SlideShare a Scribd company logo

ManagingLocalLinuxUsersandGroups(2)

B
Bipul Kumar

The document discusses managing local Linux users and groups. It explains the role of users and groups on a Linux system and how they are understood by the computer. It describes different types of users like root, pseudo, system and normal users. It also discusses commands to switch users, view user details, administer users using sudo, and understand password and shadow files. Finally, it covers creating, modifying and deleting local user and group accounts and locking accounts.

1 of 14
Download to read offline
Managing Local Linux Users and Groups   Objectives:  ● Explain the role of users and groups on a linux system and how  they are understood by the computer.  ● Run commands as the superuser to administer a linux system.  ● Create,modify,lock and delete locally defined user accounts.  ● Create,modify, and delete locally defined group accounts.  ● Lock accounts manually or by setting a password­aging policy in the shadow  password files.  Sections  1. Users  Types of user  Switching users with su command & id for user details  Sudo command & /etc/sudoers file.  Understanding /etc/passwd & /etc/shadow file.  password hash   Managing Local User Accounts using ​useradd​,​usermod,userdel,id,passwd  2. Groups  Understanding /etc/group and /etc/gshadow file  Managing Local Group Accounts  Managing  group password.                                  ​Author Bipul kumar                                 
User:  Every process(running program) on the system runs as particular user.                    Every file is owned by a particular user.  Types of user  In general there are four types of user:  ●  Root user i.e 0  ●  Pseudo User  ●  System user   ●  Other user    Root user i.e 0 :   Root user have power to override normal privileges on the file system and  is used to manage and administer the system. In short it has power to  damage the system, remove files and directories, remove user and  accounts, add backdoors.      Pseudo User:  Normal user with special privilege to execute any command as a root user.    System user:  A system user is created default by OS during installation time or when you                            installed any packages and it runs as daemons in background. Ubuntu it’s                        range start from 100 ­ 999  Source /etc/adduser.conf      Other user:  Other users are created by root or sudo users. It has a limited access on                              the system.In Ubuntu it’s range start from 1000 ­ 29999. Source                      /etc/adduser.conf     
Switching users with su command & id for user details  ● su ­ ​Commands allows a user to switch to different user account.  su  ­  <username>  The command su <username> starts a non­login shell  su ­ <username> start login shell.  ● The main distinction is su ­ sets up the shell environment as if this                            were a clean login as that user, while su just starts a shell as that                              user with current environment settings.    ● ​id ​command is used to show information about the current logged­in                        user.  $id  #​Current logged in user  $id lucy #​Other account        ● To view the user associated with a file or directory use the  $ls ­l    ● To view process information, use the​ ps​ command and add ​a ​option  to  view all process with a terminal. To view the user associated with  a process include the ​u​ option.   $ps au       
sudo command & /etc/sudoers file.  1. The ​sudo ​command allows a user to be permitted to run command                        as root, or as another user, based on setting in the ​/etc/sudoers  2. sudo  requires users to enter their own password for authentication.  3. In ubuntu member of group admin can use sudo to run commands as                          any user, including root. Similar in Fedora/Redhat wheel group.  4. All command executed by sudo users are logged in ​ /var/log/secure  5. We use ​visudo ​command to edit ​/etc/sudoers​ file.    /etc/sudoers Files  # This file MUST be edited with the 'visudo' command as root.  # Cmnd alias specification  # User privilege specification  root ALL  =   (ALL:ALL) ALL    ALL    All terminal =   All Console =    All command  # Members of the admin group may gain root privileges  %admin ALL=(ALL) ALL    # Allow members of group sudo to execute any command  %sudo   ALL=(ALL:ALL) ALL       # See sudoers(5) for more information on "#include" directives:  #includedir /etc/sudoers.d    Question : Can we run any single /sbin command or root privileges                        command  though normal user?  Yes we can, let’s take an example ​adduser ​command  1. Login into the root account or sudo account  2. Create a normal user with password.  3. Go the the line number 20, and  edit the line with   lucy ALL=(ALL) /usr/sbin/adduser        4.  Now login into the lucy account, and you are done.   
