Managing Users

1
Managing Users

• By Clint Pate

2
Linux IDs

• Every file and program must be owned by a user in
  order to be utilized by the Operating System.
• User ID (UID)
• Unique to the user
• Group ID (GID)
• Unique to the group

3
UID/GID

• Linuxs User ID and the Group ID is much like the
  Windows NT/2000 Security Identifier (SID).
• Unlike Windows, Unix/Linux does not use ACLs.
• The ROOT is also known as superuser, and has
  access to all files and programs.

4
SUID

• Suid root refers to set user id root. This allows
  the program to do functions not normally allowed
  for users to do themselves.  Low level networking
  routines,  controlling graphical display
  functions, changing passwords, and logging in are
  all examples of programs that rely on executing
  their functions as a user that is not restricted
  by standard file permissions.  While many
  programs need this functionality,  the program
  must be bug free in only allowing the user to do
  the function the program was designed for.

5
Home Directories

• Users that log in to the system have
  configuration files which are placed in a
  directory called home.
• The home directory is usually located off the
  root (/home).
• An example
• /home/yourusername
• The home folder for ROOT is /, and is common in
  most variants of Linux.
• Some break up the home directory by department or
  some other method
• Example /home/cns
• /home/cst

6
Passwords

• Every account should have either have a password
  or be tagged as impossible to log in to.
• Users passwords are encrypted/encoded when
  entered at the login prompt using crypt(3).
• The encoded value is then matched with the
  encoded password store.
• The Linux password file can be accessed by any
  user on the system.

7
Shadow Passwords

• On a Linux system without the Shadow Suite
  installed, user information including passwords
  is stored in the /etc/passwd file. The password
  is stored in an encrypted format.
• If you ask a cryptography expert, however, he or
  she will tell you that the password is actually
  in an encoded rather than encrypted format
  because when using crypt(3), the text is set to
  null and the password is the key.
• The algorithm used to encode the password field
  is technically referred to as a one way hash
  function.

8
To Shadow Or Not???

• Why you might NOT want to shadow your passwd
  file.
• There are a few circumstances and configurations
  in which installing the Shadow Suite would NOT be
  a good idea
• The machine does not contain user accounts.
• Your machine is running on a LAN and is using NIS
  (Network Information Services) to get or supply
  user names and passwords to other machines on the
  network. (This can actually be done, but is
  beyond the scope of this document, and really
  won't increase security much anyway)
• Your machine is being used by terminal servers to
  verify users via NFS (Network File System), NIS,
  or some other method.
• Your machine runs other software that validates
  users, and there is no shadow version available,
  and you don't have the source code.

9
Root Access Only!

• The Shadow Suite solves the problem by relocating
  the passwords to another file (usually
  /etc/shadow).
• The /etc/shadow file is set so that it cannot be
  read by just anyone.
• Only root will be able to read and write to the
  /etc/shadow file.
• Some programs (like xlock) don't need to be able
  to change passwords, they only need to be able to
  verify them. These programs can either be run
  suid root or you can set up a group shadow that
  is allowed read only access to the /etc/shadow
  file. Then the program can be run sgid shadow.

10
Shadowing Features

• A configuration file to set login defaults
  (/etc/login.defs)
• Utilities for adding, modifying, and deleting
  user accounts and groups
• Password aging and expiration
• Account expiration and locking
• Shadowed group passwords (optional)
• Double length passwords (16 character passwords)
  NOT RECOMMENDED
• Better control over user's password selection
• Dial-up passwords
• Secondary authentication programs NOT
  RECOMMENDED

11
Startup Scripts

• Remember the old days of DOS?
• Autoexec.bat
• Linuxs Autoexec which sets all environment
  variables. The dot means that it is hidden.
• .bashrc

12
User Database

• Locally, Linux is not like Windows when it comes
  to managing a user database!
• Linux uses textfiles based on appropriate rights.
• LinuxConf utilizes the user/group text file for
  database functionality which is flat (not
  relational)

