Lab 9 (OS - NDG - LEv2 - Ch15 - Ch16)


Kyiv Professional College of Communications (Київський фаховий коледж зв'язку)

Laboratory work No. 9.

Protecting the system and users in Linux.
Creating users and groups
(based on the NDG Linux Essentials online course)

Cycle commission “Computer and Software Engineering”
Discipline “Operating Systems”
Module 15
System and User Security
Exam Objective
5.1 Basic Security and Identifying User Types

Objective Description
Various types of users on a Linux system.
Identifying User Accounts
Users and Permissions
● User accounts are designed to provide security on a Linux operating system.
● User accounts allow or disallow a person access to files and directories using file permissions.
● User accounts also belong to groups.
● This chapter covers commands that provide the ability to view user and group account information and how to switch to other user accounts.
Administrative Accounts
● Some commands require administrative or root privileges.
● Using root has risks, so it is recommended to use the sudo or su command to execute commands as root.
● Risks with logging in as root:
○ Everything will run as root (background processes, executables)
○ May forget you are logged in as root
○ May accidentally run non-admin tasks as root
Switching Users
● The su command allows you to run a shell as a different user.
su [options] [username]
● Using the login shell option (-) results in fully configuring the new shell with the settings of the new user. If username is not specified, su opens a new shell as the root user.
su -
su - root
● After pressing Enter, the user must provide the password of the root user.
● Use the exit command to return to the original shell (user account).
sysadmin@localhost:~$ su -
Password:
root@localhost:~# exit
logout
Executing Privileged Commands
● The sudo command also allows users to execute commands as another user.
● Can be used in distributions that do not allow root user login.
● Prompts for the user's own password instead of that of the root user.
sysadmin@localhost:~$ sudo head /etc/shadow
[sudo] password for sysadmin:
● Results in an entry placed in a log file for accountability and

User Accounts
● The /etc directory contains files which contain account data of users and groups defined on the system.
● The /etc/passwd file defines some account information for user accounts.
○ Each line contains information about a single user.
sysadmin:x:1001:1001:System Administrator,,,,:/home/sysadmin:/bin/bash
○ Contains: Name, Password Placeholder, User ID, Primary Group ID, Comment, Home Directory, Shell (fields are separated by a colon)
● Use the grep command to check if a user is defined on the system.

Passwords
● The /etc/shadow file contains user password information (you must be logged in as root to read it).
sysadmin:$6$c75ekQWF$.GpiZpFnIXLzkALjDpZXmjxZcIll14OvL2mFSIfnc1aU2cQ/221QL5AX5RjKXpXPJRQ0uVN35TY3/..c7v0.n0:16874:5:30:7:60:15050::
● Fields include:
○ Username: Username of the account (matches the username in /etc/passwd)
○ Password: Hashed ("encrypted") password for the account
○ Last Change: Date the password was last changed (days since January 1, 1970)
○ Min: Minimum number of days between password changes
○ Max: Maximum number of days the password is valid
○ Warn: Number of days before password expiry that the system warns the user
○ Inactive: Grace period (in days) after the password expires during which the user can still change it
○ Expire: Date on which the account expires, as a number of days since January 1, 1970
○ Reserved: Currently not used; this field is reserved for future use
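The aging fields just listed decide whether a login is still allowed. As an added example (not from the slides or the NDG course), the shell function below evaluates them over constructed /etc/shadow lines with placeholder hashes; the sysadmin line reuses the slide's day counts, while the other sample accounts, the function name and the status words are the example's own.

```shell
#!/bin/sh
# Constructed /etc/shadow content (hashes replaced by a placeholder). The aging
# numbers of the sysadmin line are the ones quoted on the slide.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE='sysadmin:$6$FAKE$FAKEHASH:16874:5:30:7:60:15050::
alice:$6$FAKE$FAKEHASH:16874:5:30:7:60:::
svc:*:16874:0:99999:7:::
bob:!$6$FAKE$FAKEHASH:16000::::::'

# shadow_status NAME TODAY -> one word describing the account:
#   no-password | locked | expired-account | expired-password |
#   expired-password-disabled | warn | ok | unknown
# TODAY is a day count since 1970-01-01, the unit the file itself uses.
shadow_status() {
    result=$(printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v user="$1" -v today="$2" '
        $1 == user {
            pw = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
            if (pw == "*")               { print "no-password"; exit }   # system account
            if (substr(pw, 1, 1) == "!") { print "locked"; exit }        # locked account
            if (expire != "" && today >= expire) { print "expired-account"; exit }
            if (max == "" || last == "") { print "ok"; exit }           # aging disabled
            left = last + max - today                 # days until the password expires
            if (left < 0) {
                # inactive = grace period after expiry in which the user may still change it
                if (inact != "" && today > last + max + inact) print "expired-password-disabled"
                else print "expired-password"
                exit
            }
            if (warn != "" && left <= warn) { print "warn"; exit }
            print "ok"
        }')
    printf '%s\n' "${result:-unknown}"
}

# On a real host, as root: SHADOW_SAMPLE=$(cat /etc/shadow); shadow_status jane "$(( $(date +%s) / 86400 ))"
```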
System Accounts
● Users log in using regular accounts (UID > 1000).
● Special access root account (UID 0).
● System accounts are designed for services running on the system (UID 1-499).
● System accounts in /etc/passwd and /etc/shadow have some different fields:
○ Home directory: typically do not have one
○ Shell: uses nologin
○ Password: uses *
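The UID ranges and the nologin convention above can be turned into a quick audit. This added example (not from the slides) reads constructed /etc/passwd content and flags any second UID 0 account and any system account that keeps an interactive shell; the sample lines, the function names and the UID_MIN boundary of 1000 are assumptions of the example.

```shell
#!/bin/sh
# Constructed /etc/passwd content (not from a real host):
# name:password-placeholder:UID:GID:comment:home:shell
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second UID 0 account:/root:/bin/bash
sysadmin:x:1001:1001:System Administrator,,,,:/home/sysadmin:/bin/bash'
# First regular UID; assumed 1000 here, take UID_MIN from /etc/login.defs on a real host.
UID_MIN=${UID_MIN:-1000}

# uid_class UID -> root | system | regular
uid_class() {
    if [ "$1" -eq 0 ]; then echo root
    elif [ "$1" -lt "$UID_MIN" ]; then echo system
    else echo regular
    fi
}

# audit_passwd -> one finding per line; prints nothing when the file looks sane
#   uid0:NAME                another account shares UID 0 with root
#   system-shell:NAME:SHELL  a service account that can obtain an interactive shell
audit_passwd() {
    printf '%s\n' "$PASSWD_SAMPLE" | while IFS=: read -r name pw uid gid gecos home shell; do
        case "$(uid_class "$uid")" in
            root)   [ "$name" = root ] || echo "uid0:$name" ;;
            system) case "$shell" in
                        */nologin|*/false) ;;          # expected for service accounts
                        *) echo "system-shell:$name:$shell" ;;
                    esac ;;
        esac
    done
}

# On a real host: PASSWD_SAMPLE=$(cat /etc/passwd); audit_passwd
```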
Group Accounts
● Each user can be a member of one or more groups.
● The /etc/passwd file defines the primary group membership for a user.
● The /etc/group file defines supplemental (or secondary) group membership.
mail:x:12:mail,postfix
● Fields include:
○ Group Name: Field contains the group name
○ Password Placeholder: The x means the group password is not stored in this file
○ GID: Unique group ID associated with the group
○ User List: Lists the members of the group
Viewing User Accounts
Viewing User Information
● The id command is used to print user and group information.
sysadmin@localhost:~$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin),4(adm),27(sudo)
● Output:
○ Lists user account information first (UID (uid=1001) and username (sysadmin))
○ After the username, the primary group is listed (group ID and group name)
○ Other information includes other groups the user belongs to (group IDs and group names)
● To display information for a specific account, use the username as an argument.
● To print only secondary group membership, use the -G option.

Viewing Current Users
● The who command lists users who are currently logged in, as well as where and when they logged in.
sysadmin@localhost:~$ who
root tty2 2013-10-11 10:00
sysadmin tty1 2013-10-11 09:58 (:0)
sysadmin pts/0 2013-10-11 09:59 (:0.0)
● Output:
○ Username: Indicates the user who is logged in and has an open session.
○ Terminal: Indicates which terminal the user is working in. tty indicates a local login whereas pts indicates a pseudo terminal.
○ Date: Indicates when the user logged in. A hostname in the last column means the user logged in remotely; a colon and a number mean a graphical local login; no location info means the user logged in via the local command line.
Viewing Current Users
● The w command provides more detailed information about users currently on the system.
● Provides info about system status.
● Output looks like:
sysadmin@localhost:~$ w
10:44:03 up 50 min, 4 users, load average: 0.78, 0.44, 0.19
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty2 - 10:00 43:44 0.01s 0.01s -bash
sysadmin tty1 :0 09:58 50:02 5.68s 0.16s pam: gdm-password
sysadmin pts/0 :0.0 09:59 0.00s 0.14s 0.13s ssh 192.168.1.2
sysadmin pts/1 example.com 10:00 0.00s 0.03s 0.01s w
Viewing Login History
● The last command reads the /var/log/wtmp file, which holds all login records.
● Shows previous login sessions as well as current login information.
sysadmin@localhost:~$ last
sysadmin console Tue Sep 18 02:31 still logged in
sysadmin console Tue Sep 18 02:31 - 02:31 (00:00)

wtmp begins Tue Sep 18 02:31:57 2018
Module 16
Creating Users and Groups
Exam Objective
5.2 Create Users and Groups

Objective Description
Creating users and groups on a new system.
Introduction
● Remember: User account info and authentication info is stored in the /etc/passwd and /etc/shadow files.
● Using these files directly to add users/groups is possible but not recommended.
● Using commands is more appropriate.
● When creating a new user, some distributions create a User Private Group (UPG).
Note: Before you begin creating users, you should plan how you will use groups.
Creating Groups
Groups
● Groups provide a way for users to share files.
● When creating a group, the grep command can be used to verify configuration and changes.
● The getent command can be used to show local and network-based groups.
root@localhost:~# grep root /etc/group
root:x:0:
root@localhost:~# getent group root
root:x:0:
Creating a Group
● As the root user, execute the groupadd command to create a new group.
● To specify a group ID (GID) for the group, use the -g option.
root@localhost:~# groupadd -g 506 research
● If the -g option is not used, groupadd automatically assigns a GID one higher than the last one added to the /etc/group file.
root@localhost:~# grep research /etc/group
research:x:506:
root@localhost:~# groupadd development
root@localhost:~# grep development /etc/group
development:x:507:
Group ID Considerations
● Remember: In some distributions, when a user is created, a UPG is also created.
● Avoid creating GIDs in the same range as UIDs that will be created in the future.
● GIDs under 1000 are reserved for system use. To bypass this and assign a GID below 1000, use the -r option.
Group Naming Considerations
● A portable group name functions correctly with other systems.
● Guidelines for creating a portable group name:
○ For the first character, use an underscore _ or a lowercase a-z character
○ After the first character, possible characters are alphanumeric, dash, or underscore
○ Using more than 16 characters can be problematic
○ The last character should not be a hyphen -
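Before running groupadd, the naming guidelines above and the GID considerations from the previous slides can be checked in a script. This added example (not from the slides) validates a proposed group name and GID against constructed /etc/group content; the sample groups, the function names and the GID_MIN boundary of 1000 are this example's assumptions.

```shell
#!/bin/sh
# Constructed /etc/group content (not from a real host): name:x:GID:members
GROUP_SAMPLE='root:x:0:
mail:x:12:mail,postfix
research:x:506:
development:x:507:'
# Lowest GID for ordinary groups; assumed 1000 here (GID_MIN in /etc/login.defs on a real host).
GID_MIN=${GID_MIN:-1000}

# portable_name NAME -> exit 0 when NAME follows the guidelines: first character _ or a-z,
# then letters/digits/dash/underscore, no trailing hyphen, at most 16 characters.
portable_name() {
    [ "${#1}" -le 16 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[a-z_]([a-z0-9_-]*[a-z0-9_])?$'
}

# in_group_file FIELD VALUE -> exit 0 when a line of GROUP_SAMPLE has VALUE in FIELD (1 = name, 3 = GID)
in_group_file() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v f="$1" -v v="$2" '$f == v { found = 1 } END { exit !found }'
}

# precheck_group NAME [GID] -> one reason per line why the groupadd request would be
# refused or is risky; prints nothing when it looks fine.
precheck_group() {
    name=$1 gid=$2
    portable_name "$name" || echo "name:not-portable"
    in_group_file 1 "$name" && echo "name:already-exists"
    if [ -n "$gid" ]; then
        case $gid in
            *[!0-9]*) echo "gid:not-a-number" ;;
            *)  in_group_file 3 "$gid" && echo "gid:in-use"
                # per the slide, GIDs below the ordinary range are for system use (groupadd -r)
                [ "$gid" -ge "$GID_MIN" ] || echo "gid:below-gid-min" ;;
        esac
    fi
    return 0
}
```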


Modifying a Group
● The groupmod command can be used to either change the name of the group (with the -n option) or change the GID (with the -g option).
root@localhost:~# groupmod -n clerks sales
root@localhost:~# groupmod -g 10003 clerks
● Changing the group name won’t cause any problems with accessing files.
● Changing the GID will cause files to no longer be associated with that group.
● To search for orphaned files, use the find command with the -
Deleting a Group
● The groupdel command can be used to delete a group.

root@localhost:~# groupdel clerks

● Files in the deleted group will become orphaned.

● Only supplementary groups can be deleted.


User Configurations
Users
● During installation it is common to create a normal user with root permissions using sudo.
● This works well when the computer is used by one user.
● For computers with multiple users, creating separate user accounts is ideal.
User Configuration
● Before creating users, verify the default values using the useradd command.

● The -D option to the useradd command will allow you to view or change
some of the default values. This can also be done by manipulating
the /etc/default/useradd file.

root@localhost:~# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
User Configuration
● What the values of useradd -D mean:

GROUP - the default primary group for a new user. This setting affects the primary group ID field of the /etc/passwd file.
GROUP=100
bob:x:600:600:bob:/home/bob:/bin/bash

HOME - the default base directory under which the user's new home directory will be created. This setting affects the home directory field of the /etc/passwd file.
HOME=/home
bob:x:600:600:bob:/home/bob:/bin/bash

INACTIVE - the number of days after the password expires that the account is disabled. This setting affects the inactive field of the /etc/shadow file.
INACTIVE=-1
bob:pw:15020:5:30:7:60:15050:

EXPIRE - by default, there is no value set for the expiration date. This setting affects the expire field of the /etc/shadow file.
EXPIRE=
bob:pw:15020:5:30:7:60:15050:

SHELL - the default shell for a user when they log in to the system. This setting affects the shell field of the /etc/passwd file.
SHELL=/bin/bash
bob:x:600:600:bob:/home/bob:/bin/bash

SKEL (skeleton directory) - the contents of this directory are copied into the new user's home directory; it does not correspond to a field in /etc/passwd or /etc/shadow.
SKEL=/etc/skel

CREATE_MAIL_SPOOL - whether a mail spool file, where the user's incoming email is placed, is created for the new user.
CREATE_MAIL_SPOOL=yes
User Configuration
● The /etc/login.defs file also contains values that will be applied by default to new
users you create with the useradd command.

● To view contents of /etc/login.defs file without comments and blank lines, use
the grep command.

root@localhost:~# grep -Ev '^#|^$' /etc/login.defs


MAIL_DIR /var/mail/spool
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
Output omitted...
User Configuration
● Values of /etc/login.defs file include:

Mail Directory - The directory in which the user's mail spool file will be created.

MAIL_DIR /var/mail/spool

Password Max Days - The maximum number of days that a user can continue to use
the same password.

PASS_MAX_DAYS 99999

Password Min Days - The shortest time that a user is required to keep a password.

PASS_MIN_DAYS 0
User Configuration
Password Minimum Length - The minimum number of characters that a password must contain.
PASS_MIN_LEN 5

Password Warning Age - The number of days before a password expires that the user is warned.
PASS_WARN_AGE 7

UID Minimum - Determines the first UID that will be assigned to an ordinary user.
UID_MIN 500

UID Maximum - Although it can go up to four billion, for maximum compatibility it's recommended to leave it at its default value of 60000.
UID_MAX 60000
User Configuration
GID Minimum - Determines the first GID that will be assigned to an ordinary group.
GID_MIN 500

GID Maximum - The highest GID that will be assigned to an ordinary group.
GID_MAX 60000

Home Directory - Determines whether or not a new home directory will be created for the user when their account is created.
CREATE_HOME yes
User Configuration
Umask - Determines what the default permissions will be on the user's home directory.
UMASK 077

UPG - If User Private Groups are used in the distribution, this has the value yes; if not, no.
USERGROUPS_ENAB yes

Encryption - The method used to hash ("encrypt") users' passwords stored in the /etc/shadow file.
ENCRYPT_METHOD SHA512
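The grep filter shown above is a natural starting point for checking /etc/login.defs against a password-policy baseline. This added example (not from the slides) reads a constructed copy of the file holding the values quoted on these slides and reports the settings that fall below a baseline; the baseline numbers (365 days, 12 characters) and the function names are this example's assumptions.

```shell
#!/bin/sh
# Constructed /etc/login.defs content (not from a real host). Values mirror the slides;
# a comment and a blank line are kept so the grep filter from the slide has something to drop.
LOGIN_DEFS_SAMPLE='# constructed sample, compare with /etc/login.defs on a real host
MAIL_DIR        /var/mail/spool

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD  SHA512'

# login_def KEY -> value of KEY after dropping comment and blank lines
login_def() {
    printf '%s\n' "$LOGIN_DEFS_SAMPLE" | grep -Ev '^#|^$' | awk -v k="$1" '$1 == k { print $2 }'
}

# audit_login_defs -> one line per setting weaker than the assumed baseline: passwords
# age out within 365 days, at least 12 characters, private home directories, SHA512 or
# yescrypt hashes. Prints nothing when every checked setting meets it.
audit_login_defs() {
    v=$(login_def PASS_MAX_DAYS)
    [ "${v:-99999}" -le 365 ] || echo "PASS_MAX_DAYS=$v: passwords never age out, want <= 365"
    v=$(login_def PASS_MIN_LEN)
    [ "${v:-0}" -ge 12 ] || echo "PASS_MIN_LEN=$v: want >= 12"
    v=$(login_def UMASK)
    [ "${v:-022}" = 077 ] || echo "UMASK=$v: home directories readable by other users, want 077"
    v=$(login_def ENCRYPT_METHOD)
    case $v in
        SHA512|YESCRYPT) ;;
        *) echo "ENCRYPT_METHOD=$v: want SHA512 or YESCRYPT" ;;
    esac
    return 0
}

# On a real host: LOGIN_DEFS_SAMPLE=$(cat /etc/login.defs); audit_login_defs
```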
Account Considerations
● Creating a user account may require additional information:
○ You need the account name; you may also want to plan the UID, the primary group, the supplementary groups, the home directory, the skeleton directory, and the shell to be used.
● Guidelines for creating a portable group name:
○ For the first character, use an underscore _ or a lowercase a-z character
○ After the first character, possible characters are alphanumeric, dash, or underscore
○ Using more than 16 characters can be problematic
○ The last character should not be a hyphen -


Creating a User
● Once you know what values to use, you can create a user by using the useradd command:
root@localhost:~# useradd -u 1000 -g users -G wheel,research -c 'Jane Doe' jane
● Information about the new user jane is automatically added to /etc/passwd and /etc/shadow, while information about supplemental groups is added to /etc/group and /etc/gshadow.
● A /var/spool/mail/jane file would also be created, as well as the /home/jane directory.
Passwords
● Factors to consider when you are trying to choose a password for an account:
○ Length - Minimum length is specified in the /etc/login.defs file
○ Composition - A combination of alphabetic, numeric and symbolic characters
○ Lifetime - The maximum amount of time that a password can be used should be limited to minimize security threats
Note: Requiring a user to change their password too often might also pose security problems.
Setting a User Password
● There are a few ways a password can be set up:
○ User can execute passwd command

○ Admin can execute passwd command with username as an argument

○ Graphical tools

● Users must follow guidelines for entering passwords while root can
bypass warnings:
root@localhost:~# passwd jane
Enter new UNIX password:
BAD PASSWORD: it is WAY to short
BAD PASSWORD: is too simple
Retype new UNIX password:
Modifying a User
● Use who, w, and last commands to verify if user is currently logged
in.
● The usermod command offers multiple options for modifying users.
● Examples of usermod options include:
Short Option          Long Option                 Description
-c COMMENT            --comment COMMENT           Sets the value of the GECOS or comment field to COMMENT.
-d HOME_DIR           --home HOME_DIR             Sets HOME_DIR as the new home directory for the user.
-e EXPIRE_DATE        --expiredate EXPIRE_DATE    Sets the account expiration date to EXPIRE_DATE.
Deleting a User
● When you delete a user account, you also need to decide whether
to delete the user's home directory.
● To delete a user without deleting the user’s home directory execute:

root@localhost:~# userdel jane

● To delete a user and their home directory execute:

root@localhost:~# userdel -r jane
