OS Fundamentals - Linux User Management
KU Leuven
Phaedra Degreef
Summary
This document provides an introduction to Linux user management. It explains Linux user accounts, user IDs, groups, permissions, and commands. It is designed for undergraduate-level students.
Full Transcript
OS FUNDAMENTALS: Linux user management
Phaedra Degreef

USER MANAGEMENT

WHY MULTI-USER?
• Linux is multi-user.
− Authentication: prove that you are who you claim to be
− Authorisation: what are you allowed to do?
• Ensures security & privacy

USER
• A user is defined via
− Username
− User ID (UID): a unique numeric number for each user
• Behind the scenes, UIDs are used (not usernames)
• Display user info: [screenshot]

GROUPS
• Why? It makes system management easier: it is easier to define something like security (authorisations) for a whole group than for each user individually.
• A group is defined by
− Group name
− Group ID (GID)
• A user can belong to more than one group
− When a user is created, it is added to a default user group, usually called “users”

USER AND GROUP IDS [screenshot]

DISPLAY MORE USER INFO [screenshot]

WHERE IS THE INFO STORED?
• Users: /etc/passwd and /etc/shadow
• Groups: /etc/group

/ETC/PASSWD
• Contains user account information, with the exception of the user account passwords
− These are contained in the “shadow file” (/etc/shadow)
• This is in fact an option, enabled by default
• Can be read by everyone (!)
− Necessary for the login process, where the username needs to be verified: you have no user privileges yet when you are not logged in!
[screenshots of /etc/passwd]

/ETC/SHADOW
• Is used to store the passwords
• Passwords are “encrypted”!
− Hashing: one-way encryption, so the stored value cannot be decrypted
• The shadow file can only be read by root
[screenshot of the shadow file]

LOGIN PROCESS
• When the username is entered, it is looked up in the passwd file
• If the username exists, the password is asked
− The user enters the password
− The entered password is encrypted (hashed)
− The encrypted result is compared to the encrypted password in the shadow file
− If they match, the user is authenticated

USER MANAGEMENT COMMANDS

USERS AND GROUPS
• Users can be members of one or more groups
− Group definitions are in /etc/group
• The “root” user has all possible rights on the computer by definition
• Security is defined in terms of users and/or groups

IDENTITY SWITCHING: SU
• su <username>: “switch user”, become another user temporarily
• sudo <command>: like su root, but for a single command
• sudo -i: switch to root for multiple commands
− Use the exit command to leave the sudo session

SUDO [screenshot]

SELECTIVE SUDO
• Delegate administrative privileges
− For example: the shutdown command requires root privileges
− One option: give the root password to users. What could possibly go wrong? ;-)
− Better: selectively give rights for specific commands to specific users ➔ sudoers file

SUDOERS FILE
• /etc/sudoers
• Requires sudo ☺ to edit
• Tool: visudo

SUDOERS FILE - SYNTAX
By default, the account password will be asked every five minutes in order to perform sudo operations. If you want to remove the password verification, you can simply add the “NOPASSWD” option.
[screenshots of sudoers syntax]

AUTHORIZATION LOGS…
• But an admin has equal rights to Santa Claus: [screenshot]

ADDING USERS
• Two commands are available to add users
− adduser
• Is interactive (asks questions to the user)
• Not fit for scripting (automation)
» Try to add 150 users with this command…
− useradd
• Has a lot of options
» When in doubt about options: use help! Just type useradd without options or arguments (see next slide)
• Preferred
• Will be required for the lab exam!
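The slides above explain where usernames, UIDs, group memberships and password hashes live and how sudoers grants a command to a user. The script below is an added example (not part of the slides) that rebuilds those lookups in POSIX shell over constructed copies of /etc/passwd, /etc/group, /etc/shadow and /etc/sudoers, so you can see which field of which file feeds each part of the `id` output. All accounts, the `$6$...` hash value and the sudoers lines are made up; the sudoers matcher is a deliberately simplified model that understands only `user ALL=(ALL) [NOPASSWD:] /path/cmd` lines.

```shell
#!/bin/sh
# Added example: a tiny re-implementation of the lookups behind `id`, over
# constructed copies of the files the slides describe. Nothing here touches
# the real /etc files and no root is needed.

SCRATCH=$(mktemp -d)
PASSWD="$SCRATCH/passwd"; GROUP="$SCRATCH/group"
SHADOW="$SCRATCH/shadow"; SUDOERS="$SCRATCH/sudoers"

# /etc/passwd: name:x:UID:GID:GECOS:home:shell  ('x' = password is in shadow)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
denayer:x:1001:100:Denayer User Account:/home/denayer:/bin/bash
geeko:x:1002:100:Geeko:/home/geeko:/bin/sh
EOF

# /etc/group: name:x:GID:member,list  (the member list holds only
# supplementary memberships; the primary group comes from passwd)
cat > "$GROUP" <<'EOF'
root:x:0:
adm:x:4:denayer
cdrom:x:24:denayer,geeko
users:x:100:
EOF

# /etc/shadow: name:$id$salt$hash:lastchange:min:max:warn:inactive:expire:
# The hash below is a constructed placeholder, not a real password hash.
cat > "$SHADOW" <<'EOF'
root:!:19000:0:99999:7:::
denayer:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
EOF

# Simplified sudoers: who may run what (constructed lines)
cat > "$SUDOERS" <<'EOF'
root    ALL=(ALL) ALL
denayer ALL=(ALL) NOPASSWD: /sbin/shutdown
EOF

chmod 644 "$PASSWD" "$GROUP"   # world-readable: the login process needs them
chmod 600 "$SHADOW" "$SUDOERS" # root-only on a real system

# uid_of NAME -> numeric UID (field 3 of passwd); exit status 1 if unknown
uid_of() { awk -F: -v u="$1" '$1==u {print $3; found=1} END {exit !found}' "$PASSWD"; }

# primary_gid NAME -> field 4 of passwd
primary_gid() { awk -F: -v u="$1" '$1==u {print $4}' "$PASSWD"; }

# gid_name GID -> group name from /etc/group
gid_name() { awk -F: -v g="$1" '$3==g {print $1}' "$GROUP"; }

# groups_of NAME -> primary group first, then every group whose member list
# contains NAME (this is what `id -Gn` prints)
groups_of() {
  pg=$(gid_name "$(primary_gid "$1")")
  extra=$(awk -F: -v u="$1" '{ n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]==u) print $1 }' "$GROUP")
  printf '%s' "$pg"
  for g in $extra; do [ "$g" != "$pg" ] && printf ' %s' "$g"; done
  printf '\n'
}

# id_like NAME -> one line in the format of the `id` command
id_like() {
  printf 'uid=%s(%s) gid=%s(%s) groups=%s\n' "$(uid_of "$1")" "$1" \
    "$(primary_gid "$1")" "$(gid_name "$(primary_gid "$1")")" \
    "$(groups_of "$1" | tr ' ' ',')"
}

# shadow_salt NAME -> the "$id$salt" prefix of the stored hash. The login
# program hashes the typed password with exactly this prefix and compares
# the result with the stored value; it never decrypts anything.
shadow_salt() {
  awk -F: -v u="$1" '$1==u {print $2}' "$SHADOW" | awk -F'$' '{print "$"$2"$"$3}'
}

# sudo_allowed USER CMD -> exit 0 if a sudoers line grants CMD (or ALL) to USER.
# Simplified: no aliases, %group entries, host lists or wildcards.
sudo_allowed() {
  awk -v u="$1" -v c="$2" '
    $1==u { cmd=$NF; if (cmd=="ALL" || cmd==c) ok=1 }
    END { exit !ok }' "$SUDOERS"
}

id_like denayer
```

Running it prints `uid=1001(denayer) gid=100(users) groups=users,adm,cdrom`; compare that with the real `id denayer` after the `useradd` example on the next slides to see the same fields being filled from the same files.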
[screenshot of the useradd help output]

useradd (!= adduser), example options:
• -c: “Denayer User Account” (comment / full name)
• -d: /home/denayer (home directory)
• -g: <groupname> (primary group)
• -G: adm,admin,cdrom (supplementary groups)
• -m: make the user directory
• followed by <user login name>

RESULT
• /etc/passwd file: [screenshot]
• /etc/shadow: [screenshot]
• /etc/group: [screenshot]

FILE PERMISSIONS [screenshots]

MODIFY PERMISSIONS
• The chmod command can be used to change the mode (permissions) of a file.
• You can use either
− octal permissions, or
− the letters representing the permission relative to the owner, group and others.
• Only the file/directory owner or the root user can change the permissions on a file/directory.

EXAMPLES [screenshot]

CHMOD [screenshot]

DIRECTORY PERMISSION
• The x setting provides control for access to the file listing and other things

CHANGE OWNER - CHOWN
• The chown command can be used to change the user owner, the group owner, or both the user and group owners of a file/directory.

UMASK – DEFAULT PERMISSIONS
• The umask value defines what the default permissions will be when a file/directory is created.
• Without a umask value, the default permissions for files would be 666 (rw-rw-rw-) and for directories 777 (rwxrwxrwx). When set, the umask “masks” off permissions from being set.

UMASK [screenshot]

STICKY BIT
• The extra octal digit (or three extra binary bits) is actually placed before the common 3 digits (9 binary bits) in the file's mode.
• This digit (or these bits) represents a special type of permission.
− If the first octal digit is set to 1 (binary 001), the sticky bit is set on the directory.
− Files in a directory with the sticky bit set can only be deleted by the user owner of the file, even if everyone has write permission on the folder containing the file.
• The mode on the /tmp directory is a good example of how the sticky bit is used.
• Setting the sticky bit on a file has no particular effect.

ELEVATING STATUS
• Some commands need root privileges
− Not all users can use sudo!
− For example: the “passwd” command
• Is used to change your password
• Problem: it needs access to the shadow file
» Only the owner “root” has write access
» All others have no access at all: [screenshot]
• Solution: the SUID (Set User ID) bit
− Sets the user ID to the owner of the file (command) when the command is run
− /usr/bin/passwd is run as user “root”

SUID - EXAMPLE
• When we run the passwd command and have a look at the processes: [screenshot]

SETTING THE SUID BIT
• chmod u+s <filename>
• Lowercase s for executable files, uppercase S for non-executable files
[screenshot: create a new (empty) file, an executable file, and an “alias” for the ls –al command]

ONE LAST THING
• The SUID bit is used to have the file executed under the user ID of the owner of the file
− Not always root! The owner of the file can be any user ID
• The SUID bit has no effect on directories

SET GROUP ID (SGID) BIT
• The SGID bit behaves the same as the SUID bit, but it applies to the owning group of the file
− When set, the file will be executed under the group ID of the owning group
• When the SGID bit is set on a directory
− Files created in this directory are owned by the group that owns the directory
− Sub-directories will inherit the SGID bit

SGID EXAMPLE [screenshot]

EXAMPLES [screenshots]

ACCESS CONTROL LISTS (ACL) [screenshot]

ACL EXAMPLE
• Much simpler than with conventional tools/commands, where:
− you would have to create a new group,
− make the two users involved (owner + geeko) members of the group,
− change the owning group of the file to the new group,
− and then grant write access to the file for the group;
− root access would be required to create the group and to make the two users members of that group.
• With ACLs, you can achieve the same result by making the file writable for the owner plus the named user.
• Another advantage of this approach is that the system administrator does not have to get involved to create a group: the user can decide on his own whom he grants access to his files.
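The permission slides (chmod in octal and symbolic form, umask, the sticky bit, and the SUID/SGID bits with their lowercase-s/uppercase-S display) can all be exercised without root in a scratch directory, because the owner of a file may set these bits on it. The script below is an added example, not part of the slides; the file and directory names are made up. It reads each result back from the mode column of `ls -l`, the same column the slide screenshots show. Note the security point it makes explicit: a SUID bit on a file you own just runs the file as you; elevation only happens when the owner is someone else, as with root-owned /usr/bin/passwd.

```shell
#!/bin/sh
# Added example: chmod, umask, sticky bit and SUID/SGID on scratch files.
# Runs as an ordinary user; the scratch directory is left behind so the
# results can be inspected with `ls -l`.

WORK=$(mktemp -d)

# mode_of PATH -> the 10-character mode column of `ls -ld`, e.g. drwxrwxrwt
mode_of() { ls -ld "$1" | cut -c1-10; }

# bit_in_slot PATH N CHARS -> true if character N of the mode is one of CHARS
# (slot 4 = owner x/s/S, slot 7 = group x/s/S, slot 10 = others x/t/T)
bit_in_slot() { mode_of "$1" | cut -c"$2" | grep -q "[$3]"; }

# --- chmod: octal and symbolic forms of the same permission -----------------
touch "$WORK/octal.txt" "$WORK/symbolic.txt"
chmod 640 "$WORK/octal.txt"              # rw- owner, r-- group, --- others
chmod u=rw,g=r,o= "$WORK/symbolic.txt"   # identical result, written with letters

# --- umask: bits masked OFF the defaults 666 (files) and 777 (directories) --
# Run in a subshell so the umask change does not leak into the caller.
( umask 027; touch "$WORK/masked.txt"; mkdir "$WORK/masked.dir" )
# 666 minus 027 = 640 (-rw-r-----); 777 minus 027 = 750 (drwxr-x---)

# --- sticky bit: leading octal digit 1, shown as 't' in the others-x slot ---
mkdir "$WORK/shared"
chmod 1777 "$WORK/shared"                # the mode /tmp uses

# --- SUID: leading digit 4; 's' if the owner also has x, 'S' if not --------
printf '#!/bin/sh\necho hi\n' > "$WORK/tool"
chmod 4755 "$WORK/tool"                  # same as chmod 755 followed by chmod u+s
touch "$WORK/data"
chmod 644 "$WORK/data" && chmod u+s "$WORK/data"   # no owner x -> uppercase S

# --- SGID on a directory: leading digit 2; new sub-directories inherit it ---
mkdir "$WORK/project"
chmod 2775 "$WORK/project"
mkdir "$WORK/project/sub"                # created without any chmod of its own

# Named accessors for each result, so they can be checked individually
octal_mode()    { mode_of "$WORK/octal.txt"; }
symbolic_mode() { mode_of "$WORK/symbolic.txt"; }
masked_file()   { mode_of "$WORK/masked.txt"; }
masked_dir()    { mode_of "$WORK/masked.dir"; }
shared_mode()   { mode_of "$WORK/shared"; }
tool_mode()     { mode_of "$WORK/tool"; }
data_mode()     { mode_of "$WORK/data"; }
sub_has_sgid()  { bit_in_slot "$WORK/project/sub" 7 sS; }

ls -l "$WORK" "$WORK/project"
```

Reading the listing top to bottom gives you, in order: `-rw-r-----` twice (octal and symbolic chmod agree), the two umask-derived modes, `drwxrwxrwt` for the sticky directory, `-rwsr-xr-x` versus `-rwSr--r--` for the two SUID files, and an `s` in the group-execute slot of both `project` and its freshly created `sub`.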