Linux Based Networks

Zahid Shafique, Instructor

Linux Based Networks

Punjab University College of Information Technology Instructor: Zahid Shafique <[email protected]>

User Administration

Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

User Administration

User Administration

Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

User Accounts
Because Linux is a multi-user system, the task of adding and maintaining user accounts is common in Linux system administration. Upon a successful installation of a Linux distribution, two user accounts are configured: the root user and a normal user. These two user accounts represent the two basic types of users that are configurable with Linux.

User Administration

Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

The first type

The first type, the root user, is unique for several reasons. It is the only user account with system wide privileges. Other accounts can be set up as an exact clone of the root user account, but it is strongly discouraged.

User Administration

Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

System Accounts
In your Linux distribution, you will see a number of accounts set up, like bin, daemon, adm, Ip, sync, shutdown, mail, operator, and others. They are called "system accounts" and are used for varying purposes, some self-explanatory, some not. These accounts do not have passwords because they are not designed for login. These special-purpose accounts are also called nonlogin Do not accounts. delete them or some programs will not run.
User Administration Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

Default Users

User Administration

Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

Default Groups

User Administration

Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

Privileges of a root user

System administration tasks are performed from the root or super user account. The following list summarizes some of the duties and privileges of a system administrator: Has complete access to all files and directories regardless of owner and permissions Controls user account administration Performs system maintenance Halts the system when necessary Sets up initial user passwords Changes passwords when necessary. Installs software on theClass Meeting # system User Administration

Slide :

Linux Based Networks

Zahid Shafique, Instructor

The Second Type

A normal user account, is the type of account that is set up for each individual user. This type of account differs only in respect to access privileges and home directories.

User Administration

Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

Important

It is good system practice to have a separate account for each individual user. Avoid accounts that are shared, if possible.

User Administration

Class Meeting #

Slide : 1

Linux Based Networks

Zahid Shafique, Instructor

Adding New Users

Required steps:
Edit the /etc/passwd file to define the user's account. Set an initial password. Create the user's home directory.

Extra steps (optional):

Copy default startup files to the user's home directory. Add the user to the /etc/group file. Set the user's mail home and establish mail aliases. Enter the user in the site-wide user database (NIS). Configure disk quotas. Verify that the account is set up correctly. Record accounting information.
Class Meeting #

User Administration

Slide : 1

Linux Based Networks

Zahid Shafique, Instructor

User Accounts Utilities

Managing users and groups has traditionally been tedious, Red Hat Linux has a few tools and conventions that make users and groups easier to manage. You can use useradd to create a new user from the shell prompt

$ redhat-config-users The easiest way to manage usersredhat-config-users $ and groups is through

User Administration Class Meeting #

Slide : 1

Linux Based Networks

Zahid Shafique, Instructor

Account Setup
Adding and deleting users is simple, but understanding the files involved with user account management is a bit more complex. The key to managing user accounts is to understand the underlying configuration files.

User Administration

Class Meeting #

Slide : 1

Linux Based Networks

Zahid Shafique, Instructor

Key Configuration File

The key file used in user account setup and configuration is the /etc/passwd file. This file is a simple ASCII text file.

User Administration

Class Meeting #

Slide : 1

Linux Based Networks

Zahid Shafique, Instructor

/etc/passwd File
Upon a successful installation, the contents of the /etc/passwd file resemble the following:
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/var/ftp: nobody:x:99:99:Nobody:/: xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false apache:x:48:48:Apache:/var/www:/bin/false named:x:25:25:Named:/var/named:/bin/false gdm:x:42:42::/home/gdm:/bin/bash rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false rpc:x:32:32:Portmapper RPC user:/:/bin/false postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash mailnull:x:47:47::/var/spool/mqueue:/dev/null mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash nscd:x:28:28:NSCD Daemon:/:/bin/false pvm:x:24:24::/usr/share/pvm3:/bin/bash squid:x:23:23::/var/spool/squid:/dev/null

