Chapter 5. Managing Local Linux Users and Groups

[student@serverX ~]$ sudo tail /var/log/secure
Feb 19 15:23:36 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/sbin/usermod -L student
Feb 19 15:23:36 localhost usermod[16325]: lock user 'student' password
Feb 19 15:23:47 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/bin/tail /var/log/secure

In Red Hat Enterprise Linux 7, all members of group wheel can use sudo to run commands as any user, including root. The user will be prompted for their own password. This is a change from Red Hat Enterprise Linux 6 and earlier. Users who were members of group wheel did not get this administrative access by default in RHEL 6 and earlier.

To enable similar behavior on earlier versions of Red Hat Enterprise Linux, use visudo to edit the configuration file and uncomment the line allowing the group wheel to run all commands.

[root@desktopX ~]# cat /etc/sudoers
...Output omitted...
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
...Output omitted...
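The two things an administrator wants to check after reading the above are which sudoers entries grant commands without a password, and what sudo has actually been used for according to /var/log/secure. The following script is an added example, not part of the Red Hat course text: it works on constructed copies of both files embedded in the script (the sudoers lines mirror the ones shown, plus two extra entries to give the check something to find), so it runs without root. On a live system the same functions would be fed the real /etc/sudoers and /var/log/secure.

```shell
#!/bin/sh
# Added example (not from the course text): audit sudo configuration and
# sudo usage from text supplied as arguments. All input here is constructed.

# Constructed /etc/sudoers excerpt, modelled on the one shown in the course,
# with two additional (constructed) entries that grant NOPASSWD.
SAMPLE_SUDOERS='## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
%deploy ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync'

# Constructed /var/log/secure excerpt in the sudo line format shown above.
SAMPLE_SECURE='Feb 19 15:23:36 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/sbin/usermod -L student
Feb 19 15:23:36 localhost usermod[16325]: lock user '\''student'\'' password
Feb 19 15:23:47 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/bin/tail /var/log/secure
Feb 19 15:25:02 localhost sudo: elvis : TTY=pts/1 ; PWD=/home/elvis ; USER=root ; COMMAND=/bin/bash'

# List the user or %group specs allowed to run something with NOPASSWD.
# Comment lines are skipped, so the commented-out wheel line from the
# course example is (correctly) not reported. Output: one spec per line.
sudoers_nopasswd() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }          # comment lines
        /NOPASSWD:/      { print $1 }      # first field: user or %group
    '
}

# Extract "invoking-user target-user command" from sudo log lines.
# Lines written by other programs (usermod here) have no "sudo:" tag.
sudo_log_commands() {
    printf '%s\n' "$1" | awk '
        $5 == "sudo:" {
            user = $6; tgt = ""; cmd = ""
            for (i = 7; i <= NF; i++) {
                if ($i ~ /^USER=/) tgt = substr($i, 6)
                if ($i ~ /^COMMAND=/) {
                    cmd = substr($i, 9)
                    for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
                    break
                }
            }
            print user, tgt, cmd
        }
    '
}

# Number of sudo invocations recorded for one invoking user.
sudo_count_for() {
    sudo_log_commands "$1" | awk -v u="$2" '$1 == u { n++ } END { print n + 0 }'
}

echo "NOPASSWD grants:"
sudoers_nopasswd "$SAMPLE_SUDOERS"
echo "sudo commands run:"
sudo_log_commands "$SAMPLE_SECURE"
```

Run as is, the script reports %deploy and backup as the NOPASSWD grantees (the commented wheel line is ignored) and lists the three sudo invocations with their invoking user, target user and command; the usermod line in the same log is not a sudo record and is skipped.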

Warning
RHEL 6 did not grant group wheel any special privileges by default. Sites which have been using this group may be surprised when RHEL 7 automatically grants all members of wheel full sudo privileges. This could lead to unauthorized users getting superuser access to RHEL 7 systems.

Historically, membership in group wheel has been used by Unix-like systems to grant or control superuser access.

Most system administration applications with a GUI use PolicyKit to prompt users for authentication and to manage root access. In Red Hat Enterprise Linux 7, PolicyKit may also prompt members of group wheel for their own password in order to get root privileges when using graphical tools. This is similar to the way in which they can use sudo to get those privileges at the shell prompt. PolicyKit grants these privileges based on its own configuration settings, separate from sudo. Advanced students may be interested in the pkexec(1) and polkit(8) man pages for details on how this system works, but it is beyond the scope of this course.

120 RH124-RHEL7-en-1-20140606

Running commands as root with sudo
References
su(1) and sudo(8) man pages

info libc (GNU C Library Reference Manual)
• Section 29.2: The Persona of a Process

(Note that the glibc-devel package must be installed for this info node to be available.)


Practice: Running Commands as root

Guided exercise

In this lab, you will practice running commands as root.

Outcomes
Use su with and without login scripts to switch users. Use sudo to run commands with privilege.

Before you begin...
Reset your serverX system.

□ 1. Log into the GNOME desktop on serverX as student with a password of student.

□ 2. Open a window with a Bash prompt.
Select Applications > Utilities > Terminal.

□ 3. Explore characteristics of the current student login environment.

□ 3.1. View the user and group information and display the current working directory.

[student@serverX ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student@serverX ~]$ pwd
/home/student

□ 3.2. View the variables which specify the home directory and the locations searched for executable files.

[student@serverX ~]$ echo $HOME
/home/student
[student@serverX ~]$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/home/student/.local/bin:/home/student/bin
□ 4. Switch to root without the dash and explore characteristics of the new environment.

□ 4.1. Become the root user at the shell prompt.

[student@serverX ~]$ su
Password: redhat

□ 4.2. View the user and group information and display the current working directory. Note the identity changed, but not the current working directory.

[root@serverX student]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@serverX student]# pwd
/home/student
□ 4.3. View the variables which specify the home directory and the locations searched for executable files. Look for references to the student and root accounts.

[root@serverX student]# echo $HOME
/root
[root@serverX student]# echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/home/student/.local/bin:/home/student/bin

□ 4.4. Exit the shell to return to the student user.

[root@serverX student]# exit
exit

□ 5. Switch to root with the dash and explore characteristics of the new environment.

□ 5.1. Become the root user at the shell prompt. Be sure all the login scripts are also executed.

[student@serverX ~]$ su -
Password: redhat

□ 5.2. View the user and group information and display the current working directory.

[root@serverX ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@serverX ~]# pwd
/root

□ 5.3. View the variables which specify the home directory and the locations searched for executable files. Look for references to the student and root accounts.

[root@serverX ~]# echo $HOME
/root
[root@serverX ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

□ 5.4. Exit the shell to return to the student user.

[root@serverX ~]# exit
logout

□ 6. Run several commands as student which require root access.

□ 6.1. View the last 5 lines of the /var/log/messages.

[student@serverX ~]$ tail -5 /var/log/messages
tail: cannot open '/var/log/messages' for reading: Permission denied
[student@serverX ~]$ sudo tail -5 /var/log/messages
Feb 3 15:07:22 localhost su: (to root) root on pts/0
Feb 3 15:10:01 localhost systemd: Starting Session 31 of user root.
Feb 3 15:10:01 localhost systemd: Started Session 31 of user root.
Feb 3 15:12:05 localhost su: (to root) root on pts/0
Feb 3 15:14:47 localhost su: (to student) root on pts/0

□ 6.2. Make a backup of a configuration file in the /etc directory.

[student@serverX ~]$ cp /etc/motd /etc/motdOLD
cp: cannot create regular file '/etc/motdOLD': Permission denied
[student@serverX ~]$ sudo cp /etc/motd /etc/motdOLD

□ 6.3. Remove the /etc/motdOLD file that was just created.

[student@serverX ~]$ rm /etc/motdOLD
rm: remove write-protected regular empty file '/etc/motdOLD'? y
rm: cannot remove '/etc/motdOLD': Permission denied
[student@serverX ~]$ sudo rm /etc/motdOLD

□ 6.4. Edit a configuration file in the /etc directory.

[student@serverX ~]$ echo "Welcome to class" >> /etc/motd
-bash: /etc/motd: Permission denied
[student@serverX ~]$ sudo vim /etc/motd

Managing Local User Accounts

Objectives
After completing this section, students should be able to create, modify, lock, and delete locally defined user accounts.

Managing local users

A number of command-line tools can be used to manage local user accounts.

useradd creates users
• useradd username sets reasonable defaults for all fields in /etc/passwd when run without options. The useradd command does not set any valid password by default, and the user cannot log in until a password is set.

• useradd --help will display the basic options that can be used to override the defaults. In most cases, the same options can be used with the usermod command to modify an existing user.

• Some defaults, such as the range of valid UID numbers and default password aging rules, are read from the /etc/login.defs file. Values in this file are only used when creating new users. A change to this file will not have an effect on any existing users.

usermod modifies existing users
• usermod --help will display the basic options that can be used to modify an account. Some common options include:

usermod options:
-c, --comment COMMENT   Add a value, such as a full name, to the GECOS field.
-g, --gid GROUP         Specify the primary group for the user account.
-G, --groups GROUPS     Specify a list of supplementary groups for the user account.
-a, --append            Used with the -G option to append the user to the supplemental groups mentioned without removing the user from other groups.
-d, --home HOME_DIR     Specify a new home directory for the user account.
-m, --move-home         Move a user home directory to a new location. Must be used with the -d option.
-s, --shell SHELL       Specify a new login shell for the user account.
-L, --lock              Lock a user account.
-U, --unlock            Unlock a user account.

userdel deletes users
• userdel username removes the user from /etc/passwd, but leaves the home directory intact by default.

• userdel -r username removes the user and the user's home directory.


Warning
When a user is removed with userdel without the -r option specified, the system will have files that are owned by an unassigned user ID number. This can also happen when files created by a deleted user exist outside their home directory. This situation can lead to information leakage and other security issues.

In Red Hat Enterprise Linux 7 the useradd command assigns new users the first free UID number available in the range starting from UID 1000 or above (unless one is explicitly specified with the -u UID option). This is how information leakage can occur: If the first free UID number had been previously assigned to a user account which has since been removed from the system, the old user's UID number will get reassigned to the new user, giving the new user ownership of the old user's remaining files. The following scenario demonstrates this situation:

[root@serverX ~]# useradd prince
[root@serverX ~]# ls -l /home
drwx------. 3 prince prince 74 Feb 4 15:22 prince
[root@serverX ~]# userdel prince
[root@serverX ~]# ls -l /home
drwx------. 3 1000 1000 74 Feb 4 15:22 prince
[root@serverX ~]# useradd bob
[root@serverX ~]# ls -l /home
drwx------. 3 bob bob 74 Feb 4 15:23 bob
drwx------. 3 bob bob 74 Feb 4 15:22 prince

Notice that bob now owns all files that prince once owned. Depending on the situation, one solution to this problem is to remove all "unowned" files from the system when the user that created them is deleted. Another solution is to manually assign the "unowned" files to a different user. The root user can find "unowned" files and directories by running: find / -nouser -o -nogroup 2> /dev/null.
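The scenario above can be reproduced on paper without touching a real account database. The script below is an added example and not part of the course text: it takes a constructed /etc/passwd in the state after "userdel prince" (prince held UID 1002 in this constructed data) together with a constructed owner listing of the kind "stat -c '%u %n'" produces, then computes which UID useradd would hand to the next account, the way the warning describes (lowest unused UID at or above UID_MIN), and which files that UID would silently inherit. On a live system the second function is what "find / -nouser" does for you.

```shell
#!/bin/sh
# Added example (not from the course text): why userdel without -r leaks files
# to the next account useradd creates, and how to find such files. All input
# below is constructed.

# Constructed /etc/passwd after "userdel prince": prince (UID 1002) is gone,
# bob has not been created yet.
PASSWD_AFTER_DEL='root:x:0:0:root:/root:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
student:x:1000:1000:Student User:/home/student:/bin/bash
juliet:x:1001:1001::/home/juliet:/bin/bash
romeo:x:1003:1003::/home/romeo:/bin/bash'

# Constructed owner listing ("numeric UID, path" per line, no spaces in paths).
# /home/prince and a stray file in /tmp still carry prince's old UID.
FILES='0 /etc/motd
1000 /home/student
1002 /home/prince
1002 /tmp/prince-notes.txt
1001 /home/juliet'

# Mimic useradd's default: the lowest UID >= $2 (UID_MIN, 1000 in RHEL 7's
# /etc/login.defs) that no line of the passwd text ($1) already uses.
next_free_uid() {
    printf '%s\n' "$1" | awk -F: -v min="$2" '
        { used[$3] = 1 }
        END { uid = min; while (uid in used) uid++; print uid }
    '
}

# Files ($2) whose owner UID has no entry in the passwd text ($1), i.e. what
# "find / -nouser" would report. Output: "uid path" per line.
unowned_files() {
    printf '%s\n' "$2" | awk -v pw="$1" '
        BEGIN {
            n = split(pw, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); known[f[3]] = 1 }
        }
        !($1 in known) { print $1, $2 }
    '
}

# Show what "useradd bob" would do next on this data.
uid=$(next_free_uid "$PASSWD_AFTER_DEL" 1000)
echo "next useradd gets UID $uid; unowned files it would acquire:"
unowned_files "$PASSWD_AFTER_DEL" "$FILES" | awk -v u="$uid" '$1 == u'
```

With the constructed data the next account receives UID 1002 and, with it, /home/prince and /tmp/prince-notes.txt; reassigning or removing those files before the next useradd (or giving the new account an explicit -u outside the reused range) closes the gap.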

id displays user information
• id will display user information, including the user's UID number and group memberships.

• id username will display user information for username, including the user's UID number and group memberships.

passwd sets passwords
• passwd username can be used to either set the user's initial password or change that user's password.

• The root user can set a password to any value. A message will be displayed if the password does not meet the minimum recommended criteria, but is followed by a prompt to retype the new password and all tokens are updated successfully.

[root@serverX ~]# passwd student
Changing password for user student.
New password: redhat123
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: redhat123
passwd: all authentication tokens updated successfully.

• A regular user must choose a password which is at least 8 characters in length and is not based on a dictionary word, the username, or the previous password.
-

UID ranges
Specific UID numbers and ranges of numbers are used for specific purposes by Red Hat Enterprise Linux.

• UID 0 is always assigned to the superuser account, root.

• UID 1-200 is a range of "system users" assigned statically to system processes by Red Hat.

• UID 201-999 is a range of "system users" used by system processes that do not own files on the file system. They are typically assigned dynamically from the available pool when the software that needs them is installed. Programs run as these "unprivileged" system users in order to limit their access to just the resources they need to function.

• UID 1000+ is the range available for assignment to regular users.

Note
Prior to Red Hat Enterprise Linux 7, the convention was that UID 1-499 was used for system users and UID 500+ for regular users. Default ranges used by useradd and groupadd can be changed in the /etc/login.defs file.
-

-
References
useradd(8), usermod(8), userdel(8) man pages

Practice: Creating Users Using Command-line Tools

Guided exercise

In this lab, you will create a number of users on your serverX system, setting and recording an initial password for each user.

Outcomes
A system with additional user accounts.

Before you begin...
Reset your serverX system.

□ 1. Log into the GNOME desktop on serverX as student with a password of student.

□ 2. Open a window with a Bash prompt.
Select Applications > Utilities > Terminal.

□ 3. Become the root user at the shell prompt.

[student@serverX ~]$ su -
Password: redhat

□ 4. Add the user juliet.

[root@serverX ~]# useradd juliet

□ 5. Confirm that juliet has been added by examining the /etc/passwd file.

[root@serverX ~]# tail -2 /etc/passwd
tcpdump:x:72:72::/:/sbin/nologin
juliet:x:1001:1001::/home/juliet:/bin/bash

□ 6. Use the passwd command to initialize juliet's password.

[root@serverX ~]# passwd juliet
Changing password for user juliet.
New password: juliet
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: juliet
passwd: all authentication tokens updated successfully.

□ 7. Continue adding the remaining users in the steps below and set initial passwords.

□ 7.1. romeo

[root@serverX ~]# useradd romeo
[root@serverX ~]# passwd romeo
Changing password for user romeo.
New password: romeo
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: romeo
passwd: all authentication tokens updated successfully.

□ 7.2. hamlet

[root@serverX ~]# useradd hamlet
[root@serverX ~]# passwd hamlet

□ 7.3. reba

[root@serverX ~]# useradd reba
[root@serverX ~]# passwd reba

□ 7.4. dolly

[root@serverX ~]# useradd dolly
[root@serverX ~]# passwd dolly

□ 7.5. elvis

[root@serverX ~]# useradd elvis
[root@serverX ~]# passwd elvis
Managing Local Group Accounts

Objectives
After completing this section, students should be able to create, modify, and delete locally defined group accounts.
-

Managing supplementary groups

A group must exist before a user can be added to that group. Several command-line tools are used to manage local group accounts.

groupadd creates groups
• groupadd groupname without options uses the next available GID from the range specified in the /etc/login.defs file.

• The -g GID option is used to specify a specific GID.

[student@serverX ~]$ sudo groupadd -g 5000 ateam

Note
Given the automatic creation of user private groups (GID 1000+), it is generally recommended to set aside a range of GID numbers to be used for supplementary groups. A higher range will avoid a collision with a system group (GID 0-999).

• The -r option will create a system group using a GID from the range of valid system GID numbers listed in the /etc/login.defs file.

[student@serverX ~]$ sudo groupadd -r appusers

groupmod modifies existing groups
• The groupmod command is used to change a group name to a GID mapping. The -n option is used to specify a new name.

[student@serverX ~]$ sudo groupmod -n javaapp appusers

• The -g option is used to specify a new GID.

[student@serverX ~]$ sudo groupmod -g 6000 ateam

groupdel deletes a group
• The groupdel command will remove a group.

[student@serverX ~]$ sudo groupdel javaapp

• A group may not be removed if it is the primary group of any existing user. As with userdel, check all file systems to ensure that no files remain owned by the group.

usermod alters group membership
• The membership of a group is controlled with user management. Change a user's primary group with usermod -g groupname.

• Add a user to a supplementary group with usermod -aG groupname username.

[student@serverX ~]$ sudo usermod -aG wheel elvis

Important
The use of the -a option makes usermod function in "append" mode. Without it, the user would be removed from all other supplementary groups.
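The difference the Important note describes is easy to see on data rather than on a live account database. The script below is an added example, not part of the course text: it carries a constructed /etc/group in which elvis already belongs to wheel and artists, and models the two forms of usermod as a rewrite of that text ("replace" for usermod -G, "append" for usermod -aG) so that the resulting memberships can be compared. The real usermod performs the same edit on /etc/group and /etc/gshadow.

```shell
#!/bin/sh
# Added example (not from the course text): what "usermod -G" does to a
# user's supplementary groups with and without -a, modelled on a constructed
# copy of /etc/group.

# Constructed /etc/group; elvis is already in wheel and artists.
GROUP_FILE='root:x:0:
wheel:x:10:student,elvis
artists:x:30001:reba,dolly,elvis
shakespeare:x:30000:juliet,romeo,hamlet'

# Supplementary groups of user $2 in group text $1, comma-separated, file order.
supplementary_groups() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { sep = (out == "") ? "" : ","; out = out sep $1 }
        }
        END { print out }
    '
}

# Rewrite group text $1 for user $2 and group list $3 (comma-separated).
# mode $4 = "replace": membership becomes exactly $3      (usermod -G)
# mode $4 = "append":  $3 is added to existing membership (usermod -aG)
set_membership() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v u="$2" -v groups="$3" -v mode="$4" '
        BEGIN { g = split(groups, want, ","); for (i = 1; i <= g; i++) wanted[want[i]] = 1 }
        {
            n = split($4, m, ","); members = ""; was_member = 0
            for (i = 1; i <= n; i++) {
                if (m[i] == u) { was_member = 1; continue }      # drop, re-add below
                if (m[i] != "") { sep = (members == "") ? "" : ","; members = members sep m[i] }
            }
            keep = ($1 in wanted) || (mode == "append" && was_member)
            if (keep) { sep = (members == "") ? "" : ","; members = members sep u }
            $4 = members
            print
        }
    '
}

echo "before:      $(supplementary_groups "$GROUP_FILE" elvis)"
AFTER_REPLACE=$(set_membership "$GROUP_FILE" elvis shakespeare replace)
echo "usermod -G:  $(supplementary_groups "$AFTER_REPLACE" elvis)"
AFTER_APPEND=$(set_membership "$GROUP_FILE" elvis shakespeare append)
echo "usermod -aG: $(supplementary_groups "$AFTER_APPEND" elvis)"
```

Adding elvis to shakespeare with the replace form leaves him in shakespeare only, silently removing wheel (and with it his sudo access) and artists; the append form yields wheel, artists and shakespeare. The lab steps later in this chapter use the -G form on freshly created users who have no supplementary groups yet, which is why nothing is lost there.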

References
group(5), groupadd(8), groupdel(8), and usermod(8) man pages

Practice: Managing Groups Using Command-line Tools

Guided exercise

In this lab, you will add users to newly created supplementary groups.

Outcomes
The shakespeare group consists of juliet, romeo, and hamlet. The artists group contains reba, dolly, and elvis.

Before you begin...
Perform the following steps on serverX unless directed otherwise.

□ 1. Become the root user at the shell prompt.

[student@serverX ~]$ su -
Password: redhat

□ 2. Create a supplementary group called shakespeare with a group ID of 30000.

[root@serverX ~]# groupadd -g 30000 shakespeare

□ 3. Create a supplementary group called artists.

[root@serverX ~]# groupadd artists

□ 4. Confirm that shakespeare and artists have been added by examining the /etc/group file.

[root@serverX ~]# tail -5 /etc/group
reba:x:1004:
dolly:x:1005:
elvis:x:1006:
shakespeare:x:30000:
artists:x:30001:

□ 5. Add the juliet user to the shakespeare group as a supplementary group.

[root@serverX ~]# usermod -G shakespeare juliet

□ 6. Confirm that juliet has been added using the id command.

[root@serverX ~]# id juliet
uid=1001(juliet) gid=1001(juliet) groups=1001(juliet),30000(shakespeare)

□ 7. Continue adding the remaining users to groups as follows:
□ 7.1. Add romeo and hamlet to the shakespeare group.

[root@serverX ~]# usermod -G shakespeare romeo
[root@serverX ~]# usermod -G shakespeare hamlet

□ 7.2. Add reba, dolly, and elvis to the artists group.

[root@serverX ~]# usermod -G artists reba
[root@serverX ~]# usermod -G artists dolly
[root@serverX ~]# usermod -G artists elvis

□ 7.3. Verify the supplemental group memberships by examining the /etc/group file.

[root@serverX ~]# tail -5 /etc/group
reba:x:1004:
dolly:x:1005:
elvis:x:1006:
shakespeare:x:30000:juliet,romeo,hamlet
artists:x:30001:reba,dolly,elvis

Managing User Passwords

Objectives
After completing this section, students should be able to lock accounts manually or by setting a password-aging policy in the shadow password file.
-

Shadow passwords and password policy

In the distant past, encrypted passwords were stored in the world-readable /etc/passwd file. This was thought to be reasonably secure until dictionary attacks on encrypted passwords became common. At that point, the encrypted passwords, or "password hashes," were moved to the more secure /etc/shadow file. This new file also allowed password aging and expiration features to be implemented.

There are three pieces of information stored in a modern password hash:

$1$gCjLa2/Z$6Pu0EK0AzfCjxjv2hoLOB/

1. 1: The hashing algorithm. The number 1 indicates an MD5 hash. The number 6 appears when a SHA-512 hash is used.

2. gCjLa2/Z: The salt used to encrypt the hash. This is originally chosen at random. The salt and the unencrypted password are combined and encrypted to create the encrypted password hash. The use of a salt prevents two users with the same password from having identical entries in the /etc/shadow file.

3. 6Pu0EK0AzfCjxjv2hoLOB/: The encrypted hash.

When a user tries to log in, the system looks up the entry for the user in /etc/shadow, combines the salt for the user with the unencrypted password that was typed in, and encrypts them using the hashing algorithm specified. If the result matches the encrypted hash, the user typed in the right password. If the result doesn't match the encrypted hash, the user typed in the wrong password and the login attempt fails. This method allows the system to determine if the user typed in the correct password without storing that password in a form usable for logging in.
-

Note
Red Hat Enterprise Linux 6 and 7 support two new strong password hashing algorithms, SHA-256 (algorithm 5) and SHA-512 (algorithm 6). Both the salt string and the encrypted hash are longer for these algorithms. The default algorithm used for password hashes can be changed by the root user by running the command authconfig --passalgo with one of the arguments md5, sha256, or sha512, as appropriate.

Red Hat Enterprise Linux 7 defaults to using SHA-512 encryption.
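The login check described above (take the stored salt and algorithm, recompute the hash from the typed password, compare) can be carried out by hand. The following script is an added example, not from the course text: it splits a "$id$salt$hash" string into its three parts, names the algorithm from the id (1, 5 or 6 as in the note), and verifies a candidate password by recomputing the hash with the same salt. It assumes openssl(1) 1.1.1 or later, whose "passwd" subcommand implements the MD5 (-1), SHA-256 (-5) and SHA-512 (-6) crypt schemes; the demonstration password is constructed, and the salt is the one from the hash shown in the text.

```shell
#!/bin/sh
# Added example (not from the course text): take a crypt(3)-style hash apart
# and re-derive it from a candidate password, as login does.
# Assumes: openssl 1.1.1+ ("openssl passwd -1/-5/-6 -salt SALT PASSWORD").

# Part $2 (1 = algorithm id, 2 = salt, 3 = hash) of a "$id$salt$hash" string.
hash_field() {
    printf '%s\n' "$1" | cut -d'$' -f"$(( $2 + 1 ))"
}

# Algorithm name for the id between the first two "$" signs.
hash_algorithm() {
    case "$(hash_field "$1" 1)" in
        1) echo MD5 ;;
        5) echo SHA-256 ;;
        6) echo SHA-512 ;;
        *) echo unknown ;;
    esac
}

# Hash of password $3 under algorithm id $1 with salt $2.
make_hash() {
    case "$1" in
        1) opt=-1 ;;
        5) opt=-5 ;;
        6) opt=-6 ;;
        *) return 2 ;;
    esac
    openssl passwd "$opt" -salt "$2" "$3"
}

# 0 when candidate password $2 reproduces stored hash $1, 1 otherwise.
# Same salt and algorithm in, same hash out: the plaintext is never stored.
verify_password() {
    stored=$1; candidate=$2
    computed=$(make_hash "$(hash_field "$stored" 1)" "$(hash_field "$stored" 2)" "$candidate") || return 1
    [ "$computed" = "$stored" ]
}

# A locked field ("!" prefix written by usermod -L, or "*") never matches,
# because no scheme produces a hash beginning with those characters.
is_locked() {
    case "$1" in '!'*|'*'*) return 0 ;; *) return 1 ;; esac
}

# Demonstration: constructed password, salt taken from the course's example hash.
DEMO_HASH=$(make_hash 6 gCjLa2/Z 'correct horse')
echo "stored:    $DEMO_HASH"
echo "algorithm: $(hash_algorithm "$DEMO_HASH")"
verify_password "$DEMO_HASH" 'correct horse' && echo "right password accepted"
verify_password "$DEMO_HASH" 'wrong horse'   || echo "wrong password rejected"
is_locked "!$DEMO_HASH" && echo "locked entry rejected before any comparison"
```

The SHA-512 form is visibly longer than the MD5 form for the same salt, which is the point the note makes; and because verification only ever compares freshly computed output with the stored string, a locked "!" entry fails for every candidate without any special case in the comparison.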

/etc/shadow format
The format of /etc/shadow follows (nine colon-separated fields):

❶name:❷password:❸lastchange:❹minage:❺maxage:❻warning:❼inactive:❽expire:❾blank


-

❶ The login name. This must be a valid account name on the system.
❷ The encrypted password. A password field which starts with an exclamation mark means that the password is locked.
❸ The date of the last password change, represented as the number of days since 1970.01.01.
❹ The minimum number of days before a password may be changed, where 0 means "no minimum age requirement."
❺ The maximum number of days before a password must be changed.
❻ The warning period that a password is about to expire. Represented in days, where 0 means "no warning given."
❼ The number of days an account remains active after a password has expired. A user may still log into the system and change the password during this period. After the specified number of days, the account is locked, becoming inactive.
❽ The account expiration date, represented as the number of days since 1970.01.01.
❾ This blank field is reserved for future use.

Password aging
The following diagram relates the relevant password-aging parameters, which can be adjusted using chage to implement a password-aging policy.

[Diagram: a time line starting at the last change date (-d). min days (-m) and max days (-M) are measured from that date; max days ends at the password expiration date, with warn days (-W) immediately before it and inactive days (-I) after it, ending at the inactive date.]

# chage -m 0 -M 90 -W 7 -I 14 username

chage -d 0 username will force a password update on next login.

chage -l username will list a username's current settings.

chage -E YYYY-MM-DD will expire an account on a specific day.

Note
The date command can be used to calculate a date in the future.

[student@serverX ~]$ date -d "+45 days"
Sat Mar 22 11:47:06 EDT 2014
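The diagram and the chage options above map directly onto fields 3 to 8 of /etc/shadow, and an account's state on any given day follows from simple day arithmetic on those fields. The script below is an added example, not part of the course text: it evaluates a constructed shadow line set to the "chage -m 0 -M 90 -W 7 -I 14" policy shown above (last change on day 16104, which is 2014-02-03) and classifies the account on a chosen day, including the locked "!" case described in the field list. Dates are day counts since 1970-01-01, the unit the file itself uses; the calendar conversion at the end assumes GNU date.

```shell
#!/bin/sh
# Added example (not from the course text): evaluate the aging fields of an
# /etc/shadow line on a given day. All input is constructed.

# Constructed entry: last change day 16104 (2014-02-03), min 0, max 90,
# warn 7, inactive 14, no account expiry date. The hash is a placeholder.
SHADOW_LINE='romeo:$6$saltsalt$constructedhashvalue:16104:0:90:7:14::'

# Field $2 (1-9) of shadow line $1.
shadow_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Day on which the password expires (lastchange + maxage), or "never".
password_expiry_day() {
    last=$(shadow_field "$1" 3); max=$(shadow_field "$1" 5)
    if [ -z "$max" ] || [ "$max" -lt 0 ] 2>/dev/null; then echo never
    else echo $(( last + max )); fi
}

# State of the account in line $1 on day $2, checked in the order login does:
#   locked      password field starts with "!" (usermod -L) or "*"
#   expired     account expiry day (field 8) reached: no login at all
#   inactive    password expired more than "inactive" days ago: login refused
#   must-change password expired, still inside the inactive grace period
#   warning     within "warn" days of password expiry
#   ok          none of the above
account_status() {
    line=$1; today=$2
    case "$(shadow_field "$line" 2)" in '!'*|'*'*) echo locked; return ;; esac
    expire=$(shadow_field "$line" 8)
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then echo expired; return; fi
    pwexp=$(password_expiry_day "$line")
    if [ "$pwexp" = never ]; then echo ok; return; fi
    inactive=$(shadow_field "$line" 7); warn=$(shadow_field "$line" 6)
    if [ "$today" -ge "$pwexp" ]; then
        if [ -n "$inactive" ] && [ "$today" -ge $(( pwexp + inactive )) ]; then echo inactive
        else echo must-change; fi
        return
    fi
    if [ -n "$warn" ] && [ "$today" -ge $(( pwexp - warn )) ]; then echo warning
    else echo ok; fi
}

# Day count to calendar date in chage -l style (GNU date; falls back to the
# bare number elsewhere).
day_to_date() {
    date -u -d "@$(( $1 * 86400 ))" '+%b %d, %Y' 2>/dev/null || echo "$1"
}

echo "password expires on day $(password_expiry_day "$SHADOW_LINE") ($(day_to_date "$(password_expiry_day "$SHADOW_LINE")"))"
for day in 16150 16190 16200 16210; do
    echo "day $day ($(day_to_date "$day")): $(account_status "$SHADOW_LINE" "$day")"
done
```

For this line the password expires on day 16194 (May 04, 2014, the value chage -l reports in the lab at the end of this section), the warning window opens on day 16187, the grace period runs until day 16208, and from that day the account is inactive until an administrator resets the password or the aging fields.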

Restricting access
With the chage command, an account expiration can be set. Once that date is reached, the user cannot log into the system interactively. The usermod command can "lock" an account with the -L option.

[student@serverX ~]$ sudo usermod -L elvis
[student@serverX ~]$ su - elvis
Password: elvis
su: Authentication failure

When a user has left the company, the administrator may lock and expire an account with a single usermod command. The date must be given as the number of days since 1970.01.01.

[student@serverX ~]$ sudo usermod -L -e 1 elvis

Locking the account prevents the user from authenticating with a password to the system. It is the recommended method of preventing access to an account by an employee who has left the company. If the employee returns, the account can later be unlocked with usermod -U USERNAME. If the account was also expired, be sure to also change the expiration date.

The nologin shell
Sometimes a user needs an account with a password to authenticate to a system, but does not
need an interactive shell on the system. For example, a mail server may require an account to
store mail and a password for the user to authenticate with a mail client used to retrieve mail.
That user does not need to log directly into the system.

A common solution to this situation is to set the user's login shell to /sbin/nologin. If the user
attempts to log into the system directly, the nologin "shell" will simply close the connection.

[root@serverX ~]# usermod -s /sbin/nologin student
[root@serverX ~]# su - student
Last login: Tue Feb  4 18:40:30 EST 2014 on pts/0
This account is currently not available.

Important
Use of the nologin shell prevents interactive use of the system, but does not prevent
all access. A user may still be able to authenticate and upload or retrieve files through
applications such as web applications, file transfer programs, or mail readers.
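The three controls above (a locked password hash, an account expiration date, and a nologin shell) live in different fields of /etc/shadow and /etc/passwd, and only one of them, expiration, blocks every login method. The following added example (not part of the course text) reads passwd(5) and shadow(5) style records and reports all three states for an account, then lists accounts that were locked but never expired. The records are constructed samples with placeholder hashes; the day number 16300 passed in the comments is 2014-08-18 expressed as days since 1970-01-01, which is how field 8 of shadow stores the expiry date.

```shell
#!/bin/sh
# Added example, not part of the course: audit local accounts from passwd(5)
# and shadow(5) records. The records below are constructed samples; the hash
# fields are placeholders, not real password hashes.
SAMPLE_PASSWD='elvis:x:1004:1004::/home/elvis:/bin/bash
romeo:x:1005:1005::/home/romeo:/bin/bash
mailuser:x:1006:1006::/home/mailuser:/sbin/nologin
ghost:x:1007:1007::/home/ghost:/bin/bash
sspade:x:1001:1001::/home/sspade:/bin/bash'

# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# usermod -L prefixes the hash with "!"; usermod -e / chage -E fill field 8
# with days since 1970-01-01.
SAMPLE_SHADOW='elvis:!$6$salt$placeholder:16105:0:90:7::1:
romeo:$6$salt$placeholder:16105:0:90:7::16284:
mailuser:$6$salt$placeholder:16105:0:99999:7:::
ghost:!$6$salt$placeholder:16105:0:90:7:::
sspade:$6$salt$placeholder:16105:0:30:7::99999:'

# account_access NAME TODAY   (TODAY = days since the epoch, e.g. $(( $(date +%s) / 86400 )))
# Prints "password/account/shell":
#   password: locked   if the hash starts with "!" or "*", otherwise usable
#   account:  expired  if field 8 is set and is not after TODAY, otherwise valid
#   shell:    nologin  if the login shell ends in nologin or false, otherwise interactive
account_access() {
    name=$1 today=$2
    shell=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$name" '$1 == u { print $7 }')
    if [ -z "$shell" ]; then
        echo unknown
        return 0
    fi
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$name" -v today="$today" -v sh="$shell" '
        $1 == u {
            pw  = ($2 ~ /^[!*]/)                    ? "locked"  : "usable"
            acc = ($8 != "" && $8 + 0 <= today + 0) ? "expired" : "valid"
            shl = (sh ~ /(nologin|false)$/)         ? "nologin" : "interactive"
            print pw "/" acc "/" shl
        }'
}

# locked_not_expired TODAY
# Lists accounts that were locked but never expired. Locking only disables the
# password hash, so these accounts could still be reached with an SSH key;
# they are the ones that still need "chage -E" or "usermod -e".
locked_not_expired() {
    today=$1
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '{ print $1 }' | while read -r u; do
        case $(account_access "$u" "$today") in
            locked/valid/*) echo "$u" ;;
        esac
    done
}

# Example run (16300 is 2014-08-18 as days since the epoch):
#   account_access elvis 16300   -> locked/expired/interactive
#   account_access ghost 16300   -> locked/valid/interactive
#   locked_not_expired 16300     -> ghost
```

To run the same check against a live system, replace the two sample variables with the contents of /etc/passwd and /etc/shadow (reading the latter requires root) and pass the current day from date as shown in the comment.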

References
chage(1), usermod(8), shadow(5), crypt(3) man pages

136 RH124-RHEL7-en-1-20140606
Practice: Managing User Password Aging

Guided exercise
In this lab, you will set unique password policies for users.

Outcomes
The password for romeo must be changed when the user first logs into the system, every 90 days
thereafter, and the account expires in 180 days.

Before you begin...
Perform the following steps on serverX unless directed otherwise.

1. Explore locking and unlocking accounts.

   1.1. Lock the romeo account.

        [student@serverX ~]$ sudo usermod -L romeo

   1.2. Attempt to log in as romeo.

        [student@serverX ~]$ su - romeo
        Password: romeo
        su: Authentication failure

   1.3. Unlock the romeo account.

        [student@serverX ~]$ sudo usermod -U romeo

2. Change the password policy for romeo to require a new password every 90 days.

   [student@serverX ~]$ sudo chage -M 90 romeo
   [student@serverX ~]$ sudo chage -l romeo
   Last password change                                    : Feb 03, 2014
   Password expires                                        : May 04, 2014
   Password inactive                                       : never
   Account expires                                         : never
   Minimum number of days between password change          : 0
   Maximum number of days between password change          : 90
   Number of days of warning before password expires       : 7

3. Additionally, force a password change on the first login for the romeo account.

   [student@serverX ~]$ sudo chage -d 0 romeo

4. Log in as romeo and change the password to forsooth123.

   [student@serverX ~]$ su - romeo
   Password: romeo
   You are required to change your password immediately (root enforced)
   Changing password for romeo.
   (current) UNIX password: romeo
   New password: forsooth123
   Retype new password: forsooth123
   [romeo@serverX ~]$ exit

5. Expire accounts in the future.

   5.1. Determine a date 180 days in the future.

        [student@serverX ~]$ date -d "+180 days"
        Sat Aug  2 17:05:20 EDT 2014

   5.2. Set accounts to expire on that date.

        [student@serverX ~]$ sudo chage -E 2014-08-02 romeo
        [student@serverX ~]$ sudo chage -l romeo
        Last password change                                    : Feb 03, 2014
        Password expires                                        : May 04, 2014
        Password inactive                                       : never
        Account expires                                         : Aug 02, 2014
        Minimum number of days between password change          : 0
        Maximum number of days between password change          : 90
        Number of days of warning before password expires       : 7
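Every line that chage -l prints is derived from the integer fields of /etc/shadow: "Password expires" is last change plus the maximum age, "Account expires" is field 8, and chage -d 0 works because a last-change day of 0 is treated as "must change now". The added example below (not part of the course; it uses only shell arithmetic and prints ISO dates instead of chage's "Feb 04, 2014" form) reproduces those derivations and classifies a password as ok, in its warning window, or expired for a given day, using the same rule pam_unix applies at login. The day numbers are the ones that correspond to the dates in this exercise and the chapter lab (16104 is 2014-02-03, 16105 is 2014-02-04).

```shell
#!/bin/sh
# Added example, not part of the course: reproduce the "Password expires" and
# "Account expires" lines of "chage -l" from the raw shadow(5) fields, and
# classify an account's password state for a given day. Dates are printed as
# YYYY-MM-DD rather than chage's "Feb 04, 2014" form.

# civil_from_days DAYS: convert days since 1970-01-01 to YYYY-MM-DD using
# integer arithmetic only (the "days to civil" algorithm, valid for DAYS >= 0).
civil_from_days() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# password_expires LASTCHG MAX: what "chage -l" shows for "Password expires".
# LASTCHG 0 means "chage -d 0" was run; MAX empty, negative or >= 10000 means
# the password never expires (99999 is the usual "never" value).
password_expires() {
    last=$1 max=$2
    if [ "$last" = 0 ]; then
        echo "password must be changed"
    elif [ -z "$max" ] || [ "$max" -lt 0 ] || [ "$max" -ge 10000 ]; then
        echo never
    else
        civil_from_days $(( last + max ))
    fi
}

# account_expires EXPIRE: what "chage -l" shows for "Account expires"
# (shadow field 8, set by chage -E / usermod -e).
account_expires() {
    if [ -z "$1" ] || [ "$1" -lt 0 ]; then echo never; else civil_from_days "$1"; fi
}

# password_status LASTCHG MAX WARN TODAY: prints expired, warning or ok.
# TODAY is days since the epoch; WARN is PASS_WARN_AGE / chage -W.
# Matches the login-time rule: expired once TODAY - LASTCHG exceeds MAX,
# warning once the remaining days are within WARN.
password_status() {
    last=$1 max=$2 warn=$3 today=$4
    if [ "$last" = 0 ]; then echo expired; return 0; fi
    if [ -z "$max" ] || [ "$max" -ge 10000 ]; then echo ok; return 0; fi
    left=$(( last + max - today ))
    if [ "$left" -lt 0 ]; then
        echo expired
    elif [ "$left" -le "$warn" ]; then
        echo warning
    else
        echo ok
    fi
}

# Example run with the values from this exercise:
#   password_expires 16104 90   -> 2014-05-04   (chage -M 90, last change Feb 03)
#   account_expires 16195       -> 2014-05-05   (chage -E 2014-05-05 in the lab)
#   password_status 16105 15 7 16115 -> warning (5 days left, warn age 7)
```

The 10000-day threshold for "never" and the 0-means-must-change rule are the ones chage itself uses when formatting its output, so the functions can be checked directly against chage -l on a RHEL system.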


Lab: Managing Local Linux Users and Groups

Performance checklist
In this lab, you will define a default password policy, create a supplementary group of three new
users, and modify the password policy of one user.

Outcomes
• A new group on serverX called consultants, including three new user accounts for Sam
  Spade, Betty Boop, and Dick Tracy.
• All new accounts should require that passwords be changed at first login and every 30 days
  thereafter.
• The new consultant accounts should expire at the end of the 90-day contract, and Betty Boop
  must change her password every 15 days.

Before you begin...
Reset your serverX system.

1. Ensure that newly created users have passwords which must be changed every 30 days.

2. Create a new group named consultants with a GID of 40000.

3. Create three new users: sspade, bboop, and dtracy, with a password of default and add
   them to the supplementary group consultants. The primary group should remain as the
   user private group.

4. Determine the date 90 days in the future and set each of the three new user accounts to
   expire on that date.

5. Change the password policy for the bboop account to require a new password every 15 days.

6. Additionally, force all users to change their password on first login.

7. When you finish, run the lab localusers grade evaluation script to confirm you have
   done everything correctly.

Solution
In this lab, you will define a default password policy, create a supplementary group of three new
users, and modify the password policy of one user.

Outcomes
• A new group on serverX called consultants, including three new user accounts for Sam
  Spade, Betty Boop, and Dick Tracy.
• All new accounts should require that passwords be changed at first login and every 30 days
  thereafter.
• The new consultant accounts should expire at the end of the 90-day contract, and Betty Boop
  must change her password every 15 days.

Before you begin...
Reset your serverX system.

1. Ensure that newly created users have passwords which must be changed every 30 days.

   [student@serverX ~]$ sudo vim /etc/login.defs
   [student@serverX ~]$ cat /etc/login.defs
   ...output omitted...
   PASS_MAX_DAYS   30
   PASS_MIN_DAYS   0
   PASS_MIN_LEN    5
   PASS_WARN_AGE   7
   ...output omitted...

   useradd copies these values into /etc/shadow when it creates an account, so the change
   applies only to accounts created from now on. Existing accounts keep their current aging
   values until they are changed with chage.

2. Create a new group named consultants with a GID of 40000.

   [student@serverX ~]$ sudo groupadd -g 40000 consultants
   [student@serverX ~]$ tail -5 /etc/group
   stapdev:x:158:
   pesign:x:989:
   tcpdump:x:72:
   slocate:x:21:
   consultants:x:40000:

3. Create three new users: sspade, bboop, and dtracy, with a password of default and add
   them to the supplementary group consultants. The primary group should remain as the
   user private group.

   [student@serverX ~]$ sudo useradd -G consultants sspade
   [student@serverX ~]$ sudo useradd -G consultants bboop
   [student@serverX ~]$ sudo useradd -G consultants dtracy
   [student@serverX ~]$ tail -5 /etc/group
   slocate:x:21:
   consultants:x:40000:sspade,bboop,dtracy
   sspade:x:1001:
   bboop:x:1002:
   dtracy:x:1003:
   [student@serverX ~]$ sudo passwd sspade
   Changing password for user sspade.
   New password: default
   BAD PASSWORD: The password is shorter than 8 characters
   Retype new password: default
   passwd: all authentication tokens updated successfully.
   [student@serverX ~]$ sudo passwd bboop
   [student@serverX ~]$ sudo passwd dtracy

   passwd warns that default is too short, but because the password is being set by root the
   quality check is only a warning and the password is accepted after the retype. A user setting
   their own password would be refused.

4. Determine the date 90 days in the future and set each of the three new user accounts to
   expire on that date.

   [student@serverX ~]$ date -d "+90 days"
   Mon May  5 11:49:24 EDT 2014
   [student@serverX ~]$ sudo chage -E 2014-05-05 sspade
   [student@serverX ~]$ sudo chage -E 2014-05-05 bboop
   [student@serverX ~]$ sudo chage -E 2014-05-05 dtracy

5. Change the password policy for the bboop account to require a new password every 15 days.

   [student@serverX ~]$ sudo chage -M 15 bboop
   [student@serverX ~]$ sudo chage -l bboop
   Last password change                                    : Feb 04, 2014
   Password expires                                        : Feb 19, 2014
   Password inactive                                       : never
   Account expires                                         : May 05, 2014
   Minimum number of days between password change          : 0
   Maximum number of days between password change          : 15
   Number of days of warning before password expires       : 7

6. Additionally, force all users to change their password on first login.

   [student@serverX ~]$ sudo chage -d 0 sspade
   [student@serverX ~]$ sudo chage -d 0 bboop
   [student@serverX ~]$ sudo chage -d 0 dtracy

7. When you finish, run the lab localusers grade evaluation script to confirm you have
   done everything correctly.

   [student@serverX ~]$ lab localusers grade

Summary

Users and Groups
    List the roles of users and groups on a Linux system and view the local configuration
    files.

Gaining Superuser Access
    Escalate privilege to run commands as the superuser.

Managing Local User Accounts
    Add, remove, and modify local users with command-line tools.

Managing Local Group Accounts
    Manage local groups with command-line tools.

Managing User Passwords
    Manage password aging policies for users and manually lock, unlock, and expire
    accounts.


Red Hat Training

CHAPTER 6

CONTROLLING ACCESS TO FILES WITH LINUX FILE SYSTEM PERMISSIONS

Overview

Goal        To set Linux file system permissions on files and interpret the security
            effects of different permission settings.

Objectives  • Explain how the Linux file permissions model works.
            • Change the permissions and ownership of files using command-line tools.
            • Configure a directory in which newly created files are automatically
              writable by members of the group which owns the directory, using special
              permissions and default umask settings.

Sections    • Linux File System Permissions (and Practice)
            • Managing File System Permissions from the Command Line (and Practice)
            • Managing Default Permissions and File Access (and Practice)

Lab         • Controlling Access to Files with Linux File System Permissions



Linux File System Permissions

Objectives
After completing this section, students should be able to explain how the Linux file permissions
model works.

Linux file system permissions
Access to files by users is controlled by file permissions. The Linux file permissions system is
simple but flexible, which makes it easy to understand and apply, yet able to handle most normal
permission cases easily.

Files have just three categories of user to which permissions apply. The file is owned by a user,
normally the one who created the file. The file is also owned by a single group, usually the
primary group of the user who created the file, but this can be changed. Different permissions
can be set for the owning user, the owning group, and for all other users on the system that are
not the user or a member of the owning group.

The most specific permissions apply. So, user permissions override group permissions, which
override other permissions. Only the one matching category is consulted: a member of the
owning group gets exactly the group permissions, even if the other permissions would grant more.

In the graphic that follows, joshua is a member of the groups joshua and web, while allison is
a member of allison, wheel, and web. When joshua and allison have the need to collaborate,
the files should be associated with the group web and the group permissions should allow the
desired access.

[Figure 6.1: Group membership illustration. joshua: groups joshua, web. allison: groups allison, wheel, web. The shared group is web.]

There are also just three categories of permissions which apply: read, write, and execute. These
permissions affect access to files and directories as follows:

Effects of permissions on files and directories

Permission   Effect on files                        Effect on directories
r (read)     Contents of the file can be read.      Contents of the directory (file names)
                                                    can be listed.
w (write)    Contents of the file can be changed.   Any file in the directory may be created
                                                    or deleted.
x (exec)     Files can be executed as commands.     Contents of the directory can be
                                                    accessed (dependent on the permissions
                                                    of the files in the directory).



Note that users normally have both read and exec on read-only directories, so that they can list
the directory and access its contents. If a user only has read access on a directory, the names of
the files in it can be listed, but no other information, including permissions or time stamps, is
available, nor can the files be accessed. If a user only has exec access on a directory, they cannot
list the names of the files in the directory, but if they already know the name of a file which they
have permission to read, then they can access the contents of that file by explicitly specifying the
file name.

A file may be removed by anyone who has write permission (together with exec permission, which
is needed to reach the entry) on the directory in which the file resides, regardless of the
ownership or permissions on the file itself. (This can be overridden with a special permission, the
sticky bit, which will be discussed at the end of the unit.)


Viewing file/directory permissions and ownership
The -l option of the ls command will expand the file listing to include both the permissions of a
file and the ownership:

[student@desktopX ~]$ ls -l test
-rw-rw-r--. 1 student student 0 Feb  8 17:36 test

The first character is the file type (- for a regular file, d for a directory), followed by the three
permission triads for user, group, and other. The trailing dot after the permissions indicates that
the file carries an SELinux security context.

The command ls -l directoryname will show the expanded listing of all of the files that
reside inside the directory. To prevent the descent into the directory and see the expanded listing
of the directory itself, add the -d option to ls:

[student@desktopX ~]$ ls -ld /home
drwxr-xr-x. 5 root root 4096 Jan 31 22:00 /home

Note
Unlike NTFS permissions, Linux permissions only apply to the directory or file that
they are set on. Permissions on a directory are not inherited automatically by the
subdirectories and files within it. (The permissions on a directory may effectively block
access to its contents, however.) All permissions in Linux are set directly on each file or
directory.

The read permission on a directory in Linux is roughly equivalent to List folder
contents in Windows.

The write permission on a directory in Linux is equivalent to Modify in Windows; it
implies the ability to delete files and subdirectories. In Linux, if write and the sticky bit
are both set on a directory, then only the user that owns a file or subdirectory in the
directory (or the owner of the directory itself) may delete it, which is close to the behavior
of the Windows Write permission.

Root has the equivalent of the Windows Full Control permission on all files in Linux.
However, root may still have access restricted by the system's SELinux policy and the
security context of the process and files in question. SELinux will be discussed in a later
course.


Examples: Linux user, group, other concepts

Users and their groups:

lucy     lucy, ricardo
ricky    ricky, ricardo
ethel    ethel, mertz
fred     fred, mertz

File attributes (permissions, user & group ownership, name):

drwxrwxr-x   ricky  ricardo   dir (which contains the following files)
-rw-rw-r--   lucy   lucy      lfile1
-rw-r--rw-   lucy   ricardo   lfile2
-rw-rw-r--   ricky  ricardo   rfile1
-rw-r-----   ricky  ricardo   rfile2

Allowed/denied behavior, with the controlling permissions:

lucy is the only person who can change the contents of lfile1.
    lucy has write permission on the file lfile1 as the owner. No one else is listed as a
    member of the group lucy. The permissions for other do not include write permission.

ricky can view the contents of lfile2, but cannot modify the contents of lfile2.
    ricky is a member of the group ricardo, and that group has read-only permissions on
    lfile2. Even though other has write permission, group permissions take precedence.

ricky can delete lfile1 and lfile2.
    ricky has write permission on the directory containing both files, and as such, he can
    delete any file in that directory.

ethel can change the contents of lfile2.
    Since ethel is not lucy, and is not a member of the ricardo group, other permissions
    apply to her, and those include write permission.

lucy can change the contents of rfile1.
    lucy is a member of the ricardo group, and that group has both read and write
    permissions on rfile1.

ricky can view and modify the contents of rfile2.
    ricky owns the file and has both read and write access to rfile2.

lucy can view but not modify the contents of rfile2.
    lucy is a member of the ricardo group, and that group has read-only access to rfile2.

ethel and fred do not have any access to the contents of rfile2.
    other permissions apply to ethel and fred, and those permissions do not include read or
    write permission.
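The table above, the "most specific category wins" rule, and the earlier point that deleting a file is decided by the permissions on its directory (with the sticky bit as the exception) can all be expressed as one small evaluator. The following added example (not part of the course) takes an ls -l style mode string, the owner and group, the requesting user with that user's group list, and an operation, and answers whether the operation is permitted; a second function applies the directory rules for removing an entry. Nothing is read from the running system, root's bypass of these checks is deliberately not modelled, and the sample calls use the lucy/ricky/ethel/fred data from the table.

```shell
#!/bin/sh
# Added example, not part of the course: evaluate the user/group/other model on
# ls -l style mode strings, applying the "most specific category wins" rule and
# the directory rules for deleting an entry (write + exec on the directory, and
# the sticky bit restriction). Inputs are passed explicitly; nothing is read
# from the running system and root is not modelled.

# in_group GROUP GROUPLIST: is GROUP in the comma-separated GROUPLIST?
in_group() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mode_char MODE POS: POSth character (1-based) of an ls -l mode string
mode_char() {
    printf '%s' "$1" | cut -c "$2"
}

# perm_allowed MODE OWNER GROUP USER USERGROUPS OP
#   MODE is the 10-character ls -l field, e.g. -rw-r--rw-
#   USERGROUPS is USER's comma-separated group list (primary + supplementary)
#   OP is r, w or x. Exit status 0 = allowed, 1 = denied.
# Exactly one triad is consulted: owner if USER owns the file, else group if
# USER is in the owning group, else other. A permissive "other" triad does not
# help a group member whose group triad is more restrictive.
perm_allowed() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5 op=$6
    if [ "$user" = "$owner" ]; then
        start=2
    elif in_group "$group" "$ugroups"; then
        start=5
    else
        start=8
    fi
    case $op in
        r) off=0 ;;
        w) off=1 ;;
        x) off=2 ;;
        *) return 2 ;;
    esac
    bit=$(mode_char "$mode" $(( start + off )))
    case $bit in
        "$op") return 0 ;;
        s|t)   [ "$op" = x ] ;;   # lowercase s/t in an x slot means x is set
        *)     return 1 ;;
    esac
}

# can_delete DIRMODE DIROWNER DIRGROUP FILEOWNER USER USERGROUPS
# Removing an entry needs write and exec on the directory, regardless of the
# file's own permissions. With the sticky bit (t or T in the last position)
# only the file's owner or the directory's owner may remove it.
can_delete() {
    dmode=$1 downer=$2 dgroup=$3 fowner=$4 user=$5 ugroups=$6
    perm_allowed "$dmode" "$downer" "$dgroup" "$user" "$ugroups" w || return 1
    perm_allowed "$dmode" "$downer" "$dgroup" "$user" "$ugroups" x || return 1
    case $(mode_char "$dmode" 10) in
        t|T) [ "$user" = "$fowner" ] || [ "$user" = "$downer" ] ;;
        *)   return 0 ;;
    esac
}

# Sample calls using the table's data (exit status 0 = allowed):
#   perm_allowed -rw-r--rw- lucy ricardo ricky ricky,ricardo w   -> denied
#   perm_allowed -rw-r--rw- lucy ricardo ethel ethel,mertz  w    -> allowed
#   can_delete   drwxrwxr-x ricky ricardo lucy ricky ricky,ricardo -> allowed
```

The second sample call is the one that surprises people: ethel, who has no relationship to the file, may write lfile2 while ricky, a member of its group, may not, because each identity is matched against exactly one triad.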


References
ls(1) man page

info coreutils (GNU Coreutils)
    • Section 13: Changing file attributes