Question: Can we run any single /sbin command or root privileges                      command without password authentication?   ​Yes we can, through following steps  1. Go to the below line root ALL = (ALL:ALL) ALL ALL and edit the                            line with ​lucy  ALL=(ALL)  NOPASSWD:ALL        2. Now login into the lucy account , and your are done.  Question: Can we create user manually?  Yes, we can    1. Open a file ​/etc/passwd via any file editor. And update the last line                          with following way​ vipul:x:2006:2009::/home/vipul:/bin/sh  2. Same open file ​/etc/group​ and update in last line ​vipul:x:2009:  3. Run ​pwck ​and ​grpck ​in ​verifies the integrity of the users and                        authentication information.  4. Reset the password through encrypted   #echo YourPassword | openssl passwd ­1 ­stdin  #usermod ­p <copy of encrypted text>   vipul      You are done.                                   
Understanding /etc/passwd & /etc/shadow file.    A system uses simple flat file that is ​/etc/passwd file to store information                          about local users. The format of /etc/passwd follows seven colons                    separated fields.        The format of ​/etc/passwd​ follows(Seven colon separated fields)  1 username:2 password:3 UID:4 GID:5 GECOS:6 /home/dir:7 shell    1. Username: ​It is a mapping of a UID to a name for the benefit of human                                    users.  2. Password: ​Historically, a password where kept in an encrypted                      format          Today they are kept in separate file called ​/etc/shadow  3. UID: ​It is a user ID, a number that identifies the user at the most                                  fundamental level.    ​ 4.   GID:​ It is the user ‘s primary group ID number.     5.   GECOS ​It is arbitrary text, which includes user details and real name.  ​6​. /home/dir ​It is the location of users personal data and configuration                            files.      ​7.  Shell ​It is a program that runs as the user logs in. For a regular user,  this is the normally the program that provides the users command                        line prompt.         
  /etc/shadow file.    In older days, encrypted passwords were stored in readable ​/etc/passwd                    file. But due to security flaws, the encrypted passwords or password                      hashes is moved to ​/etc/shadow file. Which also allow password aging and                        expiration features to be implemented.  The format of ​/etc/shadow​ follows(nine colon­separated fields)      1. Name  This must be a valid account name of the system.  2. Password ​It is in encrypted format, if it start with ! mark means it’s                            locked.  3. Lastchange ​The date at which last password changed.  4. Minage     ​Minimum number of days before password may changed.  5. Maxage    ​Maximum number of days before password must change.  6. Warning ​Warning period at which password expired. 0 means no                    warning given.   7. Inactive The number of days an account remains active after                    password has expired. A user may log into the system and change                        his password. After that specified number of days, the account is                      locked, becoming inactive.  8. Expire ​The account expiration date  9. Blank: ​It is used for future use.     
