Users
UIDs
All local users are given an identification number (UID) that is stored along with the corresponding username in /etc/passwd.
Remote users: typically a range of UIDs is reserved for non-local users in order to prevent UID collisions with local users.
Note: When logging into the system, a user MUST use their username. Logging in via UID is not permitted, even if the UID exists.
UID | User | Description |
---|---|---|
0 | superuser | always assigned to the superuser account, root. |
1-200 | system users | user ID range for system users for system processes. These are statically assigned by the |
201-999 | system users | user ID range given to system users for system processes that don't own files on the system. These are dynamically assigned when the packages that require them are installed. These user IDs have restricted access only to the resources they need for operating. |
1000+ | regular users | user ID range for regular user accounts. |
Note: Special UIDs
- UID 1: bin user (system binaries and non-login accounts)
- UID 48: Apache user (if installed)
- UID 99: nobody account (used for a variety of things, FTP anonymous access for example; root may also be mapped to it in certain NFS configurations (the root_squash option))
User Shells
A shell is a program that acts as an interface between the user and the operating system (OS) kernel. A shell is started each time a user logs in and is responsible for executing programs based on user input.
The shell also provides a user environment that can be customized by configuring the profile initialization files for each user. These files contain user settings for:
- Paths where commands are located
- Defining variables
- Customizable values, such as terminal prompt
User shell set to /sbin/nologin: prints a message (the contents of /etc/nologin.txt if that file exists, otherwise "the user account is currently not available") and exits.
User shell set to /bin/false: the user is immediately logged out. /bin/false is a binary that immediately exits, returning false (a non-zero status).
Working with Home Directories
A user's home directory is the directory a user is placed in upon login. It is intended to store the user's files, directories and executables.
- identified by ~
- resides on the / partition
The /etc/skel directory contains files and directories that are copied over to a new user's home directory when it is created with the useradd command.
Standard Users
- provided a login shell and a home directory
- limited permissions to view system configs
- no permissions to modify system configs
Standard accounts may be granted the ability to perform privileged actions with sudo (super-user do).
Root User
Root is the system administrator account and has full access to all permissions on the system. Linux administrators need to be careful with the use of sudo privileges; it is a security best practice not to log into a system directly as root, but to "become" root.
su: you provide the root password and then become root (su = superuser).
sudo su: you provide your own password and, as long as you have sudo privileges (sudo = superuser do), you then become root.
For example: become the root user, but the login shell scripts (.bash_login, .bashrc, etc.) will not execute, so you will not inherit values set in them.
su root
For example: become root and all login shell scripts will execute, so the full environment and settings will be available.
su - root
su -l root
Applies to regular users as well (as long as you know the associated password)
Note: Root can su to any user without knowing the user's password.
Users that can execute commands with elevated root level privileges are listed in /etc/sudoers. The format of the file requires the user (or a group, if an entire group should have root privileges) to be listed along with what they are allowed to do.
For example: Provide the user account sudo rights for any command using elevated privileges.
user ALL=(ALL) ALL
For example: Limit the user to only be able to run systemctl with sudo privileges (so they can restart services).
user ALL=(ALL) /bin/systemctl
visudo is a special editing mode for vi that allows editing and syntax/error checking of the /etc/sudoers file, or the creation of config files in /etc/sudoers.d.
Note: The editor used can be changed by setting the EDITOR environment variable to any other available text editor.
System User
Application Service Accounts - System users are generally created when applications are installed:
- their home directories are set to application folders
- they normally do not have a login shell (/usr/sbin/nologin)
The purpose of having discrete users is to separate the functional privileges of each application and service from the others.
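The UID ranges, the non-login shells and the system-account conventions above combine into a simple audit: a system-range account that has been given an interactive shell, or two accounts sharing one UID, both break the separation those conventions are meant to provide. The following script is an added example (not from the original notes) that runs those two checks over passwd-format text; the sample /etc/passwd content is constructed for the example.

```sh
#!/bin/sh
# Added audit example (not from the original notes). Walks passwd-format
# text and reports system-range accounts (UID 1-999) with an interactive
# shell, and UIDs shared by more than one account. The sample content below
# is constructed, not taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
backupsvc:x:205:205:backup service:/opt/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash'

# Print "user:uid:shell" for accounts in the system UID range whose shell is
# not one of the non-login shells (/sbin/nologin, /usr/sbin/nologin, /bin/false).
system_accounts_with_shell() {
    printf '%s\n' "$1" | while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        [ -n "$uid" ] || continue
        [ "$uid" -ge 1 ] && [ "$uid" -le 999 ] || continue
        case "$shell" in
            /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
            *) printf '%s:%s:%s\n' "$user" "$uid" "$shell" ;;
        esac
    done
}

# Print each UID that appears on more than one line (possible with useradd -o
# or by hand-editing /etc/passwd). Two names sharing a UID are the same
# identity to the kernel, so the second name inherits every file and
# privilege of the first.
duplicate_uids() {
    printf '%s\n' "$1" | cut -d: -f3 | sort -n | uniq -d
}

# Against the live file: system_accounts_with_shell "$(cat /etc/passwd)"
system_accounts_with_shell "$SAMPLE_PASSWD"   # backupsvc:205:/bin/bash
duplicate_uids "$SAMPLE_PASSWD"               # 1000
```

Both functions take the file content as a string so they can be pointed at a copy collected from another host as easily as at the live /etc/passwd.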
User Management
Note: Although it is possible to create a user by directly editing the /etc/passwd and /etc/group files, this poses security risks AND can introduce errors that will prevent user login or cause unintended consequences.
User Management Files: /etc/passwd, /etc/shadow, /etc/group
Getting relevant user information can be done a few different ways:
- the id command
- the getent command: a utility that searches both the local files (/etc/passwd and /etc/shadow) and configured network sources for account information
- manually reading the /etc/passwd and /etc/shadow files
User Management tools:
Tool | /etc/passwd | /etc/shadow |
---|---|---|
pwck | X | X |
pwconv / pwunconv | X | X |
/etc/passwd:
/etc/passwd is a text file that contains the attributes for all user accounts on the system. This includes name, password, UID, GID, GECOS, home directory, and shell. The file contains 7 attribute fields for each local user.
- username
- password
- user ID
- group ID
- GECOS
- home directory
- login shell
/etc/shadow:
/etc/shadow is a text file that stores the passwords for all user accounts, in hashed form, as well as a few configurable password properties. Each line contains 8 fields.
- username
- password
- lastchanged
- minimum
- maximum
- warn
- inactive
- expire
clouduser:$5$alskXffMarjd$f1YSNjXfiuhwa:18249:0:99999:7:::
Note: structure of hashed passwords
username:hashed-password-with-salt:last:min:max:warn:inactive:expire
$5$alskXffMarjd$f1YSNjXfiuhwa = $id$salt$hashed
- $id [1-6]:
- 1: MD5
- 2a: Blowfish
- 2y: Blowfish
- 5: SHA-256
- 6: SHA-512
- $salt: A salt is a fixed-length, cryptographically strong random value that is combined with the password before hashing, so that two users with the same password get different hashes and precomputed hash tables cannot be used against the file.
- $hashed: Hashed password string
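The $id$salt$hashed layout and the eight colon-separated fields are easy to take apart with standard shell tools. The script below is an added example (not from the original notes) that does exactly that for one entry and then flags any user whose hash uses a weak or unrecognised $id; the sample shadow line is constructed, with a made-up salt and hash.

```sh
#!/bin/sh
# Added example, not part of the original notes: splits a shadow entry into
# its fields and decodes the $id$salt$hashed password format. The sample
# entry is constructed (made-up salt and hash, not a real credential).
SAMPLE_SHADOW='clouduser:$5$alskXffMarjd$f1YSNjXfiuhwa:18249:0:99999:7:::'

# Map the $id prefix of a crypt(3) hash to its algorithm. A leading ! or *
# means the password field is locked/unusable rather than a hash.
hash_algorithm() {
    case "$1" in
        '!'*|'*')         echo locked ;;
        '$1$'*)           echo MD5 ;;
        '$2a$'*|'$2y$'*)  echo Blowfish ;;
        '$5$'*)           echo SHA-256 ;;
        '$6$'*)           echo SHA-512 ;;
        '')               echo empty ;;
        *)                echo unknown ;;
    esac
}

# The salt is the middle $-delimited component of $id$salt$hashed.
hash_salt() {
    printf '%s' "$1" | cut -d'$' -f3
}

# Print one "name=value" line per shadow field for a single entry.
# The here-document expands $1 once; the $5$... inside the value is not
# expanded again, so the hash text is passed through untouched.
describe_shadow() {
    IFS=: read -r user pw last min max warn inact expire _reserved <<EOF
$1
EOF
    printf 'user=%s\nalgorithm=%s\nsalt=%s\nlastchanged=%s\nmin=%s\nmax=%s\nwarn=%s\ninactive=%s\nexpire=%s\n' \
        "$user" "$(hash_algorithm "$pw")" "$(hash_salt "$pw")" \
        "$last" "$min" "$max" "$warn" "$inact" "$expire"
}

# List users whose hash uses MD5 or an unrecognised prefix: the audit you
# would run over the whole file (as root) before tightening password policy.
weak_hash_users() {
    printf '%s\n' "$1" | while IFS=: read -r user pw _rest; do
        case "$(hash_algorithm "$pw")" in
            MD5|unknown) echo "$user" ;;
        esac
    done
}

describe_shadow "$SAMPLE_SHADOW"
# Against the live file (root only): weak_hash_users "$(cat /etc/shadow)"
```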
/etc/nsswitch.conf:
The /etc/nsswitch.conf file determines the order in which sources are searched for user account information during login.
For example:
passwd: files nis
shadow: files nis
will search the LOCAL files for account information first, and then the configured remote user database (here NIS) if the account is not found locally.
Creating Users
Command | Description |
---|---|
useradd | used to add or create users. Options are available for specifying UID, GID, home dir, and group membership |
Option | Description |
---|---|
-c | text string that is entered into the comment field in /etc/passwd |
-m | create the home directory |
-d | set the home directory |
-g | set the primary group id |
-G | set supplemental groups |
-k | set the skeleton directory |
-p | set the user's password to this encrypted password |
-r | create a system account |
-s | set the user's login shell |
-u | set the user id |
-o | set a non-unique user id |
useradd -c "<COMMENT>" -d <HOME_DIR> -m -g <GROUP> -p <PASSWORD> -s <USER_SHELL> <USERNAME>
Boilerplate files and folders for new accounts - The contents of /etc/skel are automatically copied when a new user's home dir is created via useradd.
/etc/default/useradd contains the default values for the useradd command when those parameters are not given.
Modifying User Settings
Command | Description |
---|---|
usermod | modify options and parameters set for a specific user |
Option | Description |
---|---|
-c | modify the user's password file comment field |
-d | change the user's home directory. Often used with the -m flag, which moves files from the current home dir to the new one |
-G | change the user's supplemental groups. Often used with the -a flag, which appends to, rather than replaces, the supplemental groups |
-L | lock the user account |
-U | unlock the user account |
usermod -c "COMMENT" -d HOME_DIR -m -g GROUP -p PASSWORD -s USER_SHELL USERNAME
Note: most of the options used with the usermod command are the same as those of useradd.
Removing Users
Command | Description |
---|---|
userdel | remove the user account (and, with -r, the home directory) |
Option | Description |
---|---|
-r | also removes the user's mail spool, owned print jobs, cron jobs and the home directory with all its contents (all other files owned by the user will still exist, with ownership shown as the numeric UID of the removed user, thus becoming orphaned) |
userdel -r <USERNAME>
Note: You cannot delete a user that is logged in or has a process associated with the account.
userdel is often used in combination with other commands like find.
For example: Search the server/directory for files owned by the user and remove the files approved for removal.
find <directory to search> -user <USERNAME>
Suspending Users
The passwd -l username and usermod -L username commands lock a user's password, but not the full account. They place a ! in the /etc/shadow file at the beginning of the hashed password so that no password can match it. Users can still log in by other means, such as SSH keys.
WARNING: Never edit the /etc/shadow file manually. If you must edit the file, make a backup copy first with cp /etc/shadow /etc/shadow.bak.date
Use chage -E 0 username for full account locking. To set a date for the account to expire, you can use:
usermod -e YYYY-MM-DD username
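The difference between a locked password and an expired account is visible directly in the /etc/shadow fields: passwd -l / usermod -L prefix field 2 with !, chage -E / usermod -e set field 8, chage -d 0 zeroes field 3, and a password whose age exceeds field 5 is expired on its own. The script below is an added example (not from the original notes) that classifies entries on that basis; the sample entries are constructed with made-up hashes, and "today" is passed in as a day count so the result is reproducible.

```sh
#!/bin/sh
# Added example, not from the original notes: classifies shadow entries the
# way the lock/expiry commands leave them. Day counts are days since
# 1970-01-01, the unit /etc/shadow uses. Sample entries are constructed.
SAMPLE_SHADOW='alice:$6$saltA$hashA:18249:0:99999:7:::
bob:!$6$saltB$hashB:18249:0:99999:7:::
carol:$6$saltC$hashC:18249:0:99999:7::0:
dave:$6$saltD$hashD:0:0:99999:7:::
erin:$6$saltE$hashE:18200:0:30:7:::'

# account_status ENTRY TODAY
#   -> locked | expired | must-change | password-expired | active
account_status() {
    IFS=: read -r _user pw last _min max _warn _inact expire _reserved <<EOF
$1
EOF
    today=$2
    case "$pw" in
        '!'*|'*')
            echo locked ;;            # passwd -l / usermod -L prefix, or no usable password
        *)
            if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
                echo expired          # chage -E / usermod -e date reached: whole account locked
            elif [ "$last" = 0 ]; then
                echo must-change      # chage -d 0: password must be reset at next login
            elif [ -n "$max" ] && [ "$max" -ge 0 ] && [ "$max" -lt 99999 ] \
                 && [ $((last + max)) -lt "$today" ]; then
                echo password-expired # lastchanged + max lies in the past
            else
                echo active
            fi ;;
    esac
}

# One "user status" line per entry, for a whole file's content.
report_accounts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(account_status "$line" "$2")"
    done
}

TODAY=$(( $(date +%s) / 86400 ))
report_accounts "$SAMPLE_SHADOW" 18300   # fixed "today" for the sample data
# Live audit (root only): report_accounts "$(cat /etc/shadow)" "$TODAY"
```

Note that bob shows as locked even though, as the text above says, an SSH key would still let him in; only carol's state (expire field reached) blocks every login method.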
Managing User Passwords
See the man page for the passwd command.
Command | Description |
---|---|
passwd | update a user's password |
Update a user's password - The passwd utility may be used to update the current user's password, or another user's with sufficient privileges.
passwd <USERNAME>
Command | Description |
---|---|
chage | change password expiry information |
Option | Description |
---|---|
-d [date] | Set the number of days since the password was reset. 0 forces a password reset at next login |
-m [# days] | How long the user must wait (in days) between password changes |
-M [# days] | Maximum number of days a password is valid for. Once that number passes the user is required to reset their password |
-I [# days] | Number of days of inactivity after password expiration before the account is locked |
-E [date] | Set the date when the user account will be locked out, requiring admin intervention. A value of -1 means the account never expires |
-W [# days] | How many days before expiration the user receives a warning that the password will expire |
-l | Display all values for the indicated user |
chage -l <USERNAME>
Managing User Files and Processes
Search for files owned by a user:
find / -user <USERNAME>
Search for processes owned by a user and kill them:
ps U <USERNAME>
kill <PID>
Remove a user and their home directory from the system:
userdel -r <USERNAME>
Note: Users can change their own password, but not other users' passwords (without sudo); root can change any user's password.
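The three steps above (find the user's files, stop their processes, then userdel -r) are what a removal runbook wraps; the part that is easy to forget is the check afterwards for files that have lost their owner. The following is an added example (not from the original notes) with those checks as shell functions; the find is limited to a directory argument so it can be exercised on a temporary tree, and the userdel step requires root.

```sh
#!/bin/sh
# Added example, not from the original notes: the checks to run around
# userdel. DIR limits the find to a subtree so it is quick to test; on a real
# host you would use / as in the find command above. Root is needed for the
# userdel step and for seeing every user's processes.

# PIDs still owned by USER (the "ps U USER" step). USER may be a name or UID.
user_processes() {
    ps -u "$1" -o pid= 2>/dev/null
}

# Regular files under DIR owned by USER (the "find DIR -user USER" step).
user_files() {
    find "$2" -user "$1" -type f 2>/dev/null | sort
}

count_user_files() {
    user_files "$1" "$2" | wc -l | tr -d ' '
}

# Files under DIR whose owning UID no longer exists in /etc/passwd. This is
# what userdel leaves behind outside the home directory (the "orphaned" files
# the userdel -r description mentions): ownership shows as a bare UID, and a
# future account created with that UID silently inherits them.
orphaned_files() {
    find "$1" -nouser -type f 2>/dev/null | sort
}

# Refuse to delete an account that still has processes (userdel refuses too,
# but the listing tells you what to stop first).
remove_user_if_idle() {
    if [ -n "$(user_processes "$1")" ]; then
        echo "refusing: $1 still has running processes:" >&2
        user_processes "$1" >&2
        return 1
    fi
    userdel -r "$1"
}

# Demo on a temporary directory owned by the current user (numeric UID, so it
# also works where the running UID has no passwd entry).
demo_dir=$(mktemp -d)
touch "$demo_dir/report.txt" "$demo_dir/notes.txt"
echo "files owned by uid $(id -u) under $demo_dir: $(count_user_files "$(id -u)" "$demo_dir")"   # 2
echo "orphaned files under $demo_dir: $(orphaned_files "$demo_dir" | wc -l | tr -d ' ')"
rm -rf "$demo_dir"
```

After a real removal, running orphaned_files / over the whole tree (or chown'ing the results to a successor account) is the step that turns "the user is gone" into "the user's privileges are gone".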
Groups
Groups allow us to group users together for a set of permissions. Getting relevant information can be done in different ways.
Like users, groups are given an identification number (GID) that is stored along with the corresponding group name in /etc/group.
The groups command will allow a user to see what primary and secondary groups they are a member of.
Note: Special GIDs
- GID 1: bin group (system binaries and non-login accounts)
- GID 100: users group (put users in this group to give access to resources by assigning the group ownership to this group)
Group Management
Group Management Files: /etc/group, /etc/gshadow
Group Management tools:
Tool | /etc/group | /etc/gshadow |
---|---|---|
gpasswd | X | X |
grpck | X | X |
grpconv / grpunconv | X | X |
/etc/group:
/etc/group is a text file that contains all of the groups configured on a system, and the users who belong to those groups. The file contains the following 4 fields.
- group
- password
- group ID
- group list
Note: view group membership with groups [USERNAME]
/etc/gshadow:
/etc/gshadow is a text file that contains all of the groups configured on a system and the encrypted group password, if one is set. It also lists group administrators and group members.
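A user whose primary GID (passwd field 4) is a given group's GID does not appear in that group's member list (group field 4), so auditing who is really in a privileged group such as wheel needs both files, not just /etc/group. The following is an added example (not from the original notes) that computes the effective membership from constructed /etc/passwd and /etc/group contents.

```sh
#!/bin/sh
# Added example, not from the original notes: effective group membership
# from passwd + group content. Both samples are constructed.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash'
GROUP_SAMPLE='root:x:0:
wheel:x:10:carol,alice
users:x:100:bob
bob:x:1001:
carol:x:1002:'

# GID of GROUP from group-file content.
group_gid() {    # $1 group content, $2 group name
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $3 }'
}

# Effective members of GROUP: users whose primary GID is the group's GID
# (passwd field 4) plus the names in the group's member list (group field 4).
# Output is one space-separated, sorted, de-duplicated line.
group_members() {  # $1 passwd content, $2 group content, $3 group name
    gid=$(group_gid "$2" "$3")
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$1" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
        printf '%s\n' "$2" | awk -F: -v g="$3" '$1 == g && $4 != "" { print $4 }' | tr ',' '\n'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# alice is in "users" only through her primary GID; "groups alice" shows it,
# but grep users /etc/group would not.
group_members "$PASSWD_SAMPLE" "$GROUP_SAMPLE" users   # alice bob
group_members "$PASSWD_SAMPLE" "$GROUP_SAMPLE" wheel   # alice carol
# Live: group_members "$(cat /etc/passwd)" "$(cat /etc/group)" wheel
```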
Creating Groups
Command | Description |
---|---|
groupadd | used to add or create a group |
Option | Description |
---|---|
-g | set the primary group id |
-G | set supplemental groups |
-n | set the home directory |
groupadd -g <GID> -n <GROUP_NAME>
For example: creating a user with a primary group and a secondary group
useradd -g <GROUP> -G <SECONDARY_GROUP> username
/etc/default/groupadd contains the default values for the groupadd command when those parameters are not given.
Modifying Group Settings
Command | Description |
---|---|
groupmod | modify options and parameters set for a specific group |
Option | Description |
---|---|
-g | set the group id |
groupmod -g <GID> <GROUP_NAME>
Note: most of the options used with the groupmod command are the same as those of groupadd.
Removing Groups
Command | Description |
---|---|
groupdel | removes the indicated group. Files/directories owned by the group then show the bare numeric GID as their group owner; you can change ownership at that point |
groupdel <GROUP_NAME>
Note: You cannot delete a group that is the primary group of an existing user.
groupdel is often used in combination with other commands like find.
For example: Search the server/directory for files owned by the group and remove the files approved for removal.
find <directory to search> -group groupname
Enabling User and Group Disk Quotas
quotacheck, edquota, quotaon and repquota
Configure a system disk with a new 2GB partition. Sync the system disks, and view the newly created partition.
lsblk
fdisk /dev/xvdb
partprobe /dev/xvdb
lsblk
Create the filesystem and the mount point.
mkfs -t ext4 /dev/xvdb1
mkdir /app
Get the UUID for the disk and use it to configure /etc/fstab with a group and user quota. Then mount the filesystem and change permissions on the mount point.
blkid /dev/xvdb1
vim /etc/fstab
mount -a
chown test:test /app
Install the quota package, create the quota files, and assign the user and group quotas for the filesystem.
yum install -y quota
quotacheck -cug /app
edquota test
edquota -g test
Enable the user and group quotas on the /app filesystem and verify the quota configuration.
quotaon -vug /app
repquota /app
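The "configure /etc/fstab with a group and user quota" step above is done by adding usrquota and grpquota to the mount options of the entry, and quotacheck/quotaon only work on a filesystem mounted with those options. The following is an added example (not from the original notes) showing such an entry and a check that a mount point carries both options before the quota steps are run; the UUID values are placeholders, not from a real disk.

```sh
#!/bin/sh
# Added example, not from the original notes: the fstab entry the quota
# procedure needs, plus a check that a mount point carries both quota
# options before quotacheck is run. UUIDs are placeholders. Both samples
# are constructed.
FSTAB_SAMPLE='# <device>                                  <mount> <type> <options>                  <dump> <pass>
UUID=00000000-0000-0000-0000-000000000000 /app    ext4   defaults,usrquota,grpquota 0      2
UUID=11111111-1111-1111-1111-111111111111 /data   ext4   defaults                   0      2'

# Print the mount point of every non-comment fstab line whose option list
# contains both usrquota (needed for edquota USER) and grpquota (needed for
# edquota -g GROUP).
fstab_quota_mounts() {
    printf '%s\n' "$1" | awk '
        $0 !~ /^[ \t]*(#|$)/ {
            n = split($4, opts, ",")
            u = 0; g = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "usrquota") u = 1
                if (opts[i] == "grpquota") g = 1
            }
            if (u && g) print $2
        }'
}

# Exit 0 if MOUNT is quota-enabled in the given fstab content, 1 otherwise.
fstab_has_quota() {   # $1 fstab content, $2 mount point
    fstab_quota_mounts "$1" | grep -qx -- "$2"
}

fstab_quota_mounts "$FSTAB_SAMPLE"   # /app
# Against the live file: fstab_has_quota "$(cat /etc/fstab)" /app && quotacheck -cug /app
```

Splitting the option field on commas rather than grepping for the substring avoids accepting entries such as noquota or usrjquota that merely contain the word.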
Configure Advanced PAM
What is PAM
The Pluggable Authentication Modules (PAM) system adds a layer of security to administrative tools and commands. PAM consists of dynamically loadable libraries that control how different applications verify and authenticate users.
PAM is also used to standardize user authentication. For example, the /etc/pam.d/login file contains the following line:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
This means that the root user can only log in from the secure terminals defined in /etc/securetty.
Typically, configuration files in /etc/pam.d/ are named according to the program that uses them to authenticate. However, some applications make no changes to the default files and are symlinked to them instead of having their own PAM configuration files.
You can change how PAM-aware applications like the console login program verify their users by changing the appropriate configuration file.
PAM Rule Types
There are four different PAM rule types:
- Authentication Management (auth): Validates identity
- Account Management (account): Allows or denies access based on account policies
- Password Management (password): Manages password change policies
- Session Management (session): Applies settings for application sessions
PAM Control Flags
There are five different PAM control flags:
- required: If the module passes, PAM proceeds to the next rule of the same type. If it fails, PAM still proceeds through the remaining rules, but the overall result is a failure.
- requisite: If this module fails, PAM does not check any more rules; it simply returns a failure.
- sufficient: If this module passes (and no earlier required module has failed), no other rules of this type are processed. If the module fails, PAM continues processing the rest of the rules of this type.
- optional: Whether this module passes or fails, PAM ignores the result and proceeds to the next rule (the result only counts when it is the sole module of its type).
- include: Includes all rules of the same type from the designated configuration file. For example, if the rule says password include system-auth, all password rule types from the PAM system-auth file will be included in this configuration file.
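The way these flags combine is what makes a stack's ordering security-relevant: a sufficient module placed before a required one can short-circuit the required check. The following is an added example (not from the original notes) that simulates how PAM combines the results of the rules of one type under the four keyword flags; input lines are constructed "control result" pairs, and include is not modelled because it splices in another file's rules rather than contributing a result.

```sh
#!/bin/sh
# Added example, not from the original notes: a small simulator for how PAM
# combines the results of the rules of one type (auth, account, ...) under
# the control flags. Input lines are "control result", result being pass or
# fail, in the order they appear in the /etc/pam.d file. 'include' is not
# modelled; it splices in another file's rules of the same type.
pam_stack_result() {
    required_failed=0
    verdict=""
    while read -r control result; do
        [ -n "$control" ] || continue
        case "$control" in
            required)
                # Keep evaluating, but remember that the stack must fail.
                if [ "$result" = fail ]; then required_failed=1; fi ;;
            requisite)
                # Failure ends the stack at once.
                if [ "$result" = fail ]; then verdict=fail; break; fi ;;
            sufficient)
                # Success ends the stack with success, unless an earlier
                # required module already failed; failure is simply skipped.
                if [ "$result" = pass ] && [ "$required_failed" -eq 0 ]; then verdict=pass; break; fi ;;
            optional)
                # Ignored (it only counts when it is the sole module of its type).
                ;;
            *)
                echo "unknown control flag: $control" >&2; return 2 ;;
        esac
    done
    if [ -z "$verdict" ]; then
        if [ "$required_failed" -eq 1 ]; then verdict=fail; else verdict=pass; fi
    fi
    echo "$verdict"
}

# Constructed stacks (not from a real /etc/pam.d file):
printf '%s\n' 'required pass' 'sufficient pass' 'required fail' | pam_stack_result   # pass: the last rule is never reached
printf '%s\n' 'required fail' 'sufficient pass' | pam_stack_result                   # fail: sufficient cannot override it
printf '%s\n' 'requisite fail' 'sufficient pass' | pam_stack_result                  # fail: stack stops at requisite
printf '%s\n' 'optional fail' 'required pass' | pam_stack_result                     # pass: optional result ignored
```

The first stack is the case to watch for when reviewing a pam.d file: a required rule that comes after a sufficient one never runs for a user the sufficient module accepts.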
Using LDAP for Authentication
Lightweight Directory Access Protocol (LDAP) is a protocol that allows quick transfer of user information from a central point of authority to any number of clients.
This allows users to be configured in one place, rather than individually throughout the environment.
Microsoft’s Active Directory is a directory service, and you can use LDAP to talk to it.
OpenLDAP is another popular directory service, and as the name implies it can also use LDAP to distribute information.
LDAP with Linux
Using LDAP for user information is easier than it may sound. It requires installing a few packages and then setting up authconfig.
Packages:
nss-pam
pam_krb5
autofs
nfs-utils
openldap-clients
authconfig command:
authconfig --enableldap \
--enableldapauth \
--enablemkhomedir \
--enableldaptls \
--ldaploadcacert=<CERT_FILE> \
--ldapserver=<LDAP_SERVER_HOSTNAME> \
--ldapbasedn="dc=<DC>,dc=com" \
--update