SUSE Linux Enterprise Desktop Administration

1
SUSE Linux Enterprise Desktop Administration

• Chapter 9
• Manage Users, Groups, and Permissions

2
Objectives

• Objective 1Understand the Multiuser Environment
• Objective 2Manage User and Group Accounts
• Objective 3Manage File Permissions and Ownership
• Objective 4Perform Tasks as a Different User
• Objective 5Use Encrypted File Systems

3
Objective 1Understand the Multiuser Environment

• Multiuser capability
• Allows a number of users to use the system
  simultaneously
• Multitasking capability
• Allows programs to run simultaneously
• Implementation of a multiuser and multitasking
  system
• Only appears to be simultaneous in a single
  processor system
• Advantage waiting times for input or output from
  processes can be used for other processes

4
Objective 1Understand the Multiuser Environment
(continued)

• UNIX implements preemptive multitasking
• Each process is allowed a certain amount of time
  during which it can work
• When this time has expired, the operating system
  temporarily stops the execution of one process
• And executes another process that is waiting to
  run
• UNIX controls this sharing of processing time,
  which avoids one process hijacking the processor
• The OS coordinates access to the resources
• Only one process can be granted access
• This coordination task is very complex

5
Objective 1Understand the Multiuser Environment
(continued)
Figure 9-1 Two or more processes need the
same resources exclusively
6
Objective 1Understand the Multiuser Environment
(continued)

• Multithreading
• An extension of multitasking and helps solve this
  problem
• A number of parts independent from one another
  (threads) can be created within a process
• Increases the level of parallel processes with
  each thread
• A program exists only once in the system
• However, there can be several processes
  performing the same program

7
Objective 2Manage User and Group Accounts

• You can manage users and groups with YaST or with
  command-line tools
• To do this, you need to understand the following
• Basics About Users and Groups
• Manage User and Group Accounts with YaST
• Manage Group Accounts from the Command Line
• User and Group Configuration Files

8
Basics About Users and Groups

• UNIX system must be able to uniquely identify all
  users
• Every user must log in with a username and a
  password
• Users are represented internally as numbers
• The number that a user receives is a UID (User
  ID)
• A Linux system has three kinds of users
• Regular (normal) user
• System user
• The root user

9
Basics About Users and Groups (continued)

• Users can be grouped together based on shared
  characteristics or activities
• As with users, each group is also allocated a
  number internally called the GID (Group ID)
• The GID can be one of the following types
• Normal groupsGID 100 and above
• System groupsGIDs from 1 to 99, used by system
  services
• Root groupGID 0

10
Manage User and Group Accounts with YaST

• You can access YaST user and group account
  administration in the following ways
• User administration
• Group administration
• If you selected LDAP for authentication during
  the installation
• You are prompted for the LDAP server
  administrator password

11
Manage User and Group Accounts with YaST
(continued)

• User administration
• With the Users button selected, the User and
  Group Administration window lists the existing
  user accounts
• See Figure 9-2
• To create a new user account or edit an existing
  account, select Add or Edit
• See Figure 9-3
• To set the properties of the user, select the
  Details tab
• See Figure 9-4

12
Figure 9-2 User administration
13
Figure 9-3 Create a new user account
14
Figure 9-4 Set user properties
15
Manage User and Group Accounts with YaST
(continued)

• User administration (continued)
• To set various password parameters, select the
  Password Settings tab
• See Figure 9-5
• Set Defaults for New User Accounts
• You can use YaST to select default settings to be
  applied to new user accounts
• See Figure 9-6
• The values are written to the file
  /etc/default/useradd

16
Figure 9-5 Set user password properties
17
Figure 9-6 Set defaults for new user accounts
18
Manage User and Group Accounts with YaST
(continued)

• Group Administration
• To administer groups, start YaST and select
  Security and Users gt Group Management
• See Figure 9-7
• You can create a new group or edit an existing
  group by selecting Add or Edit
• See Figure 9-8

19
Figure 9-7 Group administration
20
Figure 9-8 Create a new group or edit an existing
one
21
Manage User and Group Accounts from the Command
Line

• Manage User Accounts from the Command Line
• The user root can use the following commands
• useradd to create a new user account
• passwd to change a users password
• userdel to delete an existing user account
• usermod to modify settings for an existing user
  account
• Standard configuration information is derived
  from the /etc/default/useradd and /etc/login.defs
  files

22
Manage User and Group Accounts from the Command
Line (continued)

• Manage User Accounts from the Command Line
  (continued)
• passwd command can also be used for
• Lock a user account
• Status of a user account
• Change password times

Table 9-1 Options for changing password times
23
Manage User and Group Accounts from the Command
Line (continued)

