User Account Management WeeSan Lee <weesan@cs.ucr.edu>
Roadmap
• Add An Account
• Delete An Account
• /etc/{passwd,shadow}
• /etc/group
• How To Disable An Account?
• Root Account
• Q&A
Add An Account
• To create an account for user foo by hand
  • Add foo to /etc/passwd and /etc/shadow first, because the chown below needs the name to resolve to a UID. vipw locks the files while you edit them (vipw -s edits /etc/shadow).
    $ vipw
    $ passwd foo
  • Create /home/foo and seed it from /etc/skel. Copy /etc/skel/. rather than /etc/skel/*: the glob skips the dotfiles (.profile, .bashrc, ...) that make up most of skel.
    $ cp -a /etc/skel/. /home/foo
    $ chown -R foo:users /home/foo
    $ chmod 711 /home/foo        (the same as: $ chmod u=rwx,g=x,o=x /home/foo)
• Alternatively, use useradd, which does all of the above and picks a free UID for you (add -m if CREATE_HOME is not set in /etc/login.defs)
  $ useradd foo
  $ passwd foo
Delete An Account
• To remove the account foo
• Revert what we did before: delete foo's line from /etc/passwd and /etc/shadow, then remove /home/foo
• Or, use userdel
  $ userdel foo
  $ userdel -r foo          (deletes /home/foo and the mail spool as well)
• To find files left behind (owned by a UID that no longer appears in /etc/passwd), without crossing into other filesystems
  $ find / -xdev -nouser
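The manual add/delete procedure from the two slides above, written as one checked script (an added example, not part of the lecture or of any system's tooling). It works under a prefix directory ROOT holding etc/ and home/, so the whole thing can be run as an ordinary user on a scratch tree with the constructed sample passwd/shadow files built by make_scratch; ROOT, UID_MIN and the sample data are assumptions of this example. The skel copy uses /etc/skel/. so dotfiles are included, the shadow entry is written with a "!" hash so the new account stays locked until passwd(1) sets a real one, and the cleanup sweeps the tree for files still owned by the freed UID.

```shell
#!/bin/sh
# Added example (not from the lecture): the manual "add an account" steps and
# their reversal as one checked script. It works under a prefix directory so
# it can be exercised on a scratch tree as a normal user; run it with ROOT=/
# as root to act on the real /etc and /home.
set -eu

ROOT="${ROOT:-./scratch-root}"   # assumption: prefix holding etc/ and home/
UID_MIN="${UID_MIN:-500}"        # the slides' first regular UID (often 1000 now)

# First UID >= UID_MIN that no line in the passwd file uses.
next_free_uid() {                # usage: next_free_uid PASSWD_FILE
    awk -F: -v min="$UID_MIN" '
        $3 >= min { used[$3] = 1 }
        END { uid = min + 0; while (uid in used) uid++; print uid }' "$1"
}

# Build a scratch tree with constructed sample passwd/shadow files and one
# skel dotfile (sample data, not copied from any real system).
make_scratch() {
    rm -rf "$ROOT"
    mkdir -p "$ROOT/etc/skel" "$ROOT/home"
    printf '# sample login script from skel\n' > "$ROOT/etc/skel/.profile"
    cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
EOF
    cat > "$ROOT/etc/shadow" <<'EOF'
root:!:13690:0:99999:7:::
alice:!:13690:0:99999:7:::
bob:!:13690:0:99999:7:::
EOF
    chmod 600 "$ROOT/etc/shadow"
}

# Create an account the way the slide does by hand, plus the checks useradd
# would make for us: name not taken, home not already present. Prints the UID.
add_account() {                  # usage: add_account NAME GID "Full Name" SHELL
    name=$1 gid=$2 gecos=$3 shell=$4
    passwd_file="$ROOT/etc/passwd" shadow_file="$ROOT/etc/shadow"
    home="$ROOT/home/$name"

    if awk -F: -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$passwd_file"; then
        echo "add_account: user $name already exists" >&2; return 1
    fi
    if [ -e "$home" ]; then
        echo "add_account: $home already exists" >&2; return 1
    fi
    uid=$(next_free_uid "$passwd_file")

    # 1. passwd line (7 fields) and shadow line (9 fields) go in first so that
    #    chown can resolve the name. The shadow hash field is "!", which keeps
    #    the account locked until passwd(1) stores a real hash; "last change"
    #    is today as days since 1970-01-01.
    printf '%s:x:%s:%s:%s:/home/%s:%s\n' "$name" "$uid" "$gid" "$gecos" "$name" "$shell" >> "$passwd_file"
    printf '%s:!:%s:0:99999:7:::\n' "$name" "$(( $(date +%s) / 86400 ))" >> "$shadow_file"

    # 2. Home directory seeded from skel. "skel/." copies the dotfiles that the
    #    slide's "skel/*" glob would skip; 711 is u=rwx,g=x,o=x.
    mkdir "$home"
    cp -a "$ROOT/etc/skel/." "$home"
    chmod 711 "$home"
    # chown needs root; on a scratch tree we already own it is skipped.
    if [ "$(id -u)" -eq 0 ]; then chown -R "$uid:$gid" "$home"; fi
    echo "$uid"
}

# Revert: drop both entries, remove the home, then list anything left under
# ROOT still owned by the freed UID (the files userdel -r does not touch; on a
# live system the equivalent sweep is: find / -xdev -nouser).
delete_account() {               # usage: delete_account NAME
    name=$1
    uid=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$ROOT/etc/passwd")
    if [ -z "$uid" ]; then echo "delete_account: no such user $name" >&2; return 1; fi
    for f in passwd shadow; do
        awk -F: -v n="$name" '$1 != n' "$ROOT/etc/$f" > "$ROOT/etc/$f.tmp"
        mv "$ROOT/etc/$f.tmp" "$ROOT/etc/$f"
    done
    chmod 600 "$ROOT/etc/shadow"     # the rewrite above reset the mode
    rm -rf "$ROOT/home/$name"
    find "$ROOT" -xdev -uid "$uid" 2>/dev/null || true
}

if [ "${1:-}" = demo ]; then
    make_scratch
    uid=$(add_account foo 100 "Foo Bar" /bin/bash)
    echo "created foo as uid $uid:"; tail -n 1 "$ROOT/etc/passwd"
    delete_account foo
fi
```

Run it as `sh script.sh demo` to see the round trip on the scratch tree. Two points the slide's command list hides are made explicit here: the passwd entry has to exist before `chown foo:users` can work, and a rewrite of /etc/shadow through a temporary file must restore the restrictive mode, since a world-readable shadow file hands every hash to every local user.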
/etc/passwd
• A file that contains the list of users recognized by the system
• World readable. Why? Because every process needs it to map UIDs to names (ls -l, ps, mail delivery), which is also why the password hashes were moved out of it into /etc/shadow
• Each line represents one user, e.g.
  foo:x:500:500:Foo Bar:/home/foo:/bin/bash
• 7 fields separated by colons
  • Login name or username
  • Password hash field (x means the hash is kept in /etc/shadow)
  • UID
  • Default GID
  • "GECOS" information: full name, office, extension, phone #
  • Home directory
  • Login shell
/etc/passwd (cont)
foo:x:500:500:Foo Bar:/home/foo:/bin/bash
• Login name
  • Up to 32 chars long (8 for NIS, the Network Information Service)
  • Case sensitive, usually lower case
  • Usually doubles as the local part of the user's email address
• Password hash field
  • x: see /etc/shadow
• UID
  • 32-bit unsigned integer
  • Regular users start at UID_MIN from /etc/login.defs: 500 on the systems these slides describe, 1000 on most current distributions
/etc/passwd (cont)
foo:x:500:500:Foo Bar:/home/foo:/bin/bash
• Default GID
  • Must be defined in /etc/group; any further groups come from the member lists there
• GECOS field
  • Personal information, shown by finger
    $ finger foo
• Home directory
  • login cd's there after authentication
• Login shell
  • Run as the user's login shell, so a non-shell such as /sbin/nologin refuses the login
  • Valid shells are listed in /etc/shells; chsh only accepts a shell from that list
/etc/shadow
• A file that contains the password hashes for the users ("encrypted passwords" in older documentation; the field is a one-way hash that can only be tested against, not reversed)
• Only readable by root or processes with root privilege
• Each line represents one user, e.g.
  foo:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::
• 9 fields separated by colons
  • Login name or username
  • Password hash; $1$ marks MD5-crypt, and the text between the second and third $ is the salt
  • Date of last passwd change, in days since 1970-01-01 (13690 = 2007-06-26)
  • Min. # of days between password changes
  • Max # of days between password changes (99999 means the password never expires)
  • # of days in advance to warn users about passwd expiration
  • # of days after passwd expiration that the account is disabled
  • Account expiration date, also in days since 1970-01-01
  • A reserved field
• Usually only the login name and password fields are filled in by hand; the aging fields take their defaults from /etc/login.defs
/etc/shadow (cont)
• The aging fields are set with usermod (or chage), e.g. to make the account foo expire on 2007-06-26:
  $ usermod -e 2007-06-26 foo
• To see an account's aging fields in readable form:
  $ chage -l foo
/etc/group
• A file that contains the names of UNIX groups and the list of each group's members, e.g.
  foo:x:500:
  installer:x:200:foo,bar
• Each line represents one group
• 4 fields separated by colons
  • Group name (8 chars on traditional systems)
  • Password hash, or x if it is kept in /etc/gshadow
  • GID (starts from GID_MIN in /etc/login.defs, 500 here)
  • List of members, separated by commas (no spaces); users whose default GID in /etc/passwd is this group need not be listed
How To Disable An Account?
• Lock the password: put a '!' in front of the hash in /etc/shadow (historically, a '*' in the password field of /etc/passwd)
  $ usermod -L foo
  To undo: $ usermod -U foo
  Caveat: this only blocks password authentication; the user may still get in with an SSH key or another non-password method, so combine it with one of the next two
• Expire the account (shadow field 8)
  $ usermod -e yyyy-mm-dd foo
• Replace the login shell (usermod -s) with a non-shell
  /bin/false
  /sbin/nologin (prints a "not available" message and exits)
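The /etc/passwd and /etc/shadow fields described above, and the three disabling methods on this slide, put to work in an audit script (an added example, not from the lecture). It reads copies of the two files, so it runs unprivileged against the constructed sample built by make_sample; the flag names, the sample users and the hard-coded "today" value 13700 are assumptions of this example, and the hash reused in the sample is the one printed on the /etc/shadow slide. For every account it reports whether the hash is locked ("!" or "*" prefix), empty (no password needed), the account expiration has passed, or the shell is a non-shell, so the three disabling methods and the one accident (an empty password) can be told apart.

```shell
#!/bin/sh
# Added example (not from the lecture): an audit of which accounts in a
# passwd/shadow pair can still authenticate, and how each disabled one was
# disabled. It reads copies of the files, so it runs unprivileged on the
# constructed sample below; point it at /etc/passwd and /etc/shadow as root.
set -eu

# Shadow stores dates as days since 1970-01-01. Decode one (GNU/busybox
# date); 13690 is the "last change" value on the slide's sample line.
days_to_date() {                 # usage: days_to_date DAYS
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# Print "name<TAB>flags" for every shadow entry. Flags:
#   locked   hash field starts with "!" (usermod -L / passwd -l) or "*"
#   nopass   hash field empty: anyone can log in with no password
#   expired  account expiration date (field 8) is on or before TODAY
#   nologin  shell is /sbin/nologin, /usr/sbin/nologin or /bin/false
#   ok       none of the above
# TODAY is days since the epoch; it defaults to now but is a parameter so
# results are reproducible.
account_status() {               # usage: account_status PASSWD SHADOW [TODAY]
    today="${3:-$(( $(date +%s) / 86400 ))}"
    awk -F: -v today="$today" '
        NR == FNR { shell[$1] = $7; next }          # first file: passwd
        {
            flags = ""
            if ($2 ~ /^[!*]/)            flags = flags " locked"
            if ($2 == "")                flags = flags " nopass"
            if ($8 != "" && $8 <= today) flags = flags " expired"
            s = shell[$1]
            if (s == "/sbin/nologin" || s == "/usr/sbin/nologin" || s == "/bin/false")
                                         flags = flags " nologin"
            if (flags == "")             flags = " ok"
            printf "%s\t%s\n", $1, substr(flags, 2)
        }' "$1" "$2"
}

# Constructed sample files: the hash is the one printed on the slide, and
# each user shows one state the audit reports (foo: usermod -L, bar:
# usermod -e with 13695 = 2007-07-01, baz: nologin shell, qux: "*",
# guest: empty password).
make_sample() {                  # usage: make_sample DIR
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
foo:x:500:500:Foo Bar:/home/foo:/bin/bash
bar:x:501:501:Bar:/home/bar:/bin/bash
baz:x:502:502:Baz:/home/baz:/sbin/nologin
qux:x:503:503:Qux:/home/qux:/bin/bash
guest:x:504:504:Guest:/home/guest:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::
foo:!$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::
bar:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7::13695:
baz:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::
qux:*:13690:0:99999:7:::
guest::13690:0:99999:7:::
EOF
}

if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    make_sample "$dir"
    echo "last password change on the slide: $(days_to_date 13690)"
    account_status "$dir/passwd" "$dir/shadow" 13700   # pretend today is day 13700
fi
```

Run as `sh audit.sh demo`. On a real system, `nopass` is the line to act on first, and an account that is only `locked` deserves a second look for authorized_keys, since the lock applies to the password alone.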
Root Account
• Special and powerful account
• UID 0 is what makes it root: any other /etc/passwd entry with UID 0 is a second root account, whatever it is called
• Guard your root passwd "with your life!!!"
  • At least 8 chars. long
  • Don't write it down
  • Mix letters, numbers and punctuation, e.g. Bambo0! (take this as the shape only: a dictionary word with one substitution is among the first guesses a cracker tries)
• Don't log in as root for everyday work
  • Use su when needed
• Don't share your root passwd with others
Root Account (cont)
• Use sudo instead of su
  • Users authenticate with their own password, so the root password need not be shared at all
  • Every command run through sudo is logged together with the invoking user, which gives an audit trail
  • $ sudo /bin/bash gives a root shell, but then only the shell start is logged, not what is typed into it; prefer sudo <command>
  • Configured in /etc/sudoers
• To edit /etc/sudoers
  $ visudo    (locks the file and checks the syntax before saving; a syntax error would otherwise lock everyone out of sudo)
• foo ALL=(root) ALL
  • User foo can run ALL commands on ALL machines as root
• Host_Alias CS=eon,orpheus
• Cmnd_Alias SNOOP=/usr/sbin/tcpdump,/usr/sbin/ethereal
• bar CS=SNOOP
  • User bar can run only tcpdump and ethereal, as root, and only on the hosts eon and orpheus: least privilege instead of a blanket ALL
References
• LAH (Linux Administration Handbook, Nemeth, Snyder and Hein)
  • Ch 3: Rootly Powers
  • Ch 6: Adding New Users