TARGETS
--Configuration of users and groups.
--Modification of file permissions and ownerships, usage of special permissions like SUID, SGID and Sticky bits.
--Setting ACCESS CONTROLS on files/directories.
--Configuration of network users with NIS and LDAP.
Adding New User Accounts:
Description
When invoked without the -D option, the useradd command creates a new user account using the values specified on the command line and the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user's home directory and copy initial files. The version provided with Red Hat Linux will create a group for each user added to the system by default.
The basic command used to add a new user account is
Syntax: useradd username
EX: useradd student
The above command will add a new account to the machine as well as set up that user's home directory and create a private group for the user.
--To change the password of a user account
Syntax: passwd username
The user account details are stored in the file /etc/passwd
EX: [visitor@server ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
visitor:x:500:500::/home/visitor:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
[visitor@server ~]$
root:x:0:0:root:/root:/bin/bash
In this line the columns represent:
1st column ........... Username
2nd column ........... Encrypted password
3rd column ........... User ID
4th column ........... Group ID
5th column ........... Home directory
6th column ........... Login Shell
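As an added example (not part of the original notes), the script below splits /etc/passwd-style records into their fields and runs the checks an administrator would make on them: a second UID-0 account, an empty password field, and a system account that still has an interactive shell. The records are constructed; pass the contents of /etc/passwd instead to audit a real system.

```shell
# Added example (not from the original notes): parse /etc/passwd-style
# records and flag entries a defender would review. The records below are
# constructed; pass "$(cat /etc/passwd)" instead to check a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
visitor:x:500:500::/home/visitor:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
svcadmin:x:0:0:Service admin:/tmp:/bin/bash
legacy::501:501:Old account:/home/legacy:/bin/bash
squid:x:23:23::/var/spool/squid:/bin/bash'

# Print the seven fields of one record as name=value pairs.
# Fields: login, password (x = the hash lives in /etc/shadow), UID, GID,
# GECOS comment, home directory, login shell.
passwd_fields() {
  printf '%s\n' "$1" | awk -F: '{
    printf "login=%s pw=%s uid=%s gid=%s gecos=%s home=%s shell=%s\n",
           $1, $2, $3, $4, $5, $6, $7 }'
}

# Audit: report a second UID-0 account (svcadmin above), an empty password
# field (legacy above: login asks for no password), and system accounts
# (UID below 500 on Red Hat) that keep an interactive shell (squid above).
audit_passwd() {
  printf '%s\n' "$1" | awk -F: '
    NF != 7 { printf "MALFORMED %s\n", $0; next }
    $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
    $2 == "" { printf "NOPASS %s\n", $1 }
    $3 > 0 && $3 < 500 && $7 !~ /(nologin|false)$/ { printf "SYSSHELL %s\n", $1 }
  '
}

audit_passwd "$SAMPLE_PASSWD"
```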
To create a NEW group
Syntax: groupadd groupname
EX: groupadd record
To add a user to the group (the -a flag appends to the user's supplementary groups; -G alone replaces the whole list)
Syntax: usermod -aG groupname username
EX: usermod -aG record student
The group information is stored in the file called /etc/group
EX: [visitor@server ~]$ cat /etc/group
Record:x:1070:student
[visitor@server ~]$
In this line the columns represent:
1st column ........... Group name
2nd column ........... Encrypted password
3rd column ........... Group ID
4th column ........... Users in that group
To change the group of a particular file
Syntax: chgrp groupname filename
EX: chgrp record file1
Modification/deleting user accounts
Description
The usermod command modifies the system account files to reflect the changes that are specified on the command line.
--To delete a user's password, leaving the account without one
Syntax: passwd -d username
--To change the home directory of a user
Syntax: usermod -d new_homedir username
EX: usermod -d /opt/student student
--To change the user's primary group ID
Syntax: usermod -g groupID username
EX: usermod -g 200 student
--To change the login name of a user
Syntax: usermod -l newlogin_name username
EX: usermod -l test student
--To prevent a user from logging in to a terminal (assign a non-login shell)
Syntax: usermod -s /sbin/nologin username
EX: usermod -s /sbin/nologin student
--To lock a user account
Syntax: usermod -L username
EX: usermod -L student
--To unlock a user account
Syntax: usermod -U username
EX: usermod -U student
--To add a comment to a user account
Syntax: usermod -c comment username
EX: usermod -c "Student of OST" student
--To disable a user account on a particular date
Syntax: usermod -e YYYY-MM-DD username
EX: usermod -e 2008-10-30 student
--To create a group with a duplicate (non-unique) GID
Syntax: groupadd -o -g GID groupname
Password aging policies:
Description
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.
>>By default passwords do not expire
>>The chage command is used to set up password aging
--To set the expiry date of a user account
Syntax: chage -E yyyy-mm-dd username
EX: chage -E 2010-10-30 student
*Note: passing the number -1 as the expiry date will remove an account expiration date.
--To set the date of the last password change
Syntax: chage -d yyyy-mm-dd username
Ex: chage -d 2010-10-30 student
--To set the number of days of inactivity after a password has expired before the account is locked
Syntax: chage -I INACTIVE username
Ex: chage -I 30 student
*Note: passing the number -1 as INACTIVE will remove the account's inactivity period.
--To show account aging information
Syntax: chage -l username
EX: chage -l student
--To set the minimum days between password changes
Syntax: chage -m min_days username
--To set the maximum days between password changes
Syntax: chage -M max_days username
--To set the number of days of warning before a password change is required
Syntax: chage -W WARNDAYS username
EX: chage -W 10 student
Note: The chage program requires a shadow password file to be available.
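As an added example (not part of the original notes), the script below derives the aging state that chage -l reports from an /etc/shadow-style record, using the -E, -M and -I values described above. The records and the "today" day number are constructed so the result is reproducible; date_to_days assumes GNU date.

```shell
# Added example (not from the original notes): derive the aging state that
# "chage -l" reports from an /etc/shadow-style record. Shadow fields are
# login:hash:lastchg:min:max:warn:inactive:expire, with dates counted in
# days since 1970-01-01. Records are constructed; "today" is passed in as a
# day number so results are reproducible. date_to_days assumes GNU date.
date_to_days() {            # 2010-10-30 -> days since the epoch
  echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

shadow_status() {
  printf '%s\n' "$1" | awk -F: -v today="$2" '{
    last = $3; max = $5; inact = $7; expire = $8
    if (expire != "" && expire != -1 && today >= expire) {
      print $1 ": account expired (chage -E)"; next }
    if (last == 0) { print $1 ": password change required at next login"; next }
    if (max == "" || max == 99999) { print $1 ": password never expires"; next }
    if (today > last + max) {
      if (inact != "" && inact != -1 && today > last + max + inact)
        print $1 ": password expired, account locked after " inact " inactive days (chage -I)"
      else
        print $1 ": password expired, must change (chage -M)"
      next }
    print $1 ": " (last + max - today) " day(s) until password expires"
  }'
}

# Constructed records, evaluated at day 14000 (2008-05-01).
S1='student:$1$hash:13950:0:90:7:30:'     # 40 days left
S2='alice:$1$hash:13800:0:90:7:30:'       # expired 110 days ago, past the 30 inactive days
S3='bob:$1$hash:13900:0:90:7::'           # expired 10 days ago, no inactivity limit
S4='carol:$1$hash:13950:0:99999:7:::'     # the default: never expires
S5='dave:$1$hash:0:0:90:7:::'             # lastchg 0 forces a change at next login
S6='erin:$1$hash:13950:0:90:7:30:13990'   # whole account expired on day 13990
for rec in "$S1" "$S2" "$S3" "$S4" "$S5" "$S6"; do shadow_status "$rec" 14000; done
```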
Switching accounts
The su command is used to switch to another account from the terminal. This is most often used by the system administrator to temporarily become the root user without logging out of the non-privileged account.
The password of the account being switched to must be supplied unless the superuser issued the su command.
Without the '-' option the original user's environment is maintained. Using the '-' option causes the new shell to be a login shell which, among other things, unsets the original user's environment variables in the new shell.
--To switch to another user
Syntax: su - username
EX: su - student
--To switch to the root user
Syntax: su -
--To pass a single COMMAND to the shell
Syntax: su - username -c command
EX: su - student -c ls
Description
In general most system administration tasks are best performed using sudo. sudo is safer than an su to root.
The purpose of sudo is to delegate root privileges to non-root users. It has many advantages over su, including not having to manage a shared password and logging of who actually executed which commands, when and from where.
sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file, and the group vector is initialized based on the group file (unless the -P option was specified). If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default.
Note: in the default configuration this is the user's password, not the root password.
Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers).
sudo determines who is an authorized user by consulting the file /etc/sudoers. By giving sudo the -v flag a user can update the time stamp without running a command. The password prompt itself will also time out if the user's password is not entered within 5 minutes (unless overridden via sudoers).
If a user who is not listed in the sudoers file tries to run a command via sudo, mail is sent to the proper authorities, as defined at configure time or in the sudoers file (defaults to root). Note that the mail will not be sent if an unauthorized user tries to run sudo with the -l or -v flags. This allows users to determine for themselves whether or not they are allowed to use sudo.
Network Users
Information about user and group accounts is stored in local files like /etc/passwd on each workstation or server. However, it may be easier to keep account information synchronized among many computers by storing it centrally on a remote network server.
There are two basic types of information that must always be provided for each user account:
--Account information
--Authentication
Account information
Name service information must be provided to the standard C library, glibc. This information maps the account's username to a UID number, primary group, GECOS field information (such as the user's real name), home directory, and default shell. This is controlled by a system called NSS (name service switch).
Authentication
A mechanism must be provided which can determine if a password provided to authenticate a login or other access to a particular account is the correct password for that account. This is configured for programs through PAM (pluggable authentication modules).
Authentication Configuration
The mechanism used to manage user information can be changed with system-config-authentication. By default, this provides a graphical tool to configure network authentication. The authconfig command, or authconfig-tui, provides the same utility in text-based form.
This tool provides two tabs:
--User information (which changes NSS settings)
--Authentication (which changes PAM settings)
For User information five data sources are supported:
--NIS gets information from database maps stored on a NIS server.
--LDAP allows account information to be stored as entries in an LDAP directory server.
--Hesiod stores user information as a special resource in a DNS name server.
--Winbind uses winbindd to automatically map accounts stored in a Microsoft Windows domain controller to Linux users by storing SID to UID/GID mappings in a database.
For Authentication, six data sources are supported:
--NSS will provide an encrypted password with the other NSS user information.
--Kerberos authenticates users by requesting a ticket for the user from the Kerberos server.
--LDAP authentication maps the username provided to an LDAP directory entry and tries to bind to the directory using that entry.
--Smartcard authentication allows a smartcard to be used to log in.
--SMB and Winbind use different approaches to authenticate using a Microsoft Windows domain controller.
NIS Configuration
One popular service used to centrally manage system and account information is NIS (network information system).
The NIS service is typically used to synchronize account information. It can share the contents of /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow by converting them into NIS maps.
The way to set up a client to use an existing NIS server is to do the following steps:
--Install the portmap and ypbind packages
[visitor@server ~]$vim /etc/auto.master
# append the line below to the file
/rhome /etc/auto.misc --timeout=60
[visitor@server ~]$vim /etc/auto.misc
nisuser1 -rw,soft,intr 192.168.0.253:/rhome/nisuser1
[visitor@server ~]$mkdir /rhome
[visitor@server ~]$service autofs restart
[visitor@server ~]$authconfig-tui
Under User Information, enable NIS and set the NIS domain name and server.
In NIS settings
EX: Domain name : OPENSOURCE
Server : 192.168.0.253
And click the OK button.
Now go to any terminal and try to log in as nisuser1
EX: login: nisuser1
Password:
[visitor@localhost ~]#ls /rhome
nisuser1
[visitor@localhost ~]#
LDAP Configuration
LDAP is a protocol used to talk to a distributed directory service based on X.500, which can be used to store system and account information. Client programs can use the LDAP protocol to get information from directory servers running slapd, the standalone LDAP service. The OpenLDAP packages in the distribution provide a slapd server implementation as well as client tools and development libraries which can be used to work with LDAP services.
One use of an LDAP directory service is to synchronize account information between multiple networked systems.
The way to set up a client to use an existing LDAP server is to do the following steps:
--Install the nss_ldap and openldap packages
[visitor@localhost ~]#vim /etc/openldap/ldap.conf
HOST 192.168.0.3
BASE dc=soft,dc=com
[visitor@server ~]#authconfig-tui
Under User Information, enable LDAP and set the server and base DN.
In LDAP settings
Server: 192.168.0.3
Base DN: dc=soft,dc=com
Click on the OK button
[visitor@server ~]#mkdir /home/ldapuser
[visitor@server ~]#chmod 700 /home/ldapuser
[visitor@server ~]#cp /etc/skel/.* /home/ldapuser
[visitor@server ~]#chown -R ldapuser:users /home/ldapuser
Go to any terminal and try to log in as ldapuser
EX: login: ldapuser
Password:
SUID and SGID Executables
Normally processes started by a user run under the user and group security context of that user. When a user starts a process, it runs with the permissions of that user. If you run vi and try to edit a file which you do not have permission to read and write, the operation fails. However, if the SUID or SGID bit is set on an executable, it runs with the permissions of its owner (SUID) or of its group (SGID).
EX: [visitor@localhost ~]# ll /etc/shadow
-r-------- 1 root root 1061 Jul 14 01:29 /etc/shadow
The file is owned by root, who has exclusive read access. Users may still change their passwords with the passwd command, because the passwd command has its SUID bit set and is owned by root:
[visitor@localhost ~]# ll /usr/bin/passwd
-rwsr-xr-x 1 root root 22960 Jul 17 2006 /usr/bin/passwd
SUID and SGID bits are set using the chmod command
SUID:
[visitor@localhost ~]#chmod u+s filename
SGID:
[visitor@localhost ~]#chmod g+s filename
For security reasons, SUID and SGID permissions are not honored when set on non-compiled programs such as shell scripts.
SGID Directories
When a file is created in a directory, it belongs to the primary group of the user that created the file.
For a directory the default permissions are 755
For a file the default permissions are 644
However, if the setgid bit is set on the directory, new files that are created in this directory have their group ownership set to the same group as the directory. This provides a mechanism to allow one level of access to users who are members of the group that owns the directory, while allowing a different level of access to non-member users for files in the directory.
The permission is set with chmod:
[visitor@localhost ~]#chmod g+s directory
This sets the SGID bit without affecting the current permissions.
[visitor@localhost ~]#chmod 2770 directory
The above syntax sets the SGID bit and gives read, write, and execute permission to the owner of the directory and to members of the group that owns the directory.
The Sticky Bit
Normally users with write permission to a directory can delete any file in that directory regardless of that file's permissions or ownership. Setting the sticky bit prevents users from deleting each other's files, even though they have full access to the directory.
To set the sticky bit on a directory
[visitor@localhost ~]#chmod o+t directory
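As an added example (not part of the original notes), the script below builds a small constructed directory tree, sets the SUID, SGID and sticky bits exactly as the chmod commands in the three sections above do, and then enumerates them the way an auditor would with find -perm, which is how unexpected SUID/SGID files are found on a system. It assumes GNU find and stat (Linux) and a writable temporary directory.

```shell
# Added example (not from the original notes): create a constructed tree with
# the special bits from the notes, then list them with find -perm. Assumes
# GNU find and stat (Linux).
make_special_bits_demo() {
  d=$(mktemp -d)
  : > "$d/suid_prog"; chmod 755 "$d/suid_prog"; chmod u+s "$d/suid_prog"  # like /usr/bin/passwd
  : > "$d/sgid_prog"; chmod 755 "$d/sgid_prog"; chmod g+s "$d/sgid_prog"
  mkdir "$d/shared";  chmod 2770 "$d/shared"     # SGID directory: new files inherit its group
  mkdir "$d/dropbox"; chmod 1777 "$d/dropbox"    # sticky: only a file's owner may delete it
  : > "$d/plain";     chmod 644 "$d/plain"       # no special bit, must not be listed
  printf '%s\n' "$d"
}

# List every entry under $1 with any special bit set, as "octal-mode path".
# -perm /7000 matches when ANY of setuid (4000), setgid (2000) or sticky
# (1000) is set; on a real host run it from / to audit the whole system.
find_special_bits() {
  find "$1" -mindepth 1 -perm /7000 -exec stat -c '%a %n' {} \; | sort
}

# Decode the leading octal digit that stat -c %a shows (4755 -> SUID).
describe_special() {
  case ${1%???} in
    4) echo SUID ;;        2) echo SGID ;;         1) echo sticky ;;
    6) echo SUID+SGID ;;   3) echo SGID+sticky ;;  7) echo SUID+SGID+sticky ;;
    *) echo none ;;
  esac
}

DEMO=$(make_special_bits_demo)
find_special_bits "$DEMO" | while read -r mode path; do
  printf '%s %s (%s)\n' "$mode" "$path" "$(describe_special "$mode")"
done
rm -rf "$DEMO"
```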
ACCESS CONTROL LISTS (ACLs)
Description
This section describes POSIX Access Control Lists, which are used to define more fine-grained discretionary access rights for files and directories.
ACL Types
Every object can be thought of as having associated with it an ACL that governs the discretionary access to that object; this ACL is referred to as an access ACL. In addition, a directory may have an associated ACL that governs the initial access ACL for objects created within that directory; this ACL is referred to as a default ACL.
ACL Entries
An ACL consists of a set of ACL entries. An ACL entry specifies the access permissions on the associated object for an individual user or a group of users as a combination of read, write and search/execute permissions.
An ACL entry contains an entry tag type, an optional entry tag qualifier, and a set of permissions. We use the term qualifier to denote the entry tag qualifier of an ACL entry.
The qualifier denotes the identifier of a user or a group, for entries with tag types of ACL_USER or ACL_GROUP, respectively. Entries with tag types other than ACL_USER or ACL_GROUP have no defined qualifiers.
The ext3 file system includes support for access control lists, which allow finer grained control of the system permissions than is possible with the standard three access categories that are normally provided.
In order to enable ACLs on a file system, the file system must be mounted with the acl mount option. File systems created during installation include the acl flag in their default mount options.
The setfacl utility sets Access Control Lists (ACLs) of files and directories. On the command line, a sequence of commands is followed by a sequence of files (which in turn can be followed by another sequence of commands, ...).
Permissions
The file owner and processes capable of CAP_FOWNER are granted the right to modify ACLs of a file. This is analogous to the permissions required for accessing the file mode. (On current Linux systems, root is the only user with the CAP_FOWNER capability.)
To remount the /home/ directory with the acl option
[visitor@localhost ~]#mount -o remount,acl /home/
The basic ACL options are:
--To view the ACLs for a file
EX: [visitor@localhost ~]# getfacl /home/
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[visitor@localhost ~]#
ACLs can be modified using the setfacl command
--To grant an additional user read access
Syntax: setfacl -m u:lisa:r file
--To revoke write access from all groups and all named users (using the effective rights mask)
Syntax: setfacl -m m::rx file
--To remove a named group entry from a file's ACL
Syntax: setfacl -x g:staff file
--To copy the ACL of one file to another
Syntax: getfacl file1 | setfacl --set-file=- file2
--To copy the access ACL into the default ACL
Syntax: getfacl --access dir | setfacl -d -M - dir
Correspondence Between ACL entries and file permission bits
The permissions defined by ACLs are a superset of the permissions specified by the file permission bits. The permissions defined for the file owner correspond to the permissions of the ACL_USER_OBJ entry. The permissions defined for the file group correspond to the permissions of the ACL_GROUP_OBJ entry, if the ACL has no ACL_MASK entry. If the ACL has an ACL_MASK entry, then the permissions defined for the file group correspond to the permissions of the ACL_MASK entry. The permissions defined for the other class correspond to the permissions of the ACL_OTHER_OBJ entry.
Modification of the file permission bits results in the modification of the permissions in the associated ACL entries. Modification of the permissions in the ACL entries results in the modification of the file permission bits.
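As an added example (not part of the original notes), the script below takes constructed getfacl output and applies two rules from this section: the effective rights mask that the setfacl -m m::rx command above sets limits every named user, named group and owning-group entry (the owner and other entries are never masked), and the mask entry, when present, is what the group bits of the file mode show. The ACL text and the name "project" are constructed; no setfacl is needed to run it.

```shell
# Added example (not from the original notes): compute effective rights and
# the matching file mode from constructed getfacl-style output.
SAMPLE_ACL='# file: project
# owner: root
# group: staff
user::rwx
user:lisa:rw-
group::r-x
group:staff:rwx
mask::r-x
other::---'

# Intersect two rwx triplets character by character (rw- & r-x = r--).
perm_and() {
  a=$1; b=$2; out=''; i=1
  while [ "$i" -le 3 ]; do
    ca=$(printf '%s' "$a" | cut -c"$i"); cb=$(printf '%s' "$b" | cut -c"$i")
    if [ "$ca" = "$cb" ] && [ "$ca" != '-' ]; then out="$out$ca"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Print "tag:qualifier:perms effective" for each entry. ACL_USER, ACL_GROUP
# and ACL_GROUP_OBJ entries are ANDed with ACL_MASK; user:: and other:: are not.
acl_effective() {
  mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
  printf '%s\n' "$1" | grep -v '^#' | while IFS=: read -r tag who perms; do
    case "$tag:$who" in
      user:|other:) eff=$perms ;;
      *) if [ -n "$mask" ]; then eff=$(perm_and "$perms" "$mask"); else eff=$perms; fi ;;
    esac
    printf '%s:%s:%s %s\n' "$tag" "$who" "$perms" "$eff"
  done
}

# The nine file permission bits this ACL corresponds to: owner bits from
# user::, group bits from mask:: when present (else group::), other bits
# from other::.
acl_to_mode() {
  u=$(printf '%s\n' "$1" | sed -n 's/^user::\(...\)$/\1/p')
  g=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
  [ -n "$g" ] || g=$(printf '%s\n' "$1" | sed -n 's/^group::\(...\)$/\1/p')
  o=$(printf '%s\n' "$1" | sed -n 's/^other::\(...\)$/\1/p')
  printf '%s%s%s\n' "$u" "$g" "$o"
}

acl_effective "$SAMPLE_ACL"
echo "mode bits: $(acl_to_mode "$SAMPLE_ACL")"
```

Note that lisa's rw- entry yields only r-- once the mask is r-x, which is exactly why setfacl -m m::rx revokes write access from every named user and group at once.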