User accounts and authorization Authentication vs authorization Authentication: proving the identity of someone Authorization: allowing a user to access certain resources 1
Government authorization documents have classifications employees have clearances confidential secret top secret z = f ( x, y ) access decision = = f ( document s classification, clearance ) Computer auth not so different linux files have permissions for particular user accounts processes (the true file users ) carry a user account identity Windows resource security policies processes carry user and group affiliation access decision = = f ( file s permissions, user ) 2
Linux users system keeps a list of user accounts system usage demands a user identification supplied at login no login, no usage a user id is implicit in all session activities all session activities are performed by processes every process has some user id as an attribute helps determine access to resources by that process users can be grouped The files of record /etc/passwd holds list of recognized users /etc/shadow holds their passwords /etc/group holds list of recognized groups, names of member users for each 3
Editing the files of record safely plain editors invite error introduction and multiuser conflicts /etc/passwd use usermod or vipw /etc/shadow use passwd, chage, usermod /etc/group use groupmod and usermod, or vigr /etc/passwd entries hold user information craig:x:507:507:craig Smith:/home/craig:/bin/bash official name password (placeholder) UID GID real name home directory login shell 4
/etc/shadow entries hold ancillary user information reserved craig:$1$2yl52jhl$:11992:60:75:3:14:12417:134550548 user name hashed password various values all relating to password aging /etc/group entries hold group information children:x:522:hansel, pinochio,gretel,heidi official name pass word (not used) GID member list 5
Adding users actions involved record added to /etc/passwd record added to /etc/shadow record added to /etc/group create user home directory /home/<username> copy default startup files to home directory set permissions on new files and directories set password customize user info with, e.g., usermod or chage Ways to add users do everything by hand let account management utilities do most of it useradd passwd write/get a custom program to do it to your taste 6
Adding users in 2 steps use useradd then set password with passwd Adding users in batch mode Set up a source file listing users in the form username:password e.g., file userinfo able:apple baker:banana charlie:cantelope 7
Assigning passwords in batch mode with chpasswd command man chpasswd: chpasswd reads a file of user name and password pairs from standard input and uses this information to update a group of existing users. [but] The named user must exist. Solution: make the named users exist first, with a script that useradd s them by looping through the list, then feed the list to chpasswd Adding users in batch mode #!/bin/bash while read LINE do user=`echo $LINE cut -f 1 -d :` useradd $user done < userinfo cat userinfo chpasswd file userinfo: able:apple baker:banana charlie:cantelope 8
Security drawback of chpasswd uses a file of cleartext passwords keep it on/use it from removable media only when finished destroy it Adding users in 2 steps [root@emach1 /root]# useradd charlie [root@emach1 /root]# passwd charlie step 1 step 2 Changing password for user charlie New UNIX password: Retype new UNIX password: Now find out what happened! passwd: all authentication tokens updated successfully [root@emach1 /root]# su charlie become charlie [charlie@emach1 /root]$ cd enter his home directory [charlie@emach1 charlie]$ pwd /home/charlie identify home directory [charlie@emach1 charlie]$ ls -a..xdefaults.bash_profile.kde.screenrc directory is populated...bash_logout.bashrc.kderc Desktop [charlie@emach1 charlie]$ cat /etc/passwd grep charlie charlie:x:531:539::/home/charlie:/bin/bash charlie s in the list alright 9
Ways to remove users do everything by hand let account management utilities to most of it userdel r write/get a custom program to do it to your taste Deleting users [root@emach1 /root]# userdel -r charlie [root@emach1 /root]# su charlie su: user charlie does not exist [root@emach1 /root]# ls -a /home/charlie ls: /home/charlie: No such file or directory [root@emach1 /root]# cat /etc/passwd grep charlie [root@emach1 /root]# doesn t live here anymore home directory who?? gone. really! 10