• Manage User Accounts from the Command Line
  (continued)
• The /etc/default/passwd file is checked for the
  encryption method to be used
• The encryption method is set in the variable
  CRYPT
• You can use the id command in a terminal window
• To display information about a users UID and
  which groups the user is assigned to

24
Manage User and Group Accounts from the Command
Line (continued)

• Manage Groups from the Command Line
• You can use the following commands
• groupadd to create a new group
• groupdel to delete a group
• groupmod to modify the settings for an existing
  group
• gpasswd to change passwords for group accounts
• If you want information on the groups in which
  you are a member, enter groups
• The newgrp command allows you to change the
  effective group of the executing user

25
User and Group Configuration Files

• /etc/passwd
• Stores information for each user such as the
  username, the UID, home directory, and the login
  shell
• In the past, it also contained the encrypted
  password
• The encrypted password is now stored in
  /etc/shadow
• Only readable by root and members of the group
  shadow
• Each line in the file represents one user
• See Figure 9-9

26
User and Group Configuration Files (continued)
Figure 9-9 Information contained in each line of
the /etc/passwd file
27
User and Group Configuration Files (continued)

• /etc/shadow
• Stores encrypted user passwords and password
  expiration information
• Can only be changed by the user root and read by
  the user root and members of the group shadow
• Each line in the file belongs to one user
• See Figure 9-10

28
User and Group Configuration Files (continued)
Figure 9-10 Information contained in each line of
the /etc/shadow file
29
User and Group Configuration Files (continued)

• /etc/group
• Stores group information
• Each line in the file represents a single group
  record
• And contains the group name, the GID, and the
  members of the group

30
Exercise 9-1 Manage User Accounts with YaST and
Get User and Group Information from the Command
Line

• In this exercise, first create and remove a user
  account with the YaST User Management module
• Perform the following tasks
• Create a new account labeled tux for the user Tux
  Penguin with the password of novell
• Log in as the new user tux
• Open the /etc/passwd file and look for the
  entries for geeko and tux
• Log in as geeko and remove tuxs account using
  YaST

31
Objective 3Manage File Permissions and Ownership

• You can change the current values associated with
  ownership and permissions by knowing how to do
  the following
• Understand File Permissions
• Change File Permissions with chmod
• Change File Ownership with chown and chgrp
• Modify Default Access Permissions
• Configure Special File Permissions

32
Understand File Permissions

• ls l command
• Displays the contents of the current directory
• Along with the assigned permissions for each file
  or subdirectory
• Each file (and directory) can belong to only one
  user and one group
• You can also view the permissions, owner, and
  group from the Nautilus file manager

33
Figure 9-11 File properties in Nautilus file
manager
34
Change File Permissions with chmod

• You can use the chmod command to add or remove
  permissions
• The following options can be used to change the
  permissions
• uChange permissions for the owner (user)
• gChange permissions for the group
• oChange permissions for others
• aChange permissions for all (owner, group, and
  others)

35
Change File Permissions with chmod (continued)
Table 9-2 Examples of the chmod command
36
Change File Permissions with chmod (continued)

• Using the option -R (recursive) and a specified
  directory
• You can change the access permissions for the
  directory and all files and subdirectories
  beneath it
• Besides using letters (rwx), you can also use the
  octal way of representing the permission letters
  with groups of numbers
• Read 4
• Write 2
• Execute 1

37
Change File Permissions with chmod (continued)
Table 9-3 Examples of the chmod command using
numbers equivalents
Table 9-4 Using numbers instead of letters
38
Change File Ownership with chown and chgrp

• The user root can use the chown command to change
  the user and group affiliation of a file by using
  the following syntax
• chown new_user.new_group file
• To change the owner, but not the group
• chown new_user file
• To change the group, but not the user
• chown .new_group file

39
Change File Ownership with chown and chgrp
(continued)

• You can also change the group affiliation of a
  file with the chgrp command
• chgrp new_group file
• Normal users can use the chown command to
  allocate a file that they own to a new group
• chown .new_group file

40
Exercise 9-2 Manage File Permissions and
Ownership

• In this exercise, you create directories with
  different permissions

41
Modify Default Access Permissions

• By default, files are created with the access
  mode 666 and directories with 777
• To modify (restrict) these default access mode
  settings, you can use the umask command
• With a three-digit numerical value
• The permissions set in the umask are removed from
  the default permissions
• umask without any parameters shows the current
  value of the umask with a leading zero

42
Modify Default Access Permissions (continued)
Table 9-5 Examples of the umask command
43
Configure Special File Permissions
Table 9-6 Special file permissions
44
Ensure File System Security

• In Linux, file system security is especially
  important
• Because every resource available on the system is
  represented as a file
• The Basic Rules for User Write Access
• Access permissions can be administered separately
  for file owners, user groups, and the rest of the
  world
• As a general rule, a normal user should only have
  write access in the following directories
• The home directory of the user
• The /tmp directory (to store temporary files)