  Managing user password / Password hash    In older days, encrypted passwords were stored in world­readable                  /etc/passwd file.But due to security concern, the encrypted password or                    password hashes were moved to more secure ​/etc/shadow file. Which also                      allow password aging and expiration features to be implemented.    When a user tries to login , the system looks up the entry for the user in                                  /etc/shadow​.  It combines the salt value and plain password you enter, and encrypt them                          with hashing algorithm. If the result matches with store encrypted hash at                        /etc/shadow then successful login into the system, otherwise authentication                  get failed.    There are three pieces of information stored in a modern password hash.  1. Hashing algorithm.  2. Hash Salt .  3. Encrypted hash.  $6$AmdWnEdR$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwF nR7FPB5.    ● $6  ​It has SHA­512 hashing algorithm.  ● $AmdWnEdR ​Salt value which is combined with password to                  increase hash strength.  ● $c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.  : ​It’s your password + salt value in encrypted format to make it                          Encrypted hash.  Source ​#Shadow_file           
    Managing Local User Accounts using  useradd/adduser,usermod, userdel, id,passwd,gpasswd  To create  user account on Linux system, we use adduser(Debian) or  useradd (Fedora).   #adduser <User>  #useradd ­u 7777 ­g bipul ­G root ­d /home/bipul ­S /bin/bash ­c                        “dba”  bipul  Make useradd command changes from here ​/etc/default/useradd  #for i in user{1..9};do adduser $i; done  Deleting user  #userdel   ­r    <User>  #for i in user{1..9};do userdel ­r $i; done  Creating/Updating password for user.We use passwd  #passwd  <User>  #echo “hacker” | passwd    ­­stdin   <user>  Locking the password for user  #passwd   ­l   <User>  To unlock the password  #Passwd   ­u   <User>  To check the status of the password  #passwd   ­S   <User>  To delete the password  #passwd   ­d    <User>  To modify a user account we use ​usermod​ command.  To change the password without passwd command  #encrypted=(echo "newpassword" | openssl passwd ­1 ­stdin);sudo              usermod ­p $encrypted  To lock the user account  #usermod   ­L   <User>  To Unlock the user account.  #usermod   ­U   <User> 
Assigning a primary group.  #usermod   ­g   admin   bipul  Assigning a secondary group.  #usermod   ­G   samba   bipul  Assigning more then one secondary group  #usermod   ­aG  dba  bipul  Remove secondary group dba from bipul  #gpasswd  ­d dba bipul                                                           
        Groups   Like user, group have name and number and it is divided into two parts:  1. Primary group.  2. Secondary group.    Understanding /etc/group and /etc/gshadow file    Local group or primary groups are defined in ​/etc/group            1​ groupname​: 2 ​password​:3 ​GID​:4 ​List of user in the group    1. Primary group: Every user has exactly one primary group. For local                        user, the primary group is defined by the GID number of the group listed in                              the fourth field of   /etc/passwd     2. Supplementary group:​ User may be a member of zero or more  supplementary   
Groups. The user that are supplementary member of local groups are  listed in the last field of the group entry in ​/etc/group         /etc/gshadow      1.Name  2.Hashing Algorithm  3.Salt hash  4. Salt+Hash = Encrypted password  5 Kept empty for future use  6 Kept empty for future use    Question:  Can we run sudo privileges commands or assigned user to any other  group to normal user temporarily ?  Yes we can, by assigning password to sudo group. The steps are given  below:  1. Assigning password for sudo group. 
● #gpasswd  sudo  2. Log in into other user account.  ● #su  ­  bipul  3. Use newgrp <groupName>  ● #newgrp  sudo  4. Now run any root privileges command or task for specific group.  ● #sudo  useradd  lucy  5. To come out from group use exit.  ● Exit      Managing Local Group Accounts  Creating a group from next available GID from the range specified in the  /etc/login.defs file with ​groupadd  ● #groupadd  admin  ● #groupadd  ­g  700  db1    Modifying the existing groups with ​groupmod  The groupmod command is used to change a group name to a GID  mapping. The ​­n​ option is used to specify a new name ​­g​ option to specify  a new GID  ● #groupmod   ­n   db1   db  ● #groupmod   ­g  700  db2   Deleting a group with ​groupdel  To remove group we use groupdel command.   ● #groupdel   db2  NOTE: A group may not be removed if it is a primary group of an existing  user. 
  Mail me your query​ bipul.opensource@gmail.com                       

