Ch11

338 views

Published on

Published in: Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
338
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
11
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Ch11

  1. 1. Chapter 11: Managing UsersThe Complete Guide to Linux System Administration
  2. 2. Objectives• Create and manage user accounts• Manage complex file permissions• Review advanced user security issuesThe Complete Guide to Linux System Administration 2
  3. 3. Creating and Managing User Accounts• Process of creating new user accounts – Add default files to be part of every user’s home directory to /etc/skel directory – Create home directory for all users – Configure default settings for all users – Create groups – Create user account for each person – Create valid password for each userThe Complete Guide to Linux System Administration 3
  4. 4. Managing User Accounts Graphically• /etc/passwd file defines user accounts, including: – User name – Comment field – Password – User’s home directory – UID – User’s default shell – GID• vipw command edits /etc/passwd file• passwd command defines passwordThe Complete Guide to Linux System Administration 4
  5. 5. Managing User Accounts Graphically (continued)• Utilities to create new user accounts – Graphical tools – Command-line utilities• system-config-users utility – Red Hat graphical user account creation tool – Information from /etc/passwd file shown in window – Can edit each fields – Edit password information stored in /etc/shadowThe Complete Guide to Linux System Administration 5
  6. 6. Managing User Accounts Graphically (continued)The Complete Guide to Linux System Administration 6
  7. 7. Managing User Accounts Graphically (continued)• User Properties dialog, User Data tab – User name – Full name – Password and confirm password – Home directory – Login shell• User Properties dialog, Account Info tab – Enable account expiration – Lock local passwordThe Complete Guide to Linux System Administration 7
  8. 8. Managing User Accounts Graphically (continued)• User Properties dialog, Password Info tab – View when user last changed password – Enable password expiration• Experts recommend changing password every 30 to 60 days• User Properties dialog, Groups tab – Lists groups from /etc/group file – Each user assigned primary groupThe Complete Guide to Linux System Administration 8
  9. 9. Managing User Accounts Graphically (continued)• User private group model – Used by Red Hat Linux and Fedora – User’s primary group has same name as user – Contains only user as member• Create new user – system-config-users utility – Add User button – Enter information on dialog – Utility creates home directory based on user nameThe Complete Guide to Linux System Administration 9
  10. 10. Managing User Accounts Graphically (continued)• /etc/login.defs file – Stores settings used to create new users – Comments describe settings• Create new group – Click Add Group button – Enter group nameThe Complete Guide to Linux System Administration 10
  11. 11. Managing User Accounts Graphically (continued)• Delete user – Select user name on Users tab – Click delete button – Some administrators prefer to permanently disable, not deleteThe Complete Guide to Linux System Administration 11
  12. 12. Creating New Users at the Command Line• useradd utility – Create new users – Must be logged in as root – Example: useradd -g sales -c “Raley Solomon" rsolomon – -D option displays the default settings – Edit /etc/default/useradd to change defaultsThe Complete Guide to Linux System Administration 12
  13. 13. Creating New Users at the Command Line (continued)• passwd command – Change user’s password – Lock user account: passwd -l thomas – Unlock account: passwd -u thomasThe Complete Guide to Linux System Administration 13
  14. 14. Creating New Groups• groupadd command – Preferred method for adding new group – Example: groupadd managersThe Complete Guide to Linux System Administration 14
  15. 15. Modifying User and Group Accounts at the Command Line• usermod command – Modify user account – Uses same options as useradd command• groupmod command – Modify group – -g option: change GID – -n option: change nameThe Complete Guide to Linux System Administration 15
  16. 16. Modifying User and Group Accounts at the Command Line (continued)• grpck command – Check integrity of /etc/group and /etc/gshadow files – Uses no parameters• chage command – Alter password aging information – View password expiration – Change aging for user – Interactive modeThe Complete Guide to Linux System Administration 16
  17. 17. Modifying User and Group Accounts at the Command Line (continued)• pwconv utility converts older /etc/passwd password storage to /etc/shadow password storage• pwunconv utility converts existing /etc/shadow passwords to older /etc/passwd system for compatibility• pwck command shows formatting errors that make accounts unusableThe Complete Guide to Linux System Administration 17
  18. 18. Automating Home Directory Creation• Files in /etc/skel automatically copied into each user’s home directory – At time account created – Includes hidden configuration files – Files not added to existing user home directoriesThe Complete Guide to Linux System Administration 18
  19. 19. Disabling User Accounts• Temporarily disable user’s account – Change password • passwd command – passwd -l [username] to lock account – Edit /etc/shadow file in text editor • Place asterisk before encrypted password – Place # at beginning of line for user account in /etc/passwd • Make line into commentThe Complete Guide to Linux System Administration 19
  20. 20. Disabling User Accounts (continued)• userdel command – Delete user account permanently – Does not remove user’s home directory or contents• groupdel command – Remove group – Be careful deleting groupsThe Complete Guide to Linux System Administration 20
