
    Workbook 5. User and Group Administration

  • rha130-6.1-1 2 Copyright 2011, Red Hat Inc.

    Table of Contents

    1. What Is a User? (p. 5)
       Discussion (p. 5)
          A Userid Is a Number (p. 5)
          Userid 0 is root (p. 5)
          Processes Have a Userid (p. 5)
          The id command (p. 6)
          The ps command (p. 6)
          Real or Effective Userid? (p. 7)
          Resources (Files and Directories) Have Userids (p. 7)
          The /etc/passwd file (p. 7)
          Three kinds of users (p. 9)
          Userid ranges (p. 10)
       Examples (p. 10)
          Some Password Entries (p. 10)
          Some Processes (p. 11)
          Processes As Resources (p. 11)
          Files As Resources (p. 12)
       Online Exercises (p. 13)
          Specification (p. 13)
          Deliverables (p. 13)
       Questions (p. 13)
    2. Adding, Modifying, and Deleting Users (p. 16)
       Discussion (p. 16)
          The useradd command (p. 16)
          Options for useradd and usermod (p. 17)
          usermod options (p. 18)
          Deleting Users with userdel (p. 18)
       Examples (p. 18)
          Adding Three Musicians with useradd (p. 18)
          usermod For Fickle Musicians (p. 19)
          userdel For Evicting Them (p. 19)
       Exercise (p. 20)
          Specification (p. 20)
          Deliverables (p. 20)
       Questions (p. 21)
    3. Managing Passwords (p. 24)
       Discussion (p. 24)
          Setting passwords (p. 24)
          Where Passwords Go -- Old School (p. 25)
          Where Passwords Go -- Today (p. 25)
          The Shadow File (p. 26)
          Password Aging (p. 26)
          The chage command (p. 27)
          Account Expiration (p. 27)
          Setting Password Aging Parameters (p. 28)
       Examples (p. 28)
          Using chage (p. 28)
          Changing Passwords (p. 29)
          More chage (p. 30)
       Exercise (p. 30)
          Setup (p. 30)
          Specification (p. 30)
          Deliverables (p. 30)
       Questions (p. 31)
    4. Adding, Modifying, and Deleting Groups (p. 33)
       Discussion (p. 33)
          Creating Groups (p. 33)
          Deleting Groups (p. 33)
          Modifying Groups (p. 33)
          Adding Users to Groups or Removing Them (p. 34)
          The /etc/group File (p. 34)
          Primary and Secondary Groups (p. 35)
       Examples (p. 35)
          Adding Groups (p. 35)
          Sharing One File with a Group (p. 35)
          Modifying Groups (p. 36)
       Exercises (p. 37)
          Deliverables (p. 37)
       Questions (p. 38)
    5. Users and the UNIX Filesystem (p. 40)
       Discussion (p. 40)
          Review of Mode Bits (p. 40)
          The umask command (p. 40)
          Set-Groupid Directories (p. 41)
          User Private Group (p. 42)
       Examples (p. 42)
          A directory not shared with a group (p. 42)
       Exercises (p. 43)
          Deliverables (p. 44)
       Questions (p. 44)
    6. Filesystem Access Control Lists ("acls") (p. 47)
       Discussion (p. 47)
          Why Access Control Lists? (p. 47)
          Observing and Setting acls: getfacl and setfacl (p. 47)
          The setfacl Command (p. 49)
          Directories and Default ACLs (p. 50)
          The ls, mv, and cp Commands and ACLs (p. 50)
          Filesystem Support: the acl Mount Option (p. 51)
          A Final Word (p. 51)
       Examples (p. 52)
          Access to Removable Media (p. 52)
          Managing Sound Card Access in Fedora (p. 52)
       Research (p. 52)
          Deliverables (p. 53)
          Cleaning Up (p. 53)
       Questions (p. 53)
    7. Network Based User Models (p. 57)
       Discussion (p. 57)
          The Name Service Switch (p. 57)
             The Naming Problem (p. 57)
             The Name Service Switch (p. 57)
             Databases (p. 58)
             Database Sources (p. 58)
             Searching Left to Right (p. 59)
          Working with centralized users (p. 59)
             More on Lightweight Directory Access Protocol (LDAP) (p. 59)
             More about Network Information Service (NIS) (p. 61)
             Configuring Centralized Users (the easy way): system-config-authentication (p. 62)
             System Security Services Daemon (SSSD) (p. 63)
             getent (p. 64)
       Examples (p. 64)
       Exercise (p. 65)
          Specification (p. 65)
          Deliverables (p. 68)
          Cleaning Up (p. 68)
       Questions (p. 68)
    8. Customizing the User's Environment (p. 71)
       Discussion (p. 71)
          Environment Variables (p. 71)
          Date and Time Locale (p. 71)
          Five Different Scopes for Changing Environment (p. 71)
             Changing for One Command (p. 72)
             Changing for One Shell (p. 72)
             Changing for One User (p. 72)
             Changing for All Future Users (p. 73)
             Changing for All Future Logins of All Users (p. 73)
          Shell Functions and Aliases (p. 73)
          We've Been Talking about Bash (p. 74)
          Three Kinds of Shells (p. 74)
          A Common Mistake (p. 75)
          What Really Happens When Starting a bash (p. 75)
          /etc/skel For Application Initialization Files (p. 75)
       Examples (p. 76)
          Changing PS1 For a Subshell (p. 76)
       Exercise (p. 76)
          Deliverables (p. 77)
       Questions (p. 77)


    Chapter 1. What Is a User?

    Key Concepts

    Fundamentally, users are represented as a 32-bit integer, known as a user id (or simply uid).

    Every process runs under the context of a userid, and resources (such as files) are owned by userids.

    The /etc/passwd file associates usernames, passwords, a home directory, and a login shell for users with a userid.

    Passwords are (usually) stored in the /etc/shadow file.

    Some of the users on the system are system users, and are not meant to represent actual people.

    Discussion

    When you sit down at a Linux computer to do some work or play some games, you have to log on first, providing a username and a password. You think of that username as representing yourself: My name is Alice, and my username is alice, and it represents me.

    A Userid Is a Number

    But what does Linux think of you as? Linux thinks of you as not just a username like alice, but also as a number, like 531. You may think "I am not a number," but to Linux you are!

    In Linux, a userid is a 32-bit integer -- that is, a number from 0 to 4,294,967,295. The userid is used frequently in the internal workings of Linux, and is usually only converted to a human-friendly username (like alice) for presentation to humans, as in a directory listing or an email address. This chapter will be about when Linux uses a username, when Linux uses an integer userid, and how it converts one to the other when needed.

    In this chapter we will consistently use the term username to mean human-friendly names like alice, and the term userid to mean integers like 531.

    Userid 0 is root

    The userid 0 is special: it is the userid of the superuser, whose username is conventionally root. We mention this now, because you'll see userid 0 or username root a lot when you start looking around in your Linux system, and we want you to notice it when you do.

    Processes Have a Userid

    All work done in Linux is done in the context of a process. Every program that is executed runs in a process (or sometimes in more than one process). This includes your login shell, commands you invoke from the shell, your graphical programs, Internet clients and servers, and a variety of other system processes that run quietly in the background.

    Each of these processes has a userid, stored as a 32-bit integer, representing which user the program is running on behalf of, and therefore what rights the program has to access various resources, and what userid will own newly created resources.

    A process with userid 0 is exceptional, in that it has permission to do whatever it asks to do. It is not subject to the limitations that other userids have. (Strictly, the kernel grants such a process the full set of capabilities, and a mandatory access control system such as SELinux can still constrain it when enforcing; for this workbook, "userid 0 can do anything" is the right mental model.)

    The id command

    If you are logged in to Red Hat Enterprise Linux, you can find out what your shell's current userid is with the id command:

        [student@system student]$ id
        uid=500(student) gid=500(student) groups=500(student) context=user_u:system_r:unconfined_t

    The number marked uid= is your userid. It also looks up the username associated with that userid, and prints it in parentheses. The rest are group ids; we'll talk about them later.

    If run on yourself, the id command also reports your SELinux context, which showed up starting in Red Hat Enterprise Linux 4. All standard users run with the SELinux type unconfined_t, which, as the name implies, places no additional restrictions on them.

    Try the id command. What is your integer userid?

    The ps command

    To see the userids of all processes on your system, use the command ps lax.

    Note: To make this listing fit on the page better, we've left out a few columns and a few rows. When you try this, you should see a bit more.

        [alice@system alice]$ ps lax
        F   UID   PID  PPID STAT TTY   TIME COMMAND
        4     0     1     0 S    ?     0:05 init [
        1     0     2     1 SW   ?     0:00 [keventd]
        1     0     3     1 SW   ?     0:00 [kapmd]
        1     0     4     1 SWN  ?     0:00 [ksoftirqd_CPU0]
        1     0     5     1 SW   ?     0:00 [kswapd]
        1     0     7     1 SW   ?     0:00 [kscand/Normal]
        1     0    10     1 SW   ?     0:00 [kupdated]
        1     0  1437     1 S    ?     0:00 syslogd -m 0
        5     0  1441     1 S    ?     0:00 klogd -x
        5    32  1459     1 S    ?     0:00 portmap
        5    29  1478     1 S    ?     0:00 rpc.statd
        5     0  1608     1 S    ?     0:00 xinetd -stayalive -reuse
        5     0  1628     1 S    ?     0:00 sendmail: accepting connections
        1    51  1637     1 S    ?     0:00 sendmail: Queue runner@01:00:00
        5     0  1647     1 S    ?     0:00 gpm -t ps/2 -m /dev/mouse
        1     0  1656     1 S    ?     0:00 crond
        5    43  1726     1 S    ?     0:00 xfs -droppriv -daemon
        1     2  1744     1 S    ?     0:00 /usr/sbin/atd
        1     0  1754     1 S    ?     0:00 rhnsd --interval 240
        4     0  1760     1 S    ?     0:00 login -- alice
        4     0  1765     1 S    ?     0:00 login -- root
        4   500  1768  1760 S    tty1  0:00 -bash
        4     0  1810  1765 S    tty6  0:00 -bash
        0     0  1863  1810 S    tty6  0:01 vim u5-1.txt
        0   500  1868  1768 R    tty1  0:00 ps lax

    The second column (UID) shows the userid of the process. The third column (PID) shows the process ID, a unique number identifying each process.

    If you try ps lax, you'll notice that your userid owns at least one shell (probably bash) and one process running ps. Why is that?

    You'll also see lots of processes running with userid 0, for instance the process with PID 1, which executes the program init.
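The following Python script is an added example, not part of the Red Hat workbook. It parses the output of ps lax the way the text reads it: it groups processes by their UID column and then picks out the userid-0 processes that are attached to a terminal, which are interactive root sessions (or programs started from one) rather than daemons or kernel threads. The function names are this example's own; the sample listing is an abridged copy of the one above, built here so the script runs offline, and live_ps() runs the real ps on the host.

```python
"""Added example (not from the Red Hat workbook): read "ps lax" output,
group processes by userid, and find userid-0 processes on a terminal.
Function names here are this example's own."""
import subprocess
from collections import defaultdict

# Constructed sample, abridged from the workbook listing above.
SAMPLE_PS = """\
F UID PID PPID STAT TTY TIME COMMAND
4 0 1 0 S ? 0:05 init
1 0 2 1 SW ? 0:00 [keventd]
1 0 1437 1 S ? 0:00 syslogd -m 0
5 32 1459 1 S ? 0:00 portmap
5 43 1726 1 S ? 0:00 xfs -droppriv -daemon
4 0 1760 1 S ? 0:00 login -- alice
4 0 1765 1 S ? 0:00 login -- root
4 500 1768 1760 S tty1 0:00 -bash
4 0 1810 1765 S tty6 0:00 -bash
0 0 1863 1810 S tty6 0:01 vim u5-1.txt
0 500 1868 1768 R tty1 0:00 ps lax
"""

REQUIRED = ("UID", "PID", "PPID", "STAT", "TTY", "COMMAND")

def parse_ps_lax(text):
    """Return one dict per process. Columns are located by header name, so
    the real "ps lax" (which also prints PRI, NI, VSZ, RSS, WCHAN) parses the
    same way as the abridged listing. COMMAND is last and may contain spaces,
    so each row is split at most len(header)-1 times."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    col = {name: i for i, name in enumerate(header)}
    missing = [c for c in REQUIRED if c not in col]
    if missing or header[-1] != "COMMAND":
        raise ValueError("unexpected ps header: %r" % header)
    procs = []
    for line in lines[1:]:
        parts = line.split(None, len(header) - 1)
        if len(parts) < len(header):
            continue          # truncated row (the workbook cuts the right edge)
        procs.append({
            "uid": int(parts[col["UID"]]),
            "pid": int(parts[col["PID"]]),
            "ppid": int(parts[col["PPID"]]),
            "stat": parts[col["STAT"]],
            "tty": parts[col["TTY"]],
            "cmd": parts[col["COMMAND"]].strip(),
        })
    return procs

def processes_by_uid(procs):
    """Map each userid to the commands it is running, in listing order."""
    by_uid = defaultdict(list)
    for p in procs:
        by_uid[p["uid"]].append(p["cmd"])
    return dict(by_uid)

def is_kernel_thread(p):
    # Kernel threads show up as "[name]"; the kernel runs them as userid 0.
    return p["cmd"].startswith("[") and p["cmd"].endswith("]")

def root_on_a_terminal(procs):
    """Userid-0 processes with a controlling tty: a root shell, or something
    launched from one. Daemons and kernel threads have TTY "?"."""
    return [p for p in procs
            if p["uid"] == 0 and p["tty"] != "?" and not is_kernel_thread(p)]

def live_ps():
    """Parse the real process table of this host."""
    out = subprocess.run(["ps", "lax"], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_lax(out)

if __name__ == "__main__":
    for p in root_on_a_terminal(live_ps()):
        print("root on %s: pid %d %s" % (p["tty"], p["pid"], p["cmd"]))
```

Run against the sample, root_on_a_terminal() returns the root bash on tty6 and the vim started from it, but not the two login processes, which have no terminal yet. On a live system the same filter is a quick way to answer "is anybody root on a console right now?".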

    Real or Effective Userid?

    We're simplifying things a bit when we say a process has a userid -- it actually has more, including a "real userid" and an "effective userid". In the situations we describe in this workbook, the real userid and the effective userid will always be the same. They differ mainly when a set-user-id program such as passwd is run: the real userid stays that of the user who started it, while the effective userid becomes that of the program's owner. If they differ, it is the effective userid that determines what rights the process has to use various resources. (That also is a slight simplification, since the kernel keeps a saved set-user-id and a separate filesystem userid as well; at this point, it's the right way to think about it. See man 2 setreuid and man 2 setfsuid if you need the gory details.)
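As an added example (not the workbook's own), the script below reads the four userids the kernel actually records for a process, which is where the "real" and "effective" distinction above becomes visible. The Uid: line of /proc/<pid>/status lists real, effective, saved set-user-id and filesystem uid in that order. The sample status text is constructed here to look like a set-user-id-root passwd started by userid 500; function names are this example's own.

```python
"""Added example (not from the Red Hat workbook): show the real, effective,
saved and filesystem userids of a process from /proc/<pid>/status."""
import pwd

# Constructed sample of the relevant lines of /proc/<pid>/status for a
# set-user-id-root program (think passwd) started by userid 500.
SAMPLE_STATUS = """Name:\tpasswd
State:\tS (sleeping)
Pid:\t1868
Uid:\t500\t0\t0\t0
Gid:\t500\t500\t500\t500
"""

FIELDS = ("real", "effective", "saved", "fs")

def parse_status_ids(status_text, key):
    """Return {"real", "effective", "saved", "fs"} for the Uid: or Gid:
    line of a /proc/<pid>/status document."""
    for line in status_text.splitlines():
        if line.startswith(key + ":"):
            values = line.split(":", 1)[1].split()
            if len(values) != 4:
                raise ValueError("malformed %s line: %r" % (key, line))
            return dict(zip(FIELDS, map(int, values)))
    raise ValueError("no %s line found" % key)

def privilege_summary(status_text):
    """Say what the Uid: quadruple means in practice."""
    uid = parse_status_ids(status_text, "Uid")
    if uid["real"] == uid["effective"] == uid["saved"]:
        kind = "plain"            # the everyday case the workbook describes
    elif uid["effective"] == 0:
        kind = "setuid-root"      # euid 0 decides access; real uid is the caller
    elif uid["saved"] == 0:
        kind = "root-regainable"  # euid dropped, but saved uid 0 can be restored
    else:
        kind = "setuid-other"
    # The fs uid is what file permission checks use; it normally tracks euid.
    return {"kind": kind, "access_uid": uid["fs"], "caller_uid": uid["real"]}

def process_ids(pid="self"):
    """Read the live /proc entry (Linux only)."""
    with open("/proc/%s/status" % pid) as f:
        return parse_status_ids(f.read(), "Uid")

def name_for(uid):
    """Translate a userid as ls does: the name if /etc/passwd knows it,
    otherwise the bare number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

if __name__ == "__main__":
    ids = process_ids()
    print("this shell:", {k: "%d(%s)" % (v, name_for(v)) for k, v in ids.items()})
    print("sample setuid-root passwd:", privilege_summary(SAMPLE_STATUS))
```

The "root-regainable" case is the one worth recognising when you inspect a daemon: a process that started as root and only switched its effective userid still has saved uid 0 and can switch back, which is not the same as having dropped privileges for good.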

    Resources (Files and Directories) Have Userids

    By resources, we usually mean files and directories, but there are a few other things in Linux which also have an integer userid (named pipes and System V shared memory segments are examples). However, in this lesson we will only talk about files and directories.

    Each file, directory, and other node in a UNIX file system has an owner, which is an integer userid. When a process creates a new file or directory, the new node receives the userid of the process as its owner userid. In general, a process has more rights to make changes to files that have its same userid (that is, files that it owns) than it does to files that have different userids.

    To see the integer userid of files and directories, use the command ls -ln. Try ls -lna /home. What userid owns your home directory? What userid owns the directory /home?

        [alice@localhost alice]$ ls -lna /home
        total 56
        drwxr-xr-x   4   0   0 4096 May 15 22:39 .
        drwxr-xr-x  25   0   0 4096 May 18 00:27 ..
        drwx------  12 500 500 4096 May 16 19:07 alice
        drwx------   2 502 502 4096 May 15 21:42 bob

    (Notice there are two columns with the numbers 0, 500, and 502. The left column is the userid, and the right column is the groupid.) The -n option means to show userids numerically. Usually you want userids to be translated to usernames, so you don't use the -n option:

        [alice@localhost alice]$ ls -la /home
        total 56
        drwxr-xr-x   4 root  root  4096 May 15 22:39 .
        drwxr-xr-x  25 root  root  4096 May 18 00:27 ..
        drwx------  12 alice alice 4096 May 16 19:07 alice
        drwx------   2 bob   bob   4096 May 15 21:42 bob

    What usernames in this listing map to what userids in the previous listing? If a userid has no entry in /etc/passwd (for example, files left behind by a deleted user), ls has nothing to translate it to and prints the bare number even without -n.

    The /etc/passwd file

    UNIX could have had only numeric userids: you would login as user "500" instead of using an alphanumeric username. But it's friendlier and easier to see meaningful names like "alice" and "bob", so a text file /etc/passwd contains mappings between usernames and their corresponding userids and some other information.

    Take a look at your password file. (The head -10 command shows the first 10 lines of a text file.)

        [root@system root]# head -10 /etc/passwd
        root:x:0:0:root:/root:/bin/bash
        bin:x:1:1:bin:/bin:/sbin/nologin
        daemon:x:2:2:daemon:/sbin:/sbin/nologin
        adm:x:3:4:adm:/var/adm:/sbin/nologin
        lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
        sync:x:5:0:sync:/sbin:/bin/sync
        shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
        halt:x:7:0:halt:/sbin:/sbin/halt
        mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
        news:x:9:13:news:/etc/news:

    Each line contains seven fields separated by colons, with no extra spaces. Since colons are used to separate the fields, colons cannot be used within any field.

    The seven fields are as follows:

    1. Alphanumeric username

    2. The user's encrypted password, or "x" if the encrypted password is in /etc/shadow

    3. The user's integer userid

    4. The user's primary integer groupid

    5. A field for miscellaneous information (often the user's full name), historically called the GECOS field, and now usually called the comment field.

    6. The user's home directory

    7. The user's login shell

    Now we will talk about each of the seven fields in more detail.

    1. The first field is the alphanumeric username. For the most compatibility with older programs and other UNIX systems, it's best if usernames be one to eight characters; contain only lowercase letters, digits, and underscores; and begin with a lowercase letter. Although some Linux users today have usernames longer than eight characters, there are programs which will truncate their output to only show the first eight characters (for example, who and last), and other programs that just refuse to show long usernames and print the numeric userid instead (for example, ps).

    Each line in /etc/passwd must begin with a different username; that is, the usernames must be unique.

    2. Traditionally UNIX stored the user's password in the second field in an encrypted (strictly, hashed with crypt) form. For instance, the password "pig+foo9" might be stored as "yk2uSm8XR6eZ1".

    Today it is best practice to use the newer Shadow Password mechanism, in which the encrypted passwords are saved in a separate file /etc/shadow that only root can read. /etc/passwd itself has to stay readable by everyone so that programs like ls can turn userids into names, so any hash left in it can be copied off and attacked offline. When shadow passwords are used, this second field of /etc/passwd contains a single "x". If this field is empty, the account is "unpassworded", and no password will be requested when the user logs on (unless the PAM configuration refuses empty passwords). If the system will ever be connected to a network, this is not a good idea!

    3. The third field is the integer userid we've been talking about. These are usually unique, but in rare cases, two different usernames may map to the same userid (most often for userid zero). Because the kernel only ever sees the number, such accounts are indistinguishable from each other; an unexpected second userid-zero entry is a classic sign of a compromised system, so it is worth checking for.

    4. The fourth field is similar to userid; it's the primary groupid. It's also a 32-bit integer in today's Linux. We'll talk more about group ids in later sections.

    5. The fifth field is the comment (or GECOS) field. It's often just left blank, or it might store the user's full name. Older UNIX systems sometimes put phone numbers or other information here. Read man 5 passwd if you want to know why this field is still sometimes called the "GECOS field".

    6. Each username is assigned a home directory, which is named in the sixth field. People need home directories; when they login, their current directory is set to their home. System users have less need for them, but some home directory should be specified for all usernames.

    7. People must have a program which is executed when they login, called the login shell, which is named in the seventh field. On Red Hat Enterprise Linux, it is usually /bin/bash.

    System users do not usually log in with login shells, but something must be named here. The file /etc/shells lists the shells considered valid for login: chsh will not let a user change to a shell that is not listed there, and some services (FTP servers, and anything using the pam_shells module) refuse to log in a user whose shell is not listed. One way of forbidding people to log in (that is, to disable a user's account) is to put /sbin/nologin for the login shell. It is a special command that tells them they cannot log in and then exits. Note that this blocks interactive logins only: cron jobs and services that do not start a login shell still run as that user, so to disable an account fully, lock its password as well.

    Three kinds of users

    UNIX systems have three kinds of users: human users, superusers, and system users.

    Human Users: Human users are people who actually log in to the computer to work. Different people have different usernames so they can operate independently: they want separate mailboxes, they might want some degree of privacy for some of their files, they want to set their own options on various programs, and they don't want other users to be able to accidentally clobber their files. Having different usernames and different userids lets Linux keep them separate.

    Superusers: The userid zero is special, in that a process with userid zero is never denied access to a file, directory, or any other resource on the system by the ordinary permission checks. In addition, there are some system calls that only userid zero is allowed to make, such as mounting a file system or shutting down the computer. (There may be provisions for non-super users to be able to do these things, but they all involve a process that has userid zero.)

    Conventionally the username root is mapped to userid zero on the first line of the password file, and bad things will surely happen if it isn't. Therefore being a superuser is frequently called "being root" or "having root privileges."

    (It is possible to have other usernames in addition to root map to userid zero, and these usernames will also be superusers. This is sometimes done if several people all have root privileges, but want different home directories so they can have different initialization files. You might call them superhumans.)

    System Users: Some RPM packages allocate their own userid and username when they are installed. Such packages often have some files that they manipulate, and they often execute processes with their own userid. (It is preferable for them to have their own userid, instead of running as root, to limit the amount of damage possible if a programming error allowed the package to be exploited in a bad way.)

    Since there is no human user behind these userids, they are called system users, and they are usually defined in the first part of the password file, on the lines following root.

    Databases, Internet servers, mail and news transport programs, and print spoolers are examples of packages that have system users. Red Hat Enterprise Linux systems usually have password entries for "mail", "news", "apache", etc.

    Userid ranges

    We mentioned at the beginning that userids are 32-bit integers. This means they can range from zero to 4,294,967,295.

    Userid zero is always the superuser. Red Hat Enterprise Linux 6 reserves the range 1 through 499 for system users, and recommends that human users have userids 500 and higher. (Later releases raised these boundaries to 999 and 1000; the values in force on a given system are UID_MIN and UID_MAX in /etc/login.defs.)

    Older UNIX systems had only 16-bit integers for userids. For compatibility with them, keep userids less than 65,000 if you can. A couple of anomalous system users (with names like "nobody") were historically assigned userids with signed values of -1 and -2, or the equivalent unsigned 16-bit values of 65535 and 65534. One of these is still in Red Hat Enterprise Linux -- look in /etc/passwd for it. Furthermore, in some Linux kernel calls userid -1 has a special meaning (to setreuid, for example, it means "leave this userid unchanged"), and some older commands print -1 for any userid higher than 65534.

    For these reasons, Red Hat Enterprise Linux ships with defaults to allocate userids for humans in the range of 500 through 60,000.
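The script below is an added example, not part of the Red Hat workbook. It serves both the description of the seven /etc/passwd fields above (the empty or non-"x" second field, duplicate usernames, a second userid-zero entry, a shell that lets a system user log in) and this section on userid ranges. It parses a passwd file into its seven fields and reports each entry that breaks one of those rules. The sample file is constructed from the workbook's own entries plus a few deliberately bad ones; the range constants assume the Red Hat Enterprise Linux 6 defaults quoted above, the INTERACTIVE_SHELLS set stands in for /etc/shells, and all function names are this example's own.

```python
"""Added example (not from the Red Hat workbook): parse /etc/passwd and
audit it for the problems the chapter warns about."""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
HUMAN_MIN, HUMAN_MAX = 500, 60000       # assumed: UID_MIN/UID_MAX of RHEL 6 login.defs
LOCKED = ("*", "!", "!!")               # conventional "no usable password" markers
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/tcsh", "/bin/csh"}  # stand-in for /etc/shells

# Constructed sample: workbook entries plus deliberately bad lines 5-9 and 11.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
news:x:9:13:news:/etc/news:
apache:x:48:48:Apache:/var/www:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
guest::510:510::/home/guest:/bin/bash
legacy:yk2uSm8XR6eZ1:511:511::/home/legacy:/bin/bash
alice:x:502:502::/home/alice:/bin/bash
alice:x:70000:70000::/tmp:/bin/bash
"""

def parse_passwd(text):
    """Split each line on colons into the seven fields. Returns the list of
    well-formed entries and a list of (line number, problem) for the rest."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            problems.append((lineno, "expected 7 colon-separated fields, got %d" % len(parts)))
            continue
        e = dict(zip(FIELDS, parts))
        try:
            e["uid"], e["gid"] = int(e["uid"]), int(e["gid"])
        except ValueError:
            problems.append((lineno, "non-numeric uid/gid"))
            continue
        e["lineno"] = lineno
        entries.append(e)
    return entries, problems

def audit_passwd(text):
    """Return sorted (line number, message) findings for a passwd file."""
    entries, problems = parse_passwd(text)
    first_seen = {}
    for e in entries:
        def tag(msg, e=e):
            problems.append((e["lineno"], "%s: %s" % (e["name"], msg)))
        if e["name"] in first_seen:
            tag("duplicate username (first on line %d)" % first_seen[e["name"]])
        first_seen.setdefault(e["name"], e["lineno"])
        if e["passwd"] == "":
            tag("empty password field: logs in with no password")
        elif e["passwd"] != "x" and e["passwd"] not in LOCKED:
            tag("password hash stored in world-readable /etc/passwd, not /etc/shadow")
        if e["uid"] == 0 and e["name"] != "root":
            tag("extra userid-0 (superuser) account")
        shell = e["shell"] or "/bin/sh"     # empty seventh field defaults to /bin/sh
        if 0 < e["uid"] < HUMAN_MIN and shell in INTERACTIVE_SHELLS:
            tag("system userid %d has interactive shell %s" % (e["uid"], shell))
        if e["uid"] >= HUMAN_MIN and not (HUMAN_MIN <= e["uid"] <= HUMAN_MAX):
            tag("userid %d outside the human range %d-%d" % (e["uid"], HUMAN_MIN, HUMAN_MAX))
    return sorted(problems)

def audit_system_passwd(path="/etc/passwd"):
    """Audit the real file on this host."""
    with open(path) as f:
        return audit_passwd(f.read())

if __name__ == "__main__":
    for lineno, msg in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s" % (lineno, msg))
```

Note that the workbook's own news entry is flagged: its empty shell field defaults to /bin/sh, so unlike the nologin accounts around it nothing in that line prevents an interactive login. The audit reads only /etc/passwd; whether news actually has a usable password is a question for /etc/shadow, covered in the chapter on managing passwords.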

    ExamplesSome Password Entries

    If we look at the first few lines in /etc/passwd, will see the root entry and some system users.

    [root@system root]# head -10 /etc/passwdroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologinsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltmail:x:8:12:mail:/var/spool/mail:/sbin/nologinnews:x:9:13:news:/etc/news:

    (The head command shows the first few lines of a text file.)

    Notice that root has userid 0. The others shown here are all system users, with userid and groupid less than500: bin has userid 1, lp (line printer) is 4, mail is 8. They have various directories listed as their homedirectories, and most have /sbin/nologin as login shell, so that no one can ever login with these accounts.The last field of the news line is empty, meaning it defaults to /bin/sh, the most standard UNIX shell.

    Now if we look at the last few lines of /etc/passwd, we see some human users.

    [student@system student]# tail -3 /etc/passwd
    julius:x:501:501::/home/julius:/bin/bash
    alice:x:502:502::/home/alice:/bin/bash
    bob:x:503:503::/home/bob:/bin/bash

    (The tail command shows the last few lines of a text file.)

    Julius, Alice, and Bob have userids 501, 502, and 503. They have normal home directories in /home, and the usual /bin/bash login shell. The fifth field (comment or GECOS) is empty, so you just see two colons together after the groupid.
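The rules this section describes (seven colon-separated fields, integer userid and groupid, the system and human userid ranges, an empty seventh field meaning /bin/sh, and an empty password field meaning no password at all) can be checked mechanically. The following audit script is an added example in Python, not the workbook's own code; its sample lines are copied from the listings above, and the two malformed lines it checks at the end are the ones the review questions later ask about.

```python
"""Audit /etc/passwd lines against the rules described above.

Added example, not the workbook's own code. SAMPLE reproduces the
workbook's head/tail listings; the malformed lines checked in the test
section are the ones its review questions ask about.
"""

SYSTEM_UID_MAX = 499                        # RHEL reserves 1-499 for system users
HUMAN_UID_MIN, HUMAN_UID_MAX = 500, 60000   # default range for human users


def classify_uid(uid):
    """Name the userid range the workbook describes."""
    if uid == 0:
        return "superuser"
    if 1 <= uid <= SYSTEM_UID_MAX:
        return "system"
    if HUMAN_UID_MIN <= uid <= HUMAN_UID_MAX:
        return "human"
    return "outside recommended ranges"


def parse_passwd_line(line):
    """Return the 7 fields of one line plus a category and a problem list."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return {"raw": line, "problems": ["expected 7 fields, got %d" % len(fields)]}
    name, password, uid, gid, gecos, home, shell = fields
    entry = {"name": name, "gecos": gecos, "home": home, "problems": []}
    problems = entry["problems"]
    if not name:
        problems.append("empty username")
    if password == "":
        # An empty second field means no password is needed to log in.
        problems.append("empty password field: no password needed to log in")
    for label, value in (("uid", uid), ("gid", gid)):
        try:
            entry[label] = int(value)
        except ValueError:
            problems.append("%s %r is not an integer" % (label, value))
    # An empty seventh field means the login shell defaults to /bin/sh.
    entry["shell"] = shell or "/bin/sh"
    entry["shell_defaulted"] = shell == ""
    entry["can_login"] = entry["shell"] != "/sbin/nologin"
    if "uid" in entry:
        entry["category"] = classify_uid(entry["uid"])
        if entry["uid"] == 0 and name != "root":
            problems.append("userid 0 on an account other than root")
    return entry


def audit_passwd(text):
    """Parse every non-blank line of a passwd file's contents."""
    return [parse_passwd_line(l) for l in text.splitlines() if l.strip()]


# Constructed from the workbook's head -10 and tail -3 listings.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
julius:x:501:501::/home/julius:/bin/bash
alice:x:502:502::/home/alice:/bin/bash
bob:x:503:503::/home/bob:/bin/bash
"""

if __name__ == "__main__":
    for e in audit_passwd(SAMPLE):
        print(e.get("name"), e.get("category"), e.get("shell"), e["problems"])
```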


    Some Processes

    Let's look at processes running on a typical Linux workstation. The command ps lax shows us all processes, with the userid in the second column labeled UID. Notice the first few all have userid 0, including process (PID) 1, which is always init. Then some system processes have system userids: portmap has userid 32, and xfs (a font server) is 43. A human user with userid 500 is running the Nautilus file manager. Finally humans 501, 502, and 503 are logged in on consoles tty2, tty3, and tty4.

    Note: To make this listing fit on the page better, we've left out a few columns and quite a few rows. When you try this, you should see a bit more.

    [root@system root]# ps lax
    F   UID   PID  PPID STAT TTY    TIME COMMAND
    4     0     1     0 S    ?      0:05 init [
    1     0     2     1 SW   ?      0:00 [keventd]
    1     0     3     1 SW   ?      0:00 [kapmd]
    1     0     5     1 SW   ?      0:00 [kswapd]
    1     0    73     1 SW   ?      0:00 [khubd]
    1     0  2250     1 SW   ?      0:00 [kjournald]
    1     0  2257     1 SW   ?      0:00 [kjournald]
    1     0  2515     1 S    ?      0:00 syslogd -m
    5     0  2519     1 S    ?      0:00 klogd -x
    5    32  2537     1 S    ?      0:00 portmap
    5    29  2556     1 S    ?      0:00 rpc.statd
    5    43  2881     1 S    ?      0:00 xfs -droppriv -daemon
    0   500  2991  2961 S    pts/1  0:00 bash
    4     0  3018  2991 S    pts/1  0:00 su -
    4     0  3021  3018 S    pts/1  0:00 -bash
    0   500  3279     1 S    ?      0:00 /usr/bin/meta
    0   500  3283     1 S    ?      0:01 gnome-panel -
    0   500  3285     1 S    ?      0:01 nautilus --no
    0   500  3289     1 S    ?      0:00 eggcups --sm-
    0   500  3291     1 S    ?      0:00 pam-panel-ico
    0   500  3293     1 S    ?      0:11 /usr/bin/pyth
    0   500  3305     1 S    ?      0:00 gnome-termina
    0   500  3306  3305 S    ?      0:00 gnome-pty-hel
    0   500  3307  3305 S    pts/0  0:00 bash
    4   501  4929  2841 S    tty2   0:00 -bash
    0   501  4969  4929 S    tty2   0:00 sleep 600
    4   502  4970  2842 S    tty3   0:00 -bash
    4   503  5011  2843 S    tty4   0:00 -bash
    0   502  5056  4970 S    tty3   0:00 sleep 800
    0   503  5057  5011 S    tty4   0:00 sleep 900
    4     0  5058  3021 R    pts/1  0:00 ps lax

    Processes As Resources

    It turns out that the users we see on tty3 and tty4 are Alice (userid 502) and Bob (userid 503). We'll show you now what they're doing. Each of them puts a sleep command into the background (sleep simply does nothing for the specified number of seconds) and takes note of its process id (PID).

    Then each tries to kill the other's sleep process, using the kill command. They each get an error, because you are only allowed to kill processes that have your same userid. Then they kill their own sleep process, which succeeds.

    [alice@system alice]$ sleep 800 &
    [1] 5056
    [alice@system alice]$ ps
      PID TTY          TIME CMD
     4970 tty3     00:00:00 bash
     5056 tty3     00:00:00 sleep
     5060 tty3     00:00:00 ps
    [alice@system alice]$ kill 5057
    -bash: kill: (5057) - Operation not permitted
    [alice@system alice]$ kill 5056

    [bob@system bob]$ sleep 900 &
    [1] 5057
    [bob@system bob]$ ps
      PID TTY          TIME CMD
     5011 tty4     00:00:00 bash
     5057 tty4     00:00:00 sleep
     5061 tty4     00:00:00 ps
    [bob@system bob]$ kill 5056
    -bash: kill: (5056) - Operation not permitted
    [bob@system bob]$ kill 5057

    This demonstrated the rights of a process (the ability of a shell to kill) being limited based on its userid and the userid of a resource (the sleeping process).

    Files As Resources

    Next we'll look at the mail spool directory, which holds incoming mail for users. With ls -lan, we see userids and group ids printed numerically.

    Then we leave out the -n option, so it translates userids and group ids into usernames and group names.

    [student@system student]$ ls -lan /var/spool/mail/
    total 44
    drwxrwxr-x   2 0   12   4096 May 22 04:20 .
    drwxr-xr-x  13 0    0   4096 May  9 00:43 ..
    -rw-------   1 502 12    713 May 22 04:19 alice
    -rw-------   1 503 12    690 May 22 04:20 bob
    -rw-------   1 501 12  17611 May 22 04:20 julius
    -rw-------   1 504 12   6373 May 22 04:20 student
    [student@system student]$ ls -la /var/spool/mail
    total 44
    drwxrwxr-x   2 root    mail   4096 May 22 04:20 .
    drwxr-xr-x  13 root    root   4096 May  9 00:43 ..
    -rw-------   1 alice   mail    713 May 22 04:19 alice
    -rw-------   1 bob     mail    690 May 22 04:20 bob
    -rw-------   1 julius  mail  17611 May 22 04:20 julius
    -rw-------   1 student mail   6373 May 22 04:20 student

    What userid is associated with each username? (That is, what is student's userid?) What groupid and groupname is the group owner of each mail file?

    Next user student does a directory listing of "the root directory" (named /). Then student tries to list "root's home directory" (named /root), but doesn't have permission to do so.

    [student@system student]$ ls -la /
    total 265
    drwxr-xr-x  42 root root   4096 May 22 03:51 .
    drwxr-xr-x  42 root root   4096 May 22 03:51 ..
    drwxr-xr-x   2 root root   4096 May  9 01:49 bin
    drwxr-xr-x   3 root root   4096 May  9 00:37 boot
    drwxr-xr-x  20 root root 118784 May 22 03:52 dev
    drwxr-xr-x  52 root root   4096 May 22 04:18 etc
    drwxr-xr-x   7 root root   4096 May 22 04:18 home
    drwxr-xr-x   2 root root   4096 Jan 24 23:52 initrd
    drwxr-xr-x   9 root root   4096 May  9 01:48 lib
    drwx------   2 root root  16384 May  8 23:52 lost+found
    drwxr-xr-x   2 root root   4096 Jan 28 04:22 misc
    drwxr-xr-x   3 root root   4096 May  9 01:21 mnt
    drwxr-xr-x   2 root root   4096 Jan 24 23:52 opt
    dr-xr-xr-x  84 root root      0 May 22 03:50 proc
    drwxr-x---  15 root root   4096 May 22 04:08 root
    drwxr-xr-x   2 root root   8192 May  9 01:49 sbin
    drwxrwxrwt  11 root root   4096 May 22 04:20 tmp
    drwxr-xr-x  15 root root   4096 May  9 00:35 usr
    drwxr-xr-x  17 root root   4096 May  9 00:55 var
    [student@system student]$ ls -la /root
    ls: /root: Permission denied

    We see in the listing of / that /root has mode displayed as drwxr-x---, and it's owned by user root and group root. Why can't student list it?

    Online Exercises

    Lab Exercise

    Objective: Gain experience editing the /etc/passwd file.

    Estimated Time: 5 mins.

    Specification

    1. As a precaution, make a backup of your /etc/passwd file, and store it somewhere safe.

    2. As root, edit the file /etc/passwd with a text editor. Insert the word avocado in the comment (fifth) field of your primary student account. Save the file.

    Deliverables

    1. An avocado in your comment field.

    Questions

    1. How many fields are in each line of /etc/passwd?

    a. 3

    b. 7

    c. up to 32

    d. one for each user

    e. depends on how many : characters there are

    2. Which command shows you the owner userid of a file as an integer?

    a. ls

    b. ls -laR

    c. ls -lan


    d. ps lax

    e. id

    3. Which characters can you use in usernames?

    a. only digits 0-9

    b. any non-meta character

    c. any printable character except :

    d. only letters and digits

    e. only lowercase letters, digits, and underscores

    4. Red Hat recommends system users in what range?

    a. 1-499

    b. 0-1023

    c. 0-65535

    d. 10-99

    e. 500-60000

    5. What is the userid of the process with process id (PID) 1?

    a. 0

    b. 1

    c. 500

    d. 65535

    e. ps

    6. What is the problem with this line from /etc/passwd? root::0:0:root:/root:/bin/bash

    a. userid and groupid are the same

    b. /bin/bash is obsolete

    c. the full name should be in the comment field

    d. the superuser account is unpassworded, so anyone can take over the computer

    e. root is a reserved username

    7. What happens if a user's login shell is set to /sbin/nologin?

    a. only the superuser can log in

    b. that user is not allowed to log in

    c. the user is asked what login shell they want


    d. the home directory is disabled

    e. the computer shuts down completely

    8. In Red Hat Enterprise Linux, mail, news, and apache are examples of what?

    a. default shells

    b. process ids

    c. system users

    d. superusers

    e. home directories

    9. The command ps lax can be used to do what?

    a. control PostScript printers

    b. convert files to PostScript

    c. see which users have logged off

    d. see userids of all processes on the system

    e. see all permissions on the file system

    10. The id command shows you what?

    a. root's userid

    b. userids of system users

    c. userids of all logged-on users

    d. userids of all processes on the system

    e. userid, username, and group information for the current user


    Chapter 2. Adding, Modifying, and Deleting Users

    Key Concepts

    Users can be managed by manually editing the /etc/passwd file.

    Usually, the useradd, usermod, and userdel command line utilities are used instead.

    After users have been deleted, resources can still be owned by the (now vacant) userid.

    Discussion

    Users exist in a Linux system because they are present in the passwd file. Although it's done indirectly through the PAM module, the login programs (as well as ls -l and ps -a) in effect read the /etc/passwd file for information about users.

    (Actually, other user authentication mechanisms can be enabled, but we'll ignore them until a later chapter.)

    To add new users, the superuser could just edit the passwd file. As we've seen, it's a text file, and it's easy to edit. You can duplicate the bottom line and edit the new line by making a new username, allocating a new userid, fixing the home directory field, etc. But this is tedious and prone to error, and there are other things that have to be done (like making a home directory & making an entry in /etc/shadow) so we don't recommend doing this manually.

    Instead you should use the commands useradd, usermod, and userdel which do all these things correctly for you. These commands are fairly standard, and are found on the other UNIX systems as well as Red Hat Enterprise Linux. You must be root to use these commands, so type "su - root" (and give the root password) before typing these commands.

    The useradd command

    As you expect, useradd creates new users. It takes numerous options, but most of the time they aren't needed, and adding a user named alice is as simple as typing useradd alice:

    [root@system root]# useradd alice
    [root@system root]#

    Used in this simple style, the command does a number of things for you:

    1. Allocates a new userid, one higher than the largest human userid found in /etc/passwd. (If you have only a few users, the userids will be in the 500's.)

    2. Adds a line to /etc/passwd with appropriate values for this user.

    3. Adds a line to /etc/shadow, if shadow passwords are being used. (By default, they are. More about them later.)

    4. Creates a new home directory for the user, with a name like /home/alice, and sets the owner userid of the directory correctly.

    5. Copies all files from /etc/skel into the new home directory. These files are usually initialization commands for various programs, including shell profiles like .bashrc and .bash_profile.


    6. Creates a new private group for the user in /etc/group. A later chapter will discuss groups.

    Options for useradd and usermod

    In some situations, the defaults for the useradd command are inappropriate, or the user's attributes need to be changed later. You can override the defaults by giving options to useradd, or change the attributes later with the usermod command.

    The following options are allowed on both useradd and usermod:

    -c "comment"
        It's best to only use the comment (or GECOS) field to store the user's full name. If the comment contains spaces, don't forget to put quotation marks around it, so that the shell will pass it to the command as a single argument. Don't put anything personal or secret here, since some mail programs will add this text with the user's email address on the "From:" header when email is sent.

    -d homedir
        There may be times when you want a user's home directory somewhere besides in /home. Perhaps some users need their home on a larger disk partition, or on a network partition (like an NFS mount).

        Also notice the root user in Red Hat Enterprise Linux has home directory /root, not /home/root. (This is special, so that in emergency situations, root can be logged in before /home is mounted.)

    -e expireDate
        If someone should only have access to the computer for a limited time, you can set their account to expire on a certain date. The date is specified in the new "ISO standard" format YYYY-MM-DD.

    -g primaryGroup
        Red Hat Enterprise Linux has a particular scheme for assigning a user's primary group, so you probably shouldn't use this option to change it. We'll talk more about that later. Instead, consider using the next option to assign groups.

    -G group1,group2,...
        This option sets the user's secondary groups. You can name up to 31 secondary groups, separated by commas. A user is a member of their primary group and of all of their secondary groups.

    -a
        This option adds or appends a user to a supplementary group. It is only valid when used with the -G option. Normally when using the -G option, all groups must be specified. When the -a option is included, only the new groups need to be listed. Previous supplementary group membership will not change.

    -s loginShell
        /bin/bash is an excellent login shell, and it is the default in Red Hat Enterprise Linux. But if a user wants a different shell, you can set it here.

    -u userid
        It's best to let useradd determine the next highest userid for human users, but you can override it if you need to. This option also lets you add system users with specific userids.

    usermod options

    The usermod command can be used to change the user's attributes later, after they were created.

    usermod takes all of the options described above, plus a few more:

    -l newUsername
        Change the username. It is difficult to change a user's username without creating some inconsistencies, so it's not recommended that you do this. But if you try it, look around for little things that need fixing.

    -u newUserid
        Change the integer userid. usermod will try to update the userids of the files and directories in the user's home directory, but the user may own other files on the system which do not get updated, so it's not recommended that you do this, either.

    -L
        This option locks the user out, so they cannot log in. It does this by inserting an extra ! in front of their encrypted password field, which prevents it from matching any password.

    -U
        This option reverses the effect of -L, allowing the user to log in again.

    Deleting Users with userdel

    Deleting users is done with the userdel command. Deleting users is a little tricky because users may own other resources on the computer, and you need to decide if you want to delete those or save them. This command will delete Alice's account:

    userdel alice

    If the -r option is specified, the user's home directory and everything under it is (recursively) deleted:

    userdel -r alice

    But there may still be other resources owned by alice that are left on the computer, and you will have to decide what to do with them.

    If you want to keep all of the user's files, be sure to leave out the -r option!

    Examples

    Adding Three Musicians with useradd

    Let's add three users to our system: Blondie, Prince, and Madonna. They all want to be in a secondary group music. Blondie requests a special comment in her password entry, Prince is a csh advocate (a dying breed!), and Madonna's contract expires in the middle of the year 2005.

    [root@system root]# useradd -c "heart of glass" -G music blondie
    [root@system root]# useradd -s /bin/csh -G music prince
    [root@system root]# useradd -e 2005-07-01 -G music madonna
    [root@system root]# tail -3 /etc/passwd
    blondie:x:505:508:heart of glass:/home/blondie:/bin/bash
    prince:x:506:509::/home/prince:/bin/csh
    madonna:x:507:510::/home/madonna:/bin/bash
    [root@system root]# ls -l /home
    total 23
    drwx------  2 blondie blondie 4096 May 22 04:34 blondie
    drwx------  2 madonna madonna 4096 May 22 04:35 madonna
    drwx------  2 prince  prince  4096 May 22 04:34 prince
    drwx------  2 student student 4096 May 22 04:18 student
    [root@system root]#

    You can see all of these details (except the expiration date of Madonna's account) in the tail of /etc/passwd. Their home directories were also made by the useradd command.

    usermod For Fickle Musicians

    Now Blondie decides to join the wrestling club, and Prince convinces her to try out csh as her login shell. (Notice we must still name music as a secondary group, or she will be removed from the music group when we put her in the wrestle group.) Prince (just to annoy us) wants his username changed to tafkap. Madonna discovers fengshui, joins the group fengshui, and asks if she can have the userid 888. We grudgingly humor her but this time make use of the append option when adding the additional group. Prince wants to change his name again, but we're tired of this, and we just lock his account so he can't bug us anymore.

    [root@system root]# usermod -s /bin/csh -G music,wrestle blondie
    [root@system root]# usermod -l tafkap prince
    [root@system root]# usermod -u 888 -a -G fengshui madonna
    [root@system root]# usermod -L tafkap
    [root@system root]# tail -3 /etc/passwd
    blondie:x:505:508:heart of glass:/home/blondie:/bin/csh
    madonna:x:888:510::/home/madonna:/bin/bash
    tafkap:x:506:509::/home/prince:/bin/csh
    [root@system root]# tail -3 /etc/shadow
    blondie:$2$/M6N3hLH$28C8WmV/HPuadtPwOvfhK/:12194:0:99999:7:::
    madonna:$2$7UhjcWoN$MNGDm1IqzTOtVPnf.Skrz0:12194:0:99999:7::12965:
    tafkap:!$2$v2gjY/jZ$FjJW4O9MByPRnd8okG8sP1:12194:0:99999:7:::
    [root@system root]# ls -l /home
    total 20
    drwx------  2 blondie blondie 4096 May 22 04:34 blondie
    drwx------  2 madonna madonna 4096 May 22 04:35 madonna
    drwx------  2 tafkap  prince  4096 May 22 04:34 prince
    drwx------  2 student student 4096 May 22 04:18 student
    [root@system root]# ls -ln /home
    total 20
    drwx------  2 505 508 4096 May 22 04:34 blondie
    drwx------  2 888 510 4096 May 22 04:35 madonna
    drwx------  2 506 509 4096 May 22 04:34 prince
    drwx------  2 504 504 4096 May 22 04:18 student
    [root@system root]#

    Notice that the prince line in /etc/passwd was deleted, and a new tafkap line appears at the bottom of the file, with the same userid and groupid formerly known as prince. Madonna's userid is in fact now 888, and her home directory (and its contents) were automatically chowned for us by the usermod command. Tafkap's home is still named /home/prince. Weird things like that are why changing usernames and groupnames is not recommended in general!

    Finally, notice the ! after the first : on tafkap's entry in /etc/shadow. Inserting that ! disables his account, the result of usermod -L (locking his account).

    userdel For Evicting Them

    Well, it soon becomes apparent that celebrities are more trouble than they are worth, and we evict them, deleting their userids and (recursively) their home directories.

    [root@system root]# userdel -r blondie
    [root@system root]# userdel -r tafkap
    [root@system root]# userdel madonna
    [root@system root]# ls -l /home
    total 12
    drwx------  2 888     510     4096 May 22 04:35 madonna
    drwx------  2 student student 4096 May 22 04:18 student
    [root@system root]#

    We forgot the -r option when deleting Madonna, and so it left her home directory.

    Exercise

    Lab Exercise

    Objective: Manage users with useradd, usermod, and userdel.

    Estimated Time: 30 mins.

    Specification

    In this exercise, you will be adding users to groups. If the group you need does not exist, you will have to make it using the groupadd command. It is very simple and takes only one argument, the name of the group to add.

    groupadd groupname

    Use the id command at appropriate points to confirm your configuration.

    1. Using useradd, you are to add three users, larry3, curly3, and moe3, and add them to the secondary group comedy.

    2. Create four more users, georgeh, paulm, ringos, and johnl, and add them to both secondary groups music and beatles.

    3. Create one more user, weird_al, and add him to both secondary groups comedy and music.

    Now you are to make some changes with usermod.

    1. You have trouble remembering how to spell Ringo's last name, so put his full name, Ringo Starr, in his comment field.

    2. John was caught protesting the war, so your manager says you must disable his login.

    3. Add Paul to the walrus group. He should remain a member of the groups beatles and music.

    4. Curly never figured out how to log on, so just delete his account and his home directory; he'll never notice.

    Deliverables

    1. The specified 8 (well, 7) users with the appropriate memberships.

    2. The user ringos has his name, Ringo Starr, in his comment field.

    3. The user johnl's account is "disabled".


    Questions

    1. Which usermod option should you use to add a user to a group?

    a. -c

    b. -D

    c. -e

    d. -G

    e. -u

    2. What information is usually provided to the -c option of useradd?

    a. personal comments about the user

    b. the user's full name

    c. line printer parameters

    d. commands for the login shell

    e. metacharacters

    3. How many secondary groups can a user be in?

    a. one primary and one secondary group

    b. one for each field in /etc/passwd

    c. exactly 1

    d. up to 31

    e. up to 499

    4. How many primary groups can a user be in?

    a. one primary and one secondary group

    b. one for each field in /etc/passwd

    c. exactly 1

    d. up to 31

    e. up to 499

    5. What is Red Hat Enterprise Linux's default login shell for human users?

    a. /etc/passwd

    b. /sbin/nologin

    c. /bin/bash


    d. /bin/csh

    e. /etc/shells

    6. When new users are added with useradd, suppose you want them to each get their own copy of the file named .blog.prefs. Where should you put the master copy?

    a. /etc

    b. /etc/profile

    c. /etc/profile.d

    d. /home/skel

    e. /etc/skel

    7. Which options to usermod do you use (1) to lock a user out, and (2) to allow them access again?

    a. (1) -L and (2) -U

    b. (1) -L and (2) -A

    c. (1) -l and (2) -a

    d. (1) -u and (2) -l

    e. (1) -G and (2) -g

    8. What's the problem with changing a user's userid with usermod?

    a. /etc/passwd may not be updated

    b. /etc/group can become inconsistent

    c. the user may own some files whose userid is not fixed

    d. if userids are wasted, they may run out

    e. other users will have to be informed

    9. What's wrong with this /etc/passwd line? bob:x:543:music:bob:/home/bob:/bin/bash

    a. music is not an integer

    b. bob is not an integer

    c. x is not an integer

    d. /home/bob does not exist

    e. 543 is not an integer

    10. What's the best reason for using -u with useradd?

    a. making a specific username

    b. overriding the default shell


    c. modifying an existing user

    d. unmounting the home directory

    e. making a system user with a specific userid

    11. What's really wrong with this command? usermod -g wheel -G math,science -c Beverly Wong bev90210

    a. there should be a space between math and science

    b. wheel is a nonstandard group

    c. the comment should precede the group

    d. Beverly Wong should be in quotation marks

    e. Red Hat Enterprise Linux discourages postal codes in usernames


    Chapter 3. Managing Passwords

    Key Concepts

    Passwords are administered with the passwd command.

    The /etc/shadow file maintains password aging information in addition to the user's password.

    Password aging policies can be maintained with the chage command.

    Discussion

    In the previous chapter we made a number of accounts, but never set passwords on them. Oops -- how could they log in? In this chapter we'll talk about passwords.

    Setting passwords

    The passwd command sets or changes passwords. It can be run either by root or by a user who wants to change their own password.

    If it's being run by a user changing their own password, it takes no arguments.

    If it's being run by root, it takes one argument, the name of the account whose password is being set. Don't forget this argument, or root will change root's own password instead!

    Here is root creating a password for Alice's new account. Root is setting her password to "tofu!43*".

    [root@system root]# passwd alice
    Changing password for user alice.
    New password: tofu!43*
    Retype new password: tofu!438
    Sorry, passwords do not match
    New password: tofu!43*
    Retype new password: tofu!43*
    passwd: all authentication tokens updated successfully.
    [root@system root]#

    Ordinarily the passwords would not show on the screen, but we've shown them for you in this chapter. Note that root typed "8" rather than "*" the second time the password was typed, and because of this mistake, had to type it in again.

    Root told Alice this password was set for her, but Alice didn't like this password (she hates anything with tofu in it) so she decided to change it to "Mary". But that was not a very good password, and the system would not let her set it, so she used "stake-ribs-ketchdown" instead.

    [alice@system alice]$ passwd
    Changing password for alice
    (current) UNIX password: tofu!43*
    New password: Mary
    BAD PASSWORD: it is too short
    New password: stake-ribs-ketchdown
    Retype new password: stake-ribs-ketchdown
    passwd: all authentication tokens updated successfully.
    [alice@system alice]$

    (Actually, that's a really good password -- especially the pun changing ketchup to ketchdown, which probably doesn't appear in word lists in any language -- yet it is not too hard to remember.)


    Where Passwords Go -- Old School

    Originally UNIX passwords were stored in the /etc/passwd file, but not in an easily recognizable way. You don't need to understand all of this, but here's how they were saved:

    1. First, if the password is longer than 8 characters, everything after the eighth character is forgotten.

    2. A random 12-bit number is chosen, called the "salt".

    3. Then the eight-character password (and the 12-bit salt) is sent through a one-way function named "crypt". The output of crypt is 13 characters (two of which represent the salt).

    4. The 13-character output, called the "encrypted password", is saved in the second field of /etc/passwd.

    When the user logs in later, they type in their password. UNIX doesn't actually know the user's correct password -- it's never saved -- but it does know the encrypted password. So it looks up the saved encrypted password, and then encrypts the password the user has provided (with the same salt), and it checks to see that the saved encrypted password matches the newly encrypted one.

    If the user types in the correct password, its encrypted version will match the saved encrypted password, and UNIX will let them log in.

    Where Passwords Go -- Today

    Most of those ideas are still used today. Linux still does not save passwords without encrypting them. But there are some important new options today:

    MD5 option: MD5 is a better one-way function than crypt. It is cryptographically a much better hash function, and its output is 128 bits rather than 64 bits. Also its input can be very long; no longer is the password truncated to only eight characters.

    Hashing Algorithm option: While MD5 is a better one-way function than crypt, even newer algorithms exist. Beginning in Red Hat Enterprise Linux 6, sha-256 and sha-512 are also available choices for how passwords are stored.

    Shadow Password option: With this option, the passwords are no longer stored in /etc/passwd -- they are now stored in /etc/shadow. This is better because /etc/passwd is readable by all users on the system, but /etc/shadow has its permissions set so that only the superuser can read it.

    Other Authentication options: Many network-based authentication systems are supported by Red Hat Enterprise Linux. These will allow many users to share many different computers, with the same user accounts on all of the machines.

    You can choose which encryption algorithm to use when you install Red Hat Enterprise Linux or after installation using the system-config-authentication utility which will be discussed later in this workbook. It is strongly recommended that you do use the MD5 or SHA Password options. If you share passwords with other UNIX systems, you may need to use the MD5 instead of the new default SHA encryption algorithms. Red Hat Enterprise Linux gives you the option of using the older crypt scheme, but it defaults to the new way, and there's little reason not to use it, unless you have to share passwords with very old UNIX systems.

    The Shadow File

    You've already looked at /etc/passwd and you remember that the second field, the password field, contains only an "x" if the password is actually being stored in /etc/shadow. Here's a sample line from /etc/passwd:

    alice:x:510:920::/home/alice:/bin/bash

    Now we'll look at the corresponding line in /etc/shadow, which begins with the same username in the first column:

    alice:$2$HjurSvoW$uLtD6XOQ7/YS6bc3cZawE1:12198:0:99999:7:::

    On a new Red Hat Enterprise Linux 6 system, the encrypted password string is even longer. Look at the following entry for elvis:

    elvis:$6$4yFyTln.rAWbAnB4$Tolut.3Dc6UOAHuDs/5Txrm4ZS3Y518Bh5STaqQVb4B8WP1uN2BTtN7zao1che3.B7ruQ7On9IjclZKLnaYMu.:15160:0:99999:7:::

    The fields in /etc/shadow are also delineated by colons.

    The encrypted password can be broken into three parts.

    6
        The hashing algorithm. A 6 indicates SHA-512. SHA-256 would appear as a 5 and MD5 would appear as a 1. A 2 indicates a Blowfish algorithm.

    4yFyTln.rAWbAnB4
        The salt used to encrypt the hash.

    Tolut.3Dc6UOAHuDs/5Txrm4ZS3Y518Bh5STaqQVb4B8WP1uN2BTtN7zao1che3.B7ruQ7On9IjclZKLnaYMu.
        The encrypted hash. An MD5 hash is 22 characters, a SHA-256 is 43 characters, and a SHA-512 hash is 86 characters.

    You don't need to know what all of the fields in the shadow file mean, except that the first field is the username, and the second is the encrypted password. The rest are aging and expiration information that we'll talk about next.

    Password Aging

    It's not a good idea to use the same password forever, but some people would if you didn't force them to change it occasionally. So there is a mechanism called Password Aging which requires users to change their passwords regularly. Password aging is optional, and is not used by default. But if it is used, the superuser can set a Minimum and a Maximum number of days for passwords to be changed. After a password is changed, the Minimum number of days must pass before the user is allowed to change the password again. Users are required to change their password before the Maximum number of days passes.

    The most recent day on which the password was changed is called the Last Day, and the day after the maximum period is called the Maximum Day (or the Password Expiration Day).

    Two other days are computed as offsets from the Maximum day: the Warning Day and the Inactive Day. The superuser must set how many days before the Maximum day that the user will begin receiving warnings that the password will soon expire and therefore needs to be changed. The Inactive Day is a certain number of days (a grace period) after the Maximum day. If the user still hasn't changed the password by the Inactive Day, they will be locked out, and will have to talk to the superuser about reactivating it.

  • Managing Passwords

    rha130-6.1-1 27 Copyright 2011, Red Hat Inc.

    The chage command

    The chage command lets you examine and control the details of password aging. It'll be easiest to understand with an example, so let's look at the status of the user alice. The -l option lists the password aging details:

    [root@system root]# chage -l alice
    Minimum: 3
    Maximum: 180
    Warning: 45
    Inactive: 7
    Last Change: May 01, 2003
    Password Expires: Oct 28, 2003
    Password Inactive: Nov 04, 2003
    Account Expires: Dec 31, 2015
    [root@system root]#

    Here's what the fields mean:

    Last Change: May 1, 2003    The date her password was last changed. It is important for Linux to remember the date the password was last changed, because the following dates are all calculated from it. This date can be artificially set by the superuser.

    Minimum: 3    Three days must pass before Alice can change her password again. So she will be able to change it beginning on May 4. If the Minimum is set to zero, then there is no waiting period -- she can change it anytime.

    Maximum: 180    This is the maximum number of days that must pass before she is supposed to change her password again. So Alice should change her password before October 28. Although this is the official maximum number of days, Linux does not actually do anything at the end of this period. Instead the end of this period is used for calculating two other days, the Warning Day and the Inactive Day.

    Warning: 45    This many days before the Maximum Day, Alice starts receiving a warning, whenever she logs in, that she needs to change her password soon.

    Inactive: 7    Alice has a seven-day grace period. This many days after the Maximum Day, if she still hasn't changed her password, her account becomes inactive, and she cannot log in. At this point, she'll have to get the superuser to change the password for her.

    Account Expiration

    The Account Expire feature is totally separate from, and should not be confused with, Password Aging. Unfortunately it has been grafted onto the chage command, which prints both a "Password Expires" and an "Account Expires" date, so it is easy to get confused.


    Account Expiration is for the case when a user should be using the system only for a specific period of time: the user is a conference guest for a week, a student for a three-month term, a contractor on a six-month contract, or a senator for six years.

    The superuser can set the account expiration date for a user, and there's nothing the user can do to avoid it. It has nothing to do with changing passwords. After the Account Expiration date, the user will no longer be able to log into the system.

    In Alice's example above, her account will expire on December 31, 2015. Maybe that's the date she plans to graduate!

    Setting Password Aging Parameters

    The chage command is also used to change all of these parameters. It takes the following options, and then the name of the user being changed.

    option            meaning
    -d YYYY-MM-DD     artificially set the "Last Day", when Linux believes the password was last changed.
    -m mindays        the minimum number of days since the Last Day before the password can be changed again.
    -M maxdays        the maximum number of days since the Last Day during which the password should be changed again. The end of this period is called the Maximum Day or the Password Expiration Day.
    -W warndays       the number of days before the Maximum Day when the user starts receiving warnings to change their password.
    -I inactivedays   the number of days after the Maximum Day when the user can no longer log in if the password has not been changed.
    -E YYYY-MM-DD     set the date on which the account (not the password) expires

    You may use one or more of these options at a time with the chage command. As a larger example, here's the command that will set all of Alice's features given in the example above:

    chage -d 2003-05-01 -m 3 -M 180 -W 45 -I 7 -E 2015-12-31 alice

    If you have not been using password aging and you decide to begin using it, remember that some passwords probably have not been changed in a long time, and you will have to choose a reasonable "Last Day" (probably the current day) for existing accounts with the -d option.

    Examples

    Using chage

    First notice the date in the following example is May 22, 2003. Various dates will be calculated from that.

    We add three users: Einstein, Maxwell, and Nero. Einstein gets the default aging parameters, which is to have no password expiration. Maxwell gets a password expiration period of 90 days, with warnings 14 days before expiration, a grace period of five days, and a minimum of seven days before changing his password again. Nero, being an emperor, needs some limitations, but weak ones: he has a year until his password expires, and a year of grace period, and no minimum.

    [root@system root]# date
    Thu May 22 05:33:13 GMT 2003


    [root@system root]# useradd einstein
    [root@system root]# useradd maxwell
    [root@system root]# useradd nero
    [root@system root]# chage -m 7 -M 90 -W 14 -I 5 maxwell
    [root@system root]# chage -m 0 -M 365 -W 60 -I 365 nero
    [root@system root]# chage -l einstein
    Minimum: 0
    Maximum: 99999
    Warning: 7
    Inactive: -1
    Last Change: May 22, 2003
    Password Expires: Never
    Password Inactive: Never
    Account Expires: Never
    [root@system root]# chage -l maxwell
    Minimum: 7
    Maximum: 90
    Warning: 14
    Inactive: 5
    Last Change: May 22, 2003
    Password Expires: Aug 20, 2003
    Password Inactive: Aug 25, 2003
    Account Expires: Never
    [root@system root]# chage -l nero
    Minimum: 0
    Maximum: 365
    Warning: 60
    Inactive: 365
    Last Change: May 22, 2003
    Password Expires: May 21, 2004
    Password Inactive: May 21, 2005
    Account Expires: Never
    [root@system root]#

    Notice in Einstein's listing that his Maximum is 99999. Apparently 99999 equals infinity, to the chage command.

    Changing Passwords

    None of them have passwords yet, so they can't yet log in. For demonstration, we'll set Einstein's password, and then change it, so you can see the encrypted password found in /etc/shadow change. Maxwell's and Nero's password field still says !! meaning a password needs to be set, so they can't log in yet.

    [root@system root]# passwd einstein
    Changing password for user einstein.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@system root]# tail -3 /etc/shadow
    einstein:$2$.r71/IMJ$p7duYZmUD4Zr7vNKdEqAz/:12194:0:99999:7:::
    maxwell:!!:12194:7:90:14:5::
    nero:!!:12194:0:365:60:365::
    [root@system root]# passwd einstein
    Changing password for user einstein.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@system root]# tail -3 /etc/shadow
    einstein:$2$pL2GHaEm$Y9cAaaGCWWpJ4vMUdWHdp.:12194:0:99999:7:::
    maxwell:!!:12194:7:90:14:5::
    nero:!!:12194:0:365:60:365::
    [root@system root]#

    Einstein's first encrypted password ended in "Az/", and his second one ended in "dp.". Encrypted passwords are encoded using "/" and "." as well as letters and numbers.


    More chage

    Finally we put some aging requirements on Einstein's password and set an expiration date for Maxwell.

    [root@system root]# chage -M 180 -W 30 -I 30 einstein
    [root@system root]# chage -E 2003-12-31 maxwell
    [root@system root]# chage -l einstein
    Minimum: 0
    Maximum: 180
    Warning: 30
    Inactive: 30
    Last Change: May 22, 2003
    Password Expires: Nov 18, 2003
    Password Inactive: Dec 18, 2003
    Account Expires: Never
    [root@system root]# chage -l maxwell
    Minimum: 7
    Maximum: 90
    Warning: 14
    Inactive: 5
    Last Change: May 22, 2003
    Password Expires: Aug 20, 2003
    Password Inactive: Aug 25, 2003
    Account Expires: Dec 31, 2003
    [root@system root]#

    You can actually count 180 days from Einstein's Last Change date, May 22, until the Expiration Day, November 18, and another 30 days until Inactivation, December 18.
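The day arithmetic above, together with the $id$salt$hash layout of the password field from the start of this section, as an added Python example that is not the workbook's own code: it parses the three constructed shadow lines from the listings above and reproduces the Password Expires and Password Inactive dates that chage -l printed. How empty fields are read and which boundary day counts as "expired" are assumptions stated in the comments.

```python
"""Added example, not the workbook's own code: derive what chage -l prints from the
raw fields of an /etc/shadow line, and classify the password field as the text does.
Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
(lastchg and expire are days since 1970-01-01; an empty field means not set)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NEVER_MAX = 99999  # chage shows this maximum as "Password Expires: Never"
HASH_IDS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# Constructed sample: the three lines from the workbook's tail -3 /etc/shadow.
SAMPLE_SHADOW = """\
einstein:$2$pL2GHaEm$Y9cAaaGCWWpJ4vMUdWHdp.:12194:0:99999:7:::
maxwell:!!:12194:7:90:14:5::
nero:!!:12194:0:365:60:365::
"""

def describe_password_field(field):
    """Name the algorithm from the $id$salt$hash prefix, or why it cannot be used."""
    if field == "":
        return "empty: no password needed to log in"   # flag this in an audit
    if field.startswith("!") or field == "*":
        return "locked or no password set yet"
    parts = field.split("$")                           # ['', id, salt, hash]
    if len(parts) == 4 and parts[1] in HASH_IDS:
        return "%s, salt %s, %d-char hash" % (HASH_IDS[parts[1]], parts[2], len(parts[3]))
    return "legacy DES crypt or unknown format"

def _num(s):   # empty numeric field -> -1, the value chage -l prints for "not set"
    return int(s) if s != "" else -1

def _day(s):   # days-since-epoch field -> date, or None when empty
    return EPOCH + timedelta(days=int(s)) if s != "" else None

def parse_shadow(text):
    """Return {username: entry} for every non-blank line of shadow-format text."""
    entries = {}
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) < 8:
            raise ValueError("malformed shadow line: %r" % line)
        entries[f[0]] = {"hash": f[1], "last_change": _day(f[2]),
                         "min": _num(f[3]), "max": _num(f[4]), "warn": _num(f[5]),
                         "inactive": _num(f[6]), "account_expires": _day(f[7])}
    return entries

def aging_dates(entry):
    """(Password Expires, Password Inactive) as chage -l shows them; None means Never."""
    last, maxdays = entry["last_change"], entry["max"]
    if last is None or maxdays < 0 or maxdays >= NEVER_MAX:
        return None, None
    expires = last + timedelta(days=maxdays)
    inactive = entry["inactive"]
    return expires, (expires + timedelta(days=inactive) if inactive >= 0 else None)

def password_state(entry, today):
    """Where the account stands on a given day, in the workbook's terms (boundary
    days follow the text's wording; a login program may differ by one day)."""
    if entry["account_expires"] is not None and today >= entry["account_expires"]:
        return "account expired"
    expires, inactive = aging_dates(entry)
    if expires is None:
        return "ok"
    if inactive is not None and today >= inactive:
        return "inactive"
    if today >= expires:
        return "expired, in grace period"
    if entry["warn"] > 0 and today >= expires - timedelta(days=entry["warn"]):
        return "warning"
    return "ok"
```

Running password_state over a real /etc/shadow (readable only by root) with today's date gives a quick inventory of accounts that are in their warning window, in grace, or already inactive.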

    Exercise

    Setup

    In the last chapter, you made four Beatles accounts, georgeh, paulm, ringos, and johnl. If they are no longer on your system, make them again quickly with useradd. Don't worry about their groups or any other details from the previous chapter.

    Specification

    Your CFO read a magazine article about homeland security during an airplane flight, and now he informs you, the system administrator, that the Beatles will have to start changing their passwords every month.

    1. Give them a minimum of two days between password changes, a maximum of 30 days before password expiration, seven days of warning, and five days of grace period before inactivation.

    2. He also reminds you that their contract expires in four years, so their accounts should expire exactly four years from today.

    3. Since they probably haven't changed their password in a long time, artificially set the Last Change Date to today.

    Deliverables

    1. Four accounts with aging and expiration configured as described.


    Questions

    On January 1, 2011, the superuser executes this command: chage -d 2011-01-01 -m 3 -M 90 -W 7 -I 5 martha. The first four questions are about martha.

    1. When does martha's password expire?

    a. every year

    b. around March 24, 2011

    c. around April 1, 2011

    d. around April 8, 2011

    e. around her birthday

    2. How often can martha change her password?

    a. every day

    b. every three days

    c. every seven days

    d. every 90 days

    e. on her birthday

    3. How long is martha's grace period, between when her password expires, and when it is inactive?

    a. 0 days: she has no grace period

    b. three days

    c. five days

    d. 12 days

    e. 90 days

    4. How long does martha have from when she receives Warnings until the password is actually Inactive?

    a. zero days

    b. three days

    c. five days

    d. 12 days

    e. 90 days

    5. Which users are allowed to change another user's password by naming the other user as an argument to the passwd command?

    a. only users in a common group


    b. only users added with useradd

    c. only system users

    d. only the superuser

    e. only really good friends

    6. Why would you use the Shadow Password option?

    a. to separate policy for mechanism

    b. to isolate password changes

    c. it's easier for users to understand

    d. /etc/shadow can only be read by root

    e. so the passwd command will work

    7. How are lines in /etc/passwd and /etc/shadow related?

    a. lines about the same user begin with the same username in the first field

    b. by system maintenance commands at night

    c. by matching group ids

    d. by the number of colons

    e. by items in the comment field

    8. When does Account Expiration (not password expiration) occur?

    a. on the date specified with chage -E

    b. after a grace period after the password expires

    c. after a grace period after the Warning Day

    d. on the Last Day specified with chage -d

    e. on the day following the Minimum Day


    Chapter 4. Adding, Modifying, and Deleting Groups

    Key Concepts

    Every user has a primary group, as defined in the /etc/passwd file.

    Every user may have zero or more secondary groups, as defined in the /etc/group file.

    Red Hat Enterprise Linux uses the User Private Group scheme, where a user is the only member of their primary group.

    Group memberships can be examined with the id or groups commands.

    Groups are managed with the groupadd, groupmod, and groupdel commands.

    User membership in groups is managed with the useradd, usermod, and gpasswd commands.

    Discussion

    Just like usernames and userids, Linux groups are identified by both an alphanumeric groupname and an integer groupid.

    Similar to how the file /etc/passwd is used to convert between usernames and userids, the file /etc/group is used to convert between groupnames and groupids. It also records secondary group memberships.

    Creating Groups

    The command to create groups is groupadd. It takes exactly one argument, the name of the group to be added:

    groupadd groupname

    Deleting Groups

    The command to delete groups is groupdel. It also takes exactly one argument, the name of the group to be deleted:

    groupdel groupname

    Modifying Groups

    There are only two things you can do with the groupmod command: change the name of the group or change the groupid. If you change the groupid of a group, any files or directories that were in the group will still have the old groupid. Changing groupnames is cleaner, but can still present problems, for example with backups and archives. So the use of this command is not really recommended, if you can avoid it.

    To change the groupname of a group, use the -n option:

    groupmod -n newname oldname

    To change the groupid of a group, use the -g option:

    groupmod -g newgid groupname

    Adding Users to Groups or Removing Them

    Traditionally there was no option that just adds a user to a group, or removes a user from a group. Instead we have to use the usermod command with the -G option. Remember that this option takes a list of one or more groupnames, separated by commas (with no extra spaces), that you want the person to be in.

    To add a user to groups, use usermod -G with the list of their current groups and the groups you want to add them to. (If you omit their current groups, they'll be removed from them.)

    This process of always listing all groups is tedious. usermod now includes a -a option, used together with -G, to "add" or "append" a group to a user's existing groups. It can only assist in adding groups, not deleting groups.

    To remove a user from groups, use usermod -G with the list of their current groups, but omitting the groups you want to remove them from.

    A final command-line alternative for adding and removing users from groups is gpasswd. This command can be used to add or remove users from an individual group. It can also be used to assign a group administrator, which is just an ordinary user who can use this command to add and remove members from a particular group.

    To add a user to a group use the -a option:

    gpasswd -a username groupname

    To remove (delete) a user from a group use the -d option:

    gpasswd -d username groupname

    To set an administrator for a group use the -A option:

    gpasswd -A username groupname

    The /etc/group File

    Take a look at your /etc/group file.

    [student@system student]$ tail /etc/group
    student:x:504:
    wrestle:x:505:ventura,hogan,nero
    governor:x:506:ventura,pataki,nero
    emperors:x:507:julius,nero
    ventura:x:508:
    hogan:x:509:
    pataki:x:510:
    julius:x:511:
    nero:x:512:
    alice:x:920:
    [student@system student]$

    Notice each line has four fields:

    1. Groupname

    2. Not used (actually for a Group Password)

    3. Groupid

    4. Secondary members


    We are ignoring the Group Password feature, which is obsolete today since Linux has secondary groups. (In the old days, a UNIX process could only be in one group at a time. There were no secondary groups. The group password let you change groups. Today you're in many secondary groups simultaneously, and so you don't need to change groups.)

    Primary and Secondary Groups

    When you log in, the groupid in the fourth field of your entry in /etc/passwd becomes your primary group. Any entry in /etc/group that lists your name as a secondary group member becomes one of your secondary groups. In Red Hat Enterprise Linux, you can have up to 31 secondary groups. (Actually you can have 32 secondary groups, but your primary group is also entered as a secondary group, taking up one slot.)

    Examples

    Adding Groups

    We will make three new groups with groupadd. Then we will make five new users, adding them to various groups. The Emperor Nero wants to be in a bunch of random groups, and we'll give him his way.

    [root@system root]# groupadd wrestle
    [root@system root]# groupadd governor
    [root@system root]# groupadd emperors
    [root@system root]# useradd -G wrestle,governor ventura
    [root@system root]# useradd -G wrestle hogan
    [root@system root]# useradd -G governor pataki
    [root@system root]# useradd -G emperors julius
    [root@system root]# useradd -G wrestle,governor,emperors,wheel,root nero
    [root@system root]#

    Sharing One File with a Group

    The wrestlers can't remember who is in their group, and they don't know how to look in the /etc/group file to see. So root creates them a file /home/buddy.list and puts the file in group wrestle. The file allows read and write access to group wrestle but not to others.

    [root@system root]# echo "ventura, hogan, nero" > /home/buddy.list
    [root@system root]# chgrp wrestle /home/buddy.list
    [root@system root]# chmod 660 /home/buddy.list
    [root@system root]# tail -8 /etc/group
    wrestle:x:505:ventura,hogan,nero
    governor:x:506:ventura,pataki,nero
    emperors:x:507:julius,nero
    ventura:x:508:
    hogan:x:509:
    pataki:x:510:
    julius:x:511:
    nero:x:512:
    [root@system root]# tail -5 /etc/passwd
    ventura:x:505:508::/home/ventura:/bin/bash
    hogan:x:506:509::/home/hogan:/bin/bash
    pataki:x:507:510::/home/pataki:/bin/bash
    julius:x:508:511::/home/julius:/bin/bash
    nero:x:509:512::/home/nero:/bin/bash
    [root@system root]# ls -l /home
    total 32
    -rw-rw---- 1 root wrestle 21 May 23 06:01 buddy.list
    drwx------ 2 hogan hogan 4096 May 23 05:59 hogan
    drwx------ 2 julius julius 4096 May 23 05:59 julius
    drwx------ 2 nero nero 4096 May 23 06:00 nero
    drwx------ 2 pataki pataki 4096 May 23 05:59 pataki
    drwx------ 2 student student 4096 May 22 04:18 student
    drwx------ 2 ventura ventura 4096 May 23 05:59 ventura
    [root@system root]#

    We examined /etc/passwd, /etc/group, and /home to check our work.

    Notice the tail end of /etc/group not only has the three groups we explicitly added, but it has private groups for each user, too.

    Two of Nero's secondary groups (wheel and root) were system groups, and their entries are up higher in the /etc/group file, so they didn't show up in the tail.

    The buddy.list file shows up in /home with the correct group wrestle and mode -rw-rw----, so any wrestlers can read or write it.

    Now three different users try to read the buddy.list file. Only the two who are in the wrestle group, Ventura and Nero, succeed.

    [ventura@system ventura]$ id
    uid=505(ventura) gid=508(ventura) groups=508(ventura),505(wrestle),506(governor)
    [ventura@system ventura]$ groups
    ventura wrestle governor
    [ventura@system ventura]$ cat /home/buddy.list
    ventura, hogan, nero
    [ventura@system ventura]$

    [nero@system nero]$ id
    uid=509(nero) gid=512(nero) groups=512(nero),0(root),10(wheel),505(wrestle),506(governor),507(emperors)
    [nero@system nero]$ groups
    nero root wheel wrestle governor emperors
    [nero@system nero]$ cat /home/buddy.list
    ventura, hogan, nero
    [nero@system nero]$

    [pataki@system pataki]$ id
    uid=507(pataki) gid=510(pataki) groups=510(pataki),506(governor)
    [pataki@system pataki]$ groups
    pataki governor
    [pataki@system pataki]$ cat /home/buddy.list
    cat: /home/buddy.list: Permission denied
    [pataki@system pataki]$

    Pataki, who is only a governor, cannot read it.

    Modifying Groups

    Nero's spin doctors insist that the emperors group be renamed defenders. When the wrestlers' headquarters move to Raleigh, North Carolina, they want their groupid changed to telephone area code 919. We explain patiently that there is no reason to do that, but they're wrestlers, and a lot bigger than we are.

    [root@system root]# groupmod -n defenders emperors
    [root@system root]# groupmod -g 919 wrestle
    [root@system root]# tail -8 /etc/group
    wrestle:x:919:ventura,hogan,nero
    governor:x:506:ventura,pataki,nero
    ventura:x:508:
    hogan:x:509:
    pataki:x:510:
    julius:x:511:
    nero:x:512:
    defenders:x:507:julius,nero
    [root@system root]# ls -l /home
    total 32
    -rw-rw---- 1 root 505 21 May 23 06:01 buddy.list
    drwx------ 2 hogan hogan 4096 May 23 05:59 hogan
    drwx------ 2 julius julius 4096 May 23 05:59 julius
    drwx------ 2 nero nero 4096 May 23 06:07 nero
    drwx------ 2 pataki pataki 4096 May 23 06:07 pataki
    drwx------ 2 student student 4096 May 22 04:18 student
    drwx------ 2 ventura ventura 4096 May 23 06:06 ventura
    [root@system root]# chgrp wrestle /home/buddy.list
    [root@system root]# ls -l /home
    total 32
    -rw-rw---- 1 root wrestle 21 May 23 06:01 buddy.list
    drwx------ 2 hogan hogan 4096 May 23 05:59 hogan
    drwx------ 2 julius julius 4096 May 23 05:59 julius
    drwx------ 2 nero nero 4096 May 23 06:07 nero
    drwx------ 2 pataki pataki 4096 May 23 06:07 pataki
    drwx------ 2 student student 4096 May 22 04:18 student
    drwx------ 2 ventura ventura 4096 May 23 06:06 ventura
    [root@system root]#

    Changing the wrestle groupid did not change the groupid of the buddy.list file, which still has the old groupid 505, for which no groupname now exists. So we fixed it with chgrp.
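The buddy.list permission check and the stale-groupid problem after groupmod -g, as an added Python example that is not part of the workbook: it rebuilds the memberships that id printed from constructed /etc/passwd and /etc/group lines (root and wheel lines are added so Nero's list matches his id output) and applies the file's permission bits before and after the groupid change. The helper names are hypothetical.

```python
"""Added example, not the workbook's own code: rebuild the group view that id
shows from constructed passwd/group lines, then apply a file's owner/group/other
read bits to see who can read buddy.list before and after groupmod -g."""

# Constructed sample lines; root and wheel appear so nero matches his id output.
PASSWD = """\
ventura:x:505:508::/home/ventura:/bin/bash
hogan:x:506:509::/home/hogan:/bin/bash
pataki:x:507:510::/home/pataki:/bin/bash
julius:x:508:511::/home/julius:/bin/bash
nero:x:509:512::/home/nero:/bin/bash
"""
GROUP = """\
root:x:0:nero
wheel:x:10:nero
wrestle:x:505:ventura,hogan,nero
governor:x:506:ventura,pataki,nero
emperors:x:507:julius,nero
ventura:x:508:
hogan:x:509:
pataki:x:510:
julius:x:511:
nero:x:512:
"""

def parse_passwd(text):
    """{username: (uid, primary gid)} from passwd-format lines."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, uid, gid = line.split(":")[:4]
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """{groupname: (gid, [secondary members])} from group-format lines."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def group_ids(user, users, groups):
    """Every gid the user's processes carry, in id's order: primary gid first."""
    gids = [users[user][1]]
    for gid, members in groups.values():
        if user in members and gid not in gids:
            gids.append(gid)
    return gids

def gid_to_name(gid, groups):
    """What ls -l prints for a gid: the name, or None when no group has it."""
    for name, (g, _members) in groups.items():
        if g == gid:
            return name
    return None

def can_read(user, owner_uid, file_gid, mode, users, groups):
    """Apply the read bits of an octal mode as the kernel does; root is exempt."""
    uid = users[user][0]
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & 0o400)
    if file_gid in group_ids(user, users, groups):
        return bool(mode & 0o040)
    return bool(mode & 0o004)

def after_groupmod_g(groups, name, new_gid):
    """Group table after groupmod -g; files keep their old numeric gid."""
    changed = dict(groups)
    changed[name] = (new_gid, groups[name][1])
    return changed
```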

    Exercises

    Log in as root and do the following.

    1. Use the useradd and groupadd commands to create the following users, and subscribe them to the specified secondary groups (which you must create as well). Assign each user a password so that they can log in.

    User     Secondary Groups
    xander   mortal, greek
    yves     mortal, greek
    zeus     olympian, greek