Managing Local Linux Users and Groups

Objectives: Explain the role of users and groups on a linux system and how

they are understood by the computer. Run commands as the superuser to administer a linux system. Create,modify,lock and delete locally defined user accounts. Create,modify, and delete locally defined group accounts. Lock accounts manually or by setting a password­aging policy in the shadow

password files. Sections

1. Users Types of user Switching users with su command & id for user details Sudo command & /etc/sudoers file. Understanding /etc/passwd & /etc/shadow file. password hash Managing Local User Accounts using useradd,usermod,userdel,id,passwd

2. Groups Understanding /etc/group and /etc/gshadow file Managing Local Group Accounts Managing group password. Author Bipul kumar

User: Every process(running program) on the system runs as particular user. Every file is owned by a particular user. Types of user In general there are four types of user:

Root user i.e 0 Pseudo User System user Other user

Root user i.e 0 : Root user have power to override normal privileges on the file system and is used to manage and administer the system. In short it has power to damage the system, remove files and directories, remove user and accounts, add backdoors. Pseudo User: Normal user with special privilege to execute any command as a root user. System user: A system user is created default by OS during installation time or when you installed any packages and it runs as daemons in background. Ubuntu it’s range start from 100 ­ 999 Source /etc/adduser.conf Other user: Other users are created by root or sudo users. It has a limited access on the system.In Ubuntu it’s range start from 1000 ­ 29999. Source /etc/adduser.conf

Switching users with su command & id for user details su ­ Commands allows a user to switch to different user account.

su ­ <username> The command su <username> starts a non­login shell su ­ <username> start login shell.

The main distinction is su ­ sets up the shell environment as if this were a clean login as that user, while su just starts a shell as that user with current environment settings.

id command is used to show information about the current logged­in

user. $id #Current logged in user $id lucy #Other account

To view the user associated with a file or directory use the $ls ­l

To view process information, use the ps command and add a option

to view all process with a terminal. To view the user associated with a process include the u option. $ps au

sudo command & /etc/sudoers file. 1. The sudo command allows a user to be permitted to run command

as root, or as another user, based on setting in the /etc/sudoers 2. sudo requires users to enter their own password for authentication. 3. In ubuntu member of group admin can use sudo to run commands as

any user, including root. Similar in Fedora/Redhat wheel group. 4. All command executed by sudo users are logged in /var/log/secure 5. We use visudo command to edit /etc/sudoers file.

/etc/sudoers Files # This file MUST be edited with the 'visudo' command as root. # Cmnd alias specification # User privilege specification root ALL = (ALL:ALL) ALL ALL All terminal = All Console = All command # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d Question : Can we run any single /sbin command or root privileges command though normal user? Yes we can, let’s take an example adduser command

1. Login into the root account or sudo account 2. Create a normal user with password. 3. Go the the line number 20, and edit the line with

lucy ALL=(ALL) /usr/sbin/adduser 4. Now login into the lucy account, and you are done.

Question: Can we run any single /sbin command or root privileges command without password authentication? Yes we can, through following steps

1. Go to the below line root ALL = (ALL:ALL) ALL ALL and edit the line with lucy ALL=(ALL) NOPASSWD:ALL

2. Now login into the lucy account , and your are done. Question: Can we create user manually? Yes, we can

1. Open a file /etc/passwd via any file editor. And update the last line with following way vipul:x:2006:2009::/home/vipul:/bin/sh

2. Same open file /etc/group and update in last line vipul:x:2009: 3. Run pwck and grpck in verifies the integrity of the users and

authentication information. 4. Reset the password through encrypted

#echo YourPassword | openssl passwd ­1 ­stdin #usermod ­p <copy of encrypted text> vipul

You are done.

Understanding /etc/passwd & /etc/shadow file. A system uses simple flat file that is /etc/passwd file to store information about local users. The format of /etc/passwd follows seven colons separated fields.

The format of /etc/passwd follows(Seven colon separated fields) 1 username:2 password:3 UID:4 GID:5 GECOS:6 /home/dir:7 shell 1. Username: It is a mapping of a UID to a name for the benefit of human users. 2. Password: Historically, a password where kept in an encrypted

format Today they are kept in separate file called /etc/shadow

3. UID: It is a user ID, a number that identifies the user at the most fundamental level. 4. GID: It is the user ‘s primary group ID number. 5. GECOS It is arbitrary text, which includes user details and real name. 6. /home/dir It is the location of users personal data and configuration

files. 7. Shell It is a program that runs as the user logs in. For a regular user,

this is the normally the program that provides the users command line prompt.

