User accounts and authorization

Similar documents
User & Group Administration

Chapter 5: User Management. Chapter 5 User Management

10 userdel: deleting a user account 9. 1 Context Tune the user environment and system environment variables [3]

Lab 2A> ADDING USERS in Linux

CST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management

NETW 110 Lab 5 Creating and Assigning Users and Groups Page 1

User Accounts. The Passwd, Group, and Shadow Files

Lab Authentication, Authorization, and Accounting

CST8207: GNU/Linux Operating Systems I Lab Seven Linux User and Group Management. Linux User and Group Management

Redhat Basic. Need. Your. What. Operation G U I D E. Technical Hand Note template version

The kernel is the low-level software that manages hardware, multitasks programs, etc.

Operating Systems Lab 1 (Users, Groups, and Security)

User Management. René Serral-Gracià Xavier Martorell-Bofill 1. May 26, Universitat Politècnica de Catalunya (UPC)

Hands-on Keyboard: Cyber Experiments for Strategists and Policy Makers

MANAGING THE NONUNIFORM BEHAVIOUR OF TERMINALS AND KEYBOARDS. : WHEN THINGS GO WRONG

CSE 265: System and Network Administration

Users and Groups. his chapter is devoted to the Users and Groups module, which allows you to create and manage UNIX user accounts and UNIX groups.

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Adding users actions/mechanics

CS/CIS 249 SP18 - Intro to Information Security

Chapter 8: Security under Linux

Please choose the best answer. More than one answer might be true, but choose the one that is best.

Privileges: who can control what

Exercise 4: Access Control and Filesystem Security

RH-202. RedHat. Redhat Certified Technician on Redhat Enterprise Linux 4 (Labs)

Introduction to Linux

Introduction to Unix May 24, 2008

Processes and authentication

Working with Basic Linux. Daniel Balagué

Unix Introduction to UNIX

CSE 390a Lecture 3. Multi-user systems; remote login; editors; users/groups; permissions

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

Operating system security

Operating Systems. Copyleft 2005, Binnur Kurt

Course 144 Supplementary Materials. UNIX Fundamentals

CENG 334 Computer Networks. Laboratory I Linux Tutorial

Unix, History

Operating Systems 3. Operating Systems. Content. What is an Operating System? What is an Operating System? Resource Abstraction and Sharing

CSE 390a Lecture 4. Persistent shell settings; users/groups; permissions

DELL EMC UNITY: DR ACCESS AND TESTING. Dell EMC Unity OE 4.3

Introduction to Computer Security

Files (review) and Regular Expressions. Todd Kelley CST8207 Todd Kelley 1

UNIT 10 Ubuntu Security

RedHat. Rh202. Redhat Certified Technician on Redhat Enterprise Linux 4 (Labs)

Linux Essentials Objectives Topics:

Exercise Sheet 2. (Classifications of Operating Systems)

Everything about Linux User- and Filemanagement

Processes are subjects.

SANJAY GHODAWAT POLYTECHNIC

Processes are subjects.

TEL2821/IS2150: INTRODUCTION TO SECURITY Lab: Operating Systems and Access Control

Commands are in black

Operating Systems Security Access Control

CS246 Spring14 Programming Paradigm Notes on Linux

Linux Operating System Environment Computadors Grau en Ciència i Enginyeria de Dades Q2

Exam Linux-Praxis - 1 ( From )

Linux Kung-Fu. James Droste UBNetDef Fall 2016

Linux Kung Fu. Ross Ventresca UBNetDef, Fall 2017

Perl and R Scripting for Biologists

DELL EMC UNITY: DR ACCESS AND TESTING. Dell EMC Unity OE 4.5

Basic Linux Security. Roman Bohuk University of Virginia

The Unix Shell & Shell Scripts

UNIT V. Dr.T.Logeswari. Unix Shell Programming - Forouzan

Outline. UNIX security ideas Users and groups File protection Setting temporary privileges. Examples. Permission bits Program language components

OPERATING SYSTEMS LINUX

h/w m/c Kernel shell Application s/w user

INTRODUCTION TO LINUX

Pre-Assessment Answers-1

Exploring UNIX: Session 3

CST8207: GNU/Linux Operating Systems I Lab Six Linux File System Permissions. Linux File System Permissions (modes) - Part 1

bash startup files Linux/Unix files stty Todd Kelley CST8207 Todd Kelley 1

Computer Center, CS, NCTU

Hitchhiker s Guide to VLSI Design with Cadence & Synopsys

Embedded System Design

CSC209. Software Tools and Systems Programming.

