Computer Center, CS, NCTU

Similar documents
User Management. lctseng

User Management. Lctseng, arr. by pschiu

Chapter 6 Adding New Users

CSE 265: System and Network Administration

Everything about Linux User- and Filemanagement

Course 144 Supplementary Materials. UNIX Fundamentals

System Administration

Users and Groups. his chapter is devoted to the Users and Groups module, which allows you to create and manage UNIX user accounts and UNIX groups.

NETW 110 Lab 5 Creating and Assigning Users and Groups Page 1

Chapter 5: User Management. Chapter 5 User Management

User & Group Administration

UNIT V. Dr.T.Logeswari. Unix Shell Programming - Forouzan

Introduction to Computer Security

User accounts and authorization

Hands-on Keyboard: Cyber Experiments for Strategists and Policy Makers

Linuxing In London - 19/10/2016. session 1: root, su or sudo? ALINA ŚWIĘTOCHOWSKA PRINCIPAL TECHNOLOGIST UNIX/LINUX

Processes are subjects.

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

User Management. René Serral-Gracià Xavier Martorell-Bofill 1. May 26, Universitat Politècnica de Catalunya (UPC)

MANAGING THE NONUNIFORM BEHAVIOUR OF TERMINALS AND KEYBOARDS. : WHEN THINGS GO WRONG

LAB #7 Linux Tutorial

Sudo: Switch User Do. Administrative Privileges Delegation Campus-Booster ID : **XXXXX. Copyright SUPINFO. All rights reserved

CST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management

Processes are subjects.

Linux Kung Fu. Ross Ventresca UBNetDef, Fall 2017

User Accounts. The Passwd, Group, and Shadow Files

Commands are in black

Project #3: Implementing NIS

OPERATING SYSTEMS LINUX

NETW 110 Lab 3 Post-Installation Configuration Page 1

Linux Kung Fu. Stephen James UBNetDef, Spring 2017

Introduction to Linux

22-Sep CSCI 2132 Software Development Lecture 8: Shells, Processes, and Job Control. Faculty of Computer Science, Dalhousie University

The kernel is the low-level software that manages hardware, multitasks programs, etc.

1Z Oracle Linux 5 and 6 System Administration Exam Summary Syllabus Questions

10 userdel: deleting a user account 9. 1 Context Tune the user environment and system environment variables [3]

Operating Systems Lab 1 (Users, Groups, and Security)

Pre-Assessment Answers-1

CIT 470: Advanced Network and System Administration. Topics. Namespaces. Accounts and Namespaces. 1. Namespaces 2. Policies

CST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management

Lab Authentication, Authorization, and Accounting

Chapter 8: Security under Linux

Introduction. What is Linux? What is the difference between a client and a server?

Passwords CSC 193 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Spring 2014

Information System Audit Engr. Abdul-Rahman Mahmood MS, PMP, MCP, QMR(ISO9001:2000)

System Programming. Introduction to Unix

Managing Users, Managing Security

Advanced Linux System Administra3on

INSE 6130 Operating System Security. Overview of Design Principles

Linux & Shell Programming 2014

Lab 2A> ADDING USERS in Linux

INSE 6130 Operating System Security

Linux Essentials Objectives Topics:

SUDO(8) System Manager s Manual SUDO(8)

Race Condition Vulnerability Lab

Welcome to getting started with Ubuntu Server. This System Administrator Manual. guide to be simple to follow, with step by step instructions

CS246 Spring14 Programming Paradigm Notes on Linux

02. At the command prompt, type usermod -l bozo bozo2 and press Enter to change the login name for the user bozo2 back to bozo. => steps 03.

FreeBSD 6 Unleashed. Michael Urban Brian Tiemann ISBN: Copyright 2006 by Sams Publishing

Deploying Rubrik Datos IO to Protect MongoDB Database on GCP

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

INF322 Operating Systems

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

CSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions

Files. Computer Center, CS, NCTU. % ls l. d rwx--x--x 7 liuyh gcs 1024 Sep 22 17:25 public_html. File type. File access mode.

Exam Linux-Praxis - 1 ( From )

UNIX/Linux Auditing. Baccam Consulting, LLC Training Events

8 User Administration

Operating system security

Q) Q) What is Linux and why is it so popular? Answer - Linux is an operating system that uses UNIX like Operating system...

