Transcript: Unix System Admin
Managing Users

• Objectives
  – to be able to add, modify and remove Unix user accounts
• Contents
  – requirements for a user account
  – configuration files (passwd, shadow)
  – adding users
  – modifying user details
  – passwords
  – deleting users
  – working with groups
• Practicals
  – to add several user accounts
• Summary
New User Requirements

• An entry in /etc/passwd, which will define the user
  – login name
  – user id
  – default group
  – descriptive name
  – login program (shell)
• An entry in /etc/shadow, which will control account access
  – initial password
  – password aging information
• An entry in /etc/group, for the default group assignment
  – one of the existing groups in this file will become the user's primary group
  – user access to groups other than the primary group can also be granted in this file
• And somewhere to store files
  – a home directory
  – an initial .bash_profile and application startup files
Preparing Groups (/etc/group)

• Use groups for working on projects and in departments
  – groups provide a second level of access control
  – groups allow users to share files
• Set up groups before adding new users
• One line per group in /etc/group:

    name::gid:user1,user2

  – name          group name
  – gid           numeric id
  – user1,user2   list of users allowed 'secondary' access to this group
• An entry for a new group is added with the groupadd utility
• To change or remove a group use groupmod and groupdel

# groupadd -g 151 swamp
# groupadd -g 152 barracks
The /etc/passwd file

• Each valid user must have an entry in this file
• One line per user, of the form:

    name::UID:GID:comment:home directory:shell

  – name            must be unique, up to 8 alphanumeric characters, usually lower case
  – UID             user id, a numeric value within the range 0 to 65535
  – GID             user's primary group, a numeric value within the range 0 to 65535
  – comment         free-format text, usually a fuller description of the user
  – home directory  the account location, usually under /home
  – shell           startup program; it is optional (but the last colon isn't)
    – if no value is given, it defaults to /usr/bin/sh
    – the recommended shell is /usr/bin/ksh
    – the shell can be any executable program

$ grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
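The field rules above are easy to state and easy to break by hand-editing, which is why the course keeps saying to use the utilities. The following audit script is an added example, not part of the course notes: it checks a passwd-format file against those rules (seven fields, unique name of up to 8 characters, numeric UID/GID in 0 to 65535, absolute home directory) plus two checks a defender always wants, a second UID-0 account and an empty password field. The sample file it audits is constructed here with deliberate faults; on a real host point it at /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the course notes): audit a passwd-format file
# against the field rules on the /etc/passwd slide.

# Print one diagnostic per problem found in FILE; the exit status is the
# number of problems (0 means every entry passed).
check_passwd_file() {
    awk -F: '
        BEGIN { bad = 0 }
        # seven fields are required; an omitted shell still leaves its
        # colon in place, so NF is 7 even when the shell field is empty
        NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad++; next }
        # login name: up to 8 characters; letters, digits, "_" and "-" allowed
        $1 !~ /^[A-Za-z0-9_][A-Za-z0-9_-]*$/ || length($1) > 8 {
            printf "line %d: bad login name \"%s\"\n", NR, $1; bad++ }
        ($1 in seen) {
            printf "line %d: duplicate login name \"%s\" (first seen on line %d)\n", NR, $1, seen[$1]; bad++ }
        { seen[$1] = NR }
        # UID and GID: numeric, within 0..65535
        $3 !~ /^[0-9]+$/ || $3 + 0 > 65535 { printf "line %d: bad UID \"%s\"\n", NR, $3; bad++ }
        $4 !~ /^[0-9]+$/ || $4 + 0 > 65535 { printf "line %d: bad GID \"%s\"\n", NR, $4; bad++ }
        # UID 0 is root; any other entry with UID 0 is a second superuser
        $3 ~ /^0+$/ && $1 != "root" { printf "line %d: UID 0 held by \"%s\"\n", NR, $1; bad++ }
        # an empty password field means no password is required at login
        $2 == "" { printf "line %d: empty password field for \"%s\"\n", NR, $1; bad++ }
        # the home directory must be an absolute path
        $6 !~ /^\// { printf "line %d: home directory \"%s\" is not absolute\n", NR, $6; bad++ }
        END { exit bad }
    ' "$1"
}

# Constructed sample, not a real /etc/passwd: four good entries followed
# by five faulty ones (duplicate name, non-numeric UID, missing field,
# empty password, second UID-0 account)
make_sample_passwd() {
    cat >"$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
henry:x:321:152:Henry Blake:/home/henry:/bin/bash
klinger:x:401:100:Max Klinger:/home2/klinger:
henry:x:322:152:duplicate of line 3:/home/henry2:/bin/bash
radar:x:abc:100:non-numeric UID:/home/radar:/bin/ksh
hotlips:x:400:100:missing shell field and its colon:/home/hotlips
guest::500:100:empty password field:/home/guest:/bin/sh
sysadm:x:0:0:second UID-0 account:/root:/bin/bash
EOF
}

# Usage (stand-alone run): audit the constructed sample
sample=$(mktemp)
make_sample_passwd "$sample"
check_passwd_file "$sample" && echo "no problems found" || echo "problems found: $?"
rm -f "$sample"
```

The exit status doubles as the problem count, so the script drops straight into a cron job or a configuration check; anything other than 0 is worth a look, and the UID-0 and empty-password findings in particular should never appear on a production host.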
Allocating User IDs (UIDs)

• Zero is always used by root
• Entries less than 100 refer to special system accounts:

    root       superuser - unrestricted access to the entire system
    daemon     looks after background processes
    bin        owns some system commands
    uucp       owns uucp files and processes
    mail       mailserver daemon
    news       internet news daemon
    at, batch  daemon jobs
    ftp        owns ftp filesharing
    named      nameserver user for the DNS
    ntp        timeserver user
    sshd       secure shell subsystem
    haldaemon  hardware abstraction layer daemon
    lp         line printing subsystem user
    nobody     guest user

• Local user accounts normally start at 100 or higher
  – each user should have a unique user id
• User accounts normally start at 500 or higher
  – networked systems should use consistent user UIDs
Adding Users

• Don't edit the control files manually
• Use utilities such as useradd (SVR4), mkuser (AIX)
  – useradd creates the required records in the /etc/passwd and /etc/shadow files
  – it also allows you to create the directory structure for the new user
• Useful options to useradd to override the defaults:

    -u uid       specify new user id (default: next available number)
    -g group     specify default group (default other, GID=1)
    -c comment   description of user (default blank)
    -d dir       home directory
    -m           make home directory (recommended, default /home/username)
    -k skel_dir  skeleton home directory (default /etc/skel)
    -s shell     specify login program (default /bin/bash)

# useradd -m henry
# useradd -u 321 -g 152 -m -s /bin/bash hotlips

• Don't forget to give the user an initial password
Changing User Attributes

• Don't edit the control files manually
• Use the supplied utilities such as usermod (SVR4), chuser (AIX)
  – usermod uses the same basic set of options as useradd
  – if you modify the UID then use the -U option as well, to change the UID of files belonging to the user, but...
  – ...only files in the user's home directory, mail file and cron file will be affected; other files must be located and their ownership modified manually

# usermod -g users -c "Henry Blake" henry
# usermod -U -u 321 -s /bin/bash hotlips

• Account inactivity and expiry date can also be set by usermod

# usermod -f 10 henry
# usermod -e 01/31/05 hotlips
Changing Group Membership

• Each user belongs to a group (defined in /etc/passwd)
  – primary membership can be changed with usermod -g
• A user can also be allowed access to other groups
  – secondary membership is controlled by usermod -G
  – the group must already exist

# grep trapper /etc/passwd
trapper::416:400::/home/trapper:/bin/bash      trapper's primary group is 400
# groupadd -g 600 swamp                        add a new group
# usermod -G swamp trapper                     add trapper to group 600 (his primary membership is unchanged)
# grep trapper /etc/group
swamp::600:trapper
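Primary and secondary membership live in two different files, and the trapper example above only makes sense once you see how they combine. The script below is an added example, not part of the course notes: it resolves a user's full group list the way the system does, taking the primary group from the GID field of the passwd file and every secondary group from the member lists in the group file. The passwd and group files it reads are constructed here (the trapper and hotlips entries follow the slides; the extra users and the "radar" entry with an undefined GID are additions); on a real host pass /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not from the course notes): list a user's primary and
# secondary groups from passwd- and group-format files.

# user_groups PASSWD GROUP USER -> prints "primary [secondary ...]";
# returns 1 if USER has no passwd entry
user_groups() {
    passwd=$1; group=$2; user=$3
    # field 4 of the passwd entry is the primary GID
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    if [ -z "$gid" ]; then
        echo "no such user: $user" >&2
        return 1
    fi
    awk -F: -v u="$user" -v gid="$gid" '
        # the group line whose numeric id matches the passwd GID is primary
        $3 == gid { primary = $1 }
        {
            # field 4 is the comma-separated list of secondary members;
            # a user listed in their own primary group is not counted twice
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u && $3 != gid) sec = sec " " $1
        }
        END {
            # a GID with no group line is a misconfiguration worth seeing
            if (primary == "") primary = "gid=" gid "(undefined)"
            print primary sec
        }
    ' "$group"
}

# Constructed sample files, not real /etc/passwd and /etc/group
make_sample_files() {
    cat >"$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
trapper:x:416:400:Trapper John:/home/trapper:/bin/bash
hotlips:x:321:152:Margaret Houlihan:/home/hotlips:/bin/bash
radar:x:401:999:Walter O'Reilly:/home/radar:/bin/ksh
EOF
    cat >"$2" <<'EOF'
root::0:
users::400:hotlips
swamp::600:trapper,hotlips
barracks::152:trapper
EOF
}

# Usage (stand-alone run): show each sample user's membership
p=$(mktemp); g=$(mktemp)
make_sample_files "$p" "$g"
for u in trapper hotlips radar; do
    printf '%s: %s\n' "$u" "$(user_groups "$p" "$g" "$u")"
done
rm -f "$p" "$g"
```

The "(undefined)" case is the one to watch for after a groupdel: the passwd entry still carries the old GID, so the user keeps a primary group number that no longer has a name or a member list.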
Exercise - Adding and Modifying Users

• Write down the commands to perform the following:
  # add a user called frank
  # add a user called radar specifying the Korn shell
  # add a user called klinger using /home2/klinger as the home directory
  # add a user called mulcahy specifying a UID of 400 and a group of staff
  # modify the user frank to use the Korn shell
  # modify radar to give him a new UID of 401
Setting Passwords

• New user accounts have to have an initial password
• Forgotten passwords have to be reset
  – verify that the person asking for the reset is the account owner
• Use the standard passwd program with a username

# passwd henry
new password:
retype password:

  – as root you will not be prompted for the existing password
  – choose a simple password and inform the user verbally
• Lock the user account

# passwd -l henry
Choosing Passwords

• Too many passwords are easy to guess
  – a 1980's survey on US systems guessed 80% of passwords
  – standard password guessing programs are readily available
• Advise users on sensible passwords
  – no proper words or names
  – use letters and digits
  – include symbols
• Most systems enforce basic rules
  – minimum password length
  – use of non-alphanumerics
  – some systems can use dictionaries of disallowed words
• Systems like SuSE and RedHat keep a password history
  – used to stop users cycling round a few favourite passwords
• Don't have guest accounts
  – if someone has to use your system, give them an account with a password
The /etc/shadow file

• Each valid user must have an entry, of the format:

    name:password:last change:min:max:warn:inactive:expire:flag

  – name         user login name, cross-reference to the /etc/passwd file
  – password     valid (encrypted) passwords have exactly 13 characters
    – if this field is blank there is no password
    – NP in this field implies no password has been set (login not accessible)
    – LK or * in this field implies the account is never used (locked)
  – last change  number of days since 1/1/70 of the last password change
  – min          minimum number of days between password changes
  – max          maximum number of days the password is valid
  – warn         number of days before expiry that the user will be warned
  – inactive     number of inactivity days allowed for this user
  – expire       an absolute date, beyond which the account will be disabled
  – flag

$ grep root /etc/shadow
root:b93.GT2r.7IZ6:9718:0:60:7:::
Account Security

• Use preset expiry dates for temporary employees
  – very useful for contract staff

# usermod -e 12/24/05 hotlips

• Use inactivity counts to lock unused accounts
  – perhaps the user has left the company and no one told you

# usermod -f 5 hotlips

• Change passwords known by someone who leaves
  – change ALL passwords if they knew the root password
• Lock accounts if they are temporarily unused
  – user is on secondment or holiday

# passwd -l trapper

• Use the password ageing mechanism!

# passwd -n 27 -x 30 -w 3 radar
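The ageing fields set by usermod -e, usermod -f and passwd -n/-x/-w all land in the /etc/shadow entry described on the earlier slide, and the state of an account is a pure function of those fields and today's date. The script below is an added example, not part of the course notes, serving both the /etc/shadow slide and this one: it reads shadow-format entries and reports each account as locked, passwordless, expired, inside its warning period, or healthy. It treats every date as a day count since 1/1/70, which is how the file stores them (the expire field included; usermod -e converts the calendar date for you). The root entry is the one shown on the slide; the other entries, and the text in their password fields, are constructed. The "!" prefix is accepted as a locked marker alongside the slide's LK and * because that is what passwd -l writes on Linux.

```shell
#!/bin/sh
# Added example (not from the course notes): report account state from
# /etc/shadow ageing fields. All dates are days since 1/1/70.

# shadow_status ENTRY TODAY -> one line describing the account state
shadow_status() {
    IFS=: read -r name pw lastchg min max warn inactive expire flag <<EOF
$1
EOF
    today=$2
    # an absolute account expiry overrides every password state
    if [ -n "$expire" ] && [ "$today" -gt "$expire" ]; then
        echo "$name: account expired"; return 0
    fi
    case "$pw" in
        "")          echo "$name: NO PASSWORD - login needs none"; return 0 ;;
        NP)          echo "$name: no password set, login not accessible"; return 0 ;;
        LK*|\**|!*)  echo "$name: locked"; return 0 ;;   # LK and * per the slide, ! is Linux passwd -l
    esac
    if [ -z "$max" ]; then
        echo "$name: ok, password never expires"; return 0
    fi
    due=$((lastchg + max))                     # last day the password is valid
    if [ "$today" -gt "$due" ]; then
        if [ -n "$inactive" ] && [ "$today" -gt $((due + inactive)) ]; then
            echo "$name: password expired and inactivity limit passed, account disabled"
        else
            echo "$name: password expired $((today - due)) days ago, must change at login"
        fi
    elif [ -n "$warn" ] && [ "$today" -ge $((due - warn)) ]; then
        echo "$name: password expires in $((due - today)) days (warning period)"
    else
        echo "$name: ok, $((due - today)) days until password expiry"
    fi
}

# shadow_report FILE TODAY -> run every entry of FILE through shadow_status
shadow_report() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        shadow_status "$entry" "$2"
    done <"$1"
}

# Constructed sample shadow file (root line from the slide, the rest made up)
make_sample_shadow() {
    cat >"$1" <<'EOF'
root:b93.GT2r.7IZ6:9718:0:60:7:::
henry:Xy7Qk2p.a1b2c:9790:0:90:7:::
hotlips:Xy7Qk2p.a1b2c:9770:0:35:7:10::
trapper:Xy7Qk2p.a1b2c:9700:0:30:7:10::
klinger:LK:9700:0:30:7:::
guest::9700::::::
sshd:NP:9700::::::
mulcahy:Xy7Qk2p.a1b2c:9700:0:90:7::9750:
radar:!Xy7Qk2p.a1b2c:9790:27:30:3:::
EOF
}

# Usage (stand-alone run): today's day count comes from the clock
t=$(mktemp)
make_sample_shadow "$t"
shadow_report "$t" "$(( $(date +%s) / 86400 ))"
rm -f "$t"
```

Passing TODAY explicitly is what makes the check repeatable: with day 9800 the slide's root entry (last change 9718, max 60) comes out as expired 22 days ago, which is exactly the "forced change at next login" situation that the ageing mechanism is meant to produce.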
Exercise - Account Security

• Write down the commands to perform the following:
  # add a password for user frank
  # force frank to change his password at next login
  # enable password ageing for trapper (min 21 max 31 warn 7)
  # set the expiry date for hawkeye to 31 Jan 2005
  # lock henry's account
  # now unlock henry's account
Removing User: Preparation

• When a user leaves there are two main concerns:
  – protect the system from unauthorised access via his/her account
  – protect and manage his/her files and directories left on the system
• Proposed sequence of steps:
  – lock the account password, until you are ready to remove it altogether
  – save all files owned by the user somewhere outside the home directory
  – change the access permissions on the saved files, allowing access to root only
  – consider cron or at jobs set up by the user
  – set up mail forwarding to send mail to a manager

# passwd -l henry
# mkdir /hold; chmod 000 /hold
# cd /
# find . -user henry -print | cpio -ov | compress >/hold/henry
# find . -user henry -type f -exec rm -f {} \;
# find . -user henry -type d -exec rmdir {} \;
# su - henry -c "echo 'bigboss' > ~henry/.forward"
Removing User Account

• Delete the user account only when his/her data is safe
• Use the userdel utility (SVR4) or rmuser (AIX)
• Without any options userdel will leave all files owned by that user untouched and open to misuse
  – the -r option with userdel will remove the user's files, but only those in the home directory (including the home directory itself)

# userdel -r henry

  – userdel does not remove the mail file
  – more significantly, userdel does not remove the user's cron table or stop cron from executing the tasks scheduled by that user
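Because userdel -r stops at the home directory, the offboarding sequence on the preparation slide is only finished once you have confirmed that nothing of the user survives elsewhere. The script below is an added example, not part of the course notes, and serves both that slide and the userdel caveats above: given a filesystem root and a login name it looks for the mail spool, a cron table, a home directory that should be gone, and any file left without an owner now that the UID has been deleted. The tree it inspects here is constructed in a temporary directory (a mail file and a crontab for "henry", no home directory), and the spool locations are the usual Linux ones, listed as assumptions; on a real host run it as root with / as the root.

```shell
#!/bin/sh
# Added example (not from the course notes): find what a userdel left
# behind. Spool paths are the common Linux locations (assumed).

# leftover_check ROOT USER -> prints each leftover, returns 1 if any found
leftover_check() {
    root=$1; user=$2; found=0
    for path in \
        "$root/var/mail/$user" \
        "$root/var/spool/mail/$user" \
        "$root/var/spool/cron/$user" \
        "$root/var/spool/cron/crontabs/$user" \
        "$root/home/$user"
    do
        if [ -e "$path" ]; then
            echo "LEFTOVER: $path"
            found=$((found + 1))
        fi
    done
    # once the passwd entry is gone, files still carrying the old UID have
    # no owner name; -nouser finds them anywhere below ROOT on one filesystem
    orphans=$(find "$root" -xdev -nouser 2>/dev/null)
    if [ -n "$orphans" ]; then
        printf '%s\n' "$orphans" | sed 's/^/LEFTOVER (no owner): /'
        found=$((found + $(printf '%s\n' "$orphans" | wc -l)))
    fi
    [ "$found" -eq 0 ]
}

# Constructed tree standing in for a host where "userdel -r henry" has run:
# the home directory is gone, the mail spool and cron table are not
make_sample_tree() {
    mkdir -p "$1/var/mail" "$1/var/spool/cron" "$1/home"
    echo "From boss@example.invalid" >"$1/var/mail/henry"
    echo "0 2 * * * /home/henry/nightly.sh" >"$1/var/spool/cron/henry"
}

# Usage (stand-alone run): inspect the constructed tree
d=$(mktemp -d)
make_sample_tree "$d"
leftover_check "$d" henry && echo "nothing left behind" || echo "clean-up still needed"
rm -rf "$d"
```

The crontab finding is the important one: as the slide says, cron keeps running a deleted user's table, so that file must be removed (crontab -r -u before the userdel, or deleting the spool file afterwards). Queued at jobs are not covered by the path list; run atq as root and look for the user's name in its output.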
Summary

• User account information is stored in 3 files: /etc/passwd, /etc/shadow, /etc/group
• Account information contains:
  – login name
  – password
  – user and group ids
  – full name
  – home directory
  – login shell
• SVR4 provides utilities for manipulating user details:
  – passwd
  – useradd, usermod, userdel
  – groupadd, groupmod, groupdel