Recommended

Linux Security
Linux SecurityLinux Security
Linux SecurityMahdi Cherif
 
Edubooktraining
EdubooktrainingEdubooktraining
Edubooktrainingnorhloudspeaker
 
A bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AESA bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AEScgvwzq
 
шпехт артур+консультант+все люди
шпехт артур+консультант+все людишпехт артур+консультант+все люди
шпехт артур+консультант+все людиАртур Шпехт
 
Sinteze şi Dezbateri de Politică Externă Nr.11 (116), Noiembrie 2015
Sinteze şi Dezbateri de Politică Externă Nr.11 (116), Noiembrie 2015Sinteze şi Dezbateri de Politică Externă Nr.11 (116), Noiembrie 2015
Sinteze şi Dezbateri de Politică Externă Nr.11 (116), Noiembrie 2015Lina Grau
 
шпехт артур+повар+все люди
шпехт артур+повар+все людишпехт артур+повар+все люди
шпехт артур+повар+все людиАртур Шпехт
 
Strup & Strup Corporate Communication Brand Journalism
Strup & Strup Corporate Communication Brand JournalismStrup & Strup Corporate Communication Brand Journalism
Strup & Strup Corporate Communication Brand JournalismJeannette Refstrup
 
Port Folio_Sufia Taher-Practical work
Port Folio_Sufia Taher-Practical workPort Folio_Sufia Taher-Practical work
Port Folio_Sufia Taher-Practical workSufia Taher
 

Recommended

Linux Security
Linux SecurityLinux Security
Linux SecurityMahdi Cherif
 
Edubooktraining
EdubooktrainingEdubooktraining
Edubooktrainingnorhloudspeaker
 
A bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AESA bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AEScgvwzq
 
шпехт артур+консультант+все люди
шпехт артур+консультант+все людишпехт артур+консультант+все люди
шпехт артур+консультант+все людиАртур Шпехт
 
Sinteze şi Dezbateri de Politică Externă Nr.11 (116), Noiembrie 2015
Sinteze şi Dezbateri de Politică Externă Nr.11 (116), Noiembrie 2015Sinteze şi Dezbateri de Politică Externă Nr.11 (116), Noiembrie 2015
Sinteze şi Dezbateri de Politică Externă Nr.11 (116), Noiembrie 2015Lina Grau
 
шпехт артур+повар+все люди
шпехт артур+повар+все людишпехт артур+повар+все люди
шпехт артур+повар+все людиАртур Шпехт
 
Strup & Strup Corporate Communication Brand Journalism
Strup & Strup Corporate Communication Brand JournalismStrup & Strup Corporate Communication Brand Journalism
Strup & Strup Corporate Communication Brand JournalismJeannette Refstrup
 
Port Folio_Sufia Taher-Practical work
Port Folio_Sufia Taher-Practical workPort Folio_Sufia Taher-Practical work
Port Folio_Sufia Taher-Practical workSufia Taher
 
El lince ibérico
El lince ibéricoEl lince ibérico
El lince ibéricoAndré García Conde
 
sed(1)
sed(1)sed(1)
sed(1)Bipul Kumar
 
Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...
Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...
Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...Lina Grau
 
ACLs
ACLsACLs
ACLsBipul Kumar
 
1 sistema endócrino
1 sistema endócrino1 sistema endócrino
1 sistema endócrinoVirgínia Rodirgues
 
ahmed lotfi cv final
ahmed lotfi cv finalahmed lotfi cv final
ahmed lotfi cv finalahmed lotfi
 
шпехт артур+интернет резерв+все люди
шпехт артур+интернет резерв+все людишпехт артур+интернет резерв+все люди
шпехт артур+интернет резерв+все людиАртур Шпехт
 
Power Point Imagen Y video
Power Point Imagen Y videoPower Point Imagen Y video
Power Point Imagen Y videoyismariherrera
 
ECM BY KP - Copy
ECM BY KP - CopyECM BY KP - Copy
ECM BY KP - CopyKrishna Prasad JP
 
MEJB_HR_Joanna Harrop
MEJB_HR_Joanna HarropMEJB_HR_Joanna Harrop
MEJB_HR_Joanna HarropJoanna Harrop
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShareSlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShareSlideShare
 
Getting Started With SlideShare
Getting Started With SlideShareGetting Started With SlideShare
Getting Started With SlideShareSlideShare
 
With respect to the security aspects of Linux- answer the following qu.docx
With respect to the security aspects of Linux- answer the following qu.docxWith respect to the security aspects of Linux- answer the following qu.docx
With respect to the security aspects of Linux- answer the following qu.docxSUKHI5
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurityricharddxd
 
User and group administration in Linux
User and group administration in LinuxUser and group administration in Linux
User and group administration in LinuxMohammed Yazdani
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014Nabil Munawar
 
sun solaris
sun solarissun solaris
sun solarisAshis Das (CSE,MBA,RHCSA,RHCE)
 
06 users groups_and_permissions
06 users groups_and_permissions06 users groups_and_permissions
06 users groups_and_permissionsShay Cohen
 
Users and groups in Linux
Users and groups in LinuxUsers and groups in Linux
Users and groups in LinuxKnoldus Inc.
 
