Announcement

Collapse
No announcement yet.

Linux user administration

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Linux user administration

    Code:
    /etc/passwd
    The file where system user account definition is done is /etc/passwd. This file has the following structure :

    Code:
    $ cat /etc/passwd
    ...
    username:x:500:500:Some comments:/home/username:/bin/bash
    ...

    username
    The system account username . It should not start with a number or include uppercase letters.

    x
    The password. An x points to /etc/shadow for the password. An * means the account is disabled. A random group of letters and numbers represents the encrypted password.

    500
    The user ID (UID) for that user.

    500
    The group ID (GID) associated with that user.

    Some comments
    Any information can be used in this field.

    /home/username
    By default, RHEL places new home directories in /home/username.

    /bin/bash
    Default user shell.

    In order add/delete users to the system this file can be edited directly with vipw or using useradd/userdel commands as described in next sections.
    /etc/group

    The file where system group account definition is done is /etc/group. This file has the following structure :


    Code:
    $ cat /etc/group
    ...
    groupname:x:500:user1,user2
    ...

    groupname
    The system account groupname user gets his own group. By default when a user is created is related to a group with groupname equal to username.

    x
    The group password password. An x points to /etc/gshadow for the password. As user password on /etc/passwd random group of letters and numbers represents the encrypted password.

    500
    The group ID (GID) associated with user.

    user1,user2
    Lists of users that belong to the group. If it's blank means that there is a username that is identical to the groupname.

    In order add/delete groups to the system this file can be edited directly with vigr or using useradd/userdel commands as described in next sections.
    /etc/shadow

    The /etc/passwd file is can be read for every user on the system so include the encrypted password there is not a good idea. For this reason the file /etc/shadow accessible to root only is used to store the encrypted password :
    Code:
    $ cat /etc/shadow
    ...
    username:$1sdsew$td%wqee@132ewSDADdsa:14860:0:99999:7:::
    ...

    username
    Username shadow entry, it is related with 'username' account on /etc/passwd.

    $1sdsew$td%wqee@132ewSDADdsa
    Encrypted password. An x in the second column of /etc/passwd means that the encrypted password is stored here.

    14860
    Last password change date, in Linux epoch number of days: number of days after January 1, 1970.

    0
    The value of 0 here means that this user can keep this password forever.

    99999
    The system will ask to username to change his password after 99999 days since account creation.

    ::
    This value means the number of days before password expiration when a warning is given, in this case none.

    ::
    It sets the number of days after password expiration when an account is made inactive, in this case none.

    ::
    This value means the number of days after password expiration when an account is disabled, in this case none.
    Adding user account

    When a user account needs to be added to the system the command useradd must be used :
    Code:
    $ useradd -u 600 -c "Test add user" -d /home/john -s /bin/bash john
    With this command we have created the user account 'john' with UID=600 which home directory in /home/john and default shell bash. By default the user is assigned to a new created group 'john' with GID=600. This value can be changed using the -g option.

    Code:
    $ cat /etc/passwd
    ...
    john:x:600:600:Test add user:/home/john:/bin/bash
    Next step must be create a password to 'john' account with the command '$ passwd john'
    Deleting user account

    When a user account needs to be removed in the system the command userdel must be used :

    Code:
    $ userdel -r john
    With this command all information about 'john' account is removed on the system, including all /home/john directory and mail spool files.

    Modifying user account

    In order to change the parameters of an existing account the commands usermod and/or chage can be used :
    Code:
    $ usermod -e 2012-10-08 john
    Sets the expiration account day for user 'john' to 2012-10-08
    
    $ usermod -G sales john
    Sets 'john' account group ownership to 'sales' group.
    
    $ chage -E -1 john
    Removes any account expiration date for user 'john'
    User profile
    By default when a user account is created some environment files stored in /etc/skel are copied to the user home directory. Any changes applied to this files on /etc/skel directory are propagated to the new users home directories.

    .bashrc
    This file points to the general /etc/bashrc configuration file. It normally includes the commands to be run bash shell is started.

    .bash_logout
    This file is executed when the user exits a bash shell. It normally includes commands for clearing screen, umount partitions, etc.

    .bash_profile
    It is the bash startup environment where environment variables as PATH and LIB_PATH are configured.

