1. Chapter 11: Managing Users
The Complete Guide to Linux System Administration
2. Objectives
• Create and manage user accounts
• Manage complex file permissions
• Review advanced user security issues
3. Creating and Managing User Accounts
• Process of creating new user accounts
– Add default files to be part of every user’s home directory to /etc/skel directory
– Create home directory for all users
– Configure default settings for all users
– Create groups
– Create user account for each person
– Create valid password for each user
4. Managing User Accounts Graphically
• /etc/passwd file defines user accounts, one record per line, including (in field order):
– User name
– Password (usually “x”, meaning the hash is kept in /etc/shadow)
– UID
– GID
– Comment field
– User’s home directory
– User’s default shell
• vipw command edits /etc/passwd file
• passwd command defines password
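The seven /etc/passwd fields listed above are what an administrator inspects when auditing accounts. The script below is an added example, not code from the book: it runs a few awk checks over a constructed passwd-format file and reports any non-root account with UID 0, an empty password field, a password hash kept in /etc/passwd instead of /etc/shadow (the situation pwconv corrects), and a UID shared by two accounts. The sample records and login names are made up; point `audit_passwd` at /etc/passwd to run the same checks on a real system.

```shell
#!/bin/sh
# Added example: audit /etc/passwd-format records. The records below are
# constructed for the example so the script runs offline.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rsolomon:x:1001:1005:Raley Solomon:/home/rsolomon:/bin/bash
thomas:x:1002:1002:Thomas:/home/thomas:/bin/bash
backdoor:x:0:0:second UID 0:/root:/bin/bash
legacy::1003:1003:empty password field:/home/legacy:/bin/sh
oldstyle:$1$salt$hashvalue:1004:1004:hash kept in passwd:/home/oldstyle:/bin/sh
dupe:x:1002:1002:shares UID with thomas:/home/dupe:/bin/bash
EOF
)

# audit_passwd FILE
# Prints one finding per line, "<check> <login>", in file order:
#   uid0            non-root account whose UID is 0 (full root privileges)
#   empty-pw        empty password field (no hash and no /etc/shadow reference)
#   hash-in-passwd  hash stored in the world-readable /etc/passwd (run pwconv)
#   dup-uid         UID already used by an earlier record (same identity on disk)
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root"  { print "uid0 " $1 }
        $2 == ""                 { print "empty-pw " $1 }
        $2 != "" && $2 != "x"    { print "hash-in-passwd " $1 }
        ($3 in seen)             { print "dup-uid " $1 }
        { seen[$3] = 1 }
    ' "$1"
}

# Run the audit over the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

The checks are deliberately simple string and numeric comparisons on the colon-separated fields; the same approach extends to any other field (for example listing accounts whose login shell is not in /etc/shells).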
5. Managing User Accounts Graphically (continued)
• Utilities to create new user accounts
– Graphical tools
– Command-line utilities
• system-config-users utility
– Red Hat graphical user account creation tool
– Information from /etc/passwd file shown in window
– Can edit each field
– Edit password information stored in /etc/shadow
6. Managing User Accounts Graphically (continued)
7. Managing User Accounts Graphically (continued)
• User Properties dialog, User Data tab
– User name
– Full name
– Password and confirm password
– Home directory
– Login shell
• User Properties dialog, Account Info tab
– Enable account expiration
– Lock local password
8. Managing User Accounts Graphically (continued)
• User Properties dialog, Password Info tab
– View when user last changed password
– Enable password expiration
• Experts recommend changing password every 30 to 60 days
• User Properties dialog, Groups tab
– Lists groups from /etc/group file
– Each user assigned primary group
9. Managing User Accounts Graphically (continued)
• User private group model
– Used by Red Hat Linux and Fedora
– User’s primary group has same name as user
– Contains only user as member
• Create new user
– system-config-users utility
– Add User button
– Enter information on dialog
– Utility creates home directory based on user name
10. Managing User Accounts Graphically (continued)
• /etc/login.defs file
– Stores settings used to create new users
– Comments describe settings
• Create new group
– Click Add Group button
– Enter group name
11. Managing User Accounts Graphically (continued)
• Delete user
– Select user name on Users tab
– Click delete button
– Some administrators prefer to permanently disable, not delete
12. Creating New Users at the Command Line
• useradd utility
– Create new users
– Must be logged in as root
– Example: useradd -g sales -c "Raley Solomon" rsolomon
– -D option displays the default settings
– Edit /etc/default/useradd to change defaults
13. Creating New Users at the Command Line (continued)
• passwd command
– Change user’s password
– Lock user account: passwd -l thomas
– Unlock account: passwd -u thomas
14. Creating New Groups
• groupadd command
– Preferred method for adding new group
– Example: groupadd managers
15. Modifying User and Group Accounts at the Command Line
• usermod command
– Modify user account
– Uses same options as useradd command
• groupmod command
– Modify group
– -g option: change GID
– -n option: change name
16. Modifying User and Group Accounts at the Command Line (continued)
• grpck command
– Check integrity of /etc/group and /etc/gshadow files
– Uses no parameters
• chage command
– Alter password aging information
– View password expiration
– Change aging for user
– Interactive mode
17. Modifying User and Group Accounts at the Command Line (continued)
• pwconv utility converts older /etc/passwd password storage to /etc/shadow password storage
• pwunconv utility converts existing /etc/shadow passwords to older /etc/passwd system for compatibility
• pwck command shows formatting errors that make accounts unusable
18. Automating Home Directory Creation
• Files in /etc/skel automatically copied into each user’s home directory
– At time account created
– Includes hidden configuration files
– Files not added to existing user home directories
19. Disabling User Accounts
• Temporarily disable user’s account
– Change password
• passwd command
– passwd -l [username] to lock account
– Edit /etc/shadow file in text editor
• Place asterisk before encrypted password
– Place # at beginning of line for user account in /etc/passwd
• Make line into comment
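Slides 13, 16 and 19 describe three things that are all visible in /etc/shadow: a lock written by `passwd -l` (a “!” placed in front of the hash), a lock written by hand (the asterisk), and the aging values that `chage` manages (field 3 is the day of the last change, counted in days since 1970-01-01; field 5 is the maximum age in days). The script below is an added example, not code from the book, that reads those fields back from constructed shadow-format records so an administrator can list which accounts are locked, which have no password at all, and whose password is older than its maximum age. The records, logins and hash strings are made up; run the functions against /etc/shadow (as root) for real accounts.

```shell
#!/bin/sh
# Added example: read lock state and password age from /etc/shadow-format
# records. Constructed sample; field layout is
# login:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW=$(cat <<'EOF'
rsolomon:$6$salt$hashvalue:19700:0:90:7:::
thomas:!$6$salt$hashvalue:19650:0:90:7:::
legacy:*:18000:0:99999:7:::
stale:$6$salt$hashvalue:19000:0:60:7:::
nopw::19700:0:90:7:::
EOF
)

# shadow_status FILE LOGIN -> locked | nopasswd | active
#   A leading "!" is what passwd -l writes in front of the hash; "*" is the
#   hand-edited lock from slide 19. Either prevents password login.
shadow_status() {
    awk -F: -v u="$2" '$1 == u {
        if ($2 == "") print "nopasswd"
        else if (substr($2, 1, 1) == "!" || substr($2, 1, 1) == "*") print "locked"
        else print "active"
    }' "$1"
}

# password_age FILE LOGIN TODAY -> "ok Nd" | "expired Nd" | "no-expiry"
#   TODAY is in days since 1970-01-01, the same unit as the lastchg field.
#   Field 5 is the maximum age set by chage -M; 99999 means never expires.
password_age() {
    awk -F: -v u="$2" -v today="$3" '$1 == u {
        if ($5 == "" || $5 + 0 >= 99999) { print "no-expiry"; exit }
        age = today - $3
        if (age > $5 + 0) print "expired " age "d"
        else print "ok " age "d"
    }' "$1"
}

# Report on the constructed sample using the real current date.
today=$(( $(date +%s) / 86400 ))
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
for u in rsolomon thomas legacy stale nopw; do
    printf '%-10s %-9s %s\n' "$u" \
        "$(shadow_status "$tmp" "$u")" "$(password_age "$tmp" "$u" "$today")"
done
rm -f "$tmp"
```

The age check uses the same arithmetic the login process uses, so an account reported as expired here will be forced to change its password at the next login; an account reported as locked but not expired is one that was disabled deliberately and should stay that way until `passwd -u` is run.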
20. Disabling User Accounts (continued)
• userdel command
– Delete user account permanently
– Does not remove user’s home directory or contents
• groupdel command
– Remove group
– Be careful deleting groups
21. Complex File Permissions
• Sticky bit
– Files in the directory can be renamed or unlinked only by
• User that owns the file (or the directory)
• root
– Often used on directories in which all users should be able to create files, such as /tmp
– To set: chmod a+t /tmp
22. Complex File Permissions (continued)
• Set user ID permission
– SUID
– Can be added to a file that has execute permission set
– Causes the program to run with the permissions of the file’s owner, not those of the user who executes it
– Very useful for a few specialized programs
– To set: chmod u+s file
23. Complex File Permissions (continued)
• Permissions not always what they seem at first
• Set group ID permission
– SGID
– Person who executes program has permissions of file’s group while executing program
– To set: chmod g+s file
– Can also be set numerically
24. Complex File Permissions (continued)
• SGID set on directory
– Any file created within directory assigned to group of directory
• Permissions examined in order
– Owner first
– Group second
– Others third
– Can deny group permission without users having other permission
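Slides 21 to 24 introduce the sticky bit, SUID and SGID one at a time. The script below is an added example, not code from the book: it builds a throwaway directory tree, applies each bit in its numeric form (the symbolic `chmod a+t`, `u+s` and `g+s` commands from the slides are given in the comments), reads the result back from the `ls -l` permission string (`t` in the last position for the sticky bit, `s` in the owner or group execute position for SUID/SGID), shows that a file created inside an SGID directory takes the directory’s group, and finishes with the `find` command an administrator uses to inventory every SUID/SGID program on a system. The directory names are made up and everything is created under `mktemp -d`, so no system file is touched.

```shell
#!/bin/sh
# Added example: set and inspect the special permission bits in a temporary
# tree, then locate SUID/SGID files under a path. Names are constructed.

# mode_string PATH -> the 10-character type+permission field from ls -l,
# e.g. drwxrwxrwt (sticky dir), drwxrws--- (SGID dir), -rwsr-xr-x (SUID file)
mode_string() { ls -ld "$1" | cut -c1-10; }

# gid_of PATH -> numeric group id (column 4 of ls -ldn)
gid_of() { ls -ldn "$1" | awk '{ print $4 }'; }

# find_special ROOT -> regular files under ROOT with SUID or SGID set.
# Run as: find_special / ; compare the list against a known-good baseline.
find_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# make_lab -> prints the path of a temp tree with one of each bit applied
make_lab() {
    lab=$(mktemp -d)
    mkdir "$lab/shared" "$lab/project"
    chmod 1777 "$lab/shared"        # numeric form of chmod a+rwx,a+t (like /tmp)
    chmod 2770 "$lab/project"       # numeric form of chmod ug+rwx,o-rwx,g+s
    : > "$lab/project/report.txt"   # new file inherits the directory's group
    : > "$lab/tool"
    chmod 4755 "$lab/tool"          # numeric form of chmod u+s on an executable
    printf '%s\n' "$lab"
}

lab=$(make_lab)
for p in shared project project/report.txt tool; do
    printf '%s  gid=%s  %s\n' "$(mode_string "$lab/$p")" "$(gid_of "$lab/$p")" "$p"
done
echo "SUID/SGID files under $lab:"
find_special "$lab"
rm -rf "$lab"
```

The numeric forms are the ones scripts usually use: the leading digit is 4 for SUID, 2 for SGID and 1 for the sticky bit, and they add (1777 is sticky plus rwx for everyone). Keeping the output of `find_special /` from a freshly installed system and diffing it periodically is the simplest way to notice a new SUID program.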
25. User Security Issues
• Other ways of securing Linux
– Additional communications
– User security mechanisms
26. Communicating with Users
• /etc/motd file
– Contents displayed just before shell is started each time user logs in
– “Message of the day”
– Does not appear unless:
• User opens command line
• Or logs in at text-mode console
27. Communicating with Users (continued)
• wall command
– Write all
– Communicate immediate message to all users who are logged in to system
– Displays broadcast message on command line for all users
• Working in text mode
• Or with open terminal window
28. Communicating with Users (continued)
• fuser command
– Learn about what users are doing
– View users accessing
• File system
• Serial port
• Network connection
– -k option kills processes
29. Granting Limited Root Access
• sudo command
– Assign root privileges to any user account
– User can execute just the programs that the sudo configuration specifies
• /etc/sudoers configuration file
– Syntax can be very complex
– Basic format: user host = command_list
30. Granting Limited Root Access (continued)
• /etc/sudoers configuration file
– Can define aliases for:
• Collection of users
• Collection of hosts
• Collection of programs
• Set of sudo options
• visudo program edits /etc/sudoers file
• System administrator must hand out sudo power carefully
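Slides 29 and 30 give the basic rule format `user host = command_list`, the alias keywords, and the warning that sudo power must be handed out carefully. The script below is an added example, not code from the book: it walks a constructed sudoers file in that format and reports the two grants an administrator should look at first, a command list of `ALL` (equivalent to full root) and the `NOPASSWD:` tag (no password prompt at all). The users, aliases and command paths in the sample are made up; `visudo -c` remains the tool for checking that a real /etc/sudoers parses.

```shell
#!/bin/sh
# Added example: flag the broadest grants in a sudoers file.
# The file below is constructed for the example, not a real configuration.
SAMPLE_SUDOERS=$(cat <<'EOF'
# user  host = (runas) command_list
User_Alias  OPS = rsolomon, thomas
Cmnd_Alias  SERVICES = /usr/sbin/service, /bin/systemctl
Defaults    requiretty
root        ALL = (ALL) ALL
OPS         ALL = SERVICES
thomas      ALL = (ALL) NOPASSWD: ALL
backupuser  ALL = /usr/bin/rsync
EOF
)

# audit_sudoers FILE -> one line per finding, in file order:
#   "nopasswd USER"      the rule carries a NOPASSWD: tag
#   "all-commands USER"  the command_list is ALL (any program as root)
# Alias and Defaults lines are skipped; only user/host rules are grants.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/                                             { next }
        /^(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            user = $1
            cmds = $0; sub(/^[^=]*=/, "", cmds)      # keep the part after "="
            sub(/\([^)]*\)/, "", cmds)               # drop a (runas) list
            if (cmds ~ /NOPASSWD:/)               print "nopasswd " user
            if (cmds ~ /(^|[ \t,:])ALL([ \t,]|$)/) print "all-commands " user
        }' "$1"
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
audit_sudoers "$tmp"   # root is expected here; thomas is the grant to question
rm -f "$tmp"
```

A grant to a user alias such as `OPS` is reported under the alias name, so a finding on an alias should be expanded to its member list before deciding what to do about it.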
31. Using Pluggable Authentication Modules
• Pluggable authentication module (PAM)
– Architecture and set of libraries
– Programmer can create module to perform specific security-related function
– System administrators can select, configure, and use one or more modules
• Control operation of program that is aware of PAM capabilities
– Configured by default for Red Hat Linux
32. Using Pluggable Authentication Modules (continued)
• To use PAM, select PAM modules for program
• Configured using:
– Single configuration file /etc/pam.conf
– Series of configuration files in directory /etc/pam.d
– Person compiling software selects which configuration style is used
33. Using Pluggable Authentication Modules (continued)
• Red Hat Linux and Fedora use directory configuration method
• /etc/pam.d directory contains file with name matching program being configured
• When PAM-compatible program executed, checks to see which applicable modules are configured for given task
• Stacked modules
– Multiple modules are listed for module type
34. Using Pluggable Authentication Modules (continued)
• control_flag element
– Determines how PAM processes stacked modules
– Has two forms
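Slides 33 and 34 describe stacking (several modules listed for one module type) and the control_flag that decides how the stack is processed. Each line of a /etc/pam.d file has the shape `type control_flag module [arguments]`; the control_flag is either a single keyword (required, requisite, sufficient, optional, include) or the bracketed `[value=action ...]` form, which may contain spaces. The script below is an added example, not code from the book: it prints the stack for each module type from a constructed /etc/pam.d-style file, handling both control_flag forms, so an administrator can see in what order the modules will be consulted. The file is made up for the example and does not reproduce any distribution’s real configuration; run `pam_stack /etc/pam.d/login auth` to read a real one.

```shell
#!/bin/sh
# Added example: list the stacked modules for one module type from a
# /etc/pam.d-style file. The file is constructed for the example.
SAMPLE_PAM=$(cat <<'EOF'
#%PAM-1.0
# type       control_flag                 module            arguments
auth         required                     pam_securetty.so
auth         requisite                    pam_nologin.so
auth         [success=1 default=ignore]   pam_unix.so       nullok
auth         required                     pam_deny.so
account      required                     pam_access.so
account      include                      system-auth
password     include                      system-auth
session      required                     pam_loginuid.so
session      optional                     pam_keyinit.so    force revoke
EOF
)

# pam_stack FILE TYPE -> "control_flag module" for each TYPE line, in stack order.
# A bracketed control_flag is reassembled from as many fields as it spans.
pam_stack() {
    awk -v t="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == t {
            ctrl = $2; i = 3
            if (ctrl ~ /^\[/)
                while (ctrl !~ /\]$/ && i <= NF) { ctrl = ctrl " " $i; i++ }
            print ctrl " " $i
        }' "$1"
}

# stack_depth FILE TYPE -> how many modules are stacked for TYPE
stack_depth() { pam_stack "$1" "$2" | wc -l | tr -d ' '; }

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PAM" > "$tmp"
for t in auth account password session; do
    echo "== $t ($(stack_depth "$tmp" "$t") modules)"
    pam_stack "$tmp" "$t"
done
rm -f "$tmp"
```

Reading a stack this way is useful because order matters: a `requisite` module that fails ends the stack immediately, while a `required` failure is only reported after the remaining modules have run, and a `sufficient` success can end the stack early. Listing every stack before and after editing a file under /etc/pam.d makes an accidental removal of a required module easy to spot.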
35. Using Network Information Service
• Network Information Service (NIS)
– Lets system administrator manage single set of configuration files for multiple Linux servers
– Sometimes called yellow pages service or yp
• When user logs in, server contacts NIS server to see if user has valid user account
36. Using Network Information Service (continued)
• NIS+ or NISplus
– More recent version of NIS
• authconfig program
– Set up system to use NIS server
• /etc/nsswitch.conf file
– Instructs various system programs in Linux on where to look for configuration information
– Often includes multiple options
37. Summary
• User accounts can be managed graphically
• useradd command creates user accounts on the command line
• usermod command modifies existing user accounts
• User accounts can be disabled using various methods
38. Summary (continued)
• SUID and SGID permissions cause user to assume permissions of owner (SUID) or group (SGID) of executable file when program is executed
• Sticky bit and other special file permissions allow administrators to control shared files
• Administrators can broadcast messages to users
• sudo program lets regular users perform tasks that require root privileges
39. Summary (continued)
• PAMs provide flexible and powerful way for system administrators to configure exactly how user security is handled
• NIS or NIS+ server
– Multiple systems can share user files