02 Account Management

Transcript of 02 Account Management

  • 7/29/2019 02 Account Management

    1/19

    User Account Management

    WeeSan Lee

  • 2/19

    Roadmap

    Add An Account

    Delete An Account

    /etc/{passwd,shadow}

    /etc/group

    How To Disable An Account?

    Root Account Q&A

  • 3/19

    Add An Account

    To create an account for user foo:

    Create /home/foo
    $ cp -a /etc/skel/* /home/foo
    (the * glob skips dotfiles such as .bashrc; use /etc/skel/. as the source to copy them too)
    $ chown -R foo:users /home/foo
    $ chmod 711 /home/foo
    or, equivalently,
    $ chmod u=rwx,g=x,o=x /home/foo

    Add foo into /etc/passwd and /etc/shadow
    $ vipw
    $ passwd foo

    Alternatively, use useradd
    $ useradd foo
    $ passwd foo

  • 4/19

    Delete An Account

    To remove the account foo:

    Revert what we did before

    Or, use userdel
    $ userdel foo
    $ userdel -r foo
    (-r deletes /home/foo as well)

    To find files left behind (owned by a UID that no longer exists)
    $ find / -xdev -nouser

  • 5/19

    /etc/passwd

    A file that contains a list of users recognized by the system

    World readable. Why?

    Each line represents one user, e.g.

    foo:x:500:500:Foo Bar:/home/foo:/bin/bash

    7 fields separated by colons:

    Login name or username

    Encrypted passwd

    UID

    Default GID

    GECOS information: full name, office, extension, phone #

    Home directory

    Login shell

  • 6/19

    /etc/passwd (cont)

    Login name: up to 32 chars long
    (8 for NIS, the Network Information Service)
    Case sensitive, usually lower case
    Usually used as the email address

    Encrypted passwd: see /etc/shadow

    UID: 32-bit unsigned integer
    Starts from 500. See /etc/login.defs

    foo:x:500:500:Foo Bar:/home/foo:/bin/bash

  • 9/19

    /etc/passwd (cont)

    Default GID: defined in /etc/group

    GECOS field: for personal information
    $ finger foo

    Home directory: cd to it after login

    Login shell: valid shells are listed in /etc/shells

    foo:x:500:500:Foo Bar:/home/foo:/bin/bash

  • 13/19

    /etc/shadow

    A file that contains the encrypted passwd for each user
    Only readable by root or processes with root privilege
    Each line represents one user, e.g.

    foo:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::

    9 fields separated by colons:

    Login name or username

    Encrypted passwd

    Date of last passwd change

    Min. # of days between password changes

    Max # of days between password changes

    # of days in advance to warn users about passwd expiration

    # of days after passwd expiration that the account is disabled

    Account expiration date

    A reserved field

    Usually login name and passwd are enough
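
The /etc/passwd and /etc/shadow layouts described on these slides, as an added Python example (this is not code from the slides or from the shadow utilities): it splits both kinds of line into named fields, decodes the shadow day counts (days since 1970-01-01, so the slide's 13690 is 2007-06-26), names the hash scheme from its crypt(3) prefix, and works out whether a password is locked, due for change, expired or past its grace period. The prefix table and the status names are this example's own choices; the sample lines are the slide's.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)  # shadow(5) day counts are days since this date

# crypt(3) hash-id prefixes; this table is the example's own, not from the slides
HASH_ALGORITHMS = {
    "$1$": "md5crypt (weak, avoid)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd_line(line):
    """Split one /etc/passwd line into its 7 named fields (uid/gid as ints)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    entry = dict(zip(PASSWD_FIELDS, fields))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    return entry


@dataclass
class ShadowEntry:
    name: str
    passwd: str                  # encrypted password, or !/* lock markers
    last_change: Optional[date]  # empty field -> None (aging disabled)
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[date]
    reserved: str


def _days_to_date(field):
    return EPOCH + timedelta(days=int(field)) if field else None


def _int_or_none(field):
    return int(field) if field else None


def parse_shadow_line(line):
    """Split one /etc/shadow line into its 9 fields, decoding the day counts."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(f)}")
    return ShadowEntry(f[0], f[1], _days_to_date(f[2]), _int_or_none(f[3]),
                       _int_or_none(f[4]), _int_or_none(f[5]), _int_or_none(f[6]),
                       _days_to_date(f[7]), f[8])


def hash_algorithm(passwd_field):
    """Name the crypt(3) scheme from the hash prefix; a leading ! lock marker is ignored."""
    h = passwd_field.lstrip("!")
    if h == "":
        return "empty (no password required)"
    if h == "*":
        return "none (* placeholder, no valid password)"
    for prefix, name in HASH_ALGORITHMS.items():
        if h.startswith(prefix):
            return name
    return "traditional DES crypt or unknown scheme"


def password_status(entry, today):
    """Classify the password as of `today` (date or ISO string): locked, must-change, expired, inactive or ok."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if entry.passwd.startswith("!") or entry.passwd == "*":
        return "locked"
    if entry.last_change == EPOCH:  # field value 0 forces a change at next login
        return "must-change"
    if entry.last_change is None or entry.max_days is None or entry.max_days >= 99999:
        return "ok"  # password aging effectively disabled
    expiry = entry.last_change + timedelta(days=entry.max_days)
    if today < expiry:
        return "ok"
    if entry.inactive_days is not None and today >= expiry + timedelta(days=entry.inactive_days):
        return "inactive"  # past the grace period: the account is disabled
    return "expired"  # the user must change the password at the next login


if __name__ == "__main__":
    # the slide's sample shadow line, embedded here as test input
    entry = parse_shadow_line("foo:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::")
    print(entry.name, entry.last_change, hash_algorithm(entry.passwd),
          password_status(entry, date.today()))
```

Running it on the slide's line reports the last change as 2007-06-26, an md5crypt hash (a scheme a current audit should flag, since modern systems use sha512crypt or yescrypt), and a password that never expires because max days is 99999.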

  • 14/19

    /etc/shadow (cont)

    Set the account expiration date with usermod
    $ usermod -e 2007-06-26 foo

  • 15/19

    /etc/group

    A file that contains the names of UNIX groups and a list of group members, e.g.

    foo:x:500:
    installer:x:200:foo,bar

    Each line represents one group

    4 fields separated by colons:

    Group name (8 chars)

    Encrypted passwd, or x for /etc/gshadow

    GID (starts from 500, see /etc/login.defs)

    List of members, separated by commas (no space)

  • 16/19

    How To Disable An Account?

    Put a * in the user's password field in /etc/passwd

    $ usermod -L foo
    Puts a ! in front of the encrypted passwd
    To undo: $ usermod -U foo

    $ usermod -e yyyy-mm-dd foo

    Replace the login shell with
    /bin/false
    /sbin/nologin
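
The disabling techniques on this slide and the group layout on the previous one, as an added Python example (not code from the slides): given a passwd line and its shadow line, disable_reasons reports every reason the account cannot log in (locked or starred password, expiration date reached, a no-login or unlisted shell), and members_of resolves a group's membership from /etc/group plus primary GIDs in /etc/passwd. The shell sets are constructed stand-ins for /etc/shells; the sample lines are the slides' examples plus a constructed user bar.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow day counts are days since this date

# Constructed stand-ins: the real list of permitted shells is /etc/shells
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
VALID_SHELLS = frozenset({"/bin/sh", "/bin/bash"})


def disable_reasons(passwd_line, shadow_line, today, valid_shells=VALID_SHELLS):
    """List why an account cannot log in as of `today` (date or ISO string); [] means enabled."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    p = passwd_line.rstrip("\n").split(":")
    s = shadow_line.rstrip("\n").split(":")
    if len(p) != 7 or len(s) != 9 or p[0] != s[0]:
        raise ValueError("need a 7-field passwd line and a 9-field shadow line for the same user")
    reasons = []
    # the hash lives in shadow when the passwd field is "x", otherwise in passwd itself
    pw = s[1] if p[1] == "x" else p[1]
    if pw.startswith("!"):
        reasons.append("password locked with a leading ! (usermod -L)")
    elif pw.startswith("*"):
        reasons.append("password field starred out, no hash can match")
    if s[7]:  # account expiration date (usermod -e)
        expire = EPOCH + timedelta(days=int(s[7]))
        if today >= expire:
            reasons.append(f"account expired on {expire.isoformat()} (usermod -e)")
    shell = p[6] or "/bin/sh"  # an empty shell field means /bin/sh
    if shell in NOLOGIN_SHELLS:
        reasons.append(f"login shell {shell} refuses logins")
    elif shell not in valid_shells:
        reasons.append(f"login shell {shell} is not listed in /etc/shells")
    return reasons


def members_of(group_name, group_lines, passwd_lines):
    """Users in a group: the listed members plus anyone whose primary GID is the group's."""
    gid, members = None, set()
    for line in group_lines:
        name, _pw, g, member_list = line.rstrip("\n").split(":")
        if name == group_name:
            gid = g
            members |= {m for m in member_list.split(",") if m}
    if gid is None:
        raise KeyError(f"no such group: {group_name}")
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if fields[3] == gid:
            members.add(fields[0])
    return members


if __name__ == "__main__":
    # constructed sample lines: the slides' foo plus a second user bar
    PASSWD = ["foo:x:500:500:Foo Bar:/home/foo:/bin/bash",
              "bar:x:501:501:Bar Baz:/home/bar:/sbin/nologin"]
    SHADOW = ["foo:!$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::",
              "bar:$6$salt$hash:13690:0:99999:7:::"]
    GROUP = ["foo:x:500:", "installer:x:200:foo,bar"]
    for p, s in zip(PASSWD, SHADOW):
        print(p.split(":")[0], disable_reasons(p, s, date.today()) or ["enabled"])
    print("installer:", sorted(members_of("installer", GROUP, PASSWD)))
```

A locked password only stops password logins: an SSH key in the user's authorized_keys file still works until the shell is changed or the account expires, which is why an audit should check all three conditions rather than just the ! marker.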

  • 17/19

    Root Account

    Special and powerful account

    UID 0

    Guard your root passwd with your life!!!

    At least 8 chars. long
    Don't write it down
    Mix letters, numbers and punctuation
    E.g. Bambo0!

    Don't use root as your normal login; use su when needed

    Don't share your root passwd with others

  • 18/19

    Root Account (cont)

    Use sudo instead
    $ sudo /bin/bash

    /etc/sudoers

    All commands are logged

    To edit /etc/sudoers
    $ visudo

    foo ALL=(root) ALL
    User foo can run ALL commands on ALL machines as root

    Host_Alias CS=eon,orpheus
    Cmnd_Alias SNOOP=/usr/sbin/tcpdump,/usr/sbin/ethereal
    bar CS=SNOOP
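
A small evaluator for the sudoers entries shown on this slide, added here as an example; it is not sudo's own parser. It models only the subset the slide uses (Host_Alias, Cmnd_Alias and plain `user host=(runas) commands` entries, no wildcards, ! negation or Defaults), treats an omitted (runas) as root, which is sudo's runas_default, and answers two questions an audit asks: may this user run this command on this host, and which users hold an unrestricted ALL grant? The SUDOERS text is the slide's three entries.

```python
import re

# The slide's entries, embedded as the input for this example
SUDOERS = """\
Host_Alias CS=eon,orpheus
Cmnd_Alias SNOOP=/usr/sbin/tcpdump,/usr/sbin/ethereal
foo ALL=(root) ALL
bar CS=SNOOP
"""

# user  host = (runas) commands      -- the (runas) part is optional
_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\))?\s*(.+)$")


def parse_sudoers(text):
    """Parse Host_Alias / Cmnd_Alias lines and 'user host=(runas) cmds' specs."""
    aliases = {"Host_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        kind = line.split(None, 1)[0]
        if kind in aliases:
            name, values = line.split(None, 1)[1].split("=", 1)
            aliases[kind][name.strip()] = [v.strip() for v in values.split(",")]
            continue
        m = _SPEC.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        user, host, runas, cmds = m.groups()
        # an omitted (runas) means root, sudo's runas_default
        rules.append((user, host, runas or "root", [c.strip() for c in cmds.split(",")]))
    return aliases, rules


def _expand(name, table):
    """Replace an alias name by its member list; plain names expand to themselves."""
    return table.get(name, [name])


def may_run(sudoers, user, host, command, runas="root"):
    """True if some entry lets `user` run `command` on `host` as `runas`.
    Without ! negation in this subset, any matching entry grants the command."""
    aliases, rules = sudoers
    for rule_user, rule_host, rule_runas, cmds in rules:
        if rule_user != user:
            continue
        hosts = _expand(rule_host, aliases["Host_Alias"])
        if "ALL" not in hosts and host not in hosts:
            continue
        if rule_runas not in ("ALL", runas):
            continue
        commands = [c for entry in cmds for c in _expand(entry, aliases["Cmnd_Alias"])]
        if "ALL" in commands or command in commands:
            return True
    return False


def unrestricted_users(sudoers):
    """Users holding an entry for ALL commands as root on ALL hosts: review this list first."""
    _aliases, rules = sudoers
    return sorted({u for u, h, r, c in rules
                   if h == "ALL" and r in ("ALL", "root") and "ALL" in c})


if __name__ == "__main__":
    policy = parse_sudoers(SUDOERS)
    print("bar on eon, tcpdump:", may_run(policy, "bar", "eon", "/usr/sbin/tcpdump"))
    print("bar on eon, bash:", may_run(policy, "bar", "eon", "/bin/bash"))
    print("unrestricted:", unrestricted_users(policy))
```

Real sudo matching is richer (wildcards, ! negation, Defaults, last matching entry wins), so this model only answers questions about simple entries like the ones above. On the logging point from this slide: sudo logs the command it was asked to run, so an unrestricted entry, or one that permits a shell as in `sudo /bin/bash`, records that single command and not the commands typed inside the resulting root shell.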

  • 19/19

    References

    LAH

    Ch 3: Rootly Powers

    Ch 6: Adding New Users