User management
User managementUser management
User managementMufaddal Haidermota
 

More Related Content

Viewers also liked

Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...
Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...
Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...Lina Grau
 
ahmed lotfi cv final
ahmed lotfi cv finalahmed lotfi cv final
ahmed lotfi cv finalahmed lotfi
 
шпехт артур+интернет резерв+все люди
шпехт артур+интернет резерв+все людишпехт артур+интернет резерв+все люди
шпехт артур+интернет резерв+все людиАртур Шпехт
 
Power Point Imagen Y video
Power Point Imagen Y videoPower Point Imagen Y video
Power Point Imagen Y videoyismariherrera
 
MEJB_HR_Joanna Harrop
MEJB_HR_Joanna HarropMEJB_HR_Joanna Harrop
MEJB_HR_Joanna HarropJoanna Harrop
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShareSlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShareSlideShare
 
Getting Started With SlideShare
Getting Started With SlideShareGetting Started With SlideShare
Getting Started With SlideShareSlideShare
 

Viewers also liked (13)

El lince ibérico
El lince ibéricoEl lince ibérico
El lince ibérico
 
sed(1)
sed(1)sed(1)
sed(1)
 
Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...
Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...
Republica Moldova după primul tur al alegerilor prezidențialeSinteze si Dezba...
 
ACLs
ACLsACLs
ACLs
 
1 sistema endócrino
1 sistema endócrino1 sistema endócrino
1 sistema endócrino
 
ahmed lotfi cv final
ahmed lotfi cv finalahmed lotfi cv final
ahmed lotfi cv final
 
шпехт артур+интернет резерв+все люди
шпехт артур+интернет резерв+все людишпехт артур+интернет резерв+все люди
шпехт артур+интернет резерв+все люди
 
Power Point Imagen Y video
Power Point Imagen Y videoPower Point Imagen Y video
Power Point Imagen Y video
 
ECM BY KP - Copy
ECM BY KP - CopyECM BY KP - Copy
ECM BY KP - Copy
 
MEJB_HR_Joanna Harrop
MEJB_HR_Joanna HarropMEJB_HR_Joanna Harrop
MEJB_HR_Joanna Harrop
 
2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare2015 Upload Campaigns Calendar - SlideShare
2015 Upload Campaigns Calendar - SlideShare
 
What to Upload to SlideShare
What to Upload to SlideShareWhat to Upload to SlideShare
What to Upload to SlideShare
 
Getting Started With SlideShare
Getting Started With SlideShareGetting Started With SlideShare
Getting Started With SlideShare
 

Similar to ManagingLocalLinuxUsersandGroups(2)

With respect to the security aspects of Linux- answer the following qu.docx
With respect to the security aspects of Linux- answer the following qu.docxWith respect to the security aspects of Linux- answer the following qu.docx
With respect to the security aspects of Linux- answer the following qu.docxSUKHI5
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurityricharddxd
 
User and group administration in Linux
User and group administration in LinuxUser and group administration in Linux
User and group administration in LinuxMohammed Yazdani
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014Nabil Munawar
 
06 users groups_and_permissions
06 users groups_and_permissions06 users groups_and_permissions
06 users groups_and_permissionsShay Cohen
 
Users and groups in Linux
Users and groups in LinuxUsers and groups in Linux
Users and groups in LinuxKnoldus Inc.
 
