School of Informatics & Electrical Engineering
Department of Computer Science
Network and System Administration

Chapter 2: Account and Security Administration, and Access Control (DAC, RBAC)

Lecture Note Compiled by: Mr.
Topics
1. User and Group Concepts, and User Private Group Scheme
2. User Administration, Modifying Accounts and Group Administration
3. Password Aging and Default User Files
4. Managing File Ownership
5. Controlling Access to Files
6. Managing Disk Quotas
User and Group Concepts, and User Private Group Scheme
Linux is a multi-user operating system, which means more than one user can use Linux at the same time.
A user or account of a system is uniquely identified by a number called the UID (User Identification Number); a group is identified by a GID (Group Identification Number).
The user's full account information is stored in the /etc/passwd file, and the hashed password is stored in the file /etc/shadow.
The /etc/group file contains group information for each account.
/etc/gshadow contains secure group account information.
Two different types of user accounts can be created:
1. Local user accounts: stored on the local computer
2. Domain user accounts: stored in Active Directory
Account names can be between 1 and 20 characters (letters and/or numbers).
Account names are not case sensitive.
The following characters cannot be used in the account name: " / \ [ ] : ; | , + = * ? < > @

Using groups, you can perform a variety of tasks that affect the accounts and groups that are members:
Assigning rights to a group account to authorize its members to perform a certain task.
Assigning permissions on shared resources to a group so that all members can access the resource in the same manner.
Distributing bulk e-mail to all members of the group.
There are two different types of groups:
1. Security groups
2. Distribution groups
A security group is a collection of users who have specific rights and permissions to resources.
Permissions are used to control access to resources.
Distribution groups are used for sharing information.
This type of group allows applications such as Microsoft Exchange to send e-mail to a collection of users.
Active Directory provides three different scopes for groups:
1. Universal: used for assigning permissions to related resources in multiple domains.
2. Global: for users who share similar network access requirements.
3. Domain Local: for assigning permissions to resources.
User Administration, Modifying Accounts and Group Administration
The following are basic commands for user administration in Linux OS:

User account management

Group administration
Password Aging and Default User Files
• Linux user accounts are the mechanism by which the Linux operating system handles the task of protection.
• In Linux, there are three forms of user accounts:
1. root
2. user (human) accounts
3. software accounts

• Username
• Password
✓ By default, all user home directories are created and maintained in the /home directory.
✓ However, the root user's home directory is /root.
• To view information about the user_name account on a Linux system, enter: finger user_name
• The following information about the user account is displayed:
➔ Login: the username that is used to authenticate to the system.
➔ Name: the user's full name.
➔ Directory: the user's home directory.
➔ Shell: the default shell that will be provided to the user.
➔ Last Login: the last time the user logged in and where from.
• To view the UID for a given user account: id username
Example: to view information about our chun user account, we can enter: id chun

• The root user account is always assigned a UID of 0 on Linux distributions.
• Distributions may use different numbering schemes for the UIDs of other accounts, however. For example, UIDs on a Red Hat system start at 500 instead of 1000.
• It is this UID that the operating system actually uses to control access to files and directories in the file system.

Where Linux User Accounts Are Stored
➢ Linux is a very flexible operating system. One of its flexible features is the location of user accounts on the system.
➢ When you originally installed the system, your distribution may have given you several options for where you wanted to store your user accounts. This screen allows you to choose from the following authentication methods:

1. Local: This option stores user accounts in the /etc/passwd file. This has been the default configuration used by Linux systems for many years.
2. LDAP: This is a newer option that many Linux administrators are starting to adopt. Instead of storing user accounts in a file in the file system, user accounts are stored in a directory service provided by OpenLDAP. Unlike local authentication, which uses a flat file, the directory service is hierarchical in nature, allowing you to sort and organize your user accounts by location, function, or department.
• /etc/passwd: This file contains the user account information for your system.
• /etc/shadow: This file contains the passwords for your user accounts.
• /etc/group: This file contains your system's groups.

➢ Each line of /etc/passwd has the form:
Username:Password:UID:GID:Full_Name:Home_Directory:Default_Shell
• Username: This field identifies the username the user will supply when logging in to the system.
• Password: This is a legacy field. At one time, the user's password was stored in encrypted form in this field in the passwd file. However, for security reasons, the password has been moved from /etc/passwd to /etc/shadow.
• UID: This is the user ID for the user account.
• GID: This field references the group ID number of the user's default group.
• Full_Name: This field contains the user's full name.
• Home_Directory: This field contains the path to the user's home directory.
• Default_Shell: This field specifies the shell that will be used by default.

Local options
• Each line of /etc/shadow has the form:
Username:Password:Last_Modified:Min_Days:Max_Days:Days_Warn:Disabled_Days:Expire
• Username: This is the user's login name from /etc/passwd.
• Password: This is the user's password in encrypted (hashed) form.
• Last_Modified: This field displays the number of days since the password was
Password security mechanisms
• Min_Days: This field displays the minimum number of days required before a password can be changed.
• Max_Days: This field displays the maximum number of days before a password must be changed.
• Days_Warn: This field displays the number of days prior to password expiration that the user will be warned of the pending expiration.
• Disabled_Days: This field displays the number of days to wait after a password has expired before disabling the account.
• Expire: This field displays the number of days after which the account will be disabled.
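As an added example (not part of the lecture notes), the following POSIX shell function splits one /etc/shadow record into the fields listed above and reports its aging state for a given day number; the records, the placeholder hash text and the day numbers are all constructed, and "today" is passed in explicitly so the result does not depend on the clock.

```shell
#!/bin/sh
# Added example, not from the lecture notes: evaluate the aging fields of one
# /etc/shadow record. Field order (see the slides above):
#   Username:Password:Last_Modified:Min_Days:Max_Days:Days_Warn:Disabled_Days:Expire
# Last_Modified and Expire are day numbers counted from 1970-01-01.

# shadow_status RECORD TODAY
#   TODAY is a day number passed in by the caller so results are reproducible.
#   Prints one of: expired | locked | no-aging | inactive | must-change | warn | ok
shadow_status() {
    IFS=: read -r user pw last min max warn inact expire _ <<EOF
$1
EOF
    today=$2                       # Min_Days is read but not needed for the status
    # An account expiry date (Expire) overrides every password-aging rule.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo expired; return
    fi
    # A hash beginning with '!' or '*' is locked or unusable: no password login.
    case $pw in
        '!'*|'*'*) echo locked; return ;;
    esac
    # Empty Max_Days (or the conventional 99999) means aging is not enforced.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo no-aging; return
    fi
    age=$((today - last))          # days since the password was last set
    left=$((max - age))            # days until the password must be changed
    if [ -n "$inact" ] && [ "$left" -lt $((0 - inact)) ]; then
        echo inactive; return      # beyond Max_Days + Disabled_Days: account disabled
    fi
    if [ "$left" -le 0 ]; then
        echo must-change; return   # password expired, still inside Disabled_Days
    fi
    if [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
        echo warn; return          # inside the Days_Warn window
    fi
    echo ok
}

# Constructed records; the hash text is a placeholder, not a real password hash.
# Day 19050 (the "today" used below) is 2022-02-27.
SAMPLE_OK='alice:$6$PLACEHOLDERHASH:19000:7:90:14:30:'
SAMPLE_WARN='bob:$6$PLACEHOLDERHASH:18970:7:90:14:30:'
SAMPLE_MUST='carol:$6$PLACEHOLDERHASH:18950:7:90:14:30:'
SAMPLE_INACT='dave:$6$PLACEHOLDERHASH:18800:7:90:14:30:'
SAMPLE_LOCKED='eve:!$6$PLACEHOLDERHASH:19000:7:90:14:30:'
SAMPLE_EXPIRED='frank:$6$PLACEHOLDERHASH:19000:7:90:14:30:19040'

for r in "$SAMPLE_OK" "$SAMPLE_WARN" "$SAMPLE_MUST" "$SAMPLE_INACT" \
         "$SAMPLE_LOCKED" "$SAMPLE_EXPIRED"; do
    printf '%-6s %s\n' "${r%%:*}" "$(shadow_status "$r" 19050)"
done
```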
Controlling Access to Files and Permission
• Permissions are a mechanism to support operating system protection.
• Protection ensures that users do not misuse system resources (CPU, memory, network, partitions, directories and files).
• Permissions specify who can access a file or directory and the types of access.
• In Linux, permissions are controlled at three levels:
1. Owner (called user, or 'u' for short)
2. Group ('g' for short)
3. The rest of the world (called other, or 'o' for short)
Controlling Access to Files
➢ Each level of access provides:
• Read: for a file, it can be viewed or copied. For a directory, the directory's contents can be listed with ls.
• Write: for a file, it can be overwritten (e.g., using "save as"). For a directory, files can be written there.
• Execute: for a file, it can be executed (this is necessary for executable programs and shell scripts). For a directory, a user can cd into it.
• Note: to delete a file, you must have write access to the directory that contains it.
➢ In the long listing (ls -l), the first 10 characters of a line are a combination of letters and hyphens.

File Permission
➢ On a Linux system, each file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else.
➢ Rights can be assigned to read a file, to write a file, and to execute a file.
➢ To see the permission settings for a file, we can use the ls -l command.

➢ Example: we will look at the [Link] permissions:
$ ls -l [Link]
-rwxr-xr-x 1 root root 316848 Feb 27 2017
➢ Here we can see:
➢ The file "[Link]" is owned by user "root".
➢ The super user has the right to read, write, and execute this file.
➢ The file is owned by the group "root".
➢ Members of the group "root" can also read and execute this file.
➢ Everybody else can read and execute this file.
➢ To change a file's permissions, the command is chmod. The command's syntax is:
• chmod permissions file(s)
➢ where permissions can be specified using one of three different approaches:
• 1. Describe the changes to be applied as a combination of u, g, o along with r, w, x. To add a permission, use + and to remove a permission, use -.
➢ Example: [Link] is currently readable and writable by u and g and readable by o. To remove write permission from the group and read permission from other, the command would be:
• chmod g-w,o-r [Link]
• 2. Altering permissions with = assigns the new permissions outright rather than changing the existing ones.
• Example: To make [Link] readable, writable, and executable by the user, readable by the group, and give nothing to the world, this could be done with:
• chmod u=rwx,g=r,o= [Link]
• You can combine =, +, and - as in:
• chmod u=rwx,g-w+x,o-r [Link]

• 3. Using a 3-digit number. Each digit is the sum of the access rights granted to that party (user, group, other), where readable is 4, writable is 2, and executable is 1.
• Read, write and execute would be 4 + 2 + 1 = 7.
• Read and execute would be 4 + 1 = 5.
• N.B.: No access at all would be 0.

• Example: we want file1.txt to have readable, writable, and executable access for the owner, readable and executable access for the group, and no access for the world/other. The command would be:
• chmod 750 [Link]
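As an added example (not part of the lecture notes), the following POSIX shell functions convert between the nine permission characters shown by ls -l and the 3-digit octal form of approach 3, then run the symbolic example from approach 1 and chmod 750 on a scratch file created with mktemp and read the resulting mode back from ls -l.

```shell
#!/bin/sh
# Added example, not from the lecture notes: convert between the nine permission
# characters of `ls -l` (rwx for user, group and other) and the 3-digit octal
# value used by chmod, then apply the slides' chmod examples to a temporary
# file and read the resulting mode back from `ls -l`.

# mode_to_octal RWXSTRING   e.g. rwxr-x--- -> 750 (fails on malformed input)
mode_to_octal() {
    s=$1 out=''
    [ ${#s} -eq 9 ] || return 1
    while [ -n "$s" ]; do
        t=${s%"${s#???}"}; s=${s#???}          # next three characters
        d=0
        case $t in r??) d=$((d + 4)) ;; esac   # read    = 4
        case $t in ?w?) d=$((d + 2)) ;; esac   # write   = 2
        case $t in ??x) d=$((d + 1)) ;; esac   # execute = 1
        out="$out$d"
    done
    echo "$out"
}

# octal_to_mode NNN   e.g. 750 -> rwxr-x--- (digits must be 0-7)
octal_to_mode() {
    n=$1 out=''
    case $n in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    while [ -n "$n" ]; do
        d=${n%"${n#?}"}; n=${n#?}              # next digit
        t=''
        if [ $((d / 4 % 2)) -eq 1 ]; then t="${t}r"; else t="${t}-"; fi
        if [ $((d / 2 % 2)) -eq 1 ]; then t="${t}w"; else t="${t}-"; fi
        if [ $((d % 2)) -eq 1 ]; then t="${t}x"; else t="${t}-"; fi
        out="$out$t"
    done
    echo "$out"
}

# perms_of FILE   the nine permission characters (columns 2-10 of `ls -l`)
perms_of() {
    ls -ld "$1" | cut -c2-10
}

# Run the slides' two examples on a scratch file; prints "<after g-w,o-r> <after 750>"
demo_chmod() {
    f=$(mktemp) || return 1
    chmod 664 "$f"                 # start as rw-rw-r--: u and g read/write, o read
    chmod g-w,o-r "$f"             # approach 1: drop group write and other read
    sym=$(perms_of "$f")           # expected rw-r-----
    chmod 750 "$f"                 # approach 3: u=rwx (7), g=r-x (5), o=--- (0)
    oct=$(perms_of "$f")           # expected rwxr-x---
    rm -f "$f"
    echo "$sym $oct"
}
```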

Managing File Ownership
• You can specify a different user and/or group as the owner of a given file or directory.
• To change the user who owns a file, you must be logged in as root.
• To change the group that owns a file, you must be logged in as root or as the user who currently owns the file.
✓ Using chown
✓ Using chgrp
Using chown
– The chown utility can be used to change the user or group that owns a file or directory.
Syntax: chown [Link] file_or_directory
Ex: If I wanted to change the file's owner to the ncth1 user, I would enter:
chown ncth1 /tmp/[Link]

– If I wanted to change this to the users group, of which the user is a member, I would enter:
chown .users /tmp/[Link]
Notice that I used a period (.) before the group name to tell chown that the entity specified is a group, not a user account. Current GNU chown documents the colon as the separator (chown :users file, or chown user:group file) and accepts the period only for compatibility with older systems.
Ex: chown [Link] /tmp/[Link]
Note: You can use the -R option with chown to change ownership on many files at once, recursively.

Using chgrp
• In addition to chown, you can also use chgrp to change the group that owns a file or directory.
• Syntax:
chgrp group file (or directory)
• For example:
chgrp student /tmp/[Link]

Managing Disk Quotas
➢ Implementing a disk quota prevents users or groups from using too much storage space on a Linux system.
➢ This is very useful on systems such as file servers that allow many users to connect and store data, as it ensures that no single user can consume an unexpected amount of storage and disrupt storage or processes on the server by making it run out of disk space.
➢ Linux administrators should always put a quota on the maximum storage usage for users, as well as other user environment limits such as the maximum number of processes and open files.
There are three major concepts that you should understand prior to implementing disk quotas:
1. Hard Limit
The hard limit defines the absolute maximum amount of disk space that a user or group can use. Once this limit is reached, no further disk space can be used.
2. Soft Limit
The soft limit defines the maximum amount of disk space that can be used. However, unlike the hard limit, the soft limit can be exceeded for a certain amount of time.
3. Grace Period
The grace period is the time during which the soft limit may be exceeded.
The grace period can be expressed in seconds, minutes, hours, days, weeks, or months, giving the system administrator a great deal of freedom in determining how much time to give users to get their disk usage below their soft limit.

These are the steps:
1. Install quota
a) sudo apt-get install quota
2. Inform the system about quotas
a) Edit /etc/fstab
b) Append usrquota and/or grpquota to the mount options, i.e. defaults,[usrquota],[grpquota] (each bracketed option is optional)
3. Remount the disk
a) mount -o remount /home
4. Create the quota database
a) quotacheck -cu filesystem (use -cg for group quotas)
5. Assign the quotas
a) Assign per-user and/or per-group quotas
To implement disk quotas, use the following steps:
1. Enable quotas per file system by modifying /etc/fstab
2. Remount the file system(s)
3. Create the quota files and generate the disk usage table by running quotacheck
4. Assign quotas

Enabling Quotas: Edit fstab to enable usrquota
LABEL=/1         /       ext3   defaults                    1 1
LABEL=/boot      /boot   ext3   defaults                    1 2
LABEL=/users     /users  ext3   exec,dev,suid,rw,usrquota   1 2
LABEL=/var       /var    ext3   defaults                    1 2
LABEL=SWAP-sda5  swap    swap   defaults                    0 0
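As an added example (not part of the lecture notes), the following POSIX shell function performs the fstab edit from the procedure above on a copy of the file, appending usrquota and grpquota to the options of one mount point without duplicating an option that is already there; the sample fstab is constructed, and its /users line carries the usrquota option from the listing above so the partial case is covered too.

```shell
#!/bin/sh
# Added example, not from the lecture notes: add usrquota and grpquota to the
# options field of one /etc/fstab entry. Works on whatever file it is given
# (here a constructed copy), never on the live /etc/fstab.
# fstab columns: device  mountpoint  fstype  options  dump  pass

# add_quota_opts FSTAB_FILE MOUNTPOINT
#   Prints FSTAB_FILE with usrquota and grpquota appended to the options
#   (4th field) of the entry whose mount point (2nd field) is MOUNTPOINT.
#   Comments, blank lines and other entries pass through unchanged, and an
#   option already present is not added twice, so the edit is safe to re-run.
#   Pass "-" as the file to read standard input.
add_quota_opts() {
    awk -v mp="$2" '
        NF == 0 || $1 ~ /^#/ || $2 != mp { print; next }
        {
            n = split($4, opt, ",")
            have_u = 0; have_g = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "usrquota") have_u = 1
                if (opt[i] == "grpquota") have_g = 1
            }
            if (!have_u) $4 = $4 ",usrquota"
            if (!have_g) $4 = $4 ",grpquota"
            print                # $0 is rebuilt from the modified fields
        }' "$1"
}

# make_sample_fstab   writes a constructed fstab to a temp file and prints its path
make_sample_fstab() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample, not a real system's fstab
LABEL=/       /       ext4  defaults      1 1
LABEL=/home   /home   ext4  defaults      1 2
LABEL=/users  /users  ext4  rw,usrquota   1 2
LABEL=SWAP    swap    swap  defaults      0 0
EOF
    echo "$f"
}

# options_for FSTAB_FILE MOUNTPOINT   the options (4th field) of one entry
options_for() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# Demonstration: enable both quota types on /home and show the resulting options.
fstab=$(make_sample_fstab)
add_quota_opts "$fstab" /home > "$fstab.new"
options_for "$fstab.new" /home       # defaults,usrquota,grpquota
rm -f "$fstab" "$fstab.new"
```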

Remounting the File Systems: Issue the umount command followed by the mount command to remount the file system in which quota has been implemented (umount /users; mount /users)
Creating the Quota Database Files: Use the quotacheck command to create the [Link] file:
quotacheck -cu /users
Assigning Quotas per User: assign the disk quotas with the edquota command (edquota <username>), which opens the user's quota entry in an editor, for example:
Disk quotas for user web_cc (uid 524):
  Filesystem   blocks    soft      hard      inodes   soft   hard
  /dev/sdb1    988612    1024000   1075200   7862     0      0
