04 Admin and Security


Admin and security

NB: all examples use the emulator in Linux Essentials, not Linux Unhatched; files and directories differ in each course.
Recap week 3
Commands
• which command would you use to output the entire contents of a file?
• what are the two commands that are used to output one page at a time?
• how would you output the top 5 lines of a text file?
• name the output streams
• which command is used to redirect and overwrite output?
• which command is used to redirect and append errors?
• how do you send output from one command to be input for another?
• which command is used to display file statistics?
• which 2 ways can be used to filter the contents of a file using cut?
• what is grep used for?
• name 2 text editors that are typically used in Linux
To be covered
(Ess 15, 16, 17)
• module 15 - system and user security
• module 16 - creating users and groups
• module 17 - ownership and permissions

Accounts:
• su
• su -
• sudo
• whoami
• id

Groups:
• groupadd
• groupdel
• groups
• /etc/group
• /etc/gshadow

Users:
• useradd
• usermod
• userdel
• passwd
• /etc/passwd
• /etc/shadow
• account settings

Files and directories:
• chgrp
• chown
• chmod
• symbolic
• octal
Security
(Ess 15)
Security model
• access to directories and files is controlled through permissions
• each file has an owner (user) and is assigned to a group
• independent permissions can be set for:
  • owner user
  • users in the group
  • other users (everyone else)
• separate access permissions can be given for:
  • read
  • write
  • execute
Security myths
• Linux doesn’t get viruses because it’s totally secure
• Linux has low market share so no one writes malware for it
• Linux software is only installed from repositories which are secure

feel free to substitute "macOS" for "Linux" in the above myths
Security best practices
• each file and directory should have the minimum set of permissions necessary
• use the computer with a non-privileged user account
• keep software updated
• use respected software repositories
• disable / disconnect software, hardware, services, ports and peripherals you don’t
need
• take good security measures:
• strong passwords
• password managers
• multi-factor authentication
• consider data security (encryption) and physical security
Accounts in Linux
(Ess 15.1)
• 3 types of account:
  • admin or root account:
    • access all system files
    • change permissions
    • add and delete users
    • add and delete groups
  • service or system accounts (not relevant to what we are doing):
    • mail, games, printing, etc
    • allow services to interact with computer
  • user accounts:
    • every user has an account
Accounts in emulator
(Ess 15.2)
• when you first log in, emulator outputs a message showing the available accounts
• automatically logged in as sysadmin
• cannot directly login as root
  • but can switch to being root
• when switching to root user, you will be prompted for the password: netlab123
Root (admin) access
(Ess 15.2)
• Linux commands access sensitive items:
  • passwords
  • user details
  • system files
  • system hardware
  • external devices
• regular users have restricted access
• root user has privileged access (sometimes referred to as superuser; similar to administrator in Windows)
Examples of access
(Ess 15.2)
[screenshots: the same command run by different users gives a different result]
Ways of getting root access
(Ess 15.2.1, 15.2.2)
whichever method is used, you will be prompted for a password

• login as root
  • many distros, including Ubuntu, do not support login as root due to potential danger
  • if supported by distro, need to log out as current user and login as root
  • cannot do this in emulator as it automatically logs back in as sysadmin after logout
• create new login shell: su -, su -l or su --login
  • login shell resets environment variables, providing a clean slate
  • preferable in "real-life"
  • should logout using logout
• switch to root for session: su
  • switch the user without resetting environment variables
  • need to end session using exit
• execute single command with root permissions: sudo
  • NB: prompted for user password, not root password (same value in netacad emulator)
su command
(Ess 15.2.1)
btw: abbreviation of switch user or substitute user, not super user
should be used with care - root has ultimate power!
• su command:
  • creates new shell as root user
  • switches user to root for duration of terminal session or until user exits
remember a shell is simply a console that accepts input and passes it to the OS for execution; the root user's shell has admin privileges
DEMO: su command
(Ess 15.2.1)
• switch user: su -
  • prompted for password: netlab123
  • command prompt now shows you are logged in as root
• exit session: exit
  • command prompt now shows you are logged in as sysadmin
sudo command
(Ess 15.2.2)
abbreviation of super user do
• sudo command:
  • each time sudo is used to execute an administrative command an entry is written to log file:
    • name of the user
    • command
    • date and time of execution
  • increased accountability
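Added example, not from the slides: reading back the entries sudo writes to the system log, so the accountability the slide mentions can actually be checked. The sample lines are constructed in the traditional syslog format sudo uses (on Debian/Ubuntu they land in /var/log/auth.log, on Red Hat-style systems in /var/log/secure; hosts logging only to journald need journalctl instead); the host "netlab", the users and the commands are made up.

```sh
#!/bin/sh
# Added example (not from the slides): reading the entries sudo writes to the
# system log. The lines below are constructed in the traditional syslog format
# that sudo uses; the host "netlab", the users and the commands are made up.
SUDO_LOG_SAMPLE='Mar  3 09:12:41 netlab sudo: sysadmin : TTY=pts/0 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/sbin/useradd -m bob
Mar  3 09:13:05 netlab sudo: sysadmin : TTY=pts/0 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/bin/passwd bob
Mar  3 09:14:30 netlab sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:15:02 netlab sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:16:10 netlab sshd[812]: Accepted password for bob from 10.0.0.5 port 51022 ssh2'

# sample_log: emit the constructed lines (replace with cat /var/log/auth.log on a real host)
sample_log() { printf '%s\n' "$SUDO_LOG_SAMPLE"; }

# sudo_entries: for each sudo line on stdin print "date time|user|command",
# i.e. the three facts the slide says are logged
sudo_entries() {
  awk '$5 == "sudo:" {
    cmd = $0
    sub(/.*COMMAND=/, "", cmd)          # everything after COMMAND= is the command line
    print $1 " " $2 " " $3 "|" $6 "|" cmd
  }'
}

# sudo_denied: refused attempts only ("user NOT in sudoers" / "command not allowed"),
# the entries worth alerting on
sudo_denied() {
  awk '$5 == "sudo:" && /NOT in sudoers|command not allowed/ {
    cmd = $0
    sub(/.*COMMAND=/, "", cmd)
    print $6 "|" cmd
  }'
}

# sudo_count_by_user: how many sudo invocations each user made, sorted by name
sudo_count_by_user() {
  awk '$5 == "sudo:" { n[$6]++ } END { for (u in n) print u, n[u] }' | sort
}

echo "all sudo use:";  sample_log | sudo_entries
echo "refused:";       sample_log | sudo_denied
echo "per user:";      sample_log | sudo_count_by_user
```

The functions read standard input, so on a real host the same three can be fed from the auth log; the sshd line in the sample shows why the awk pattern keys on the "sudo:" field rather than on the word root, which appears in many other messages.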
DEMO: whoami command
(Ess 5.2.3)
• whoami command displays which user you are acting as
Groups
(Ess 15.5)
• groups provide a mechanism for users to share files
• anyone in the same group will have the same privileges
  • only admin can add users to a group
• primary group
  • user belongs to exactly one primary group
  • when a user creates a file, its group is set to the user’s primary group
• secondary or supplementary group
  • user belongs to zero or more secondary groups
  • used to grant file permissions to a set of users who are members of the group
• details of groups are stored in database files:
  • /etc/group
  • /etc/gshadow (not very useful)
/etc/group file
(Ess 15.5)
• /etc/group contains details of groups a user belongs to
• one line per group, with fields delimited by :
  • group name
  • password placeholder (details held in /etc/gshadow)
  • group ID
  • list of members in the group
• find all groups sysadmin is member of: grep sysadmin /etc/group
DEMO: create group with groupadd
(Ess 16.2.1)
• groupadd command creates a new group with the specified name
  • can optionally specify a group ID
  • group ID defaults to one higher than largest group ID
  • need to run as root
• create group called wdos: groupadd wdos
DEMO: delete group with groupdel
(Ess 16.2.13)
• groupdel command deletes a group with the specified name
  • can only delete groups that are not the primary group for any user
  • need to run as root
• delete group called wdos: groupdel wdos
Users
(Ess 16.3)
• every user has a separate account
• details of accounts are stored in database files:
  • /etc/passwd
  • /etc/shadow
/etc/passwd file
(Ess 15.5)
• /etc/passwd contains details of user accounts (for more details see man 5 passwd)
• one line per user, with fields delimited by :
  • username
  • password placeholder (hashed password held in /etc/shadow)
  • user ID
  • primary group ID
  • comment (additional information)
  • absolute path to home directory
  • absolute path to shell
• find the account details for sysadmin: grep sysadmin /etc/passwd
/etc/shadow file
(Ess 15.5)
• /etc/shadow contains encrypted details of user passwords
• one line per user, with fields delimited by :
  • username (from /etc/passwd)
  • encrypted password for regular users, or placeholder
  • other fields are details of last change, frequency of change, expiry dates, etc
• need to run as root
• find the password details for sysadmin: grep sysadmin /etc/shadow
An aside about IDs
(Ess 16.3)
• humans like to use names
  • user names
  • group names
• computers handle numeric IDs best
  • root ID is 0
  • system UIDs typically between 1 and 499
  • user accounts over 500 or 1000 (dependent on distro)
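Added example, not from the slides: shell functions that read constructed /etc/passwd, /etc/group and /etc/shadow samples laid out with the fields given on the preceding slides, and answer the questions an administrator asks of them: which groups a user is in (primary first, then secondary), which class a UID falls into using the ranges quoted in the aside above, whether a shadow entry holds a hash, is locked, or is empty, and whether any account other than root has UID 0. All names, IDs and the toor and guest entries are constructed, and the hashes are placeholders; on a real system the *_SAMPLE variables would be replaced by the file contents (the shadow file being readable only as root, as the slide notes).

```sh
#!/bin/sh
# Added example (not from the slides). Constructed samples in the /etc/passwd,
# /etc/group and /etc/shadow layouts described on the slides; names, IDs and the
# "toor" and "guest" entries are made up, and the hashes are placeholders.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadmin:x:1001:1001:System Administrator:/home/sysadmin:/bin/bash
bob:x:1002:1002:Robert Doe:/home/bob:/bin/bash
ann:x:1003:1003::/home/ann:/bin/bash
toor:x:0:0:constructed second UID 0 account:/root:/bin/bash'
GROUP_SAMPLE='root:x:0:
adm:x:4:sysadmin
sysadmin:x:1001:
bob:x:1002:
ann:x:1003:
wdos:x:1004:bob
staff:x:1005:bob,sysadmin'
SHADOW_SAMPLE='root:$6$saltsalt$placeholderhash:19500:0:99999:7:::
sysadmin:$6$saltsalt$placeholderhash:19500:0:99999:7:::
bob:!:19500:0:99999:7:::
ann:*:19500:0:99999:7:::
guest::19500:0:99999:7:::'

# passwd_field USER N: field N of USER's passwd line
# (1 name, 2 password placeholder, 3 UID, 4 primary GID, 5 comment, 6 home, 7 shell)
passwd_field() {
  printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}

# user_groups USER: primary group (from the passwd GID) first, then the
# secondary groups whose member list names the user, sorted, comma separated
user_groups() {
  gid="$(passwd_field "$1" 4)"
  [ -n "$gid" ] || { echo "no such user: $1" >&2; return 1; }
  primary="$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$gid" '$3 == g { print $1 }')"
  secondary="$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" -v p="$primary" '
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u && $1 != p) print $1 }' |
    sort | tr '\n' ',' | sed 's/,$//')"
  if [ -n "$secondary" ]; then printf '%s,%s\n' "$primary" "$secondary"; else printf '%s\n' "$primary"; fi
}

# uid_class UID: root / system / user, using the ranges quoted on the IDs slide
# (0, 1-499, 500 and above); the boundary is distro dependent, so adjust to 1000 where needed
uid_class() {
  if [ "$1" -eq 0 ]; then echo root
  elif [ "$1" -lt 500 ]; then echo system
  else echo user
  fi
}

# shadow_status USER: what the second shadow field says about the password
#   hashed - a password hash is set
#   locked - "*" or a leading "!" (as left by usermod -L or passwd -l): password login impossible
#   empty  - no password at all: anyone can log in as this user, so it needs fixing
shadow_status() {
  printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" '$1 == u {
    if ($2 == "") print "empty"
    else if ($2 == "*" || substr($2, 1, 1) == "!") print "locked"
    else print "hashed"
  }'
}

# extra_uid0_accounts: every account besides root with UID 0 has full root power
extra_uid0_accounts() {
  printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

for u in sysadmin bob ann; do
  printf '%s: uid=%s (%s) groups=%s shell=%s\n' "$u" "$(passwd_field "$u" 3)" \
    "$(uid_class "$(passwd_field "$u" 3)")" "$(user_groups "$u")" "$(passwd_field "$u" 7)"
done
for u in root sysadmin bob ann guest; do echo "$u password: $(shadow_status "$u")"; done
echo "extra UID 0 accounts: $(extra_uid0_accounts)"
```

user_groups reproduces what the later groups command reports, but from the raw files, which makes the primary/secondary distinction on the Groups slide visible: bob's primary group comes from field 4 of his passwd line, while wdos and staff are found only through the member list of each group line.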
DEMO: id command
(Ess 17.2)
• id command displays:
  • current user ID (UID) and username
  • primary group ID (GID) and group name
  • group GIDs and names associated with the user, separated by commas
DEMO: groups command
(Ess 17.3)
• groups command displays:
  • group names of all groups the current user belongs to
  • can supply the username as an argument to see the groups they belong to
User account settings
(Ess 16.3.6)
user accounts have many fields, that can be set when user is created or modified:
• user ID: -u or --uid
  • will use next value if not supplied when user created
• primary group ID: -g or --gid
  • group must exist
  • value is dependent on distro
  • emulator defaults to the same value as user ID
• secondary groups: -G or --groups
  • comma-separated list of existing groups
• comment: -c
  • used to provide other data, eg. full name
• home directory: -d or --home
  • by default, directory is created in /home, ie. user1 would have home directory of /home/user1
• shell: -s or --shell
  • value is dependent on distro
  • emulator defaults to /bin/bash
• skeleton directory: -k
  • directory containing files to copy into user's home directory
  • used by admin to set up default files
Creating a user with useradd
(Ess 16.3.4)
• useradd command:
  • creates a new user with the specified unique name
  • has many options to override any default settings
    • see user account settings
  • can specify whether to make home directory when account is created
  • need to run as root
• -m: make home directory on creation
  • emulator defaults to not making home directory on user creation
• -M: do NOT make home directory on creation
Demo: create ann
(Ess 16.3.4)
• create a new user called ann with default values; home directory should not be made: useradd ann
• use id to check their details: id ann
• check their home directory has not been created: ls /home
Demo: create bob
(Ess 16.3.4)
• create a new group called wdos: groupadd wdos
• create a new user called bob, who belongs to wdos secondary group, with a comment of 'Robert Doe'; home directory should be made: useradd -G wdos -m -c 'Robert Doe' bob
• use id to check their details: id bob
• check their home directory has been created: ls /home
passwd command
(Ess 16.3.5)
• when users are created, they do not have a password
• passwd command:
  • used to change password
  • user can change their own password
    • must meet complexity requirements
    • will be prompted for existing password
  • admin can change any password by specifying the username
    • no complexity requirements, though there may be a warning
Demo: change ann's password
(Ess 16.3.5)
• change ann's password to ann123: passwd ann
• use grep to check their details in /etc/shadow: grep ann /etc/shadow
Modifying a user with usermod
(Ess 16.3.6)
• usermod command:
  • change an existing account
  • has many options to override any default settings
    • see user account settings
  • need to run as root
• -a: append supplemental groups specified by the -G option to existing groups
• -L: lock user account
  • may be preferable to deleting account
• -U: unlock user account
Demo: modify ann
(Ess 16.3.6)
• add 'Ann Doe' as a comment on ann's account: usermod -c 'Ann Doe' ann
• use grep to check their details in /etc/passwd: grep ann /etc/passwd
Demo: modify bob
(Ess 16.3.6)
• create a new group called staff: groupadd staff
• add secondary group staff to bob's account: usermod -aG staff bob
• use grep to check their details in /etc/group: grep bob /etc/group
Deleting a user with userdel
(Ess 16.3.7)
• userdel command:
  • deletes a user
  • need to run as root
• -r: delete user and home directory
  • if home directory is not deleted, files will be "orphaned"
Demo: delete ann
(Ess 16.3.7)
• delete ann: userdel -r ann
• use grep to check their details in /etc/passwd: grep ann /etc/passwd
• disregard messages about items not found: neither were made when user was created
Files (and directories)
(Ess 17.1)
• every file (and directory) has:
  • user owner
    • set to the user who created the file
    • identified internally by the UID
  • group owner
    • set to the primary group of the user who created the file
    • user can change group owner of files they own to groups they belong to
    • identified internally by the GID
DEMO: changing group ownership with chgrp
(Ess 17.4)
• chgrp command:
  • used to change the group owning the file or directory
  • -R option is used to change the ownership of a directory and all its contents
  • root can change ownership to any group
  • user can only change ownership to a group they are a member of
• create new file called myfile.txt: touch myfile.txt
• change group ownership of myfile.txt to adm: chgrp adm myfile.txt
• use ls -l to check ownership: ls -l myfile.txt
DEMO: changing user ownership with chown
(Ess 17.5)
• chown command:
  • used to change the user (and / or group) owning the file or directory
• change user ownership (must run as root):
  • touch rootfile1.txt
  • chown bob rootfile1.txt
• change user and group ownership (must run as root):
  • touch rootfile1.txt
  • chown bob:bob rootfile1.txt
• change group ownership (must run as root):
  • touch rootfile1.txt
  • chown :bob rootfile1.txt
File permissions
(Ess 17.6)
• the files and directories that can be accessed by the user are based on permissions for:
  • user (owner)
  • group
  • other
• the permission string shown by ls -l is made up of:
  • file type field: - for regular file, d for directory (note this character, it will be used later!)
  • user permissions
  • group permissions (except user)
  • other permissions (except user and group)
Permission types
(Ess 17.6)
• 3 different permission types:
• read
  • effect on file: contents can be read or copied
  • effect on directory: contents can be listed (long listing only possible if directory also has execute access)
• write
  • effect on file: contents can be changed or overwritten
  • effect on directory: files can be added to or removed from a directory (also requires execute access)
• execute
  • effect on file: can be run as a process
  • effect on directory: can change to directory if parent directories also have execute permission
• by default file permissions are rw-rw-r--
• by default directory permissions are rwxrwxr-x
chmod command
(Ess 17.8)
• chmod command:
  • changes the access mode for files (ie. permissions)
  • only root and the owner can change permissions
  • mode can be changed using:
    • symbolic method
    • octal (or numeric) method
Symbolic method
(Ess 17.8.1)
• chmod [<users> <action> <permissions>]... file
• users:
  • u: user
  • g: group
  • o: others
  • a: all the above
• action:
  • +: add to existing
  • =: set to specified
  • -: remove from existing
• permissions:
  • r: read
  • w: write
  • x: execute
Demo: symbolic method with chmod
(Ess 17.8.1)
• can combine the above to make multiple changes
• what is the effect of the following?
  chmod ug+x animals.txt
  chmod o-r animals.txt
  chmod u=rx animals.txt
Octal method
(Ess 17.8.2)
• chmod octal_value file

bit mask  read  write  execute  octal value
---       0     0      0        0
--x       0     0      1        1
-w-       0     1      0        2
-wx       0     1      1        3
r--       1     0      0        4
r-x       1     0      1        5
rw-       1     1      0        6
rwx       1     1      1        7

adapted from https://www.bartbusschots.ie/s/2013/07/13/taming-the-terminal-part-6-of-n/ licensed under CC BY-NC-ND
Demo: octal method with chmod
(Ess 17.8)
• what is the effect of the following?
  chmod 754 adjectives.txt
  chmod 744 adjectives.txt
  chmod 777 adjectives.txt
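Added example, not from the slides: the symbolic and octal chmod methods worked through in shell and awk on permission strings, so the result of a command from the two demos above can be predicted before it is run on a real file, and one constructed ls -l line parsed into type, owner, group and mode as on the file permissions slide. The code models only the nine rwx bits; the setuid, setgid and sticky bits, and the umask that real chmod applies to a spec with no user class, are left out.

```sh
#!/bin/sh
# Added example (not from the slides): chmod arithmetic done in shell/awk on
# permission strings, so symbolic and octal forms can be compared without
# touching real files. Only the nine rwx bits are handled; setuid/setgid/sticky
# and the umask applied by a bare "+x" are out of scope.

# mode_to_octal MODE: "rwxr-xr--" -> 754
mode_to_octal() {
  printf '%s' "$1" | awk '{
    out = ""
    for (c = 0; c < 3; c++) {
      v = 0
      if (substr($0, c * 3 + 1, 1) == "r") v += 4
      if (substr($0, c * 3 + 2, 1) == "w") v += 2
      if (substr($0, c * 3 + 3, 1) == "x") v += 1
      out = out v
    }
    print out
  }'
}

# octal_to_mode OCTAL: 754 -> "rwxr-xr--"
octal_to_mode() {
  printf '%s' "$1" | awk '{
    out = ""
    for (c = 1; c <= 3; c++) {
      d = substr($0, c, 1) + 0
      r = (int(d / 4) % 2 ? "r" : "-")
      w = (int(d / 2) % 2 ? "w" : "-")
      x = (d % 2 ? "x" : "-")
      out = out r w x
    }
    print out
  }'
}

# apply_symbolic MODE SPEC: apply a chmod symbolic spec such as "ug+x" or
# "u=rwx,g-w,o=" to MODE and print the resulting mode string
apply_symbolic() {
  printf '%s' "$1" | awk -v spec="$2" '{
    mode = $0
    n = split(spec, specs, ",")
    for (s = 1; s <= n; s++) {
      one = specs[s]
      if (match(one, /[+=-]/) == 0) { print "bad spec: " one > "/dev/stderr"; exit 1 }
      who = substr(one, 1, RSTART - 1)
      op = substr(one, RSTART, 1)
      perms = substr(one, RSTART + 1)
      if (who == "" || index(who, "a") > 0) who = "ugo"   # "a" (or nothing) means all three classes
      for (c = 1; c <= 3; c++) {
        cls = substr("ugo", c, 1)
        if (index(who, cls) == 0) continue
        for (b = 1; b <= 3; b++) {
          pos = (c - 1) * 3 + b                 # position of this bit in the 9-char string
          l = substr("rwx", b, 1)
          wanted = (index(perms, l) > 0)
          cur = substr(mode, pos, 1)
          if (op == "+") nw = (wanted ? l : cur)       # add to existing
          else if (op == "-") nw = (wanted ? "-" : cur)  # remove from existing
          else nw = (wanted ? l : "-")                 # "=" sets exactly what was listed
          mode = substr(mode, 1, pos - 1) nw substr(mode, pos + 1)
        }
      }
    }
    print mode
  }'
}

# ls_entry_info "LS -L LINE": type, owner, group and mode string of one ls -l line
ls_entry_info() {
  printf '%s\n' "$1" | awk '{
    type = (substr($1, 1, 1) == "d") ? "directory" : "regular file"
    print type " owner=" $3 " group=" $4 " mode=" substr($1, 2, 9)
  }'
}

# Walk through the slide demos, starting from the default file permissions rw-rw-r--
m=rw-rw-r--
for spec in ug+x o-r u=rx; do
  m="$(apply_symbolic "$m" "$spec")"
  echo "chmod $spec -> $m ($(mode_to_octal "$m"))"
done
for o in 754 744 777; do
  echo "chmod $o -> $(octal_to_mode "$o")"
done
ls_entry_info "-rw-rw-r-- 1 sysadmin adm 0 Mar  3 09:20 myfile.txt"   # constructed listing line
```

The walk-through applies the three symbolic commands in the order the demo lists them, so each result is the starting point of the next, which is exactly why "+" and "-" differ from "=": the first two touch only the listed bits, while "=" replaces the whole class.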
What we have covered
• security and accounts
  • su
  • su -
  • sudo
  • whoami
  • id
• groups
  • groupadd
  • groupdel
  • groups
  • /etc/group
  • /etc/gshadow
• users
  • useradd
  • usermod
  • userdel
  • passwd
  • /etc/passwd
  • /etc/shadow
  • account settings
• files and directories
  • chgrp
  • chown
  • chmod
  • symbolic
  • octal
Any questions?