Introduction to FreeBSD (Additional Material)

GNU/Linux 101. Casey McLaughlin. Research Computing Center Spring Workshop Series 2018

INTRODUCTION TO LINUX

HANDS UP IF YOU DON T HAVE A VM OR IF YOU DON T REMEMBER YOUR PASSWORDS. Or something broke

Introduction to Linux (Part I) BUPT/QMUL 2018/03/14

BPPM Patrol Agent Installation Steps on Linux and Automation Integration

CS615 - Aspects of System Administration. Multiuser Fundamentals

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Redhat Basic. Need. Your. What. Operation G U I D E. Technical Hand Note template version

Introduction to UNIX/LINUX Security. Hu Weiwei

Why secure the OS? Operating System Security. Privilege levels in 80X86 processors. The basis of protection: Seperation. Privilege levels - A problem

Linux Reference Card - Command Summary

SUDO(8) System Manager s Manual SUDO(8)

UNIX. Basic UNIX Command

System Programming. Unix Shells

Introduction to Unix Part II: Special Topics

Introduction to Unix May 24, 2008

Operating Systems 3. Operating Systems. Content. What is an Operating System? What is an Operating System? Resource Abstraction and Sharing

Operating Systems. Copyleft 2005, Binnur Kurt

CompTIA Linux Course Overview. Prerequisites/Audience. Course Outline. Exam Code: XK0-002 Course Length: 5 Days

Lab Working with Linux Command Line

Internet Security General Unix Security

Week 5 Lesson 5 02/28/18

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

Cyber Security. General Unix Security

Basic Linux Security. Roman Bohuk University of Virginia

SUDO(8) System Manager s Manual SUDO(8)

Welcome. Introduction to FreeBSD. Class Schedule. Some Practical Matters. Outline continued. Outline. Introduction. Pre-SANOG VI Workshop

Contents. Note: pay attention to where you are. Note: Plaintext version. Note: pay attention to where you are... 1 Note: Plaintext version...

Chp1 Introduction. Introduction. Objective. Logging In. Shell. Briefly describe services provided by various versions of the UNIX operating system.

Transcription:

User Management

Adding New Users

ID User ID, Group ID % id liuyh uid=10047(liuyh) gid=200(dcs) groups=200(dcs),0(wheel),700(ta),800(security),888(wwwadm) % id 10047 Super user root uid=10047(liuyh) gid=200(dcs) groups=200(dcs),0(wheel),700(ta),800(security),888(wwwadm) uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) Other Important Users daemon: owner of unprivileged software bin: owner of system commands sys: owner of the kernel and memory images nobody: owner of nothing 3

Steps to add a new user 1. Edit the password and group files > vipw, pw 2. Set an initial password > passwd liuyh 3. Set quota > edquota liuyh 4. Create user home directory > mkdir /home/liuyh 5. Copy startup files to user s home (optional) 6. Set the file/directory owner to the user > chown R liuyh:dcs /home/liuyh 4

Step to add a new user 1. password and group file (1) /etc/passwd Store user information: Login name Encrypted password (* or x) UID Default GID GECOS information Full name, office, extension, home phone Home directory Login shell Each is separated by : liuyh@nasa /etc $ grep liuyh passwd liuyh:*:1002:20:user &:/home/liuyh:/bin/tcsh 5

Step to add a new user 1. password and group file (2) Encrypted password The encrypted password is stored in shadow file for security reason /etc/master.passwd /etc/shadow liuyh@nasa /etc $ grep liuyh passwd liuyh:*:1002:20:user &:/home/liuyh:/bin/tcsh (BSD) (Linux) /etc/passwd (BSD) liuyh@nasa /etc $ sudo grep liuyh master.passwd liuyh:$1$4kqcupbi$/nvs5bpduxoyllxw9yp9d.:1002:20::0:0:user &:/home/liuyh:/bin/tcsh /etc/master.passwd [liuyh@yhlinux /etc] grep liuyh passwd liuyh:x:1002:20:user &:/home/liuyh:/bin/tcsh /etc/passwd (Linux) [liuyh@yhlinux /etc] sudo grep liuyh passwd liuyh:$1$4kqcupbi$/nvs5bpduxoyllxw9yp9d.:14529:0:99999:7::: /etc/shadow 6