  21. 21. Complex File Permissions• Sticky bit – Directory can only be renamed or unlinked by • User that owns it • root – Often used on directories all users should be able to create files such as /tmp – To set: chmod a+t /tmpThe Complete Guide to Linux System Administration 21
  22. 22. Complex File Permissions (continued)• Set user ID permission – SUID – Can be added to file that has execute permission set – Causes user who executes file to take on file permissions of owner of file – Very useful for few specialized programs – To set: chmod u+s fileThe Complete Guide to Linux System Administration 22
  23. 23. Complex File Permissions (continued)• Permissions not always what they seem at first• Set group ID permission – SGID – Person who executes program has permissions of file’s group while executing program – To set: chmod g+s file – Can also be set numericallyThe Complete Guide to Linux System Administration 23
  24. 24. Complex File Permissions (continued)• SGID set on directory – Any file created within directory assigned to group of directory• Permissions examined in order – Owner first – Group second – Others third – Can deny group permission without users having other permissionThe Complete Guide to Linux System Administration 24
  25. 25. User Security Issues• Other ways of securing Linux – Additional communications – User security mechanismsThe Complete Guide to Linux System Administration 25
  26. 26. Communicating with Users• /etc/motd file – Contents displayed just before shell is started each time user logs in – “Message of the day” – Does not appear unless: • User opens command line • Or logs in at text-mode consoleThe Complete Guide to Linux System Administration 26
  27. 27. Communicating with Users (continued)• wall command – Write all – Communicate immediate message to all users who are logged in to system – Displays broadcast message on command line for all users • Working in text mode • Or with open terminal windowThe Complete Guide to Linux System Administration 27
  28. 28. Communicating with Users (continued)• fuser command – Learn about what users are doing – View users accessing • File system • Serial port • Network connection – -k option kills processesThe Complete Guide to Linux System Administration 28
  29. 29. Granting Limited Root Access• sudo command – Assign root privileges to any user account – User can execute just programs that sudo configuration specifies• /etc/sudoers configuration file – Syntax can be very complex – Basic format: user host = command_listThe Complete Guide to Linux System Administration 29
  30. 30. Granting Limited Root Access (continued)• /etc/sudoers configuration file – Can define aliases for: • Collection of users • Collection of hosts • Collection of programs • Set of sudo options• visudo program edits /etc/sudoers file• System administrator must hand out sudo power carefullyThe Complete Guide to Linux System Administration 30
  31. 31. Using Pluggable Authentication Modules• Pluggable authentication module (PAM) – Architecture and set of libraries – Programmer can create module to perform specific security-related function – System administrators can select, configure, and use one or more modules • Control operation of program that is aware of PAM capabilities – Configured by default for Red Hat LinuxThe Complete Guide to Linux System Administration 31
  32. 32. Using Pluggable Authentication Modules (continued)• To use PAM, select PAM modules for program• Configured using: – Single configuration file /etc/pam.conf – Series of configuration files in directory /etc/pam.d – Person compiling software selects which configuration style is usedThe Complete Guide to Linux System Administration 32
  33. 33. Using Pluggable Authentication Modules (continued)• Red Hat Linux and Fedora use directory configuration method• /etc/pam.d directory contains file with name matching program being configured• When PAM-compatible program executed, checks to see which applicable modules are configured for given task• Stacked modules – Multiple modules are listed for module typeThe Complete Guide to Linux System Administration 33
  34. 34. Using Pluggable Authentication Modules (continued)• control_flag element – Determines how PAM processes stacked modules – Has two formsThe Complete Guide to Linux System Administration 34
  35. 35. Using Network Information Service• Network Information Service (NIS) – Lets system administrator manage single set of configuration files for multiple Linux servers – Sometimes called yellow pages service or yp• When user logs in, server contacts NIS server to see if user has valid user accountThe Complete Guide to Linux System Administration 35
  36. 36. Using Network Information Service (continued)• NIS+ or NISplus – More recent version of NIS• authconfig program – Set up system to use NIS server• /etc/nsswitch.conf file – Instructs various system programs in Linux on where to look for configuration information – Often includes multiple optionsThe Complete Guide to Linux System Administration 36
  37. 37. Summary• User accounts can be managed graphically• useradd command creates user accounts on the command line• usermod command modifies existing user accounts• User accounts can be disabled using various methodsThe Complete Guide to Linux System Administration 37
  38. 38. Summary (continued)• SUID and SGID permissions cause user to assume permissions of owner of executable file when program is executed• Sticky bit and other special file permissions allow administrators to control shared files• Administrators can broadcast messages to users• sudo program lets regular users perform tasks that require root privilegesThe Complete Guide to Linux System Administration 38
  39. 39. Summary (continued)• PAMs provide flexible and powerful way for system administrators to configure exactly how user security is handled• NIS or NIS+ server – Multiple systems can share user filesThe Complete Guide to Linux System Administration 39

×