13
Password File

• Format of the /etc/passwd file
• A non-shadowed /etc/passwd file has the following
  format
• usernamepasswdUIDGIDfull_namedirectoryshell
  Where
• username
• The user (login) name
• passwd
• The encoded password
• UID
• Numerical user ID
• GID
• Numerical default group ID
• full_name
• The user's full name - Actually this field is
  called the GECOS (General Electric Comprehensive
  Operating System) field and can store information
  other than just the full name. The Shadow
  commands and manual pages refer to this field as
  the comment field.
• directory
• User's home directory (Full pathname)
• shell
• User's login shell (Full Pathname)
• For example usernameNpge08pfz4wuk503100Full
  Name/home/username/bin/sh

14
Shadow File

• Format of the shadow file
• The /etc/shadow file contains the following
  information
• usernamepasswdlastmaymustwarnexpiredisable
  reserved Where
• username
• The User Name
• passwd
• The Encoded password
• last
• Days since Jan 1, 1970 that password was last
  changed
• may
• Days before password may be changed
• must
• Days after which password must be changed
• warn
• Days before password is to expire that user is
  warned
• expire
• Days after password expires that account is
  disabled
• disable
• Days since Jan 1, 1970 that account is disabled

15
User Management Programs

• chfn - Change a user's finger information
• chsh - Change a user's shell
• gpasswd - Used to administer the /etc/group file
  and /etc/gshadow file.
• -A - Define group administrator.
• gpasswd -a user group - Adds a user to a group.
• gpasswd -d user group - Deletes a user from a
  group.
• -M - Define group members.
• gpasswd -R group - Removes a group disabling
  access to it using the newgrp command.
• gpasswd -r group - Remove a group password.
• groupadd - Create a new group.
• groupdel - Delete a group
• groupmod - Modify a group ID or name.
• id - Print group or user ID numbers for the
  specified user
• newgrp - Allows a user to log in to a new group.
• newusers - Used to update many user accounts at a
  single time by reading a file with user names and
  clear text passwords.
• passwd - Allows a user or root to change their or
  their user's passwords.
• su - Allows a user to run in a shell with a
  different user and group ID. A user may become
  root with this command if they know the root
  password.
• useradd - Used to create a new user or update
  information.
• userdel - Used to delete a user. The user's home
  directory can be deleted using the -r option.

16
Shadow Password Utility Programs

• The following programs are available as tools to
  manipulate shadow passworda and user password
  entry information/requirements.
• chage - Used to change information on the
  required number of days between user password
  changes and date of the last change. Non-root
  users can only use chage with the -l option to
  see when their password will expire. Options are
  
• l -
• m - Set the minimum days between password changes
  
• M - Set the maximum days a password will be valid
  for.
• W - Sets the number of days the user is warned
  before their password expires.
• d - Used to change the time of the last password
  change.
• E - Set a date the user's account will not be
  accessible.
• I - The days of inactivity after a password has
  expired until the account is locked.
• pwconv - Used to create the file /etc/shadow from
  the file /etc/passwd. In short, it converts to a
  shadow password system. It uses the file
  /etc/login.defs to get PASS_MIN_DAYS,
  PASS_MAX_DAYS, and PASS_WARN_AGE values to help
  generate the /etc/shadow file.
• pwunconv - Uses the files /etc/passwd and
  /etc/shadow to create /etc/passwd, then deletes
  /etc/shadow. In short, it removes the shadow
  password system.
• grpconv - Creates /etc/gshadow form the file
  /etc/group.
• grpunconv - Uses the files /etc/passwd and
  /etc/shadow to create /etc/passwd, then deletes
  /etc/shadow.
• pwck - Checks the /etc/passwd and /etc/shadow
  files for errors.
• grpck - Checks the /etc/group and /etc/sgroup
  files for errors.
• usermod - Modify a user's account. Options are
• d - Change the user's home directory
• e - Change the user's account expiration date in
  the format YYYY-MM-DD.
• f - Change the number of days after the password
  expires to when the account is disabled.

