Chapter 11: Managing Users
The Complete Guide to Linux System Administration
�Objectives
Create and manage user accounts Manage complex file permissions Review advanced user security issues
The Complete Guide to Linux System Administration
�Creating and Managing User Accounts
Process of creating new user accounts
Add default files to be part of every users home directory to /etc/skel directory Create home directory for all users Configure default settings for all users Create groups Create user account for each person Create valid password for each user
The Complete Guide to Linux System Administration
�Managing User Accounts Graphically
/etc/passwd file defines user accounts, including:
User name Password UID GID Comment field Users home directory Users default shell
vipw command edits /etc/passwd file passwd command defines password
The Complete Guide to Linux System Administration
�Managing User Accounts Graphically (continued)
Utilities to create new user accounts
Graphical tools Command-line utilities
system-config-users utility
Red Hat graphical user account creation tool Information from /etc/passwd file shown in window Can edit each fields Edit password information stored in /etc/shadow
5
The Complete Guide to Linux System Administration
�Managing User Accounts Graphically (continued)
The Complete Guide to Linux System Administration
�Managing User Accounts Graphically (continued)
User Properties dialog, User Data tab
User name Full name Password and confirm password Home directory Login shell
User Properties dialog, Account Info tab
Enable account expiration Lock local password
The Complete Guide to Linux System Administration 7
�Managing User Accounts Graphically (continued)
User Properties dialog, Password Info tab
View when user last changed password Enable password expiration
Experts recommend changing password every 30 to 60 days User Properties dialog, Groups tab
Lists groups from /etc/group file Each user assigned primary group
The Complete Guide to Linux System Administration
�Managing User Accounts Graphically (continued)
User private group model
Used by Red Hat Linux and Fedora Users primary group has same name as user Contains only user as member
Create new user
system-config-users utility Add User button Enter information on dialog Utility creates home directory based on user name
9
The Complete Guide to Linux System Administration
�Managing User Accounts Graphically (continued)
/etc/login.defs file
Stores settings used to create new users Comments describe settings
Create new group
Click Add Group button Enter group name
The Complete Guide to Linux System Administration
10
�Managing User Accounts Graphically (continued)
Delete user
Select user name on Users tab Click delete button Some administrators prefer to permanently disable, not delete
The Complete Guide to Linux System Administration
11
�Creating New Users at the Command Line
useradd utility
Create new users Must be logged in as root Example: useradd -g sales -c Raley Solomon" rsolomon -D option displays the default settings Edit /etc/default/useradd to change defaults
The Complete Guide to Linux System Administration
12
�Creating New Users at the Command Line (continued)
passwd command
Change users password Lock user account: passwd -l thomas Unlock account: passwd -u thomas
The Complete Guide to Linux System Administration
13
�Creating New Groups
groupadd command
Preferred method for adding new group Example: groupadd managers
The Complete Guide to Linux System Administration
14
�Modifying User and Group Accounts at the Command Line
usermod command
Modify user account Uses same options as useradd command
groupmod command
Modify group -g option: change GID -n option: change name
The Complete Guide to Linux System Administration
15
�Modifying User and Group Accounts at the Command Line (continued)
grpck command
Check integrity of /etc/group and /etc/gshadow files Uses no parameters
chage command
Alter password aging information View password expiration Change aging for user Interactive mode
16
The Complete Guide to Linux System Administration
�Modifying User and Group Accounts at the Command Line (continued)
pwconv utility converts older /etc/passwd password storage to /etc/shadow password storage pwunconv utility converts existing /etc/shadow passwords to older /etc/passwd system for compatibility pwck command shows formatting errors that make accounts unusable
The Complete Guide to Linux System Administration
17
�Automating Home Directory Creation
Files in /etc/skel automatically copied into each users home directory
At time account created Includes hidden configuration files Files not added to existing user home directories
The Complete Guide to Linux System Administration
18
�Disabling User Accounts
Temporarily disable users account
Change password
passwd command
passwd -l [username] to lock account Edit /etc/shadow file in text editor
Place asterisk before encrypted password
Place # at beginning of line for user account in /etc/passwd
Make line into comment
The Complete Guide to Linux System Administration 19
�Disabling User Accounts (continued)
userdel command
Delete user account permanently Does not remove users home directory or contents
groupdel command
Remove group Be careful deleting groups
The Complete Guide to Linux System Administration
20
�Complex File Permissions
Sticky bit
Directory can only be renamed or unlinked by
User that owns it root
Often used on directories all users should be able to create files such as /tmp To set: chmod a+t /tmp