User Administration

Class Meeting #

Slide : 1

Linux Based Networks

Zahid Shafique, Instructor

The /etc/passwd file

root:*:0:3:The Big Guy,143 MSB:/:/bin/sh root:*:0:3:The Big Guy,143 MSB:/:/bin/sh daemon:*:1:5::/:/bin/sh daemon:*:1:5::/:/bin/sh farrell:*:100:15:Paul Farrell:/users/research/farrell/:/bin/csh farrell:*:100:15:Paul Farrell:/users/research/farrell/:/bin/csh stacke:*:101:15:Olaf P. Stackelberg:/users/fac/stack:/bin/csh stacke:*:101:15:Olaf P. Stackelberg:/users/fac/stack:/bin/csh pwang:*:102:15:Paul S. Wang:/users/research/wang:/usr/local/bin/tcsh pwang:*:102:15:Paul S. Wang:/users/research/wang:/usr/local/bin/tcsh abaqus57:x:53:13:License Manager:/var/log/abaqus57:/usr/bin/csh abaqus57:x:53:13:License Manager:/var/log/abaqus57:/usr/bin/csh matlab:x:54:13:Matlab License Manager:/usr/local/matlab5:/usr/bin/csh matlab:x:54:13:Matlab License Manager:/usr/local/matlab5:/usr/bin/csh catadm:x:55:13::/usr/local/abaqus:/bin/csh catadm:x:55:13::/usr/local/abaqus:/bin/csh

/etc/passwd

: info:home:shell

login_name password user_id group_id user

Note

Each entry in /etc/passwd must be on one line. Each field within each user's entry is separated from the next by a colon.
User Administration Class Meeting #

Slide : 1

Linux Based Networks

Zahid Shafique, Instructor

The /etc/passwd file contents

Login name
case sensitive and unique for users. no more than 8 chars long, may include numbers, except in position 1. (for some old system only) /etc/aliases can be used to set the alias of user name for most mail system like sendmail. Pseudo-Logins execute the corresponding commands as their shells. Eg daemon, bin. Look like Xv8Q981g71oKKrequ, encrypted by MD5 or DES algorithms. If null, no password is required, ie Press Enter directly! change user's password with passwd. /etc/passwd is world readable -> no security.
(refer to the /etc/shadow section)
Class Meeting #

Encrypted password

User Administration

Slide : 1

Linux Based Networks

User ID

Zahid Shafique, Instructor

The /etc/passwd file contents

uid is the ID for the user, which must be unique. UID 0 is reserved for root, and traditionally the lower number are kept for systems programs. It is recommended that human users start at 500. uid is a value between 0 and 65536. It is a good idea to avoid reusing UIDs, since this avoids confusion when backups are restored. gid is the ID of the group that the user belongs to. gid is generally a value between 0 an 65536. GID 0 is reserved for root and 1 is usually reserved for daemon. Groups' info are defined in /etc/groups.
(GECOS field)

Group ID

User Info

No particular format, can be Full name, Address, Contact number, etc. The finger command expects one to have comma. delimited Can be modified by the chfn command.
Class Meeting #

User Administration

Slide : 1

Linux Based Networks

Home directory

Zahid Shafique, Instructor

The /etc/passwd file contents

Users are placed in their home directory when they log in. Eg. /home/staff/zahid. Home directories are usually named with the user's login name, and should be read, write and executable by the user. If it is missing or invalid, a message such as "no home directory" will be printed or login disabled or login to the root directory.

# mkdir # mkdir # chown # chown # chgrp # chgrp # chmod # chmod

/home/staff/zahid /home/staff/zahid zahid /home/staff/zahid zahid /home/staff/zahid zahid /home/staff/zahid zahid /home/staff/zahid 700 /home/staff/zahid 700 /home/staff/zahid

Shell
Specify a standard shell (sh, csh, bash, ksh, etc.), but can be a restricted shell, or a program. Can be changed by chsh commands. If the shell field is null, Bourne Shell is used.
User Administration Class Meeting #