Disabling login without removing user replace shell substitute a do nothing program instead of /bin/bash /bin/false does nothing, returns immediately usermod -s /bin/false <username> Diabling a user s s login ability [root@emach1 /root]# su charlie [charlie@emach1 /root]$ exit exit [root@emach1 /root]# usermod -s /bin/false charlie [root@emach1 /root]# su charlie [root@emach1 /root]# cat /etc/passwd grep charlie charlie:x:531:539::/home/charlie:/bin/false [root@emach1 /root]# usermod -s /bin/bash charlie [root@emach1 /root]# cat /etc/passwd grep charlie charlie:x:531:539::/home/charlie:/bin/bash [root@emach1 /root]# su charlie [charlie@emach1 /root]$ login as charlie works, gets a prompt /bin/false returns, does nothing login as charlie works, but reverts right back to root s prompt bash shell is back, login as charlie gets a user prompt again 11
Groups Purpose Let a set of users share files by extending common permissions to them Mechanism Files have a group affiliation Users have group memberships Separate access to a file can be extended to members of its group There are groups Groups are defined in /etc/group file /etc/group.. administrators:x:542:socrates,roy teachers:x:543:plato students:x:544:aristotle.. Groups 12
Creating/destroying groups create a group groupadd employees remove a group groupdel employees man page caveats: You must manually check all file systems to insure that no files remain with the named group as the file group ID... You may not remove the primary group of any existing user. You must remove the user before you remove the group." Composing a group assign groups to users use usermod usermod -G employees,salesmen willie or, assign users to groups use gpasswd gpasswd a willie employees gpasswd a willie salesmen same result gpasswd M willie,billy,milly fools 13
Files have (1) a user affiliation Files user affiliations are shown by the ls l command: [root@emach1 schools]# ls -l Files total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries Their affiliated users Files have (2) a group affiliation Files group affiliations are shown by the ls l command: [root@emach1 schools]# ls -l Files total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries Their affiliated groups 14
Files have (3) a permissions setting Files permissions settings are shown by the ls l command: [root@emach1 schools]# ls -l Files total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries Their permissions settings Users have group memberships Users memberships appear in the file that defines the groups, (/etc/group) not the one that defines the users (/etc/passwd) file /etc/group The. group. administrators:x:542:socrates,roy teachers:x:543:plato students:x:544:aristotle The members.. 15
One of 3 permissions triplets applies in any given case -rwxr-x--- File type (file, directory, device, ) Accesses granted to file s associated User Accesses granted to members of file s Group Accesses granted to all Other users Meaning for files letter : -or else- hyphen : r can read can open file w write can modify file x execute can execute file - can t read can t open file - can t write can t modify file - can t execute can t execute file 16
Commands for controlling these [root@emach1 schools]# ls -l total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries chmod chown chgrp chmod change file permissions To restrict/extend access to others To enable script execution 17
chmod change file permissions entire granularity (all 9-at-a-time) use octal specification surgical granularity (just 1, or a couple, at a time) use who/how/what specification changing all permissions octal specification - - - - - x - w - - w x r - - r x r w r w x 0 0 0 0 0 1 0 1 0 0 1 1 1 0 0 1 0 1 1 1 0 1 1 1 0 1 2 3 4 5 6 7 Used in triples: e.g., 750 = rwxr-x--- 18
changing just some permissions who/how/what specification who how what u g o a + - = r w x s who/how/what u for that user associated with the file ( owner ) g for those users in group associated with the file o for anybody else ( world ) a all three of them 19
who/how how/what + - = add, other existing permissions unaffected remove, other existing permissions unaffected set, existing permissions replaced who/how/what what r - read w - write x execute s establish set id behavior 20
