\input{gl2.slide-header-beamer}% \errorcontextlines=99 %% Subtopic Number = '1.111.1' %% Title: 'Manage users and group accounts and related system files' %% Weight: 4 %% Description: %% Candidate should be able to add, remove, suspend and change %% user accounts. Tasks include to add and remove groups, to change %% user/group info in passwd/group databases. The objective also includes %% creating special purpose and limited accounts. %% Key files, terms, and utilities include: %% /etc/passwd %% /etc/shadow %% /etc/group %% /etc/gshadow %% chage %% gpasswd %% groupadd %% groupdel %% groupmod %% grpconv %% grpunconv %% passwd %% pwconv %% pwunconv %% useradd %% userdel %% usermod \title{1.111.1\\Manage users and group accounts and related system files\\Weight 4} \date{2005 October} \author[Nick Urbanik]{Nick Urbanik \texttt{}\\ {\scriptsize This document Licensed under GPL---see section~\ref{sec:license}}}% \subtitle{Linux Professional Institute Certification --- 102}% \mode
{\chead{1.111.1}}% \usepackage{tikz} \begin{document} \maketitle \mode
{\thispagestyle{empty}} \begin{frame} \frametitle{Outline} \mode {% %\footnotesize \begin{multicols}{2} \tableofcontents \end{multicols} % You might wish to add the option [pausesections] }% \mode
{% \tableofcontents }% \end{frame} \section{Context} \label{sec:context} \begin{frame} \frametitle{Topic 111 Administrative Tasks [21]}% \framesubtitle{Where we are up to}% \begin{description} % \uline depends on \usepackage[normalem]{ulem}: \item[1.111.1] \textbf{\uline{Manage users and group accounts and related system files [4]}} \item[1.111.2] Tune the user environment and system environment variables [3] \item[1.111.3] Configure and use system log files to meet administrative and security needs [3] \item[1.111.4] Automate system administration tasks by scheduling jobs to run in the future [4] \item[1.111.5] Maintain an effective data backup strategy [3] \item[1.111.6] Maintain system time [4] \end{description} \end{frame} \section{Objectives} \label{sec:objectives} \begin{frame} \frametitle{Description of Objective}% \framesubtitle{1.111.1\ \ Manage users and group accounts and related system files [4]}% \mode{\Large}% Candidate should be able to \alert{add}, \alert{remove}, \alert{suspend} and \alert{change} user accounts. Tasks include to add and remove groups, to change user/group info in passwd/group databases. The objective also includes creating \alert{special purpose} and \alert{limited accounts}. 
\end{frame} \begin{frame}[allowframebreaks] \frametitle{Key files, terms, and utilities include:}% \framesubtitle{1.111.1\ \ Manage users and group accounts and related system files [4]}% % \mode{\large}% \begin{description} \item[\texttt{/etc/passwd}] --- text file containing user account information \item[\texttt{/etc/shadow}] --- text file containing user password information \item[\texttt{/etc/group}] --- text file containing groups \item[\texttt{/etc/gshadow}] --- text file that may contain group passwords \item[\texttt{chage}] --- change user password expiry information \item[\texttt{gpasswd}] --- change group membership, group passwords \item[\texttt{groupadd}] --- create a new group \item[\texttt{groupdel}] --- delete an existing group \item[\texttt{groupmod}] --- modify a group \item[\texttt{grpconv}] --- moves all group password information to \texttt{/etc/gshadow} \item[\texttt{grpunconv}] --- creates group from group and gshadow and then removes gshadow. \item[\texttt{passwd}] --- set or change passwords to authenticate users \item[\texttt{pwconv}] --- moves all user password information from \texttt{/etc/passwd} to \texttt{/etc/shadow} \item[\texttt{pwunconv}] --- moves all password information from \texttt{/etc/shadow} to \texttt{/etc/passwd} then deletes \texttt{/etc/shadow} \item[\texttt{useradd}] --- create a new user account \item[\texttt{userdel}] --- delete an existing user account \item[\texttt{usermod}] --- modify a user account \end{description} \end{frame} \section{Account information files} \label{sec:account-info-files} \begin{frame} \frametitle{The account information files} \begin{description} \item[\texttt{/etc/passwd}] --- text file containing user account information \item[\texttt{/etc/shadow}] --- text file containing user password information \item[\texttt{/etc/group}] --- text file containing groups \item[\texttt{/etc/gshadow}] --- text file that may contain group passwords \end{description} \begin{itemize} \item Note that all are 