Slide : 1

Linux Based Networks

Zahid Shafique, Instructor

daemon: Owner of Unprivileged Software

Important Users

Usually has uid 1. Controls the files that belong to UNIX system. bin: Owner of System Commands Owns directories that contain the system's command and most of the executable files. sys (kmem): Owner of the Kernel and Memory Images Owns special files such as /dev/kmem (kernel's address space), /dev/mem (the physical memory of system), and /dev/swap (image of the system's swap space). nobody: Owner of Nothing The owner of software that doesn't need or shouldn't have special permissions, eg fingerd.
User Administration Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

The /etc/group file

root:X:0:root root:X:0:root daemon:X:1: daemon:X:1:

/ etc/grou bin:X:2:root,bin,daemon bin:X:2:root,bin,daemon sys:X:3:root,bin,sys,adm p sys:X:3:root,bin,sys,adm

adm:X:4:root,adm,daemon adm:X:4:root,adm,daemon

Each line has, 4 colon separated fields,

Group name password - never used GID - group ID number list of members

In practice, users are in the group given in the password file whether or not they are entered in that group in /etc/group
User Administration Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

The Startup Files

Startup files traditionally start with period (.) and end with rc (run command). Eg .cshrc, .login, .profile, etc It is useful to place system defaults setting in these files. Depends on the shell used, common startup files are:
csh csh .login .login .cshrc .cshrc .logout .logout sh /etc/profile sh /etc/profile .profile .profile ksh /etc/profile ksh /etc/profile .profile .profile .kshrc .kshrc started. started. bash /etc/profile bash /etc/profile /etc/bashrc /etc/bashrc .bash_profile .bash_profile .bash_login .bash_login .bashrc .bashrc .bash_logout .bash_logout
User Administration

Sets the terminal type, environment variables. Sets the terminal type, environment variables. Sets command aliases, path, umask value, prompt. Sets command aliases, path, umask value, prompt. Execute when users logout. Execute when users logout. System wide setup procedure at login. System wide setup procedure at login. Similar to .login and .cshrc for csh. Similar to .login and .cshrc for csh. System wide setup procedure at login. System wide setup procedure at login. User-specific setup for ksh at login. User-specific setup for ksh at login. Addition command to the shell when a new ksh Addition command to the shell when a new ksh System wide setup procedure at login. System wide setup procedure at login. System wide setup when bash started. System wide setup when bash started. User-specific setup for bash at login User-specific setup for bash at login read by bash if .bash_profile does not exist. read by bash if .bash_profile does not exist. read by bash only when a new bash started. read by bash only when a new bash started. read by bash when the shell is exited. read by bash when the shell is exited.
Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

/etc/shadow File
The /etc/shadow password file looks similar to the following:

ot:$1$d5.gDvSX$nyQhvBgUGbw0GcNTxAdKR1:11507:0:99999:7:

bin:*:11458:0:99999:7::: daemon:*:11458:0:99999:7::: adm:*:11458:0:99999:7::: lp:*:11458:0:99999:7::: sync:*:11458:0:99999:7::: shutdown:*:11458:0:99999:7::: halt:*:11458:0:99999:7::: mail:*:11458:0:99999:7:::

User Administration

Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

Secure Password Files

Modern UNIX systems like Linux and Solaris, place the passwords in a secure file (commonly called a shadow password file) or files elsewhere. The format and location differs between systems, as does the entry in the password section of the normal password file. The /etc/shadow file: Its access permissions are much more restricted, only view by the root. Provides also Password Aging, like password expiration.

User Administration

Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

root:$1$d5X$nyQBgUGbw0GcNTxAdKR1:11507:0:99999:7:::

Much like the /etc/passwd file, the /etc/shadow file consists of single-line entries with colon-delimited fields.

sername:password:lastchg:min:max:warn:inactive:expire:fla
username password lastchg min max warn inactive expire flag
User Administration

The user's login name (UID). An encrypted password for the user, a lock string to indicate that the login is not accessible, or no string, which shows that there is no password for the login. The number of days between 1/1/70 and the date that the password was last modified. The minimum number of days required between password changes. The maximum number of days the password is valid. The number of days before password expires that the user is warned. The number of days after password expires until the a/c is permanently disable. (-1 for disable the feature) A date, YYYY-MM-DD, specifying when the user will be disabled. (-1 for disable) Reserved for future use.
Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

