System Administration II

Slides:



Advertisements
Similar presentations
Linux Users and Groups Management
Advertisements

Lesson 17: Configuring Security Policies
Chapter One The Essence of UNIX.
Introducing the Command Line CMSC 121 Introduction to UNIX Much of the material in these slides was taken from Dan Hood’s CMSC 121 Lecture Notes.
1 Web Server Administration Chapter 3 Installing the Server.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
Linux+ Guide to Linux Certification, Second Edition
Installing software on personal computer
V Avon High School Tech Crew Agenda Old Business –Delete Files New Business –Week 10 Topics: Coming up: –Yearbook Picture: Feb 7 12:20PM.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Lesson 7-Creating and Changing Directories. Overview Using directories to create order. Managing files in directories. Using pathnames to manage files.
V Avon High School Tech Crew Agenda Old Business –Delete Files New Business –Week 9 Topics: Coming up: –Yearbook Picture: Feb 7 12:20PM.
1 Guide to Novell NetWare 6.0 Network Administration Chapter 12.
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
An introduction to Apache. Different Types of Web Servers Apache is the default web server for may Unix servers. IIS is Microsoft’s default web server.
Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.
Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.
Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.
– Introduction to the Shell 10/1/2015 Introduction to the Shell – Session Introduction to the Shell – Session 2 · Permissions · Users.
IOS110 Introduction to Operating Systems using Windows Session 8 1.
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
The In’s and Out’s of the IIS 6.0 Migration Tool The In’s and Out’s of the IIS 6.0 Migration Tool Chris Adams Web Platform Supportability Lead Microsoft.
Adding New Users User as an entity - username(UID), GID. UID - typically a number for system to identify the user. GID – a number that recognizes a set.
IT2204: Systems Administration I 1 6b). Introduction to Linux.
FTP Server and FTP Commands By Nanda Ganesan, Ph.D. © Nanda Ganesan, All Rights Reserved.
Users Greg Porter V1.0, 26 Jan 09. What is a user? Users “own” files and directories Permission based on “ownership” Every user has a User ID (UID) 
There are three types of users in linux  System users: ?  Super user: ?  Normal users: ?
Managing Users  Each system has two kinds of users:  Superuser (root)  Regular user  Each user has his own username, password, and permissions that.
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 13 FTP and Telnet.
Chapter 3 & 6 Root Status and users File Ownership Every file has a owner and group –These give read,write, and execute priv’s to the owner, group, and.
Introduction to System Admin Sirak Kaewjamnong. 2 The system administration’s job  Adding a new user  Doing backup and restoring files from backups.
Fall 2011 Nassau Community College ITE153 – Operating Systems Session 21 Administering User Accounts and Groups 1.
Introduction to Programming Using C An Introduction to Operating Systems.
Lesson 3-Touring Utilities and System Features. Overview Employing fundamental utilities. Linux terminal sessions. Managing input and output. Using special.
1 Day 2 Logging in, Passwords, Man, talk, write. 2 Logging in Unix is a multi user system –Many people can be using it at the same time. –Connections.
SCSC 455 Computer Security Chapter 3 User Security.
FTP COMMANDS OBJECTIVES. General overview. Introduction to FTP server. Types of FTP users. FTP commands examples. FTP commands in action (example of use).
CSC414 “Introduction to UNIX/ Linux” Lecture 6. Schedule 1. Introduction to Unix/ Linux 2. Kernel Structure and Device Drivers. 3. System and Storage.
SPI NIGHTLIES Alex Hodgkins. SPI nightlies  Build and test various software projects each night  Provide a nightlies summary page that displays all.
Installing Applications in FreeBSD lctseng. Computer Center, CS, NCTU 2 Before we start  Permission issue root: the super user Like administrator in.
1Software Development Using KIDS Software Development using KIDS Developed by David Whitten WorldVistA Education Meeting Las Cruces, NM May 2007.
Introduction to AFS IMSA Intersession 2003 Managing AFS Services Brian Sebby, IMSA ‘96 Copyright 2003 by Brian Sebby, Copies of these slides.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
SQL Database Management
SYSTEM ADMINISTRATION PART I by İlker Korkmaz and Kaya Oğuz
© 2002, Cisco Systems, Inc. All rights reserved.
“given enough eyeballs, all bugs are shallow” -Linus Torvald
Overview – SOE Sudo SEP 2014.
Connect:Direct for UNIX v4.2.x Silent Installation
Authentication & .htaccess
Sudoers Meryll Larkin - that's me Why you are here:
Overview – SOE Sudo Dec 2013.
Introduction to Operating Systems
Chapter 11: Managing Users
Overview – SOE Sudo September 2016.
Overview – SOE Sudo November 2015.
Chapter 3 Rootly Powers.
The Linux Operating System
Ubuntu Working in Terminal
Chapter 2 User Management
Linux Users and Groups Management
INSTALLING AND SETTING UP APACHE2 IN A LINUX ENVIRONMENT
Chapter 8 Working with Databases and MySQL
MySQL User Privileges: Grant
User accounts.
Linux Shell Script Programming
User accounts.
Module 13 System and User Security
Rootly Powers Chapter 3.
Presentation transcript:

