk usage
• The quota table initialization is done using the quotacheck command
  – You will receive an error the first time you enter the command as Linux will realize that the aquota file has not yet been created

Slide 38: Initialize The Quota Table
• Create the quota table as follows:
    quotacheck -vagum
    quotacheck: WARNING - Quotafile /home/aquota.user was probably truncated. Can't save quota settings...
    quotacheck: Scanning /dev/hda3 [/home] done
    quotacheck: Checked 185 directories and 926 files

Slide 39: Quota Parameters
• Blocks: The amount of space in 1K blocks the user is currently using
• Inodes: The number of files the user is currently using
• Soft Limit: The maximum blocks/inodes a quota user may have on a partition
  – The role of a soft limit changes if grace periods are used
    • When this occurs, the user is only warned that their soft limit has been exceeded
    • When the grace period expires, the user is barred from using additional disk space or files
  – When set to zero, limits are disabled
• Hard Limit: The maximum blocks/inodes a quota user may have on a partition when a grace period is set
  • Users may exceed a soft limit, but they can never exceed their hard limit

Slide 40: Edit the User's Quota Information
• Now we need to edit the user's quota information. This is done with the edquota command, which allows you to selectively edit a portion of the aquota.user file on a per-user basis
• The following command will invoke the vi editor
  – This will allow you to edit any of the fields
    edquota -u andrewjr
    Disk quotas for user andrewjr (uid 501):
      Filesystem   blocks   soft   hard   inodes   soft   hard
      /dev/hda3        40      0      0       24      0      0

Slide 41: Grace Periods
• The edquota -t command sets the grace period for each filesystem
• Edit group quotas with the edquota -g command
• The grace period is a time limit before the soft limit is enforced for a quota-enabled file system
  – Time units are seconds, minutes, hours, days, weeks, and months
  – There can be no spaces between the number and the unit of time measure
  – 7days is correct and 7 days is wrong
• This is an example of the edquota -t command:
    edquota -t
    Grace period before enforcing soft limits for users:
    Time units may be: days, hours, minutes, or seconds
      Filesystem   Block grace period   Inode grace period
      /dev/hda3    7days                7days

Slide 42: Quota Reports
• repquota lists quota usage limits of all users on the system
• Here is an example:
    repquota /home
    *** Report for user quotas on device /dev/hda3
    Block grace time: 7days; Inode grace time: 7days
                            Block limits                File limits
    User            used    soft    hard  grace    used  soft  hard  grace
    ----------------------------------------------------------------------
    root      --   52696       0       0           1015     0     0
    ...
    andrewjr          40       0       0             24     0     0
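Two checks from the quota procedure lend themselves to scripting: confirming that /etc/fstab carries the usrquota or grpquota option on the filesystem in question (slide 35, step 2 of slide 34), and reading a repquota report to find users who are over a soft limit, remembering that a soft limit of 0 means the limit is disabled (slide 39). The added example below is not from the slides; it reads both inputs from files so it runs on the constructed samples (the fstab is the slide's, the report extends the slide's with two over-limit rows). Function names fstab_has_option and over_soft_limit are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): two scripted checks for the quota
# procedure, both reading from files so they run without root or a
# quota-enabled filesystem.

# fstab_has_option FSTAB MOUNTPOINT OPTION -> exit 0 if OPTION is among the
# mount options of MOUNTPOINT, 1 otherwise. Comment lines are skipped.
fstab_has_option() {
    awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit !found }
    ' "$1"
}

# over_soft_limit REPORT -> "USER blocks USED/SOFT" and/or "USER inodes USED/SOFT"
# for each data row whose usage exceeds a non-zero soft limit. Data rows are
# recognised by the two-character flag column ("--", "+-", "-+", "++"); a
# grace column appears after the hard limit only when that limit is exceeded.
over_soft_limit() {
    awk '
        $2 ~ /^[-+][-+]$/ {
            user = $1; bused = $3; bsoft = $4
            i = 6
            if ($i !~ /^[0-9]+$/) i++          # skip the block grace column
            iused = $i; isoft = $(i + 1)
            if (bsoft > 0 && bused > bsoft) printf "%s blocks %d/%d\n", user, bused, bsoft
            if (isoft > 0 && iused > isoft) printf "%s inodes %d/%d\n", user, iused, isoft
        }
    ' "$1"
}

# Constructed samples: the slide's fstab, and a repquota report extended
# with two over-limit users (neither is output from a real system).
FSTAB_SAMPLE=$(mktemp); REPQUOTA_SAMPLE=$(mktemp)
cat > "$FSTAB_SAMPLE" <<'EOF'
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/1 / ext3 defaults 1 1
LABEL=/boot1 /boot ext3 defaults 1 2
LABEL=/home1 /home ext3 defaults,usrquota 1 2
none /proc proc defaults 0 0
EOF
cat > "$REPQUOTA_SAMPLE" <<'EOF'
*** Report for user quotas on device /dev/hda3
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --   52696       0       0           1015     0     0
andrewjr  --      40       0       0             24     0     0
bob       +-    1200    1000    2000  6days      30     0     0
carol     -+     300    1000    2000            120   100   200  3days
EOF

# Usage: fstab_has_option "$FSTAB_SAMPLE" /home usrquota && echo "usrquota set on /home"
#        over_soft_limit "$REPQUOTA_SAMPLE"      (live: repquota /home > report; over_soft_limit report)
```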