
GROUP 3

A PRESENTATION ON USER ADMINISTRATION, USER ACCOUNT CREATION, ACCOUNT MANAGEMENT, SECURITY, PERMISSION AND ACCESS LEVELS

USER ADMINISTRATION
Involves creating and manipulating user accounts and groups, managing them and the overall system security in Linux.
The following are the user account types created in user administration.
• Root account, also called the superuser, which is the most powerful user account and can perform any operation, such as changing passwords or navigating to any directory on the file system. On some hosts it may be recommended to lock the root account in order to avoid security issues.
• System accounts are accounts used by processes or programs on your host. They are often given restricted permissions and are prevented from accessing an interactive shell. It is recommended not to modify the system accounts yourself.
• User accounts are accounts used by real users; for example, they might be members of your team, or accounts that you created for them to retrieve some files on the host. It is recommended to modify those accounts in order to give them a correct configuration.
• By default, users on your host are assigned one or multiple groups. The groups have the same names as the user accounts, and every user belongs to at least one group. Groups are created so that users can share the same set of permissions or the same restrictions on the Linux host.
Groups are split into two categories on Linux.
• Primary group: one user may have one and only one primary group at a time. The primary group is the group assigned to a file or directory when the user creates it on the system.
• Secondary group: a user may belong to many other groups. If they belong to a specific team on your host, they will belong to that team's group, for example administrators.
MANAGING USERS AND GROUPS
• /etc/passwd, which keeps the user account and password information. This file holds the majority of the information about accounts on the Linux system.
• /etc/shadow, which holds the encrypted password of the corresponding account. Note that not all systems support this file.
• /etc/group, which contains the group information for each account.
• /etc/gshadow, which contains secure group account information.
Commands used in Linux and their descriptions:
• useradd: adds accounts to the system.
• usermod: modifies account attributes.
• userdel: deletes accounts from the system.
• groupadd: adds groups to the Linux system.
• groupdel: removes groups from the Linux system.
• groupmod: modifies group attributes.
Only root or users with sudo privileges can use the useradd command to create new accounts, and each user created is unique, with a different username.
USER ACCOUNT CREATION
The useradd command performs the following actions:
• Reads the /etc/login.defs and /etc/default/useradd files to get the default values to use when creating accounts. The /etc/login.defs file provides default configuration information for user account parameters.
• Checks the command line parameters to find out which default values to override.
• Creates a new user entry in the /etc/passwd and /etc/shadow files based on the default values and the command line parameters.
• Creates any new group entries in the /etc/group file.
• Creates a home directory named after the user in the home directory.
• Copies any files located in the /etc/skel directory to the new home directory.
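The entries useradd writes to /etc/passwd and /etc/shadow are what an administrator later has to review. As an added example (not part of the original slides), the script below parses constructed copies of both files and flags the conditions a reviewer looks for: a second UID 0 account, an empty password field, a locked account that still has a login shell, and an expired account that was never deleted. The account names and hashes are made up.

```python
# Added example, not from the original slides: audit /etc/passwd and /etc/shadow
# for the problems the deck warns about. The two file bodies are constructed samples.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup2:x:0:0:old backup admin:/root:/bin/bash
contractor:x:1002:1002:Temp:/home/contractor:/bin/bash
"""
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (expire is days since 1970-01-01; '!' or '*' in front of the hash = locked)
SHADOW_SAMPLE = """\
root:$6$saltsalt$fakehash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$saltsalt$fakehash:19700:0:90:7:::
bob::19700:0:99999:7:::
backup2:!$6$saltsalt$fakehash:19700:0:99999:7:::
contractor:$6$saltsalt$fakehash:19700:0:99999:7::19750:
"""

def parse_colon_file(text):
    """Map account name -> list of fields for a passwd/shadow-style file."""
    rows = (line.split(":") for line in text.splitlines() if line and line[0] != "#")
    return {f[0]: f for f in rows}

def audit_accounts(passwd_text, shadow_text, today_days):
    """Return sorted (account, finding) pairs; today_days is today's date in
    days since 1970-01-01, the unit the shadow expire field uses."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, f in passwd.items():
        uid, shell = int(f[2]), f[6]
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))      # a second superuser
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no /etc/shadow entry"))
            continue
        pw_hash, expire = s[1], s[7]
        if pw_hash == "":
            findings.append((name, "empty password field"))     # logs in with no password
        elif pw_hash[0] in "!*" and not shell.endswith(("nologin", "false")):
            findings.append((name, "password locked but account still present"))
        if expire and int(expire) < today_days:
            findings.append((name, "expired but not deleted"))  # should be removed
    return sorted(findings)
```

On a real host you would read the two files instead of the constants; today's day number is `int(time.time() // 86400)`.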
ACCOUNT MANAGEMENT
The following are the rules associated with account management.
• One user per user account. Accounts should enforce accountability, therefore multiple people should not log into one account. If many people share an account, there is no way to prove that a particular individual completed a particular task or action.
• Limit access to the root user account. If multiple people log into the root account, you cannot track individual use of it. Grant root access on a per-command basis with the sudo command instead, which is beneficial in the following ways:
  • The root password doesn't have to be given out.
  • You can fine-tune command access.
  • All sudo use (who, what, when) is recorded in /var/log/secure, including any failed sudo attempts.
  • After you grant someone sudo permission, you can restrict their root access to certain commands in the /etc/sudoers file.
• Set expiration dates on temporary accounts. Reviewing all user account expiration dates should be considered part of security monitoring activities, which helps to eliminate potential back doors into your Linux system.
• Remove unused user accounts. A series of steps should be performed to remove unused accounts along with their data. The steps are:
  • Find the files on the system owned by the account using the find / -user username command.
  • Expire or disable the account.
  • Back up the files.
  • Remove the files or reassign them to a new owner.
  • Delete the account from the system. If you forget to delete the accounts and the disabled or expired accounts are still on the Linux system, a malicious user might gain access to the system, renew the account and then use it as a legitimate user.
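The who/what/when trail that sudo writes to /var/log/secure is only useful if someone reads it. As an added example (not part of the original slides), the parser below turns constructed sudo records into a list of commands run per user and a separate list of failed attempts, including the "user NOT in sudoers" and "incorrect password attempts" messages. The host name web01 and the users alice and bob are made up.

```python
# Added example, not from the original slides: review sudo records from a
# /var/log/secure-style file (who, what, when, and failed attempts).
# The log lines are constructed samples; "web01", alice and bob are made up.
import re

SECURE_SAMPLE = """\
Mar  3 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:13:20 web01 sshd[2210]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
Mar  3 09:15:44 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 09:16:02 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 09:20:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
"""

# One sudo record: timestamp, host, 'sudo:', invoking user, an optional failure
# reason, then the TTY/PWD/USER/COMMAND fields that sudo always logs.
SUDO_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo(?:\[\d+\])?:\s+(?P<who>\S+) : "
    r"(?:(?P<error>[^;]*?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<as>\S+) ; COMMAND=(?P<what>.*)$"
)

def parse_sudo_log(text):
    """Return (events, failures). events: (when, who, target_user, command)
    for sudo use that went through; failures: (when, who, reason, command)."""
    events, failures = [], []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue                      # sshd and other daemons log here too
        if m["error"]:
            failures.append((m["when"], m["who"], m["error"], m["what"]))
        else:
            events.append((m["when"], m["who"], m["as"], m["what"]))
    return events, failures

def commands_by_user(events):
    """Per-user command counts: the per-command trail the deck says sudo gives you."""
    counts = {}
    for _, who, _, _ in events:
        counts[who] = counts.get(who, 0) + 1
    return counts
```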
SECURITY
The main security requirements in Linux are as follows:
• Authorization: only allow access to data by authorized personnel.
• Authenticity: verify that personnel are who they claim to be.
• Privacy/confidentiality: ensure that personal information can't be compromised.
• Integrity: ensure the data is in its right form and has not been tampered with.
• Non-repudiation: confirm that the data was received and that this can be proven.
• Availability: ensure the system can perform its required functions.
Security can be ensured in many ways while using Linux.
• To ensure the physical security of the server room, one has to perform the following:
  • Lock or install security alarms on the server room.
  • Implement access controls that only allow access to authorized people and that identify who accessed the room and when, by using an access key entry system.
  • Implement policies on who can access the room and when.
• To ensure internal security on the Linux server, the following should be implemented:
  • Back up data, media and software; backups should be included in the Access Control Matrix checklist. Backup utilities include cpio, dump/restore, tar and rsync.
  • Secure user accounts through proper user account management. When securing user accounts, the following rules should be followed to increase security:
    • One user per account, which ensures there is proof that a particular individual completed a particular action.
    • Limit access to the root user account, which supports non-repudiation. To track root account use by individuals, the sudo command should be used instead of logging into the root account. After granting sudo permissions, one can restrict root access to certain commands.
    • Set expiration dates on temporary accounts, which safeguards you in case you forget to remove temporary accounts when they no longer need access to your
PERMISSIONS AND GROUP ACCESS LEVELS
• Access levels are groups with a non-empty set of granted rights. Their purpose is to define the extent of the permissions that users have. Access levels include read (r), write (w) and execute (x).
• Access to a file or other resource is based on permissions that are granted or removed at the owner, group and other levels.
• Every file and directory has a basic set of access permission bits, each of which can be true or false.
• For each level of access control (user, group, other), three bits correspond to the three permission types. For regular files, these three bits control read access, write access and execute permission.
• The ls -l command is used to show the state of the permission bits for files and directories.
• The first block represents the user permission bits, the second block represents the group permission bits and the last block represents the other permission bits.
  • User permissions: the first set of read/write/execute permissions in an access mode; they apply to the file's owner.
  • Group permissions: the second set of read/write/execute permissions in an access mode; they apply to users that are members of the file's group.
  • Other permissions: the third set of read/write/execute permissions in an access mode.
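To show how the three blocks are applied, here is an added example (not from the original slides) that reads an ls -l mode string, converts it to the octal form chmod uses, and decides whether a given user may read, write or execute the file. It makes explicit the rule that only one block is consulted: an owner whose own bits deny an operation is refused even if the group or other bits would allow it. The owner, group and user names in the checks are constructed.

```python
# Added example, not from the original slides: read the nine permission bits
# that `ls -l` shows and decide whether a given user can read, write or
# execute a file. Owner/group names used in the checks are constructed.
def parse_mode(mode_str):
    """'rwxr-x---' or a full ls -l field like '-rwxr-x---' ->
    {'user': {'r','w','x'}, 'group': {'r','x'}, 'other': set()}."""
    if len(mode_str) == 10:                  # leading file-type character
        mode_str = mode_str[1:]
    if len(mode_str) != 9:
        raise ValueError("expected 9 permission characters, got %r" % mode_str)
    levels = {}
    for name, chunk in zip(("user", "group", "other"),
                           (mode_str[0:3], mode_str[3:6], mode_str[6:9])):
        bits = set()
        for c in chunk:
            if c in "rw":
                bits.add(c)
            elif c in "xst":                 # s/t: setuid/setgid/sticky with exec set
                bits.add("x")                # S/T (uppercase) mean exec is NOT set
        levels[name] = bits
    return levels

def to_octal(mode_str):
    """'-rwxr-x---' -> '750', the form used with chmod."""
    levels = parse_mode(mode_str)
    return "".join(str(4 * ("r" in b) + 2 * ("w" in b) + ("x" in b))
                   for b in (levels["user"], levels["group"], levels["other"]))

def can_access(mode_str, owner, group, who, who_groups, op):
    """op is 'r', 'w' or 'x'. The kernel consults exactly one block: the user
    bits if `who` owns the file, else the group bits if `who` is a member of
    the file's group, else the other bits. Later blocks are never tried.
    (root's bypass of these checks is not modelled here.)"""
    levels = parse_mode(mode_str)
    if who == owner:
        return op in levels["user"]
    if group in who_groups:
        return op in levels["group"]
    return op in levels["other"]
```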
