Systems Administration CSCI Fall 2016


Systems Administration CSCI 6175.01 Fall 2016 User and Group permissions

Creating groups and user accounts

Users and groups are used on Linux for access control, that is, to control access to the system's files, directories, and peripherals. Linux offers relatively simple, coarse access control mechanisms by default. For more advanced options, see ACL and the PAM configuration how-tos.

A user is anyone who uses a computer. Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use the su and sudo programs for controlled privilege escalation.

Any individual may have more than one account, as long as they use a different name for each account they create. Further, there are some reserved names which may not be used, such as "root". Users may be grouped together into a "group", and users may be added to an existing group to utilize the privileged access it grants.

Information referenced here from: https://wiki.archlinux.org/index.php/Users_and_groups

In UNIX, everything is a file.

Permissions and Ownership

Every file on a Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. A file's owners and permissions can be determined by viewing the long listing format of the ls command:

    $ ls -l /boot/
    total 13740
    drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
    -rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
    -rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
    -rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
    -rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux

In this listing the owner (third column) is root and the group (fourth column) is root.

Permissions and Ownership: Linux

    Symbolic Notation   Numeric Notation   Description
    ----------          0000               no permissions
    -rwx------          0700               read, write, & execute only for owner
    -rwxrwx---          0770               read, write, & execute for owner and group
    -rwxrwxrwx          0777               read, write, & execute for owner, group and others
    ---x--x--x          0111               execute
    --w--w--w-          0222               write
    --wx-wx-wx          0333               write & execute
    -r--r--r--          0444               read
    -r-xr-xr-x          0555               read & execute
    -rw-rw-rw-          0666               read & write
    -rwxr-----          0740               owner can read, write, & execute; group can only read; others have no permissions

Modifying group and user permissions: Linux

Changing permissions and ownership with the chmod command

Add user read, write, execute permissions to a file
    chmod u+rwx file    (adds rwx for the owner; group and other bits are left as they were)
    chmod 700 file      (sets the mode to exactly rwx------)

Remove all write permissions
    chmod -w file       (with no u/g/o/a given, bits set in the umask are not affected; use a-w to clear all three write bits)
    chmod 555 file      (sets the mode to exactly r-xr-xr-x)

Changing permissions and ownership for Linux

    #   Permission                rwx
    7   read, write and execute   rwx
    6   read and write            rw-
    5   read and execute          r-x
    4   read only                 r--
    3   write and execute         -wx
    2   write only                -w-
    1   execute only              --x
    0   none                      ---
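Added example (not part of the original slides): a shell script that decodes the ls -l mode string into the numeric notation from the tables above, then uses it to show what each chmod form from the earlier slide actually leaves on a file. The function names, the temporary file and the fixed umask of 022 are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the slides. File names and the temp directory are
# constructed; only r, w and x bits are decoded (no setuid/setgid/sticky).

# Convert a 10-character ls mode string (-rwxr-----) to numeric form (0740).
sym_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    out=0
    for start in 1 4 7; do
        triad=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case "$triad" in r??) digit=$((digit + 4)) ;; esac
        case "$triad" in ?w?) digit=$((digit + 2)) ;; esac
        case "$triad" in ??x) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# Current mode of a file, read from the first column of ls -l.
mode_of() {
    sym_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# Create a scratch file with mode $1, apply chmod mode $2, print the result.
# The umask is pinned to 022 so the output does not depend on the caller.
chmod_result() {
    (
        umask 022
        dir=$(mktemp -d) || exit 1
        f="$dir/sample"
        : > "$f"
        chmod "$1" "$f"
        # GNU chmod exits non-zero when the umask stopped it clearing a bit.
        chmod "$2" "$f" 2>/dev/null || true
        mode_of "$f"
        rm -rf "$dir"
    )
}

demo() {
    echo "0664 then chmod u+rwx -> $(chmod_result 664 u+rwx)"
    echo "0664 then chmod 700   -> $(chmod_result 664 700)"
    echo "0666 then chmod -w    -> $(chmod_result 666 -w)"
    echo "0666 then chmod a-w   -> $(chmod_result 666 a-w)"
    echo "0666 then chmod 555   -> $(chmod_result 666 555)"
}

demo
```

The third line of output is the one to check on shared systems: with a umask of 022, a bare -w leaves the group and other write bits in place.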

Modifying group and user permissions: Linux

File ownership using the chown command

Change/set file ownership
    chown user:group file

Change ownership recursively and suppress messages
    chown -Rf user:group file

Change/set/add groups
    groupadd group_name

Examples:
    # groupadd -g 1040 accounting      # add group with 1040 as group id (gid)
    # grep 1040 /etc/group             # list group in group file
    accounting:x:1040:
    # groupdel accounting              # delete group accounting

Modifying group and user permissions: Linux

Change/set/add users (local)

    # useradd -m -g initial_group -G additional_groups -s login_shell username

Examples:
    # useradd jimmy                    # add user jimmy
    # grep jimmy /etc/passwd           # list user in password file
    jimmy:x:504:506::/home/jimmy:/bin/bash
    # grep jimmy /etc/group
    jimmy:x:506:
    # useradd -g 100 -c "Robert B" bob # add user with gid=100
    # grep bob /etc/passwd
    bob:x:505:100:Robert B:/home/bob:/bin/bash
    # grep bob /etc/group
    bob:x:100:
    # userdel -r username              # delete user including home directory and mail spool
    # usermod -d /my/new/home -m username   # change user's home directory
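Added example (not part of the original slides): the empty member field in jimmy:x:506: above does not mean the group has no members, because primary membership is recorded as the GID in /etc/passwd. This script resolves both kinds of membership and lists UID 0 accounts; it runs against constructed sample files that reuse the slide entries, and the user alice, the accounting member list and all function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the slides. It reads passwd- and group-format files
# passed as arguments, so it can be pointed at /etc/passwd and /etc/group.

# Write constructed sample files into directory $1.
make_samples() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jimmy:x:504:506::/home/jimmy:/bin/bash
bob:x:505:100:Robert B:/home/bob:/bin/bash
alice:x:506:100::/home/alice:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
bob:x:100:
jimmy:x:506:
accounting:x:1040:jimmy,alice
EOF
}

# members_of GROUP PASSWD_FILE GROUP_FILE
# Prints a comma-separated list of users whose primary GID is the group's GID
# plus users named in the group's member field.
members_of() {
    awk -F: -v g="$1" '
        FNR == NR {                       # first file: the group file
            if ($1 == g) { gid = $3; n = split($4, extra, ",") }
            next
        }
        gid != "" && $4 == gid { print $1 }   # primary group, from passwd
        END { for (i = 1; i <= n; i++) print extra[i] }
    ' "$3" "$2" | sort -u | paste -sd, -
}

# Accounts with UID 0 have root's access whatever their name is.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1" | paste -sd, -
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    echo "accounting: $(members_of accounting "$tmp/passwd" "$tmp/group")"
    echo "bob (gid 100): $(members_of bob "$tmp/passwd" "$tmp/group")"
    echo "uid 0: $(uid0_accounts "$tmp/passwd")"
    rm -rf "$tmp"
}

demo
```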

Modifying group and user permissions: Windows

1) Log into Windows as an administrator.
2) Right-click on the file or folder you want to change permissions for.
3) Select "Properties."
4) Click the "Security" tab.
5) Click the "Edit" button.
6) Click the "Add" button to add a new user or group to the list.
7) Select the user that you want to change permissions for.
8) Check the boxes for the permissions you want to add for that user or group.

Modifying group and user permissions: Windows (continued)

9) Adjust your settings if the boxes are grayed out. If you aren't able to change any of the permissions, you may have to adjust some settings:
   - Click the "Advanced" button in the Security tab.
   - Select your user and click "Change Permissions/Edit."
   - Uncheck "Include inheritable permissions from this object's parent."
   - Save your changes. You should now be able to check the permissions boxes.
10) Click "Apply" to save your changes.

Changing Windows permissions: Standard Permissions

Files:
- Modify
- Read & Execute
- Read
- Write

Changing Windows permissions: Advanced Permissions

- Full Control
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes
- Delete
- Read Permissions
- Change Permissions
- Take Ownership

Change/set/add Windows Groups (local)

To create a Windows group:
1) On the desktop, right-click My Computer, and then click Manage.
2) In the Computer Management window, under System Tools, expand Local Users and Groups.
3) Right-click Groups, and then click New Group.
4) In the New Group dialog box: enter group name -> enter description -> click Add -> enter members -> click Create -> click Close.

Change/set/add Windows Users (local)

To create a Windows user:
1) On the desktop: click Start -> click Control Panel.
2) In the Control Panel: click User Accounts -> click Add or remove user accounts -> click Add a new user -> follow the prompts to add users.

Modifying group and user permissions: AD, Group Policy

Adding groups with Active Directory

To create a group account in Active Directory on the Domain Controller:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, expand <domain name>.com.
3. In the console tree, right-click the folder in which you want to add a new group.
4. Click New, and then click Group.
5. Type the name of the new group. Use a name that you can easily associate with the role or service for which you are creating the group.
6. In the New Object - Group dialog box, do the following:
   a. In Group scope, click Global scope.
   b. In Group type, click Security.
7. Click Finish.
8. Repeat steps 3 through 7 for any remaining groups to add.

Modifying group and user permissions: AD, Group Policy

Creating users with Active Directory

To create a user account:
1. On Server, click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.
2. In the details pane, right-click the folder in which you want to add a user account.
   Where? Active Directory Users and Computers / domain node / folder
3. Point to New, and then click User.
4. In First name, type the user's first name.
5. In Initials, type the user's initials.
6. In Last name, type the user's last name.
7. Modify Full name to add initials or reverse the order of first and last names.
8. In User logon name, type the user logon name. Click Next.
9. In New Object - User, in Password and Confirm password, type the user's password, and then select the appropriate password options.
10. Click Next, review the new user account settings, and then click Finish.

Modifying group and user permissions: AD, Group Policy

Configuring Windows User Rights

Microsoft defines user rights in two categories: Logon Rights and Privileges. These are defined as follows:
- Logon Right: A user right that is assigned to a user and specifies the ways in which a user can log onto a system. An example of a logon right is the right to log on to a system remotely.
- Privilege: A user right that is assigned to a user and specifies allowable actions on the system. An example of a privilege is the right to shut down a system.

Configuring Windows User Rights: Assigning User Rights

User rights are assigned through the Local Policies node of Group Policy. As the name implies, local policies pertain to a local computer. However, local policies can be configured and then imported into Active Directory. Local policies can also be configured as part of an existing Group Policy for a site, domain, or organizational unit. When this is done, the local policies will apply to computer accounts in the site, domain, or organizational unit.

Configuring Windows User Rights

User rights policies can be administered as follows:
1) Log on using an administrator account.
2) Open the Active Directory Users and Computers tool.
3) Right-click the container holding the domain controller and click Properties.
4) Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.
5) In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.
6) Select User Rights Assignment.
7) To configure user rights assignment, double-click a user right or right-click on it and select Security. This opens a Security Policy Setting dialog box.
8) Open the Security Policy Setting dialog box for the user right to be modified.
9) Select Define these policy settings to define the policy.
10) To apply the right to a user or group, click Add.

Configuring Windows User Rights (continued)

11) In the Add user or group dialog box, click Browse. This opens the Select Users Or Groups dialog box. The right can now be applied to users and groups:
    - Check Name for available accounts
    - Add selected names to list
    - Check Names to validate a user or group entered into list

Modifying group and user permissions: AD, Group Policy

How to apply a Group Policy Object to individual users or computers

Select the Group Policy Object in the Group Policy Management Console (GPMC), click on the "Delegation" tab, and then click on the "Advanced" button.

Select the "Authenticated Users" security group, scroll down to the "Apply Group Policy" permission, and un-tick the "Allow" security setting.

Now click on the "Add" button and select the group (recommended) that you want to have this policy apply to. Then select the group (e.g. "Accounting Users"), scroll the permission list down to the "Apply group policy" option, and tick the "Allow" permission.

This Group Policy will now only apply to users or computers that are members of the Accounting Users security group. However, you still need to remember that the user and/or computer still needs to be located under the scope of the Group Policy Object for this policy to be applied.

Q&A