UNIX / LINUX - GETTING STARTED

UTA Tech Orientation Spring 2019

GNU/Linux 101. Casey McLaughlin. Research Computing Center Spring Workshop Series 2018

The UNIX operating system is a set of programs that act as a link between the computer and the user.

Introduction to the UNIX command line

02. At the command prompt, type usermod -l bozo bozo2 and press Enter to change the login name for the user bozo2 back to bozo. => steps 03.

INF322 Operating Systems

Answers to Even- Numbered Exercises

Introduction: What is Unix?

File Properties and Permissions

Presented by Bill Genske Gary Jackson

Users, Groups and Permission in Linux

Unix. Examples: OS X and Ubuntu

CSE 303 Lecture 2. Introduction to bash shell. read Linux Pocket Guide pp , 58-59, 60, 65-70, 71-72, 77-80

CS197U: A Hands on Introduction to Unix

commandname flags arguments

MIS Week 10. Operating System Security. Unix/Linux basics

CSE 303 Lecture 4. users/groups; permissions; intro to shell scripting. read Linux Pocket Guide pp , 25-27, 61-65, , 176

CST Lab 2 Review #1

Operating systems fundamentals - B10

User Management. lctseng

O/S & Access Control. Aggelos Kiayias - Justin Neumann

Module 4: Access Control

Transcription:

User accounts and authorization Authentication vs authorization Authentication: proving the identity of someone Authorization: allowing a user to access certain resources 1

Government authorization documents have classifications employees have clearances confidential secret top secret z = f ( x, y ) access decision = = f ( document s classification, clearance ) Computer auth not so different linux files have permissions for particular user accounts processes (the true file users ) carry a user account identity Windows resource security policies processes carry user and group affiliation access decision = = f ( file s permissions, user ) 2

Linux users system keeps a list of user accounts system usage demands a user identification supplied at login no login, no usage a user id is implicit in all session activities all session activities are performed by processes every process has some user id as an attribute helps determine access to resources by that process users can be grouped The files of record /etc/passwd holds list of recognized users /etc/shadow holds their passwords /etc/group holds list of recognized groups, names of member users for each 3

Editing the files of record safely plain editors invite error introduction and multiuser conflicts /etc/passwd use usermod or vipw /etc/shadow use passwd, chage, usermod /etc/group use groupmod and usermod, or vigr /etc/passwd entries hold user information craig:x:507:507:craig Smith:/home/craig:/bin/bash official name password (placeholder) UID GID real name home directory login shell 4

/etc/shadow entries hold ancillary user information reserved craig:$1$2yl52jhl$:11992:60:75:3:14:12417:134550548 user name hashed password various values all relating to password aging /etc/group entries hold group information children:x:522:hansel, pinochio,gretel,heidi official name pass word (not used) GID member list 5

Adding users actions involved record added to /etc/passwd record added to /etc/shadow record added to /etc/group create user home directory /home/<username> copy default startup files to home directory set permissions on new files and directories set password customize user info with, e.g., usermod or chage Ways to add users do everything by hand let account management utilities do most of it useradd passwd write/get a custom program to do it to your taste 6

Adding users in 2 steps use useradd then set password with passwd Adding users in batch mode Set up a source file listing users in the form username:password e.g., file userinfo able:apple baker:banana charlie:cantelope 7

Assigning passwords in batch mode with chpasswd command man chpasswd: chpasswd reads a file of user name and password pairs from standard input and uses this information to update a group of existing users. [but] The named user must exist. Solution: make the named users exist first, with a script that useradd s them by looping through the list, then feed the list to chpasswd Adding users in batch mode #!/bin/bash while read LINE do user=`echo $LINE cut -f 1 -d :` useradd $user done < userinfo cat userinfo chpasswd file userinfo: able:apple baker:banana charlie:cantelope 8