Adding Users
User accounts can be added by directly editing the /etc/passwd file or by using a utility such as useradd, available in all Linux distributions. Default characteristics for each user account are defined by the settings in the /etc/login .defs file, as follows

User Administration

Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

/etc/login.defs
#QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Password aging controls: # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 500 UID_MAX 60000 # # Min/max values for automatic gid selection in groupadd # GID_MIN 500 GID_MAX 60000 # # If defined, this command is run when removing a user. # It should remove any at/cron/print jobs etc. owned by # the user to be removed (passed as the first argument). # #USERDEL_CMD /usr/sbin/userdel_local # # If useradd should create home directories for users by default # On RH systems, we do. This option is ORed with the -m flag on # useradd command line. # CREATE_HOME yes

User Administration

Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

When we create a new home directory

A new directory, /home/username, is created and populated with copies of the default files in the /etc/skel and /etc/skel.d directories (in that order).

User Administration

Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

Managing Users with Command Line Tools

Creating a new user account

To create a user from your command line you can run the useradd command. #useradd newuser This will add a new entry in /etc/passwd and in /etc/shadow if you use shadow passwords using system defaults.

User Administration

Class Meeting #

Slide : 2

Linux Based Networks

Zahid Shafique, Instructor

Creating a new user account

When I run the preceding command on my Red Hat system, /etc/passwd shows a new line such as the following:

newuser:!!:506:506::/home/newuser:/bin/bash If you remember the /etc/passwd fields from earlier discussion, You will see that the password field (the second field) is set to !!. This means that this password is not set and the user cannot log in just yet. So you will need to create a password for this user by running the passwd command as follows: #passwd newuser
User Administration Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

Default Settings
The UID and the GID values will be automatically selected by useradd. The home directory is created in the default top-level home directory The login shell is also selected from a system default. You will learn to set these defaults in a later section.

User Administration

Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

Overriding System Default

If you would like to override a system default, you can specify a command line option To override the default home directory, use the -d new directory option #useradd /www/newuser newuser -d

Note: useradd will create only the final directory and not the entire path.

User Administration

Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

Private Group

The useradd that comes with Red Hal Linux creates a private group for the user with the same name as the username.

User Administration

Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

Overriding System Default

You can override the idea of private group by using the -g group option For example: #useradd mjkabir -g users This will make useradd create the new user (mjkabir) with the default group set to the users.

User Administration

Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

Assigning user an additional group

You can use the -G comma-separated list of groups option. For example:mjkabir #useradd -G
wheel,admins

Here the new user (mjkabir) will be added to the wheel and admins groups in the /etc/group file.

User Administration

Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

To Find Out which groups user belong to

You can use the #groups username command to find out which user belongs to what group.

User Administration

Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

Creating a new group

To create a new group, use the groupadd command. For example: #groupadd

mygroup

User Administration

Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

CHANGING A PASSWORD
To change or set a user's password, use the passwd command. For example: #passwd zahid Note: When an ordinary user runs the passwd program, no username argument is required, because it will allow her to change only her own password.

User Administration

Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

CHANGING THE SHELL

If the default shell is not appropriate for a user, you may change it to any shell you list in /etc/shells. Use the chsh command to change a user's shell. For example: #chsh zahid Note that a user can change her own shell using this command as well. You can also use the usermod command to modify the shell information as follows: #usermod -s new shell path username
User Administration Class Meeting #

Slide : 3

Linux Based Networks

Zahid Shafique, Instructor

CHANGING THE HOME DIRECTORY

To change the home directory of an existing user, run the usermod command as follows: #usermod -d new home directory username For example, you can run the command as follows: #usermod -d /home2/zahid zahid However, if you would like to move the home directory contents to the new location, use the -m option as follows: #usermod -d /home2/zahid -m zahid

User Administration

Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

CHANGING A DEFAULT GROUP

To change the default group for a user, use the usermod command as follows:
#usermod -g group name or GID username

#usermod -g 777 For example: zahid

User Administration

Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

CHANGING ACCOUNT EXPIRATION DATE

If you are using shadow passwords, you can change the expiration date of a user account using the usermod command as follows:

#usermod -e MM/DD/YY username

For example:

#usermod -e 12/31/2002 zahid

This command will reset the account expiration date for user zahid to 12/31/2002.