45
Ensure File System Security (continued)

• The Basic Rules for User Read Access
• No normal user account should be able to read the
  content of files that store passwords, including
• /etc/shadow
• /etc/samba/smbpasswd
• Files with Apache passwords
• /etc/openldap/sldap.conf
• /boot/grub/menu.1st
• Some password files can be readable for a nonroot
  account
• This is normally the account under whose user ID
  a service daemon is running

46
Objective 4Perform Tasks as a Different User

• Some tasks can only be done from the root user
  account
• Sometimes root might want to delegate tasks to
  normal users
• This objective covers both scenarios
• Perform Administrative Tasks as root
• Delegate Administrative Tasks with sudo

47
Perform Administrative Tasks as root

• As a system administrator, you are advised to log
  in as a normal user
• And only switch to root to perform tasks that
  require root permissions
• Start Programs from GNOME as Another User
• You can start any program with a different UID
  (as long as you know the password)
• Using the program gnomesu
• You can specify a different user than root and
  also start a program directly with the following
  syntax
• gnomesu--uuser command

48
Perform Administrative Tasks as root (continued)

• Switch to Another User with su
• You can use the su (switch user) command to
  assume the UID of root or of other users
• su syntax
• suoptions. . .-userargument
• Switch to Another Group with newgrp
• A user can be a member of many different groups
• However, he or she can have only one effective
  (current) group at any one time
• You can change the effective group GID with the
  command newgrp or sg

49
Delegate Administrative Tasks with sudo

• The default configuration of sudo in SLED 10
  requires the knowledge of the root password
• Advantages of using sudo
• Executed commands are logged to /var/log/messages
  
• You do not need to retype the password for each
  command
• /etc/sudoers configuration file
• Allows sudo to ask for the user password instead
  of the root password
• Allows visudo to specify which command a user can
  or cannot enter

50
Delegate Administrative Tasks with sudo
(continued)
Figure 9-12 Example illustrating the flexibility
of sudo
51
Exercise 9-3 Use sudo to Perform Tasks as root

• In this exercise, you use sudo to view the
  /var/log/messages log file as a normal user
• First, use visudo as root to change the sudo
  configuration to allow geeko to use the tail
  command to view the last lines of
  /var/log/messages and any new lines added to it
• Then, as geeko, view the end of the
  /var/log/messages log file using sudo

52
Objective 5Use Encrypted File Systems

• With SLED 10, it is possible to encrypt a file
  system on a partition
• Or to create encrypted home directories based on
  images that contain an encrypted file system
• Both can be set up with YaST
• Use YaST to Encrypt a Partition
• Create an Encrypted Image as Home Directory for a
  User

53
Use YaST to Encrypt a Partition

• You only need to select the appropriate option
  when creating the partition in YaST
• Enter a password to unlock the partition when it
  is mounted
• See Figures 9-13 and 9-14
• The minimum password length required is eight
  characters, but a longer password is advisable

54
Figure 9-13 Create an encrypted partition
55
Figure 9-14 Enter a password for an encrypted
partition
56
Use YaST to Encrypt a Partition (continued)

• To unlock the partition when the system boots, a
  prompt appears during the boot process
• The machine boots up even if no password is
  entered, but the partition is not accessible
• To access the partition, log in as root and enter
  /etc/init.d/boot.crypto start
• Then enter the password for the partition

57
Create an Encrypted Image as Home Directory for a
User

• Another approach is offered in YaST as part of
  the User Management module
• See Figure 9-15
• Create a file of that size with an encrypted file
  system inside
• File system can be mounted as a loop device
• The image file is named username.img and located
  in /home
• The key used to decrypt the image is username.key
  in /home, and the users password is used to
  unlock it

58
Figure 9-15 Create an encrypted image as a home
directory for a user
59
Summary

• Linux is a multiuser, multitasking, and
  multithreading operating system
• Users use normal user accounts to log in to the
  system
• Each user account is a member of one or more
  groups
• Linux systems store user information in
  /etc/passwd and password information in
  /etc/shadow
• For system identification, each user account has
  a UID, and each group account has a GID

60
Summary (continued)

• The id command displays your UID, GIDs, and
  primary GID
• The su and gnomesu commands can be used to switch
  to another user account or run a program as
  another user account
• You can use the useradd, usermod, and userdel
  commands to add, modify, and remove user accounts
  on your system
• You can change user account passwords, lock user
  accounts, and control password expiry settings
  using the passwd command

61
Summary (continued)

• YaST can be used to perform all user and group
  management functions
• You can assign read, write, and execute
  permissions to files and directories
• Permissions can be set on the owner of a file
  (owner), members of the group of the file
  (group), as well as everyone else on the system
  (others) using the chmod command
• Encryption can be used as an alternative to file
  and directory permissions