Feb 19 15:23:36 localhost usermod[16325]: lock user 'student' password
Feb 19 15:23:47 localhost sudo: student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/bin/tail /var/log/secure
...Output omitted...
Warning
RHEL 6 did not grant group wheel any special privileges by default. Sites which have been using this group may be surprised when RHEL 7 automatically grants all members of wheel full sudo privileges. This could lead to unauthorized users getting superuser access to RHEL 7 systems.
or control superuser access.
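As an added example (not part of the RH124 text), the shell functions below list the accounts that the RHEL 7 default sudoers rule would grant full sudo rights through group wheel, which is the check the warning above calls for. The /etc/passwd and /etc/group contents are constructed sample data; the wheel GID of 10 is the RHEL default.

```shell
#!/bin/sh
# Added example, not from the RH124 text: list every account that the
# RHEL 7 default sudoers rule would grant full sudo rights through wheel.
# Both membership paths count: a name in the wheel line of /etc/group, and
# a primary GID equal to wheel's GID in /etc/passwd (such accounts never
# appear in the /etc/group member list). Both files below are constructed.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Student User:/home/student:/bin/bash
juliet:x:1001:1001::/home/juliet:/bin/bash
opsbot:x:1002:10::/home/opsbot:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin'
SAMPLE_GROUP='root:x:0:
wheel:x:10:student,juliet
tcpdump:x:72:'

# wheel_members PASSWD_CONTENT GROUP_CONTENT -> unique names, one per line
wheel_members() {
    passwd_content=$1 group_content=$2
    wheel_gid=$(printf '%s\n' "$group_content" | awk -F: '$1 == "wheel" { print $3; exit }')
    [ -n "$wheel_gid" ] || return 0        # no wheel group: nobody qualifies
    {
        # supplementary members: comma-separated fourth field of the wheel line
        printf '%s\n' "$group_content" | awk -F: '$1 == "wheel" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
        # accounts whose primary group is wheel
        printf '%s\n' "$passwd_content" | awk -F: -v gid="$wheel_gid" '$4 == gid { print $1 }'
    } | LC_ALL=C sort -u
}

# wheel_members_line: the same list on one line, space-separated
wheel_members_line() {
    wheel_members "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}
```

On a live system the same functions can be fed "$(cat /etc/passwd)" and "$(cat /etc/group)"; every name printed should be an account that is meant to hold root-equivalent access.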
References
su(1) and sudo(8) man pages
Guided exercise
[student@serverX ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student@serverX ~]$ pwd
/home/student
4.1. Become the root user at the shell prompt.
[student@serverX ~]$ su
Password: redhat
[root@serverX student]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@serverX student]# pwd
/home/student
4.3. View the variables which specify the home directory and the locations searched for executable files. Look for references to the student and root accounts.
4.4. Exit the shell to return to the student user.
[root@serverX student]# exit
exit
[student@serverX ~]$ su -
Password: redhat
[root@serverX ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@serverX ~]# pwd
/root
5.3. View the variables which specify the home directory and the locations searched for executable files. Look for references to the student and root accounts.
[root@serverX ~]# echo $HOME
/root
[root@serverX ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[root@serverX ~]# exit
logout
Chapter 5. Managing Local Linux Users and Groups
[student@serverX ~]$ sudo
Managing Local User Accounts
Objectives
After completing this section, students should be able to create, modify, lock, and delete locally defined user accounts.
useradd creates users
• useradd username sets reasonable defaults for all fields in /etc/passwd when run without options. The useradd command does not set any valid password by default, and the user cannot log in until a password is set.
• useradd --help will display the basic options that can be used to override the defaults. In most cases, the same options can be used with the usermod command to modify an existing user.
usermod options:
-c, --comment COMMENT    Add a value, such as a full name, to the GECOS field.
-g, --gid GROUP          Specify the primary group for the user account.
-G, --groups GROUPS      Specify a list of supplementary groups for the user account.
userdel deletes users
userdel username removes the user from /etc/passwd, but leaves the home directory intact by default.
Warning
id displays user information
• id will display user information, including the user's UID number and group memberships.
• passwd username can be used to either set the user's initial password or change that user's password.
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Managing local users
• A regular user must choose a password which is at least 8 characters in length and is not based on a dictionary word, the username, or the previous password.
UID ranges
Specific UID numbers and ranges of numbers are used for specific purposes by Red Hat Enterprise Linux.
• UID 201-999 is a range of "system users" used by system processes that do not own files on the file system. They are typically assigned dynamically from the available pool when the software that needs them is installed. Programs run as these "unprivileged" system users in order to limit their access to just the resources they need to function.
Note
Prior to Red Hat Enterprise Linux 7, the convention was that UID 1-499 was used for system users and UID 500+ for regular users. Default ranges used by useradd and groupadd can be changed in the /etc/login.defs file.
References
useradd(8), usermod(8), userdel(8) man pages
Guided exercise
2. Open a window with a Bash prompt.
3. Become the root user at the shell prompt.
[student@serverX ~]$ su -
Password: redhat
tcpdump:x:72:72::/:/sbin/nologin
juliet:x:1001:1001::/home/juliet:/bin/bash
7.2. hamlet
[root@serverX ~]# useradd hamlet
[root@serverX ~]# passwd hamlet
7.3. reba
[root@serverX ~]# useradd reba
[root@serverX ~]# passwd reba
7.4. dolly
[root@serverX ~]# useradd dolly
[root@serverX ~]# passwd dolly
7.5. elvis
[root@serverX ~]# useradd elvis
[root@serverX ~]# passwd elvis
Objectives
groupadd creates groups
Note
Given the automatic creation of user private groups (GID 1000+), it is generally recommended to set aside a range of GID numbers to be used for supplementary groups. A higher range will avoid a collision with a system group (GID 0-999).
[student@serverX ~]$
• The -g option is used to specify a new GID.
groupdel deletes a group
• The groupdel command will remove a group.
Managing supplementary groups
usermod alters group membership
• The membership of a group is controlled with user management. Change a user's primary group with usermod -g groupname.
[student@serverX ~]$
Important
The use of the -a option makes usermod function in "append" mode. Without it, the user would be removed from all other supplementary groups.
References
Guided exercise
Outcomes
[student@serverX ~]$ su -
Password: redhat
2. Create a supplementary group called shakespeare with a group ID of 30000.
[root@serverX ~]# groupadd -g 30000 shakespeare
[root@serverX ~]# groupadd artists
4. Confirm that shakespeare and artists have been added by examining the /etc/group file.
[root@serverX ~]# tail -5 /etc/group
reba:x:1004:
dolly:x:1005:
elvis:x:1006:
shakespeare:x:30000:
artists:x:30001:
5. Add the juliet user to the shakespeare group as a supplementary group.
[root@serverX ~]# id juliet
uid=1001(juliet) gid=1001(juliet) groups=1001(juliet),30000(shakespeare)
7. Continue adding the remaining users to groups as follows:
[root@serverX ~]# usermod -G shakespeare romeo
[root@serverX ~]# usermod -G shakespeare hamlet
[root@serverX ~]# usermod -G artists reba
[root@serverX ~]# usermod -G artists dolly
[root@serverX ~]# usermod -G artists elvis
dolly:x:1005:
elvis:x:1006:
shakespeare:x:30000:juliet,romeo,hamlet
artists:x:30001:reba,dolly,elvis
Managing User Passwords
Objectives
After completing this section, students should be able to lock accounts manually or by setting a password-aging policy in the shadow password file.
Note
Red Hat Enterprise Linux 6 and 7 support two new strong password hashing algorithms, SHA-256 (algorithm 5) and SHA-512 (algorithm 6). Both the salt string and the encrypted hash are longer for these algorithms. The default algorithm used for password hashes can be changed by the root user by running the command authconfig --passalgo with one of the arguments md5, sha256, or sha512, as appropriate.
/etc/shadow format
The format of /etc/shadow follows (nine colon-separated fields):
1. The login name. This must be a valid account name on the system.
2. The encrypted password. A password field which starts with an exclamation mark means that the password is locked.
3. The date of the last password change, represented as the number of days since 1970.01.01.
4. The minimum number of days before a password may be changed, where 0 means "no minimum age requirement."
5. The maximum number of days before a password must be changed.
6. The warning period that a password is about to expire. Represented in days, where 0 means "no warning given."
7. The number of days an account remains active after a password has expired. A user may still log into the system and change the password during this period. After the specified number of days, the account is locked, becoming inactive.
8. The account expiration date, represented as the number of days since 1970.01.01.
9. This blank field is reserved for future use.
Password aging
The following diagram relates the relevant password-aging parameters, which can be adjusted using chage to implement a password-aging policy.
[Diagram: a time line relating min days (-m), max days (-M), warn days (-W) and inactive days (-I)]
# chage -m 0 -M 90 -W 7 -I 14 username
Note
The date command can be used to calculate a date in the future.
[student@serverX ~]$ date -d
Sat Mar 22 11:47:06 EDT 2014
Restricting access
With the chage command, an account expiration can be set. Once that date is reached, the user cannot log into the system interactively. The usermod command can "lock" an account with the -L option.
[student@serverX ~]$ sudo usermod -L elvis
[student@serverX ~]$ su - elvis
Password: elvis
su: Authentication failure
When a user has left the company, the administrator may lock and expire an account with a
[student@serverX ~]$ sudo usermod -L -e 1 elvis
is the recommended method of preventing access to an account by an employee who has left the company. If the employee returns, the account can later be unlocked with usermod -U USERNAME. If the account was also expired, be sure to also change the expiration date.
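As an added example (not part of the RH124 text), the function below reads the nine /etc/shadow fields described above together with the values that chage, usermod -L and usermod -e write into them, and reports what the login process would do with the account. The entries are constructed, the hash strings are placeholders rather than real password hashes, and "today" is passed in as days since 1970-01-01 (the same unit as fields 3 and 8) instead of being read from the clock.

```shell
#!/bin/sh
# Added example, not from the RH124 text: evaluate an /etc/shadow entry.
# Constructed entries; $6$ marks SHA-512, and the hash text is a placeholder.
SAMPLE_SHADOW='romeo:$6$SALTSALT$PLACEHOLDERHASH:16150:0:90:7:14:16330:
elvis:!$6$SALTSALT$PLACEHOLDERHASH:16150:0:90:7::1:
juliet:$6$SALTSALT$PLACEHOLDERHASH:16000:0:90:7:14::
hamlet:$6$SALTSALT$PLACEHOLDERHASH:16100:0:99999:7:::
sspade:$6$SALTSALT$PLACEHOLDERHASH:0:0:30:7:::'

# shadow_status NAME TODAY -> prints one word:
#   locked            field 2 starts with "!" (usermod -L)
#   expired-account   TODAY is on or after field 8 (usermod -e / chage -E)
#   must-change       field 3 is 0 (chage -d 0): new password at next login
#   inactive          max days and the inactive grace period have both passed
#   expired-password  max days passed; the user may still log in to change it
#   warn              inside the warning window before max days
#   ok                nothing due
#   nouser            no such entry
shadow_status() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v user="$1" -v today="$2" '
    $1 == user {
        found = 1
        if (substr($2, 1, 1) == "!")         { print "locked";          exit }
        if ($8 != "" && today + 0 >= $8 + 0) { print "expired-account"; exit }
        if ($3 == "")                        { print "ok";              exit }  # aging disabled
        if ($3 + 0 == 0)                     { print "must-change";     exit }
        if ($5 == "" || $5 + 0 >= 99999)     { print "ok";              exit }  # no maximum age
        expire = $3 + $5                     # first day on which the password is expired
        if (today + 0 >= expire) {
            if ($7 != "" && today + 0 >= expire + $7) { print "inactive"; exit }
            print "expired-password"; exit
        }
        if ($6 != "" && today + 0 >= expire - $6) { print "warn"; exit }
        print "ok"; exit
    }
    END { if (!found) print "nouser" }'
}
```

Note that the account expiry in field 8 is checked before any password aging, so an expired account stays shut even when its password is fresh, and that an empty field 7 leaves an expired password changeable indefinitely.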
The nologin shell
Sometimes a user needs an account with a password to authenticate to a system, but does not need an interactive shell on the system. For example, a mail server may require an account to store mail and a password for the user to authenticate with a mail client used to retrieve mail. That user does not need to log directly into the system.
Important
Use of the nologin shell prevents interactive use of the system, but does not prevent all access. A user may still be able to authenticate and upload or retrieve files through applications such as web applications, file transfer programs, or mail readers.
References
chage(1), usermod(8), shadow(5), crypt(3) man pages
Practice: Managing User Password Aging
Guided exercise
In this lab, you will set unique password policies for users.
Outcomes
The password for romeo must be changed when the user first logs into the system, every 90 days thereafter, and the account expires in 180 days.
[student@serverX ~]$ sudo usermod -L romeo
Password: romeo
su: Authentication failure
1.3. Unlock the romeo account.
[student@serverX ~]$
[student@serverX ~]$ sudo chage -d 0 romeo
...
5. Expire accounts in the future.
Lab: Managing Local Linux Users and Groups
Performance checklist
In this lab, you will define a default password policy, create a supplementary group of three new users, and modify the password policy of one user.
Outcomes
• A new group on serverX called consultants, including three new user accounts for Sam Spade, Betty Boop, and Dick Tracy.
3. Create three new users: sspade, bboop, and dtracy, with a password of default and add them to the supplementary group consultants. The primary group should remain as the user private group.
4. Determine the date 90 days in the future and set each of the three new user accounts to expire on that date.
5. Change the password policy for the bboop account to require a new password every 15 days.
Solution
In this lab, you will define a default password policy, create a supplementary group of three new users, and modify the password policy of one user.
Outcomes
• A new group on serverX called consultants, including three new user accounts for Sam Spade, Betty Boop, and Dick Tracy.
[student@serverX ~]$ sudo vim /etc/login.defs
...Output omitted...
[student@serverX ~]$ cat /etc/login.defs
PASS_MAX_DAYS   30
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
...Output omitted...
[student@serverX ~]$ sudo groupadd -g 40000 consultants
[student@serverX ~]$ tail -5 /etc/group
stapdev:x:158:
pesign:x:989:
tcpdump:x:72:
slocate:x:21:
consultants:x:40000:
3. Create three new users: sspade, bboop, and dtracy, with a password of default and add
dtracy:x:1003:
[student@serverX ~]$ sudo passwd sspade
Changing password for user sspade.
New password: default
5. Change the password policy for the bboop account to require a new password every 15 days.
[student@serverX ~]$ sudo chage -d 0 sspade
[student@serverX ~]$ sudo chage -d 0 bboop
[student@serverX ~]$ sudo chage -d 0 dtracy
[student@serverX ~]$ lab localusers grade
Summary
Users and Groups
List the roles of users and groups on a Linux system and view the local configuration files.
Gaining Superuser Access
Escalate privilege to run commands as the superuser.
Managing Local User Accounts
Add, remove, and modify local users with command-line tools.
Managing User Passwords
Manage password aging policies for users and manually lock, unlock, and expire accounts.
Chapter 6. Linux File System Permissions
Overview
Objectives
After completing this section, students should be able to explain how the Linux file permissions model works.
Linux file system permissions
Access to files by users is controlled by file permissions. The Linux file permissions system is simple but flexible, which makes it easy to understand and apply, yet able to handle most normal permission cases easily.
The most specific permissions apply. So, user permissions override group permissions, which override other permissions.
There are also just three categories of permissions which apply: read, write, and execute. These permissions affect access to files and directories as follows:
Viewing file/directory permissions and ownership
A file may be removed by anyone who has write permission to the directory in which the file resides, regardless of the ownership or permissions on the file itself. (This can be overridden with a special permission, the sticky bit, which will be discussed at the end of the unit.)
[student@desktopX ~]$ ls -l test
-rw-rw-r--. 1 student student 0 Feb  8 17:36 test
[student@desktopX ~]$ ls -ld /home
Note
Unlike NTFS permissions, Linux permissions only apply to the directory or file that they are set on. Permissions on a directory are not inherited automatically by the subdirectories and files within it. (The permissions on a directory may effectively block access to its contents, however.) All permissions in Linux are set directly on each file or directory.
The read permission on a directory in Linux is roughly equivalent to List folder contents in Windows.
The write permission on a directory in Linux is equivalent to Modify in Windows; it implies the ability to delete files and subdirectories. In Linux, if write and the sticky bit are both set on a directory, then only the user that owns a file or subdirectory in the directory may delete it, which is close to the behavior of the Windows Write permission.
Root has the equivalent of the Windows Full Control permission on all files in Linux. However, root may still have access restricted by the system's SELinux policy and the security context of the process and files in question. SELinux will be discussed in a later course.
p e r m i s s i o n s a p p l y to h e r, a n d those i n c l u d e
w rite p e r m i s s i o n .
-
lucy can c h a n g e t h e c o n t e n t s of rfilel. lucy is a m e m b e r of t h e ricardo g ro u p ,
a n d t h a t g r o u p h a s both r e a d a n d w rite
p e r m i s s i o n s o n rfilel. -
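As an added example (not part of the RH124 text), the shell functions below apply the "most specific permissions apply" rule from this unit to an ls -l mode string, and the directory-write/sticky-bit rule that governs whether a file may be removed. The user and group names (lucy, ricardo and the others in the comments) are constructed.

```shell
#!/bin/sh
# Added example, not from the RH124 text. Only ONE permission class is ever
# consulted: the owner gets the owner bits even when group or other bits
# are wider, a group member gets the group bits, everyone else the other bits.

# can_access MODE OWNER GROUP WHO "SUPPLEMENTARY-GROUPS-OF-WHO" PERM
#   MODE is the first column of ls -l (e.g. -rw-rw-r--); PERM is r, w or x.
# Prints yes or no and returns 0 or 1.
can_access() {
    mode=$1 owner=$2 group=$3 who=$4 memberships=$5 perm=$6
    if [ "$who" = "$owner" ]; then
        bits=$(printf %s "$mode" | cut -c2-4)
    elif printf ' %s ' $memberships | grep -qF " $group "; then
        bits=$(printf %s "$mode" | cut -c5-7)
    else
        bits=$(printf %s "$mode" | cut -c8-10)
    fi
    case $perm in
        r) flag=$(printf %s "$bits" | cut -c1) ;;
        w) flag=$(printf %s "$bits" | cut -c2) ;;
        x) flag=$(printf %s "$bits" | cut -c3) ;;
        *) echo "perm must be r, w or x" >&2; return 2 ;;
    esac
    if [ "$flag" = "$perm" ]; then echo yes; return 0; fi
    # lowercase s (setuid/setgid) or t (sticky) in the execute slot also means x
    if [ "$perm" = x ] && { [ "$flag" = s ] || [ "$flag" = t ]; }; then echo yes; return 0; fi
    echo no; return 1
}

# can_delete DIRMODE DIROWNER DIRGROUP FILEOWNER WHO "SUPPLEMENTARY-GROUPS-OF-WHO"
# Removing a file needs write and execute on its directory; the file's own
# mode does not matter. With the sticky bit (t or T in the last slot) only the
# file's owner, the directory's owner or root may remove it.
can_delete() {
    dmode=$1 downer=$2 dgroup=$3 fowner=$4 who=$5 dgroups=$6
    if [ "$who" = root ]; then echo yes; return 0; fi
    for need in w x; do
        can_access "$dmode" "$downer" "$dgroup" "$who" "$dgroups" "$need" >/dev/null || { echo no; return 1; }
    done
    case $(printf %s "$dmode" | cut -c10) in
        t|T) if [ "$who" != "$fowner" ] && [ "$who" != "$downer" ]; then echo no; return 1; fi ;;
    esac
    echo yes; return 0
}
```

The fourth case in the checks below is the one that surprises people: a file whose owner bits are --- stays unreadable to its owner even though the group bits would allow it, because the owner class is the most specific one and the only one consulted.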
146 RH124-RHEL7-en-1-20140606
Examples: Linux user, group, other concepts
References
ls(1) man page