17
LinuxConf

• Linuxconf is a sophisticated administration
  system for the Linux operating system. In many
  ways, Linuxconf is different from other
  administration schemes found on Unix operating
  systems and most other systems.

18
LinuxConf 4 Interfaces

• There are four user interfaces for Linuxconf
  planned. Three are already done.
• Text-based Interface
• Web Interface
• Graphical Interface
• Command-line Interface (still in development)
• Linuxconf allows you to configure the workstation
  even before it is fully booted. This is a winner
  as it saves you from false start boot (often with
  an invalid network configuration).

19
LinuxConf Does It For You!

• Linuxconf is both a configurator and an
  activator. It is the one which decide if ...
• A daemon must be started.
• A configuration command must be executed.
• A daemon must be killed/restarted.
• A daemon must be signaled (kill -HUP ...).
• A network interface must be (re)configured.
• A network route must be set/remove.
• A volume must be (re)mount.
• Firewalling rules must be updated.
• Linuxconf acts based on configuration files. It
  knows about most Linux configuration files and
  can compare their status with what is running
  currently. Based on this query, Linuxconf can
  bring your system "current". Whether you use
  Linuxconf's user interface or edit the
  configuration files by hand is unimportant. The
  following command
• linuxconf --status
• Will give you a report of what has to be done to
  bring the system "current".
• linuxconf --update
• Will do it for you!

20
LinuxConf Modules

• What modules come with the Redhat version of
  Linuxconf? In addition to the capabilities that
  are built in to linuxconf, the following modules
  are present in the Redhat 6.1 distribution
  version
• apache
• dhcpd
• dialout
• dnsconf
• firewall
• inittab
• mailconf
• modemconf
• motd
• mrtg
• netadm
• pppdialin
• rarp
• redhatppp
• samba
• squid
• status
• treemenu

21
LinuxConf Modules

• Available Modules
• Linuxconf SSL - Using apache SSL/proxy to protect
  the HTML interface.
• ldapconf - Manage LDAP for linux.
• htmlplus - Enhanced HTML interface.
• isdnadmin - Manage isdn4net/isdn4linux devices.
• tpconf - Control the ThinkPad BIOS (via tpctl).
• tobot - Simple backup module using tob.
• Misc
• pam_vdomain - exprimental pam module for
  linuxconf vdomains.
• Linuxconf portal - exprimental project central
  using SourceForge technology.

22
PAM

• PAM Pluggable Authentication Modules Basically,
  it is a flexible mechanism for authenticating
  users.
• PAM allows integration of various authentication
  technologies such as UNIX, Kerberos, RSA, smart
  cards and DCE into system entry services such as
  login, passwd, rlogin, telnet, ftp, and su
  without changing any of these services.

23
PAM Development

• Since the beginnings of UNIX, authenticating a
  user has been accomplished via the user entering
  a password and the system checking if the entered
  password corresponds to the encrypted official
  password that is stored in /etc/passwd .
• The idea being that the user is really that
  user if and only if they can correctly enter
  their secret password. That was in the beginning.
  Since then, a number of new ways of
  authenticating users have become popular.
  Including more complicated replacements for the
  /etc/passwd file, and hardware devices Smart
  cards etc..
• The problem is that each time a new
  authentication scheme is developed, it requires
  all the necessary programs (login, ftpd etc...)
  to be rewritten to support it.
• PAM provides a way to develop programs that are
  independent of authentication scheme.
• These programs need "authentication modules" to
  be attached to them at run-time in order to work.
  Which authentication module is to be attached is
  dependent upon the local system setup and is at
  the discretion of the local system administrator.

24
PAMs for MS Connectivity

• pam_ldap
• The pam_ldap module provides the means for
  Solaris and Linux workstations to authenticate
  against LDAP directories, and to change their
  passwords in the directory.
• Active Directory and the NIS/LDAP Gateway
• The NIS/LDAP Gateway is able to act as a NIS
  front-end to an Active Directory server
  configured with the Microsoft Services for UNIX
  schema.

25
WEBMIN UG Management