simple text files that can be edited with an editor (best to use \texttt{vipw} and \texttt{vigr} so that the file is not edited while others are changing it; \texttt{vipw -s} and \texttt{vigr -s} edit \texttt{/etc/shadow} and \texttt{/etc/gshadow} under the same lock) \item These are for \alert{local} accounts only: network accounts may be obtained through LDAP, Samba or Active Directory through Winbind, NIS or NIS+ or Hesiod, to name a few. \end{itemize} \end{frame} \subsection{\texttt{/etc/passwd}} \label{sec:etc-passwd} \begin{frame} \frametitle{\texttt{/etc/passwd}} \begin{itemize} \item The \texttt{passwd} file is documented with \mbox{\cmd{man 5 passwd}} \item Each line of the file corresponds to one user; here is mine: \end{itemize} \includegraphics[width=\linewidth]{passwd-line} % \begin{tikzpicture} % \draw\node(n){nicku}:\node(p){x}:\node(u){1000}:\node(g){1000}:\node(G){Nick Urbanik}:\node(h){/home/nicku}:\node(s){/bin/bash} % \node(tn){User name}\node(tp){Password}\node(tu){User ID number}% % \node(tg){Group ID number}\node(tG){GECOS}\node(th){Home Directory}% % \node(ts){Shell}; % \draw[->] (n) .. (tn); % \draw[->] (p) .. (tp); % \draw[->] (u) .. (tu); % \draw[->] (g) .. (tg); % \draw[->] (G) .. (tG); % \draw[->] (h) .. (th); % \draw[->] (s) .. (ts); % \end{tikzpicture} \end{frame} \subsection{Fields in \texttt{/etc/passwd}} \label{sec:etc-passwd-fields} \begin{frame} \frametitle{Fields in \texttt{/etc/passwd}} \begin{description} \item[user name] --- account name. Tradition has it in lower case. \item[password] --- This is always `\texttt{x}' unless you have run \texttt{pwunconv} to move the hashed password from the \texttt{shadow} file back here. You can change it to a star `\texttt{*}' to \alert{disable} the account \alert{if \texttt{shadow} is not used}. An \alert{empty} password field (here, or in \texttt{shadow}) means that \alert{no password at all} is needed to log in, so check that no account has one \item[user ID number] --- an integer that uniquely identifies a particular user to the system. Call it UID. UID~0 is \texttt{root}, whatever name the entry carries \item[group ID number] --- an integer that uniquely identifies the \alert{primary group} of this user to the system. 
\item[GECOS] --- holds the user's actual name, and perhaps their phone number, or any information about the user you like! Called GECOS for hysterical reasons: read \par% \mbox{\cmd{man 5 passwd}} \item[home directory] --- after the user logs in, this directory is made their current directory \item[login shell] --- after logging in, the user has this shell. Usually the shell should be listed in \path{/etc/shells} \end{description} \end{frame} \begin{frame} \frametitle{More about the \texttt{passwd} fields} \begin{itemize} \item The computer identifies files, processes,\,\ldots\ by the UID and GID, so two \texttt{passwd} entries with the same UID are the \alert{same user} to the kernel: a second entry with UID~0 is another \texttt{root} account, and is worth checking for. \item the passwd file (or its equivalent) is the only link to the account name. \item the group ID number links the account to the one group that (by default) owns files and processes created by the user \item Replacing the login shell with something like \texttt{/bin/false} or \texttt{/sbin/nologin} stops \alert{interactive} logins, but it does not suspend the account: the password may still be accepted by services that check it without starting a shell (some FTP, POP3 and IMAP servers), and \texttt{root} can still enter the account with \texttt{su -s /bin/bash \meta{user}}. To suspend an account, lock its password as well (section~\ref{sec:suspending-an-account}). \end{itemize} \end{frame} \section{The \texttt{/etc/group} file} \label{sec:group} \begin{frame}[fragile] \frametitle{The \texttt{/etc/group} file} \label{sld:group-file} \begin{itemize} \item Here are two lines from my \texttt{/etc/group} file: \end{itemize} \begin{semiverbatim} nicku:x:1000: linusgames:x:516:linus,pam,nicku \end{semiverbatim} \begin{itemize} \item The first says group with GID 1000 has the name \texttt{nicku}. It has no members, except for the user for whom this is the primary group ID \item The second line maps the group name \texttt{linusgames} to the GID 516. It has the members with user names \texttt{linus}, \texttt{pam} and \texttt{nicku}. 