The Complete Guide to Linux System Administration
21
�Complex File Permissions (continued)
Set user ID permission
SUID Can be added to file that has execute permission set Causes user who executes file to take on file permissions of owner of file Very useful for few specialized programs To set: chmod u+s file
The Complete Guide to Linux System Administration
22
�Complex File Permissions (continued)
Permissions not always what they seem at first Set group ID permission
SGID Person who executes program has permissions of files group while executing program To set: chmod g+s file Can also be set numerically
The Complete Guide to Linux System Administration
23
�Complex File Permissions (continued)
SGID set on directory
Any file created within directory assigned to group of directory
Permissions examined in order
Owner first Group second Others third Can deny group permission without users having other permission
24
The Complete Guide to Linux System Administration
�User Security Issues
Other ways of securing Linux
Additional communications User security mechanisms
The Complete Guide to Linux System Administration
25
�Communicating with Users
/etc/motd file
Contents displayed just before shell is started each time user logs in Message of the day Does not appear unless:
User opens command line Or logs in at text-mode console
The Complete Guide to Linux System Administration
26
�Communicating with Users (continued)
wall command
Write all Communicate immediate message to all users who are logged in to system Displays broadcast message on command line for all users
Working in text mode Or with open terminal window
The Complete Guide to Linux System Administration
27
�Communicating with Users (continued)
fuser command
Learn about what users are doing View users accessing
File system Serial port Network connection
-k option kills processes
The Complete Guide to Linux System Administration
28
�Granting Limited Root Access
sudo command
Assign root privileges to any user account User can execute just programs that sudo configuration specifies
/etc/sudoers configuration file
Syntax can be very complex Basic format: user host = command_list
The Complete Guide to Linux System Administration
29
�Granting Limited Root Access (continued)
/etc/sudoers configuration file
Can define aliases for:
Collection of users Collection of hosts Collection of programs Set of sudo options
visudo program edits /etc/sudoers file System administrator must hand out sudo power carefully
The Complete Guide to Linux System Administration 30
�Using Pluggable Authentication Modules
Pluggable authentication module (PAM)
Architecture and set of libraries Programmer can create module to perform specific security-related function System administrators can select, configure, and use one or more modules
Control operation of program that is aware of PAM capabilities
Configured by default for Red Hat Linux
The Complete Guide to Linux System Administration 31
�Using Pluggable Authentication Modules (continued)
To use PAM, select PAM modules for program Configured using:
Single configuration file /etc/pam.conf Series of configuration files in directory /etc/pam.d Person compiling software selects which configuration style is used
The Complete Guide to Linux System Administration
32
�Using Pluggable Authentication Modules (continued)
Red Hat Linux and Fedora use directory configuration method /etc/pam.d directory contains file with name matching program being configured When PAM-compatible program executed, checks to see which applicable modules are configured for given task Stacked modules
Multiple modules are listed for module type
The Complete Guide to Linux System Administration 33
�Using Pluggable Authentication Modules (continued)
control_flag element
Determines how PAM processes stacked modules Has two forms
The Complete Guide to Linux System Administration
34
�Using Network Information Service
Network Information Service (NIS)
Lets system administrator manage single set of configuration files for multiple Linux servers Sometimes called yellow pages service or yp
When user logs in, server contacts NIS server to see if user has valid user account
The Complete Guide to Linux System Administration
35
�Using Network Information Service (continued)
NIS+ or NISplus
More recent version of NIS
authconfig program
Set up system to use NIS server
/etc/nsswitch.conf file
Instructs various system programs in Linux on where to look for configuration information Often includes multiple options
The Complete Guide to Linux System Administration
36
�Summary
User accounts can be managed graphically useradd command creates user accounts on the command line usermod command modifies existing user accounts User accounts can be disabled using various methods
The Complete Guide to Linux System Administration
37
�Summary (continued)
SUID and SGID permissions cause user to assume permissions of owner of executable file when program is executed Sticky bit and other special file permissions allow administrators to control shared files Administrators can broadcast messages to users sudo program lets regular users perform tasks that require root privileges
The Complete Guide to Linux System Administration
38
�Summary (continued)
PAMs provide flexible and powerful way for system administrators to configure exactly how user security is handled NIS or NIS+ server
Multiple systems can share user files
The Complete Guide to Linux System Administration
39
