Ch11

Chapter 11:
Managing Users

The Complete Guide to Linux System
Administration

Objectives

• Create and manage user accounts
• Manage complex file permissions
• Review advanced user security issues

The Complete Guide to Linux System Administration
2

Creating and Managing User
Accounts
• Process of creating new user accounts
– Add default files to be part of every user’s home
directory to /etc/skel directory
– Create home directory for all users
– Configure default settings for all users
– Create groups
– Create user account for each person
– Create valid password for each user

3

Managing User Accounts
Graphically
• /etc/passwd file defines user accounts, including:
– User name – Comment field
– Password – User’s home directory
– UID – User’s default shell
– GID
• vipw command edits /etc/passwd file
• passwd command defines password

4

Graphically (continued)
• Utilities to create new user accounts
– Graphical tools
– Command-line utilities
• system-config-users utility
– Red Hat graphical user account creation tool
– Information from /etc/passwd file shown in window
– Can edit each fields
– Edit password information stored in /etc/shadow

5


6

• User Properties dialog, User Data tab
– User name
– Full name
– Password and confirm password
– Home directory
– Login shell
• User Properties dialog, Account Info tab
– Enable account expiration
– Lock local password

7

• User Properties dialog, Password Info tab
– View when user last changed password
– Enable password expiration
• Experts recommend changing password every
30 to 60 days
• User Properties dialog, Groups tab
– Lists groups from /etc/group file
– Each user assigned primary group

8

• User private group model
– Used by Red Hat Linux and Fedora
– User’s primary group has same name as user
– Contains only user as member
• Create new user
– system-config-users utility
– Add User button
– Enter information on dialog
– Utility creates home directory based on user name

9

• /etc/login.defs file
– Stores settings used to create new users
– Comments describe settings
• Create new group
– Click Add Group button
– Enter group name

10

• Delete user
– Select user name on Users tab
– Click delete button
– Some administrators prefer to permanently
disable, not delete

11

Creating New Users at the
Command Line
• useradd utility
– Create new users
– Must be logged in as root
– Example: useradd -g sales -c “Raley Solomon"
rsolomon
– -D option displays the default settings
– Edit /etc/default/useradd to change defaults

12

Creating New Users at the
Command Line (continued)
• passwd command
– Change user’s password
– Lock user account: passwd -l thomas
– Unlock account: passwd -u thomas

13

Creating New Groups

• groupadd command
– Preferred method for adding new group
– Example: groupadd managers

14

Modifying User and Group
Accounts at the Command Line
• usermod command
– Modify user account
– Uses same options as useradd command
• groupmod command
– Modify group
– -g option: change GID
– -n option: change name

15

(continued)
• grpck command
– Check integrity of /etc/group and /etc/gshadow
files
– Uses no parameters
• chage command
– Alter password aging information
– View password expiration
– Change aging for user
– Interactive mode

16

(continued)
• pwconv utility converts older /etc/passwd
password storage to /etc/shadow password
storage
• pwunconv utility converts existing /etc/shadow
passwords to older /etc/passwd system for
compatibility
• pwck command shows formatting errors that
make accounts unusable

17

Automating Home Directory
Creation
• Files in /etc/skel automatically copied into each
user’s home directory
– At time account created
– Includes hidden configuration files
– Files not added to existing user home directories

18

Disabling User Accounts

• Temporarily disable user’s account
– Change password
• passwd command
– passwd -l [username] to lock account
– Edit /etc/shadow file in text editor
• Place asterisk before encrypted password
– Place # at beginning of line for user account in
/etc/passwd
• Make line into comment

19

Disabling User Accounts
(continued)
• userdel command
– Delete user account permanently
– Does not remove user’s home directory or
contents
• groupdel command
– Remove group
– Be careful deleting groups

20

Complex File Permissions

• Sticky bit
– Directory can only be renamed or unlinked by
• User that owns it
• root
– Often used on directories all users should be able
to create files such as /tmp
– To set: chmod a+t /tmp

