SAIGONLAB 83 Nguyn Th Nh, P9, Q.Tân Bình, Tp. HCM LPI 102

Chapter 10

Managing Users

Objectives

Define the requirements for user accounts

Explain group and group accounts

Construct configuration files (group, passwd, shadow)

Demonstrate adding users

Describe modifying user details

Explain user passwords

Demonstrate deleting users

Preparing Groups

Carefully constructed groups are very useful to users who are all working in the same department or project

Groups not only allow for a second level of access control but also allow the members of a group to share files in a secured environment

Each line in the /etc/group file corresponds to a group

Commands to modify groups: groupadd, groupmod, groupdel

The /etc/passwd

Each line in this file corresponds to a user and has the following form:

name:password:UID:GID:comment:home directory:shell

# more /etc/passwd

root:x:0:0:Super User:/root:/bin/bash

henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh

...

Adding Users

The useradd utility is recommended for administering users.

It creates the required record in /etc/passwd and /etc/shadow

A list of options can be used with useradd to override defaults:

-u UID Specify new user ID (default: next available number)

-g GID Specify default (primary) group (default: other group)

-c comment Description of user (default: blank)

-d directory Define home directory (default: /home/username)

-m Make home directory

-k skel_dir Skeleton directory (default: /etc/skel)

-s shell Specify login shell (default: /bin/bash)

Changing User Attributes

If you edit the files manually, you risk corrupting them, resulting in users not being able to log in at all. Instead, use the usermod utility

# usermod -g users -c "Henry Blake" henry

# usermod -u 321 -s /bin/ksh majorh

# usermod -f 10 henry

# usermod -e 2004-12-20 majorh

Changing Group Membership

Each user belongs to a primary group, which can be changed with usermod -g

A user can also belong to secondary groups, controlled by usermod -G

# grep blofeldt /etc/passwd

blofeldt:x:416:400::/home/blofeldt:/bin/bash

# groups blofeldt

blofeldt : mash

# groupadd -g 600 fleming

# usermod -G fleming blofeldt

# grep blofeldt /etc/group

fleming:x:600:blofeldt
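How the two files combine to give a user's group set, as an added example that is not part of the original slides: the primary group comes from the GID field of the passwd record, the secondary groups from the member lists in the group file. The function names, the mash record (GID 400) and the staff record are assumptions constructed for the demo.

```shell
#!/bin/sh
# usage: user_groups USER PASSWD_FILE GROUP_FILE
# Prints "primary secondary..." and returns 1 if USER has no passwd record.
user_groups() {
    awk -F: -v user="$1" '
        # passwd file: remember the primary GID (4th field) of the user
        FILENAME == ARGV[1] { if ($1 == user) { gid = $4; found = 1 }; next }
        # group file: the primary group is matched by GID (3rd field)
        found && $3 == gid { primary = $1; next }
        # group file: secondary groups are matched by exact member name
        found {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == user) { sec = sec " " $1; break }
        }
        END {
            if (!found) exit 1
            # fall back to the numeric GID if no group record carries it
            if (primary == "") primary = gid
            print primary sec
        }
    ' "$2" "$3"
}

# Constructed sample files. The blofeldt and fleming records are the ones
# shown on the slide; mash (GID 400) and staff are assumed for the demo.
demo_groups() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:Super User:/root:/bin/bash' \
        'blofeldt:x:416:400::/home/blofeldt:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'root:x:0:' 'mash:x:400:' 'fleming:x:600:blofeldt' \
        'staff:x:601:blofeldtx,henry' > "$dir/group"
    user_groups "$1" "$dir/passwd" "$dir/group"; rc=$?
    rm -rf "$dir"
    return $rc
}

demo_groups blofeldt
```

Note that usermod -G sets the user's whole secondary group list, so groups not named on the command line are dropped; usermod -a -G appends instead.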

Removing Users

When a user leaves, there are two main concerns:

Protect the system from unauthorized access via his/her account

Protect and manage his/her files and directories left on the system

The userdel command takes care of removing a user account.

userdel can remove the user's home directory but does not remove the user's mail, crontab table, atd queues, ...

Removing Users - userdel

Command format:

userdel [option] <login_name>

-r This option will remove home directory

To safely remove a user from a system:

1. Lock the account password until you are ready to remove it altogether (use the chage command)

# chage -E 1999-01-01 henry

2. Save all files owned by the user somewhere outside the home directory

# find / -user henry -print | cpio -ov | gzip > /hold/henry

# find / -user henry -type f -exec rm -f {} \;

# find / -user henry -type d -depth -exec rmdir {} \;

3. Change access permissions on the saved files to root only

# chown root /hold/henry ; chmod 700 /hold/henry

4. Consider crontab and at jobs set up by the user

5. Set up mail forwarding to send mail to a manager

Security

Use the passwd command to change the password:

# passwd henry

current password:

new password:

retype new password:

Choosing a password:

Do not use proper words or names

Use letters and digits

Include symbols: !, @, #, $, %, ...

Do not allow the guest account to log in to your system

The /etc/shadow File

If shadow passwords are used, encrypted passwords are stored in this file:

name:password:lastchange:min:max:warn:inactive:expire:flag

name Login name of the user, matching the entry in /etc/passwd

password Encrypted password. If this field is blank, there is no password; "*" means the account is locked, ...

lastchange Date of the last password change, as a number of days since 1/1/70

min Minimum number of days between password changes

max Maximum number of days the password is valid

warn Number of days before expiration that the user will be warned

inactive Number of inactivity days allowed for this user

expire Absolute date, beyond which the account will be disabled
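The field layout above is enough to audit a shadow-format file for weak account states. This is an added example, not part of the original slides: the function names, flag labels, sample records and the day number 19000 are constructed, and treating a leading "!" as locked and 99999 as "no maximum age" are common conventions assumed here rather than taken from the slide.

```shell
#!/bin/sh
# usage: shadow_audit SHADOW_FILE [TODAY_AS_DAYS_SINCE_1970]
# Prints "name:FLAG[,FLAG...]" for every record that needs attention.
shadow_audit() {
    awk -F: -v today="${2:-$(( $(date +%s) / 86400 ))}" '
        /^#/ || NF < 2 { next }
        {
            f = ""
            # field 2: blank means no password, "*" or "!" means locked
            if ($2 == "")                f = f ",NO_PASSWORD"
            else if ($2 ~ /^[*!]/)       f = f ",LOCKED"
            # field 5 (max): missing or 99999 means the password never ages
            if ($5 == "" || $5 >= 99999) f = f ",NO_MAX_AGE"
            # field 3 (lastchange) + field 5 (max) already in the past
            else if ($3 != "" && $3 + $5 < today) f = f ",PASSWORD_EXPIRED"
            # field 8 (expire): absolute account expiry date has passed
            if ($8 != "" && $8 < today)  f = f ",ACCOUNT_EXPIRED"
            if (f != "") print $1 ":" substr(f, 2)
        }
    ' "$1"
}

# Constructed sample records; the hash is a placeholder, not a real one.
demo_shadow() {
    f=$(mktemp) || return 1
    h='$6$constructed$notarealhash'
    printf '%s\n' \
        "root:$h:18990:0:99999:7:::" \
        "henry:$h:18800:0:90:7:::" \
        "guest::18990:0:90:7:::" \
        "majorh:$h:18990:0:90:7:5:18950:" \
        "daemon:*:18990:0:99999:7:::" \
        "blofeldt:$h:18990:1:90:7:::" > "$f"
    shadow_audit "$f" 19000; rc=$?
    rm -f "$f"
    return $rc
}

demo_shadow
```

On a live system the file to pass is /etc/shadow, which is readable by root only.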

Account Security

Actions you can take to improve security:

Use a preset expiration date for temporary employees

# usermod -e 2003-12-20 henry

Use inactivity counts to lock unused accounts

# usermod -f 5 henry

Change passwords known by someone who leaves. If they know the root password, change ALL passwords

Password aging with chage command:

chage [options] <user>

Options:

-m <mindays> Minimum days

-M <maxdays> Maximum days

-d <lastdays> Day last changed

-I <inactive> Inactive lock

-E <expiredate> Expiration (YYYY-MM-DD or MM/DD/YY)

-W <warndays> Warning days

Summary

Define the requirements for user accounts

Explain group and group accounts

Construct configuration files (group, passwd, shadow)

Demonstrate adding users

Describe modifying user details

Explain user passwords

Demonstrate deleting users