Linux Services Organization

Our goal, introduce Linux services to the enterprise world.
Contact us in contact@linuxsv.org

Linux Services Organization : User Administration Linux Server

/etc/passwd

The file where system user account definition is done is /etc/passwd. This file has the following structure :


$ cat /etc/passwd
...
username:x:500:500:Some comments:/home/username:/bin/bash

...

username
The system account username . It should not start with a number or include uppercase letters.

x
The password. An x points to /etc/shadow for the password. An * means the account is disabled. A random group of letters and numbers represents the encrypted password.

500
The user ID (UID) for that user.

500
The group ID (GID) associated with that user.

Some comments
Any information can be used in this field.

/home/username
By default, RHEL places new home directories in /home/username.

/bin/bash
Default user shell.

In order add/delete users to the system this file can be edited directly with vipw or using useradd/userdel commands as described in next sections.

/etc/group

The file where system group account definition is done is /etc/group. This file has the following structure :


$ cat /etc/group
...
groupname:x:500:user1,user2
...


groupname
The system account groupname user gets his own group. By default when a user is created is related to a group with groupname equal to username.

x
The group password password. An x points to /etc/gshadow for the password. As user password on /etc/passwd random group of letters and numbers represents the encrypted password.

500
The group ID (GID) associated with user.

user1,user2
Lists of users that belong to the group. If it's blank means that there is a username that is identical to the groupname.

In order add/delete groups to the system this file can be edited directly with vigr or using useradd/userdel commands as described in next sections.

/etc/shadow

The /etc/passwd file is can be read for every user on the system so include the encrypted password there is not a good idea. For this reason the file /etc/shadow accessible to root only is used to store the encrypted password :

$ cat /etc/shadow
...
username:$1sdsew$td%wqee@132ewSDADdsa:14860:0:99999:7:::
...


username
Username shadow entry, it is related with 'username' account on /etc/passwd.

$1sdsew$td%wqee@132ewSDADdsa
Encrypted password. An x in the second column of /etc/passwd means that the encrypted password is stored here.

14860
Last password change date, in Linux epoch number of days: number of days after January 1, 1970.

0
The value of 0 here means that this user can keep this password forever.

99999
The system will ask to username to change his password after 99999 days since account creation.

::
This value means the number of days before password expiration when a warning is given, in this case none.

::
It sets the number of days after password expiration when an account is made inactive, in this case none.

::
This value means the number of days after password expiration when an account is disabled, in this case none.

Adding user account

When a user account needs to be added to the system the command useradd must be used :

$ useradd -u 600 -c "Test add user" -d /home/john -s /bin/bash john

With this command we have created the user account 'john' with UID=600 which home directory in /home/john and default shell bash. By default the user is assigned to a new created group 'john' with GID=600. This value can be changed using the -g option.

$ cat /etc/passwd
...
john:x:600:600:Test add user:/home/john:/bin/bash


Next step must be create a password to 'john' account with the command '$ passwd john'

Deleting user account

When a user account needs to be removed in the system the command userdel must be used :

$ userdel -r john

With this command all information about 'john' account is removed on the system, including all /home/john directory and mail spool files.

Modifying user account

In order to change the parameters of an existing account the commands usermod and/or chage can be used :

$ usermod -e 2012-10-08 john
Sets the expiration account day for user 'john' to 2012-10-08

$ usermod -G sales john
Sets 'john' account group ownership to 'sales' group.

$ chage -E -1 john
Removes any account expiration date for user 'john'

User profile

By default when a user account is created some environment files stored in /etc/skel are copied to the user home directory. Any changes applied to this files on /etc/skel directory are propagated to the new users home directories.

.bashrc
This file points to the general /etc/bashrc configuration file. It normally includes the commands to be run bash shell is started.

.bash_logout
This file is executed when the user exits a bash shell. It normally includes commands for clearing screen, umount partitions, etc.

.bash_profile
It is the bash startup environment where environment variables as PATH and LIB_PATH are configured.

The system-wide shell configuration files are stored in /etc/bashrc and /etc/profile. These files configure the default system-wide umask value for default file creation permission, the default prompt display, the system-wide PATH, aliases, etc.

Switch accounts with 'su'

The 'su' commands allows the change between users accounts without logout :

$ su - john
Password:
john-$


It also allows to execute some command/script as another user after authentication without changing the user account :

john-$ su cate -c id
Password:
uid=501(cate) gid=502(cate) groups=502(cate) context=user_u:system_r:unconfined_t

Without changing user john account we have executed the 'id' command as 'cate' user after typing cate password

Execute a command as another user with 'sudo'

A most powerful way to execute process as another user than 'su -c' is the sudo command. The file /etc/sudoers accessible with visudo command controls how sudo is executed.

The sudoers file format looks like:

user host = (userl) command

* user is the username or groupname to which the rule applies
* host is a list of hosts where the rule applies
* userl is the user that this rule can be run as. If it is not specified sudo run the command as root user
* command is the command/s that can be run as userl from user account

The parameters host, userl and command can be replaced with the ALL, meaning unrestricted access for this parameter. The parameter NOPASSWD after userl means that no passowrd authentication is required on sudo execution.