Security drawback of chpasswd uses a file of cleartext passwords keep it on/use it from removable media only when finished destroy it Adding users in 2 steps [root@emach1 /root]# useradd charlie [root@emach1 /root]# passwd charlie step 1 step 2 Changing password for user charlie New UNIX password: Retype new UNIX password: Now find out what happened! passwd: all authentication tokens updated successfully [root@emach1 /root]# su charlie become charlie [charlie@emach1 /root]$ cd enter his home directory [charlie@emach1 charlie]$ pwd /home/charlie identify home directory [charlie@emach1 charlie]$ ls -a..xdefaults.bash_profile.kde.screenrc directory is populated...bash_logout.bashrc.kderc Desktop [charlie@emach1 charlie]$ cat /etc/passwd grep charlie charlie:x:531:539::/home/charlie:/bin/bash charlie s in the list alright 9

Ways to remove users do everything by hand let account management utilities to most of it userdel r write/get a custom program to do it to your taste Deleting users [root@emach1 /root]# userdel -r charlie [root@emach1 /root]# su charlie su: user charlie does not exist [root@emach1 /root]# ls -a /home/charlie ls: /home/charlie: No such file or directory [root@emach1 /root]# cat /etc/passwd grep charlie [root@emach1 /root]# doesn t live here anymore home directory who?? gone. really! 10

Disabling login without removing user replace shell substitute a do nothing program instead of /bin/bash /bin/false does nothing, returns immediately usermod -s /bin/false <username> Diabling a user s s login ability [root@emach1 /root]# su charlie [charlie@emach1 /root]$ exit exit [root@emach1 /root]# usermod -s /bin/false charlie [root@emach1 /root]# su charlie [root@emach1 /root]# cat /etc/passwd grep charlie charlie:x:531:539::/home/charlie:/bin/false [root@emach1 /root]# usermod -s /bin/bash charlie [root@emach1 /root]# cat /etc/passwd grep charlie charlie:x:531:539::/home/charlie:/bin/bash [root@emach1 /root]# su charlie [charlie@emach1 /root]$ login as charlie works, gets a prompt /bin/false returns, does nothing login as charlie works, but reverts right back to root s prompt bash shell is back, login as charlie gets a user prompt again 11

Groups Purpose Let a set of users share files by extending common permissions to them Mechanism Files have a group affiliation Users have group memberships Separate access to a file can be extended to members of its group There are groups Groups are defined in /etc/group file /etc/group.. administrators:x:542:socrates,roy teachers:x:543:plato students:x:544:aristotle.. Groups 12

Creating/destroying groups create a group groupadd employees remove a group groupdel employees man page caveats: You must manually check all file systems to insure that no files remain with the named group as the file group ID... You may not remove the primary group of any existing user. You must remove the user before you remove the group." Composing a group assign groups to users use usermod usermod -G employees,salesmen willie or, assign users to groups use gpasswd gpasswd a willie employees gpasswd a willie salesmen same result gpasswd M willie,billy,milly fools 13

Files have (1) a user affiliation Files user affiliations are shown by the ls l command: [root@emach1 schools]# ls -l Files total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries Their affiliated users Files have (2) a group affiliation Files group affiliations are shown by the ls l command: [root@emach1 schools]# ls -l Files total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries Their affiliated groups 14

Files have (3) a permissions setting Files permissions settings are shown by the ls l command: [root@emach1 schools]# ls -l Files total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries Their permissions settings Users have group memberships Users memberships appear in the file that defines the groups, (/etc/group) not the one that defines the users (/etc/passwd) file /etc/group The. group. administrators:x:542:socrates,roy teachers:x:543:plato students:x:544:aristotle The members.. 15

One of 3 permissions triplets applies in any given case -rwxr-x--- File type (file, directory, device, ) Accesses granted to file s associated User Accesses granted to members of file s Group Accesses granted to all Other users Meaning for files letter : -or else- hyphen : r can read can open file w write can modify file x execute can execute file - can t read can t open file - can t write can t modify file - can t execute can t execute file 16