21

(continued)
• Set user ID permission
– SUID
– Can be added to file that has execute permission
set
– Causes user who executes file to take on file
permissions of owner of file
– Very useful for few specialized programs
– To set: chmod u+s file

22

(continued)
• Permissions not always what they seem at first
• Set group ID permission
– SGID
– Person who executes program has permissions of
file’s group while executing program
– To set: chmod g+s file
– Can also be set numerically

23

(continued)
• SGID set on directory
– Any file created within directory assigned to group
of directory
• Permissions examined in order
– Owner first
– Group second
– Others third
– Can deny group permission without users having
other permission

24

User Security Issues

• Other ways of securing Linux
– Additional communications
– User security mechanisms

25

Communicating with Users

• /etc/motd file
– Contents displayed just before shell is started
each time user logs in
– “Message of the day”
– Does not appear unless:
• User opens command line
• Or logs in at text-mode console

26

(continued)
• wall command
– Write all
– Communicate immediate message to all users
who are logged in to system
– Displays broadcast message on command line for
all users
• Working in text mode
• Or with open terminal window

27

(continued)
• fuser command
– Learn about what users are doing
– View users accessing
• File system
• Serial port
• Network connection
– -k option kills processes

28

Granting Limited Root Access

• sudo command
– Assign root privileges to any user account
– User can execute just programs that sudo
configuration specifies
• /etc/sudoers configuration file
– Syntax can be very complex
– Basic format: user host = command_list

29

Granting Limited Root Access
(continued)
• /etc/sudoers configuration file
– Can define aliases for:
• Collection of users
• Collection of hosts
• Collection of programs
• Set of sudo options
• visudo program edits /etc/sudoers file
• System administrator must hand out sudo power
carefully

30

Using Pluggable Authentication
Modules
• Pluggable authentication module (PAM)
– Architecture and set of libraries
– Programmer can create module to perform
specific security-related function
– System administrators can select, configure, and
use one or more modules
• Control operation of program that is aware of PAM
capabilities
– Configured by default for Red Hat Linux

31

Modules (continued)
• To use PAM, select PAM modules for program
• Configured using:
– Single configuration file /etc/pam.conf
– Series of configuration files in directory /etc/pam.d
– Person compiling software selects which
configuration style is used

32

Modules (continued)
• Red Hat Linux and Fedora use directory
configuration method
• /etc/pam.d directory contains file with name
matching program being configured
• When PAM-compatible program executed,
checks to see which applicable modules are
configured for given task
• Stacked modules
– Multiple modules are listed for module type

33

Modules (continued)
• control_flag element
– Determines how PAM processes stacked modules
– Has two forms

34

Using Network Information
Service
• Network Information Service (NIS)
– Lets system administrator manage single set of
configuration files for multiple Linux servers
– Sometimes called yellow pages service or yp
• When user logs in, server contacts NIS server to
see if user has valid user account

35

Using Network Information
Service (continued)
• NIS+ or NISplus
– More recent version of NIS
• authconfig program
– Set up system to use NIS server
• /etc/nsswitch.conf file
– Instructs various system programs in Linux on
where to look for configuration information
– Often includes multiple options

36

Summary

• User accounts can be managed graphically
• useradd command creates user accounts on the
command line
• usermod command modifies existing user
accounts
• User accounts can be disabled using various
methods

37

Summary (continued)

• SUID and SGID permissions cause user to
assume permissions of owner of executable file
when program is executed
• Sticky bit and other special file permissions allow
administrators to control shared files
• Administrators can broadcast messages to users
• sudo program lets regular users perform tasks
that require root privileges

38

Summary (continued)

• PAMs provide flexible and powerful way for
system administrators to configure exactly how
user security is handled
• NIS or NIS+ server
– Multiple systems can share user files

39

Ch11

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Ch11

Similar a Ch11 (20)

Último

Último (20)

Ch11