File permission in Linux
File permission in LinuxFile permission in Linux
File permission in LinuxKrutikMandre1
 
The files etcpasswd and etcshadow can be manually edited. Why wo.pdf
The files etcpasswd and etcshadow can be manually edited. Why wo.pdfThe files etcpasswd and etcshadow can be manually edited. Why wo.pdf
The files etcpasswd and etcshadow can be manually edited. Why wo.pdflakshmijewellery
 
Building File Systems with FUSE
Building File Systems with FUSEBuilding File Systems with FUSE
Building File Systems with FUSEelliando dias
 

Similar to ManagingLocalLinuxUsersandGroups(2) (20)

With respect to the security aspects of Linux- answer the following qu.docx
With respect to the security aspects of Linux- answer the following qu.docxWith respect to the security aspects of Linux- answer the following qu.docx
With respect to the security aspects of Linux- answer the following qu.docx
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurity
 
User and group administration in Linux
User and group administration in LinuxUser and group administration in Linux
User and group administration in Linux
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
 
sun solaris
sun solarissun solaris
sun solaris
 
06 users groups_and_permissions
06 users groups_and_permissions06 users groups_and_permissions
06 users groups_and_permissions
 
Users and groups in Linux
Users and groups in LinuxUsers and groups in Linux
Users and groups in Linux
 
User management
User managementUser management
User management
 
Unix Administration 3
Unix Administration 3Unix Administration 3
Unix Administration 3
 
Sudo
SudoSudo
Sudo
 
Solaris basics
Solaris basicsSolaris basics
Solaris basics
 
File permission in Linux
File permission in LinuxFile permission in Linux
File permission in Linux
 
Presentation1
Presentation1Presentation1
Presentation1
 
Users and groups
Users and groupsUsers and groups
Users and groups
 
The files etcpasswd and etcshadow can be manually edited. Why wo.pdf
The files etcpasswd and etcshadow can be manually edited. Why wo.pdfThe files etcpasswd and etcshadow can be manually edited. Why wo.pdf
The files etcpasswd and etcshadow can be manually edited. Why wo.pdf
 
Host security
Host securityHost security
Host security
 
Host security
Host securityHost security
Host security
 
Building File Systems with FUSE
Building File Systems with FUSEBuilding File Systems with FUSE
Building File Systems with FUSE
 
Linux privesc.pptx
Linux privesc.pptxLinux privesc.pptx
Linux privesc.pptx
 

ManagingLocalLinuxUsersandGroups(2)