/etc/shadow file. In older days, encrypted passwords were stored in readable /etc/passwd file. But due to security flaws, the encrypted passwords or password hashes is moved to /etc/shadow file. Which also allow password aging and expiration features to be implemented. The format of /etc/shadow follows(nine colon­separated fields)

1. Name This must be a valid account name of the system. 2. Password It is in encrypted format, if it start with ! mark means it’s

locked. 3. Lastchange The date at which last password changed. 4. Minage Minimum number of days before password may changed. 5. Maxage Maximum number of days before password must change. 6. Warning Warning period at which password expired. 0 means no

warning given. 7. Inactive The number of days an account remains active after

password has expired. A user may log into the system and change his password. After that specified number of days, the account is locked, becoming inactive.

8. Expire The account expiration date 9. Blank: It is used for future use.

Managing user password / Password hash In older days, encrypted passwords were stored in world­readable /etc/passwd file.But due to security concern, the encrypted password or password hashes were moved to more secure /etc/shadow file. Which also allow password aging and expiration features to be implemented. When a user tries to login , the system looks up the entry for the user in /etc/shadow. It combines the salt value and plain password you enter, and encrypt them with hashing algorithm. If the result matches with store encrypted hash at /etc/shadow then successful login into the system, otherwise authentication get failed. There are three pieces of information stored in a modern password hash.

1. Hashing algorithm. 2. Hash Salt . 3. Encrypted hash.

$6$AmdWnEdR$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.

$6 It has SHA­512 hashing algorithm. $AmdWnEdR Salt value which is combined with password to

increase hash strength. $c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.

: It’s your password + salt value in encrypted format to make it Encrypted hash. Source #Shadow_file

Managing Local User Accounts using useradd/adduser,usermod, userdel, id,passwd,gpasswd To create user account on Linux system, we use adduser(Debian) or useradd (Fedora). #adduser <User> #useradd ­u 7777 ­g bipul ­G root ­d /home/bipul ­S /bin/bash ­c “dba” bipul Make useradd command changes from here /etc/default/useradd #for i in user1..9;do adduser $i; done Deleting user #userdel ­r <User> #for i in user1..9;do userdel ­r $i; done Creating/Updating password for user.We use passwd #passwd <User> #echo “hacker” | passwd ­­stdin <user> Locking the password for user #passwd ­l <User> To unlock the password #Passwd ­u <User> To check the status of the password #passwd ­S <User> To delete the password #passwd ­d <User> To modify a user account we use usermod command. To change the password without passwd command #encrypted=(echo "newpassword" | openssl passwd ­1 ­stdin);sudo usermod ­p $encrypted To lock the user account #usermod ­L <User> To Unlock the user account. #usermod ­U <User>

Assigning a primary group. #usermod ­g admin bipul Assigning a secondary group. #usermod ­G samba bipul Assigning more then one secondary group #usermod ­aG dba bipul Remove secondary group dba from bipul #gpasswd ­d dba bipul

Groups Like user, group have name and number and it is divided into two parts:

1. Primary group. 2. Secondary group.

Understanding /etc/group and /etc/gshadow file Local group or primary groups are defined in /etc/group 1 groupname: 2 password:3 GID:4 List of user in the group 1. Primary group: Every user has exactly one primary group. For local user, the primary group is defined by the GID number of the group listed in the fourth field of

/etc/passwd

2. Supplementary group: User may be a member of zero or more supplementary

Groups. The user that are supplementary member of local groups are listed in the last field of the group entry in /etc/group

/etc/gshadow

1.Name 2.Hashing Algorithm 3.Salt hash 4. Salt+Hash = Encrypted password 5 Kept empty for future use 6 Kept empty for future use Question: Can we run sudo privileges commands or assigned user to any other group to normal user temporarily ? Yes we can, by assigning password to sudo group. The steps are given below:

1. Assigning password for sudo group.

#gpasswd sudo 2. Log in into other user account. #su ­ bipul 3. Use newgrp <groupName> #newgrp sudo 4. Now run any root privileges command or task for specific group. #sudo useradd lucy 5. To come out from group use exit. Exit

Managing Local Group Accounts Creating a group from next available GID from the range specified in the /etc/login.defs file with groupadd

#groupadd admin #groupadd ­g 700 db1

Modifying the existing groups with groupmod The groupmod command is used to change a group name to a GID mapping. The ­n option is used to specify a new name ­g option to specify a new GID

#groupmod ­n db1 db #groupmod ­g 700 db2

Deleting a group with groupdel To remove group we use groupdel command.

#groupdel db2 NOTE: A group may not be removed if it is a primary group of an existing user.

Mail me your query bipul.opensource@gmail.com