User Account Management


  1. User Account Management
  WeeSan Lee <weesan@cs.ucr.edu>

  2. Roadmap
  • Add An Account
  • Delete An Account
  • /etc/{passwd,shadow}
  • /etc/group
  • How To Disable An Account?
  • Root Account
  • Q&A

  3. Add An Account
  • To create an account for user foo
    • Create /home/foo
      • $ cp -a /etc/skel/* /home/foo
      • $ chown -R foo:users /home/foo
      • $ chmod 711 /home/foo
      • $ chmod u=rwx,g=x,o=x /home/foo (the same mode, written symbolically)
    • Add foo into /etc/passwd and /etc/shadow
      • $ vipw
      • $ passwd foo
  • Alternatively, use useradd
    • $ useradd foo
    • $ passwd foo

  4. Delete An Account
  • To remove the account foo
    • Revert what we did before
    • Or, use userdel
      • $ userdel foo
      • $ userdel -r foo
        • Deletes /home/foo as well
  • To find files left behind (paths must come before the tests)
    • $ find / -xdev -nouser

  5. /etc/passwd
  • A file that contains a list of users recognized by the system
  • World readable
    • Why? Every user's tools (ls, who, ...) must map UIDs to names, which is why the password hash itself lives in /etc/shadow
  • Each line represents one user, e.g.
    • foo:x:500:500:Foo Bar:/home/foo:/bin/bash
  • 7 fields separated by colons
    • Login name or username
    • Encrypted passwd
    • UID
    • Default GID
    • "GECOS" information: full name, office, extension, phone #
    • Home directory
    • Login shell

  6. /etc/passwd (cont)
  foo:x:500:500:Foo Bar:/home/foo:/bin/bash
  • Login name
    • Up to 32 chars long
    • Up to 8 for NIS (Network Information Service)
    • Case sensitive, usually lower case
    • Usually used as email address
  • Encrypted passwd
    • See /etc/shadow
  • UID
    • 32-bit unsigned integer
    • Starts from 500. See /etc/login.defs
  9. /etc/passwd (cont)
  foo:x:500:500:Foo Bar:/home/foo:/bin/bash
  • Default GID
    • Defined in /etc/group
  • GECOS field
    • For personal information
    • $ finger foo
  • Home directory
    • cd to home directory after login
  • Login shell
    • Valid shells defined in /etc/shells
  13. /etc/shadow
  • A file that contains the encrypted passwd for the users
  • Only readable by root or processes with root privilege
  • Each line represents one user, e.g.
    • foo:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::
  • 9 fields separated by colons (dates are counted in days since 1970-01-01)
    • Login name or username
    • Encrypted passwd
    • Date of last passwd change
    • Min. # of days between password changes
    • Max # of days between password changes
    • # of days in advance to warn users about passwd expiration
    • # of days after passwd expiration that the account is disabled
    • Account expiration date
    • A reserved field
  • Usually login name and passwd are enough

  14. /etc/shadow (cont)
  • usermod sets the account expiration date, e.g.
    • $ usermod -e 2007-06-26 foo

  15. /etc/group
  • A file that contains the names of UNIX groups and a list of each group's members, e.g.
    • foo:x:500:
    • installer:x:200:foo,bar
  • Each line represents one group
  • 4 fields separated by colons
    • Group name (8 chars)
    • Encrypted passwd, or x for /etc/gshadow
    • GID (starts from 500, see /etc/login.defs)
    • List of members, separated by commas (no space)

  16. How To Disable An Account?
  • Append a '*' to the username in /etc/passwd
  • $ usermod -L foo
    • Puts a '!' in front of the encrypted passwd
    • To undo: $ usermod -U foo
  • $ usermod -e yyyy-mm-dd foo
  • Replace the login shell with
    • /bin/false
    • /sbin/nologin
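An added audit example (not from the slides) that parses records in the 7-field /etc/passwd and 9-field /etc/shadow layouts above and flags the conditions the slides discuss: a second UID 0 login, an empty password field, a locked hash ('!' from usermod -L or '*'), an account past the expiration date set with usermod -e, a password past its maximum age, and a shell outside /etc/shells. The records, the VALID_SHELLS set standing in for /etc/shells, and the day numbers are constructed; the hash string is the one shown on slide 13.

```python
# Constructed sample records (not a real system); the hash is the string shown on the
# slide. toor and old are deliberately bad entries for the audit to catch.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
foo:x:500:500:Foo Bar:/home/foo:/bin/bash
bar:x:501:501:Bar Baz:/home/bar:/sbin/nologin
toor:x:0:0:second UID 0:/root:/bin/bash
old::502:502:Unshadowed:/home/old:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::
foo:!$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::
bar:*:13690:0:99999:7:::
toor:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:90:7::13700:
old::13690:0:99999:7:::
"""
VALID_SHELLS = {"/bin/sh", "/bin/bash"}  # stands in for the contents of /etc/shells

def parse_records(text, nfields):
    # Split colon-separated lines into {login: fields}; reject malformed lines.
    rows = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("expected %d fields: %r" % (nfields, line))
        rows[fields[0]] = fields
    return rows

def audit(passwd_text, shadow_text, today_days):
    # today_days counts days since 1970-01-01, the unit /etc/shadow uses
    # (13690 is 2007-06-26, 13879 is 2008-01-01). Returns (login, finding) pairs.
    shadow = parse_records(shadow_text, 9)   # KeyError below if a login has no entry
    findings = []
    for name, (_, pw, uid, _gid, _gecos, _home, shell) in parse_records(passwd_text, 7).items():
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid0"))            # a second root-equivalent login
        if pw == "":
            findings.append((name, "empty-passwd-field"))  # login with no password at all
        if shell not in VALID_SHELLS:
            findings.append((name, "no-login-shell"))  # /sbin/nologin, /bin/false, ...
        hash_, changed, _min, max_, _warn, _inact, expire = shadow[name][1:8]
        if hash_ == "":
            findings.append((name, "empty-hash"))
        elif hash_[0] in "!*":
            findings.append((name, "locked"))          # what usermod -L or a leading '*' produce
        if expire and int(expire) <= today_days:
            findings.append((name, "account-expired"))  # date set with usermod -e
        if changed and max_ and int(changed) + int(max_) < today_days:
            findings.append((name, "passwd-expired"))
    return findings
```

Run against the real files as root (they are the same layouts), passing today's date as a day count; the `toor` and `old` records show what a compromised or sloppily edited passwd file looks like to the audit.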

  17. Root Account
  • Special and powerful account
    • UID 0
  • Guard your root passwd "with your life!!!"
    • At least 8 chars. long
    • Don't write it down
    • Mix letters, numbers and punctuation
      • E.g. Bambo0!
  • Don't log in as root for everyday work
    • Use su when needed
  • Don't share your root passwd with others

  18. Root Account (cont)
  • Use sudo instead
    • $ sudo /bin/bash
    • /etc/sudoers
    • All commands are logged
  • To edit /etc/sudoers
    • $ visudo
  • foo ALL=(root) ALL
    • User foo can run ALL commands on ALL machines as root
  • Host_Alias CS=eon,orpheus
  • Cmnd_Alias SNOOP=/usr/sbin/tcpdump,/usr/sbin/ethereal
  • bar CS=SNOOP
    • User bar can run the SNOOP commands on the CS hosts as root
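An added example (not from the slides, and not sudo's own code) that models the four sudoers lines above just far enough to answer whether a user may run a given command on a given host as root. It handles only Host_Alias, Cmnd_Alias, a user spec with an optional (runas) part, and the ALL wildcard; the real sudoers grammar (negation, wildcards, tags such as NOPASSWD, User_Alias, Runas_Alias) is much larger. SUDOERS_SAMPLE is copied from the slide; host and command names used when calling it are assumed.

```python
# Constructed from the four sudoers lines on the slide; a reduced model, not sudo itself.
SUDOERS_SAMPLE = """\
foo ALL=(root) ALL
Host_Alias CS=eon,orpheus
Cmnd_Alias SNOOP=/usr/sbin/tcpdump,/usr/sbin/ethereal
bar CS=SNOOP
"""

def parse_sudoers(text):
    # Returns ({"Host_Alias": {...}, "Cmnd_Alias": {...}}, [(user, hosts, runas, cmds)]).
    aliases = {"Host_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind in aliases:                     # Host_Alias NAME=a,b  /  Cmnd_Alias NAME=x,y
            name, _, members = rest.partition("=")
            aliases[kind][name.strip()] = set(members.split(","))
            continue
        hosts, _, tail = rest.partition("=")    # user hosts=(runas) cmds; runas defaults to root
        runas = "root"
        if tail.startswith("("):
            runas, _, tail = tail[1:].partition(")")
        specs.append((kind, set(hosts.split(",")), runas.strip(), set(tail.strip().split(","))))
    return aliases, specs

def expand(names, table):
    # Replace alias names by their members; anything else (hosts, paths, ALL) passes through.
    out = set()
    for n in names:
        out |= table.get(n, {n})
    return out

def allowed(text, user, host, command, runas="root"):
    # True if some user spec grants `user` the `command` on `host` as `runas`.
    aliases, specs = parse_sudoers(text)
    for spec_user, hosts, spec_runas, cmds in specs:
        if spec_user != user or spec_runas != runas:
            continue
        hosts = expand(hosts, aliases["Host_Alias"])
        cmds = expand(cmds, aliases["Cmnd_Alias"])
        if ("ALL" in hosts or host in hosts) and ("ALL" in cmds or command in cmds):
            return True
    return False
```

Note that foo's `ALL` rule permits `sudo /bin/bash`, after which the logging mentioned on the slide records only that one sudo invocation, not the commands typed inside the shell; narrow Cmnd_Alias rules like SNOOP keep the log meaningful.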

  19. References
  • LAH (Linux Administration Handbook)
    • Ch 3: Rootly Powers
    • Ch 6: Adding New Users