  • 1. Managing Local Linux Users and Groups   Objectives:  ● Explain the role of users and groups on a linux system and how  they are understood by the computer.  ● Run commands as the superuser to administer a linux system.  ● Create,modify,lock and delete locally defined user accounts.  ● Create,modify, and delete locally defined group accounts.  ● Lock accounts manually or by setting a password­aging policy in the shadow  password files.  Sections  1. Users  Types of user  Switching users with su command & id for user details  Sudo command & /etc/sudoers file.  Understanding /etc/passwd & /etc/shadow file.  password hash   Managing Local User Accounts using ​useradd​,​usermod,userdel,id,passwd  2. Groups  Understanding /etc/group and /etc/gshadow file  Managing Local Group Accounts  Managing  group password.                                  ​Author Bipul kumar                                 
  • 2. User:  Every process(running program) on the system runs as particular user.                    Every file is owned by a particular user.  Types of user  In general there are four types of user:  ●  Root user i.e 0  ●  Pseudo User  ●  System user   ●  Other user    Root user i.e 0 :   Root user have power to override normal privileges on the file system and  is used to manage and administer the system. In short it has power to  damage the system, remove files and directories, remove user and  accounts, add backdoors.      Pseudo User:  Normal user with special privilege to execute any command as a root user.    System user:  A system user is created default by OS during installation time or when you                            installed any packages and it runs as daemons in background. Ubuntu it’s                        range start from 100 ­ 999  Source /etc/adduser.conf      Other user:  Other users are created by root or sudo users. It has a limited access on                              the system.In Ubuntu it’s range start from 1000 ­ 29999. Source                      /etc/adduser.conf     
  • 3. Switching users with su command & id for user details  ● su ­ ​Commands allows a user to switch to different user account.  su  ­  <username>  The command su <username> starts a non­login shell  su ­ <username> start login shell.  ● The main distinction is su ­ sets up the shell environment as if this                            were a clean login as that user, while su just starts a shell as that                              user with current environment settings.    ● ​id ​command is used to show information about the current logged­in                        user.  $id  #​Current logged in user  $id lucy #​Other account        ● To view the user associated with a file or directory use the  $ls ­l    ● To view process information, use the​ ps​ command and add ​a ​option  to  view all process with a terminal. To view the user associated with  a process include the ​u​ option.   $ps au       
  • 4. sudo command & /etc/sudoers file.  1. The ​sudo ​command allows a user to be permitted to run command                        as root, or as another user, based on setting in the ​/etc/sudoers  2. sudo  requires users to enter their own password for authentication.  3. In ubuntu member of group admin can use sudo to run commands as                          any user, including root. Similar in Fedora/Redhat wheel group.  4. All command executed by sudo users are logged in ​ /var/log/secure  5. We use ​visudo ​command to edit ​/etc/sudoers​ file.    /etc/sudoers Files  # This file MUST be edited with the 'visudo' command as root.  # Cmnd alias specification  # User privilege specification  root ALL  =   (ALL:ALL) ALL    ALL    All terminal =   All Console =    All command  # Members of the admin group may gain root privileges  %admin ALL=(ALL) ALL    # Allow members of group sudo to execute any command  %sudo   ALL=(ALL:ALL) ALL       # See sudoers(5) for more information on "#include" directives:  #includedir /etc/sudoers.d    Question : Can we run any single /sbin command or root privileges                        command  though normal user?  Yes we can, let’s take an example ​adduser ​command  1. Login into the root account or sudo account  2. Create a normal user with password.  3. Go the the line number 20, and  edit the line with   lucy ALL=(ALL) /usr/sbin/adduser        4.  Now login into the lucy account, and you are done.   
  • 5. Question: Can we run any single /sbin command or root privileges                      command without password authentication?   ​Yes we can, through following steps  1. Go to the below line root ALL = (ALL:ALL) ALL ALL and edit the                            line with ​lucy  ALL=(ALL)  NOPASSWD:ALL        2. Now login into the lucy account , and your are done.  Question: Can we create user manually?  Yes, we can    1. Open a file ​/etc/passwd via any file editor. And update the last line                          with following way​ vipul:x:2006:2009::/home/vipul:/bin/sh  2. Same open file ​/etc/group​ and update in last line ​vipul:x:2009:  3. Run ​pwck ​and ​grpck ​in ​verifies the integrity of the users and                        authentication information.  4. Reset the password through encrypted   #echo YourPassword | openssl passwd ­1 ­stdin  #usermod ­p <copy of encrypted text>   vipul      You are done.                                   