Step to add a new user 1. password and group file (3) Encrypted methods des Plaintext: at most 8 characters Cipher: 13 characters long vfj42r/hzgqxk md5 Plaintext: arbitrary length Cipher: 34 characters long started with $1$ $1$xbFdBaRp$zXSp9e4y32ho0MB9Cu2iV0 blf Plaintext: arbitrary length Cipher: 60 characters long started with $2a$ $2a$04$jn9vc7dDJOX7V335o3.RoujuK/uoBYDg1xZs1OcBOrIXve3d1Cbm6 login.conf(5), AUTHENTICATION section: passwd_format 7

Step to add a new user 1. password and group file (4) GECOS General Electric Comprehensive Operating System Commonly used to record personal information, separated finger command will use it Use chfn to change your GECOS liuyh:*:1002:20:user &:/home/liuyh:/bin/tcsh #Changing user information for liuyh. Shell: /bin/tcsh Full Name: User & Office Location: Office Phone: Home Phone: Other information: 8

9 Step to add a new user 1. password and group file (5) Login shell Command interpreter /bin/sh /bin/csh /bin/tcsh /bin/bash /bin/zsh (/usr/ports/shells/bash) (/usr/ports/shells/zsh) Use chsh to change your shell #Changing user information for liuyh. Shell: /bin/tcsh Full Name: User & Office Location: Office Phone: Home Phone: Other information: liuyh:*:1002:20:user &:/home/liuyh:/bin/tcsh

Step to add a new user 1. password and group file (6) /etc/group Contains the names of UNIX groups and a list of each group s member: Group name Encrypted password GID List of members, separated by, wheel:*:0:root,liuyh daemon:*:1:daemon staff:*:20: Only in wheel group can do su command 10

Step to add a new user 1. password and group file (7) In FreeBSD Use vipw to edit /etc/master.passwd Three additional fields Login class Refer to an entry in the /etc/login.conf Determine user resource limits and login settings default Password change time Expiration time liuyh@nasa /etc $ sudo grep liuyh master.passwd liuyh:$1$4kqcupbi$/nvs5bpduxoyllxw9yp9d.:1002:20::0:0:user &:/home/liuyh:/bin/tcsh liuyh@nasa /etc $ grep liuyh passwd liuyh:*:1002:20:user &:/home/liuyh:/bin/tcsh 11

Step to add a new user 1. password and group file (8) /etc/login.conf of FreeBSD Set account-related parameters including Resource limits Process size, number of open files Session accounting limits When logins are allowed, and for how long Default environment variable Default path Location of the message of the day file Host and tty-based access control Default umask Account controls login.conf(5) Minimum password length, password aging 12

13 Step to add a new user 1. password and group file (9) default:\ :passwd_format=md5:\ :copyright=/etc/copyright:\ :welcome=/etc/motd:\ :setenv=mail=/var/mail/$,blocksize=k,ftp_passive_mode=yes:\ :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin:\ :nologin=/var/run/nologin:\ :cputime=unlimited:\ :datasize=unlimited:\ :stacksize=unlimited:\ :memorylocked=unlimited:\ :memoryuse=unlimited:\ :filesize=unlimited:\ :coredumpsize=unlimited:\ :openfiles=unlimited:\ :maxproc=unlimited:\ :sbsize=unlimited:\ :vmemoryuse=unlimited:\ :priority=0:\ :ignoretime@:\ :umask=022:

Step to add a new user 1. password and group file (10) In Linux Edit /etc/passwd and then Use pwconv to transfer into /etc/shadow Fields of /etc/shadow Login name Encrypted password Date of last password change Minimum number of days between password changes Maximum number of days between password changes Number of days in advance to warn users about password expiration Number of inactive days before account expiration Account expiration date Flags [liuyh@yhlinux /etc] sudo grep liuyh passwd liuyh:$1$4kqcupbi$/nvs5bpduxoyllxw9yp9d.:14529:0:99999:7::: 14

Step to add a new user 2, 3, 4 Initialize password passwd liuyh Set quota edquota liuyh edquota p dcsq liuyh Quotas for user liuyh: /raid: kbytes in use: 705996, limits (soft = 4000000, hard = 4200000) inodes in use: 9728, limits (soft = 50000, hard = 60000) Home directory mkdir /home/liuyh 15

