The Saigon CTT
Chapter 10
Managing Users
Objectives
Define the requirements for user accounts
Explain group and group accounts
Construct configuration files (group, passwd,
shadow)
Demonstrate adding users
Describe modifying user details
Explain user passwords
Demonstrate deleting users
New User Requirements
When adding a new user, you need to be familiar with these files under the /etc directory: passwd, shadow, group, gshadow
/etc/passwd contains information about all users: login name, user ID, group ID, descriptive name, home directory, login shell
/etc/shadow stores the parameters that control account access: the user's password hash and password aging information
/etc/group contains information about users' groups
/etc/gshadow stores group password hashes, ... (rarely used)
Preparing Groups
Carefully constructed groups are very useful to users who are all working in the same department or project
Groups not only allow for a second level of access control but also allow the members of a group to share files in a secured environment
Each line in the /etc/group file corresponds to a group
Commands to modify groups: groupadd, groupmod, groupdel
The /etc/passwd File
Each line in this file corresponds to a user and has the following form:
name:password:UID:GID:comment:home directory:shell
# more /etc/passwd
root:x:0:0:Super User:/root:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
...
Allocating User IDs
All Linux systems come with several administrator users pre-configured, intended to perform certain administrative work. They are typically assigned UIDs less than 100: root, bin, daemon, sys, adm, lp, ...
Systems with administration tools allocate UIDs automatically, generally greater than 100
Adding Users
The useradd utility is recommended for administering users. It creates the required records in /etc/passwd and /etc/shadow
A list of options can be used with useradd to override the defaults:
-u UID        Specify the new user ID (default: next available number)
-g GID        Specify the default (primary) group (default: other group)
-c comment    Description of the user (default: blank)
-d directory  Define the home directory (default: /home/username)
-m            Make the home directory
-k skel_dir   Skeleton directory (default: /etc/skel)
-s shell      Specify the login shell (default: /bin/bash)
Changing User Attributes
If you edit the files manually, you risk corrupting a file, resulting in users not being able to log in at all. Instead, use the usermod utility:
# usermod -g users -c "Henry Blake" henry
# usermod -u 321 -s /bin/ksh majorh
# usermod -f 10 henry
# usermod -e 2004-12-20 majorh
Changing Group Membership
Each user belongs to a primary group, which can be changed with usermod -g
A user can also belong to secondary groups, controlled by usermod -G
# grep blofeldt /etc/passwd
blofeldt:x:416:400::/home/blofeldt:/bin/bash
# groups blofeldt
blofeldt : mash
# groupadd -g 600 fleming
# usermod -G fleming blofeldt
# grep blofeldt /etc/group
fleming:x:600:blofeldt
Removing Users
When a user leaves, there are two main concerns:
Protect the system from unauthorized access via his/her account
Protect and manage the files and directories he/she left on the system
The userdel command takes care of removing a user account. userdel can remove the user's home directory but does not remove the user's mail, crontab table, atd queues, ...
Removing Users - userdel
Command format:
userdel [option] <login_name>
-r    This option will remove the home directory
To safely remove a user from a system:
1. Lock the account password until you are ready to remove it altogether (use the chage command)
# chage -E 1999-01-01 henry
2. Save all files owned by the user somewhere outside the home directory
# find / -user henry -print | cpio -ov | gzip > /hold/henry
# find / -user henry -type f -exec rm -f {} \;
# find / -user henry -type d -depth -exec rmdir {} \;
To safely remove a user from a system (continued):
3. Change access permissions on the saved files to root only
# chown root /hold/henry ; chmod 700 /hold/henry
4. Consider crontab and at jobs set up by the user
5. Set up mail forwarding to send mail to a manager
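The five removal steps above as one script, added here as an example rather than code from the slides. It assumes root privileges and GNU/Linux tools (chage, find, cpio, gzip, crontab, at) plus a sendmail-style /etc/aliases with newaliases for step 5; the /hold path is the slides' own, while the run wrapper, the DRY_RUN variable and the manager argument are this example's, and it creates the root-only holding directory before writing the archive rather than after.

```shell
#!/bin/sh
# Added off-boarding example (not from the slides). Set DRY_RUN=1 to print
# the commands instead of executing them; a real run needs root.

run() {
    # Execute the command, or just print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

offboard_user() {
    user=$1
    hold=${2:-/hold}/$user        # /hold is the holding area used on the slides
    manager=${3:-root}            # constructed default: forward mail to root
    # 1. Lock the account first, so nothing can log in while the files move
    run chage -E 1999-01-01 "$user"
    # 3 (done before 2): make the holding directory root-only before the
    #    archive is written, so it is never briefly readable by others
    run mkdir -p "$hold"
    run chown root "$hold"
    run chmod 700 "$hold"
    # 2. Archive everything the user owns, then delete it. -xdev keeps find
    #    on local filesystems (no /proc, no NFS mounts); cpio -o needs its dash.
    run sh -c "find / -xdev -user $user -print | cpio -ov | gzip > $hold/files.cpio.gz"
    run sh -c "find / -xdev -user $user -type f -exec rm -f {} \\;"
    run sh -c "find / -xdev -user $user -depth -type d -exec rmdir {} \\;"
    # 4. userdel leaves scheduled jobs behind: drop the crontab, list at jobs for review
    run sh -c "crontab -r -u $user || true"
    run sh -c "atq | grep -w $user || true"
    # 5. Forward the user's mail to the manager
    run sh -c "echo '$user: $manager' >> /etc/aliases"
    run newaliases
    # Finally remove the account; its home directory is already archived above
    run userdel -r "$user"
}

# Usage: DRY_RUN=1 ./offboard.sh henry /hold manager   (dry run first)
if [ $# -gt 0 ]; then offboard_user "$@"; fi
```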
Security
Use the passwd command to change the password:
# passwd henry
current password:
new password:
retype new password:
Choosing a password:
• Do not use proper words or names
• Use letters and digits
• Include symbols: !, @, #, $, %, ...
Do not allow a guest account to log in to your system
The /etc/shadow File
If shadow passwords are used, encrypted passwords are stored in this file:
name:password:lastchange:min:max:warn:inactive:expire:flag
name        User login name, mapped to /etc/passwd
password    Encrypted password. If this field is blank, then there is no password; "*": account is locked, ...
lastchange  Number of days since the last password change, counted from 1/1/70
min         Minimum number of days between password changes
max         Maximum number of days the password is valid
warn        Number of days before expiration that the user will be warned
inactive    Number of inactivity days allowed for this user
expire      Absolute date beyond which the account will be disabled
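As an added example (not part of the slides), a small audit over records in the /etc/passwd and /etc/shadow layouts above: it flags UID 0 accounts other than root, blank password fields, passwords that never age (max of 99999) and expiry dates already in the past, which is where the usermod -e / -f and chage settings of the later slides show up. The two sample files and the "today" value are constructed so it runs offline; point it at the real files as root to audit a system.

```shell
#!/bin/sh
# Added audit example (not from the slides): report risky accounts from
# passwd- and shadow-format files. Field positions follow the formats above.

audit_accounts() {
    # $1 passwd-format file, $2 shadow-format file,
    # $3 "today" in days since 1970-01-01 (defaults to the real date)
    passwd_file=$1
    shadow_file=$2
    today=${3:-$(( $(date +%s) / 86400 ))}
    # UID 0 on any name other than root is a second superuser account
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }' "$passwd_file"
    # A blank password field means the account can log in with no password
    awk -F: '$2 == "" { print "NOPASS " $1 }' "$shadow_file"
    # max field 99999 (or blank) means the password never has to be changed
    awk -F: '$5 == "" || $5 + 0 >= 99999 { print "NOAGING " $1 }' "$shadow_file"
    # expire field (days since 1970-01-01) already past: account disabled but still present
    awk -F: -v today="$today" \
        '$8 != "" && $8 + 0 < today { print "EXPIRED " $1 }' "$shadow_file"
}

# Constructed sample data, laid out like the /etc/passwd and /etc/shadow records above
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
toor:x:0:0:backup admin:/root:/bin/bash
EOF
cat > "$sample_dir/shadow" <<'EOF'
root:$6$saltsalt$fakehash:12700:0:99999:7:::
henry::12700:0:90:7:::
toor:$6$saltsalt$fakehash:12700:0:99999:7::12783:
EOF

# Evaluate as of day 12800 (January 2005) so the result is reproducible
audit_accounts "$sample_dir/passwd" "$sample_dir/shadow" 12800
```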
Account Security
Actions you can take to improve security:
Use a preset expiration date for temporary employees
# usermod -e 2003-12-20 henry
Use inactivity counts to lock unused accounts
# usermod -f 5 henry
Change passwords known by someone who leaves. If they know the root password, change ALL passwords
Account Security
Password aging with the chage command:
chage [options] <user>
Options:
-m <mindays>     Minimum days
-M <maxdays>     Maximum days
-d <lastdays>    Day last changed
-I <inactive>    Inactive lock
-E <expiredate>  Expiration (YYYY-MM-DD or MM/DD/YY)
-W <warndays>    Warning days
Summary
Define the requirements for user accounts
Explain group and group accounts
Construct configuration files (group, passwd,
shadow)
Demonstrate adding users
Describe modifying user details
Explain user passwords
Demonstrate deleting users