  • 6. Understanding /etc/passwd & /etc/shadow file.    A system uses simple flat file that is ​/etc/passwd file to store information                          about local users. The format of /etc/passwd follows seven colons                    separated fields.        The format of ​/etc/passwd​ follows(Seven colon separated fields)  1 username:2 password:3 UID:4 GID:5 GECOS:6 /home/dir:7 shell    1. Username: ​It is a mapping of a UID to a name for the benefit of human                                    users.  2. Password: ​Historically, a password where kept in an encrypted                      format          Today they are kept in separate file called ​/etc/shadow  3. UID: ​It is a user ID, a number that identifies the user at the most                                  fundamental level.    ​ 4.   GID:​ It is the user ‘s primary group ID number.     5.   GECOS ​It is arbitrary text, which includes user details and real name.  ​6​. /home/dir ​It is the location of users personal data and configuration                            files.      ​7.  Shell ​It is a program that runs as the user logs in. For a regular user,  this is the normally the program that provides the users command                        line prompt.         
  • 7.   /etc/shadow file.    In older days, encrypted passwords were stored in readable ​/etc/passwd                    file. But due to security flaws, the encrypted passwords or password                      hashes is moved to ​/etc/shadow file. Which also allow password aging and                        expiration features to be implemented.  The format of ​/etc/shadow​ follows(nine colon­separated fields)      1. Name  This must be a valid account name of the system.  2. Password ​It is in encrypted format, if it start with ! mark means it’s                            locked.  3. Lastchange ​The date at which last password changed.  4. Minage     ​Minimum number of days before password may changed.  5. Maxage    ​Maximum number of days before password must change.  6. Warning ​Warning period at which password expired. 0 means no                    warning given.   7. Inactive The number of days an account remains active after                    password has expired. A user may log into the system and change                        his password. After that specified number of days, the account is                      locked, becoming inactive.  8. Expire ​The account expiration date  9. Blank: ​It is used for future use.     
  • 8.   Managing user password / Password hash    In older days, encrypted passwords were stored in world­readable                  /etc/passwd file.But due to security concern, the encrypted password or                    password hashes were moved to more secure ​/etc/shadow file. Which also                      allow password aging and expiration features to be implemented.    When a user tries to login , the system looks up the entry for the user in                                  /etc/shadow​.  It combines the salt value and plain password you enter, and encrypt them                          with hashing algorithm. If the result matches with store encrypted hash at                        /etc/shadow then successful login into the system, otherwise authentication                  get failed.    There are three pieces of information stored in a modern password hash.  1. Hashing algorithm.  2. Hash Salt .  3. Encrypted hash.  $6$AmdWnEdR$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwF nR7FPB5.    ● $6  ​It has SHA­512 hashing algorithm.  ● $AmdWnEdR ​Salt value which is combined with password to                  increase hash strength.  ● $c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.  : ​It’s your password + salt value in encrypted format to make it                          Encrypted hash.  Source ​#Shadow_file           
  • 9.     Managing Local User Accounts using  useradd/adduser,usermod, userdel, id,passwd,gpasswd  To create  user account on Linux system, we use adduser(Debian) or  useradd (Fedora).   #adduser <User>  #useradd ­u 7777 ­g bipul ­G root ­d /home/bipul ­S /bin/bash ­c                        “dba”  bipul  Make useradd command changes from here ​/etc/default/useradd  #for i in user{1..9};do adduser $i; done  Deleting user  #userdel   ­r    <User>  #for i in user{1..9};do userdel ­r $i; done  Creating/Updating password for user.We use passwd  #passwd  <User>  #echo “hacker” | passwd    ­­stdin   <user>  Locking the password for user  #passwd   ­l   <User>  To unlock the password  #Passwd   ­u   <User>  To check the status of the password  #passwd   ­S   <User>  To delete the password  #passwd   ­d    <User>  To modify a user account we use ​usermod​ command.  To change the password without passwd command  #encrypted=(echo "newpassword" | openssl passwd ­1 ­stdin);sudo              usermod ­p $encrypted  To lock the user account  #usermod   ­L   <User>  To Unlock the user account.  #usermod   ­U   <User> 
  • 11.         Groups   Like user, group have name and number and it is divided into two parts:  1. Primary group.  2. Secondary group.    Understanding /etc/group and /etc/gshadow file    Local group or primary groups are defined in ​/etc/group            1​ groupname​: 2 ​password​:3 ​GID​:4 ​List of user in the group    1. Primary group: Every user has exactly one primary group. For local                        user, the primary group is defined by the GID number of the group listed in                              the fourth field of   /etc/passwd     2. Supplementary group:​ User may be a member of zero or more  supplementary   
  • 13. ● #gpasswd  sudo  2. Log in into other user account.  ● #su  ­  bipul  3. Use newgrp <groupName>  ● #newgrp  sudo  4. Now run any root privileges command or task for specific group.  ● #sudo  useradd  lucy  5. To come out from group use exit.  ● Exit      Managing Local Group Accounts  Creating a group from next available GID from the range specified in the  /etc/login.defs file with ​groupadd  ● #groupadd  admin  ● #groupadd  ­g  700  db1    Modifying the existing groups with ​groupmod  The groupmod command is used to change a group name to a GID  mapping. The ​­n​ option is used to specify a new name ​­g​ option to specify  a new GID  ● #groupmod   ­n   db1   db  ● #groupmod   ­g  700  db2   Deleting a group with ​groupdel  To remove group we use groupdel command.   ● #groupdel   db2  NOTE: A group may not be removed if it is a primary group of an existing  user.