SUSE Linux Enterprise Desktop Administration Chapter 9 Manage Users, Groups, and Permissions.

Presentation on theme: "SUSE Linux Enterprise Desktop Administration Chapter 9 Manage Users, Groups, and Permissions."— Presentation transcript:

1 SUSE Linux Enterprise Desktop Administration Chapter 9 Manage Users, Groups, and Permissions

2 Objectives
Objective 1—Understand the Multiuser Environment
Objective 2—Manage User and Group Accounts
Objective 3—Manage File Permissions and Ownership
Objective 4—Perform Tasks as a Different User
Objective 5—Use Encrypted File Systems

3 Objective 1—Understand the Multiuser Environment
Multiuser capability
– Allows a number of users to use the system simultaneously
Multitasking capability
– Allows programs to run simultaneously
Implementation of a multiuser and multitasking system
– Only appears to be simultaneous on a single-processor system
– Advantage: the time a process spends waiting for input or output can be used by other processes

4 Objective 1—Understand the Multiuser Environment (continued)
UNIX implements preemptive multitasking
– Each process is allowed a certain amount of time during which it can work
– When this time has expired, the operating system temporarily stops the execution of that process and executes another process that is waiting to run
– UNIX controls this sharing of processing time, which prevents one process from hijacking the processor
The OS coordinates access to the resources
– Only one process can be granted access at a time
– This coordination task is very complex

5 Objective 1—Understand the Multiuser Environment (continued)
Figure 9-1 Two or more processes need the same resources exclusively

6 Objective 1—Understand the Multiuser Environment (continued)
Multithreading
– An extension of multitasking that helps solve this problem
– A number of parts independent from one another (threads) can be created within a process
– Increases the level of parallelism with each thread
A program exists only once in the system
– However, there can be several processes executing the same program

7 Objective 2—Manage User and Group Accounts
You can manage users and groups with YaST or with command-line tools
To do this, you need to understand the following:
– Basics About Users and Groups
– Manage User and Group Accounts with YaST
– Manage User and Group Accounts from the Command Line
– User and Group Configuration Files

8 Basics About Users and Groups
A UNIX system must be able to uniquely identify all users
Every user must log in with a username and a password
Users are represented internally as numbers
– The number that a user receives is a UID (User ID)
A Linux system has three kinds of users:
– Regular (normal) user
– System user
– The root user

9 Basics About Users and Groups (continued)
Users can be grouped together based on shared characteristics or activities
As with users, each group is also allocated a number internally, called the GID (Group ID)
The GID can be one of the following types:
– Normal groups—GID 100 and above
– System groups—GIDs from 1 to 99, used by system services
– Root group—GID 0

10 Manage User and Group Accounts with YaST
You can access YaST user and group account administration in the following ways:
– User administration
– Group administration
If you selected LDAP for authentication during the installation
– You are prompted for the LDAP server administrator password

11 Manage User and Group Accounts with YaST (continued)
User administration
– With the Users button selected, the User and Group Administration window lists the existing user accounts
  See Figure 9-2
– To create a new user account or edit an existing account, select Add or Edit
  See Figure 9-3
– To set the properties of the user, select the Details tab
  See Figure 9-4

12 Figure 9-2 User administration

13 Figure 9-3 Create a new user account

14 Figure 9-4 Set user properties

15 Manage User and Group Accounts with YaST (continued)
User administration (continued)
– To set various password parameters, select the Password Settings tab
  See Figure 9-5
Set Defaults for New User Accounts
– You can use YaST to select default settings to be applied to new user accounts
– See Figure 9-6
– The values are written to the file /etc/default/useradd

16 Figure 9-5 Set user password properties

17 Figure 9-6 Set defaults for new user accounts

18 Manage User and Group Accounts with YaST (continued)
Group Administration
– To administer groups, start YaST and select Security and Users > Group Management
  See Figure 9-7
– You can create a new group or edit an existing group by selecting Add or Edit
  See Figure 9-8

19 Figure 9-7 Group administration

20 Figure 9-8 Create a new group or edit an existing one

21 Manage User and Group Accounts from the Command Line
Manage User Accounts from the Command Line
– The user root can use the following commands:
  useradd to create a new user account
  passwd to change a user's password
  userdel to delete an existing user account
  usermod to modify settings for an existing user account
– Standard configuration information is derived from the /etc/default/useradd and /etc/login.defs files

22 Manage User and Group Accounts from the Command Line (continued)
Manage User Accounts from the Command Line (continued)
– The passwd command can also be used to:
  Lock a user account
  Show the status of a user account
  Change password times
Table 9-1 Options for changing password times

23 Manage User and Group Accounts from the Command Line (continued)
Manage User Accounts from the Command Line (continued)
– The /etc/default/passwd file is checked for the encryption method to be used
  The encryption method is set in the variable CRYPT
– You can use the id command in a terminal window
  To display information about a user's UID and which groups the user is assigned to

24 Manage User and Group Accounts from the Command Line (continued)
Manage Groups from the Command Line
– You can use the following commands:
  groupadd to create a new group
  groupdel to delete a group
  groupmod to modify the settings for an existing group
  gpasswd to change passwords for group accounts
– If you want information on the groups in which you are a member, enter groups
– The newgrp command allows you to change the effective group of the executing user

25 User and Group Configuration Files
/etc/passwd
– Stores information for each user, such as the username, the UID, the home directory, and the login shell
– In the past, it also contained the encrypted password
  The encrypted password is now stored in /etc/shadow, which is readable only by root and members of the group shadow
– Each line in the file represents one user
  See Figure 9-9

26 User and Group Configuration Files (continued)
Figure 9-9 Information contained in each line of the /etc/passwd file

27 User and Group Configuration Files (continued)
/etc/shadow
– Stores encrypted user passwords and password expiration information
– Can only be changed by the user root, and read by the user root and members of the group shadow
– Each line in the file belongs to one user
  See Figure 9-10

28 User and Group Configuration Files (continued)
Figure 9-10 Information contained in each line of the /etc/shadow file

29 User and Group Configuration Files (continued)
/etc/group
– Stores group information
– Each line in the file represents a single group record and contains the group name, the GID, and the members of the group
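Slides 25 to 29 describe the field layout of /etc/passwd and /etc/shadow. The following POSIX shell script, added here and not part of the course, walks constructed records in that layout and flags what an administrator checks when auditing them: more than one UID 0 account, empty password fields, and locked or disabled accounts. The sample records, the hashes, and every user name other than root, geeko and tux are made up.

```shell
#!/bin/sh
# Added example (not from the course). Constructed sample data: on a real system
# you would read /etc/passwd and, as root or a member of group shadow, /etc/shadow.
# passwd layout: name:x:UID:GID:comment:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
geeko:x:1000:100:Geeko Chameleon:/home/geeko:/bin/bash
tux:x:1001:100:Tux Penguin:/home/tux:/bin/bash
svcadm:x:0:0:service admin:/home/svcadm:/bin/bash'
# shadow layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$constructed$hash1:15000:0:99999:7:::
messagebus:*:15000::::::
geeko:!$6$constructed$hash2:15000:0:90:7:::
tux::15000:0:99999:7:::
svcadm:$6$constructed$hash3:15000:0:99999:7:::'

# Classify a GID with the ranges from the "Basics About Users and Groups" slide.
classify_gid() {
    if [ "$1" -eq 0 ]; then echo root
    elif [ "$1" -lt 100 ]; then echo system
    else echo normal
    fi
}

# What the second /etc/shadow field means for login:
#   empty   -> no password is needed at all (unless PAM forbids empty passwords)
#   locked  -> hash prefixed with "!", as passwd -l does
#   nologin -> "*", not a valid hash, so password login is impossible
#   set     -> an ordinary hash
shadow_status() {
    hash=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case $hash in
        "")   echo empty ;;
        "!"*) echo locked ;;
        "*")  echo nologin ;;
        *)    echo set ;;
    esac
}

# Number of accounts with UID 0; anything above 1 is a second root account.
count_uid0() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 { n++ } END { print n + 0 }'
}

# One report line per account: name, UID, GID class, password state, shell.
audit_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r name pw uid gid comment home shell; do
        printf '%-10s uid=%-5s group=%-7s password=%-7s shell=%s\n' \
            "$name" "$uid" "$(classify_gid "$gid")" "$(shadow_status "$name")" "$shell"
    done
}

audit_accounts
echo "UID 0 accounts: $(count_uid0)"
```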

30 Exercise 9-1: Manage User Accounts with YaST and Get User and Group Information from the Command Line
In this exercise, you first create and remove a user account with the YaST User Management module
Perform the following tasks:
– Create a new account labeled tux for the user Tux Penguin with the password novell
– Log in as the new user tux
– Open the /etc/passwd file and look for the entries for geeko and tux
– Log in as geeko and remove tux's account using YaST

31 Objective 3—Manage File Permissions and Ownership
You can change the current values associated with ownership and permissions by knowing how to do the following:
– Understand File Permissions
– Change File Permissions with chmod
– Change File Ownership with chown and chgrp
– Modify Default Access Permissions
– Configure Special File Permissions

32 Understand File Permissions
ls -l command
– Displays the contents of the current directory, along with the assigned permissions for each file or subdirectory
Each file (and directory) can belong to only one user and one group
You can also view the permissions, owner, and group from the Nautilus file manager

33 Figure 9-11 File properties in the Nautilus file manager

34 Change File Permissions with chmod
You can use the chmod command to add or remove permissions
The following options can be used to change the permissions:
– u—Change permissions for the owner (user)
– g—Change permissions for the group
– o—Change permissions for others
– a—Change permissions for all (owner, group, and others)

35 Change File Permissions with chmod (continued)
Table 9-2 Examples of the chmod command

36 Change File Permissions with chmod (continued)
Using the option -R (recursive) and a specified directory
– You can change the access permissions for the directory and all files and subdirectories beneath it
Besides using letters (rwx), you can also represent the permissions in octal, with one number per permission:
– Read: 4
– Write: 2
– Execute: 1

37 Change File Permissions with chmod (continued)
Table 9-3 Examples of the chmod command using number equivalents
Table 9-4 Using numbers instead of letters

38 Change File Ownership with chown and chgrp
The user root can use the chown command to change the user and group affiliation of a file by using the following syntax:
– chown new_user.new_group file
To change the owner, but not the group
– chown new_user file
To change the group, but not the owner
– chown .new_group file

39 Change File Ownership with chown and chgrp (continued)
You can also change the group affiliation of a file with the chgrp command:
– chgrp new_group file
Normal users can use the chown command to allocate a file that they own to a new group:
– chown .new_group file

40 Exercise 9-2: Manage File Permissions and Ownership
In this exercise, you create directories with different permissions

41 Modify Default Access Permissions
By default, files are created with the access mode 666 and directories with 777
To modify (restrict) these default access mode settings, you can use the umask command
– With a three-digit numerical value
– The permissions set in the umask are removed from the default permissions
umask without any parameters shows the current value of the umask, with a leading zero

42 Modify Default Access Permissions (continued)
Table 9-5 Examples of the umask command
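Slides 34 to 42 introduce the symbolic (u/g/o/a with +, - and =) and octal forms of chmod and the way umask subtracts from the defaults 666 and 777. The following POSIX shell functions, added here and not part of the course, compute those results on paper so you can check a chmod or umask before running it against real files; only shell arithmetic is used.

```shell
#!/bin/sh
# Added example (not from the course): work out what chmod and umask do to a mode
# without touching any file.

# Print r, w, x or - for one three-bit permission triplet: rwx VALUE
rwx() {
    for pair in r:4 w:2 x:1; do
        if [ $(( $1 & ${pair#*:} )) -ne 0 ]; then printf '%s' "${pair%:*}"; else printf '%s' -; fi
    done
}

# Render an octal mode the way ls -l shows it: octal_to_rwx 644 -> rw-r--r--
octal_to_rwx() {
    m=$(( 0$1 ))                       # leading 0 forces octal interpretation
    for s in 6 3 0; do rwx $(( (m >> s) & 7 )); done
    printf '\n'
}

# Modes of new files (default 666) and directories (default 777) after a umask
# is applied, i.e. the mask bits are removed: umask_modes 022 -> file=644 dir=755
umask_modes() {
    u=$(( 0$1 ))
    printf 'file=%03o dir=%03o\n' $(( 0666 & ~u )) $(( 0777 & ~u ))
}

# Apply one symbolic chmod expression ([ugoa][+-=][rwx]) to an octal mode:
# chmod_symbolic 644 g+w -> 664, chmod_symbolic 755 go-x -> 744
chmod_symbolic() {
    m=$(( 0$1 )); spec=$2
    who=${spec%%[+=-]*}                # u, g, o, a or a combination such as go
    [ -n "$who" ] || who=a             # chmod treats a missing who as "a"
    rest=${spec#"$who"}
    op=${rest%%[rwx]*}                 # +, - or =
    perms=${rest#"$op"}
    bits=0
    case $perms in *r*) bits=$(( bits | 4 )) ;; esac
    case $perms in *w*) bits=$(( bits | 2 )) ;; esac
    case $perms in *x*) bits=$(( bits | 1 )) ;; esac
    for w in u:6 g:3 o:0; do           # letter and bit offset of each triplet
        case $who in *${w%:*}*|*a*) ;; *) continue ;; esac
        s=${w#*:}
        cur=$(( (m >> s) & 7 ))
        case $op in
            +) new=$(( cur | bits )) ;;
            -) new=$(( cur & ~bits )) ;;
            =) new=$bits ;;
        esac
        m=$(( (m & ~(7 << s)) | (new << s) ))
    done
    printf '%03o\n' "$m"
}

octal_to_rwx 644; umask_modes 022; chmod_symbolic 755 go-x
```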

43 Configure Special File Permissions
Table 9-6 Special file permissions

44 Ensure File System Security
In Linux, file system security is especially important
– Because every resource available on the system is represented as a file
The Basic Rules for User Write Access
– Access permissions can be administered separately for file owners, user groups, and the rest of the world
– As a general rule, a normal user should only have write access in the following directories:
  The home directory of the user
  The /tmp directory (to store temporary files)

45 Ensure File System Security (continued)
The Basic Rules for User Read Access
– No normal user account should be able to read the content of files that store passwords, including:
  /etc/shadow
  /etc/samba/smbpasswd
  Files with Apache passwords
  /etc/openldap/slapd.conf
  /boot/grub/menu.lst
– Some password files can be readable for a nonroot account
  This is normally the account under whose user ID a service daemon is running

46 Objective 4—Perform Tasks as a Different User
Some tasks can only be done from the root user account
– Sometimes root might want to delegate tasks to normal users
This objective covers both scenarios:
– Perform Administrative Tasks as root
– Delegate Administrative Tasks with sudo

47 Perform Administrative Tasks as root
As a system administrator, you are advised to log in as a normal user
– And only switch to root to perform tasks that require root permissions
Start Programs from GNOME as Another User
– You can start any program with a different UID (as long as you know the password) using the program gnomesu
– You can specify a different user than root and also start a program directly with the following syntax:
  gnomesu -u user command

48 Perform Administrative Tasks as root (continued)
Switch to Another User with su
– You can use the su (switch user) command to assume the UID of root or of other users
– su syntax: su [options]... [-] [user [argument...]]
Switch to Another Group with newgrp
– A user can be a member of many different groups
  However, he or she can have only one effective (current) group at any one time
– You can change the effective GID with the command newgrp or sg

49 Delegate Administrative Tasks with sudo
The default configuration of sudo in SLED 10 requires knowledge of the root password
Advantages of using sudo:
– Executed commands are logged to /var/log/messages
– You do not need to retype the password for each command
/etc/sudoers configuration file
– Can be configured so that sudo asks for the user's own password instead of the root password
– Edited with visudo to specify which commands a user can or cannot enter

50 Delegate Administrative Tasks with sudo (continued)
Figure 9-12 Example illustrating the flexibility of sudo

51 Exercise 9-3: Use sudo to Perform Tasks as root
In this exercise, you use sudo to view the /var/log/messages log file as a normal user
First, use visudo as root to change the sudo configuration to allow geeko to use the tail command to view the last lines of /var/log/messages and any new lines added to it
Then, as geeko, view the end of the /var/log/messages log file using sudo
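As an added example that is not part of the course, this is the /etc/sudoers change Exercise 9-3 asks for, entered through visudo so the syntax is checked before the file is saved. It assumes that the shipped SLED 10 sudoers carries the two default lines shown commented out (Defaults targetpw, which makes sudo ask for root's password, and ALL ALL=(ALL) ALL), and that tail is installed at /usr/bin/tail.

```sudoers
# /etc/sudoers fragment (constructed example; edit only with visudo)

# The shipped defaults make sudo ask for root's password and then let any user
# run anything. Disable both so that sudo asks for the invoking user's own
# password and only the explicit rules below apply.
#Defaults targetpw
#ALL ALL=(ALL) ALL

# geeko may follow /var/log/messages as root, and only with these arguments:
# sudo matches the command line literally, so other files or options are refused.
geeko ALL = (root) /usr/bin/tail -f /var/log/messages
```

As geeko, the exercise's final step is then sudo /usr/bin/tail -f /var/log/messages; the command itself and geeko's name are what sudo writes to /var/log/messages, which is the audit trail the slide before the exercise refers to.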

52 Objective 5—Use Encrypted File Systems
With SLED 10, it is possible to encrypt a file system on a partition
– Or to create encrypted home directories based on images that contain an encrypted file system
Both can be set up with YaST:
– Use YaST to Encrypt a Partition
– Create an Encrypted Image as Home Directory for a User

53 Use YaST to Encrypt a Partition
You only need to select the appropriate option when creating the partition in YaST
– Enter a password to unlock the partition when it is mounted
– See Figures 9-13 and 9-14
The minimum password length required is eight characters, but a longer password is advisable

54 Figure 9-13 Create an encrypted partition

55 Figure 9-14 Enter a password for an encrypted partition

56 Use YaST to Encrypt a Partition (continued)
To unlock the partition when the system boots, a prompt appears during the boot process
– The machine boots up even if no password is entered, but the partition is not accessible
To access the partition later, log in as root and enter /etc/init.d/boot.crypto start
– Then enter the password for the partition

57 Create an Encrypted Image as Home Directory for a User
Another approach is offered in YaST as part of the User Management module
– See Figure 9-15
YaST creates a file of the specified size with an encrypted file system inside
– The file system can be mounted as a loop device
The image file is named username.img and located in /home
– The key used to decrypt the image is username.key in /home, and the user's password is used to unlock it

58 Figure 9-15 Create an encrypted image as a home directory for a user

59 Summary
Linux is a multiuser, multitasking, and multithreading operating system
Users use normal user accounts to log in to the system
Each user account is a member of one or more groups
Linux systems store user information in /etc/passwd and password information in /etc/shadow
For system identification, each user account has a UID, and each group account has a GID

60 Summary (continued)
The id command displays your UID, GIDs, and primary GID
The su and gnomesu commands can be used to switch to another user account or run a program as another user account
You can use the useradd, usermod, and userdel commands to add, modify, and remove user accounts on your system
You can change user account passwords, lock user accounts, and control password expiry settings using the passwd command

61 Summary (continued)
YaST can be used to perform all user and group management functions
You can assign read, write, and execute permissions to files and directories
Permissions can be set for the owner of a file (owner), members of the group of the file (group), and everyone else on the system (others) using the chmod command
Encryption can be used as an alternative to file and directory permissions

