User Management

Uploaded by

mohammed ahmed

Environment Configuration Files

- /etc/profile: generic file that is processed for all users upon login
- /etc/bashrc: this file is processed when subshells are started
- ~/.bashrc: in this user-specific file, subshell variables can be defined
- ~/.bash_profile: in this file, user-specific login shell variables can be defined
- ~/.bash_history: stores the user's command history
- ~/.bash_logout: this file is processed during logout
Login shell vs Non login shell

Login shell
- /etc/profile
- /etc/profile.d/
- /etc/bashrc
- ~/.bashrc
- ~/.bash_profile

Non login shell
- /etc/bashrc
- ~/.bashrc
getent

- getent checks not only local users but also users from Active Directory and OpenLDAP domains (whatever sources are listed in /etc/nsswitch.conf).
- grep passwd /etc/nsswitch.conf
- getent passwd
- getent group
- getent networks
- getent services
- getent shadow
- getent gshadow
UID ranges

- UID 0 is always root
- UID 1-200 are system users assigned statically for system processes
- UID 201-999 are system users assigned dynamically for system processes when software that needs them is installed. These unprivileged system users have limited access to just the resources they need.
- UID 1000+ is for regular users
create local users

- useradd username
- -u for uid
- -g for gid
- -c for comment
- -d for home directory
- -s for shell
- -N for not creating a group with the same name as the user; the user is instead added to the group specified by -g
- -G supplementary group
- Note: adduser is a symbolic link to useradd on Red Hat; on Debian and Ubuntu systems it is a Perl script
setting passwords

- Local users cannot set weak passwords
- passwd -n 30 -w 3 -x 90 user sets the password for user to a minimum usage of 30 days and expiry after 90 days, generating a warning 3 days before expiry.
- echo "password" | passwd --stdin username
- echo "username:password" | sudo chpasswd
/etc/shadow

1. login name
2. password hash field, which encodes the hashing algorithm, the salt and the hash
3. date of the last password change, as the number of days since 1 Jan 1970
4. minimum number of days before a password may be changed, where 0 means no minimum age is required
5. maximum number of days before a password must be changed
6. warning period, in days, that a password is about to expire; 0 means no warning is given
7. the number of days an account remains active after a password has expired
8. account expiration date
9. blank field reserved for future use
chage for password aging

- chage -d 0 username will force a password update on next login
- chage -E YYYY-MM-DD username will expire an account on a specific day
- chage -l username will list the user's current settings
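As an added example (not part of the original slides), the shell function below parses constructed /etc/shadow lines using the nine fields from the /etc/shadow slide and reports the aging state that chage -d 0, chage -E and the passwd -n/-x/-w settings produce. The sample lines, the user names and the date passed as TODAY are constructed; the hash field is a placeholder.

```shell
#!/bin/sh
# Constructed /etc/shadow sample (not from a real host); "$6$PLACEHOLDER" stands in
# for a real SHA-512 hash. Fields: name:hash:lastchange:min:max:warn:inactive:expire:
SAMPLE_SHADOW='root:$6$PLACEHOLDER:19000:0:99999:7:::
alice:$6$PLACEHOLDER:19000:30:90:3:5::
bob:$6$PLACEHOLDER:0:0:90:7:::
carol:$6$PLACEHOLDER:19000:0:90:7::19050:
dave:!!:19000:0:90:7:::'

# shadow_status USER TODAY
# TODAY is the current date as days since 1 Jan 1970, passed in explicitly so the
# result is reproducible; a live check would pass $(( $(date +%s) / 86400 )).
# Prints one of: locked, expired-account, must-change, expired-password, warning, ok
shadow_status() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v user="$1" -v today="$2" '
        $1 != user { next }
        {
            hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
            # Field 2 starting with "!" or "*": the account is locked (usermod -L, "!!")
            if (hash ~ /^[!*]/)                  { print "locked";          exit }
            # Field 8: absolute account expiry, as written by chage -E
            if (expire != "" && today >= expire) { print "expired-account"; exit }
            # Field 3 == 0 is what chage -d 0 writes: change required at next login
            if (last == 0)                       { print "must-change";     exit }
            # Field 5: maximum age; 99999 or empty means aging is effectively off
            if (max == "" || max >= 99999)       { print "ok";              exit }
            age = today - last
            if (age > max) {
                # Field 7: grace days after expiry before the account is disabled
                if (inact != "" && age > max + inact) print "expired-account"
                else                                  print "expired-password"
                exit
            }
            # Field 6: warn this many days before max age is reached (passwd -w)
            if (warn != "" && age >= max - warn) { print "warning"; exit }
            print "ok"
        }'
}
```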
login defaults

- useradd uses 2 configuration files for default values
- /etc/login.defs
- /etc/default/useradd
Modify and Delete User Accounts

- usermod options
- -c comment
- -g primary group
- -G supplementary groups
- -a append; use together with -G so the user is added to the listed groups without being removed from the other groups
- -d specify a new home directory
- -m move the home directory to the new location; must be used with the -d option
- -s specify a new login shell
- -L lock the user account
- -U unlock the user account
- userdel -r removes the user together with the user's home directory
creating groups

- newgrp groupname changes the current group id during a login session
- groups username shows the user's groups, starting with the primary group
- getent gshadow groupname to check the group password entry
- gpasswd to administer /etc/group and /etc/gshadow
- The gpasswd command is used to set a group password; if the user running newgrp is not a member of the target group, the shell prompts for the group password
- gpasswd -a user group
- gpasswd -M user1,user2,user3 group
Configuring Permissions

- chown user1 myfile sets user1 as the owner of myfile
- chown user1.sales myfile sets user1 as owner and group sales as group owner of myfile
- chown user1:sales myfile sets user1 as user owner and group sales as group owner of myfile
- chown .sales myfile sets group sales as group owner of myfile without changing the owner
- chown :sales myfile sets group sales as group owner of myfile without changing the owner
- chown -R user /home/username
- chgrp -R account /home/account
Understanding Read, Write and Execute Permissions

| Permission | Applied to files              | Applied to directories                                        |
| Read       | Open a file                   | List the contents of the directory                            |
| Write      | Change the contents of a file | Create and delete files and modify permissions on files       |
| Execute    | Run a program file            | Change into the directory                                     |

| Category   | Operation                      | Attribute   | Number |
| u - user   | + assigns a permission         | r - read    | 4      |
| g - group  | - removes a permission         | w - write   | 2      |
| o - others | = assigns absolute permission  | x - execute | 1      |
| a - all    |                                | r + w + x   | 7      |
chmod command

- chmod 755 /somefile
- chmod +x somefile
- chmod g+x,o-r somefile
- chmod -R o+rx /data will set execute permission on all directories as well as all files in the /data directory.
- chmod -R o+rX /data will set execute permission on directories only and not on regular files (files that already carry an execute bit keep it).
Special Permissions SUID

- By default, a user who runs an executable file runs it with his own permissions.
- When a user needs to change his password, he needs to write the new password to the /etc/shadow file, which is not writable for users who don't have root permissions.
- The SUID permission is applied by default to the /usr/bin/passwd utility, so the user temporarily runs it with root permissions.
Special Permissions SGID

- When applied to an executable file, the user who executes the file is given the permissions of the group owner of that file.
- When applied to a directory, you can use it to set default group ownership on files and subdirectories created in that directory. So by default, files that a user creates there will be group shared.
Special Permissions Sticky bit

- The sticky bit is set to protect files against accidental deletion in an environment where multiple users have write permission in the same directory.
- When the sticky bit is applied, only the owner of a file or the owner of the directory where the file exists can delete that file.
SUID, SGID and Sticky Bit

| Permission | Numeric value | Relative value | On files                                            | On directories                                              |
| SUID       | 4             | chmod u+s      | User executes file with permissions of file owner   | No meaning                                                  |
| SGID       | 2             | chmod g+s      | User executes file with permissions of group owner  | All newly created items below inherit the group ownership   |
| Sticky bit | 1             | chmod +t       | No meaning                                          | Prevents users from deleting files belonging to other users |
Limitations of standard permissions

- Permissions restricting access to a file are limited to
- the file owner
- the members of only a single group
- others
File System mount option for ACL

- xfs has built-in support for ACLs in the kernel
# grep ACL /boot/config-$(uname -r)
- ext4 on earlier versions may need the acl option in the mount request. Check whether it is already enabled as a default mount option.
# tune2fs -l /dev/sdb1 | grep -i default
- Mount with ACL support if it is not enabled in the kernel or the filesystem defaults
# mount -o remount,acl /
# vim /etc/fstab
/dev/mapper/volgroup / ext3 defaults,acl 1 1
Access control Lists

- New files and directories can automatically inherit ACL settings from the parent directory's default ACLs.
- Changing group permissions on a file with an ACL using chmod will change the ACL mask but does not change the group owner permissions.
- To update the group owner permissions use
- setfacl -m g::perms filename
Access control Lists

- When recursively setting ACLs, an uppercase "X" indicates that execute permission should only be set on directories and not on regular files.
- The output of getfacl can be used as input to setfacl:
getfacl file1 | setfacl --set-file=- file
Using ACL

- Display the ACL on a file using getfacl newfile
- Named user with read and execute permissions for a file: setfacl -m user:john:rx file
- File owner with read, write permissions for a file: setfacl -m user::rw file
- Read, write permissions for a directory granted to the directory group owner: setfacl -m g::rw /dir
- Read, write, execute permissions for a directory granted to a named group: setfacl -m group:marketing:rwx /dir
- Read, execute permissions set as the default mask: setfacl -m default:m::rx /dir
- Named user granted initial read permission for new files and read, execute permission for new subdirectories: setfacl -m default:user:john:rx /dir
Using ACL

- chmod does not change the group-owner entry of files that carry ACL settings; it updates the ACL mask instead.
- setfacl -b filename removes all ACL entries from filename
Using PAM to control user access

- /etc/pam.d contains the configuration files
- /etc/security is used to configure the modules
- /lib64/security contains the PAM modules
create home directories during login

- /etc/login.defs
- CREATE_HOME no
- rpm -qa | grep oddjob
- rpm -ivh oddjob-mkhomedir-0.31.5-4.el7.x86_64
- systemctl start oddjobd
- systemctl enable oddjobd
- authconfig --enablemkhomedir --update
Password Policies and limit access

- cat /etc/pam.d/system-auth: the common authentication stack included by many services
- less /etc/security/pwquality.conf: the configuration file for password quality
- pwscore can be used to check the quality of a password
- /etc/security/limits.conf to limit access to resources
- ulimit -a
- vim /etc/pam.d/sshd
account required pam_time.so
- vim /etc/security/time.conf
*;*;root|user1;Wk0900-1800
lsattr / chattr common options