System Administration II Users and Security Software Management

Users and security Advanced

Quick Review: su

su switch user Temporarily become another user without Notes: logging out logging in as a different user do work as new user log in as the original user try to remember where you were as original user su [options] [commands] [-] [username] Notes: No username  become root - assume attributes of the new user

su Still have to know the password of the new user Have a new environment That of the new user (if – specified) When exited return to previous user Can su within su Considered poor practice Consumes extra resources How many times have you “su’ed” Who are you now? Are you the same user in a higher layer Best to su, do the task and return to base user Start a new su from base if needed

Problem Root authority is required for many System Administration duties Systems can be large and complex  Requires more than 1 person to run Need backup personnel Vacations, sickness, etc  Must share the root ID and password Security problem If an error or sabatage Who did it?

sudo and sudoers

SUDO and SUDOERS The sudo command and the sudoers file work together Allows access as needed to system resources As permitted At the appropriate level What can be accessed Allows tracking of who did what

SUDO Program that allows users to run programs with “elevated” (different) privilages E.g. at the root level Each sysadmin uses their own personal id  Knows who did a command Typically via a log file Each sudo ID can have its own privilages From full root authority To only being able to run a single command with a specific limit on parameters as a specific user

SUDO Installation (Debian) Configuration apt-get install sudo /etc/sudoers Contains who can do what

SUDO Permitted users can execute a commands as a different user As specified in the sudoers file Can be: any user even root Real and effective uid and gid are set to match those of the target user as specified in the passwd file

SUDO sudo requires users authenticate themselves with a password By default the current user's password NOT the other user’s password Once a user has been authenticated, a timestamp is set User may sudo without a password for a short period of time Typically 5 minutes unless overridden in sudoers

SUDO Authorized users are determined from the file /etc/sudoers -v flag updates the time stamp without running a command Password prompt will also time out if the user's password is not entered within 5 minutes Default can be overridden via sudoers An email can be sent if a non-sudoer tries to sudo Defined at configure time or the sudoers file Destination defaults to root -l or -v flags allows users to determine if they can sudo Mail will not be sent if an unauthorized user tries use sudo with these flags

Popular Options -l -k -b -l (list) option will list out the allowed (and forbidden) commands for the user on the current host. -k -k (kill) option to sudo invalidates the user's timestamp by setting the time on it to the epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file. -b -b (background) option tells sudo to run the given command in the background. Note that if you use the -b option you cannot use shell job control to manipulate the process.

Other Options -V -L -h -v -V (version) option causes sudo to print the version number and exit. If the invoking user is already root the -V option will print out a list of the defaults sudo was compiled with as well as the machine's local network addresses. -L -L (list defaults) option will list out the parameters that may be set Defaults line along with a short description for each. This option is useful in conjunction with grep(1). -h -h (help) option causes sudo to print a usage message and exit. -v -v (validate) option will update the user's timestamp Prompts for the user's password if necessary Extends the sudo timeout for another 5 minutes Or whatever the timeout is set to in sudoers Does not run a command

Other Options -K -K (sure kill) option to sudo removes the user's timestamp entirely. Likewise, this option does not require a password. -p -p (prompt) option allows you to override the default password prompt and use a custom one. If the password prompt contains the %u escape, %u will be replaced with the user's login name. Similarly, %h will be replaced with the local hostname. -u -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a username, use #uid.

Other Options -c -c (class) option causes sudo to run the specified command with resources limited by the specified login class. class argument can be either a class name as defined in /etc/login.conf, or a single '-' character. Specifying a class of - indicates that the command should be run restricted by the default login capabilities for the user the command is run as. If the class argument specifies an existing user class, the command must be run as root, or the sudo command must be run from a shell that is already root. This option is only available on systems with BSD login classes where sudo has been configured with the --with-logincap option. -a -a (authentication type) option causes sudo to use the specified authentication type when validating the user, as allowed by /etc/login.conf. The system administrator may specify a list of sudo-specific authentication methods by adding an ``auth-sudo'' entry in /etc/login.conf. This option is only available on systems that support BSD authentication where sudo has been configured with the --with-bsdauth option.

Other Options -s -H -P -S -- -s (shell) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified in passwd(5). -H -H (HOME) option sets the HOME environment variable to the homedir of the target user (root by default) as specified in passwd(5). By default, sudo does not modify HOME. -P -P (preserve group vector) option causes sudo to preserve the user's group vector unaltered. By default, sudo will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. -S -S (stdin) option causes sudo to read the password from standard input instead of the terminal device. -- -- flag indicates that sudo should stop processing command line arguments. It is most useful in conjunction with the -s flag.