\end{itemize} \end{frame} \subsection{Primary and Secondary Groups} \label{sec:primary-and-secondary-groups} \begin{frame} \frametitle{Primary Group} \begin{itemize} \item Every user has a \alert{primary group} \item This is the default group attached to any files or processes created by the user \item A member can belong to any number of \alert{secondary groups} \item An example from earlier: \texttt{nicku} has a primary group called \texttt{nicku} and a secondary group called \texttt{linusgames}. \item You can change your group to any of your other groups with the \texttt{newgrp} command. \end{itemize} \end{frame} \begin{frame} \frametitle{\texttt{newgrp}: Changing to other Groups} \begin{itemize} \item A group may have a password associated with it \begin{itemize} \item I do not recommend shared passwords, hence do not use group passwords \item A shared secret remains a secret only if no one else is interested \end{itemize} \item The password is put into \texttt{/etc/gshadow} \item If group has a password associated with it, a user who is not a member can change to this group using the \texttt{newgrp} command by entering the password when prompted. \item group members can change their current group to a group they are a member of using the \texttt{newgrp} command regardless of whether there is a password with that group. \item Group passwords are created using the \texttt{gpasswd} command. 
\end{itemize} \end{frame} \section{The \texttt{/etc/shadow} file} \label{sec:shadow-file} \begin{frame}[fragile] \frametitle{\texttt{/etc/shadow} must be readable only by \texttt{root}} \begin{itemize} \item The \texttt{/etc/shadow} file must be \alert{readable only by \texttt{root}} \item This is to avoid other people getting a copy of all the hashed passwords and running Crack or John the Ripper to recover passwords at leisure \item The same applies to \texttt{/etc/gshadow}, and to the \texttt{shadow-} and \texttt{gshadow-} backup copies the shadow tools may leave next to them. Some distributions use mode \texttt{640} owned by \texttt{root:shadow} instead of \texttt{600}; either way there must be \alert{no world read access} \end{itemize} \mode{\small} \begin{semiverbatim} \cmd{ls -l /etc/shadow} -rw-{}-{}-{}-{}-{}-{}- 1 root root 2085 Aug 24 13:13 /etc/shadow \end{semiverbatim} \end{frame} \begin{frame} \frametitle{Fields in \texttt{/etc/shadow}}% \par\bigskip\par From \mbox{\cmd{man 5 shadow}} the nine fields are: \begin{itemize} \item login name \item encrypted password \begin{itemize} \item This is incorrect, wrong,\ldots\ and makes me splutter!! \item It is a \alert{hash} of the password \item Prefix with an exclamation mark `\texttt{!}' to \alert{disable password logins for the account temporarily}; any string that cannot be a valid hash (\texttt{*}, \texttt{!!}) has the same effect, since no password will ever match it. 
\end{itemize} \item days since Jan 1, 1970 that password was last changed \item days before password may be changed \item days after which password must be changed \item days before password is to expire that user is warned \item days after password expires that account is disabled \item days since Jan 1, 1970 that account is disabled \item a reserved field \end{itemize} \end{frame} \section{Making accounts} \label{sec:making-accounts} \begin{frame} \frametitle{Making a user account}% Any method of creating an account goes through the following steps (assuming the use of local files to hold account information) \begin{enumerate} \item Find the next available UID and GID numbers, or use the ones provided, checking they are unique (a reused UID inherits every file its previous owner left behind) \item Add an entry to the \texttt{/etc/passwd} and \texttt{/etc/shadow} files using all the information provided, including a hash of the password into \texttt{/etc/shadow} \item Create the home directory, with a restrictive mode (\texttt{useradd} derives it from \texttt{UMASK} in \texttt{/etc/login.defs}) \item Create a mail spool file \texttt{/var/spool/mail/\meta{username}} \item Copy the files and directories from \texttt{/etc/skel} to the home directory \item Change the ownership of the home directory and all its contents to the user, and the group ownership to the primary group of the user \item Change the ownership of the mail spool file to the user, and make the group owner equal to \texttt{mail} \end{enumerate} \end{frame} \subsection{\texttt{useradd}, \texttt{adduser}} \label{sec:useradd-adduser} \begin{frame}[fragile] \frametitle{\texttt{/usr/sbin/useradd}} \begin{itemize} \item On Red Hat/Fedora (and some other UNIX systems), \texttt{useradd} does all the above, although you need to create a hash of the password beforehand: \texttt{useradd -p} expects an already-hashed string, and anything on the command line is visible in shell history and in \texttt{ps}, so it is better to leave the password unset and run \texttt{passwd} afterwards, as below \item On Debian systems, the program \texttt{adduser} is more capable, and \texttt{useradd} less so \item See \mbox{\cmd{man useradd}}, \mbox{\cmd{man adduser}} \item Make an account for me: \mode{\small} \begin{semiverbatim} \cmd{sudo useradd -c "Nick Urbanik" nicku} \cmd{sudo passwd nicku} Changing password 