    The system-wide shell configuration files are stored in /etc/bashrc and /etc/profile. These files configure the default system-wide umask value for default file creation permission, the default prompt display, the system-wide PATH, aliases, etc.
    Switch accounts with 'su'

    The 'su' commands allows the change between users accounts without logout :
    Code:
    $ su - john
    Password:
    john-$
    It also allows to execute some command/script as another user after authentication without changing the user account :
    Code:
    john-$ su cate -c id
    Password:
    uid=501(cate) gid=502(cate) groups=502(cate) context=user_u:system_r:unconfined_t
    Without changing user john account we have executed the 'id' command as 'cate' user after typing cate password
    Execute a command as another user with 'sudo'

    A most powerful way to execute process as another user than 'su -c' is the sudo command. The file /etc/sudoers accessible with visudo command controls how sudo is executed.

    The sudoers file format looks like:

    user host = (userl) command

    * user is the username or groupname to which the rule applies
    * host is a list of hosts where the rule applies
    * userl is the user that this rule can be run as. If it is not specified sudo run the command as root user
    * command is the command/s that can be run as userl from user account

    The parameters host, userl and command can be replaced with the ALL, meaning unrestricted access for this parameter. The parameter NOPASSWD after userl means that no passowrd authentication is required on sudo execution.
    Sudo examples

    %john ALL=(cate) /usr/bin/id


    Code:
    john-$ sudo -u cate id
    [sudo] password for john:
    uid=502(cate) gid=503(cate) groups=503(cate) context=user_u:system_r:unconfined_t
    Without changing user john account we have executed the 'id' command as 'cate' user after typing john password. Note the difference with the 'su' command, with sudo you do not need to know the user password to run a process as that user.

    %john ALL=(cate)NOPASSWD: /usr/bin/id

    Code:
    john-$ sudo -u cate id
    
    uid=502(cate) gid=503(cate) groups=503(cate) context=user_u:system_r:unconfined_t
    The same as before without typing any password

    %john ALL=NOPASSWD: /bin/mount, /bin/umount

    Code:
    john-$ sudo mount /dev/sda1 /mnt
    User john can execute mount/umount (only root can run these commands) as root without typing any password. Note that no userl is specified the sudo execution is done as root.

    SUID

    The Set User ID permission changes the effective user ID permission to the owner file user ID in the file execution. It allows run a command/script as the owner´s file. In this case the permission is set up on the standard file permission with the chmod u+s command. One common example is the passwd command that allow system users change their password without being root on the system :
    Code:
    $ ls -lrt /usr/bin/passwd
    -rwsr-xr-x 1 root root 22960 jul 17 2006 /usr/bin/passwd
    The 's' on the user permission field means that this when a system user like 'john' will run this command it will be executed with the effective owner file user ID root which has the right permissions to modify the /etc/shadow file in order to change 'john' password.
    SGID

    The Set Group ID permission changes the effective group ID permission to the owner file group ID in the file execution. It allows share files between users in the same group. As the SUID the permission is set up on the standard group directory using the command chmod g+s command:

    Code:
    $ groupadd admin
    Create a new system group called admin.


    Code:
    $ usermod -G admin -a mike
    $ usermod -G admin -a cate
    $ usermod -G admin -a john
    Add users john, cate and mike to 'admin' group.

    Code:
    $ mkdir /home/admin
    Create the shared directory '/home/admin'.

    Code:
    $ chown nobody:admin /home/admin
    Change the shared directory group ownership to 'admin'.
    Code:
    $ chmod 770 /home/admin
    Only group 'admin' has access to the shared directory '/home/admin'.
    Code:
    $ chmod g+s /home/admin
    $ ls -lrt /home/ | grep admin drwxrws--- 2 nobody admin 4096 oct 30 08:51 admin
    Set the group bit to the shared directory '/home/admin', the 's' in the group permission field. Now the files created on /home/admin automatically inherits 'admin' group ID so all 'admin' group members (john ,cate and mike) can access rw directly to all the files on the shared /home/admin group directory without changing any permission.

    STICKY DIRECTORY

    The sticky permission ('t' on others permission field) allows to remove files only to the owner in 777 directories as /tmp. Thanks to the sticky permission on /tmp everybody can create/remove files but only the owner of the file can remove it. As previous examples the permission is applied on the directory with the chmod o+t command :


    Code:
    $ chmod o+t /tmp
    $ ls -lrt / | grep tmp
    drwxrwxrwt 93 root root 4096 oct 30 08:55 tmp
    
    $ su - john
    john-$ ls -lrt /tmp/cate
    -rwxrwxrwx 1 cate cate 0 oct 30 08:55 cate
    john-$ rm /tmp/cate
    rm: can not remove «cate»: Permision denied
    The file /tmp/cate has 777 permision so everybody can remove it, but the directory that contains the file /tmp has the sticky bit set so only the file owner ('cate') can remove /tmp/cate.
    Last edited by kuldeep; 02-22-2015, 12:11 AM.
Working...
X