
Chapter 5. Managing Local Linux Users and Groups

[student@serverX ~]$ sudo tail /var/log/secure
Feb 19 15:23:36 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/sbin/usermod -L student
Feb 19 15:23:36 localhost usermod[16325]: lock user 'student' password
Feb 19 15:23:47 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/bin/tail /var/log/secure

In Red Hat Enterprise Linux 7, all members of group wheel can use sudo to run commands as any user, including root. The user will be prompted for their own password. This is a change from Red Hat Enterprise Linux 6 and earlier. Users who were members of group wheel did not get this administrative access by default in RHEL 6 and earlier.

To enable similar behavior on earlier versions of Red Hat Enterprise Linux, use visudo to edit the configuration file and uncomment the line allowing the group wheel to run all commands.

[root@desktopX ~]# cat /etc/sudoers
Output omitted
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
Output omitted

Warning

RHEL 6 did not grant group wheel any special privileges by default. Sites which have been using this group may be surprised when RHEL 7 automatically grants all members of wheel full sudo privileges. This could lead to unauthorized users getting superuser access to RHEL 7 systems.

Historically, membership in group wheel has been used by Unix-like systems to grant or control superuser access.

Most system administration applications with a GUI use PolicyKit to prompt users for authentication and to manage root access. In Red Hat Enterprise Linux 7, PolicyKit may also prompt members of group wheel for their own password in order to get root privileges when using graphical tools. This is similar to the way in which they can use sudo to get those privileges at the shell prompt. PolicyKit grants these privileges based on its own configuration settings, separate from sudo. Advanced students may be interested in the pkexec(1) and polkit(8) man pages for details on how this system works, but it is beyond the scope of this course.
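As an added example that is not part of the course text, the shell functions below perform the two checks the warning above calls for before a site moves to RHEL 7: listing wheel members that are not on an approved list, and testing whether a sudoers fragment enables the password-less %wheel rule. The group file, sudoers contents and approved names are constructed sample data, not values from the course.

```shell
#!/bin/sh
# Added example (not from the course text). Two checks an administrator can
# run around an upgrade to RHEL 7, where every member of wheel gets sudo:
#  1. which wheel members are not on an approved list, and
#  2. whether /etc/sudoers grants wheel password-less sudo.
# The group and sudoers contents below are constructed sample data; on a real
# host read /etc/group and /etc/sudoers instead.

SAMPLE_GROUP='root:x:0:
wheel:x:10:student,contractor,buildsvc
ateam:x:5000:elvis'

# The rule as shipped: the NOPASSWD variant stays commented out.
SAMPLE_SUDOERS_DEFAULT='## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL'

# A weakened copy where someone uncommented the NOPASSWD rule.
SAMPLE_SUDOERS_WEAK='%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL'

# wheel_members GROUP_DATA: print the member list of group wheel, one per line
wheel_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" { print $4 }' | tr ',' '\n'
}

# unexpected_wheel_members GROUP_DATA "name1 name2": print wheel members that
# are not on the approved list (on RHEL 7 each of them has full sudo access)
unexpected_wheel_members() {
    approved=" $2 "
    for member in $(wheel_members "$1"); do
        case "$approved" in
            *" $member "*) ;;
            *) printf '%s\n' "$member" ;;
        esac
    done
}

# wheel_nopasswd_enabled SUDOERS_DATA: true (0) when an active, uncommented
# %wheel rule carries NOPASSWD; a leading "#" makes the rule a comment
wheel_nopasswd_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*%wheel[[:space:]].*NOPASSWD'
}
```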


RH124-RHEL7-en-1-20140606

Running commands as root with sudo

-

-

- - Running commands as root with sudo - - - - - - - -

-

-

-

-

-

-

-

-

-

-

-

-

-

R
R

References

su(1) and sudo(8) man pages

info libc (GNU C Library Reference Manual)

Section 29.2: The Persona of a Process

(Note that the glibc-devel package must be installed for this info node to be available.)


Practice: Running Commands as root

Guided exercise

In this lab, you will practice running commands as root.

Outcomes

Use su with and without login scripts to switch users. Use sudo to run commands with privilege.

Before you begin

Reset your serverX system.

1. Log into the GNOME desktop on serverX as student with a password of student.

2. Open a window with a Bash prompt.

Select Applications > Utilities > Terminal.

3. Explore characteristics of the current student login environment.

3.1. View the user and group information and display the current working directory.

[student@serverX ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student@serverX ~]$ pwd
/home/student

 

3.2. View the variables which specify the home directory and the locations searched for executable files.

[student@serverX ~]$ echo $HOME
/home/student
[student@serverX ~]$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/home/student/.local/bin:/home/student/bin

4. Switch to root without the dash and explore characteristics of the new environment.

4.1. Become the root user at the shell prompt.

[student@serverX ~]$ su
Password: redhat

4.2. View the user and group information and display the current working directory. Note the identity changed, but not the current working directory.

[root@serverX student]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@serverX student]# pwd
/home/student

4.3. View the variables which specify the home directory and the locations searched for executable files. Look for references to the student and root accounts.

[root@serverX student]# echo $HOME
/root
[root@serverX student]# echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/home/student/.local/bin:/home/student/bin

4.4. Exit the shell to return to the student user.

[root@serverX student]# exit
exit

5. Switch to root with the dash and explore characteristics of the new environment.

5.1. Become the root user at the shell prompt. Be sure all the login scripts are also executed.

[student@serverX ~]$ su -
Password: redhat

5.2. View the user and group information and display the current working directory.

[root@serverX ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@serverX ~]# pwd
/root

5.3. View the variables which specify the home directory and the locations searched for executable files. Look for references to the student and root accounts.

[root@serverX ~]# echo $HOME
/root
[root@serverX ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

5.4. Exit the shell to return to the student user.

[root@serverX ~]# exit
logout

6. Run several commands as student which require root access.

6.1. View the last 5 lines of the /var/log/messages.

[student@serverX ~]$ tail -5 /var/log/messages
tail: cannot open '/var/log/messages' for reading: Permission denied
[student@serverX ~]$ sudo tail -5 /var/log/messages
Feb  3 15:07:22 localhost su: (to root) root on pts/0
Feb  3 15:10:01 localhost systemd: Starting Session 31 of user root.
Feb  3 15:10:01 localhost systemd: Started Session 31 of user root.
Feb  3 15:12:05 localhost su: (to student) root on pts/0
Feb  3 15:14:47 localhost su: (to root) root on pts/0

6.2. Make a backup of a configuration file in the /etc directory.

[student@serverX ~]$ cp /etc/motd /etc/motdOLD
cp: cannot create regular file '/etc/motdOLD': Permission denied
[student@serverX ~]$ sudo cp /etc/motd /etc/motdOLD

6.3. Remove the /etc/motdOLD file that was just created.

[student@serverX ~]$ rm /etc/motdOLD
rm: remove write-protected regular empty file '/etc/motdOLD'? y
rm: cannot remove '/etc/motdOLD': Permission denied
[student@serverX ~]$ sudo rm /etc/motdOLD

6.4. Edit a configuration file in the /etc directory.

[student@serverX ~]$ echo "Welcome to class" >> /etc/motd
-bash: /etc/motd: Permission denied
[student@serverX ~]$ sudo vim /etc/motd

Managing Local User Accounts

Objectives

After completing this section, students should be able to create, modify, lock, and delete locally defined user accounts.

Managing local users

A number of command-line tools can be used to manage local user accounts.

useradd creates users

useradd username sets reasonable defaults for all fields in /etc/passwd when run without options. The useradd command does not set any valid password by default, and the user cannot log in until a password is set.

useradd --help will display the basic options that can be used to override the defaults. In most cases, the same options can be used with the usermod command to modify an existing user.

Some defaults, such as the range of valid UID numbers and default password aging rules, are read from the /etc/login.defs file. Values in this file are only used when creating new users. A change to this file will not have an effect on any existing users.

usermod modifies existing users

usermod --help will display the basic options that can be used to modify an account. Some common options include:

usermod options:

-c, --comment COMMENT    Add a value, such as a full name, to the GECOS field.
-g, --gid GROUP          Specify the primary group for the user account.
-G, --groups GROUPS      Specify a list of supplementary groups for the user account.
-a, --append             Used with the -G option to append the user to the supplemental groups mentioned without removing the user from other groups.
-d, --home HOME_DIR      Specify a new home directory for the user account.
-m, --move-home          Move a user home directory to a new location. Must be used with the -d option.
-s, --shell SHELL        Specify a new login shell for the user account.
-L, --lock               Lock a user account.
-U, --unlock             Unlock a user account.

userdel deletes users

userdel username removes the user from /etc/passwd, but leaves the home directory intact by default.

userdel -r username removes the user and the user's home directory.


Warning

When a user is removed with userdel without the -r option specified, the system will have files that are owned by an unassigned user ID number. This can also happen when files created by a deleted user exist outside their home directory. This situation can lead to information leakage and other security issues.

In Red Hat Enterprise Linux 7, the useradd command assigns new users the first free UID number available in the range starting from UID 1000 or above (unless one is explicitly specified with the -u UID option). This is how information leakage can occur: if the first free UID number had been previously assigned to a user account which has since been removed from the system, the old user's UID number will get reassigned to the new user, giving the new user ownership of the old user's remaining files. The following scenario demonstrates this situation:

[root@serverX ~]# useradd prince
[root@serverX ~]# ls -l /home
drwx------. 3 prince prince 74 Feb  4 15:22 prince
[root@serverX ~]# userdel prince
[root@serverX ~]# ls -l /home
drwx------. 3 1000 1000 74 Feb  4 15:22 prince
[root@serverX ~]# useradd bob
[root@serverX ~]# ls -l /home
drwx------. 3 bob bob 74 Feb  4 15:23 bob
drwx------. 3 bob bob 74 Feb  4 15:22 prince

Notice that bob now owns all files that prince once owned. Depending on the situation, one solution to this problem is to remove all "unowned" files from the system when the user that created them is deleted. Another solution is to manually assign the "unowned" files to a different user. The root user can find "unowned" files and directories by running: find / -nouser -o -nogroup 2> /dev/null.
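The following shell functions are an added example, not part of the course text: they reproduce the UID-reuse scenario above on constructed data by selecting the first free UID at or above UID_MIN the way useradd does, and refusing to hand it out while unowned files still carry that number. The passwd entries, the orphaned UID list and the helper names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the course text. It reproduces the UID-reuse
# scenario above with constructed data: pick the first free UID at or above
# UID_MIN the way useradd does, then refuse to hand it out while files on
# disk still carry that owner number. On a real host the passwd data is
# /etc/passwd and the orphaned owners come from the course's
#   find / -nouser -o -nogroup 2> /dev/null
# (GNU find can print just the numeric owner of -nouser matches with
#  -printf '%U\n').

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
student:x:1000:1000::/home/student:/bin/bash
juliet:x:1001:1001::/home/juliet:/bin/bash
hamlet:x:1003:1003::/home/hamlet:/bin/bash'

# Owner UIDs found on files with no passwd entry (constructed): 1002 was
# prince's UID before "userdel prince" ran without -r.
ORPHAN_UIDS='1002
1005'

UID_MIN=1000   # UID_MIN default from /etc/login.defs on RHEL 7

# first_free_uid PASSWD_DATA: print the lowest unused UID >= UID_MIN
first_free_uid() {
    printf '%s\n' "$1" | awk -F: -v min="$UID_MIN" '
        $3 >= min { used[$3] = 1 }
        END { u = min; while (u in used) u++; print u }'
}

# uid_has_orphaned_files UID ORPHAN_LIST: true (0) when UID still owns files
uid_has_orphaned_files() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# safe_next_uid PASSWD_DATA ORPHAN_LIST: print the UID useradd would assign,
# or "collision:UID" (exit 1) when that number would inherit a former user's
# files, so the administrator can reassign them or pass an explicit -u first
safe_next_uid() {
    uid=$(first_free_uid "$1")
    if uid_has_orphaned_files "$uid" "$2"; then
        printf 'collision:%s\n' "$uid"
        return 1
    fi
    printf '%s\n' "$uid"
}
```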

id displays user information

id will display user information, including the user's UID number and group memberships.

id username will display user information for username, including the user's UID number and group memberships.

passwd sets passwords

passwd username can be used to either set the user's initial password or change that user's password.

The root user can set a password to any value. A message will be displayed if the password does not meet the minimum recommended criteria, but it is followed by a prompt to retype the new password and all tokens are updated successfully.

[root@serverX ~]# passwd student
Changing password for user student.
New password: redhat123
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: redhat123
passwd: all authentication tokens updated successfully.

A regular user must choose a password which is at least 8 characters in length and is not based on a dictionary word, the username, or the previous password.

UID ranges

Specific UID numbers and ranges of numbers are used for specific purposes by Red Hat Enterprise Linux.

UID 0 is always assigned to the superuser account, root.

UID 1-200 is a range of "system users" assigned statically to system processes by Red Hat.

UID 201-999 is a range of "system users" used by system processes that do not own files on the file system. They are typically assigned dynamically from the available pool when the software that needs them is installed. Programs run as these "unprivileged" system users in order to limit their access to just the resources they need to function.

UID 1000+ is the range available for assignment to regular users.

Note

Prior to Red Hat Enterprise Linux 7, the convention was that UID 1-499 was used for system users and UID 500+ for regular users. Default ranges used by useradd and groupadd can be changed in the /etc/login.defs file.

References

useradd(8), usermod(8), userdel(8) man pages


Practice: Creating Users Using Command-line Tools

Guided exercise

In this lab, you will create a number of users on your serverX system, setting and recording an initial password for each user.

Outcomes

A system with additional user accounts.

Before you begin

Reset your serverX system.

1. Log into the GNOME desktop on serverX as student with a password of student.

2. Open a window with a Bash prompt.

Select Applications > Utilities > Terminal.

3. Become the root user at the shell prompt.

[student@serverX ~]$ su -
Password: redhat

4. Add the user juliet.

[root@serverX ~]# useradd juliet

5. Confirm that juliet has been added by examining the /etc/passwd file.

[root@serverX ~]# tail -2 /etc/passwd
tcpdump:x:72:72::/:/sbin/nologin
juliet:x:1001:1001::/home/juliet:/bin/bash

6. Use the passwd command to initialize juliet's password.

[root@serverX ~]# passwd juliet
Changing password for user juliet.
New password: juliet
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: juliet
passwd: all authentication tokens updated successfully.

7. Continue adding the remaining users in the steps below and set initial passwords.

7.1. romeo

[root@serverX ~]# useradd romeo
[root@serverX ~]# passwd romeo
Changing password for user romeo.
New password: romeo
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: romeo
passwd: all authentication tokens updated successfully.

7.2. hamlet

[root@serverX ~]# useradd hamlet
[root@serverX ~]# passwd hamlet

7.3. reba

[root@serverX ~]# useradd reba
[root@serverX ~]# passwd reba

7.4. dolly

[root@serverX ~]# useradd dolly
[root@serverX ~]# passwd dolly

7.5. elvis

[root@serverX ~]# useradd elvis
[root@serverX ~]# passwd elvis


Managing Local Group Accounts

Objectives

After completing this section, students should be able to create, modify, and delete locally defined group accounts.

Managing supplementary groups

A group must exist before a user can be added to that group. Several command-line tools are used to manage local group accounts.

groupadd creates groups

groupadd groupname without options uses the next available GID from the range specified in the /etc/login.defs file.

The -g GID option is used to specify a specific GID.

[student@serverX ~]$ sudo groupadd -g 5000 ateam

Note

Given the automatic creation of user private groups (GID 1000+), it is generally recommended to set aside a range of GID numbers to be used for supplementary groups. A higher range will avoid a collision with a system group (GID 0-999).

The -r option will create a system group using a GID from the range of valid system GID numbers listed in the /etc/login.defs file.

[student@serverX ~]$ sudo groupadd -r appusers

groupmod modifies existing groups

The groupmod command is used to change a group name to a GID mapping. The -n option is used to specify a new name.

[student@serverX ~]$ sudo groupmod -n javaapp appusers

The -g option is used to specify a new GID.

[student@serverX ~]$ sudo groupmod -g 6000 ateam

groupdel deletes a group

The groupdel command will remove a group.

[student@serverX ~]$ sudo groupdel javaapp

A group may not be removed if it is the primary group of any existing user. As with userdel, check all file systems to ensure that no files remain owned by the group.

usermod alters group membership

The membership of a group is controlled with user management. Change a user's primary group with usermod -g groupname.

Add a user to a supplementary group with usermod -aG groupname username.

[student@serverX ~]$ sudo usermod -aG wheel elvis

Important

The use of the -a option makes usermod function in "append" mode. Without it, the user would be removed from all other supplementary groups.


References

group(5), groupadd(8), groupdel(8), and usermod(8) man pages


Practice: Managing Groups Using Command-line Tools

Guided exercise

In this lab, you will add users to newly created supplementary groups.

Outcomes

The shakespeare group consists of juliet, romeo, and hamlet. The artists group contains reba, dolly, and elvis.

Before you begin

Perform the following steps on serverX unless directed otherwise.

1. Become the root user at the shell prompt.

[student@serverX ~]$ su -
Password: redhat

2. Create a supplementary group called shakespeare with a group ID of 30000.

[root@serverX ~]# groupadd -g 30000 shakespeare

3. Create a supplementary group called artists.

[root@serverX ~]# groupadd artists

4. Confirm that shakespeare and artists have been added by examining the /etc/group file.

[root@serverX ~]# tail -5 /etc/group
reba:x:1004:
dolly:x:1005:
elvis:x:1006:
shakespeare:x:30000:
artists:x:30001:

5. Add the juliet user to the shakespeare group as a supplementary group.

[root@serverX ~]# usermod -G shakespeare juliet

6. Confirm that juliet has been added using the id command.

[root@serverX ~]# id juliet
uid=1001(juliet) gid=1001(juliet) groups=1001(juliet),30000(shakespeare)

7. Continue adding the remaining users to groups as follows:

7.1. Add romeo and hamlet to the shakespeare group.

[root@serverX ~]# usermod -G shakespeare romeo
[root@serverX ~]# usermod -G shakespeare hamlet

7.2. Add reba, dolly, and elvis to the artists group.

[root@serverX ~]# usermod -G artists reba
[root@serverX ~]# usermod -G artists dolly
[root@serverX ~]# usermod -G artists elvis

7.3. Verify the supplemental group memberships by examining the /etc/group file.

[root@serverX ~]# tail -5 /etc/group
reba:x:1004:
dolly:x:1005:
elvis:x:1006:
shakespeare:x:30000:juliet,romeo,hamlet
artists:x:30001:reba,dolly,elvis


Managing User Passwords

Objectives

After completing this section, students should be able to lock accounts manually or by setting a password-aging policy in the shadow password file.

Shadow passwords and password policy

In the distant past, encrypted passwords were stored in the world-readable /etc/passwd file. This was thought to be reasonably secure until dictionary attacks on encrypted passwords became common. At that point, the encrypted passwords, or "password hashes," were moved to the more secure /etc/shadow file. This new file also allowed password aging and expiration features to be implemented.

There are three pieces of information stored in a modern password hash:

$1$gCjLa2/Z$6Pu0EK0AzfCjxjv2hoLOB/

1. 1: The hashing algorithm. The number 1 indicates an MD5 hash. The number 6 appears when a SHA-512 hash is used.

2. gCjLa2/Z: The salt used to encrypt the hash. This is originally chosen at random. The salt and the unencrypted password are combined and encrypted to create the encrypted password hash. The use of a salt prevents two users with the same password from having identical entries in the /etc/shadow file.

3. 6Pu0EK0AzfCjxjv2hoLOB/: The encrypted hash.

When a user tries to log in, the system looks up the entry for the user in /etc/shadow, combines the salt for the user with the unencrypted password that was typed in, and encrypts them using the hashing algorithm specified. If the result matches the encrypted hash, the user typed in the right password. If the result doesn't match the encrypted hash, the user typed in the wrong password and the login attempt fails. This method allows the system to determine if the user typed in the correct password without storing that password in a form usable for logging in.


Note

Red Hat Enterprise Linux 6 and 7 support two new strong password hashing algorithms, SHA-256 (algorithm 5) and SHA-512 (algorithm 6). Both the salt string and the encrypted hash are longer for these algorithms. The default algorithm used for password hashes can be changed by the root user by running the command authconfig --passalgo with one of the arguments md5, sha256, or sha512, as appropriate.

Red Hat Enterprise Linux 7 defa ults to using SHA-512 encryption.

/etc/shadow format

The format of /etc/shadow follows (nine colon-separated fields):

name:password:lastchange:minage:maxage:warning:inactive:expire:blank


1. The login name. This must be a valid account name on the system.

2. The encrypted password. A password field which starts with an exclamation mark means that the password is locked.

3. The date of the last password change, represented as the number of days since 1970.01.01.

4. The minimum number of days before a password may be changed, where 0 means "no minimum age requirement."

5. The maximum number of days before a password must be changed.

6. The warning period that a password is about to expire. Represented in days, where 0 means "no warning given."

7. The number of days an account remains active after a password has expired. A user may still log into the system and change the password during this period. After the specified number of days, the account is locked, becoming inactive.

8. The account expiration date, represented as the number of days since 1970.01.01.

9. This blank field is reserved for future use.

Password aging

The following diagram relates the relevant password-aging parameters, which can be adjusted using chage to implement a password-aging policy.

[Diagram: a time line running from the last change date (-d) through min days (-m), max days (-M) and warn days (-W) to the password expiration date, followed by inactive days (-I) up to the inactive date.]

# chage -m 0 -M 90 -W 7 -I 14 username

chage -d 0 username will force a password update on next login.

chage -l username will list a username's current settings.

chage -E YYYY-MM-DD will expire an account on a specific day.


Note

The date command can be used to calculate a date in the future.

[student@serverX ~]$ date -d "+45 days"
Sat Mar 22 11:47:06 EDT 2014


Restricting access

With the chage command, an account expiration can be set. Once that date is reached, the user cannot log into the system interactively. The usermod command can "lock" an account with the -L option.

[student@serverX ~]$ sudo usermod -L elvis
[student@serverX ~]$ su - elvis
Password: elvis
su: Authentication failure

When a user has left the company, the administrator may lock and expire an account with a single usermod command. The date must be given as the number of days since 1970.01.01.

[student@serverX ~]$ sudo usermod -L -e 1 elvis

Locking the account prevents the user from authenticating with a password to the system. It is the recommended method of preventing access to an account by an employee who has left the company. If the employee returns, the account can later be unlocked with usermod -U USERNAME. If the account was also expired, be sure to also change the expiration date.
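The shell functions below are an added example, not part of the course text. They tie the nine-field /etc/shadow format, the chage aging parameters and the usermod -L / -e locking above together by classifying a shadow record for a given day. The records are constructed (the hashes are placeholders), the day numbers are assumptions chosen so that 16104 corresponds to 2014-02-03, and "today" is passed in as days since 1970-01-01 rather than read from the clock.

```shell
#!/bin/sh
# Added example, not part of the course text: classify one /etc/shadow record
# using the nine-field format and the usermod -L / chage semantics explained
# above. Every record below is constructed (hashes are placeholders) and
# "today" is passed in as days since 1970-01-01, the unit chage itself uses,
# so the result does not depend on the clock. On a real system root would
# feed in a line from /etc/shadow and $(( $(date +%s) / 86400 )).

# name:password:lastchange:minage:maxage:warning:inactive:expire:blank
# 16104 is 2014-02-03 expressed as days since 1970-01-01.
SHADOW_OK='romeo:$6$saltsalt$PLACEHOLDERHASH:16104:0:90:7:14::'
SHADOW_LOCKED='elvis:!$6$saltsalt$PLACEHOLDERHASH:16104:0:90:7::1:'     # usermod -L -e 1
SHADOW_FORCED='juliet:$6$saltsalt$PLACEHOLDERHASH:0:0:99999:7:::'       # chage -d 0
SHADOW_STALE='hamlet:$6$saltsalt$PLACEHOLDERHASH:16000:0:90:7:14::'     # not changed in time
SHADOW_EXPIRED='ophelia:$6$saltsalt$PLACEHOLDERHASH:16000:0:90:7:14:16100:'  # chage -E

# shadow_status RECORD TODAY -> prints exactly one of:
#   locked | expired-account | must-change | inactive | password-expired | ok
shadow_status() {
    record=$1
    today=$2
    # Split the record on ":"; IFS applies to this read only.
    IFS=: read -r name pw last min max warn inact expire blank <<EOF
$record
EOF
    case "$pw" in
        '!'*|'*'*) printf 'locked\n'; return 0 ;;      # usermod -L, or never set
    esac
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        printf 'expired-account\n'; return 0           # account expiration date reached
    fi
    if [ "$last" = 0 ]; then
        printf 'must-change\n'; return 0               # change forced at next login
    fi
    if [ -n "$max" ] && [ "$max" -lt 99999 ]; then     # 99999 means no maximum age
        pw_expires=$((last + max))
        if [ "$today" -ge "$pw_expires" ]; then
            if [ -n "$inact" ] && [ "$today" -ge $((pw_expires + inact)) ]; then
                printf 'inactive\n'; return 0          # inactive window passed: locked
            fi
            printf 'password-expired\n'; return 0      # may still log in and change it
        fi
    fi
    printf 'ok\n'
}

# password_warning_due RECORD TODAY -> true (0) when the password expires
# within the record's warning period (the warn days (-W) window)
password_warning_due() {
    IFS=: read -r name pw last min max warn inact expire blank <<EOF
$1
EOF
    [ -n "$max" ] && [ "$max" -lt 99999 ] && [ $((last + max - $2)) -le "$warn" ]
}
```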

The nologin shell

Sometimes a user needs an account with a password to authenticate to a system, but does not need an interactive shell on the system. For example, a mail server may require an account to store mail and a password for the user to authenticate with a mail client used to retrieve mail. That user does not need to log directly into the system.

A common solution to this situation is to set the user's login shell to /sbin/nologin. If the user attempts to log into the system directly, the nologin "shell" will simply close the connection.

[root@serverX ~]# usermod -s /sbin/nologin student
[root@serverX ~]# su - student
Last login: Tue Feb  4 18:40:30 EST 2014 on pts/0
This account is currently not available.

Important

Use of the nologin shell prevents interactive use of the system, but does not prevent all access. A user may still be able to authenticate and upload or retrieve files through applications such as web applications, file transfer programs, or mail readers.


References

chage(1), usermod(8), shadow(5), crypt(3) man pages


Practice: Managing User Password Aging

Guided exercise

In this lab, you will set unique password policies for users.

Outcomes

The password for romeo must be changed when the user first logs into the system, every 90 days thereafter, and the account expires in 180 days.

Before you begin

Perform the following steps on serverX unless directed otherwise.

1. Explore locking and unlocking accounts.

1.1. Lock the romeo account.

[student@serverX ~]$ sudo usermod -L romeo

1.2. Attempt to log in as romeo.

[student@serverX ~]$ su - romeo
Password: romeo
su: Authentication failure

1.3. Unlock the romeo account.

[student@serverX ~]$ sudo usermod -U romeo

2. Change the password policy for romeo to require a new password every 90 days.

[student@serverX ~]$ sudo chage -M 90 romeo
[student@serverX ~]$ sudo chage -l romeo
Last password change                               : Feb 03, 2014
Password expires                                   : May 04, 2014
Password inactive                                  : never
Account expires                                    : never
Minimum number of days between password change     : 0
Maximum number of days between password change     : 90
Number of days of warning before password expires  : 7
3. Additionally, force a password change on the first login for the romeo account.

[student@serverX ~]$ sudo chage -d 0 romeo
4. Log in as romeo and change the password to forsooth123.

[student@serverX ~]$ su - romeo
Password: romeo
You are required to change your password immediately (root enforced)


Changing password for romeo.
(current) UNIX password: romeo
New password: forsooth123
Retype new password: forsooth123
[romeo@serverX ~]$ exit

5. Expire accounts in the future.

5.1. Determine a date 180 days in the future.

[student@serverX ~]$ date -d "+180 days"
Sat Aug  2 17:05:20 EDT 2014
5.2. Set accounts to expire on that date.

[student@serverX ~]$ sudo chage -E 2014-08-02 romeo
[student@serverX ~]$ sudo chage -l romeo
Last password change                               : Feb 03, 2014
Password expires                                   : May 04, 2014
Password inactive                                  : never
Account expires                                    : Aug 02, 2014
Minimum number of days between password change     : 0
Maximum number of days between password change     : 90
Number of days of warning before password expires  : 7
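Every setting used in this practice (usermod -L, chage -d 0, chage -M, chage -E) is recorded in a field of shadow(5), and the nologin shell from the previous section only closes interactive sessions; both can be reviewed directly from those files. The script below is an added example and is not part of the course: shadow_status, interactive_accounts and the sample lines with placeholder hashes are constructed here, and dates are given as days since 1970-01-01 so that the checks do not depend on the clock.

```shell
#!/bin/sh
# Added example (not from the RH124 course): read the shadow(5) fields that
# usermod -L/-U and chage -d/-M/-E modify and report what they mean for login.
# shadow(5) line: name:passwd:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; "today" is passed in the same
# unit so that the result does not depend on the clock (2014-02-04 = day 16105).
#
# Usage: shadow_status '<shadow line>' <today-in-days>   -> prints "name: STATE"
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        name = $1; pw = $2; lastchg = $3; max = $5; expire = $8
        # usermod -L prefixes the hash with "!": no password can match it any more
        if (pw ~ /^!/) { print name ": LOCKED"; exit }
        # chage -E sets an absolute expiry date; past it, login is refused outright
        if (expire != "" && today > expire + 0) { print name ": ACCOUNT_EXPIRED"; exit }
        # an empty lastchg field disables password aging for the account
        if (lastchg == "") { print name ": OK"; exit }
        # chage -d 0 zeroes lastchg, which forces a new password at the next login
        if (lastchg + 0 == 0) { print name ": MUST_CHANGE"; exit }
        # chage -M sets max; a password older than max days has expired
        if (max != "" && today - lastchg > max + 0) { print name ": PASSWORD_EXPIRED"; exit }
        print name ": OK"
    }'
}

# A nologin shell stops interactive logins only. This lists the passwd(5) entries
# (read from stdin) whose shell still permits an interactive session, for review.
interactive_accounts() {
    awk -F: '$7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Constructed sample data with placeholder hashes, mirroring the practice above;
# "today" is 2014-02-04 (day 16105).
demo() {
    today=16105
    shadow_status 'romeo:$6$placeholder:0:0:90:7:::'           "$today"  # romeo: MUST_CHANGE
    shadow_status 'juliet:!$6$placeholder:16071:0:90:7:::'     "$today"  # juliet: LOCKED
    shadow_status 'bboop:$6$placeholder:16105:0:15:7::16195:'  "$today"  # bboop: OK
    shadow_status 'sspade:$6$placeholder:16000:0:30:7:::'      "$today"  # sspade: PASSWORD_EXPIRED
    shadow_status 'dtracy:$6$placeholder:16080:0:30:7::16100:' "$today"  # dtracy: ACCOUNT_EXPIRED
    printf '%s\n' 'student:x:1000:1000::/home/student:/bin/bash' \
                  'romeo:x:1001:1001::/home/romeo:/sbin/nologin' | interactive_accounts  # student
}
demo
```

On a real system the same functions can be fed with `sudo awk -F: ... /etc/shadow` and `getent passwd`, using `$(( $(date +%s) / 86400 ))` as the day number.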

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-
-
 

-

-

-

-

138

RH124-RHEL7-en-1-20140606

-

 

-

-

Lab: Managing Local Linux Users and Groups

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

Lab: Managing Local Linux Users and Groups

Performance checklist

In this lab, you will define a default password policy, create a supplementary group of three new users, and modify the password policy of one user.

Outcomes

A new group on serverX called consultants, including three new user accounts for Sam Spade, Betty Boop, and Dick Tracy.

All new accounts should require that passwords be changed at first login and every 30 days thereafter.

The new consultant accounts should expire at the end of the 90-day contract, and Betty Boop must change her password every 15 days.

Before you begin

Reset your serverX system.

1. Ensure that newly created users have passwords which must be changed every 30 days.

2. Create a new group named consultants with a GID of 40000.

3. Create three new users: sspade, bboop, and dtracy, with a password of default and add them to the supplementary group consultants. The primary group should remain as the user private group.

4. Determine the date 90 days in the future and set each of the three new user accounts to expire on that date.

5. Change the password policy for the bboop account to require a new password every 15 days.

6. Additionally, force all users to change their password on first login.

7. When you finish, run the lab localusers grade evaluation script to confirm you have done everything correctly.


Solution

In this lab, you will define a default password policy, create a supplementary group of three new users, and modify the password policy of one user.

Outcomes

A new group on serverX called consultants, including three new user accounts for Sam Spade, Betty Boop, and Dick Tracy.

All new accounts should require that passwords be changed at first login and every 30 days thereafter.

The new consultant accounts should expire at the end of the 90-day contract, and Betty Boop must change her password every 15 days.


Before you begin

 

Reset your serverX system.

 

1. Ensure that newly created users have passwords which must be changed every 30 days.

[student@serverX ~]$ sudo vim /etc/login.defs
[student@serverX ~]$ cat /etc/login.defs
Output omitted
PASS_MAX_DAYS 30
PASS_MIN_DAYS 0
PASS_MIN_LEN  5
PASS_WARN_AGE 7
Output omitted

2. Create a new group named consultants with a GID of 40000.

[student@serverX ~]$ sudo groupadd -g 40000 consultants
[student@serverX ~]$ tail -5 /etc/group
pesign:x:989:
stapdev:x:158:
tcpdump:x:72:
slocate:x:21:
consultants:x:40000:


3. Create three new users: sspade, bboop, and dtracy, with a password of default and add them to the supplementary group consultants. The primary group should remain as the user private group.

[student@serverX ~]$ sudo useradd -G consultants sspade
[student@serverX ~]$ sudo useradd -G consultants bboop
[student@serverX ~]$ sudo useradd -G consultants dtracy
[student@serverX ~]$ tail -5 /etc/group
slocate:x:21:
consultants:x:40000:sspade,bboop,dtracy
sspade:x:1001:
bboop:x:1002:
dtracy:x:1003:
[student@serverX ~]$ sudo passwd sspade
Changing password for user sspade.
New password: default
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: default
passwd: all authentication tokens updated successfully.
[student@serverX ~]$ sudo passwd bboop
Changing password for user bboop.
New password: default
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: default
passwd: all authentication tokens updated successfully.
[student@serverX ~]$ sudo passwd dtracy
Changing password for user dtracy.
New password: default
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: default
passwd: all authentication tokens updated successfully.

4. Determine the date 90 days in the future and set each of the three new user accounts to expire on that date.

[student@serverX ~]$ date -d "+90 days"
Mon May  5 11:49:24 EDT 2014
[student@serverX ~]$ sudo chage -E 2014-05-05 sspade
[student@serverX ~]$ sudo chage -E 2014-05-05 bboop
[student@serverX ~]$ sudo chage -E 2014-05-05 dtracy

5. Change the password policy for the bboop account to require a new password every 15 days.

[student@serverX ~]$ sudo chage -M 15 bboop
[student@serverX ~]$ sudo chage -l bboop
Last password change                               : Feb 04, 2014
Password expires                                   : Feb 19, 2014
Password inactive                                  : never
Account expires                                    : May 05, 2014
Minimum number of days between password change     : 0
Maximum number of days between password change     : 15
Number of days of warning before password expires  : 7

6. Additionally, force all users to change their password on first login.

[student@serverX ~]$ sudo chage -d 0 sspade
[student@serverX ~]$ sudo chage -d 0 bboop
[student@serverX ~]$ sudo chage -d 0 dtracy

7. When you finish, run the lab localusers grade evaluation script to confirm you have done everything correctly.

[student@serverX ~]$ lab localusers grade


Summary

Users and Groups
List the roles of users and groups on a Linux system and view the local configuration files.

Gaining Superuser Access
Escalate privilege to run commands as the superuser.

Managing Local User Accounts
Add, remove, and modify local users with command-line tools.

Managing Local Group Accounts
Manage local groups with command-line tools.

Managing User Passwords
Manage password aging policies for users and manually lock, unlock, and expire accounts.


CHAPTER 6

CONTROLLING ACCESS TO FILES WITH LINUX FILE SYSTEM PERMISSIONS

Overview

Goal
To set Linux file system permissions on files and interpret the security effects of different permission settings.

Objectives
• Explain how the Linux file permissions model works.
• Change the permissions and ownership of files using command-line tools.
• Configure a directory in which newly created files are automatically writable by members of the group which owns the directory, using special permissions and default umask settings.

Sections
• Linux File System Permissions (and Practice)
• Managing File System Permissions from the Command Line (and Practice)
• Managing Default Permissions and File Access (and Practice)

Lab
• Controlling Access to Files with Linux File System Permissions


Chapter 6. Controlling Access to Files with Linux File System Permissions

Linux File System Permissions

Objectives

After completing this section, students should be able to explain how the Linux file permissions model works.

Linux file system permissions

Access to files by users is controlled by file permissions. The Linux file permissions system is simple but flexible, which makes it easy to understand and apply, yet able to handle most normal permission cases easily.

Files have just three categories of user to which permissions apply. The file is owned by a user, normally the one who created the file. The file is also owned by a single group, usually the primary group of the user who created the file, but this can be changed. Different permissions can be set for the owning user, the owning group, and for all other users on the system that are not the user or a member of the owning group.

The most specific permissions apply. So, user permissions override group permissions, which override other permissions.

In the graphic that follows, joshua is a member of the groups joshua and web, while allison is a member of allison, wheel, and web. When joshua and allison have the need to collaborate, the files should be associated with the group web and the group permissions should allow the desired access.

Figure 6.1: Group membership illustration

There are also just three categories of permissions which apply: read, write, and execute. These permissions affect access to files and directories as follows:

Effects of permissions on files and directories

Permission   Effect on files                        Effect on directories
r (read)     Contents of the file can be read.      Contents of the directory (file names) can be listed.
w (write)    Contents of the file can be changed.   Any file in the directory may be created or deleted.
x (exec)     Files can be executed as commands.     Contents of the directory can be accessed (dependent on the permissions of the files in the directory).


Note that users normally have both read and exec on read-only directories, so that they can list the directory and access its contents. If a user only has read access on a directory, the names of the files in it can be listed, but no other information, including permissions or time stamps, are available, nor can they be accessed. If a user only has exec access on a directory, they cannot list the names of the files in the directory, but if they already know the name of a file which they have permission to read, then they can access the contents of that file by explicitly specifying the file name.

A file may be removed by anyone who has write permission to the directory in which the file resides, regardless of the ownership or permissions on the file itself. (This can be overridden with a special permission, the sticky bit, which will be discussed at the end of the unit.)

Viewing file/directory permissions and ownership

The -l option of the ls command will expand the file listing to include both the permissions of a file and the ownership:

[student@desktopX ~]$ ls -l test
-rw-rw-r--. 1 student student 0 Feb  8 17:36 test

The command ls -l directoryname will show the expanded listing of all of the files that reside inside the directory. To prevent the descent into the directory and see the expanded listing of the directory itself, add the -d option to ls:

[student@desktopX ~]$ ls -ld /home
drwxr-xr-x. 5 root root 4096 Jan 31 22:00 /home
Note

Unlike NTFS permissions, Linux permissions only apply to the directory or file that they are set on. Permissions on a directory are not inherited automatically by the subdirectories and files within it. (The permissions on a directory may effectively block access to its contents, however.) All permissions in Linux are set directly on each file or directory.

The read permission on a directory in Linux is roughly equivalent to List folder contents in Windows.

The write permission on a directory in Linux is equivalent to Modify in Windows; it implies the ability to delete files and subdirectories. In Linux, if write and the sticky bit are both set on a directory, then only the user that owns a file or subdirectory in the directory may delete it, which is close to the behavior of the Windows Write permission.

Root has the equivalent of the Windows Full Control permission on all files in Linux. However, root may still have access restricted by the system's SELinux policy and the security context of the process and files in question. SELinux will be discussed in a later course.

Examples: Linux user, group, other concepts

Users and their groups:

    lucy     lucy, ricardo
    ricky    ricky, ricardo
    ethel    ethel, mertz
    fred     fred, mertz

File attributes (permissions, user & group ownership, name):

    drwxrwxr-x   ricky   ricardo   dir (which contains the following files)
    -rw-rw-r--   lucy    lucy      lfile1
    -rw-r--rw-   lucy    ricardo   lfile2
    -rw-rw-r--   ricky   ricardo   rfile1
    -rw-r-----   ricky   ricardo   rfile2

Allowed/denied behavior, with the controlling permissions indented below each:

lucy is the only person who can change the contents of lfile1.
    lucy has write permissions on the file lfile1 as the owner. No one is listed as a member of the group lucy. The permissions for other do not include write permissions.

ricky can view the contents of lfile2, but cannot modify the contents of lfile2.
    ricky is a member of the group ricardo, and that group has read-only permissions on lfile2. Even though other has write permissions, group permissions take precedence.

ricky can delete lfile1 and lfile2.
    ricky has write permissions on the directory containing both files, and as such, he can delete any file in that directory.

ethel can change the contents of lfile2.
    Since ethel is not lucy, and is not a member of the ricardo group, other permissions apply to her, and those include write permission.

lucy can change the contents of rfile1.
    lucy is a member of the ricardo group, and that group has both read and write permissions on rfile1.

ricky can view and modify the contents of rfile2.
    ricky owns the file and has both read and write access to rfile2.

lucy can view but not modify the contents of rfile2.
    lucy is a member of the ricardo group, and that group has read-only access to rfile2.

ethel and fred do not have any access to the contents of rfile2.
    other permissions apply to ethel and fred, and those permissions do not include read or write permission.
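The rule behind every row above is that only one class of permission bits is ever consulted, the most specific one, and the classes are never combined. As an added illustration that is not part of the course text, the following POSIX shell functions (can_access, in_list, can_delete_in and show are names chosen here) apply that rule and check it against the lucy/ricky/ethel/fred table; the sample calls are constructed from that table.

```shell
#!/bin/sh
# Added example (not from the RH124 course): the "most specific class wins" rule of
# the Linux permission model, applied to the lucy/ricky/ethel/fred table above.
# Exactly one class is consulted: owner if the user owns the file, else group if the
# user belongs to the file's group, else other. The classes are never combined, which
# is why ricky cannot write lfile2 although "other" has write permission on it.
#
# Usage: can_access <user> "<groups of user>" <mode from ls -l> <owner> <group> <r|w|x>
# Returns 0 when the permission is granted, 1 when it is denied.
can_access() {
    user=$1 grps=$2 mode=$3 owner=$4 group=$5 want=$6
    # In a mode string such as -rw-r--rw-, characters 2-4 are the owner bits,
    # 5-7 the group bits and 8-10 the other bits (a trailing "." is SELinux, ignored).
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    elif in_list "$group" "$grps"; then
        bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    case $want in
        r) [ "$(printf '%s' "$bits" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$bits" | cut -c2)" = w ] ;;
        x) [ "$(printf '%s' "$bits" | cut -c3)" = x ] ;;
        *) return 2 ;;
    esac
}

# True when $1 is one of the space-separated words in $2.
in_list() {
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# Removing or creating a name inside a directory needs write AND execute on the
# directory itself; the permissions on the file being removed play no part.
can_delete_in() {
    can_access "$1" "$2" "$3" "$4" "$5" w && can_access "$1" "$2" "$3" "$4" "$5" x
}

# show <user> "<groups>" <mode> <owner> <group> <perm> <name>: one row of the table
show() {
    if can_access "$1" "$2" "$3" "$4" "$5" "$6"; then v=granted; else v=denied; fi
    printf '%-6s %s on %-7s (%s %s:%s): %s\n' "$1" "$6" "$7" "$3" "$4" "$5" "$v"
}
show lucy  "lucy ricardo"  -rw-rw-r-- lucy  lucy    w lfile1   # granted: owner bits
show ricky "ricky ricardo" -rw-r--rw- lucy  ricardo w lfile2   # denied: group bits, not other
show ethel "ethel mertz"   -rw-r--rw- lucy  ricardo w lfile2   # granted: other bits
show lucy  "lucy ricardo"  -rw-rw-r-- ricky ricardo w rfile1   # granted: group bits
show ethel "ethel mertz"   -rw-r----- ricky ricardo r rfile2   # denied: other has no bits
```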

References

ls(1) man page

info coreutils (GNU Coreutils)
    Section 13: Changing file attributes