User Account Management - PowerPoint PPT Presentation
Title:
User Account Management
Description:
User Account Management WeeSan Lee Roadmap Add An Account Delete An Account /etc/{passwd,shadow} /etc/group How To Disable An Account? – PowerPoint PPT presentation
Number of Views:32
Avg rating:3.0/5.0
Title: User Account Management
1
User Account Management
- WeeSan Lee ltweesan_at_cs.ucr.edugt
2
Roadmap
- Add An Account
- Delete An Account
- /etc/passwd,shadow
- /etc/group
- How To Disable An Account?
- Root Account
- QA
3
Add An Account
- To create an account for user foo
- Create /home/foo
- cp -a /etc/skel/ /home/foo
- chown -R foousers /home/foo
- chmod 711 /home/foo
- chmod urwx,gx,ox /home/foo
- Add foo into /etc/passwd and /etc/shadow
- vipw
- passwd foo
- Alternatively, use useradd
- useradd foo
- passwd foo
4
Delete An Account
- To remove the account foo
- Revert what we did before
- Or, use userdel
- userdel foo
- userdel -r foo
- Delete /home/foo as well
- To find files left behind
- find -nouser -xdev /
5
/etc/passwd
- A file that contains a list of users recognized
by the system - World readable
- Why?
- Each line represents one user, eg.
- foox500500Foo Bar/home/foo/bin/bash
- 7 fields separated by colons
- Login name or username
- Encrypted passwd
- UID
- Default GID
- GECOS information fullname, office, extension,
phone - Home directory
- Login shell
6
/etc/passwd (cont)
foox500500Foo Bar/home/foo/bin/bash
- Login name
- 32 chars long
- 8 for NIS (Network Information Service)
- Case sensitive, usually lower case
- Usually used as email address
- Encrypted passwd
- See /etc/shadow
- UID
- 32-bit unsigned integers
- Start from 500. See /etc/logins.defs
7
/etc/passwd (cont)
foox500500Foo Bar/home/foo/bin/bash
- Login name
- 32 chars long
- 8 for NIS (Network Information Service)
- Case sensitive, usually lower case
- Usually used as email address
- Encrypted passwd
- See /etc/shadow
- UID
- 32-bit unsigned integers
- Start from 500. See /etc/logins.defs
8
/etc/passwd (cont)
foox500500Foo Bar/home/foo/bin/bash
- Login name
- 32 chars long
- 8 for NIS (Network Information Service)
- Case sensitive, usually lower case
- Usually used as email address
- Encrypted passwd
- See /etc/shadow
- UID
- 32-bit unsigned integers
- Start from 500. See /etc/logins.defs
9
/etc/passwd (cont)
foox500500Foo Bar/home/foo/bin/bash
- Default GID
- Defined in /etc/group
- GECOS field
- For personal information
- finger foo
- Home directory
- Cd to home directory after login
- Login shell
- Valid shells defined in /etc/shells
10
/etc/passwd (cont)
foox500500Foo Bar/home/foo/bin/bash
- Default GID
- Defined in /etc/group
- GECOS field
- For personal information
- finger foo
- Home directory
- Cd to home directory after login
- Login shell
- Valid shells defined in /etc/shells
11
/etc/passwd (cont)
foox500500Foo Bar/home/foo/bin/bash
- Default GID
- Defined in /etc/group
- GECOS field
- For personal information
- finger foo
- Home directory
- Cd to home directory after login
- Login shell
- Valid shells defined in /etc/shells
12
/etc/passwd (cont)
foox500500Foo Bar/home/foo/bin/bash
- Default GID
- Defined in /etc/group
- GECOS field
- For personal information
- finger foo
- Home directory
- Cd to home directory after login
- Login shell
- Valid shells defined in /etc/shells
13
/etc/shadow
- A file contains the encrypted passwd for the
users - Only readable by root or processes with root
privilege - Each line represents user, eg.
- foo1naYPGQnr2Xyp.Q1KrWSf//VFR.yBL0136900999
997 - 9 fields separated by colons
- Login name or username
- Encrypted passwd
- Date of last passwd change
- Min. of days between password changes
- Max of days between password changes
- of days in advance to warn users about passwd
expiration - of days after passwd expiration that account is
disabled - Account expiration date
- A reserved field
- Usually login name and passwd are enough
14
/etc/shadow (cont)
- usermod
- usermod -e 2007-06-26
15
/etc/group
- A file contains the names of UNIX groups and a
list of groups members, eg. - foox500
- installerx200foo,bar
- Each line represents one group
- 4 fields separated by colons
- Group name (8 chars)
- Encrypted passwd or x for /etc/gshadow
- GID (starts from 500. see /etc/login.defs)
- List of members, separated by commas (no space)
16
How To Disable An Account?
- Append username with a in /etc/passwd
- usermod -L foo
- Put a ! in front of the encrypted passwd
- To undo usermod -U foo
- usermod -e yyyy-mm-dd
- Replace login shell with
- /etc/false
- /sbin/nologin
17
Root Account
- Special and powerful account
- UID 0
- Guard your root passwd with your life!!!
- At least 8 chars. long
- Dont write it down
- Mix letters, numbers and punctuations
- Eg. Bambo0!
- Dont login root as a normal user
- Use su when needed
- Dont share your root passwd with others
18
Root Account (cont)
- Use sudo instead
- sudo /bin/bash
- /etc/sudoers
- All commands are logged
- To edit /etc/sudoers
- visudo
- foo ALL(root) ALL
- User foo can run ALL commands on ALL machines as
root - Host_Alias CSeon,orpheus
- Cmnd_Alias SNOOP/usr/sbin/tcpdump,/usr/sbin/ether
eal - bar CSSNOOP
19
References
- LAH
- Ch 3 Rootly Powers
- Ch 6 Adding New Users
Recommended
CrystalGraphics Presentations