for user nicku. New password: Retype new password: passwd: all authentication tokens updated successfully. \end{semiverbatim} \end{itemize} \end{frame} \begin{frame} \frametitle{Differences between Debian and Red Hat \texttt{useradd}} \begin{itemize} \item On Debian systems, you need to specify the \texttt{-m} option to \texttt{useradd} or the home directory will not be created. \item People use \texttt{adduser} instead on Debian systems. \end{itemize} \end{frame} \subsection{Modifying an account with \texttt{usermod}} \label{sec:usermod} \begin{frame} \frametitle{\texttt{/usr/sbin/usermod}} \begin{itemize} \item You can modify the account parameters in the \texttt{/etc/passwd} and \texttt{/etc/shadow} files for an existing account using \texttt{usermod}: for example \texttt{-s} changes the shell, \texttt{-e} sets an account expiry date, and \texttt{-L}/\texttt{-U} lock and unlock the password. \item See \cmd{man usermod} \end{itemize} \end{frame} \section{Creating a group} \label{sec:groupadd} \begin{frame} \frametitle{\texttt{/usr/sbin/groupadd}} \begin{itemize} \item You can create a new group with: \cmd{sudo groupadd \meta{groupname}} \item Note that \texttt{useradd} (and \texttt{adduser} on Debian/Ubuntu) will automatically create the primary group for a user if it does not already exist \end{itemize} \end{frame} \section{Deleting a group} \label{sec:groupdel} \begin{frame} \frametitle{\texttt{/usr/sbin/groupdel}} \begin{itemize} \item You can remove an existing group with: \cmd{sudo groupdel \meta{groupname}} \item \texttt{groupdel} refuses to remove a group that is still some user's primary group. Files owned by a deleted GID keep the bare number and will belong to whatever group is later given that GID; \cmd{find / -nogroup} lists them. \end{itemize} \end{frame} \section{Adding a user to a group} \label{sec:adding-user-to-a-group} \begin{frame} \frametitle{Adding a user to a group} \begin{itemize} \item It may seem that \texttt{usermod} is the best tool, but \texttt{usermod -G} \alert{replaces} the whole list of secondary groups: the user is silently removed from any group you do not list! (Recent versions accept \texttt{-a -G} to append instead.)
\item Use \texttt{gpasswd} instead \texttt{:-)} \item Syntax: \mbox{\rootcmd{gpasswd -a \meta{user} \meta{group}}} \item To add the user \texttt{nicku} to the group \texttt{linusgames} without removing \texttt{nicku} from any existing group memberships: \end{itemize} \cmd{sudo gpasswd -a nicku linusgames} \end{frame} \section{\texttt{userdel}: deleting a user account} \label{sec:userdel} \begin{frame} \frametitle{\texttt{/usr/sbin/userdel}} \begin{itemize} \item To delete the \texttt{nicku} account \alert{including the home directory} (and the mail spool): \end{itemize} \cmd{sudo userdel -r nicku} \begin{itemize} \item First make sure the user is not logged in and has no running processes, and look for files they own outside the home directory with \mbox{\cmd{find / -user nicku}}. Once the entry is gone those files show only a bare UID (\mbox{\cmd{find / -nouser}} finds them) and will belong to whoever is given that UID next. \end{itemize} \end{frame} \section{Suspending an account} \label{sec:suspending-an-account} \begin{frame} \frametitle{Suspending an account} \begin{itemize} \item You can suspend (``lock'') a \texttt{shadow} account by inserting an exclamation mark `\texttt{!}' in front of the password field in \texttt{/etc/shadow} using \texttt{vipw -s} \item \ldots\,or you can use \mbox{\cmd{sudo passwd -l \meta{username}}} to do the same thing \item This blocks only \alert{password} authentication: an SSH public key in the user's \texttt{authorized\_keys}, or any other way in that does not check the password, still works. To shut the account completely, also set an expiry date in the past, \mbox{\cmd{sudo chage -E 1970-01-02 \meta{username}}}, and give it the shell \texttt{/sbin/nologin}; undo these when you unlock it \item You can unlock the account by removing the `\texttt{!}' either manually with \texttt{vipw -s} or with \mbox{\cmd{sudo passwd -u \meta{username}}} \end{itemize} \end{frame} \section{Setting the password expiry information} \label{sec:expirey} \begin{frame} \frametitle{Setting the password expiry information} \begin{itemize} \item The easiest program to use for this is \texttt{chage} \item You can also use \texttt{passwd} to change some password information. \item Ordinary users can use \cmd{chage~-l} to read the account aging information for their own account. \end{itemize} \end{frame} \section{Creating special purpose accounts} \label{sec:special-accounts} \begin{frame}[allowframebreaks] \frametitle{Creating special purpose accounts} \begin{itemize} \item A number of special system accounts are needed, e.g., \end{itemize} {\ttfamily% \mode{\scriptsize}% \mode