User Administration

Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

CHANGING FINGER INFORMATION

You can also change the finger information, such as the full name and phone numbers. Run the chfn command to change a user's finger information. For example:

#chfn zahid
User Administration Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

Modifying an existing group

To modify an existing group name or GID, use the groupmod command. To rename a group to a new name, use the following syntax:

#groupmod -n new group current group

For example:

#groupmod -n experts novices

Here the existing novices group is renamed to experts.

User Administration

Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

Deleting a user account

To delete an existing user use the userdel command. For example:

# userdel snake
This deletes a user called snake. If you would like to remove the user's home directory and all the contents within the directory, use the -r option.

User Administration

Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

Caution!!

userdel will not delete the user if the user is currently logged in.

User Administration

Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

Disabling a user account

If you would like to temporarily disable a user account, you can do one of the following: Use the usermod -s new shell username' command to change the shell to /bin/false (make sure it is in your / etc/shells). This will disallow the user from logging into the system If you are using the shadow passwords, you can use the usermod -e MM/DD/YY username command to cause the user account to expire. If you would like to disable all user account access for a

temporary reason, you can create a file called Class Meeting # User Administration Slide /etc/nologin with a message explaining why you arc : 4

Linux Based Networks

Zahid Shafique, Instructor

Creating default user settings

The default settings for creating new users using useradd come from /etc/default/useradd. An example /etc/default/useradd file GROUP=100 HOME= /home INACTIVE= -1 EXPIRE= SHELL= /bin/bash SKEL= /etc/skel

User Administration

Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

GROUP=100
The GROUP=100 line specifics that the default group ID is 100. This value is used only when you disable (using the -n option) the default private group (that is the group with the same name as the new user). You can specify a group name instead of the numeric value as well. The value you specify in this line must exist In /etc/group. Yon can change this value as follows: #useradd -D -g news group name or GID

User Administration

Class Meeting #

Slide : 4

Linux Based Networks

Zahid Shafique, Instructor

HOME=/home

The HOME=/home line specifies the default top-level home directory for new users. You can change this value as follows: #useradd directory -D -b

User Administration

Class Meeting #

Slide : 5

Linux Based Networks

Zahid Shafique, Instructor

INACTIVE=-1
The INACTIVE=-1 line specifies when (in days) the account will become inactive after the password expires. This is useful only if you are using shadow passwords. The default value of -l states that accounts are never inactive. You can change this value as follows: #useradd -D -f number of days

User Administration

Class Meeting #

Slide : 5

Linux Based Networks

Zahid Shafique, Instructor

EXPIRE=
The EXPIRE= line specifics when a account should he disabled. This is useful only if you are using shadow passwords. By default, accounts never become disabled. You can change this value as follows: #useradd D -e MM/DD/YY

User Administration

Class Meeting #

Slide : 5

Linux Based Networks

Zahid Shafique, Instructor

SHELL=/bin/bash
The SHELL=/bin/bash line specifies the default login shell path. You can change this value as follows: #useradd /bin/tcsh D -s

User Administration

Class Meeting #

Slide : 5

Linux Based Networks

Zahid Shafique, Instructor

SKEL=/etc/skel
The files in this directory are copied to the new home directory of a new user account. Normally, you do not want to change this path to some other directory.

User Administration

Class Meeting #

Slide : 5

Linux Based Networks

Zahid Shafique, Instructor

User Administration

Class Meeting #

Slide : 5

Linux Based Networks

Zahid Shafique, Instructor

Exercise:

User Administration

Class Meeting #

Slide : 5

Linux Based Networks

Zahid Shafique, Instructor

Homework
Homework this week: Next week:

User Administration

Class Meeting #

Slide : 5