chmod examples Access decision mechanics the actor which user? the file s affiliated user which is that? if one and the same 1st triplet applies, else the file s affiliated group which is it? if actor in that group 2nd triplet applies, else actor is unrelated to file, a bystander 3rd triplet applies 21
Who can read what? [root@emach1 schools]# ls -l total 12 -rw-r--r-- 1 root students 121 Dec 8 17:15 assignments -rw-rw---- 1 root teachers 119 Dec 8 17:13 grades -rw-r----- 1 root administ 95 Dec 8 17:10 salaries socrates (an administrator) can read: salaries (because he s an administrator) assignments (because bystanders can) aristotle (a student) can read: assignments (because he s student) plato (a teacher) can read: grades (because he s a teacher) assignments (because bystanders can) Permission sets don t t overlap because david is xxx400 s affiliated user because tom is xxx040 s affiliated group s member because mary is xxx400 s 3 rd -party bystander prohibited! because david is xxx004 s affiliated user ( owner ) He is not in xxx004 s other category, which would permit. Owner more restricted than others, on his own file. 22
Non-file resources similarly everything is a file in unix directories devices (disk partition) kernel memory flag (suppress ping response) How to extend permission to a certain group, plus one other guy (who doesn t belong in it)? two groups? three? miscellaneous ungrouped users? 23
Access contol lists (ACLs( ACLs) ACLs extend the rules to define more fine-grained discretionary access rights ACL man page apply arbitrary permissions for arbitrary users on arbitrary files in any combination ACLs reside in the filesystem (ext2) each file can have its own for users in a file s ACL ACL s triplet eclipses/replaces permission string s for any others permission string s sub-triplet still governs unaffected Access contol lists (ACLs( ACLs) ACL exists for this file student can t read grades, teacher can make special changes, via ACL student can now read grades, teacher no longer can (ACL overrides) grades ACL 24
Windows Authorization Windows has a different form of authorization, depending on the network workgroups small networks Each client must specify his/her own authorization Local Security Policies domains large networks with domain controllers group policies - policies that are set forth for the entire network, based on user permissions Windows Authorization* *ntfs filesystem 25
Password aging features time since last password change number of days before password can be changed number of days after which password must be changed days before password expiry to give warning at login days after password expiry to expire account deadline at which to auto-disable account /etc/shadow entries hold password aging information reserved craig:$1$2yl52jhl$:11992:60:75:3:14:12417:134550548 user name hashed password last password change (11/1/02) chage -d days therafter before change permitted chage -m days thereafter when change required (password expires) chage -M login warning pre-expiry leadtime days auto-disablement deadline (12/31/03) chage -E post-expiry inactivity interval before account locked chage -I chage -W 26
Use chage to view [root@emach1 /root]# chage -l craig Minimum: 60 Maximum: 75 Warning: 3 Inactive: 14 Last Change: Nov 01, 2002 Password Expires: Jan 15, 2003 Password Inactive: Jan 29, 2003 Account Expires: Dec 31, 2003 last change + maximum + inactive or to modify Item modified Minimum Maximum Warning Inactive Last Change chage option used -m -M -W -I -d Account Expires -E 27
Login during warning period EMACH1 login: craig Password: Warning: your password will expire in 3 days Last login: Sat Jan 11 16:03:31 on tty2 [craig@emach1 craig]$ date Sat Jan 11 16:04:37 PST 2003 date of this login Login after password expiry EMACH1 login: craig Password: Your password has expired; please change it! Changing password for craig (current) UNIX password: New UNIX password: Retype new UNIX password: Last login: Sat Jan 11 16:04:34 on tty2 [craig@emach1 craig]$ [craig@emach1 craig]$ date Thu Jan 16 16:00:34 PST 2003 user asked to change password he changes it date of this login 28
New values thereafter [root@emach1 /root]# chage -l craig Minimum: 60 Maximum: 75 Warning: 3 Inactive: 14 Last Change: Jan 17, 2003 Password Expires: Apr 02, 2003 Password Inactive: Apr 16, 2003 Account Expires: Dec 31, 2003 new change date reflected deadlines advanced accordingly Webmin 29
Webmin Webmin 30