Unix System Admin


Managing Users

• Objectives
  – to be able to add, modify and remove Unix user accounts
• Contents
  – requirements for a user account
  – configuration files (passwd, shadow)
  – adding users
  – modifying user details
  – passwords
  – deleting users
  – working with groups
• Practicals
  – to add several user accounts
• Summary

New User Requirements

• An entry in /etc/passwd, which will define the user
  – login name
  – user id
  – default group
  – descriptive name
  – login program (shell)
• An entry in /etc/shadow, which will control account access
  – initial password
  – password aging information
• An entry in /etc/group, for the default group assignment
  – one of the existing groups in this file will become the user's primary group
  – user access to groups other than the primary group can be allowed in this file
• And somewhere to store files
  – a home directory
  – an initial .bash_profile and application startup files

Preparing Groups (/etc/group)

• Use groups for working on projects and in departments
  – groups provide a second level of access control
  – groups will allow users to share files
• Set up groups before adding new users
• One line per group in /etc/group, of the form:

    name::gid:user1,user2

  – name: group name
  – gid: numeric id
  – user1,user2: list of users allowed 'secondary' access to this group
• An entry for a new group is added with the groupadd utility
• To change or remove a group use groupmod and groupdel

  # groupadd -g 151 swamp
  # groupadd -g 152 barracks

The /etc/passwd file

• Each valid user must have an entry in this file
• One line per user of the form (the empty second field is the password, which is held in /etc/shadow):

    name::UID:GID:comment:home directory:shell

  – name: must be unique, up to 8 alphanumeric characters, usually lower case
  – UID: user id, a numeric value within the range of 0 to 65535
  – GID: user's primary group, a numeric value within the range of 0 to 65535
  – comment: this field is free format text, usually a fuller description of the user
  – home directory: this is the account location, usually under /home
  – shell: startup program; it is optional (but the last colon isn't)
      if no value is given, it defaults to /usr/bin/sh
      the recommended shell is /usr/bin/ksh
      the shell can be any executable program

  $ grep root /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  operator:x:11:0:operator:/root:/sbin/nologin
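As an added example (not part of the slides), the following shell/awk audit applies the /etc/passwd rules just listed (seven fields, unique name, UID and GID in 0 to 65535, a home directory) and cross-checks each primary GID against the /etc/group entries described earlier. The passwd and group contents are constructed samples with deliberate faults; the field rules are the slide's.

```shell
#!/bin/sh
# Constructed sample /etc/passwd and /etc/group text (not real system files).
# Deliberate faults: ghost's GID is unknown, nocolon lacks the final field,
# huge's UID is above 65535, and henry appears twice.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
henry:x:500:100:Henry Blake:/home/henry:/bin/bash
hotlips:x:321:152::/home/hotlips:/bin/bash
trapper:x:416:400::/home/trapper:/bin/bash
ghost:x:510:999::/home/ghost:/bin/sh
nocolon:x:502:100:missing last colon:/home/nocolon
huge:x:70000:100:uid too high:/home/huge:/bin/sh
henry:x:501:100:duplicate name:/home/henry2:/bin/sh'
GROUP_SAMPLE='root::0:
users::100:
barracks::152:henry
staff::400:
swamp::600:trapper'

# audit_passwd PASSWD_TEXT GROUP_TEXT
# Prints one line per rule broken; exit status 1 if anything was reported, else 0.
# On a live system: audit_passwd "$(cat /etc/passwd)" "$(cat /etc/group)"
audit_passwd() {
    printf '%s\n' "$1" | awk -F: -v groups="$2" '
    BEGIN {
        # Index every GID defined in the group text so primary groups can be checked.
        n = split(groups, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], g, ":"); known_gid[g[3]] = g[1] }
        bad = 0
    }
    {
        # Seven colon-separated fields; the shell may be empty but its colon must exist.
        if (NF != 7) { print "line " NR ": expected 7 fields, got " NF; bad++; next }
        if ($1 in seen) { print "line " NR ": duplicate login name " $1; bad++ }
        seen[$1] = 1
        if ($3 !~ /^[0-9]+$/ || $3 > 65535) { print "line " NR ": UID out of range " $3; bad++ }
        if ($4 !~ /^[0-9]+$/ || $4 > 65535) { print "line " NR ": GID out of range " $4; bad++ }
        else if (!($4 in known_gid)) { print "line " NR ": GID " $4 " not defined in group file"; bad++ }
        if ($6 == "") { print "line " NR ": no home directory for " $1; bad++ }
    }
    END { exit (bad > 0) }'
}
```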

Allocating User IDs (UIDs)

• Zero is always used by root
• Entries less than 100 refer to special system accounts:
  – root: superuser - unrestricted access to the entire system
  – daemon: looks after background processes
  – bin: owns some system commands
  – uucp: owns uucp files and processes
  – mail: mailserver daemon
  – news: internet news daemon
  – at, batch: daemon jobs
  – ftp: owns ftp filesharing
  – named: nameserver user for the dns
  – ntp: timeserver user
  – sshd: Secure shell subsystem
  – haldaemon: hardware abstraction layer daemon
  – lp: line printing subsystem user
  – nobody: guest user
• Local user accounts normally start at 100 or higher
  – each user should have a unique user id
• User accounts normally start at 500 or higher
  – networked systems should use consistent user UIDs

Adding Users

• Don't edit the control files manually
• Use utilities such as useradd (SVR4), mkuser (AIX)
  – useradd creates the required records in the /etc/passwd and /etc/shadow files
  – it allows you to create the directory structure for the new user
• Useful options to useradd to override defaults:
  – -u uid        specify new user id (default: next available number)
  – -g group      specify default group (default other, GID=1)
  – -c comment    description of user (default blank)
  – -d dir        home directory (default /home/username)
  – -m            make home directory (recommended)
  – -k skel_dir   skeleton home directory (default /etc/skel)
  – -s shell      specify login program (default /bin/bash)

  # useradd -m henry
  # useradd -u 321 -g 152 -m -s /bin/bash hotlips

• Don't forget to give the user an initial password

Changing User Attributes

• Don't edit the control files manually
• Use supplied utilities such as usermod (SVR4), chuser (AIX)
  – usermod uses the same basic set of options that are used with useradd
  – if you modify the UID then use the -U option as well, to change the UID of files belonging to the user, but...
  – ...only files in the user's home directory, mail file and cron file will be affected; other files must be located and their ownership modified manually

  # usermod -g users -c "Henry Blake" henry
  # usermod -U -u 321 -s /bin/bash hotlips

• Account inactivity and expiry date can also be set by usermod

  # usermod -f 10 henry
  # usermod -e 01/31/05 hotlips

Changing Group Membership

• Each user belongs to a group (defined in /etc/passwd)
  – primary membership can be changed with usermod -g
• A user can also be allowed access to other groups
  – secondary membership is controlled by usermod -G
  – the group must already exist

  trapper's primary group is 400:
  # grep trapper /etc/passwd
  trapper::416:400::/home/trapper:/bin/bash

  add a new group:
  # groupadd -g 600 swamp

  add trapper to group 600 (his primary membership is unchanged):
  # usermod -G swamp trapper
  # grep trapper /etc/group
  swamp::600:trapper

Exercise - Adding and Modifying Users

Write down the commands to perform the following:

• add a user called frank
• add a user called radar specifying the Korn shell
• add a user called klinger using /home2/klinger as the home directory
• add a user called mulcahy specifying a UID of 400 and a group of staff
• modify the user frank to use the Korn shell
• modify radar to give him a new UID of 401

Setting Passwords

• New user accounts have to have an initial password
• Forgotten passwords have to be reset
  – verify that the person asking to reset the password is the account owner
• Use the standard passwd program with a username

  # passwd henry
  new password:
  retype password:

  – as root you will not be prompted for an existing password
  – choose a simple password and inform the user verbally
• Lock the user account

  # passwd -l henry

Choosing Passwords

• Too many passwords are easy to guess
  – a 1980's survey on US systems guessed 80% of passwords
  – standard password guessing programs are readily available
• Advise users on sensible passwords
  – no proper words or names
  – use letters and digits
  – include symbols
• Most systems enforce basic rules
  – minimum password length
  – use of non-alphanumerics
  – some systems can use dictionaries of disallowed words
• Systems like SuSE and RedHat keep a password history
  – used to stop users cycling round a few favourite passwords
• Don't have guest accounts
  – if someone has to use your system give them an account with a password
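The rules above are the ones a system applies before accepting a new password. This added example (not from the slides) implements them in shell: letters, digits and a symbol, a minimum length, a dictionary of disallowed words and a password history. The 8-character minimum, the word list and the history passed as extra arguments are assumptions.

```shell
#!/bin/sh
# Constructed word list standing in for the system's dictionary of disallowed
# words (assumed; a real system would read a much larger file).
DISALLOWED_WORDS='password
secret
henry
swamp'

# check_password CANDIDATE [PREVIOUS_PASSWORD ...]
# Prints each rule the candidate breaks; exit status 1 if any, 0 if acceptable.
# Example: check_password 'Tr4pper#Jeep' 'old-password-1' 'old-password-2'
check_password() {
    pw=$1; shift
    bad=0
    # Minimum length (8 is an assumed policy value).
    if [ ${#pw} -lt 8 ]; then echo "shorter than 8 characters"; bad=1; fi
    # Letters and digits, plus at least one non-alphanumeric symbol.
    case $pw in *[0-9]*) ;; *) echo "no digit"; bad=1 ;; esac
    case $pw in *[A-Za-z]*) ;; *) echo "no letter"; bad=1 ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) echo "no symbol"; bad=1 ;; esac
    # Dictionary check: reject if any disallowed word appears inside the candidate,
    # regardless of case.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for w in $DISALLOWED_WORDS; do
        case $lower in *"$w"*) echo "contains disallowed word '$w'"; bad=1 ;; esac
    done
    # History check: stop users cycling round their previous passwords.
    for old in "$@"; do
        [ "$pw" = "$old" ] && { echo "reused a previous password"; bad=1; }
    done
    return $bad
}
```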

The /etc/shadow file

Each valid user must have an entry, of the format:

    name:password:last change:min:max:warn:inactive:expire:flag

  – name: user login name, cross-reference to the /etc/passwd file
  – password: valid (encrypted) passwords have exactly 13 characters
      if this field is blank there is no password
      NP in this field implies no password has been set (login not accessible)
      LK or * in this field implies the account is never used (locked)
  – last change: number of days since 1/1/70 of the last password change
  – min: minimum number of days between password changes
  – max: maximum number of days the password is valid
  – warn: number of days before expiry that the user will be warned
  – inactive: number of inactivity days allowed for this user
  – expire: an absolute date, beyond which the account will be disabled

  $ grep root /etc/shadow
  root:b93.GT2r.7IZ6:9718:0:60:7:::

Account Security

• Use preset expiry dates for temporary employees
  – very useful for contract staff

  # usermod -e 12/24/05 hotlips

• Use inactivity counts to lock unused accounts
  – perhaps the user has left the company and no one told you

  # usermod -f 5 hotlips

• Change passwords known by someone who leaves
  – change ALL passwords if they knew the root password
• Lock accounts if they are temporarily unused
  – user is on secondment or holiday

  # passwd -l trapper

• Use the password ageing mechanism!

  # passwd -n 27 -x 30 -w 3 radar
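An added example, not part of the slides, that ties the /etc/shadow fields described earlier to the account security measures above: it reads shadow-style entries and reports each account's state from the password field (blank, NP, LK, *) and the ageing fields (last change, max, warn, inactive, expire) for a given day count. The root line is the slide's own; the other entries and the "today" value are constructed, and the leading "!" lock marker is the Linux passwd -l convention added alongside the slide's LK and *.

```shell
#!/bin/sh
# Constructed sample /etc/shadow text. The root line is the slide's example;
# the other entries are made up so that every status below is exercised.
SHADOW_SAMPLE='root:b93.GT2r.7IZ6:9718:0:60:7:::
henry:b93.GT2r.7IZ6:9700:0:60:7:5::
hotlips:!b93.GT2r.7IZ6:9700:::::
trapper:NP:9700:::::
radar::9700:::::
klinger:b93.GT2r.7IZ6:0:::::
hawkeye:b93.GT2r.7IZ6:9700:0:90:7::9760:'

# shadow_status SHADOW_TEXT TODAY
# TODAY is a day count since 1/1/70, the same unit as the "last change" field.
# Prints "name status" per entry: password-field markers first, then account
# expiry, then password ageing (a simplified version of what login checks).
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        name = $1; pw = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        if (pw == "")
            st = "NO PASSWORD (login without a password)"
        else if (pw == "NP")
            st = "no password set (login not accessible)"
        else if (pw == "LK" || pw == "*" || pw ~ /^!/)
            st = "locked"
        else if (last == 0)
            st = "must change password at next login"
        else if (expire != "" && today > expire)
            st = "account expired"
        else if (max == "")
            st = "ok (no password ageing)"
        else if (inact != "" && today > last + max + inact)
            st = "locked by inactivity"
        else if (today > last + max)
            st = "password expired"
        else if (today >= last + max - warn)
            st = "password expires in " (last + max - today) " days"
        else
            st = "ok"
        print name " " st
    }'
}

# Report the sample as of day 9775 (a constructed "today").
shadow_status "$SHADOW_SAMPLE" 9775
```

On a live system the same function runs over the real file with `shadow_status "$(cat /etc/shadow)" $(( $(date +%s) / 86400 ))` as root.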

Exercise - Account Security

Write down the commands to perform the following:

• add a password for user frank
• force frank to change his password at next login
• enable password ageing for trapper (min 21, max 31, warn 7)
• set the expiry date for hawkeye to 31 Jan 2005
• lock henry's account
• now unlock henry's account

Removing User: Preparation

• When a user leaves there are two main concerns:
  – protect the system from unauthorised access via his/her account
  – protect and manage his/her files and directories left on the system
• Proposed sequence of steps
  – lock the account password, until you are ready to remove it altogether
  – save all files owned by the user, somewhere outside the home directory
  – change access permissions on the saved files, allowing access to root only
  – consider cron or at jobs set up by the user
  – set up mail forwarding to send mail to a manager

  # passwd -l henry
  # mkdir /hold; chmod 000 /hold
  # cd /
  # find . -user henry -print | cpio -ov | compress >/hold/henry
  # find . -user henry -type f -exec rm -f {} \;
  # find . -depth -user henry -type d -exec rmdir {} \;
  # su - henry -c "echo 'bigboss' > ~henry/.forward"

Removing User Account

• Delete a user account only when his/her data is safe
• Use the userdel utility (SVR4) or rmuser (AIX)
• Without any options userdel will leave all files owned by that user untouched and open to misuse
  – the -r option with userdel will remove user files, but only those in the home directory (including the home directory itself)

  # userdel -r henry

  – userdel does not remove the mail file
  – more significantly, userdel does not remove the user's cron table or stop cron from executing the tasks scheduled by that user

Summary

• User account information is stored in 3 files: /etc/passwd, /etc/shadow, /etc/group
• Account information contains:
  – login name
  – password
  – user and group ids
  – full name
  – home directory
  – login shell
• SVR4 provides utilities for manipulating user details
  – passwd
  – useradd, usermod, userdel
  – groupadd, groupmod, groupdel