Part 1-Linux-Chapter 3-User Management and Access Permission
Content
• User management
• Configuration files for user account and groups
• Root users
• User management utilities
• Group management utilities
• Access Permission
• Introduction
• Directories and File Permission
• Changing Permission
• User Masks
• Special Permissions
User management
Configuration files for user accounts and groups
• User account and group information is stored in the following files:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
/etc/passwd
Username:password:UID:GID:Info:Home:Shell
• Username: Used when the user logs in. It should be between 1 and 32 characters in length.
• Password: An x character indicates that the encrypted password is stored in the /etc/shadow file.
• User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are further reserved by the system for administrative and system accounts/groups.
• Group ID (GID): The primary group ID (stored in the /etc/group file).
• User ID Info: The comment field. It allows you to add extra information about the user, such as full name, phone number etc. This field is used by the finger command.
• Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's directory becomes /.
• Shell: The absolute path of a command or shell (e.g. /bin/bash). Typically this is a shell, but note that it does not have to be one.
$ grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
/etc/shadow
Username:Password:Last_pwd_change:Minimum:Maximum:Warn:Inactive:Expire
• Username: Your login name
• Password: Your encrypted password. The password should be a minimum of 6-8 characters long, including special characters/digits
• Last password change: Number of days since Jan 1, 1970 that the password was last changed
• Minimum: The minimum number of days required between password changes, i.e. the number of days that must pass before the user is allowed to change his/her password again
• Maximum: The maximum number of days the password is valid (after that the user is forced to change his/her password)
• Warn: The number of days before the password expires that the user is warned that his/her password must be changed
• Inactive: The number of days after the password expires that the account is disabled
• Expire: Days since Jan 1, 1970 after which the account is disabled, i.e. an absolute date specifying when the login may no longer be used
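The field layouts of /etc/passwd and /etc/shadow described above are what an administrator audits when checking account hygiene. The following shell script is an added example, not part of the lecture slides: it runs three checks over constructed sample records (a second UID 0 entry, an empty password field, and a password older than its maximum age). The sample data and the function names are this example's own; the hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the lecture slides): audit checks over /etc/passwd
# and /etc/shadow records using the field layouts described above.
# The sample records are constructed for this example, not taken from a
# real system; the password hashes are placeholders.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
toor:x:0:0:second UID 0 account (constructed):/root:/bin/bash
henry:x:1001:1001:Henry Blake:/home/henry:/bin/bash
bill:x:321:152::/home/bill:/bin/bash'

# Fields: name:password:last_change:min:max:warn:inactive:expire
SAMPLE_SHADOW='root:$6$PLACEHOLDER$HASH:19700:0:99999:7:::
henry:$6$PLACEHOLDER$HASH:19700:0:99999:7:::
bill::19700:0:99999:7:::
hotlips:$6$PLACEHOLDER$HASH:19600:0:90:7:5:19800:'

# Print every account with UID 0 other than root. Only root should hold
# UID 0; any other entry is a second superuser account worth investigating.
extra_uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print accounts whose /etc/shadow password field is empty, i.e. accounts
# with no password set at all (distinct from "x", "!" or "*").
empty_password_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print accounts whose password has outlived its maximum age.
# $2 is "today" as days since 1 Jan 1970, the same unit as the last_change
# field, so the check is reproducible without reading the clock.
expired_password_accounts() {
  printf '%s\n' "$1" | awk -F: -v today="$2" '
    $3 != "" && $5 != "" && $5 != 99999 && ($3 + $5) < today { print $1 }'
}

# Current day number for use against a live system: days since the epoch.
today_days() {
  echo $(( $(date +%s) / 86400 ))
}

extra_uid0_accounts "$SAMPLE_PASSWD"               # toor
empty_password_accounts "$SAMPLE_SHADOW"           # bill
expired_password_accounts "$SAMPLE_SHADOW" 19700   # hotlips
```

On a real system the same functions take the file contents, for example `extra_uid0_accounts "$(cat /etc/passwd)"` and `expired_password_accounts "$(cat /etc/shadow)" "$(today_days)"` run as root, since /etc/shadow is not world-readable.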
/etc/group
Group_name:Password:Group_ID(GID):Group_list
• Group name: The name of the group. If you run the ls -l command, you will see this name printed in the group field.
• Password: Generally a group password is not used, hence the field is empty/blank. It can store an encrypted password, which is useful to implement privileged groups. An x means the password is stored in /etc/gshadow.
• Group ID (GID): Each user must be assigned a group ID. You can see this number in your /etc/passwd file.
• Group list: A list of the user names of users who are members of the group. The user names must be separated by commas.
/etc/gshadow
Group_name:Encrypted_password:Group_admin:Group_members
Root
• The superuser is a privileged account with unrestricted access to all files and commands
• The username of the superuser is “root”
• Root has a user ID of 0
• There are two ways to become the superuser
• Log in as root directly
• Execute the su command to switch to the privileged account
% su
Sudo command
• The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to run due to file permission restrictions
• Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root
• The /etc/sudoers file contains all the configuration and permission parameters needed for sudo to work
/etc/sudoers Examples
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
• root and users in group wheel can run anything on any machine as any user
srk,rp ALL = NOPASSWD: ALL
• Users srk and rp can run anything on any machine without a password
peter, %operator ALL= /sbin/, /usr/sbin, /usr/local/apps/check.pl
• User peter and all members of the group operator can run all the program files in the /sbin and /usr/sbin directories, plus the command /usr/local/apps/check.pl
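Because %group entries in /etc/sudoers are resolved through /etc/group, the set of people who can actually run commands as root is wider than the names written in the rules. The script below is an added example, not from the lecture slides: it takes the four sudoers rules shown above together with a constructed /etc/group file and prints every user reached by any rule, and separately those reached by NOPASSWD rules. It parses only the simple "user_list ALL = ..." form used on this slide; aliases, host lists other than ALL and primary-group membership from /etc/passwd are deliberately left out, and the group file contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the lecture slides): list which users a set of
# /etc/sudoers rules reaches, expanding %group entries through /etc/group.
# The sudoers lines are the ones on the slide; the group file is constructed
# for this example. Only the "user_list ALL = ..." form is handled: no
# User_Alias, no host lists other than ALL, and no primary-group membership
# taken from /etc/passwd.

SAMPLE_SUDOERS='root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
srk,rp ALL = NOPASSWD: ALL
peter, %operator ALL= /sbin/, /usr/sbin, /usr/local/apps/check.pl'

SAMPLE_GROUP='root:x:0:
wheel:x:10:srk,peter
operator:x:11:rp,peter
students:x:1001:'

# sudo_principals SUDOERS GROUPFILE [nopasswd]
# Prints, sorted and de-duplicated on one line, every user named directly
# or via a %group in the rules. With a third argument only NOPASSWD rules
# are considered.
sudo_principals() {
  printf '%s\n' "$1" | awk -v groups="$2" -v only_nopasswd="${3:-}" '
    BEGIN {
      # Build group name -> member list (field 4) from the /etc/group text.
      n = split(groups, glines, "\n")
      for (i = 1; i <= n; i++) {
        split(glines[i], f, ":")
        if (f[1] != "") members[f[1]] = f[4]
      }
    }
    /^[ \t]*(#|$)/ { next }                              # comments, blanks
    only_nopasswd != "" && index($0, "NOPASSWD") == 0 { next }
    {
      # The user list is everything before the host list, which is
      # " ALL" in every rule on the slide.
      idx = index($0, " ALL")
      if (idx == 0) next
      spec = substr($0, 1, idx - 1)
      gsub(/[ \t]/, "", spec)
      m = split(spec, users, ",")
      for (j = 1; j <= m; j++) {
        u = users[j]
        if (substr(u, 1, 1) == "%") {
          # %group: emit each listed member of that group
          k = split(members[substr(u, 2)], gm, ",")
          for (l = 1; l <= k; l++) if (gm[l] != "") print gm[l]
        } else if (u != "") {
          print u
        }
      }
    }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "all sudo users:     $(sudo_principals "$SAMPLE_SUDOERS" "$SAMPLE_GROUP")"
echo "passwordless rules: $(sudo_principals "$SAMPLE_SUDOERS" "$SAMPLE_GROUP" nopasswd)"
```

With the sample group file, peter appears through three different routes (directly, via %wheel and via %operator), which is exactly the kind of overlap that is easy to miss when reading the rules one at a time.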
User management utilities
• useradd/mod/del
• passwd
• groupadd/mod/del
• gpasswd
• sg/newgrp
• su
• users/groups
• id
Managing Users
• utility to manage users
• adding users: #useradd or #adduser
• modifying user details: #usermod
• Managing passwords: #passwd
• deleting users: #userdel
Adding Users
• Do not edit /etc/passwd manually
• The useradd utility creates the required records in the /etc/passwd and /etc/shadow files
• Useful options to useradd to override defaults:
-u uid specify new user id (default: next available number)
-g group specify default group (default other, GID=1)
-c comment description of user (default blank)
-d dir home directory
-m make home directory (recommended; otherwise /home/username is not created)
-s shell specify login program
# useradd -m henry
# useradd -u 321 -g 152 -m -s /bin/bash bill
Modifying user
• Utility usermod
• usermod uses the same basic set of options that are used with useradd
• If you modify the UID, use the -U option as well to change the UID of files belonging to the user
# usermod -g users -c "Henry Blake" henry
# usermod -U -u 321 -s /bin/bash bill
Setting Passwords
• New user accounts must have an initial password
• If a new user is added with the useradd command, the passwd command is needed to set it
Account Security
• Use preset expiry dates for temporary employees
• very useful for contract staff
# usermod -e 12/24/05 hotlips
• Use inactivity counts to lock unused accounts
• perhaps the user has left the company and no one told you
# usermod -f 5 hotlips
Removing User Account
• Delete a user account only when his/her data is safe
• Use the userdel utility (SVR4) or rmuser (AIX)
• Without any options userdel will leave all files owned by that user untouched and open to misuse.
• The -r option with userdel will remove the user's files, but only those in the home directory (including the home directory itself)
# userdel -r henry
Managing Groups
• utility to manage groups
• Adding group: groupadd
• Modifying group: groupmod
• Deleting group: groupdel
• gpasswd
• sg/newgrp
• users/groups
Adding group
• Add Linux groups
#groupadd students
#groupadd staff
#groupadd teachers
# groupadd -g 151 swamp
# groupadd -g 152 barracks
• Add the Linux users and assign them to their respective groups
#useradd -g teachers rp
#useradd -g staff srk
Access Permission
Introduction
The system determines whether a user or group can access a file based on the permissions assigned to them.
Linux assigns different permissions to 3 categories of user: owner, group and other users (others)
• owner - The user who creates the file
• group - The members of the group that owns the file (the primary group of the owner)
• others - All other users with access to the system.
• Types of files
• Directories
• Other files
Access Types
Checking permissions
• To check the permissions of an existing file or an existing directory, use the command: ls -l
• Example:
ux% ls -l unix
total 387
drwxr--r-- 1 z036473 student 862 Feb 7 19:22 unixgrades
-rw-r--r-- 1 z036473 student 0 Jun 24 2003 uv.nawk
-rw-r--r-- 1 z036473 student 0 Jun 24 2003 wx.nawk
-rw-r--r-- 1 z036473 student 0 Jun 24 2003 yz.nawk
Changing permissions
Changing Permissions: Symbolic Mode
Changing Permissions: Symbolic Mode
Answer:
chmod ug=rwx,o=rx sort.c
chmod ugo+rx,g+w sort.c
Changing Permissions: Octal Mode
Figure 4-10
User Mask
umask   Directory (default 777)   File (default 666)
000     777 (rwx rwx rwx)         666 (rw- rw- rw-)
111     666 (rw- rw- rw-)         666 (rw- rw- rw-)
222     555 (r-x r-x r-x)         444 (r-- r-- r--)
333     444 (r-- r-- r--)         444 (r-- r-- r--)
444     333 (-wx -wx -wx)         222 (-w- -w- -w-)
555     222 (-w- -w- -w-)         222 (-w- -w- -w-)
666     111 (--x --x --x)         000 (--- --- ---)
777     000 (--- --- ---)         000 (--- --- ---)
The command: umask
% umask 000
For regular files: rw-rw-rw- 666
For directories: rwxrwxrwx 777
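The table and the umask command above both follow one rule: the kernel starts from 666 for a regular file or 777 for a directory and clears every bit that is set in the mask. The script below is an added example, not from the lecture slides; it computes that result for any mask, renders octal modes as the rwx string ls -l would print, and regenerates the table rows (plus the common 022) so the arithmetic can be checked against the slide. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lecture slides): compute the permission a
# umask leaves on a newly created file (base 666) or directory (base 777),
# and render an octal mode as the rwx string printed by ls -l.

# umask_apply MASK file|dir  -> three-digit octal result
umask_apply() {
  case $2 in
    file) base=0666 ;;
    dir)  base=0777 ;;
    *)    echo "usage: umask_apply MASK file|dir" >&2; return 1 ;;
  esac
  # A leading 0 makes the shell read the mask as octal. The kernel clears
  # every bit set in the mask: mode = base AND NOT mask.
  printf '%03o\n' $(( base & ~0$1 ))
}

# mode_symbolic OCTAL -> rwx string, one triple per octal digit
mode_symbolic() {
  out=""
  for d in $(printf '%s\n' "$1" | sed 's/./& /g'); do
    case $d in
      0) out="${out}---" ;;  1) out="${out}--x" ;;
      2) out="${out}-w-" ;;  3) out="${out}-wx" ;;
      4) out="${out}r--" ;;  5) out="${out}r-x" ;;
      6) out="${out}rw-" ;;  7) out="${out}rwx" ;;
      *) echo "bad octal digit: $d" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$out"
}

# Regenerate the table above for the masks it lists, plus the usual 022.
for mask in 000 022 111 222 333 444 555 666 777; do
  d=$(umask_apply "$mask" dir)
  f=$(umask_apply "$mask" file)
  printf '%s  dir %s (%s)  file %s (%s)\n' \
    "$mask" "$d" "$(mode_symbolic "$d")" "$f" "$(mode_symbolic "$f")"
done
```

Note the 111 row: a file's base mode has no execute bits to clear, so a mask of 111 changes nothing for files but removes search permission from new directories.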
Special Permissions
• The regular file permissions (rwx) are used to
assign security to files and directories.
• Three additional special permissions can be
optionally used on files and directories.
– Set User Id (SUID)
– Set Group ID (SGID)
– Sticky bit
Special Permissions
• The access permission status displayed by the “ls -l” command does not have a separate section for special permissions
• However, since special permissions require “execute”, they are shown in place of the execute permission when displayed with “ls -l”.
rwxrwxrwx
rwsrwsrwt
(s in the owner triple = SUID, s in the group triple = SGID, t in the others triple = sticky bit)
Special Permissions
• All special permissions also require the “execute” permission to work properly.
• Usually, SUID and SGID apply to executable files.
• The sticky bit applies to directories, which must have execute permission for access.
• If special permissions are set on a file or a directory without “execute” permission, the special permissions are shown in capital letters.
rw-rw-rw-
rwSrwSrwT
(S = SUID, S = SGID, T = sticky bit, each set without execute)
Special Permissions: SGID
• Like SUID, SGID enables regular users to execute a program file and become a member of the group that is attached to the file.
• If a file is owned by the system group and also has the SGID permission, then any user who executes that file will be a member of the system group during the execution.
Special Permissions: Sticky Bit
Scenario: A company provides a common directory that gives all employees the ability to add and remove files in it. This directory must give users “write” permission. Unfortunately, “write” permission also gives all employees the ability to delete all files and subdirectories within it, including the ones that others have added to the directory.
Sticky Bit
Setting Special Permissions
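Setting special permissions with chmod in octal mode means prefixing the usual three digits with a fourth (4 for SUID, 2 for SGID, 1 for the sticky bit). The script below is an added example, not from the lecture slides: it converts the mode column of ls -l into that four-digit form, applying the rule from the earlier slides that s/t mean the special bit plus execute while S/T mean the special bit without execute, and it flags the capital-letter case. It also decodes the mode of the shared directory from the sticky-bit scenario (rwxrwxrwt, i.e. 1777). The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lecture slides): convert the mode column of
# "ls -l" into the four-digit octal mode chmod accepts, reading the special
# permissions out of the execute positions: s/t = special bit plus execute,
# S/T = special bit without execute.

# mode_to_octal MODE  -> e.g. "rwsr-xr-x" -> 4755. A 10-character ls -l
# mode string (with the leading file-type column) is accepted as well.
mode_to_octal() {
  printf '%s\n' "$1" | awk '{
    m = $0
    if (length(m) == 10) m = substr(m, 2)    # drop the d/-/l type column
    if (length(m) != 9) { print "bad mode string: " $0 > "/dev/stderr"; exit 1 }
    special = 0; perm = ""
    for (i = 1; i <= 9; i += 3) {            # owner, group, others triples
      v = 0
      if (substr(m, i, 1) == "r") v += 4
      if (substr(m, i + 1, 1) == "w") v += 2
      c = substr(m, i + 2, 1)
      if (c == "x" || c == "s" || c == "t") v += 1          # execute present
      if (i == 1 && (c == "s" || c == "S")) special += 4    # SUID (owner triple)
      if (i == 4 && (c == "s" || c == "S")) special += 2    # SGID (group triple)
      if (i == 7 && (c == "t" || c == "T")) special += 1    # sticky (others triple)
      perm = perm v
    }
    print special perm
  }'
}

# special_without_exec MODE -> succeeds when a special bit sits on a
# position that lacks execute (a capital S or T in ls -l), the case the
# slides describe as set but not effective.
special_without_exec() {
  case $1 in
    *S*|*T*) return 0 ;;
    *)       return 1 ;;
  esac
}

mode_to_octal rwsrwsrwt      # 7777: all three special bits, execute present
mode_to_octal rwSrwSrwT      # 7666: special bits set but no execute
mode_to_octal drwxrwxrwt     # 1777: the shared directory from the scenario
mode_to_octal -rwsr-xr-x     # 4755: a typical SUID executable
```

To apply the result, the octal string is what chmod takes directly, for example `chmod 1777 shared_dir` gives the scenario's directory write permission for everyone while the sticky bit restricts deletion to each file's owner.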