itec 400: User Administration, Unix System Directories. George Vaughan, Franklin University
Topics • User Administration • The password file • The shadow password file • The group file • Adding Users • Disabling Users • Removing Users • Unix/Linux System Directories
User Administration • The Pieces: • /etc/passwd • /etc/shadow • /etc/group • The Function: • Username Policy • Password Policy • Group Membership Policy • User related commands
The Password File • Located in /etc/passwd. • Serves as the user database for the system. • Information in /etc/passwd is useful to applications, so the file is readable by all. • Historically, /etc/passwd contained each user’s password in encrypted (hashed) form. • Today, encrypted passwords that are readable by all are considered too dangerous. • Today, passwords are stored in /etc/shadow, which is readable only by root.
The Password File • Format of /etc/passwd (colon-separated fields): userName:passWord:UID:GID:userInfo:homeDir:loginApplication • Example: vaughang:x:257:100:George Vaughan:/export/home/vaughang:/bin/ksh
The Password File • User Name: • Often generated by a script • Often limited to 8 characters • RedHat: 32 chars, any character except newline and colon • Password: • ‘x’ indicates use of /etc/shadow • ‘*’ indicates the account is disabled. • Standard limit: 8 chars, unencrypted • Redhat limit: arbitrary length, unencrypted • Never leave this field empty (an empty field means no password is required to log in). • UID • A unique user identifier • unsigned 32-bit integer • root has UID 0 • Most systems: UID < 100: system accounts, UID >= 100: user accounts • Redhat: UID < 500: system accounts, UID >= 500: user accounts
The Password File • GID • The identifier of the user’s primary group • unsigned 32-bit integer • 0 for group root, 1 for bin, 2 for daemon • Most systems: GID < 100: system groups, GID >= 100: user groups • Redhat: GID < 500: system groups, GID >= 500: user groups • User Info: • usually the user’s full name • can hold up to 5 comma-separated subfields, which the “finger” command displays. • Known as the GECOS field. Originally used at Bell Labs to store user information for remote job entry (rje) to a GE mainframe • Home Directory • Initial directory after login • Login Application • Usually a shell. • /etc/shells contains the list of valid login shells on the system; a user cannot change their shell to something not in /etc/shells. • Can be any application; the entry root puts in /etc/passwd does not have to be in /etc/shells.
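As an added example (not part of the lecture), the following Python script parses /etc/passwd lines in the format above and flags the problems the slides warn about: a second UID 0 account, duplicate UIDs, an empty password field, a hash left in the world-readable file, and a login shell missing from /etc/shells. The sample entries and the VALID_SHELLS set are constructed stand-ins for the real files.

```python
from collections import Counter, namedtuple

# Constructed sample /etc/passwd content; the vaughang line is the slide's own example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vaughang:x:257:100:George Vaughan:/export/home/vaughang:/bin/ksh
toor:x:0:0:Second Root:/root:/bin/bash
guest::501:501:Guest Account:/home/guest:/bin/bash
svc:x:502:502:Service:/var/svc:/usr/local/bin/rshell
dup:x:502:502:Duplicate UID:/home/dup:/bin/sh
"""
# Constructed stand-in for the contents of /etc/shells.
VALID_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/sbin/nologin"}

PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")

def parse_passwd(text):
    """Split each non-empty line into the seven colon-separated passwd fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries

def audit_passwd(entries, valid_shells=VALID_SHELLS):
    """Return (username, problem) pairs for the conditions the slides warn about."""
    findings = []
    uid_count = Counter(e.uid for e in entries)
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account other than root"))
        if uid_count[e.uid] > 1:
            findings.append((e.name, f"UID {e.uid} is not unique"))
        if e.password == "":
            findings.append((e.name, "empty password field: login needs no password"))
        elif e.password not in ("x", "*"):
            findings.append((e.name, "password hash kept in world-readable /etc/passwd"))
        if e.shell not in valid_shells:
            findings.append((e.name, f"shell {e.shell} is not listed in /etc/shells"))
    return findings

if __name__ == "__main__":
    for user, problem in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{user}: {problem}")
```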
The Password File • A simple ASCII file. • Can be edited with standard editor • ‘vipw’ (vi the password file) • allows only one editing session at a time • minimizes corruption due to pilot error or abnormal terminations.
The Shadow Password File • Location on both Linux and Solaris: /etc/shadow • Readable only by root • If used, contains the encrypted password. • Used by default on RH Linux • In RH Linux, /etc/shadow can be edited by vipw.
The Shadow Password File • Format of /etc/shadow (colon-separated fields): userName:passWord:changedDate:minLife:maxLife:warn:disable:expireDate:unused • Example: gvaughan:$1$ItpbrZB2$2g/qNx0DhRmnoXbpA1EQJ/:12198:0:99999:7::: • changedDate is the day of the last password change, counted in days since 1 January 1970; the lifetimes are counted in days.
Encrypted Passwords • Two encrypted (hashed) forms appear in /etc/shadow: • DES (13 characters in encrypted form) • MD5 (34 characters in encrypted form) • Most Linux distributions support MD5. • MD5 is the default in Redhat • MD5 passwords always begin with “$1$”
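The following Python code is an added example, not part of the lecture: it parses /etc/shadow records in the format shown above, classifies the password field by the DES/MD5 rules the slides give, and works out whether a password is disabled, unset, expired or due for a forced change. The gvaughan and johnsonm lines are the slides' own; the olduser, dummy1 and nopass lines are constructed, and the DES-looking string is made up rather than a real hash.

```python
from datetime import date

# Constructed sample /etc/shadow; gvaughan and johnsonm are the slides' own lines.
SAMPLE_SHADOW = """\
gvaughan:$1$ItpbrZB2$2g/qNx0DhRmnoXbpA1EQJ/:12198:0:99999:7:::
johnsonm:!!:12102:0:99999:7:::
olduser:abJnggxhB/yWI:11000:0:90:7:::
dummy1:*:0:0:30:7:::
nopass::12100:0:99999:7:::
"""
EPOCH = date(1970, 1, 1)

def days_since_epoch(d):
    """/etc/shadow stores dates as a count of days since 1 January 1970."""
    return (d - EPOCH).days

def hash_kind(field):
    """Classify the password field using the rules given on the slides."""
    if field == "":
        return "no password"
    if field.startswith(("*", "!")):
        return "disabled"            # '*' disabled by hand, '!!' never set
    if field.startswith("$1$") and len(field) == 34:
        return "md5"
    if len(field) == 13 and "$" not in field:
        return "des"
    return "unknown"

def parse_shadow(text):
    """One dict per non-empty line; numeric fields left blank become None."""
    num = lambda s: int(s) if s else None
    records = []
    for f in (l.split(":") for l in text.splitlines() if l.strip()):
        if len(f) != 9:
            raise ValueError("malformed shadow line: " + ":".join(f))
        records.append({"name": f[0], "password": f[1], "changed": num(f[2]),
                        "min": num(f[3]), "max": num(f[4]), "warn": num(f[5]),
                        "disable": num(f[6]), "expire": num(f[7])})
    return records

def password_status(rec, today):
    """Report what the shadow fields say about the account on day 'today'."""
    kind = hash_kind(rec["password"])
    if kind in ("no password", "disabled"):
        return kind
    if rec["changed"] == 0:
        return "must change at next login"   # what 'chage -d 0' produces
    if rec["changed"] and rec["max"] is not None and rec["changed"] + rec["max"] < today:
        return "expired"
    return "ok (" + kind + ")"
```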
The Group File • Permissions for users can be managed on a group basis. • Defines which users are members of which group. • A user can be a member of more than one group (Some systems restrict number of groups a user can be a member of). • The group associated with a user in /etc/passwd file is the user’s primary group.
The Group File • Format of /etc/group (colon-separated fields): groupName:passWord:GID:userList • Example: cs::102:lint,cs,chen04,christcl,olinger
The Group File • Group Name: on many systems, restricted to 8 chars. • Password: • Obsolete, but still supported on Linux. • Often contains an ‘x’ or nothing. • If the field contains ‘*’, the group is disabled. • GID • A unique group identifier • unsigned 32-bit integer • 0 for group root, 1 for bin, 2 for daemon • Most systems: GID < 100: system groups, GID >= 100: user groups • Redhat: GID < 500: system groups, GID >= 500: user groups • User List: comma separated, no spaces
The Group File • If a user’s primary GID in /etc/passwd names a group that does not list the user in /etc/group, the user is still a member of that group: /etc/passwd takes precedence. • On Linux, the file /etc/group can be edited with vigr • Linux supports a shadow group file. • Its location is /etc/gshadow • It is used to store group passwords.
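An added example (not from the lecture) that shows the precedence rule in code: membership is computed from the primary GID in /etc/passwd plus the member lists in /etc/group, so a user whose primary group does not list them is still a member. The sample files are constructed from the slides' own example lines.

```python
# Constructed sample files. The johnsonm, wheel and students lines follow the
# slides' useradd example; the cs line is the slides' /etc/group example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
gvaughan:x:500:100:George Vaughan:/home/gvaughan:/bin/bash
johnsonm:x:503:200:Michael Johnson:/home/johnsonm:/bin/ksh
"""
SAMPLE_GROUP = """\
root:x:0:root
wheel:x:10:root,gvaughan,johnsonm
users:x:100:
cs::102:lint,cs,chen04,christcl,olinger
students:x:200:
"""

def parse_group(text):
    """Map group name -> (GID, set of users listed in the fourth field)."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _password, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def primary_gids(passwd_text):
    """Map user name -> primary GID (fourth field of /etc/passwd)."""
    return {f[0]: int(f[3])
            for f in (l.split(":") for l in passwd_text.splitlines() if l.strip())}

def groups_of(user, passwd_text, group_text):
    """Every group the user belongs to, as the 'groups' command would report it:
    the primary group from /etc/passwd plus the groups listing the user in /etc/group."""
    groups = parse_group(group_text)
    by_gid = {gid: name for name, (gid, _) in groups.items()}
    result = set()
    pgid = primary_gids(passwd_text).get(user)
    if pgid is not None:
        result.add(by_gid.get(pgid, str(pgid)))   # unnamed GID shown as a number
    result |= {name for name, (_, members) in groups.items() if user in members}
    return result

def unlisted_primary_members(passwd_text, group_text):
    """Users whose primary group does not name them in /etc/group (the 'why?' case)."""
    groups = parse_group(group_text)
    by_gid = {gid: name for name, (gid, _) in groups.items()}
    return sorted(user for user, gid in primary_gids(passwd_text).items()
                  if gid in by_gid and user not in groups[by_gid[gid]][1])
```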
User Related Commands • Note: user administration commands are addressed in later slides. • id • reports UID and GID from /etc/passwd • example:
>id root
uid=0(root) gid=1(other)
• groups • reports the groups a user is a member of. • example:
>groups root
other root bin sys adm uucp mail tty lp nuucp daemon
User Related Commands • newgrp • Logs the user into a new group (one that the user is a member of); files created afterwards belong to that group • Example:
>groups
faculty wheel
>touch trash1
>newgrp wheel
>touch trash2
>ls -l
-rw-rw-r-- 1 vaughang faculty … trash1
-rw-rw-r-- 1 vaughang wheel … trash2
User Related Commands • finger • displays information about a user • example:
>finger vaughang
Login name: vaughang                    In real life: George Vaughan
Directory: /export/home/vaughang        Shell: /bin/ksh
On since Feb 17 15:48:34 on pts/7 from dhcp9544228.inet.com
13 seconds Idle Time
Adding Users • 3 different ways to add users: • Manually • Using the ‘useradd’ command • Using a GUI based system administration tool.
Adding Users • Many Unix and Linux distributions provide GUI applications that allow for the creation of user accounts. • However these GUI systems tend to be distribution specific. • Large sites have custom scripts for adding users that enforce local policies
Adding Users • It is good to know how to add users manually: • Useful if problems occur with GUI apps • Useful for writing scripts with site specific policies. • Useful for understanding how user management works at the O.S. level. • Lecture will focus on adding users manually. • Book has good description of GUI apps for adding users.
Adding Users Manually • Activities when adding users: • Edit /etc/passwd file • Edit /etc/shadow file • Edit /etc/group (if necessary) • Set initial password • Set up the new user’s home directory • Copy startup files to user’s home directory • Test the account
Adding Users Manually (Red Hat) • The following scenario adds a new user named ‘dummy1’. • The scenario is simplified yet complete
Adding Users Manually (Red Hat) • Edit /etc/passwd • Use ‘vipw’ for safety:
dummy1:x:502:502:Mr. Dummy:/home/dummy1:/bin/bash
• Edit /etc/shadow • Continue using ‘vipw’:
Would you like to edit /etc/shadow now [y/n]? y
dummy1:*:0:0:30:7:::
Adding Users Manually (Red Hat) • Change the new user’s password:
# passwd dummy1
Changing password for user dummy1
New password:
Retype new password:
passwd: all authentication tokens updated successfully
• Re-edit /etc/shadow • Set the ‘password changed’ field to 0 (1/1/70) • This will force the user to change the password immediately • Edit /etc/group:
vi /etc/group
dummy1:x:502:
Adding Users Manually (Red Hat) • Create the user’s home directory:
# mkdir /home/dummy1
# chown dummy1 /home/dummy1
# ls -ld /home/dummy1
drwxr-xr-x 2 dummy1 root 4096 Feb 17 23:20 /home/dummy1
# chmod 700 /home/dummy1
drwx------ 2 dummy1 root 4096 Feb 17 23:20 /home/dummy1
• Copy login initialization files:
# cp -rf /etc/skel/.[a-zA-Z]* ~dummy1
# chmod 644 ~dummy1/.[a-zA-Z]*
# chown dummy1 ~dummy1/.[a-zA-Z]*
# chgrp dummy1 ~dummy1/.[a-zA-Z]*
Adding Users Manually (Red Hat) • Test the new account:
# su - dummy1
# ls -al ~dummy1
total 52
drwx------ 4 dummy1 root 4096 Feb 17 23:47 .
drwxr-xr-x 6 root root 4096 Feb 17 23:20 ..
-rw------- 1 dummy1 dummy1 28 Feb 17 23:48 .bash_history
-rw-r--r-- 1 dummy1 dummy1 24 Feb 17 23:33 .bash_logout
-rw-r--r-- 1 dummy1 dummy1 191 Feb 17 23:33 .bash_profile
-rw-r--r-- 1 dummy1 dummy1 124 Feb 17 23:33 .bashrc
-rw-r--r-- 1 dummy1 dummy1 5450 Feb 17 23:33 .canna
-rw-r--r-- 1 dummy1 dummy1 820 Feb 17 23:33 .emacs
-rw-r--r-- 1 dummy1 dummy1 118 Feb 17 23:33 .gtkrc
drw-r--r-- 3 dummy1 dummy1 4096 Feb 17 23:33 .kde
-rw-r--r-- 1 dummy1 dummy1 3511 Feb 17 23:33 .screenrc
drwx----- 2 dummy1 dummy1 4096 Feb 17 23:46 .xauth
Adding Users (Notes) • Distributions often come with an /etc/skel directory which contains default initialization files that are copied into new users’ home directories. • System-wide initialization files: • /etc/profile • /etc/bashrc • Initialization files in the user’s home directory: • $HOME/.bash_profile • $HOME/.bashrc
Adding Users (Notes) • What is the order of execution of initialization files upon login? • I added echo statements to the initialization files and here is what I found: • START /etc/profile • END /etc/profile • START /home/gvaughan/.bash_profile • START /home/gvaughan/.bashrc • START /etc/bashrc • END /etc/bashrc • END /home/gvaughan/.bashrc • END /home/gvaughan/.bash_profile • So bash executes /etc/profile and then $HOME/.bash_profile; $HOME/.bash_profile sources $HOME/.bashrc, which in turn sources /etc/bashrc
Adding Users (Notes) • In Linux, the file /etc/login.defs contains system-wide login controls, such as: • system location of mailboxes • number of login retries • delay between failed login attempts • default values for user admin commands • many other controls…
Adding Users with useradd (Red Hat) • In this scenario, we will add a user with the ‘useradd’ command. • ‘useradd’ has many options - see man page • The user’s name is Michael Johnson
Adding Users with useradd (Red Hat) • Find out the default settings for useradd:
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
Adding Users with useradd (Red Hat) • Create the user with useradd: • useradd -c "Michael Johnson" -g students -G wheel -m -s /bin/ksh johnsonm • -c specifies the user information (GECOS) field in /etc/passwd • -g defines the primary group/GID (in /etc/passwd) • -G defines secondary (supplementary) groups (in /etc/group) • -m creates a home directory in /home if one does not exist • -s overrides the default system shell (affects /etc/passwd)
Adding Users with useradd (Red Hat) • Check contents of /etc/passwd, /etc/shadow and /etc/group:
# tail /etc/passwd
johnsonm:x:503:200:Michael Johnson:/home/johnsonm:/bin/ksh
• Notice in /etc/passwd: • useradd uses the next available UID • primary GID is 200, the students group (see /etc/group below) • home directory is /home/johnsonm • shell is ksh (the -s option overrode the default shell)
Adding Users with useradd (Red Hat)
# tail /etc/shadow
johnsonm:!!:12102:0:99999:7:::
• Notice in /etc/shadow: • password is !! (not yet set) • practically infinite max password age (99999 days)
Adding Users with useradd (Red Hat)
# tail /etc/group
students:x:200:
wheel:x:10:root,gvaughan,johnsonm
• Notice in /etc/group: • johnsonm is explicitly listed in group wheel • johnsonm is not listed in group students, yet 200 is johnsonm’s primary GID (why? recall that the primary group in /etc/passwd takes precedence over the member list in /etc/group)
Adding Users with useradd (Red Hat) • Change the password on johnsonm:
# passwd johnsonm
Changing password for user johnsonm
New password:
Retype new password:
passwd: all authentication tokens updated successfully
• Test the user account:
# su - johnsonm
$ pwd
/home/johnsonm
$ ls -al
total 48
drwx------ 4 johnsonm students 4096 Feb 18 23:02 .
drwxr-xr-x 7 root root 4096 Feb 18 22:58 ..
-rw-r--r-- 1 johnsonm students 24 Feb 18 22:58 .bash_logout
Adding Users with useradd (Red Hat) • Switch back to ‘root’ • Reset the password age to Jan. 1st, 1970 so the new user has to change the password upon first login: chage -d 0 -M 15 user_ID • “-d 0” sets the last password change to 01/01/70 • “-M 15” sets the maximum password age to 15 days.
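As an added example, not the book's or the lecture's own script, the Python below builds the three entries that the manual and useradd procedures append to /etc/passwd, /etc/shadow and /etc/group, enforcing the local policy points from the slides (next free UID at or above 500, shell must be in /etc/shells, password locked until passwd sets it), and shows the edit that chage -d 0 -M 15 makes to a shadow record. The starting file contents and VALID_SHELLS are constructed.

```python
# Constructed starting state: johnsonm and wheel follow the slides' useradd example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
gvaughan:x:500:100:George Vaughan:/home/gvaughan:/bin/bash
tester:x:501:501:Test Account:/home/tester:/bin/sh
johnsonm:x:503:200:Michael Johnson:/home/johnsonm:/bin/ksh
"""
GROUP = """\
root:x:0:
wheel:x:10:root,gvaughan,johnsonm
users:x:100:
students:x:200:
tester:x:501:
johnsonm:x:503:
"""
VALID_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh"}   # stand-in for /etc/shells

def field_values(text, index):
    """Values of one colon-separated field across all non-empty lines."""
    return [l.split(":")[index] for l in text.splitlines() if l.strip()]

def next_free_id(text, floor=500):
    """Lowest unused id >= floor (Red Hat starts ordinary users and groups at 500)."""
    used = {int(v) for v in field_values(text, 2)}
    n = floor
    while n in used:
        n += 1
    return n

def new_user_entries(name, gecos, shell, passwd_text, group_text):
    """Lines for /etc/passwd, /etc/shadow and /etc/group, as on the slides: private
    group numbered like the UID, home under /home, password locked ('*') until set."""
    if not name or ":" in name or "\n" in name:
        raise ValueError("invalid user name")
    if name in field_values(passwd_text, 0):
        raise ValueError(f"user {name} already exists")
    if shell not in VALID_SHELLS:
        raise ValueError(f"{shell} is not listed in /etc/shells")
    uid = next_free_id(passwd_text)
    gid = next_free_id(group_text, floor=uid)     # same number as the UID when free
    return (f"{name}:x:{uid}:{gid}:{gecos}:/home/{name}:{shell}",
            f"{name}:*:0:0:30:7:::",
            f"{name}:x:{gid}:")

def force_change_at_first_login(shadow_line, max_days=15):
    """Same edit that 'chage -d 0 -M 15' makes: last change = day 0, max age = 15."""
    f = shadow_line.split(":")
    f[2], f[4] = "0", str(max_days)
    return ":".join(f)
```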
Disabling A User Account • Sometimes you may want to disable a user, but not remove user (e.g. really old password) • This can be done quickly by prefixing an ‘*’ to the password in /etc/shadow. • Can also use ‘passwd -l userName’
Disabling A User Account • We can also create a program (a pseudo shell) that just displays a message explaining why the user is denied access and then exits. • We then edit /etc/passwd and set the user’s default shell to the pseudo shell. • Don’t add the pseudo shell to /etc/shells.
Removing Users • Book provides a list of tasks to be performed if you wish to remove a user account (including home directory, etc.). • See man page for ‘userdel’.
System Directories • Top level of /: bin, boot, dev, home, initrd, lib, lost+found, etc, misc, mnt, opt, proc, usr, root, sbin, tftpboot, tmp, var, vmlinuz • Second-level entries shown in the tree: boot/grub, dev/null, etc/rc*.d, etc/group, etc/passwd, usr/src, usr/include
/bin • Contains executables for basic commands • Examples of commands in /bin: awk, bash, cat, chmod, cp, date, echo, grep, kill, ls, ps, pwd, … • If you write a shell or Perl script that others would find useful, this is a good location for it • Don’t replace or change existing system commands in this directory unless upgrading the O.S.
/boot • Contains the kernel executable: • /boot/vmlinuz • Contains the directory for grub (boot loader): • /boot/grub • The ASCII configuration file for grub is: • /boot/grub/grub.conf • Note that /etc/grub.conf is a symbolic link to /boot/grub/grub.conf
/dev • Contains entries for devices such as disk partitions, tape drives, printers, etc. • In Unix/Linux, every device is treated as if it were a file. Very nice – the O.S. provides a generalized file-like interface to hardware. • /dev/null is a ‘fake’ device which stores nothing: • a ‘bit bucket’ • useful for “throwing away” error or warning messages • example: myprog 2>/dev/null throws away all error messages (everything the program writes to standard error).
/etc • Contains many system configuration files. • System Administrators do much work with files here. • Examples of config files and config directories in /etc: passwd, group, shadow, rc*.d, init.d, inittab, hosts, httpd
/home • Usual location for user home directories (other directories may be used for home directories)
/initrd • Facilitates the use of a RAM disk during the boot sequence. • The RAM disk image (initrd) is used during the boot process to hold a minimum set of drivers. • When initrd is no longer needed, it is moved to /initrd so it can be unmounted.
/lost+found • fsck (File System Check) is a utility that runs during the boot process to check the integrity of file systems. • fsck can also be run after the boot process on unmounted file systems. • If fsck finds corrupted files, it places them in the /lost+found directory of that file system.
/misc • Used for mounting: • removable devices such as zip drives • remote filesystems when using network file systems