Return Values sudo will the return value of the program that was executed Only if the program successfully executes sudo quits with an exit value of 1 if: there is a configuration/permission problem sudo cannot execute the given command An error string is sent to stderr sudo cannot stat one or more entries in the user's PATH an error is printed on stderr the directory does not exist or if it is not really a directory The entry is ignored and no error is printed This should not happen under normal circumstances. The most common reason for stat to return ''permission denied'' is if an automounter is running and one of the directories in the PATH is on a machine that is currently unreachable

SUDO sudo can log both successful and unsuccessful attempts (as well as errors) to: syslog a log file or both By default sudo will log via syslog Changeable at configure time Via the sudoers file

sudoers file – simple example Example sudo entries with all four fields: superadm ALL=(ALL) ALL superadm ALL=(ALL:ALL) ALL First field specifies user that will be granted privileges for some command(s) superadm in this case Second field is rarely used It's a list of hostnames on which this sudo entry will be effective. On standard setups only localhost is relevent so this field is usually left as ALL Fourth (last) field is the list of commands superadm will be able to run with elevated privileges ALL means all commands Otherwise use a comma separated list of commands Third field specifies which users (and groups) the superadm user will be able to run the following commands as Optional and written within the () (ALL:ALL) specifies user:group ALL means anyone can be chosen (unrestricted). If this field is omitted, it means the same as (root).

sudoers examples operator ALL= /sbin/poweroff the UID operator to run the command poweroff from any terminal pete boa = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root pete may change passwords from the boa host for any purely alphabetic id but not root jill viking, queen = (operator) /usr/local/op_commands/ jill can run any command in the directory /usr/local/op_commands/ as user operator from the viking and queen hosts

sudoers aliases Sudo supports aliases for: users -> User_Alias run commands as other users -> Runas_Alias host -> Host_Alias command -> Cmnd_Alias User_Alias OPERATORS = joe, mary, jude Runas_Alias OP = root, operator Host_Alias OFNET = 10.1.2.0/255.255.255.0 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Where: User alias OPERATORS includes the users joe, mary and jude Run alias OP includes the users root and operator, Host alias OFNET includes the network 10.1.2.0 (the /24 subnet) Command alias PRINTING includes the commands lpc and lprm

Sample sudoders file User_Alias OPERATORS = joe, mary, jude Runas_Alias OP = root, operator Host_Alias OFNET = 10.1.2.0/255.255.255.0 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm OPERATORS ALL=ALL # users in the OPERATORS group can run any command from any terminal linus ALL=(OP) ALL # linus can run any command from any terminal as any user in the OP group # (root or operator) user2 OFNET=(ALL) ALL # user2 may run any command from any machine in the OFNET network, as any user user3 ALL= PRINTING # user3 may run lpc and lprm from any machine go2linux ALL=(ALL) ALL # go2linux may run any command from any machine acting as any user

sudo oddities sudo works on programs  cannot su cd /path Solution: sudo –i Elevate to root Starts a new shell, root since no ID specified Run your command(s) End with <ctrl-D>

Sudoers Manual Sudoers directives can get as complicated as you need This was just a simple introduction Here is a site with more gory details: http://www.gratisoft.us/sudo/sudoers.man.html

Sudo Summary sudo and sudoers was created to: Allow certain users to run as other users with specific restrictions Can be set up so root is not required or even allowed System can still be maintained Can track who made each change Requires a unique id per system admin Note: Ubuntu installs with root disabled

Use sudo to Make executing root commands easier Make it easier for users to use new commands Restrict and track who has run sensitive commands Understand how Ubuntu works Use su, it’s easier

Program management

Installing and Maintaining Software Software on a system must be maintained: Correct installation of new software Updating of existing software Removal of unneeded data/software Task automated by: Installer Package management system

package manager (package management system) For software it is a collection of tools that automates the process of installing upgrading configuring removing Packages contain metadata consisting of: software's name description of its purpose checksum version number vendor list of dependencies After installation the metadata is stored in a local package database Maintains a database of software dependencies and version information Prevents software mismatches and missing prerequisites

Package Management System Many varieties depending on base OS 2 main Linux styles Debian dpkg – base tool apt – cli interface synaptic – gui interface Red Hat yum – base tool Has a cli PackageKit – gui interface

Windows Windows Installer Package Manager InstallShield Old school Windows XP, Server 2003, Server 2008… Package Manager Comes with Vista and later Install/remove hotfixes Enable/disable services Use an answer file Do multiple installs/uninstalls with one command InstallShield #1 vendor install tool Complete toolset to "productize, bundle and install" prodcuts MSI format Virtual Format Old school setup.exe or install.exe Custom script to install program

Package Management System PMS vs. Installer Package Management System Installer Typically part of the operating system. Each product comes bundled with its own installer. Uses a single installation database. Performs its own installation, sometimes recording information about that installation in a registry. Can verify and manage all packages on the system. Only works with its bundled product. Single package management system vendor. Multiple installer vendors. Single package format. Multiple installation formats.

Last Notes Cross Platform installers exist InstallAnywhere Windows NT, mas OS, Unix-like Installer VISE Winddows, Mac OS X InstallJammer Windows, Linux, Unix-like and others…

Package Managers Make installing easier Make updating easier Make removing programs easier All of the above None of the above