Sudo examples

%john ALL=(cate) /usr/bin/id


john-$ sudo -u cate id
[sudo] password for john:
uid=502(cate) gid=503(cate) groups=503(cate) context=user_u:system_r:unconfined_t


Without changing user john account we have executed the 'id' command as 'cate' user after typing john password. Note the difference with the 'su' command, with sudo you do not need to know the user password to run a process as that user.

%john ALL=(cate)NOPASSWD: /usr/bin/id


john-$ sudo -u cate id

uid=502(cate) gid=503(cate) groups=503(cate) context=user_u:system_r:unconfined_t


The same as before without typing any password

%john ALL=NOPASSWD: /bin/mount, /bin/umount


john-$ sudo mount /dev/sda1 /mnt

User john can execute mount/umount (only root can run these commands) as root without typing any password. Note that no userl is specified the sudo execution is done as root.

SUID

The Set User ID permission changes the effective user ID permission to the owner file user ID in the file execution. It allows run a command/script as the owner´s file. In this case the permission is set up on the standard file permission with the chmod u+s command. One common example is the passwd command that allow system users change their password without being root on the system :

$ ls -lrt /usr/bin/passwd
-rwsr-xr-x 1 root root 22960 jul 17 2006 /usr/bin/passwd


The 's' on the user permission field means that this when a system user like 'john' will run this command it will be executed with the effective owner file user ID root which has the right permissions to modify the /etc/shadow file in order to change 'john' password.

SGID

The Set Group ID permission changes the effective group ID permission to the owner file group ID in the file execution. It allows share files between users in the same group. As the SUID the permission is set up on the standard group directory using the command chmod g+s command:


$ groupadd admin
Create a new system group called admin.


$ usermod -G admin -a mike
$ usermod -G admin -a cate
$ usermod -G admin -a john

Add users john, cate and mike to 'admin' group.

$ mkdir /home/admin
Create the shared directory '/home/admin'.

$ chown nobody:admin /home/admin
Change the shared directory group ownership to 'admin'.

$ chmod 770 /home/admin
Only group 'admin' has access to the shared directory '/home/admin'.

$ chmod g+s /home/admin
$ ls -lrt /home/ | grep admin drwxrws--- 2 nobody admin 4096 oct 30 08:51 admin
Set the group bit to the shared directory '/home/admin', the 's' in the group permission field. Now the files created on /home/admin automatically inherits 'admin' group ID so all 'admin' group members (john ,cate and mike) can access rw directly to all the files on the shared /home/admin group directory without changing any permission.

STICKY DIRECTORY

The sticky permission ('t' on others permission field) allows to remove files only to the owner in 777 directories as /tmp. Thanks to the sticky permission on /tmp everybody can create/remove files but only the owner of the file can remove it. As previous examples the permission is applied on the directory with the chmod o+t command :


$ chmod o+t /tmp
$ ls -lrt / | grep tmp
drwxrwxrwt 93 root root 4096 oct 30 08:55 tmp

$ su - john
john-$ ls -lrt /tmp/cate
-rwxrwxrwx 1 cate cate 0 oct 30 08:55 cate
john-$ rm /tmp/cate
rm: can not remove «cate»: Permision denied


The file /tmp/cate has 777 permision so everybody can remove it, but the directory that contains the file /tmp has the sticky bit set so only the file owner ('cate') can remove /tmp/cate.

Questions

1.- The encrypted user password is always stored on /etc/shadow (true/false)

2.- Regular users accounts must have an user id UID equal or over 500 (true/false)

3.- By default in CentOS when a user account is created this user is assigned to 'users' group (true/false)

4.- Which command will set up the SGID bit on /home/share directory ?

5.- Which command will set up the SUID bit on /root/script/compare.sh script ?

6.- The line '%john ALL=NOPASSWD: /sbin/' on /etc/sudoers files allow users or group 'john' execute any command in /sbin/ directory as root using 'sudo' command. (true/false)

7.- Which file must be modified in order to execute 'echo "user john has logout" every time user 'john' logout from bash shell ?

8.- Root account can not be locked using 'chage' command. (true/false)

9.- In which directory are stored the files that contains the user/group accounts ?
A - /root
B - /etc
C - /passwd

10.- Which permission bit is set up on directories to allow only the owner of the file remove it ?
A - sgid bit 'g'
B - stiky bit 't'
C - suid bit 's'
D - None of them

Labs

1.- Create user accounts 'ben', 'kim' and 'will' with password 'shared'. Create a group called 'shared' and make it the secondary group of ben, kim and will accounts.

2.- Create the directory /home/shared and make possible that only members of 'shared' group can rw all files on it without changing any file permission.

3.- Configure 'sudo' to allow users on group 'shared' to execute any command as root without typing any password.

-- This page is part of Linux Server online tutorial --