Published by Charles Hicks. Modified over 9 years ago.
1
The Saigon CTT Chapter 10 Managing Users
2
Objectives
- Define the requirements for user accounts
- Explain group and group accounts
- Construct configuration files (group, passwd, shadow)
- Demonstrate adding users
- Describe modifying user details
- Explain user passwords
- Demonstrate deleting users
3
New User Requirements
When adding a new user, you need to be familiar with the files passwd, shadow, group and gshadow under the /etc directory:
- /etc/passwd contains information about all users: login name, user ID, group ID, descriptive name, home directory, login shell
- /etc/shadow stores the parameters that control account access: the user's password hash and password aging information
- /etc/group contains information about users' groups
- /etc/gshadow stores the group's password hash, … (rarely used)
4
Preparing Groups
- Carefully constructed groups are very useful to users who are all working in the same department or project
- Groups not only allow for a second level of access control but also allow the members of a group to share files in a secured environment
- Each line in the /etc/group file corresponds to a group
- Commands to modify groups: groupadd, groupmod, groupdel
5
The /etc/passwd File
Each line in this file corresponds to a user and has the following form:
    name:password:UID:GID:comment:home directory:shell

    # more /etc/passwd
    root:x:0:0:Super User:/root:/bin/bash
    henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
    ...
6
Allocating User IDs
- All Linux systems come with several pre-configured administrative users that are intended to perform certain administrative work. They are typically assigned UIDs less than 100: root, bin, daemon, sys, adm, lp, …
- Systems with administration tools allocate UIDs automatically, in general greater than 100
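The record format and UID conventions from the two slides above can be checked mechanically. The following is an added example, not part of the original presentation; the finding labels (BADLINE, UID0, DUPUID, SYSSHELL, NOSHADOW) and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: audit a passwd-format file.
# Usage: audit_passwd [FILE]   (reads stdin when FILE is omitted)
# Prints one finding per line as TYPE:detail.
audit_passwd() {
    awk -F: '
        # A valid record has exactly seven colon-separated fields.
        NF != 7 { print "BADLINE:" NR; next }
        # Any UID 0 account has full root privileges, whatever its name.
        $3 == 0 && $1 != "root" { print "UID0:" $1 }
        # Two names sharing a UID are the same user to the kernel.
        seen[$3] != "" { print "DUPUID:" $1 "=" seen[$3] }
        seen[$3] == "" { seen[$3] = $1 }
        # Pre-configured accounts (UID below 100) should not have a login shell.
        $3 > 0 && $3 < 100 && $7 ~ /\/(ba|k|c|z)?sh$/ { print "SYSSHELL:" $1 }
        # Anything but "x" means the password (or its absence) is kept here,
        # in a world-readable file, instead of in /etc/shadow.
        $2 != "x" { print "NOSHADOW:" $1 }
    ' "${1:--}"
}

# Constructed sample data (hypothetical accounts, not a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
toor:x:0:0:backup admin:/root:/bin/bash
majorh::101:101::/home/majorh:/bin/bash
broken:x:102
EOF
}

sample_passwd | audit_passwd
```

On a live system, run it as audit_passwd /etc/passwd; an empty result means none of these checks fired.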
7
Adding Users
- The useradd utility is recommended for administering users. It creates the required records in /etc/passwd and /etc/shadow
- A list of options can be used with useradd to override defaults:
    -u UID          Specify new user ID (default: next available number)
    -g GID          Specify default (primary) group (default: other group)
    -c comment      Description of user (default: blank)
    -d directory    Define home directory (default: /home/username)
    -m              Make home directory
    -k skel_dir     Skeleton directory (default: /etc/skel)
    -s shell        Specify login shell (default: /bin/bash)
8
Changing User Attributes
If you edit the files manually, you risk corrupting them, leaving users unable to log in at all. Instead, use the usermod utility:
    # usermod -g users -c "Henry Blake" henry
    # usermod -u 321 -s /bin/ksh majorh
    # usermod -f 10 henry
    # usermod -e 2004-12-20 majorh
9
Changing Group Membership
- Each user belongs to a primary group, which can be changed with usermod -g
- A user can also belong to secondary groups, controlled with usermod -G
    # grep blofeldt /etc/passwd
    blofeldt:x:416:400::/home/blofeldt:/bin/bash
    # groups blofeldt
    blofeldt : mash
    # groupadd -g 600 fleming
    # usermod -G fleming blofeldt
    # grep blofeldt /etc/group
    fleming:x:600:blofeldt
10
Removing Users
When a user leaves, there are two main concerns:
- Protect the system from unauthorized access via his/her account
- Protect and manage his/her files and directories left on the system
The userdel command takes care of removing a user account. userdel can remove the user's home directory but does not remove the user's mail, crontab table, atd queues, …
11
Removing Users - userdel
Command format:
    userdel [option]
    -r    This option will remove the home directory
12
To safely remove a user from a system:
1. Lock the account password until you are ready to remove it altogether (use the chage command)
    # chage -E 1999-01-01 henry
2. Save all files owned by the user somewhere outside the home directory
    # find / -user henry -print | cpio -ov | gzip >/hold/henry
    # find / -user henry -type f -exec rm -f {} \;
    # find / -depth -user henry -type d -exec rmdir {} \;
13
To safely remove a user from a system:
3. Change the access permissions on the saved files to root only
    # chown root /hold/henry ; chmod 700 /hold/henry
4. Consider crontab and at jobs set up by the user
5. Set up mail forwarding to send mail to a manager
14
Security
Use the passwd command to change the password:
    # passwd henry
    current password :
    new password:
    retype new password:
Choosing a password:
- Do not use proper words or names
- Use letters and digits
- Include symbols: !, @, #, $, %, …
Do not allow the guest account to log in to your system
15
The /etc/shadow File
If shadow passwords are used, encrypted passwords are stored in this file:
    name:password:lastchange:min:max:warn:inactive:expire:flag

    name          User login name, mapped to /etc/passwd
    password      Encrypted password. If this field is blank, then there is no password; "*": account is locked, …
    lastchange    Day of the last password change, counted in days from 1/1/70
    min           Minimum number of days between password changes
    max           Maximum number of days the password is valid
    warn          Number of days before expiration that the user will be warned
    inactive      Number of inactivity days allowed for this user
    expire        Absolute date, beyond which the account will be disabled
16
Account Security
Actions you can take to improve security:
- Use a preset expiration date for temporary employees
    # usermod -e 2003-12-20 henry
- Use inactivity counts to lock unused accounts
    # usermod -f 5 henry
- Change passwords known by someone who leaves. If they know the root password, change ALL passwords
17
Account Security
Password aging with the chage command:
    chage [options]
Options:
    -m    Minimum days
    -M    Maximum days
    -d    Day last changed
    -I    Inactive lock
    -E    Expiration (YYYY-MM-DD or MM/DD/YY)
    -W    Warning days
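The /etc/shadow fields and the aging settings from the slides above can be audited together. This is an added example, not part of the original presentation; the finding labels and sample records are assumptions, and it follows shadow(5) in treating expire as a day count since 1/1/70 and inactive as a grace period after the password expires.

```shell
#!/bin/sh
# Added example, not from the slides: audit a shadow-format file.
# Usage: audit_shadow TODAY [FILE]   (TODAY = days since 1970-01-01;
#        reads stdin when FILE is omitted). Needs root for /etc/shadow.
audit_shadow() {
    awk -F: -v today="$1" '
        NF < 8 { print "BADLINE:" NR; next }
        # Blank password field: the account can be used with no password.
        $2 == "" { print "EMPTYPW:" $1; next }
        # "*" or a leading "!" cannot match any hash, so password login is locked.
        $2 ~ /^[*!]/ { print "LOCKED:" $1; next }
        # Account expiry date (as set by usermod -e or chage -E) has passed.
        $8 != "" && today >= $8 { print "EXPIRED:" $1 }
        # No effective maximum age: the password never has to change.
        $5 == "" || $5 >= 99999 { print "NOAGING:" $1; next }
        # Password older than max; after the inactive period no login is possible.
        $3 != "" && today > $3 + $5 {
            if ($7 != "" && today > $3 + $5 + $7) print "DISABLED:" $1
            else print "PWEXPIRED:" $1
        }
    ' "${2:--}"
}

# Current day number, for use on a live system.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Constructed sample data; HASH_PLACEHOLDER stands in for a real hash.
sample_shadow() {
    cat <<'EOF'
root:HASH_PLACEHOLDER:19700:0:99999:7:::
henry:HASH_PLACEHOLDER:19705:0:90:7:10::
majorh:HASH_PLACEHOLDER:19790:0:90:7:5:19750:
guest::19000:0:99999:7:::
lp:*:18000:0:99999:7:::
blofeldt:HASH_PLACEHOLDER:19500:1:60:7:5::
EOF
}

# Day 19800 is fixed here so the sample output is reproducible.
sample_shadow | audit_shadow 19800
```

On a live system, run it as root with audit_shadow "$(today_days)" /etc/shadow.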
18
Summary
- Define the requirements for user accounts
- Explain group and group accounts
- Construct configuration files (group, passwd, shadow)
- Demonstrate adding users
- Describe modifying user details
- Explain user passwords
- Demonstrate deleting users