\chapter{Managing Users--quotas}
\label{cha:managing-groups-and-users}
{\mns
\subsection{Objectives}
On completion of this module you should be able to:
\begin{itemize}
\item Understand key Unix user management issues
\item Use key Unix user management tools~\footnote{Many user management issues and tools are dealt with in other GBdirect modules, e.g. administration of users, passwords, groups and permissions is covered in the Key Configuration Files module and the Filesystem modules. This module only covers points {\em not} dealt with there.}
\end{itemize}

\section{Checking {\fn /etc/passwd} and {\fn /etc/shadow} with {\pgn pwck}}
\label{sec:pwck}
\begin{itemize}
\item {\pgn pwck} verifies the integrity of the password files
\item For every entry it checks:
\begin{itemize}
\item The number of fields
\item Uniqueness of the user name
\item Validity of the user and group identifiers
\item Validity of the primary group (it must exist in {\fn /etc/group})
\item Validity of the home directory
\item Validity of the login shell
\end{itemize}
\item Only a wrong field count or a duplicate name is fatal: for those it offers to delete the whole line
\item Everything else is reported as a warning, to be corrected with {\pgn usermod}
\item Checks both {\fn /etc/passwd} and {\fn /etc/shadow} by default
\item Can be run in read-only mode ({\cmdn pwck -r}), which reports problems but changes nothing; do this first, and back the files up before running it in write mode
\end{itemize}

\section{Checking {\fn /etc/group} with {\pgn grpck}}
\label{sec:grpck}
\begin{itemize}
\item {\pgn grpck} checks {\fn /etc/group} for:
\begin{itemize}
\item The correct number of fields
\item Uniqueness of group names
\item That every group member is a user defined in {\fn /etc/passwd}
\end{itemize}
\item As with {\pgn pwck}, it offers to delete malformed or duplicate lines and reports the rest as warnings
\item Can be run in read-only mode ({\cmdn grpck -r})
\end{itemize}

\section{Managing User Connections: {\pgn login}, {\fn /etc/securetty}, {\fn /etc/usertty}}
\label{sec:user-connect-login-securetty-usertty}
\begin{itemize}
\item {\pgn login} controls what a user gets at the start of a session
\begin{itemize}
\item It authenticates the user, applies the restrictions described below, sets up the environment and starts the login shell
\item Part of the Shadow password suite
\item Works closely with {\fn /etc/login.defs}
\item See {\cmdn man login}
\end{itemize}
\item {\fn /etc/securetty} restricts the terminals on which {\em root} may log in
\begin{itemize}
\item One device name per line (no {\fn /dev} prefix), e.g. {\sco tty1}
\item Consulted by {\pgn login}: a root login on a terminal not listed is refused
\item An empty file forbids root login on every terminal; if the file is absent, the restriction is not applied at all
\end{itemize}
\item {\fn /etc/usertty} restricts general user access
\begin{itemize}
\item According to user ID and/or time of login
\item One rule per line, 3 colon separated fields:
\begin{enumerate}
\item Terminal (no {\fn /dev} prefix), {\sco *} means all
\item Users, {\sco *} means all
\item List of allowed times
\begin{itemize}
\item {\bf Times} in HHMM format, e.g. {\sco 0800-1732}
\item {\bf Days} {\sco Su Mo Tu We Th Fr Sa}, {\sco Wk} (Monday to Friday), {\sco Al} (all days, the default)
\end{itemize}
\end{enumerate}
\end{itemize}
\end{itemize}

\section{Limiting User Resources with {\pgn ulimit}}
\label{sec:ulimit}
\begin{itemize}
\item {\pgn ulimit} stops users exhausting system resources
\begin{itemize}
\item By capping what each process may use: CPU time, file size, open files, memory, number of processes, core dump size, etc.
\end{itemize}
\item A shell built-in ({\pgn bash}, {\pgn ksh} and others), because limits are a property of each process and are inherited by the processes it starts
\item Two kinds of limit:
\begin{itemize}
\item Soft limits: the value the kernel actually enforces; a process may raise its own soft limit, but only up to the hard limit
\item Hard limits: the ceiling; once lowered, a hard limit can be raised again only by root
\end{itemize}
\item {\cmdn ulimit -a} displays the current soft limits
\item {\cmdn ulimit -Ha} displays the hard limits
\item There are about a dozen more options, one per resource
\begin{itemize}
\item See {\cmdn man ulimit}, or the {\sco ulimit} entry of the shell's own manual page, for details
\end{itemize}
\item Limits set this way apply only to that shell and its children; limits that should apply to every login are set where {\pgn login} applies them (on Linux through PAM's {\sco pam\_limits} and {\fn /etc/security/limits.conf})
\end{itemize}

\section{Managing Disk Use with Quotas}
\label{sec:quotas}
\begin{itemize}
\item Limit the amount of filesystem storage (blocks and inodes) a user or group can consume
\item Available on most Unix systems
\begin{itemize}
\item Optional on Linux: quota support is a kernel configuration option~\footnote{It must be made available either by choosing to enable quotas at installation time, or by compiling the option into a new kernel. Kernel compilation is the subject of another GBdirect training module entirely.}
\item Not on SCO UNIX
\end{itemize}
\item Two distinct types of limit:
\begin{itemize}
\item Hard limits can {\em never} be exceeded
\item Soft limits may be exceeded temporarily, e.g.
\begin{itemize}
\item For a period of time (the grace period)
\item For a number of logins (on some systems)
\end{itemize}
\end{itemize}
\item Typically applied to {\fn /home} filesystems
\item {\em NOT} to {\fn /tmp} or {\fn /}
\item Main commands: \\[12pt]
{\myss
\begin{tabular}{|l|l|}
\hline
Command & Description \\
\hline \hline
{\pgn quotaon, quotaoff } & turn filesystem quotas on and off \\
\hline
{\pgn quota } & display disk usage and limits \\
\hline
{\pgn repquota } & summarize quotas for a filesystem \\
\hline
{\pgn quotacheck } & scan a filesystem for disk usage and (re)build the quota records \\
\hline
{\pgn edquota } & edit user and group quotas \\
\hline
{\pgn quotactl } & the system call the tools above use (not a user command) \\
\hline
\end{tabular}
}
\end{itemize}

\section{Setting up Quotas on a Filesystem}
\label{sec:quotas-in-fstab}
\begin{itemize}
\item Enable quotas on a filesystem with {\sco usrquota} and/or {\sco grpquota} in the 4th (options) field of its {\fn /etc/fstab} entry~\footnote{BSD introduced quotas and configured them in this way. See {\cmdn man fstab} for details. Most actively developed Unixes, e.g. Linux, FreeBSD and NetBSD, follow the same pattern. System V format filesystem configuration files simply change {\sco rw} to {\sco rq}. AIX puts ``{\sco quota = userquota,groupquota}'' in {\fn /etc/filesystems}.} \\[12pt]
{\myss
\begin{verbatim}
# device      directory    type   options
/dev/hda1     /            ext2   defaults
/dev/hda2     none         swap   sw
/dev/hda3     /usr         ext2   defaults
/dev/hdb1     /usr/users   ext2   defaults,usrquota,grpquota
/dev/hdb2     /usr/src     ext2   defaults,usrquota
none          /proc        proc   defaults
\end{verbatim}}
\item The new options take effect when the filesystem is next mounted: remount it, or reboot
\item Create the quota record files {\fn quota.user} and {\fn quota.group} at the root of each such filesystem~\footnote{The record files should be owned by root and readable and writable by root alone, since they hold every user's limits. Later versions of the Linux quota tools use the ``v2'' record format, whose files are called {\fn aquota.user} and {\fn aquota.group} and are created for you by {\cmdn quotacheck -c}; the procedure is otherwise the same.}, then scan the filesystem and switch quotas on:
{\myss
\begin{verbatim}
$ su
Password:
# cd /usr/users
# touch quota.user quota.group
# chmod 600 quota.user quota.group
# quotacheck -avug
# quotaon -avug
\end{verbatim}}%$
\item Alternatively reboot ({\cmdn halt -r now}) after creating the files, so that the init scripts run {\pgn quotacheck} and {\pgn quotaon} (Section~\ref{sec:check-report-quotas})
\end{itemize}

\section{Specifying Quotas for Users and Groups}
\label{sec:specify-users-quotas}
\begin{itemize}
\item Set users' quotas using {\pgn edquota} (as root)
\item Invoking it with user or group names creates a temporary file containing their current usage and their hard and soft limits: {\cmdn \$ edquota {\usb username(s)}}
\item It then opens the file with the editor named in the {\var \$EDITOR} environment variable
\item Each line describes one filesystem; block counts are in 1\,KiB units~\footnote{Formats vary between Unixes; the example below is from Linux.}
{\myfs
\begin{verbatim}
Quotas for group www:
/dev/hda4: blocks in use: 5349, limits (soft = 8000, hard = 10000)
           inodes in use: 1745, limits (soft = 3000, hard = 4000)
\end{verbatim}}
\item Edit only the limit values (the ``in use'' figures are informational); when the editor exits, {\pgn edquota} writes the saved limits to the quota records
\item A limit of 0 means no limit
\item Can be used just on the command line, e.g.
\begin{verbatim}
$ edquota -p davef lee julie
\end{verbatim}%$
Sets Julie's and Lee's quotas to match Dave's ({\sco davef} is the prototype user)
\item Options: \\[12pt]
{\myfs
\begin{tabular}{|p{130pt}|p{270pt}|}
\hline
Command & Meaning \\
\hline \hline
{\pgn edquota -u } & Edit individual users' quotas (the default) \\
\hline
{\pgn edquota -g } & Edit group quotas \\
\hline
{\pgn edquota -t } & Set the grace period for soft limits, in days, hours, minutes or seconds \\
\hline
{\pgn edquota -p {\usb username} } & Set the other named users' quotas equal to {\usb username}'s \\
\hline
\end{tabular}}
\end{itemize}

\section{Checking and Reporting on Quotas}
\label{sec:check-report-quotas}
\begin{itemize}
\item Use {\cmdn quotaon} to activate the quota system and start enforcement \\[12pt]
{\myss
\begin{tabular}{|p{150pt}|p{250pt}|}
\hline
{\pgn quotaon {\usb filesystem} } & Enable quotas on the specified filesystem \\
\hline
{\pgn quotaon -a } & Enable on all filesystems marked in {\fn /etc/fstab} \\
\hline
\end{tabular}} \\[12pt]
\item {\cmdn -u} and {\cmdn -g} select user and group quotas, {\cmdn -v} reports what was done; until {\cmdn quotaon} has run, nothing is enforced
\item {\cmdn quotaoff} turns enforcement off again
\item {\cmdn quotacheck} looks for consistency
\begin{itemize}
\item Within the quota records
\item Between the records and current disk usage, rebuilding the records from a scan of the filesystem
\item Run it with quotas off and the filesystem quiet: it tries to remount the filesystem read-only while scanning
\end{itemize}
{\myss
\begin{tabular}{|p{170pt}|p{230pt}|}
\hline
{\pgn quotacheck {\usb filesystem} } & Check consistency on the specified filesystem \\
\hline
{\pgn quotacheck -a } & Check all filesystems marked in {\fn /etc/fstab} \\
\hline
\end{tabular}} \\[12pt]
\item {\pgn quotacheck -a} followed by {\pgn quotaon -a} should run at boot time, i.e. from the system init scripts
\item {\cmdn repquota} reports current usage and limits for every user on the specified filesystems
\begin{itemize}
\item Can take multiple filesystems as arguments
\item Can report on all filesystems ({\cmdn -a})
\end{itemize}
\item {\cmdn quota} gives ordinary users basic information on their own quota status
\end{itemize}

\section{Managing Users--quotas: Exercises}
\label{sec:manage-users-exs}
{\normalsize
\begin{enumerate}
\item {\em Checking Password and Group Files}
\begin{enumerate}
\item Use {\pgn pwck} and {\pgn grpck} to check their respective user detail files, twice:
\begin{enumerate}
\item Begin in read-only mode.
\item Switch to write mode if you find errors.
\end{enumerate}
\item If you found no errors, assume super-user status, back the files up and introduce some. Then try the commands in write mode. N.B. Don't touch the root user's details.
\end{enumerate}
\item {\em User Connections}
\begin{enumerate}
\item Create a new fictitious user on your system
\item Edit {\fn /etc/usertty} to prevent their access at particular times and on particular terminals
\item Attempt to log in as the fictitious user at a ``banned'' terminal/time.
\end{enumerate}
\item {\em Quotas}
\begin{enumerate}
\item Set quotas for a fictitious new user on the filesystem holding their home directory (normally {\fn /home})
\item Use the quota checking tools to test your set up
\item Devise and carry out a practical test that shows the limits really being enforced on a live system (e.g. as that user, try to write more than the hard limit allows).
\end{enumerate}
\end{enumerate}
}% matches \normalsize
}% matches \mns
%%% Local Variables:
%%% mode: latex
%%% TeX-master: "masterfile"
%%% End:
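The checks of Sections~\ref{sec:pwck} and~\ref{sec:grpck}, and the first exercise, as an added worked example that is not part of the original GBdirect module: a read-only reimplementation in POSIX sh and awk of what {\pgn pwck -r} and {\pgn grpck -r} look for, run over constructed sample files that contain one defect of each kind. The function names, the output format and the sample entries are this example's own; the split into fatal and warning follows the real tools, which offer to delete only lines with the wrong field count or a duplicate name.

```shell
#!/bin/sh
# Added example, not part of the GBdirect module: the checks that pwck -r and
# grpck -r make, reimplemented read-only in sh+awk so they can be run on copies
# of the files, or on the constructed samples below, without ever prompting to
# delete anything.  Output lines (this example's format, not pwck's):
#     <line>:<name>:<severity>:<problem>
# As with pwck/grpck, only a wrong field count or a duplicate name is "fatal"
# (the cases the real tools offer to delete); everything else is a "warning".

# check_passwd PASSWDFILE GROUPFILE
check_passwd() {
    awk -F: -v groupfile="$2" '
        BEGIN { while ((getline l < groupfile) > 0) { split(l, g, ":"); gid_ok[g[3]] = 1 } }
        NF != 7          { printf "P:%d:%s:fatal:wrong number of fields (%d)\n", NR, $1, NF; next }
        ($1 in seen)     { printf "P:%d:%s:fatal:duplicate user name\n", NR, $1; next }
                         { seen[$1] = 1 }
        $3 !~ /^[0-9]+$/ { printf "P:%d:%s:warning:invalid uid %s\n", NR, $1, $3 }
        $4 !~ /^[0-9]+$/ { printf "P:%d:%s:warning:invalid gid %s\n", NR, $1, $4; next }
        !($4 in gid_ok)  { printf "P:%d:%s:warning:primary group %s unknown\n", NR, $1, $4 }
                         { printf "FS:%d:%s:%s:%s\n", NR, $1, $6, $7 }  # home and shell: checked below
    ' "$1" |
    while IFS=: read -r tag nr name f4 f5; do
        case $tag in
            P)  printf '%s:%s:%s:%s\n' "$nr" "$name" "$f4" "$f5" ;;
            FS) [ -d "$f4" ] || printf '%s:%s:warning:home directory %s missing\n' "$nr" "$name" "$f4"
                # an empty shell field means /bin/sh, so only a non-empty one is checked
                [ -z "$f5" ] || [ -x "$f5" ] || printf '%s:%s:warning:shell %s not executable\n' "$nr" "$name" "$f5" ;;
        esac
    done
}

# check_group PASSWDFILE GROUPFILE
check_group() {
    awk -F: -v pwfile="$1" '
        BEGIN { while ((getline l < pwfile) > 0) { split(l, p, ":"); user_ok[p[1]] = 1 } }
        NF != 4          { printf "%d:%s:fatal:wrong number of fields (%d)\n", NR, $1, NF; next }
        ($1 in seen)     { printf "%d:%s:fatal:duplicate group name\n", NR, $1; next }
                         { seen[$1] = 1 }
        $3 !~ /^[0-9]+$/ { printf "%d:%s:warning:invalid gid %s\n", NR, $1, $3 }
        $4 != ""         { n = split($4, m, ",")
                           for (i = 1; i <= n; i++) if (!(m[i] in user_ok))
                               printf "%d:%s:warning:member %s not in passwd\n", NR, $1, m[i] }
    ' "$2"
}

# make_samples DIR: write constructed passwd and group files, each with one
# defect of every kind the checks above look for (plus some sound entries).
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/:/bin/sh
alice:x:1000:1000:Alice:/tmp:/bin/sh
bob:x:1001:1001:Bob:/nonexistent:/bin/sh
alice:x:1002:100:duplicate name:/tmp:/bin/sh
carol:x:abc:1000:non-numeric uid:/tmp:/bin/sh
dave:x:1003:9999:primary group missing:/tmp:/bin/sh
erin:x:1004:1000:one field short:/tmp
frank:x:1005:1000:bad shell:/tmp:/bin/nosuchshell
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:alice,bob
alice:x:1000:
bob:x:1001:
www:x:80:alice,mallory
users:x:101:
staff:x:abc:
bad:x:5
EOF
}

# Try it:  d=$(mktemp -d); make_samples "$d"
#          check_passwd "$d/passwd" "$d/group"; check_group "$d/passwd" "$d/group"
```

Run it against copies of the live files ({\cmdn cp /etc/passwd /etc/group /tmp/check/}) and compare its findings with those of {\cmdn pwck -r} and {\cmdn grpck -r}; note that a missing home directory or unusable shell is only a warning in both, so a login that "works" on paper can still fail for that user.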
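Section~\ref{sec:ulimit} in practice, as an added example that is not from the original module: shell functions showing that a limit binds the child processes of the shell that set it, that a soft limit cannot be raised above the hard limit, and that only root can raise a hard limit once it has been lowered. The function names are this example's own; it assumes a POSIX shell whose {\sco ulimit} accepts {\sco -S} and {\sco -H} (bash and dash both do) and a writable {\fn /tmp}.

```shell
#!/bin/sh
# Added example, not from the GBdirect module: what the soft/hard distinction
# means in practice.  Every demonstration runs in a subshell, so the calling
# shell's own limits are left alone; limits belong to a process and are
# inherited by every process it starts, which is how a ulimit in a login
# script constrains everything the user runs afterwards.

# run_limited CPU FSIZE COMMAND...: run COMMAND under a CPU-seconds ceiling and
# a file-size ceiling (in blocks) with core dumps disabled.  Without -S/-H,
# ulimit sets both the soft and the hard value, so the command cannot undo it.
run_limited() {
    cpu=$1 fsize=$2; shift 2
    ( ulimit -t "$cpu" && ulimit -f "$fsize" && ulimit -c 0 && exec "$@" )
}

# Let a child (dd) try to write past a one-block file-size limit.  Prints the
# size of the file that actually got written: the kernel cuts the write at the
# limit and kills the next one with SIGXFSZ.  One block is 1024 bytes in bash
# and 512 in dash, so the answer is 1024 or 512, never the 16 KiB requested.
demo_file_limit() {
    f=$(mktemp /tmp/ulimit-demo.XXXXXX)
    run_limited 10 1 dd if=/dev/zero of="$f" bs=1024 count=16 2>/dev/null || true
    wc -c < "$f" | tr -d ' '
    rm -f "$f"
}

# Set both open-file limits to 64, then try to push the soft limit back above
# the hard one.  Prints "refused": setrlimit() rejects soft > hard for every
# user, root included.
demo_soft_above_hard() {
    if ( ulimit -n 64 && ulimit -S -n 128 ) 2>/dev/null
    then echo allowed
    else echo refused
    fi
}

# Lower the hard open-file limit, then try to raise it again.  Prints "refused"
# for an ordinary user (the whole point of a hard limit) and "raised" for root,
# who is not bound by it; that is why hard limits protect against users, not
# against a compromised root.
demo_raise_hard() {
    if ( ulimit -n 64 && ulimit -H -n 128 ) 2>/dev/null
    then echo raised
    else echo refused
    fi
}
```

{\sco demo\_raise\_hard} is the one to run twice, once as yourself and once as root, to see the difference; the other two give the same answer for everybody.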
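The procedure of Sections~\ref{sec:quotas-in-fstab} to~\ref{sec:check-report-quotas}, and the third exercise, as one added script that is not part of the original module. The {\fn fstab} functions are plain text processing and can be tried on a copy of the file; {\sco enable\_quotas} wraps the privileged commands in the order the chapter gives them, and {\sco set\_user\_quota} assumes the Linux quota-tools' {\pgn setquota} is installed (the chapter itself describes only {\pgn edquota}). Function names and the constructed {\fn fstab} are this example's own.

```shell
#!/bin/sh
# Added example, not from the GBdirect module: the quota set-up of this chapter
# as a script.  The /etc/fstab handling is plain text processing and is run on
# a constructed copy; enable_quotas() runs the privileged commands (mount,
# quotacheck, quotaon, edquota, repquota) and is only meant to be run as root
# against a real mount point, so nothing here calls it.

# fstab_options FSTAB MOUNTPOINT: print the options (4th) field of the entry
# that mounts MOUNTPOINT, nothing if there is none.  Comment lines are skipped.
fstab_options() {
    awk -v mnt="$2" '!/^[ \t]*#/ && $2 == mnt { print $4 }' "$1"
}

# fstab_has_option FSTAB MOUNTPOINT OPT: succeed if OPT is one of the options.
fstab_has_option() {
    fstab_options "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# add_quota_options FSTAB MOUNTPOINT: print FSTAB with usrquota and grpquota
# added to MOUNTPOINT's options (each only if absent).  Other lines are copied
# through unchanged; the edited line is re-joined with single spaces.
add_quota_options() {
    awk -v mnt="$2" '
        !/^[ \t]*#/ && $2 == mnt {
            n = split($4, o, ","); have_u = 0; have_g = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "usrquota") have_u = 1
                if (o[i] == "grpquota") have_g = 1
            }
            if (!have_u) $4 = $4 ",usrquota"
            if (!have_g) $4 = $4 ",grpquota"
        }
        { print }' "$1"
}

# set_user_quota MOUNTPOINT USER BSOFT BHARD ISOFT IHARD: edquota without the
# editor (setquota ships with the same quota-tools; blocks are 1 KiB units).
# The chapter's example limits:  set_user_quota /usr/users www 8000 10000 3000 4000
set_user_quota() {
    setquota -u "$2" "$3" "$4" "$5" "$6" "$1"
}

# enable_quotas MOUNTPOINT PROTOTYPE_USER [USER...]: the privileged steps.
# Requires root and a mount point already marked in /etc/fstab (see
# add_quota_options); copies PROTOTYPE_USER's limits to any USERs listed.
enable_quotas() {
    mnt=$1; proto=$2; shift 2
    [ "$(id -u)" -eq 0 ] || { echo "enable_quotas: must be root" >&2; return 1; }
    fstab_has_option /etc/fstab "$mnt" usrquota ||
        { echo "enable_quotas: $mnt has no usrquota option in /etc/fstab" >&2; return 1; }
    mount -o remount "$mnt" || return 1   # re-read the fstab options without rebooting
    # Scan usage and build the records; -c creates them (aquota.user/aquota.group
    # with v2 tools).  quotacheck wants the filesystem quiet and tries to remount
    # it read-only while it scans, so run this before users are let back in.
    quotacheck -cugv "$mnt" || return 1
    quotaon -ugv "$mnt" || return 1       # enforcement starts here, not before
    [ $# -eq 0 ] || edquota -p "$proto" "$@"
    repquota -ug "$mnt"                   # confirm what is now in force
}
```

The live test the exercise asks for is then, as the limited user, {\cmdn dd if=/dev/zero of=\~{}/fill bs=1024 count=12000} on a filesystem where the hard limit is 10000 blocks: the write must stop short, and {\cmdn quota -v} must show the block count sitting at the hard limit.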