Step to add a new user 5, 6 Startup files System wide /etc/{csh.cshrc, csh.login, csh.logout, profile} Private csh/tcsh sh vi startx.login,.logout,.tcshrc,.cshrc.profile.exrc.xinitrc In this step, we usually copy private startup files Change onwer /usr/share/skel/dot.* /usr/local/share/skel/zh_tw.big5/dot.* chown R liuyh:dcs /home/liuyh 16

Remove accounts Delete the account entry [FreeBSD] vipw, pw userdel [Linux] remove the row in /etc/passwd and pwconv Backup file and mailbox tar jcf liuyh-home-20101005.tar.bz /home/liuyh tar jcf liuyh-mail-20101005.tar.bz /var/mail/liuyh chmod 600 liuyh-*-20091013.tar.bz Delete home directory rm rf /home/liuyh rm f /var/mail/liuyh 17

Disabling login Ways to disable login Change user s login shell as /sbin/nologin Put a # in front of the account entry Put a '-' in front of the account entry Put a * in the encrypted password field Add *LOCKED* at the beginning of the excrypted password field pw lock/unlock Write a program to show the reason and how to remove the restriction pw(8) 18

Rootly Powers

The Root Root Root is God, also called super-user. UID is 0 UNIX permits the superuser to perform any valid operation on any file or process, such as: Changing the root directory of a process with chroot Setting the system clock Raising anyone s resource usage limits and process priorities (renice, edquota) Setting the system s hostname (hostname command) Configuring network interfaces (ifconfig command) Shutting down the system (shutdown command) 20

Becoming root (1) Login as root Console login Allow root login on console. If you don t want to permit root login in the console (in /etc/ttys) ttyv1 "/usr/libexec/getty Pc" cons25 on secure ttyv1 "/usr/libexec/getty Pc" cons25 on insecure Remote login (login via ssh) sshd: /etc/ssh/sshd_config #PermitRootLogin yes DON T DO THAT!!! 21

Becoming root (2) su : substitute user identity su, su -, su username Environment is unmodified with the exception of USER, HOME, SHELL which will be changed to target user. su - will simulate as a full login. sudo : a limited su (security/sudo) Subdivide superuser s power Who can execute what command on which host as whom. Each command executed through sudo will be logged Sep 20 02:10:08 NASA sudo: liuyh : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/etc/rc.d/pf start Edit /usr/local/etc/sudoers using visudo command visudo can check mutual exclusive access of sudoers file 22

Becoming root (3) sudoers format Who can execute what command on which host as whom The user to whom the line applies The hosts on which the line should be noted The commands that the specified users may run The users as whom they may be executed Use absolute path Host_Alias BSD=bsd1,bsd2,alumni Host_Alias LINUX=linux1,linux2 Cmnd_Alias Cmnd_Alias Cmnd_Alias DUMP=/usr/sbin/dump, /usr/sbin/restore PRINT=/usr/bin/lpc, /usr/bin/lprm SHELLS=/bin/sh, /bin/tcsh, /bin/csh 23

Becoming root (4) Host_Alias BSD=bsd1,bsd2,alumni Host_Alias LINUX=linux1,linux2 Cmnd_Alias PRINT=/usr/bin/lpc, /usr/bin/lprm Cmnd_Alias SHELLS=/bin/sh, /bin/tcsh, /bin/csh Cmnd_Alias SU=/usr/bin/su User_Alias wwwta=jnlin, ystseng User_Alias printta=thchen, jnlin 24 Runas_Alias liuyh chiahung printta wwwta %wheel NOBODY=nobody ALL=ALL ALL=(ALL)ALL,!SHELL,!SU csduty=print BSD=(NOBODY)/usr/bin/more ALL=NOPASSWD:/sbin/shutdown

Becoming root (5) % sudo u nobody more /usr/local/etc/apache/httpd.conf % cp p /bin/csh /tmp/csh; sudo /tmp/csh 25

sudoers Example liuyh ALL=(ALL) ALL %wheel ALL=(ALL) NOPASSWD: ALL 26

Advantage of sudo Accountability is much improved because of command logging Operators can do chores without unlimited root privileges The real root password can be known to only one or two people It s faster to use sudo than to run su or login as root Privileges can be revoked without the need to change the root password A canonical list of all users with root privileges is maintained There is less chance of a root shell being left unattended A single file can be used to control access for an entire network 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback