User Environments - PowerPoint PPT Presentation

1 / 12
About This Presentation
Title:

User Environments

Description:

... to look for security holes. find out about networked machines ... sticky bit. set group id (so that all files are owned by the directory group) $ ls -al /shared ... – PowerPoint PPT presentation

Number of Views:84
Avg rating:3.0/5.0
Slides: 13
Provided by: ings
Category:

less

Transcript and Presenter's Notes

Title: User Environments


1
User Environments
  • Objectives
  • to provide appropriate environments for different
    types of users
  • Contents
  • different login programs
  • user profiles
  • restricted shells
  • security issues
  • Practicals
  • to provide special user accounts
  • Summary

2
Login Shell
  • The password file defines the user's login shell
  • full program pathname must be specified
  • no parameters allowed
  • Standard programs are interactive shells
  • Bash, Bourne Again Shell (bash)
  • Bourne shell (sh)
  • C shell (csh)
  • Specialist programs can be provided
  • pppd
  • Any executable program can be provided
  • database front end query programs
  • simple menu selection programs

3
Restricted Shells
  • A restricted shell stops the user from
  • changing directories with cd
  • changing the value of the PATH variable
  • specifying command names containing /
  • using output redirection gt and gtgt
  • Restrictions only apply to interactive session
  • profiles can still perform all functions
  • Restricted shells apply to some standard
    applications
  • Sendmail uses /usr/sbin/smrsh
  • Create a special bin directory for restricted
    users
  • often in /usr/rbin with links to required
    programs in /usr/bin

4
Restricted root Access
  • Administrator provided shell scripts are useful
    for providing restricted root access to the
    system
  • user written shell scripts
  • shutdown or backup programs

cat gt/home/admin/bin/shutdown !/usr/bin/sh
shutdown script trap "" 2 3 echo "Type number of
seconds to shutdown or" echo -n "Ctrl-D to
abandon shutdown 180? " if read N then -z
"N" N180 echo "Shutting down in N
seconds" /sbin/shutdown -i0 -gN -y fi useradd
-o -u 0 -d / -s /home/admin/bin/shutdown
shutdown passwd shutdown
5
Environment Files
  • Two environment files are executed at login time
    when a Bourne or Korn shell is executed
  • /etc/profile
  • contains system commands
  • common environment (set of variable definitions)
    for all users
  • may define variable ENV, describing the location
    of Shell specific environment file, usually set
    to HOME/.bashrc
  • HOME/.bash_profile
  • contains user commands and definitions
  • run once at login
  • Finally, if the variable ENV is defined then the
    shell executes the file given by its value
  • use to set up shell environment aliases,
    functions, prompts, etc.
  • Many definitions are predefined in the
    /etc/profile file

6
Environmental Definitions
  • Most users will need to modify some of the
    environmental definitions to suit their
    requirements
  • Good system administrator will make sure that
    user has a basic set of definitions available
    when account is created
  • These may include
  • PATHPATH/usr/X/bin. include required search
    directories
  • EDITORvi define line editting editor (for
    history mechanism)
  • TERMvt100 must reflect terminal used,
    otherwise all non-
  • character-based applications, including vi,
    will fail
  • MAIL/var/mail/LOGNAME location for your mail
    box
  • SHELL/bin/bash shell used for 'escape' from
    program. eg. when you
  • type !cmd within vi, the cmd is executed
    by the shell
  • defined here
  • ENVHOME/.bashrc location of bash shell run
    command file
  • All variable must be exported after they have
    been set

7
The umask Command
  • Used to define default permissions on newly
    created files
  • The user mask (umask) is part of the process
    environment
  • used when creating files to remove permissions
  • the creating process defines the file permissions
  • then the umask value is subtracted
  • Each bit set in the octal umask clears the
    corresponding bit in the permissions

umask plain text files (vi) directories
(mkdir) rw-rw-rw- rwxrwxrwx 000 rw-rw-rw- rwxrwxr
wx 022 rw-r--r-- rwxr-xr-x 033 rw-r--r-- rwxr--r--
027 rw-r----- rwxr-x--- 077 rw------- rwx------
8
Message of the day
  • Profiles often display a message of the day
  • traditionally stored in /etc/motd
  • Keep message short and up to date
  • otherwise users will stop reading it
  • Include a restricted access notice

more /etc/motd Welcome to Acme's Development
System. Access to this system is restricted to
authorised users only. Unauthorised access is
prohibited and offenders are liable to
prosecution. System will be down all day on Sun
23 April for preventative maintenance.
9
Exercise - Example Environment
  • Which file is maintained by the administrator?
  • What do the two trap commands imply for
    /etc/profile?

A typical system profile (/etc/profile) trap
"" 2 3 ENVHOME/.kshrc export ENV ulimit -c
0 umask 022 cat /etc/motd trap 2 3
A typical user profile (.bash_profile)
PATHPATHHOME/bin TERMvt100
A typical user bashrc file (.bashrc) alias
dirls lf'ls -FC' export PS1'PWD! ' set -o
vi
what do you think this line should contain?
10
Guest Accounts
  • Many systems define a login called guest
  • password null or set to guest
  • Disable or remove this account
  • it is a security risk
  • System hackers logging in as guest can
  • get a list of login names (/etc/passwd)
  • look at encrypted passwords on older unix
    systems
  • use find to look for security holes
  • find out about networked machines (/etc/hosts)
  • access the network via telnet, rlogin rsh rcp
  • If someone wants to use your system you should
    know about them and provide an account accordingly

11
Shared Group Directories
  • Users working on a common set of files should
    belong to the same group
  • Files should be stored in a common directory
  • Directory should have
  • sticky bit
  • set group id (so that all files are owned by the
    directory group)

ls -al /shared drwxrwsr-t 1 trapper staff
1024 Dec 25 0930 . drwxr-xr-x 1 root sys
512 Dec 25 0930 .. id -a uid318(hawkeye)
gid300(users) groups100(staff),300(users) cp
lfile /shared ls -l lfile /shared/lfile -rw-r--r
-- 1 hawkeye users 232 Jan 18 0958
lfile -rw-r--r-- 1 hawkeye staff 232 Jan 19
1142 /shared/lfile
12
Summary
  • Users can be provided any login program not just
    an interactive shell
  • A standard user environment should be set and
    maintained by the administrator using
    /etc/default/login and /etc/profile
  • Users may be restricted in their access to the
    system and what they can do
  • /usr/lib/rsh /usr/bin/rksh
  • Users can be setup to share directories by using
    combination of guid and sticky bits
  • Guest account without a password is bad news
Write a Comment
User Comments (0)
About PowerShow.com