Chapter Five Security PDF

The document discusses operating systems and Linux. It covers what an operating system is, its goals and components. It then discusses the differences between Linux and Windows systems and various Linux distributions and user interfaces. It provides an overview of Linux operations including the file system hierarchy and directory structure. It also covers Linux file systems and file/directory permissions.

Uploaded by Shambel Worku

System and Network Administration

(ITec4112)

Chapter Five

Security

Operating System
- What is an Operating System?
  - A program that acts as an intermediary between a user of a computer and the computer hardware.
- What is the purpose of an operating system?
  - To provide an environment in which a user can execute programs.
- What are the goals of an Operating System?
  - The primary goal of an Operating System is to make the computer system convenient to use.
  - The secondary goal is to make the computer system efficient to use.

Components of OS
- Process Management
- Memory Management
- I/O Management
- File System Management
- User Interface

Unix/Linux-like Systems vs Windows Systems
- Linux is an open source operating system, whereas Windows is a commercial operating system, so the user does not have access to its source code.
- In Linux, peripherals like hard drives, CD-ROMs and printers are treated as files, whereas in Windows hard drives, CD-ROMs and printers are treated as devices.
- UNIX is a command-based OS. In contrast, Windows is a menu-based OS.
- Windows is comparatively less efficient than Linux.
- Linux is more secure than Windows OS.

Linux Distributions and UIs
- A Linux distribution is an operating system based on a Linux kernel.
- Components:
  - Kernel
  - Package management
  - Libraries
  - Other software
- A distribution is built around a package management system.

Linux Distros
- Debian (non-commercial; developed by the community)
  - Knoppix
  - Linux Mint
  - Ubuntu
    - Kubuntu
    - Linux Mint
    - Trisquel
    - Elementary OS
- Fedora (community distribution sponsored by Red Hat)
  - Red Hat Enterprise Linux (RHEL)
  - CentOS
  - Oracle Linux
  - Scientific Linux
- Mandriva Linux
- OpenSUSE
- Arch Linux
- Gentoo
- Chrome OS
- Chromium OS
- Slackware

Linux Operations Review
- File system hierarchy
  - When we compare the file systems of Windows and Linux: in Microsoft Windows, files are stored in folders on different data drives like C:, D: and E:.
  - In Linux, files are ordered in a tree structure starting with the root directory.
  - This root directory can be considered the start of the file system, and it further branches out into various other subdirectories.
  - The root is denoted with a forward slash '/'.
  - A general tree file system on your UNIX may look like this.

Linux Operations Review
- Single-rooted hierarchy and extensible file systems
  - Linux uses a single-rooted, inverted-tree-like File System Hierarchy (FHS).
  - / is the top-level directory.
    - It is the parent directory of all other directories.
    - It is called the root directory.
    - It is represented by a forward slash (/).

Linux Operations Review
- Extensible file systems
  - The Linux file system has a hierarchical structure, as it consists of a root directory and its subdirectories.
  - All other directories can be accessed from the root directory.
  - A partition usually has only one file system, but it may have more than one file system.
  - The Linux file system uses a two-part software implementation architecture.

Directory Structure
- Directories help us to store files and locate them when we need them.
- Directories are also called folders.
- Directories can be organized in a tree-like hierarchy in Linux and several other operating systems.
- The directory structure of Linux is well documented and defined in the Linux FHS (Filesystem Hierarchy Standard).

Directory Structure
- The list below gives a very short, standard, well-defined and well-known set of top-level Linux directories and their purposes:
  - / (root filesystem): the top-level filesystem directory. It must include every file needed to boot the Linux system before another filesystem is mounted.
  - /boot: includes the static kernel and bootloader configuration and the executable files needed to start a Linux computer.
  - /bin: includes user executable files.
  - /dev: includes the device file for every hardware device connected to the system.
  - /etc: includes the local system configuration files for the host system.
  - /lib: includes the shared library files that are needed to start the system.
  - /home: home directory storage available for user files.
  - /mnt: a temporary mount point for basic filesystems that can be used while the administrator is working on or repairing a filesystem.

Directory Structure (continued)
- Top-level Linux directories and their purposes:
  - /media: a place for mounting external removable media devices, like USB thumb drives, that might be connected to the host.
  - /opt: contains optional files, like vendor-supplied application programs, that must be placed here.
  - /root: the home directory of the root user. Keep in mind that it is not the '/' (root) file system.
  - /tmp: a temporary directory used by the OS and several programs for storing temporary files.
  - /sbin: system binary files. These are executables used for system administration.
  - /usr: read-only and shareable files, including executable libraries and binaries, man files, and several types of documentation.
  - /var: variable data files are saved here. It can contain things such as MySQL and other database files, log files, email inboxes, web server data files, and so on.

Types of Linux File System
- When we install the Linux operating system, Linux offers many file systems such as Ext, Ext2, Ext3, Ext4, JFS, ReiserFS, XFS, Btrfs, and swap.
- Ext, Ext2, Ext3 and Ext4 file systems
  - Ext stands for Extended File System.
  - Ext2 is the first Linux file system that allows managing two terabytes of data.
  - Ext3 is developed from Ext2; it is an upgraded version of Ext2 and is backward compatible. The major drawback of Ext3 is that it does not support servers.
  - Ext4 is the fastest file system among all the Ext file systems.
  - It is a very compatible option for SSD (solid-state drive) disks, and it is the default file system in Linux distributions.

Types of Linux File System (continued)
- JFS file system
  - JFS stands for Journaled File System, and it was developed by IBM for Unix.
  - It is an alternative to the Ext file system.
  - It can also be used in place of Ext4 where stability is needed with few resources.
  - It is a handy file system when CPU power is limited.
- ReiserFS file system
  - ReiserFS is an alternative to the Ext3 file system.
  - It has improved performance and advanced features.
  - Earlier, ReiserFS was used as the default file system in SUSE Linux, but later SUSE changed some policies and returned to Ext3.
- XFS file system
  - XFS was considered a high-speed JFS, developed for parallel I/O processing.
  - NASA is still using this file system on its high-storage server (a 300+ terabyte server).

Types of Linux File System (continued)
- Btrfs file system
  - Btrfs stands for B-tree file system.
  - It is used for fault tolerance, repair system, fun administration, extensive storage configuration, and more.
  - It is not a good fit for production systems.
- Swap file system
  - The swap file system is used for memory paging in the Linux operating system during system hibernation.
  - A system that never goes into the hibernate state is required to have swap space equal to its RAM size.

Linux File and Directory Permissions
- File ownership is an important component of Linux that provides a secure method for storing files.
- Every file in Unix has the following attributes:
  - Owner permissions: the owner's permissions determine what actions the owner of the file can perform on the file.
  - Group permissions: the group's permissions determine what actions a user who is a member of the group that a file belongs to can perform on the file.
  - Other (world) permissions: the permissions for others indicate what actions all other users can perform on the file.
- The letters rwx represent different permission levels:

  Permission   Files                  Directories
  r            can read the file      can ls the directory
  w            can write the file     can modify the directory's contents
  x            can execute the file   can cd to the directory

Linux File and Directory Permissions
- For example, if you enter:
    ls -l
- You should see output similar to the following:
    -rw-r--r-- 1 user1 group1   62 Jan 15 16:10 myfile.txt
    drwxr-xr-x 2 user1 group1 2048 Jan 15 17:10 Example
- The first character in each line indicates whether the listed object is a file or a directory. Directories are indicated by a (d); the absence of a d at the beginning of the first line indicates that myfile.txt is a regular file.

Linux File and Directory Permissions
- Note the multiple instances of r, w, and x.
- These are grouped into three sets that represent different levels of ownership:
  - Owner or user permissions: after the directory (d) slot, in -rw-r--r-- the owner permissions are rw-, indicating that the owner can read and write the file but cannot execute it as a program.
  - In the example drwxr-xr-x, the owner permissions are rwx, indicating that the owner can view, modify, and enter the directory.
  - Group permissions: the second rwx set indicates the group permissions. In the fourth column of the example above, group1 is the group name. In the example -rw-r--r--, group members can only read the file.
  - In the example drwxr-xr-x, group members can view as well as enter the directory.
  - Other permissions: the final rwx set is for "other" (sometimes referred to as "world"). This is anyone outside the group. In both examples above, these are set to the same permissions as the group.

File and Directory Permissions
- File permissions for (-rw-rw-r--):

  Position   Characters   Ownership
  1          -            denotes the file type
  2-4        rw-          permissions for the user
  5-7        rw-          permissions for the group
  8-10       r--          permissions for other

User and Group Accounts
- User account
  - Users are identified by user accounts.
  - Every user account is identified by a user ID (UID).
  - The kernel uses the UID rather than the username.
  - Users also belong to groups.
  - GIDs identify groups.
  - By default, every Unix user belongs to a group which has the same name as the user.
  - Initially this user is the only member of the group.
  - E.g. username: john, group name: john
  - Other members could also join this group, and the user john could also join other groups.

User and Group Accounts
- User accounts
  - User
    - Name
    - UID
    - Group (GID)
  - Account information is stored in:
    - Password file
    - Shadow file
- Password file
  - /etc/passwd
  - This file contains the user account information for your system.
  - Ordinary ASCII text file
  - Master list of information about users
  - Password information is not stored here
  - Entry format:
    Username:Password:UID:GID:User-Info:Home_Directory:Default_Shell

User and Group Accounts
- User accounts (continued)
  - Username: the Username field simply identifies the username the user will supply when logging in to the system.
  - Password: this is a legacy field. At one time, the user's password was stored in encrypted form in this field in the passwd file.
    - However, for security reasons, the password has been moved from /etc/passwd to /etc/shadow.
  - UID: this is the user ID for the user account.
  - GID: this field references the group ID number of the user's default group.
  - User-Info/Full_Name: this field contains the user's full name.
  - Home_Directory: this field contains the path to the user's home directory.
  - Default_Shell: this field specifies the shell that will be used by default.

User and Group Accounts (continued)
- Password file (continued)
  - User name: alebachew
    - Public
    - Usually limited to 8 characters
  - x
    - Holds the user's encoded password only in the absence of a shadow password file
  - UID
    - User identification number: 1000
    - Administrative (root): 0
    - Regular: > 500
    - Service: 1 to 500
  - GID: 1000
    - The user's primary group membership
    - Determines group ownership of files

User and Group Accounts (continued)
- Password file (continued)
  - User information: alebachew
    - Contains information such as the user's full name
    - Contains up to 5 items that are separated by commas
  - Home directory
    - Initial working directory
  - Login shell
    - The program used as the command interpreter for the user
    - Valid shells are listed in /etc/shells

User and Group Accounts (continued)
- Shadow password file
  - Stored in /etc/shadow
  - Stores encrypted passwords
  - Can be accessed only by the superuser
  - Editing by hand is not recommended
  - Entry format:
    Username:Encoded-password:Last_Modified:Min_Days:Max_Days:Days_Warn:Disabled_Days:Expire:flag
  - Username: this is the user's login name from /etc/passwd.
  - Password: this is the user's password in encrypted format.
  - Last_Modified
    - Stores the date of the last password change
    - Expressed as the number of days since Jan 1, 1970
    - 0 forces a password change on next login

User and Group Accounts (continued)
- Shadow password file (continued)
  - Minlife (Min_Days)
    - Prevents a user from changing back to the old password
    - Specifies the minimum number of days required before a password can be changed
    - 0 disables this feature
  - Maxlife (Max_Days)
    - Specifies the maximum number of days that the user is allowed to keep the same password
    - It is set to a high value (99999 days) to disable this feature
    - Effectively, this means a password change isn't required
  - Days_Warn
    - This field gives the number of days prior to password expiration that the user will be warned of the pending expiration
    - Leave blank to disable

User and Group Accounts (continued)
- Shadow password file (continued)
  - Inactive/Disabled_Days
    - This field gives the number of days to wait after a password has expired before disabling the account
    - Days after the password expires that the account will be automatically disabled
    - Set to -1 to disable
  - Expire
    - Date on which the account expires and will be automatically disabled
    - It is set to a null value to indicate that the account never expires

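To see how the /etc/passwd and /etc/shadow fields described above are used in practice, here is an added example (not part of the lecture slides) that audits constructed records: it reports extra UID 0 accounts, empty password fields and accounts parked on /bin/false, and classifies a password against Last_Modified, Max_Days, Days_Warn, Disabled_Days and Expire. The records and hash strings are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added audit example (not from the slides). It parses constructed /etc/passwd
# and /etc/shadow style records, flags accounts worth a second look, and
# classifies a password against the shadow aging fields described above.
# Assumes POSIX sh and awk; hashes below are placeholders, not real hashes.

# Constructed records. Fields follow the slides:
# passwd: name:x:UID:GID:info:home:shell
# shadow: name:hash:last:min:max:warn:inactive:expire:flag
PASSWD='root:x:0:0:root:/root:/bin/bash
alebachew:x:1000:1000:Alebachew T,,,:/home/alebachew:/bin/bash
tesfaye:x:1002:100:Tesfaye B,,,:/home/tesfaye:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sysop:x:0:0:second root:/root:/bin/bash
olduser:x:1003:1003:Old User:/home/olduser:/bin/false'

SHADOW='root:$6$salt$HASHPLACEHOLDER:19600:0:99999:7:::
alebachew:$6$salt$HASHPLACEHOLDER:19500:1:60:7:::
tesfaye:$6$salt$HASHPLACEHOLDER:19000:0:90:7:14::
backup:*:19000:0:99999:7:::
sysop::19600:0:99999:7:::
olduser:!$6$salt$HASHPLACEHOLDER:19000:0:90:7:14::'

# extra_uid0 "$PASSWD": every account other than root that has UID 0, since
# the kernel grants root privilege by UID, not by the name "root".
extra_uid0() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# empty_passwords "$SHADOW": accounts whose hash field is empty, which on
# many systems means login with no password at all.
empty_passwords() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# disabled_shell "$PASSWD": accounts whose login shell is /bin/false, the
# "disable access" shell mentioned in the slides.
disabled_shell() {
  printf '%s\n' "$1" | awk -F: '$7 == "/bin/false" { print $1 }'
}

# password_status USER TODAY "$SHADOW" -> one word describing the password
# state on day TODAY (days since 1 Jan 1970, like the shadow fields).
password_status() {
  printf '%s\n' "$3" | awk -F: -v u="$1" -v today="$2" '
    $1 == u {
      hash = $2; last = $3 + 0; max = $5; warn = $6; inact = $7; expd = $8
      if (hash == "")                      { print "empty";           exit }
      if (hash ~ /^[!*]/)                  { print "locked";          exit }
      if (expd != "" && today > expd + 0)  { print "account-expired"; exit }
      if (last == 0)                       { print "change-required"; exit }
      if (max == "" || max + 0 >= 99999)   { print "never-expires";   exit }
      age = today - last
      if (age > max + 0) {
        # past max: disabled once the inactive grace period is also over
        if (inact != "" && age > max + inact) { print "disabled"; exit }
        print "expired"; exit
      }
      if (warn != "" && age >= max - warn) { print "warning"; exit }
      print "ok"; exit
    }'
}
```

On a real host the same functions work on the output of `cat /etc/passwd` and (as root) `cat /etc/shadow`, with TODAY computed as the current epoch seconds divided by 86400.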
User and Group Accounts (continued)
- Group account
  - Enables users to share files and system resources
  - Could be defined based on
    - The need to share files
    - The need to protect files from unwanted access
  - May involve combining several organizational units into one group or splitting a single OU into several distinct groups
- Group file
  - Groups are defined in the /etc/group file.
  - Users can be members of multiple groups
    - Primary group
    - Other groups

User and Group Accounts (continued)
- Entry in /etc/group
  - Each record is composed of the following four fields:
    Group-name:Password:GID:Users
  - Group-name
    - Specifies the name of the group
    - Usually limited to 8 characters
  - Password (*)
    - Specifies the group password
    - Passwords are no longer stored here
  - GID
    - Specifies the group ID (GID) number of the group
  - Users
    - Lists the user names of the members of the group
    - Names are separated by commas
    - No spaces should appear within the list
    - Most Unix systems impose a limit of 16 (sometimes 32) group memberships per user

User and Group Accounts (continued)
- Group shadow file
  - As with /etc/shadow, each line in /etc/gshadow represents a record for a single group.
  - Each record is composed of the following fields:
    Group_Name:Encoded-Password:Group_Admins:Group_Members
  - Encoded-Password (*)
    - Could also be empty, * or !
    - Passwords are no longer stored here
  - Group-admins
    - List of users who are allowed to administer the group
    - They can change the group password and modify memberships
    - Not necessarily members of the group
    - Comma-separated list, no spaces
  - Group-Members/Additional-Users
    - Copy of the additional group members list from /etc/group
    - Used by newgrp
    - Comma-separated list, no spaces
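Because /etc/group lists only the supplementary members while a user's primary group is recorded in the GID field of /etc/passwd, answering "which groups is this user in?" or "who is in this group?" needs both files. The script below is an added example, not from the slides; the records are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the slides): resolve group membership from
# constructed /etc/passwd and /etc/group style records. A user's primary
# group lives only in the passwd GID field; /etc/group lists just the
# supplementary members, so both files are needed for a complete answer.
# Assumes POSIX sh, awk, tr, sed and wc.

# Constructed passwd records: name:x:UID:GID:info:home:shell
PASSWD='root:x:0:0:root:/root:/bin/bash
alebachew:x:1000:1000:Alebachew T,,,:/home/alebachew:/bin/bash
tesfaye:x:1002:100:Tesfaye B,,,:/home/tesfaye:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Constructed group records: name:password:GID:member,member,...
GROUP='root:x:0:
users:x:100:alebachew,tesfaye
sudo:x:27:alebachew
student:x:1001:tesfaye
alebachew:x:1000:
tesfaye:x:1002:
backup:x:34:'

# groups_of USER "$PASSWD" "$GROUP" -> primary group first, then every
# group whose member list names the user (like the groups(1) command).
groups_of() {
  gid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4 }')
  printf '%s\n' "$3" | awk -F: -v u="$1" -v gid="$gid" '
    $3 == gid { primary = $1; next }
    {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1
    }
    END { print primary supp }'
}

# group_count USER "$PASSWD" "$GROUP" -> number of groups, for checking the
# per-user membership limit (16, sometimes 32) mentioned in the slides.
group_count() {
  groups_of "$1" "$2" "$3" | wc -w | tr -d ' '
}

# members_of GROUP "$PASSWD" "$GROUP" -> users whose primary GID is this
# group, followed by the supplementary members, duplicates removed.
members_of() {
  gid=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g { print $3 }')
  supp=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g { print $4 }')
  {
    printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    printf '%s\n' "$supp" | tr ',' '\n'
  } | awk 'NF && !seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}
```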


User and Group Accounts (continued)
- Defining a user account
  - Decide on
    - Username
    - UID
    - Primary group
    - Home directory location
    - Login shell
      - Default is /bin/bash
      - $ chsh -s shellPath username
      - $ sudo chsh -s {shell-name-here} {user-name-here}
      - $ chsh -s /bin/bash
      - $ chsh -s /bin/bash Abraham
      - /bin/false disables access to an account

User and Group Accounts (continued)
- Defining a password
  - $ passwd userName
  - Traditionally 8 characters
  - Linux allows more
- Creating the home directory
  - Set permissions and ownership
  - Example:
    mkdir /home/abraham
    chown abraham. /home/abraham
    chmod 755 /home/abraham

Creating and Managing User Accounts
- There are two approaches to creating user accounts and groups.
  - There is a GUI tool, the User Manager, and
  - there are command line programs.
- Defining user accounts
  - Using utilities
    - useradd
    - passwd
    - usermod
    - userdel
  - useradd is the command used to create a new user for the Linux system.
    Syntax: useradd options username
    Example (1): useradd amanuel
    - The amanuel account is created using the default parameters contained in the configuration file /etc/default/useradd.
    Example (2): useradd -e 2023-05-30 amanuel

- Options
  -c Includes the user's full name.
  -e Specifies the date when the user account will be disabled. Format the date as yyyy-mm-dd.
  -f Specifies the number of days after password expiration before the account is disabled. Use a value of -1 to disable this functionality, e.g., useradd -f -1 amanuel.
  -g Specifies the user's default group.
  -G Specifies additional groups that the user is to be made a member of.
  -M Specifies that the user account be created without a home directory.
  -m Specifies the user's home directory.
  -p Specifies the user's password.

- Using passwd
  - The passwd utility is used to change an existing user's password.
  - You can find out the status of a user's password using the -S option with passwd.
    Syntax: passwd username
    Example: passwd -S amanuel

- Using usermod
  - From time to time, you will need to modify an existing user account. The syntax for usermod is very similar to that used by useradd.
    Syntax: usermod options username
  - Options
    -c Edits the user's full name.
    -e Sets the date when the user account will be disabled. Format the date as yyyy-mm-dd.
    -f Sets the number of days after password expiration before the account is disabled. Use a value of -1 to disable this functionality.
    -g Sets the user's default group.
    -G Specifies additional groups that the user is to be made a member of.
    -l Changes the username.
    -L Locks the user's account. This option invalidates the user's password.
    -m Sets the user's home directory.
    -p Sets the user's password.
    -s Specifies the default shell for the user.
    -u Sets the UID for the user.
    -U Unlocks a user's account that has been locked.

- Using userdel
  - The userdel command is used to delete user accounts.
  - This can, but does not have to, delete the associated files (the user's home directory, temporary files, and mail file).
    Syntax: userdel username
    Example: userdel Amanuel
  - If you do want to remove the home directory when you delete the user, you need to use the -r option on the command line.
  - Example: userdel -r Amanuel will remove the account and delete his home directory.

Managing Groups
- Using utilities
  - groupadd
  - groupmod
  - groupdel
- groupadd
  - Syntax: groupadd options groupname
  - Example: groupadd -r student
  - Options:
    -g Specifies a GID for the new group.
    -p Specifies a password for the group.
    -r Specifies that the group being created is a system group.

Managing Groups
- Using groupmod
  - To modify a group, including adding users to the group membership, you use the groupmod utility.
  - Syntax: groupmod options group
  - Options:
    -g Changes the group's GID number.
    -p Changes the group's password.
    -A Adds a user account to the group.
    -R Removes a user account from the group.
  - If we wanted to add "Alex" to the group, we would enter groupmod -A "Alex" student at the shell prompt.

Managing Groups
- Using groupdel
  - There are no options; instead it is simply
    groupdel groupname
  - The group is deleted from the /etc/group and /etc/gshadow files, and the group is removed from any user's list of groups as stored in /etc/passwd.
    Example: groupdel student

Password Aging
- Allows you to specify a time period during which a password is valid
- Has the benefit of ensuring that
  - passwords are changed regularly
  - a password that is stolen, cracked, or known by a former employee will have a time-limited value
- A password age between 30 and 60 days is recommended
- Two ways of handling password aging
  - chage
    - chage is a command-line tool that allows the system administrator to change a user's password expiration dates
    - Syntax: chage [options] username
    - Example: $ sudo chage -M 30 Amanuel  # after 30 days the user's password will expire

Password Aging (continued)
- Using /etc/login.defs
  - Set defaults for all users in this file

Disabling a User Account
- Lock the account
  - # passwd -l username
  - Locks the user from logging into the host using his/her password
- Change the login shell to /bin/false
Restoring an Account
- Unlock the user account
  - # passwd -u username
- Restore the login shell

Deleting a User Account
- Manually
  - Remove the home directory
  - Change file ownership
  - Remove the account entry from the password and shadow files
  - Take a backup
  - Change all other passwords the user knows
  - Not recommended
- userdel
  - Deletes a user account permanently
  - By default it does not delete the user's home directory
  - Using the -r option forces Linux to delete the user's home directory

Managing File and Folder Permissions
- Managing ownership
- Managing permissions

What Are Permissions
- Permissions are a mechanism to support operating system protection.
- Protection ensures that users do not misuse system resources (CPU, memory, network, partitions, directories and files).
- Permissions specify who can access a file or directory and the types of access.
- In Linux, permissions are controlled at three levels:
  1. Owner (called user, or 'u' for short)
  2. Group ('g' for short)
  3. The rest of the world (called other, or 'o' for short)
- Each level of access provides:
  - Read: for a file, it can be viewed or copied. For a directory, the directory's contents can be viewed by ls.
  - Write: for a file, it can be overwritten (e.g., using save as). For a directory, files can be written there.
  - Execute: for a file, it can be executed (this is necessary for executable programs and shell scripts). For a directory, a user can cd into it.
- Note: to delete a file, you must have write access to the directory that contains it.

Typical File Permissions
- In the long listing (ls -l), the first 10 characters of a line are a combination of letters and hyphens.
Managing Permissions with chmod
- chmod entity=permissions filename

File Permissions
- On a Linux system, each file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else.
- Rights can be assigned to read a file, to write a file, and to execute a file.
- To see the permission settings for a file, we can use the ls -l command.
- Example: we will look at the file1.txt permissions:
    $ ls -l file1.txt
    -rwxr-xr-x 1 root root 316848 Mar 27 2023 file1.txt
- Here we can see:
  - The file "file1.txt" is owned by user "root"
  - The super user has the right to read, write, and execute this file
  - The file is owned by the group "root"
  - Members of the group "root" can also read and execute this file
  - Everybody else can read and execute this file

Altering Permissions
- To change a file's permissions, the command is chmod. The command's syntax is
    chmod permissions file(s)
  where permissions can be specified using one of three different approaches:
  1. Describe the changes to be applied as a combination of u, g, o along with r, w, x. To add a permission, use + and to remove a permission, use -.
     - Example: file1.txt is currently readable and writable by u and g and readable by o.
     - To remove write permission for the group and read permission for other, the command would be:
         chmod g-w,o-r file1.txt

Altering Permissions (continued)
  2. Using an = assigns new permissions outright rather than changing the existing permissions.
     - Example: to make file1.txt readable, writable, and executable by the user, readable by the group, and inaccessible to the world, this could be done with:
         chmod u=rwx,g=r,o= file1.txt
     - You can combine =, +, and - as in:
         chmod u=rwx,g-w+x,o-r file1.txt

Altering Permissions (continued)
  3. Using a 3-digit number. Each digit is the sum of the access rights granted to that party (user, group, other), where readable is 4, writable is 2, and executable is 1.
     - Read, write and execute would be 4 + 2 + 1 = 7.
     - Read and execute would be 4 + 1 = 5.
     - No access at all would be 0.
     - Example: we want file1.txt to have read, write, and execute access for the owner, read and execute access for the group, and no access for the world. The command would be:
         chmod 750 file1.txt
3-Digit Permissions:
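The position table for the mode string (characters 2-10) and the 3-digit arithmetic above can be combined into a small script that converts between the two forms and scans a listing for entries anyone can modify. The block below is an added example, not code from the lecture slides; the listing it reads is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lecture slides): convert the 9-character rwx
# block of an ls -l line to its 3-digit octal mode and back, then scan a
# constructed listing for entries that are writable by "other".
# Assumes POSIX sh, awk and cut.

# Constructed ls -l output used as input; names, sizes and dates are made up.
LISTING='-rw-r--r-- 1 user1 group1   62 Jan 15 16:10 myfile.txt
drwxr-xr-x 2 user1 group1 2048 Jan 15 17:10 Example
-rwxrwxrwx 1 user1 group1  510 Jan 16 09:00 deploy.sh
-rw-rw-r-- 1 user1 group1   12 Jan 16 09:05 notes.txt'

# rwx_to_octal rwxr-xr-x -> 755
# Each triple (user, group, other) is summed with r=4, w=2, x=1.
rwx_to_octal() {
  printf '%s\n' "$1" | awk '{
    out = ""
    for (t = 0; t < 3; t++) {
      v = 0
      if (substr($0, t * 3 + 1, 1) == "r") v += 4
      if (substr($0, t * 3 + 2, 1) == "w") v += 2
      if (substr($0, t * 3 + 3, 1) == "x") v += 1
      out = out v
    }
    print out
  }'
}

# octal_to_rwx 750 -> rwxr-x---
# Each digit is decomposed back into its r, w and x bits.
octal_to_rwx() {
  printf '%s\n' "$1" | awk '{
    out = ""
    for (t = 1; t <= 3; t++) {
      d = substr($0, t, 1) + 0
      out = out (d >= 4 ? "r" : "-"); d = d % 4
      out = out (d >= 2 ? "w" : "-"); d = d % 2
      out = out (d >= 1 ? "x" : "-")
    }
    print out
  }'
}

# mode_of_line '<one ls -l line>' -> octal mode of that entry
# Characters 2-10 are the permission triples; character 1 is the type.
mode_of_line() {
  rwx_to_octal "$(printf '%s\n' "$1" | cut -c2-10)"
}

# world_writable "$LISTING" -> names of entries whose "other" triple has w
# (character 9 of the mode field), the usual first thing to look for in an
# audit since any local account can modify such files.
world_writable() {
  printf '%s\n' "$1" | awk 'substr($1, 9, 1) == "w" { print $NF }'
}
```

On a real system, `world_writable "$(ls -l /some/dir)"` runs the same check over a live directory.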
How Ownership Works
- Any time a user creates a new file or directory, his or her user account is assigned as that file or directory's "owner".
- Example: suppose amanuel is a user who logs in to his Linux system and creates a file named file1.txt in his home directory.
- Because he created this file, ownership of file1.txt is automatically assigned to "amanuel".
- You can also view file ownership from the command line using: ls -l

Managing Ownership
- You can specify a different user and/or group as the owner of a given file or directory.
- To change the user who owns a file, you must be logged in as root.
- To change the group that owns a file, you must be logged in as root or as the user who currently owns the file.
- Using chown
- Using chgrp

Using chown
- The chown utility can be used to change the user or group that owns a file or directory.
- Syntax: chown user.group file or directory
- Example: if I wanted to change the file's owner to the alice user, I would enter
    chown alice /tmp/myfile.txt
- If I wanted to change the group to the users group, I would enter
    chown .users /tmp/myfile.txt
- Notice that I used a period (.) before the group name to tell chown that the entity specified is a group, not a user account.
- Example: chown student.users /tmp/myfile.txt
- Note: you can use the -R option with chown to change ownership on many files at once, recursively.

Using chgrp
- In addition to chown, you can also use chgrp to change the group that owns a file or directory.
- Syntax: chgrp group file (or directory)
- For example:
    chgrp student /tmp/newfile.txt
THANK YOU!!
