8/9/2019 Ch05 Managing Users
http://slidepdf.com/reader/full/ch05-managing-users 1/18
SAIGONLAB 83 Nguyn Th Nh, P9, Q.Tân Bình, Tp. HCM LPI 102
Chapter 10
Managing Users
Objectives
Define the requirements for user accounts
Explain group and group accounts
Construct configuration files (group, passwd, shadow)
Demonstrate adding users
Describe modifying user details
Explain user passwords
Demonstrate deleting users
Preparing Groups
Carefully constructed groups are very useful to users who are all working in the same department or project
Groups not only allow for a second level of access control but also allow the members of a group to share files in a secured environment
Each line in the /etc/group file corresponds to a group
Commands to modify groups: groupadd, groupmod, groupdel
The /etc/passwd
Each line in this file corresponds to a user and has the following form:
name:password:UID:GID:comment:home directory:shell
# more /etc/passwd
root:x:0:0:Super User:/root:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
...
Adding Users
The useradd utility is recommended for administering users. It creates the required records in /etc/passwd and /etc/shadow
A list of options can be used with useradd to override defaults:
-u UID        Specify new user ID (default: next available number)
-g GID        Specify default (primary) group (default: other group)
-c comment    Description of user (default: blank)
-d directory  Define home directory (default: /home/username)
-m            Make home directory
-k skel_dir   Skeleton directory (default: /etc/skel)
-s shell      Specify login shell (default: /bin/bash)
Changing User Attributes
If you edit the files manually, you risk corrupting them, which can leave users unable to log in at all. Instead, use the usermod utility
# usermod -g users -c "Henry Blake" henry
# usermod -u 321 -s /bin/ksh majorh
# usermod -f 10 henry
# usermod -e 2004-12-20 majorh
Changing Group Membership
Each user belongs to a primary group, which can be changed with usermod -g
A user can also belong to secondary groups, controlled by usermod -G (which replaces the whole list of secondary groups; use -a together with -G to append instead)
# grep blofeldt /etc/passwd
blofeldt:x:416:400::/home/blofeldt:/bin/bash
# groups blofeldt
blofeldt : mash
# groupadd -g 600 fleming
# usermod -G fleming blofeldt
# grep blofeldt /etc/group
fleming:x:600:blofeldt
Removing Users
When a user leaves, there are two main concerns:
Protect the system from unauthorized access via his/her account
Protect and manage his/her files and directories left on the system
The userdel command takes care of removing a user account.
userdel can remove the user's home directory but does not remove the user's mail, crontab table, atd queues, ...
Removing Users - userdel
Command format:
userdel [option] <login_name>
-r This option will remove home directory
To safely remove a user from a system:
1. Lock the account password until you are ready to remove it altogether (use the chage command)
# chage -E 1999-01-01 henry
2. Save all files owned by the user somewhere outside the home directory
# find / -user henry -print | cpio -ov | gzip >/hold/henry
# find / -user henry -type f -exec rm -f {} \;
# find / -user henry -depth -type d -exec rmdir {} \;
3. Change access permissions on the saved files to root only
# chown root /hold/henry ; chmod 700 /hold/henry
4. Consider crontab and at jobs set up by the user
5. Set up mail forwarding to send mail to a manager
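Steps 2 and 3 above as one function, added here as an example and not part of the original slides: the archive is written under a restrictive umask so the saved files are never readable by other users, and nothing is deleted until the archive reads back cleanly. It uses GNU find and GNU tar in place of the slide's cpio pipeline; the function name archive_and_remove and its arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides). Assumes GNU find and GNU tar.
# archive_and_remove OWNER ROOT ARCHIVE
#   OWNER    login name or numeric UID of the departing user
#   ROOT     tree to search (the slide searches /)
#   ARCHIVE  output file; must live outside ROOT (the slide uses /hold/henry)
archive_and_remove() {
    owner=$1 root=$2 archive=$3

    # Make the archive private from the moment it is created; the slide's
    # chmod 700 only runs after the data has already been written.
    old_umask=$(umask)
    umask 077

    # -xdev stays on one filesystem (skips /proc, /sys, network mounts).
    # NUL-separated names survive spaces and newlines in file names.
    find "$root" -xdev -user "$owner" -print0 |
        tar --null --no-recursion -czf "$archive" -T - 2>/dev/null
    status=$?
    umask "$old_umask"

    # Delete nothing unless the archive was written and can be listed.
    [ "$status" -eq 0 ] && tar -tzf "$archive" >/dev/null 2>&1 || return 1

    # Files first, then directories bottom-up. rmdir refuses non-empty
    # directories, so anything owned by other users stays in place.
    find "$root" -xdev -user "$owner" ! -type d -exec rm -f {} +
    find "$root" -xdev -depth -type d -user "$owner" -exec rmdir {} \; 2>/dev/null
    return 0
}
```

Run as root it would be called as archive_and_remove henry / /hold/henry.tar.gz, after the account has been locked in step 1.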
Security
Use the passwd command to change the password:
# passwd henry
current password :
new password:
retype new password:
Choosing a password:
Do not use proper words or names
Use letters and digits
Include symbols: !, @, #, $, %, ...
Do not allow the guest account to log in to your system
The /etc/shadow File
If shadow passwords are used, encrypted passwords are stored in this file:
name:password:lastchange:min:max:warn:inactive:expire:flag
name        User login name, mapped to /etc/passwd
password    Encrypted password. If this field is blank, then there is no password; "*": account is locked, ...
lastchange  Day of the last password change, counted in days from 1/1/70
min         Minimum number of days between password changes
max         Maximum number of days the password is valid
warn        Number of days before expiration that the user will be warned
inactive    Number of inactivity days allowed for this user
expire      Absolute date, beyond which the account will be disabled
Account Security
Actions you can take to improve security:
Use a preset expiration date for temporary employees
# usermod -e 2003-12-20 henry
Use inactivity counts to lock unused accounts
# usermod -f 5 henry
Change passwords known by someone who leaves. If they know the root password, change ALL passwords
Account Security
Password aging with the chage command:
chage [options] <user>
Options:
-m <mindays>     Minimum days
-M <maxdays>     Maximum days
-d <lastdays>    Day last changed
-I <inactive>    Inactive lock
-E <expiredate>  Expiration (YYYY-MM-DD or MM/DD/YY)
-W <warndays>    Warning days
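The field rules from the /etc/shadow and Account Security slides, applied as an audit over shadow-format lines (an added example, not part of the original slides). The function names, the sample accounts and the day number passed in are constructed for illustration; the expiry arithmetic follows shadow(5), where the inactive count starts on the day the password expires.

```shell
#!/bin/sh
# Added example. Sample entries are constructed; hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$salt$PLACEHOLDER:19990:0:99999:7:::
henry:$6$salt$PLACEHOLDER:19800:0:90:7:5::
majorh:$6$salt$PLACEHOLDER:19950:0:90:7:30:19999:
blofeldt:!$6$salt$PLACEHOLDER:19900:0:90:7:::
guest::19900:0:99999:7:::
temp:$6$salt$PLACEHOLDER:19950:0:90:7:30:20100:
EOF
}

# shadow_audit TODAY   (reads shadow-format lines on stdin)
# TODAY is the current day number counted from 1/1/70, for example:
#   shadow_audit $(( $(date +%s) / 86400 )) < /etc/shadow    (as root)
shadow_audit() {
    awk -F: -v today="$1" '
    /^#/ || NF < 8 { next }
    {
        name = $1; pw = $2; last = $3; max = $5; inact = $7; expire = $8
        aging = (max != "" && max < 99999)
        # Blank password field: anyone can log in as this user.
        if (pw == "") { print name ": no password set"; next }
        # "*" or a leading "!" (as written by passwd -l) blocks password login.
        if (pw ~ /^[!*]/) { print name ": locked"; next }
        # expire is an absolute day number; the account is disabled from then on.
        if (expire != "" && expire <= today) { print name ": account expired"; next }
        if (aging && last != "" && today - last > max) {
            # inactive counts days past password expiry before lockout.
            if (inact != "" && today - last > max + inact) {
                print name ": password expired, account inactive"
            } else {
                print name ": password expired, change required"
            }
            next
        }
        if (!aging && expire == "") print name ": no password aging, no expiry date"
    }'
}
```

With the constructed sample and day 20000, every account except temp is reported, which is the set an administrator would review against the chage and usermod settings above.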
Summary
Define the requirements for user accounts
Explain group and group accounts
Construct configuration files (group, passwd, shadow)
Demonstrate adding users
Describe modifying user details
Explain user passwords
Demonstrate deleting users