1
itec 400
User Administration
Unix System Directories
George Vaughan
Franklin University
2
Topics
• User Administration
– The password file
– The shadow password file
– The group file
– Adding Users
– Disabling Users
– Removing Users
• Unix/Linux System Directories
3
User Administration
• The Pieces:
– /etc/passwd
– /etc/shadow
– /etc/group
• The Function:
– Username Policy
– Password Policy
– Group Membership Policy
• User related commands
4
The Password file
• Located in /etc/passwd.
• Serves as the user database for the system.
• Information in /etc/passwd is useful for applications. Readable by all.
• Historically, /etc/passwd contained the user’s password in encrypted form.
• Today, encrypted passwords readable by all is too dangerous.
• Today, passwords are stored in /etc/shadow. Readable only by root.
5
The Password File
• Format of /etc/passwd (colon separated fields):
userName:passWord:UID:GID:userInfo:homeDir:loginApplication
Example: vaughang:x:257:100:George Vaughan:/export/home/vaughang:/bin/ksh
userName – The login name of the user
passWord – Where the password used to be stored. ‘x’ indicates use of the shadow password file.
UID – A unique user identifier
GID – A unique group identifier
userInfo – User information such as the user’s full name (GECOS field)
homeDir – Initial directory after login
loginApplication – Initial application run after login (usually a shell)
6
The Password File
• User Name:
– Often generated by a script
– Often limited to 8 characters
– RedHat: 32 characters – any character except newline and colon
• Password:
– ‘x’ indicates use of /etc/shadow
– ‘*’ indicates the account is disabled.
– Standard limit, 8 characters, unencrypted
– Redhat limit, arbitrary length, unencrypted
– Never leave this field empty.
• UID
– A unique user identifier
– unsigned 32 bit integer
– root has UID 0
– Most systems: UID < 100: system accounts, UID >= 100: user accounts
– Redhat: UID < 500: system accounts, UID >= 500: user accounts
7
The Password File
• GID
– A unique group identifier
– unsigned 32 bit integer
– 0 for group root, 1 for bin, 2 for daemon
– Most systems: GID < 100: system groups, GID >= 100: user groups
– Redhat: GID < 500: system groups, GID >= 500: user groups
• User Info:
– usually the user’s name
– can support up to 5 comma-separated subfields used by the “finger” command.
– GECOS field. Originally used at Bell Labs to store user info for remote job entry (rje) to a GE mainframe
• Home Directory
– Initial directory after login
• Login Application
– Usually a shell.
– /etc/shells contains a list of valid shells on the system - a user cannot change their shell to something not in /etc/shells.
– Can be any application - does not have to be in /etc/shells.
8
The Password File
• A simple ASCII file.
• Can be edited with standard editor
• ‘vipw’ (vi the password file)
– allows only one editing session at a time
– minimizes corruption due to pilot error or abnormal terminations.
9
The Shadow Password File
• Location on both Linux and Solaris: /etc/shadow
• Readable only by root
• If used, contains the encrypted password.
• Used by default on RH Linux
• In RH Linux, /etc/shadow can be edited by vipw.
10
The Shadow Password File
• Format of /etc/shadow (colon separated fields):
userName:passWord:changedDate:minLife:maxLife:warn:disable:expireDate:unused
Example: gvaughan:$1$ItpbrZB2$2g/qNx0DhRmnoXbpA1EQJ/:12198:0:99999:7:::
userName – Login ID of user (REQUIRED)
passWord – Encrypted password (REQUIRED)
changedDate – Date password was last changed (Unix time)
minLife – Minimum number of days between password changes
maxLife – Maximum number of days between password changes
warn – Number of days to warn user in advance of password expiration
disable – Number of days of inactivity before account is disabled
expireDate – Date that account will expire (Unix time)
unused – Reserved for future use
11
Encrypted Passwords
• Encrypted Passwords:
– DES (13 characters in encrypted form)
– MD5 (34 characters in encrypted form)
• Most Linux distributions support MD5.
• MD5 is the default in Redhat
• MD5 passwords always begin with “$1$”
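An added example (not from the lecture): a parser for /etc/shadow records that also classifies the password field by the conventions on these slides (‘*’ and ‘!’ prefixes, ‘!!’, 13-character DES, 34-character ‘$1$’ MD5). The sample records are the ones shown on the slides plus one constructed DES-style line; the code assumes changedDate is a day count since 1970-01-01, which is how chage -d 0 is able to mean 01/01/70.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ShadowEntry:
    user: str
    password: str
    changed: Optional[int]    # day count since 1970-01-01 (not seconds)
    min_life: Optional[int]
    max_life: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]

def _int_or_none(field: str) -> Optional[int]:
    # Empty numeric fields are legal in /etc/shadow and mean "not set".
    return int(field) if field else None

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one record into the nine colon-separated fields listed on the slide."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    if not fields[0]:
        raise ValueError("userName is required")
    return ShadowEntry(fields[0], fields[1], *(_int_or_none(f) for f in fields[2:8]))

def classify_password(pw: str) -> str:
    """Describe the passWord field using the conventions given on the slides."""
    if pw == "":
        return "empty"            # no password needed to log in: never leave it so
    if pw == "!!":
        return "no password set"  # what useradd writes before passwd is run
    if pw[0] in "*!":
        return "locked"           # a '*' or '!' prefix disables the account
    if pw.startswith("$1$") and len(pw) == 34:
        return "MD5"
    if len(pw) == 13 and "$" not in pw:
        return "DES"
    return "unknown"

# Sample records: the first three are from the slides, the last is constructed
# (its 13-character DES-style string is made up, not a real hash).
SAMPLE_SHADOW = [
    "gvaughan:$1$ItpbrZB2$2g/qNx0DhRmnoXbpA1EQJ/:12198:0:99999:7:::",
    "johnsonm:!!:12102:0:99999:7:::",
    "dummy1:*:0:0:30:7:::",
    "olduser:abJnggxhB/yWI:9000:0:90:7:::",
]

def report(lines=SAMPLE_SHADOW) -> dict:
    """Map each user name to the classification of its password field."""
    return {e.user: classify_password(e.password) for e in map(parse_shadow_line, lines)}
```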
12
The Group File
• Permissions for users can be managed on a group basis.
• Defines which users are members of which group.
• A user can be a member of more than one group (Some systems restrict number of groups a user can be a member of).
• The group associated with a user in /etc/passwd file is the user’s primary group.
13
The Group File
• Format of /etc/group (colon separated list):
groupName:passWord:GID:userList
• Example: cs::102:lint,cs,chen04,christcl,olinger
groupName Name of group
passWord Obsolete
GID Unique group identifier
userList Comma separated list of users
14
The Group File
• Group Name: on many systems, restricted to 8 characters.
• Password:
– Obsolete, still used in Linux.
– Often contains an ‘x’ or nothing.
– If the field has ‘*’, the group is disabled.
• GID
– A unique group identifier
– unsigned 32 bit integer
– 0 for group root, 1 for bin, 2 for daemon
– Most systems: GID < 100: system groups, GID >= 100: user groups
– Redhat: GID < 500: system groups, GID >= 500: user groups
• User List: comma separated, no spaces
15
The Group File
• If a user is defined as a member of a group in /etc/passwd but not in /etc/group, the file /etc/passwd takes precedence.
• On Linux, the file /etc/group can be edited with vigr
• Linux supports a shadow group file.
– Its location is /etc/gshadow
– It is used to store group passwords.
16
User Related Commands
Note: User administration commands will be addressed in later slides.
• id
– reports UID and GID from /etc/passwd
– example:
>id root
uid=0(root) gid=1(other)
• groups
– reports groups that a user is a member of.
– example:
>groups root
other root bin sys adm uucp mail tty lp nuucp daemon
17
User Related Commands
• newgrp
– Logs the user into a new group (that the user is a member of)
– Example:
>groups
faculty wheel
>touch trash1
>newgrp wheel
>touch trash2
>ls -l
-rw-rw-r-- 1 vaughang faculty … trash1
-rw-rw-r-- 1 vaughang wheel … trash2
18
User Related Commands
• finger
– displays information about a user
– example:
>finger vaughang
Login name: vaughang    In real life: George Vaughan
Directory: /export/home/vaughang    Shell: /bin/ksh
On since Feb 17 15:48:34 on pts/7 from dhcp9544228.inet.com
13 seconds Idle Time
19
Adding Users
• 3 different ways to add users:
– Manually
– Using the ‘useradd’ command
– Using a GUI based system administration tool.
20
Adding Users
• Many Unix and Linux distributions provide GUI applications that allow for the creation of user accounts.
• However these GUI systems tend to be distribution specific.
• Large sites have custom scripts for adding users that enforce local policies
21
Adding Users
• It is good to know how to add users manually:
– Useful if problems occur with GUI apps
– Useful for writing scripts with site specific policies.
– Useful for understanding how user management works at the O.S. level.
• Lecture will focus on adding users manually.
• Book has a good description of GUI apps for adding users.
22
Adding Users Manually
• Activities when adding users:
– Edit /etc/passwd file
– Edit /etc/shadow file
– Edit /etc/group (if necessary)
– Set initial password
– Set up the new user’s home directory
– Copy startup files to the user’s home directory
– Test the account
23
Adding Users Manually (Red Hat)
• The following scenario adds a new user named ‘dummy1’.
• The scenario is simplified yet complete
24
Adding Users Manually (Red Hat)
• Edit /etc/passwd
– Use ‘vipw’ for safety
dummy1:x:502:502:Mr. Dummy:/home/dummy1:/bin/bash
• Edit /etc/shadow
– Continue using ‘vipw’
Would you like to edit /etc/shadow now [y/n]? y
dummy1:*:0:0:30:7:::
25
Adding Users Manually (Red Hat)
• Change new user’s password
# passwd dummy1
Changing password for user dummy1
New password:
Retype new password:
passwd: all authentication tokens updated successfully
• Re-edit /etc/shadow
– Set the ‘password changed’ field to 0 (1/1/70)
– Will force the user to change the password immediately
• Edit /etc/group
vi /etc/group
dummy1:x:502:
26
Adding Users Manually (Red Hat)
• Create user’s home directory
# mkdir /home/dummy1
# chown dummy1 /home/dummy1
# ls -ld /home/dummy1
drwxr-xr-x 2 dummy1 root 4096 Feb 17 23:20 /home/dummy1
# chmod 700 /home/dummy1
drwx------ 2 dummy1 root 4096 Feb 17 23:20 /home/dummy1
• Copy login initialization files
# cp -rf /etc/skel/.[a-zA-Z]* ~dummy1
# chmod 644 ~dummy1/.[a-zA-Z]*
# chown dummy1 ~dummy1/.[a-zA-Z]*
# chgrp dummy1 ~dummy1/.[a-zA-Z]*
27
Adding Users Manually (Red Hat)
• Test new account
# su - dummy1
# ls -al ~dummy1
total 52
drwx------ 4 dummy1 root 4096 Feb 17 23:47 .
drwxr-xr-x 6 root root 4096 Feb 17 23:20 ..
-rw------- 1 dummy1 dummy1 28 Feb 17 23:48 .bash_history
-rw-r--r-- 1 dummy1 dummy1 24 Feb 17 23:33 .bash_logout
-rw-r--r-- 1 dummy1 dummy1 191 Feb 17 23:33 .bash_profile
-rw-r--r-- 1 dummy1 dummy1 124 Feb 17 23:33 .bashrc
-rw-r--r-- 1 dummy1 dummy1 5450 Feb 17 23:33 .canna
-rw-r--r-- 1 dummy1 dummy1 820 Feb 17 23:33 .emacs
-rw-r--r-- 1 dummy1 dummy1 118 Feb 17 23:33 .gtkrc
drw-r--r-- 3 dummy1 dummy1 4096 Feb 17 23:33 .kde
-rw-r--r-- 1 dummy1 dummy1 3511 Feb 17 23:33 .screenrc
drwx----- 2 dummy1 dummy1 4096 Feb 17 23:46 .xauth
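As an added example (not the lecture’s own code), the manual steps above expressed as data: given the current /etc/passwd, pick the next free UID at or above 500 and produce the three records to append, after the checks the earlier slides imply (unique name, no ‘:’ or newline, shell listed in /etc/shells, password field never empty). The sample /etc/passwd and the /etc/shells set are constructed, and choosing the lowest unused UID is an assumption of this example.

```python
from typing import Dict, List

# Constructed sample /etc/passwd; the johnsonm record is the one shown later on the
# useradd slides, the others are made up so that the next free UID works out to 502.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
gvaughan:x:500:500:George Vaughan:/home/gvaughan:/bin/bash
tester:x:501:501:Test Account:/home/tester:/bin/sh
johnsonm:x:503:200:Michael Johnson:/home/johnsonm:/bin/ksh
"""
SHELLS = {"/bin/bash", "/bin/sh", "/bin/ksh"}   # stands in for /etc/shells
UID_MIN = 500                                   # Red Hat: UIDs >= 500 are user accounts

def check_new_user(passwd_text: str, name: str, gecos: str, shell: str) -> List[str]:
    """Policy checks from the slides; returns a list of problems (empty means OK)."""
    problems = []
    existing = {line.split(":")[0] for line in passwd_text.splitlines()}
    if not name or any(c in name for c in ":\n"):
        problems.append("user name must be non-empty and contain no ':' or newline")
    if name in existing:
        problems.append(f"{name} already exists in /etc/passwd")
    if any(c in gecos for c in ":\n"):
        problems.append("GECOS field may not contain ':' or newline")
    if shell not in SHELLS:
        problems.append(f"{shell} is not listed in /etc/shells")
    return problems

def next_free_uid(passwd_text: str, floor: int = UID_MIN) -> int:
    # Assumption for this example: the lowest unused UID at or above the floor
    # (the slides only say useradd takes the "next available" UID).
    used = {int(line.split(":")[2]) for line in passwd_text.splitlines()}
    uid = floor
    while uid in used:
        uid += 1
    return uid

def build_user_records(passwd_text: str, name: str, gecos: str, shell: str,
                       max_life: int = 30) -> Dict[str, str]:
    """Return the lines to append to /etc/passwd, /etc/shadow and /etc/group."""
    problems = check_new_user(passwd_text, name, gecos, shell)
    if problems:
        raise ValueError("; ".join(problems))
    uid = next_free_uid(passwd_text)
    gid = uid   # assumption: a private group with GID == UID, as on the slides
    return {
        "passwd": f"{name}:x:{uid}:{gid}:{gecos}:/home/{name}:{shell}",
        # '*' keeps the account locked until passwd stores a real hash, and a
        # changedDate of 0 forces a password change at first login.
        "shadow": f"{name}:*:0:0:{max_life}:7:::",
        "group": f"{name}:x:{gid}:",
    }
```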
28
Adding Users (Notes)
• Distributions often come with an /etc/skel directory which contains default initialization files that are copied into user home directories.
• System wide initialization files:
– /etc/profile
– /etc/bashrc
• Initialization files in user home directory:
– $HOME/.bash_profile
– $HOME/.bashrc
29
Adding Users (Notes)
• What is the order of execution of initialization files upon login?
• I added echo statements to the initialization files and here is what I found:
1. START /etc/profile
2. END /etc/profile
3. START /home/gvaughan/.bash_profile
   A. START /home/gvaughan/.bashrc
      i. START /etc/bashrc
      ii. END /etc/bashrc
   B. END /home/gvaughan/.bashrc
4. END /home/gvaughan/.bash_profile
• So BASH executes /etc/profile and then $HOME/.bash_profile; $HOME/.bash_profile executes $HOME/.bashrc, which then executes /etc/bashrc
30
Adding Users (Notes)
• In Linux, the file /etc/login.defs contains system-wide login controls, such as:
– system location of mailboxes
– number of login retries
– delay between failed login attempts
– default values for user admin commands
– many other controls…
31
Adding Users with useradd (Red Hat)
• In this scenario, we will add a user with the ‘useradd’ command.
• ‘useradd’ has many options - see man page
• The user’s name is Michael Johnson
32
Adding Users with useradd (Red Hat)
• Find out the default settings for useradd
useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
33
Adding Users with useradd (Red Hat)
• Create user with useradd
– useradd -c "Michael Johnson" -g students -G wheel -m -s /bin/ksh johnsonm
-c specifies user information in /etc/passwd
-g defines primary GID (in /etc/passwd)
-G defines secondary GID (in /etc/group)
-m creates a home directory in /home if one does not exist
-s overrides default system shell (affects /etc/passwd)
34
Adding Users with useradd (Red Hat)
• Check contents of /etc/passwd, /etc/shadow and /etc/group:
# tail /etc/passwd
johnsonm:x:503:200:Michael Johnson:/home/johnsonm:/bin/ksh
• Notice in /etc/passwd:
– useradd uses next available UID
– primary GID is students (see /etc/group below)
– home directory is /home/johnsonm
– default shell is ksh
35
Adding Users with useradd (Red Hat)
# tail /etc/shadow
johnsonm:!!:12102:0:99999:7:::
• Notice in /etc/shadow
– password is !! (not defined)
– practically infinite max password age
36
Adding Users with useradd (Red Hat)
# tail /etc/group
students:x:200:
wheel:x:10:root,gvaughan,johnsonm
• Notice in /etc/group
– johnsonm is explicitly in group wheel
– Johnson is not listed in group students, but this is Johnson’s primary GID (why?)
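An added example (not from the lecture) that answers the “why?” above and the precedence rule from the group file slides: the GID in /etc/passwd is the user’s primary group whether or not /etc/group lists the user as a member, and the member lists in /etc/group supply only the supplementary groups. The records for johnsonm, students and wheel are the ones printed above; the other records are constructed to exercise the consistency checks.

```python
from typing import Dict, List, Tuple

# Constructed sample files: the johnsonm, students and wheel records are the ones
# printed on the useradd slides; the remaining records are made up for the checks.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
gvaughan:x:500:500:George Vaughan:/home/gvaughan:/bin/bash
johnsonm:x:503:200:Michael Johnson:/home/johnsonm:/bin/ksh
orphan:x:504:999:No such group:/home/orphan:/bin/bash
"""
GROUP_TEXT = """\
root:x:0:
wheel:x:10:root,gvaughan,johnsonm
students:x:200:
gvaughan:x:500:
cs:x:102:lint,chen04
"""

def parse_passwd(text: str) -> Dict[str, int]:
    """userName -> primary GID (the only passwd field this example needs)."""
    out = {}
    for line in text.splitlines():
        name, _pw, _uid, gid, *_rest = line.split(":")
        out[name] = int(gid)
    return out

def parse_group(text: str) -> Dict[str, Tuple[int, set]]:
    """groupName -> (GID, set of members listed in /etc/group)."""
    out = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        out[name] = (int(gid), set(filter(None, members.split(","))))
    return out

def effective_groups(user: str, passwd: Dict[str, int],
                     groups: Dict[str, Tuple[int, set]]) -> List[str]:
    """Primary group from /etc/passwd first, then supplementary groups from /etc/group."""
    gid = passwd[user]
    by_gid = {g: name for name, (g, _m) in groups.items()}
    primary = by_gid.get(gid, str(gid))   # a GID with no group entry shows as its number
    extra = sorted(n for n, (g, m) in groups.items() if user in m and g != gid)
    return [primary] + extra

def audit(passwd: Dict[str, int], groups: Dict[str, Tuple[int, set]]) -> List[str]:
    """Cross-file consistency findings an administrator would want to see."""
    findings = []
    known_gids = {g for g, _m in groups.values()}
    for user, gid in passwd.items():
        if gid not in known_gids:
            findings.append(f"{user}: primary GID {gid} has no entry in /etc/group")
    for name, (_g, members) in groups.items():
        for member in members - set(passwd):
            findings.append(f"{name}: member {member} has no /etc/passwd entry")
    return sorted(findings)
```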
37
Adding Users with useradd (Red Hat)
• Change password on johnsonm:
# passwd johnsonm
Changing password for user johnsonm
New password:
Retype new password:
passwd: all authentication tokens updated successfully
• Test user account:
# su - johnsonm
$ pwd
/home/johnsonm
$ ls -al
total 48
drwx------ 4 johnsonm students 4096 Feb 18 23:02 .
drwxr-xr-x 7 root root 4096 Feb 18 22:58 ..
-rw-r--r-- 1 johnsonm students 24 Feb 18 22:58 .bash_logout
38
Adding Users with useradd (Red Hat)
• Switch back to ‘root’
• Reset password age to Jan. 1st, 1970 so the new user has to change password upon first login:
chage -d 0 -M 15 user_ID
– “-d 0” sets last password change to 01/01/70
– “-M 15” requires the password to have a max age of 15 days.
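An added example (not from the lecture) of what chage -d 0 -M 15 does to the shadow record and how the aging fields are then evaluated against the current day. Both chage -d and the changedDate field count days since 1970-01-01; the “today” value, the alice/bob/carol/dave records and the reuse of the slide’s hash string are constructed for the example.

```python
from typing import Optional

# Constructed "today" for the example: day 12198 since 1970-01-01, the changedDate
# shown on the shadow slide (the field and chage -d count days, not seconds).
TODAY = 12198
# Hash string reused from the shadow slide; the records built with it are constructed.
HASH = "$1$ItpbrZB2$2g/qNx0DhRmnoXbpA1EQJ/"

def _num(field: str, default: Optional[int] = None) -> Optional[int]:
    return int(field) if field else default

def apply_chage(shadow_line: str, last_day: Optional[int] = None,
                max_days: Optional[int] = None) -> str:
    """Rewrite changedDate (-d) and maxLife (-M) the way chage does on the record."""
    f = shadow_line.split(":")
    if len(f) != 9:
        raise ValueError("malformed shadow record")
    if last_day is not None:
        f[2] = str(last_day)
    if max_days is not None:
        f[4] = str(max_days)
    return ":".join(f)

def password_status(shadow_line: str, today: int = TODAY) -> str:
    """Classify a shadow record relative to 'today' (a day count like changedDate)."""
    f = shadow_line.split(":")
    if len(f) != 9:
        raise ValueError("malformed shadow record")
    password, changed, max_life = f[1], _num(f[2]), _num(f[4])
    warn, inactive, expire = _num(f[5], 0), _num(f[6]), _num(f[7])
    if expire is not None and today >= expire:
        return "account expired"
    if password.startswith(("*", "!")):
        return "locked"
    if changed == 0:
        return "change required at next login"   # the effect of chage -d 0
    if changed is None or max_life is None or max_life >= 99999:
        return "no expiry"
    days_left = changed + max_life - today
    if days_left < 0:
        if inactive is not None and -days_left > inactive:
            return "disabled (inactive after expiry)"
        return "expired"
    if days_left <= warn:
        return f"warn: expires in {days_left} days"
    return f"ok: expires in {days_left} days"
```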
39
Disabling A User Account
• Sometimes you may want to disable a user, but not remove user (e.g. really old password)
• This can be done quickly by prefixing an ‘*’ to the password in /etc/shadow.
• Can also use ‘passwd -l userName’
40
Disabling A User Account
• We can also create a program (pseudo shell) that just displays a message explaining why the user is denied access and then exits.
• We then edit /etc/passwd and set the user’s default shell to the pseudo shell.
• Don’t add the pseudo shell to /etc/shells.
41
Removing Users
• Book provides a list of tasks to be performed if you wish to remove a user account (including home directory, etc.).
• See man page for ‘userdel’.
42
System Directories
[Diagram: tree of system directories under /, from the slide]
/ contains: bin, boot, dev, etc, home, initrd, lib, lost+found, misc, mnt, opt, proc, root, sbin, tftpboot, tmp, usr, var
Subentries shown: /boot/grub, /boot/vmlinuz, /dev/null, /etc/rc*.d, /etc/group, /etc/passwd, /usr/include, /usr/src
43
/bin
• Contains executables for basic commands
• Examples of commands in /bin: awk, bash, cat, chmod, cp, date, echo, grep, kill, ls, ps, pwd, …
• If you create a shell or perl script that others would find useful, this is a good location for the script
• Don’t replace or change existing system commands in this directory – unless upgrading the O.S.
44
/boot
• Contains the Kernel executable
– /boot/vmlinuz
• Contains the directory for grub (boot loader)
– /boot/grub
– The ASCII configuration file for grub is /boot/grub/grub.conf
– Note that /etc/grub.conf is a symbolic link to /boot/grub/grub.conf
45
/dev
• Contains entries for devices such as disk partitions, tape drives, printers, etc.
• In Unix/Linux, every device is treated as if it were a file. Very nice – O.S. provides a generalized file-like interface to hardware.
• /dev/null is a ‘fake’ device which stores nothing:
– a ‘bit bucket’
– useful for “throwing away” error or warning messages
– example: myprog 2>/dev/null will throw away all error messages.
46
/etc
• Contains many system configuration files.
• System Administrators do much work with files here.
• Examples of config files and config directories in /etc: passwd, group, shadow, rc*.d, init.d, inittab, hosts, httpd
47
/home
• Usual location for user home directories (other directories may be used for home directories)
48
/initrd
• Facilitates the use of a RAM disk during boot sequence.
• The RAM disk version of initrd is used during the boot process to store a minimum set of drivers.
• When initrd is no longer needed, it is moved to /initrd so it can be unmounted.
49
/lost+found
• fsck (File System Check) is a utility that is run during the boot process to check the integrity of file systems.
• fsck can also be run after the boot process on unmounted file systems.
• If fsck finds corrupted files, the corrupted files are placed in the /lost+found directory
50
/misc
• Used for mounting:
– removable devices such as zip drives
– remote filesystems when using network file systems
51
/mnt
• A directory containing mount points for filesystems.
• Usually used for mounting filesystems after system boot.
• For example, a Windows filesystem may be mounted at /mnt/dos
52
/opt
• Used for installing “optional” software packages
53
/proc
• Virtual filesystem
• Contains a directory for each running process.
• Each process directory has the executing image.
• Also has files containing different types of process statistics for the given process such as current working directory, process state, PID, etc.
• Information in these “files” is updated by the Kernel in real-time.
54
/root
• Home directory of super user ‘root’.
• Not to be confused with the root directory, ‘/’.
• Why do you think the home directory for root is not in /home?
55
/sbin
• Contains many commands for system administration
• Examples: fsck, fdisk, halt, shutdown, nologin, mkfs
56
/tftpboot
• Used to allow client machines and diskless workstations to boot off of a central server.
57
/tmp
• Used for temporary files
• Any user can read and write to this directory
• Cleaned by tmpwatch
• tmpwatch runs periodically under cron, removing old files in /tmp
• /tmp is not intended for permanent storage
58
/usr
• Used to be the location of user home directories.
• Contains many common library and header files.
• Contains many subdirectories such as /usr/bin, /usr/include, /usr/lib
• /usr/src/linux-2.4 contains the source code for the Linux kernel.
• /usr/src/linux-2.4/init contains the source for the init process
• /usr/include/stdio.h is the standard I/O header file for the ‘C’ language
• /usr/share/man – location of system man pages
59
/var
• Contains files which are constantly varying.
• Examples:
– log files
– print spoolers
– mail spoolers
60
References
• Essential System Administration, Aeleen Frisch, 2002
• Linux Administration Handbook, Evi Nemeth, et al., 2002
• Redhat Fedora and Enterprise Linux 4, Christopher Negus, 2005