04 Admin and Security
Security
NB: all examples use the emulator in Linux Essentials, not Linux Unhatched
• 3 types of account:
• admin or root account (UID 0; it is the UID, not the name, that gives the account its power):
• access all system files
• change permissions
• add and delete users
• add and delete groups
• service or system accounts:
• mail, games, printing, etc. (not relevant to what we are doing here)
• allow services to interact with the computer without running as root
• user accounts:
• every user has an account
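As an added example (not part of the original slides), the three account types can be told apart from /etc/passwd by UID alone: 0 is root, low UIDs are system accounts, and UIDs from 1000 up are ordinary users. The boundary of 1000 is an assumption taken from the Debian/Ubuntu defaults in /etc/login.defs (UID_MIN and SYS_UID_MAX); other distros differ. The passwd lines below are constructed sample data, and the last function is the check worth running on a real system: every account with UID 0 is root, whatever it is called.

```shell
#!/bin/sh
# Added example, not from the slides. Classify passwd entries by UID range.
# Assumption: Debian/Ubuntu login.defs defaults (system UIDs 1-999, users >= 1000).

# Constructed sample of /etc/passwd lines (not read from a real system).
# "toor" is included deliberately as a second UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash
bob:x:1001:1001:Robert Doe:/home/bob:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash'

# account_type UID -> root | system | user
account_type() {
    if [ "$1" -eq 0 ]; then
        echo root
    elif [ "$1" -lt 1000 ]; then
        echo system
    else
        echo user
    fi
}

# classify_passwd: stdin = passwd lines, stdout = "name type shell" per line
classify_passwd() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        printf '%s %s %s\n' "$name" "$(account_type "$uid")" "$shell"
    done
}

# count_type TYPE: stdin = passwd lines, stdout = number of accounts of that type
count_type() {
    classify_passwd | awk -v t="$1" '$2 == t' | wc -l | tr -d ' '
}

# uid_zero_accounts: stdin = passwd lines, stdout = every account name with UID 0.
# There should be exactly one (root); anything else is an extra root account.
uid_zero_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Stand-alone usage on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | classify_passwd
printf 'UID 0 accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | uid_zero_accounts | tr '\n' ' ')"
```

On a real system run `awk -F: '$3 == 0 {print $1}' /etc/passwd`; the only line should be root.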
Accounts in emulator
(Ess 15.2)
• when you first log in, the emulator outputs a message showing the available accounts
(note: the same command run by different users gives a different result)
Ways of getting root access
(Ess 15.2.1, 15.2.2)
whichever method is used, you will be prompted for a password
• login as root:
• many distros, including Ubuntu, lock the root account by default, so you cannot log in as root directly (considered too dangerous)
• if supported by the distro, you need to log out as the current user and log in as root
• cannot do this in the emulator as it automatically logs back in as sysadmin after logout
• create a new login shell: su -, su -l or su --login
• a login shell resets the environment variables, providing a clean slate (root does not inherit the calling user's PATH and other settings)
• preferable in "real life"
• should log out using logout
• switch to root for the session: su
• switches the user without resetting the environment variables
• need to end the session using exit
• execute a single command with root permissions: sudo command
• only users allowed by /etc/sudoers (on Ubuntu, members of the sudo group) can do this
• NB: prompted for the user's own password, not the root password (same value in the netacad emulator)
su command
(Ess 15.2.1)
btw: su is an abbreviation of switch user (or substitute user), not super user
• su command:
• creates a new shell as the root user (or as another user if a username is given)
• switches the user to root for the duration of the terminal session or until the user exits
• remember a shell is simply a console that accepts input and passes it to the OS for execution; a root user's shell has admin privileges
• should be used with care: root has ultimate power!
DEMO: su command
(Ess 15.2.1)
switch user: su -
(prompted for the root password: netlab123)
sudo command
btw: sudo is an abbreviation of super user do
• sudo command:
• each time sudo is used to execute an administrative command an entry is written to a log file (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on Red Hat derivatives, or the systemd journal):
• name of the user
• command
• date and time of execution
• gives increased accountability compared with sharing the root password
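An added example (not from the slides) of the accountability the log gives you: the functions below pull the who/what/when out of syslog-style lines written by sudo. The line layout assumed is sudo's standard one, "sudo: USER : TTY=... ; PWD=... ; USER=target ; COMMAND=...", with refused attempts carrying "user NOT in sudoers"; the log lines themselves are constructed for the example. On a live system you would feed it `/var/log/auth.log` or `journalctl -t sudo`.

```shell
#!/bin/sh
# Added example, not from the slides: extract the sudo accountability trail from
# syslog-style lines. Assumption: the standard sudo log format written to
# /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (Red Hat derivatives).

# Constructed sample log lines (not from a real system).
SAMPLE_LOG='Mar  3 10:15:02 host sudo: sysadmin : TTY=pts/0 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/sbin/useradd -m bob
Mar  3 10:15:40 host sudo: sysadmin : TTY=pts/0 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/bin/passwd bob
Mar  3 10:15:40 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by sysadmin(uid=1000)
Mar  3 10:17:12 host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:18:00 host sshd[812]: Accepted publickey for bob from 10.0.0.5 port 52210 ssh2'

# sudo_events: stdin = log lines; stdout = "date time status user -> target : command"
# status is "ok" for executed commands and "DENIED" for refused ones.
sudo_events() {
    awk '/ sudo: / && / COMMAND=/ {
        ts = $1 " " $2 " " $3                       # month, day, time
        user = ""
        for (i = 4; i <= NF; i++)                   # the word after "sudo:" is the invoking user
            if ($i == "sudo:") { user = $(i + 1); break }
        status = ($0 ~ /user NOT in sudoers/) ? "DENIED" : "ok"
        match($0, /USER=[^ ]*/);  target = substr($0, RSTART + 5, RLENGTH - 5)
        match($0, /COMMAND=.*/);  cmd = substr($0, RSTART + 8)
        print ts, status, user, "->", target, ":", cmd
    }'
}

# sudo_denied: stdin = log lines; stdout = users refused by sudo, one per line
sudo_denied() {
    sudo_events | awk '$4 == "DENIED" { print $5 }' | sort -u
}

# Stand-alone usage on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sudo_events
```

Caveat: sudo logs the command it was asked to run, so `sudo -i` or `sudo su -` produces one entry for the shell and nothing for the commands typed inside it; the accountability only holds if people run individual commands through sudo.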
DEMO: whoami command
(Ess 5.2.3)
Groups
• primary group
• user belongs to exactly one primary group
• when a user creates a file, its group is set to the user's primary group (unless the directory has the setgid bit set, in which case the directory's group is used)
• secondary or supplementary group
• user belongs to zero or more secondary groups
• used to grant file permissions to a set of users who are members of the group
• details of groups are stored in database files:
• /etc/group
• /etc/gshadow (group passwords; not very useful in practice)
/etc/group file
(Ess 15.5)
• each line has four colon-separated fields:
• group name
• password placeholder (details held in /etc/gshadow)
• group ID
• list of members in the group (comma-separated)
DEMO: create group with groupadd
(Ess 16.2.1)
/etc/passwd file
• each line has seven colon-separated fields:
• username
• password placeholder (the hashed password is held in /etc/shadow)
• user ID
• primary group ID
• comment (additional information, e.g. full name)
• absolute path to home directory
• absolute path to shell
/etc/shadow file
(Ess 15.5)
• username (as in /etc/passwd)
• hashed password for regular users, or a placeholder such as * or ! for accounts that cannot log in with a password
• other fields are details of the last change, frequency of change, expiry dates, etc.
• readable only by root, unlike /etc/passwd, which is world-readable
An aside about IDs
(Ess 16.3)
• id command displays:
• current user ID (UID) and username
• primary group ID (GID) and group name
• all GIDs and group names associated with the user, separated by commas
DEMO: groups command
(Ess 17.3)
• can supply a username as an argument to see the groups that user belongs to
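An added example (not from the slides) that ties the /etc/passwd and /etc/group fields above to what id and groups print: it resolves a user's primary group from passwd field 4 and the supplementary groups from the member lists in /etc/group, in the standard layouts of those files. The passwd and group content is constructed for the example; the functions default to the real /etc/passwd and /etc/group when given no file arguments.

```shell
#!/bin/sh
# Added example, not from the slides: resolve a user's primary and supplementary
# groups from passwd/group-format files, the way id(1) and groups(1) do.
# Assumption: standard /etc/passwd and /etc/group layouts. The sample content is
# constructed, not read from a real system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sysadmin:x:1000:1000:sysadmin:/home/sysadmin:/bin/bash
bob:x:1001:1001:Robert Doe:/home/bob:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:sysadmin
sysadmin:x:1000:
bob:x:1001:
wdos:x:1002:bob
staff:x:1003:bob,sysadmin'

# user_groups USER [PASSWD_FILE] [GROUP_FILE]
# stdout: "GID name" per line, primary group first, then supplementary groups by GID.
user_groups() {
    u=$1; pw=${2:-/etc/passwd}; gr=${3:-/etc/group}
    awk -F: -v u="$u" '
        NR == FNR { if ($1 == u) { gid = $4; found = 1 }; next }   # passwd: primary GID is field 4
        {
            name[$3] = $1                                          # group: GID -> group name
            n = split($4, m, ",")                                  # field 4: comma-separated members
            for (i = 1; i <= n; i++) if (m[i] == u) member[$3] = 1
        }
        END {
            if (!found) exit 1
            print 0, gid, name[gid]                                # sort key 0 puts the primary group first
            for (g in member) if (g != gid) print 1, g, name[g]
        }' "$pw" "$gr" | sort -k1,1n -k2,2n | cut -d" " -f2-
}

# id_like USER [PASSWD_FILE] [GROUP_FILE] -> "uid=UID(user) gid=GID(group) groups=GID(group),..."
id_like() {
    u=$1; pw=${2:-/etc/passwd}; gr=${3:-/etc/group}
    uid=$(awk -F: -v u="$u" '$1 == u { print $3 }' "$pw")
    [ -n "$uid" ] || return 1                                      # unknown user
    user_groups "$u" "$pw" "$gr" | awk -v u="$u" -v uid="$uid" '
        NR == 1 { printf "uid=%s(%s) gid=%s(%s) groups=%s(%s)", uid, u, $1, $2, $1, $2; next }
        { printf ",%s(%s)", $1, $2 }
        END { printf "\n" }'
}

# Stand-alone usage: write the constructed samples to files and query them.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$SAMPLE_DIR/passwd"
printf '%s\n' "$SAMPLE_GROUP" > "$SAMPLE_DIR/group"
id_like bob "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
user_groups sysadmin "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

Note that the primary group appears in the output even though bob is not listed in the member field of the bob group line; membership of the primary group comes from /etc/passwd, which is why grep on /etc/group alone can understate a user's groups.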
User account settings
(Ess 16.3.6)
user accounts have many fields that can be set when the user is created or modified:
• user ID: -u or --uid
• will use the next free value if not supplied when the user is created
• primary group ID: -g or --gid
• group must exist
• default value is dependent on distro; emulator defaults to a group with the same value as the user ID
• secondary groups: -G or --groups
• comma-separated list of existing groups
• comment: -c
• used to provide other data, e.g. full name
• home directory: -d or --home
• by default, the directory is created in /home, i.e. user1 would have a home directory of /home/user1
• shell: -s or --shell
• value is dependent on distro; emulator defaults to /bin/bash
• skeleton directory: -k
• directory containing files to copy into the user's home directory (default /etc/skel); used by the admin to set up default files; only applies when the home directory is created
Creating a user with useradd
(Ess 16.3.4)
• useradd command:
• creates a new user with the specified unique name
• has many options to override any default settings
• see user account settings
• can specify whether to make the home directory when the account is created
• need to run as root
• -m: make the home directory on creation
• the emulator defaults to not making a home directory on user creation (the default is controlled by CREATE_HOME in /etc/login.defs)
• -M: do NOT make the home directory on creation
Demo: create ann
(Ess 16.3.4)
create a new user called ann with default values (home directory should not be made): useradd ann
use id to check their details: id ann
check their home directory has not been created: ls /home
Demo: create bob
(Ess 16.3.4)
create a new group called wdos: groupadd wdos
create a new user called bob who belongs to the wdos secondary group, with a comment of 'Robert Doe' and a home directory: useradd -G wdos -m -c 'Robert Doe' bob
use id to check their details: id bob
check their home directory has been created: ls /home
passwd command
(Ess 16.3.5)
• passwd command:
• used to change a password
• a user can change their own password
• must meet the complexity requirements
• will be prompted for the existing password
• root can change any password by specifying the username
• complexity requirements are not enforced for root, though a warning may be shown
Demo: change ann's password
(Ess 16.3.5)
change ann's password to ann123: passwd ann
use grep to check their details in /etc/shadow: grep ann /etc/shadow
Modifying a user with usermod
(Ess 16.3.6)
• usermod command:
• changes an existing account
• has many options to override any default settings
• see user account settings
• need to run as root
• -a: append the supplemental groups specified by the -G option to the existing groups (without -a, -G replaces the user's existing secondary groups)
• -L: lock the user account
• may be preferable to deleting the account
• puts a ! in front of the password hash in /etc/shadow, so only password authentication is disabled; to lock the account for every authentication method (SSH keys included) also set an expiry date in the past, e.g. usermod -L -e 1970-01-02 ann, and check with passwd -S ann or chage -l ann
• -U: unlock the user account
Demo: modify ann
(Ess 16.3.6)
add 'Ann Doe' as a comment on ann's account: usermod -c 'Ann Doe' ann
use grep to check their details in /etc/passwd: grep ann /etc/passwd
Demo: modify bob
(Ess 16.3.6)
create a new group called staff: groupadd staff
add the secondary group staff to bob's account: usermod -aG staff bob
use grep to check their details in /etc/group: grep bob /etc/group
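An added example (not from the slides) of the check you would run after the passwd and usermod demos: it reads a shadow-format file and reports each account's state from the password field (usable hash, ! prefix from usermod -L, * placeholder, or empty) and from the expiry field, in the same spirit as passwd -S. The layout assumed is the standard /etc/shadow one (field 2 = hash, field 8 = expiry in days since 1970-01-01); the sample lines and their hashes are constructed dummies. The last function lists the gap that -L alone leaves: accounts whose password is locked but which have no expiry, so an authorized SSH key would still log them in.

```shell
#!/bin/sh
# Added example, not from the slides: report each account's login state from a
# shadow-format file, similar to passwd -S. Assumption: standard /etc/shadow layout
# (field 2 = password hash, field 8 = expiry in days since 1970-01-01).
# The sample lines are constructed; the hashes are dummies.

SAMPLE_SHADOW='root:$6$dummysalt$dummyhash:19700:0:99999:7:::
sysadmin:$6$dummysalt$dummyhash:19700:0:99999:7:::
ann:!$6$dummysalt$dummyhash:19710:0:99999:7:::
bob:$6$dummysalt$dummyhash:19710:0:99999:7::1:
daemon:*:19000:0:99999:7:::
legacy::19000:0:99999:7:::'

# shadow_status [SHADOW_FILE] [TODAY_IN_DAYS] -> "user state" per line, where state is
#   active       usable password hash
#   locked       hash prefixed with "!" (usermod -L / passwd -l): only password logins are blocked
#   no-login     "*" placeholder, typical for service accounts that never had a password
#   no-password  empty field: login without a password is possible if PAM allows it
# ",expired" is appended when field 8 is set and not in the future (usermod -e), which
# blocks every authentication method, SSH keys included.
shadow_status() {
    f=${1:-/etc/shadow}
    today=$2
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    awk -F: -v today="$today" '
        NF < 8 { next }                                  # skip malformed lines
        {
            hash = $2; expire = $8
            if (hash == "")        state = "no-password"
            else if (hash ~ /^!/)  state = "locked"
            else if (hash == "*")  state = "no-login"
            else                   state = "active"
            if (expire != "" && expire + 0 <= today) state = state ",expired"
            print $1, state
        }' "$f"
}

# locked_without_expiry [SHADOW_FILE] -> accounts locked with -L only: password
# authentication is off, but the account itself is still valid for other methods.
locked_without_expiry() {
    shadow_status "$1" | awk '$2 == "locked" { print $1 }'
}

# Stand-alone usage on the constructed sample.
SHADOW_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$SHADOW_FILE"
shadow_status "$SHADOW_FILE"
printf 'locked but not expired: %s\n' "$(locked_without_expiry "$SHADOW_FILE" | tr '\n' ' ')"
```

On a real system the functions need root to read /etc/shadow; run them with sudo, which is also what gets the check into the sudo log.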
Deleting a user with userdel
(Ess 16.3.7)
• userdel command:
• deletes a user
• need to run as root
• -r: delete the user together with their home directory and mail spool
• if the home directory is not deleted, its files will be "orphaned": they keep the numeric UID (shown by ls -l in place of a name), can be found with find / -nouser, and would be inherited by any later user given the same UID
Demo: delete ann
(Ess 16.3.7)
delete ann: userdel -r ann
use grep to check their details in /etc/passwd: grep ann /etc/passwd
(disregard messages about items not found: neither the home directory nor the mail spool were made when the user was created)
Files
Files (and directories)
(Ess 17.1)
• the files and directories that can be accessed by a user are based on permissions for:
• user (owner)
• group
• other
• note the underlined character in each (u, g, o): it will be used later!
• execute permission: for a file, it can be run as a process; for a directory, you can change into it (if the parent directories also have execute permission)
• chmod command:
• changes the access mode for files (i.e. permissions)
• only root and the owner can change permissions
• mode can be changed using:
• symbolic method
• octal (or numeric) method
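An added example (not from the slides) showing that the symbolic and octal forms of chmod set the same mode: it converts an octal mode into the nine rwx characters that ls -l shows, then applies a symbolic mode and its octal equivalent to a scratch file and checks that stat reports the same permissions both times. It assumes GNU coreutils stat (Linux); the file lives in a temporary directory, so no root is needed and it runs in the emulator or on any Linux box.

```shell
#!/bin/sh
# Added example, not from the slides: symbolic vs octal chmod on a scratch file.
# Assumption: GNU coreutils stat (-c '%a' octal bits, -c '%A' ls-style string).

# rwx DIGIT -> three-character string for one octal digit (r=4, w=2, x=1)
rwx() {
    s=""
    [ $(( $1 & 4 )) -ne 0 ] && s="${s}r" || s="${s}-"
    [ $(( $1 & 2 )) -ne 0 ] && s="${s}w" || s="${s}-"
    [ $(( $1 & 1 )) -ne 0 ] && s="${s}x" || s="${s}-"
    printf '%s' "$s"
}

# octal_to_rwx MODE -> nine-character permission string, e.g. 640 -> rw-r-----
# (only the last three digits are used; a leading setuid/setgid/sticky digit is ignored)
octal_to_rwx() {
    m=$(printf '%s' "$1" | awk '{ print substr($0, length($0) - 2) }')
    printf '%s%s%s\n' \
        "$(rwx "$(printf '%s' "$m" | cut -c1)")" \
        "$(rwx "$(printf '%s' "$m" | cut -c2)")" \
        "$(rwx "$(printf '%s' "$m" | cut -c3)")"
}

# mode_of FILE -> octal permission bits as reported by stat, e.g. 640
mode_of() { stat -c '%a' "$1"; }

# ls_perms FILE -> the nine permission characters shown by ls -l
ls_perms() { stat -c '%A' "$1" | cut -c2-10; }

# modes_agree FILE SYMBOLIC OCTAL -> success if applying the symbolic mode and then
# the octal mode leaves the same permissions both times, and they match octal_to_rwx
modes_agree() {
    chmod "$2" "$1" || return 1
    after_sym=$(ls_perms "$1")
    chmod "$3" "$1" || return 1
    after_oct=$(ls_perms "$1")
    [ "$after_sym" = "$after_oct" ] && [ "$after_oct" = "$(octal_to_rwx "$3")" ]
}

# Stand-alone usage: compare a few symbolic/octal pairs on a scratch file.
SCRATCH=$(mktemp -d)
: > "$SCRATCH/report.txt"
for pair in 'u=rw,g=r,o= 640' 'u=rwx,g=rx,o=rx 755' 'a=r 444' 'u=rw,go= 600'; do
    set -- $pair
    if modes_agree "$SCRATCH/report.txt" "$1" "$2"; then
        printf '%-18s == %s  (%s)\n' "$1" "$2" "$(octal_to_rwx "$2")"
    else
        printf '%-18s != %s\n' "$1" "$2"
    fi
done
```

The symbolic forms use the u, g, o letters from the permissions list above (plus a for all); the octal digit for each is simply the sum of r=4, w=2 and x=1, which is what rwx() computes in reverse.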
Symbolic method
(Ess 17.8.1)