{\footnotesize}% \noindent% bin:x:1:1:bin:/bin:/sbin/nologin\linebreak[4] daemon:x:2:2:daemon:/sbin:/sbin/nologin\linebreak[4] adm:x:3:4:adm:/var/adm:/sbin/nologin\linebreak[4] lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\linebreak[4] sync:x:5:0:sync:/sbin:/bin/sync\linebreak[4] shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\linebreak[4] halt:x:7:0:halt:/sbin:/sbin/halt\linebreak[4] mail:x:8:12:mail:/var/spool/mail:/sbin/nologin\linebreak[4] news:x:9:13:news:/etc/news:\linebreak[4] uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\linebreak[4] operator:x:11:0:operator:/root:/sbin/nologin\linebreak[4] games:x:12:100:games:/usr/games:/sbin/nologin\linebreak[4] gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\linebreak[4] ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\linebreak[4] nobody:x:99:99:Nobody:/:/sbin/nologin\linebreak[4] dbus:x:81:81:System message bus:/:/sbin/nologin\linebreak[4] vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\linebreak[4] nscd:x:28:28:NSCD Daemon:/:/sbin/nologin\linebreak[4] rpm:x:37:37::/var/lib/rpm:/sbin/nologin\linebreak[4] haldaemon:x:68:68:HAL daemon:/:/sbin/nologin\linebreak[4] netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash\linebreak[4] sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\linebreak[4] rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin\linebreak[4] rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin\linebreak[4] nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin\linebreak[4] mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin\linebreak[4] smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin\linebreak[4] pcap:x:77:77::/var/arpwatch:/sbin/nologin\linebreak[4] xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin\linebreak[4] ntp:x:38:38::/etc/ntp:/sbin/nologin\linebreak[4] gdm:x:42:42::/var/gdm:/sbin/nologin } \begin{itemize} \item These accounts generally have a user ID that is lower than some particular value \item Use the user ID numbers and names recommended by the 
distribution to avoid unintentional conflicts \begin{itemize} \item See \path{/usr/share/doc/setup-*/uidgid} on Red Hat/Fedora systems \end{itemize} \item Audit these accounts rather than trusting the defaults: in the listing above \texttt{news} has an empty shell field (which means the default \texttt{/bin/sh}) and \texttt{netdump} has \texttt{/bin/bash}, so both need at least a locked password, and \texttt{/sbin/nologin} unless there is a reason for a real shell \end{itemize} \end{frame} \section{Creating limited accounts} \label{sec:limited} \begin{frame} \frametitle{Creating limited accounts} \begin{itemize} \item Network servers such as Apache, Sendmail, Postfix, Samba, Bind, ntpd,\ldots all run under special accounts that have limited access to the system \item You may need to create accounts for users who are just there for accessing email by POP3 or IMAP, or just for Samba \item To do this: create an account with a login shell of \texttt{/bin/false} (or possibly \texttt{/sbin/nologin}), keep that shell out of \path{/etc/shells} so that \texttt{chsh} and some FTP daemons refuse it, and lock the system password. If the service checks the system password through PAM (many POP3/IMAP servers do), the account needs a real password instead, and the restricted shell is then what does the limiting; a service with its own password database (Samba) can keep the system password locked. \end{itemize} \end{frame} \mode {% \begin{frame} \frametitle{Topics Covered} %\footnotesize %\begin{multicols}{2} \tableofcontents[pausesections,pausesubsections] %\end{multicols} % You might wish to add the option [pausesections] \end{frame} } \section{License Of This Document} \label{sec:license} \begin{frame} \frametitle{License Of This Document} \raggedright% Copyright \copyright\ 2005 Nick Urbanik \par You can redistribute modified or unmodified copies of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation---either version 2 of the License or (at your option) any later version. \end{frame} \end{document}