Commands for controlling these [root@emach1 schools]# ls -l total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries chmod chown chgrp chmod change file permissions To restrict/extend access to others To enable script execution 17

chmod change file permissions entire granularity (all 9-at-a-time) use octal specification surgical granularity (just 1, or a couple, at a time) use who/how/what specification changing all permissions octal specification - - - - - x - w - - w x r - - r x r w r w x 0 0 0 0 0 1 0 1 0 0 1 1 1 0 0 1 0 1 1 1 0 1 1 1 0 1 2 3 4 5 6 7 Used in triples: e.g., 750 = rwxr-x--- 18

changing just some permissions who/how/what specification who how what u g o a + - = r w x s who/how/what u for that user associated with the file ( owner ) g for those users in group associated with the file o for anybody else ( world ) a all three of them 19

who/how how/what + - = add, other existing permissions unaffected remove, other existing permissions unaffected set, existing permissions replaced who/how/what what r - read w - write x execute s establish set id behavior 20

chmod examples Access decision mechanics the actor which user? the file s affiliated user which is that? if one and the same 1st triplet applies, else the file s affiliated group which is it? if actor in that group 2nd triplet applies, else actor is unrelated to file, a bystander 3rd triplet applies 21

Who can read what? [root@emach1 schools]# ls -l total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries socrates (an administrator) can read: salaries (because he s an administrator) assignments (because bystanders can) aristotle (a student) can read: assignments (because he s student) plato (a teacher) can read: grades (because he s a teacher) assignments (because bystanders can) Permission sets don t t overlap because david is xxx400 s affiliated user because tom is xxx040 s affiliated group s member because mary is xxx400 s 3 rd -party bystander prohibited! because david is xxx004 s affiliated user ( owner ) He is not in xxx004 s other category, which would permit. Owner more restricted than others, on his own file. 22

Non-file resources similarly everything is a file in unix directories devices (disk partition) kernel memory flag (suppress ping response) How to extend permission to a certain group, plus one other guy (who doesn t belong in it)? two groups? three? miscellaneous ungrouped users? 23

Access contol lists (ACLs( ACLs) ACLs extend the rules to define more fine-grained discretionary access rights ACL man page apply arbitrary permissions for arbitrary users on arbitrary files in any combination ACLs reside in the filesystem (ext2) each file can have its own for users in a file s ACL ACL s triplet eclipses/replaces permission string s for any others permission string s sub-triplet still governs unaffected Access contol lists (ACLs( ACLs) ACL exists for this file student can t read grades, teacher can make special changes, via ACL student can now read grades, teacher no longer can (ACL overrides) grades ACL 24

Windows Authorization Windows has a different form of authorization, depending on the network workgroups small networks Each client must specify his/her own authorization Local Security Policies domains large networks with domain controllers group policies - policies that are set forth for the entire network, based on user permissions Windows Authorization* *ntfs filesystem 25

Password aging features time since last password change number of days before password can be changed number of days after which password must be changed days before password expiry to give warning at login days after password expiry to expire account deadline at which to auto-disable account /etc/shadow entries hold password aging information reserved craig:$1$2yl52jhl$:11992:60:75:3:14:12417:134550548 user name hashed password last password change (11/1/02) chage -d days therafter before change permitted chage -m days thereafter when change required (password expires) chage -M login warning pre-expiry leadtime days auto-disablement deadline (12/31/03) chage -E post-expiry inactivity interval before account locked chage -I chage -W 26

Use chage to view [root@emach1 /root]# chage -l craig Minimum: 60 Maximum: 75 Warning: 3 Inactive: 14 Last Change: Nov 01, 2002 Password Expires: Jan 15, 2003 Password Inactive: Jan 29, 2003 Account Expires: Dec 31, 2003 last change + maximum + inactive or to modify Item modified Minimum Maximum Warning Inactive Last Change chage option used -m -M -W -I -d Account Expires -E 27

Login during warning period EMACH1 login: craig Password: Warning: your password will expire in 3 days Last login: Sat Jan 11 16:03:31 on tty2 [craig@emach1 craig]$ date Sat Jan 11 16:04:37 PST 2003 date of this login Login after password expiry EMACH1 login: craig Password: Your password has expired; please change it! Changing password for craig (current) UNIX password: New UNIX password: Retype new UNIX password: Last login: Sat Jan 11 16:04:34 on tty2 [craig@emach1 craig]$ [craig@emach1 craig]$ date Thu Jan 16 16:00:34 PST 2003 user asked to change password he changes it date of this login 28

New values thereafter [root@emach1 /root]# chage -l craig Minimum: 60 Maximum: 75 Warning: 3 Inactive: 14 Last Change: Jan 17, 2003 Password Expires: Apr 02, 2003 Password Inactive: Apr 16, 2003 Account Expires: Dec 31, 2003 new change date reflected deadlines advanced accordingly Webmin 29

Webmin Webmin 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback