The Saigon CTT
Chapter 10
Managing Users
Objectives
• Define the requirements for user accounts
• Explain groups and group accounts
• Construct configuration files (group, passwd, shadow)
• Demonstrate adding users
• Describe modifying user details
• Explain user passwords
• Demonstrate deleting users
New User Requirements
• When adding a new user, you need to be familiar with the files passwd, shadow, group and gshadow in the /etc directory
• /etc/passwd contains information about all users: login name, user ID, group ID, descriptive name, home directory, login shell
• /etc/shadow stores the parameters that control account access: the user's password hash and password aging information
• /etc/group contains information about users' groups
• /etc/gshadow stores the group's password hash, … (rarely used)
Preparing Groups
• Carefully constructed groups are very useful for users who are all working in the same department or project
• Groups not only allow a second level of access control but also allow the members of a group to share files in a secured environment
• Each line in the /etc/group file corresponds to a group
• Commands to modify groups: groupadd, groupmod, groupdel
The /etc/passwd File
• Each line in this file corresponds to a user and has the following form:
name:password:UID:GID:comment:home directory:shell
# more /etc/passwd
root:x:0:0:Super User:/root:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
...
Allocating User IDs
• All Linux systems come with several administrative users pre-configured, intended to perform certain administrative work. They are typically assigned UIDs less than 100: root, bin, daemon, sys, adm, lp, …
• Systems with administration tools allocate UIDs automatically, in general greater than 100
Adding Users
• The useradd utility is recommended for administering users. It creates the required records in /etc/passwd and /etc/shadow
• A list of options can be used with useradd to override the defaults:
-u UID        Specify new user ID (default: next available number)
-g GID        Specify default (primary) group (default: other group)
-c comment    Description of user (default: blank)
-d directory  Define home directory (default: /home/username)
-m            Make home directory
-k skel_dir   Skeleton directory (default: /etc/skel)
-s shell      Specify login shell (default: /bin/bash)
Changing User Attributes
• If you edit the files manually, you risk corrupting a file, resulting in users not being able to log in at all. Instead, use the usermod utility:
# usermod -g users -c "Henry Blake" henry
# usermod -u 321 -s /bin/ksh majorh
# usermod -f 10 henry
# usermod -e 2004-12-20 majorh
Changing Group Membership
• Each user belongs to a primary group, which can be changed with usermod -g
• A user can also belong to secondary groups, controlled with usermod -G
# grep blofeldt /etc/passwd
blofeldt:x:416:400::/home/blofeldt:/bin/bash
# groups blofeldt
blofeldt : mash
# groupadd -g 600 fleming
# usermod -G fleming blofeldt
# grep blofeldt /etc/group
fleming:x:600:blofeldt
Removing Users
• When a user leaves, there are two main concerns:
  • Protect the system from unauthorized access via his/her account
  • Protect and manage the files and directories he/she left on the system
• The userdel command takes care of removing a user account. userdel can remove the user's home directory but does not remove the user's mail, crontab table, atd queues, …
Removing Users - userdel
• Command format:
userdel [option] <login_name>
-r    Remove the home directory as well
• To safely remove a user from a system:
1. Lock the account password until you are ready to remove it altogether (use the chage command)
# chage -E 1999-01-01 henry
2. Save all files owned by the user somewhere outside the home directory
# find / -user henry -print | cpio -ov | gzip > /hold/henry
# find / -user henry -type f -exec rm -f {} \;
# find / -user henry -type d -depth -exec rmdir {} \;
3. Change the access permissions on the saved files to root only
# chown root /hold/henry ; chmod 700 /hold/henry
4. Consider crontab and at jobs set up by the user
5. Set up mail forwarding to send the user's mail to a manager
Security
• Use the passwd command to change the password:
# passwd henry
current password:
new password:
retype new password:
• Choosing a password:
  • Do not use proper words or names
  • Use letters and digits
  • Include symbols: !, @, #, $, %, …
• Do not allow guest accounts to log in to your system
The /etc/shadow File
• If shadow passwords are used, the encrypted passwords are stored in this file:
name:password:lastchange:min:max:warn:inactive:expire:flag
name        User login name, mapped to /etc/passwd
password    Encrypted password. If this field is blank, there is no password; "*": account is locked, …
lastchange  Date of the last password change, as the number of days since 1/1/70
min         Minimum number of days between password changes
max         Maximum number of days the password is valid
warn        Number of days before expiration that the user will be warned
inactive    Number of inactivity days allowed for this user
expire      Absolute date (in days since 1/1/70), beyond which the account will be disabled
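The blank password field, the second UID 0 and the aging fields described above are exactly what an administrator should look for when auditing these files. The script below is an added example, not part of the original slides: it runs the checks over constructed copies of /etc/passwd and /etc/shadow (the sample entries, hashes and the audit_accounts function are assumptions made for the example; "today" is passed in as days since 1/1/70, the unit /etc/shadow uses).

```shell
#!/bin/sh
# Added example (not from the original slides): audit constructed copies of
# /etc/passwd and /etc/shadow for the conditions the slides describe.
# Needs only POSIX sh and awk; the entries and hashes below are made up.
WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
guest:x:102:102:Guest:/home/guest:/bin/bash
toor:x:0:0:Backup admin:/root:/bin/bash
EOF
# lastchange 12000 = 2002-11-09; henry's expire 12772 = 2004-12-20
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$hashhash:12000:0:99999:7:::
henry:$6$saltsalt$hashhash:12000:0:90:7:10:12772:
guest::12000:0:99999:7:::
toor:*:12000:0:99999:7:::
EOF

# audit_accounts PASSWD_FILE SHADOW_FILE TODAY_DAYS
# TODAY_DAYS is today's date as days since 1/1/70.
# Prints one finding per line: "<login> <finding>".
audit_accounts() {
  awk -F: -v today="$3" '
    NR == FNR {                                   # first file: passwd
      if ($3 == 0 && $1 != "root") print $1, "uid-0-but-not-root"
      next
    }
    {                                             # second file: shadow
      if ($2 == "") print $1, "empty-password-field"   # login without password
      if ($2 == "*" || $2 ~ /^!/) next                  # locked: aging is moot
      # max (field 5) of 99999 means the password never expires
      if ($5 != "" && $5 < 99999 && today > $3 + $5)
        print $1, "password-expired"
      if ($8 != "" && today > $8) print $1, "account-expired"
    }' "$1" "$2"
}

audit_accounts "$WORK/passwd" "$WORK/shadow" 12800   # 12800 = 2005-01-17
```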
Account Security
• Actions you can take to improve security:
  • Use a preset expiration date for temporary employees
# usermod -e 2003-12-20 henry
  • Use inactivity counts to lock unused accounts
# usermod -f 5 henry
  • Change passwords known by someone who leaves. If they knew the root password, change ALL passwords
Account Security
• Password aging with the chage command:
chage [options] <user>
• Options:
-m <mindays>     Minimum days
-M <maxdays>     Maximum days
-d <lastdays>    Day last changed
-I <inactive>    Inactive lock
-E <expiredate>  Expiration (YYYY-MM-DD or MM/DD/YY)
-W <warndays>    Warning days
Summary
• Define the requirements for user accounts
• Explain groups and group accounts
• Construct configuration files (group, passwd, shadow)
• Demonstrate adding users
• Describe modifying user details
• Explain user passwords
• Demonstrate deleting users