Open Source Operating System, Lecture (4), Dr. Samah Mohammed
Objectives
• Working with users and groups
• Creating and managing user accounts from the command line
• Linux groups
• Managing groups from the command line
• What are permissions
• Typical file permissions
Managing users and groups
• Linux user accounts are the mechanism by which the Linux operating system handles the task of protection.
• In Linux, there are three forms of user accounts:
1- root
2- user (human) accounts
3- software accounts
How Linux User Accounts Work
• Username
• Password
• By default, all user home directories are created and maintained in the /home directory.
• However, the root user's home directory is /root.
To view information about the user_name account on your Linux system, enter:
finger user_name
The command displays the following information about the user account:
• Login This is the username that is used to authenticate to the system.
• Name This is the user's full name.
• Directory This is the user's home directory.
• Shell This is the default shell that will be provided to the user.
• Last Login This displays the last time the user logged in and where from.
In addition to having a home directory and default shell assigned, each user account is also assigned a unique user ID (UID) number when it is created.
• No two user accounts on the system will have the same UID.
• To view the UID for a given user account: id username
Example: to view information about our khalid user account, we can enter: id khalid
• The root user account is always assigned a UID of 0 on most Linux distributions.
• Other distributions may use a different numbering scheme for the UID, however. For example, UIDs on a Red Hat system start at 500 instead of 1000.
• It is this UID that the operating system actually uses to control access to files and directories in the file system.
Where Linux User Accounts Are Stored
Linux is a very flexible operating system. One of its flexible features is the location of user accounts on the system. When you originally installed the system, your distribution may have given you several options for where you wanted to store your user accounts. This screen allows you to choose from the following authentication methods:
1- Local This option stores user accounts in the /etc/passwd file. This has been the default configuration used by Linux systems for many years.
2- LDAP This is a newer option that many Linux administrators are starting to adopt. Instead of storing user accounts in a file in the file system, user accounts are stored in a directory service provided by OpenLDAP. Unlike local authentication, which uses a flat file, the directory service is hierarchical in nature, allowing you to sort and organize your user accounts by location, function, or department.
Local option
• /etc/passwd This file contains the user account information for your system.
• /etc/shadow This file contains the passwords for your user accounts.
• /etc/group This file contains your system's groups.
- The /etc/passwd File
• Username:Password:UID:GID:Full_Name:Home_Directory:Default_Shell
• Username This field identifies the username the user will supply when logging in to the system.
• Password This is a legacy field. At one time, the user's password was stored in encrypted form in this field in the passwd file. However, for security reasons, the password has been moved from /etc/passwd to /etc/shadow.
• UID This is the user ID for the user account.
• GID This field references the group ID number of the user's default group.
• Full_Name This field contains the user's full name.
• Home_Directory This field contains the path to the user's home directory.
• Default_Shell This field specifies the shell that will be used by default.
The /etc/shadow File
• Username:Password:Last_Modified:Min_Days:Max_Days:Days_Warn:Disabled_Days:Expire
• Username This is the user's login name from /etc/passwd.
• Password This is the user's password in encrypted format.
• Last_Modified This field displays the number of days since the password was last changed.
• Min_Days This field displays the minimum number of days required before a password can be changed.
• Max_Days This field displays the maximum number of days before a password must be changed.
• Days_Warn This field displays the number of days prior to password expiration that the user will be warned of the pending expiration.
• Disabled_Days This field displays the number of days to wait after a password has expired to disable the account.
• Expire This field displays the date, as a number of days since 1970-01-01, after which the account will be disabled.
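The following script is an added example, not part of the lecture, that reads records in the /etc/passwd and /etc/shadow formats described above and runs the checks an administrator wants over them: it lists every account whose UID field is 0 (only root should appear, per the UID discussion above), classifies the Password field of a shadow record as set, empty or locked, and computes from Last_Modified and Max_Days how many days remain before a password must be changed. All account names, hashes and the "today" value are constructed sample data; the same functions accept the contents of the real files.

```shell
#!/bin/sh
# Added example: auditing /etc/passwd and /etc/shadow style records.
# The data below is constructed; on a real system pass "$(cat /etc/passwd)"
# and (as root) "$(cat /etc/shadow)" to the same functions.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
khalid:x:1000:1000:Khalid:/home/khalid:/bin/bash
eman:x:1001:1001:Eman:/home/eman:/bin/bash
dupadmin:x:0:0:second uid 0 account:/tmp:/bin/sh'

# Constructed shadow records: root with a hash and no expiry (Max_Days 99999),
# khalid with a 90-day maximum age, eman locked ("!" prefix, as usermod -L
# produces), guest with an empty password field.
SHADOW_DATA='root:$6$saltsalt$fakehashvalue:17680:0:99999:7:::
khalid:$6$abcdefgh$fakehashvalue:17600:0:90:7:::
eman:!$6$abcdefgh$fakehashvalue:17600:0:90:7:::
guest::17600:0:90:7:::'

# Print, space separated, every username whose UID field (3rd) is 0.
list_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { n = n (n ? " " : "") $1 } END { print n }'
}

# Return the single record for a username from passwd or shadow style data.
record_for() {   # record_for "$DATA" username
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u'
}

# Classify the Password field (2nd) of a shadow record:
# "locked" when it starts with "!" or "*", "empty" when blank, else "set".
shadow_password_status() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Days left before the password must change: Last_Modified (3rd) + Max_Days (5th)
# minus today, where today is given as days since 1970-01-01 like the file uses.
# Prints "never" when Max_Days is empty or 99999 (the usual "no expiry" value).
password_days_left() {   # password_days_left "$record" today_in_days
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        if ($5 == "" || $5 >= 99999) print "never";
        else print $3 + $5 - today
    }'
}

TODAY=17680   # constructed "today" so the output is reproducible
echo "accounts with UID 0: $(list_uid0 "$PASSWD_DATA")"
for u in root khalid eman guest; do
    rec=$(record_for "$SHADOW_DATA" "$u")
    printf '%-8s password %-6s  change due in: %s\n' "$u" \
        "$(shadow_password_status "$rec")" "$(password_days_left "$rec" "$TODAY")"
done
```

The UID 0 check is the one worth running regularly: the kernel identifies the superuser by UID, not by the name root, so a second account with UID 0 has full root rights whatever it is called. To use a real date for TODAY, `$(( $(date +%s) / 86400 ))` gives the current day count in the same units as the Last_Modified field.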
Creating user accounts
There are two approaches to creating user accounts and groups:
1- There is a GUI tool, the User Manager, and
2- There are command line programs.
Create user from GUI
The GUI User Manager program is launched from the menu by selecting System > Administration > Users and Groups.
Creating and Managing User Accounts from the Command Line
• Using useradd
• Using passwd
• Using usermod
• Using userdel
Using useradd
useradd is the command used to create a new user for the Linux system.
Syntax: useradd [options] username
Example (1): useradd Eman
The Eman account is created using the default parameters contained in the configuration file /etc/default/useradd.
Example (2): useradd -e 2018-05-28 khalid
Managing Passwords
• Password management requires that passwords are modified in a timely fashion. For this duty, we turn to two standard Linux programs: chage and passwd.
• The chage program allows the system administrator to change a user's password expiration dates.
• The syntax: chage [options] username
Managing Passwords Cont..
• The passwd utility is used to change an existing user's password.
Syntax: passwd username
• You can display the status of an account's password using the -S option of passwd.
Example: passwd -S khalid
- Using usermod
• From time to time, you will need to modify an existing user account. The syntax for usermod is very similar to that used by useradd.
Syntax: usermod [options] username
options
-c Edits the user's full name.
-e Sets the date when the user account will be disabled. Format the date as yyyy-mm-dd.
-f Sets the number of days after password expiration before the account is disabled. Use a value of -1 to disable this functionality.
-g Sets the user's default group.
-G Specifies additional groups that the user is to be made a member of.
options
-l Changes the username.
-L Locks the user's account. This option invalidates the user's password.
-m Sets the user's home directory.
-p Sets the user's password.
-s Specifies the default shell for the user.
-u Sets the UID for the user.
-U Unlocks a user's account that has been locked.
Using userdel
• The userdel command is used to delete user accounts. This can, but does not have to, delete the associated files (the user's home directory, temporary files, and mail file).
Syntax: userdel username
Example: userdel khalid
Using userdel Cont..
• If you do want to remove the home directory when you delete the user, you need to use the -r option in the command line.
• Example: userdel -r khalid will remove the account and delete his home directory.
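As an added example (not from the lecture), the script below strings the commands from the last few slides into one checked sequence on a throwaway account: useradd with a full name and an expiry date, usermod -L to lock it, passwd -S to confirm the lock, chage to set a 90-day maximum age with a 7-day warning, and finally userdel -r to remove the account together with its home directory. The account name demo_khalid and the expiry date are constructed. The account-changing part needs root and is only run when the script is started with RUN_LIFECYCLE=1; the helper functions (account lookup, status flag, date validation) run for any user.

```shell
#!/bin/sh
# Added example: a checked useradd -> usermod -L -> passwd -S -> chage -> userdel -r
# sequence. ACCOUNT and EXPIRE are constructed values for the demonstration.

ACCOUNT=demo_khalid        # throwaway account, created and removed by this script
EXPIRE=2030-05-28          # constructed expiry date in the yyyy-mm-dd form useradd -e expects

# True when the account exists. "id" resolves through NSS, so this works for
# local (/etc/passwd) and LDAP accounts alike.
account_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Second column of "passwd -S": P/PS = usable password, L/LK = locked, NP = no password.
password_status_flag() {
    passwd -S "$1" | awk '{ print $2 }'
}

# Reject anything that is not yyyy-mm-dd before it reaches useradd -e / usermod -e.
valid_expire_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

lifecycle_demo() {
    valid_expire_date "$EXPIRE" || { echo "bad expiry date: $EXPIRE" >&2; return 1; }
    account_exists "$ACCOUNT" && { echo "$ACCOUNT already exists, refusing" >&2; return 1; }

    # Create with a home directory (-m), full name (-c) and account expiry (-e).
    useradd -m -c "Demo Khalid" -e "$EXPIRE" "$ACCOUNT"
    account_exists "$ACCOUNT" || return 1
    echo "created:  $(getent passwd "$ACCOUNT")"

    # Lock the account: the password field in /etc/shadow gets a "!" prefix.
    usermod -L "$ACCOUNT"
    case "$(password_status_flag "$ACCOUNT")" in
        L|LK) echo "locked:   passwd -S reports $(password_status_flag "$ACCOUNT")" ;;
        *)    echo "lock not reflected by passwd -S" >&2; userdel -r "$ACCOUNT"; return 1 ;;
    esac

    # Aging policy: password must change every 90 days, warn 7 days ahead.
    chage -M 90 -W 7 "$ACCOUNT"
    chage -l "$ACCOUNT"

    # Remove the account and its home directory, then confirm it is gone.
    userdel -r "$ACCOUNT"
    account_exists "$ACCOUNT" && return 1
    echo "removed:  $ACCOUNT no longer resolves"
}

if [ "$(id -u)" -eq 0 ] && [ "${RUN_LIFECYCLE:-0}" = 1 ]; then
    lifecycle_demo
else
    echo "helpers loaded; run as root with RUN_LIFECYCLE=1 to exercise the account lifecycle"
fi
```

Run it as `sudo RUN_LIFECYCLE=1 sh lifecycle.sh`. The status letter printed by `passwd -S` differs between distributions (shadow-utils prints L, the Red Hat passwd prints LK), which is why the script accepts both rather than comparing against one value.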
Linux Groups
• How Linux groups work
• Managing groups from the command line
How Linux Groups Work
• If your Linux system has been configured to use local authentication, your groups are defined in the /etc/group file. Each record is composed of the following four fields:
Group:Password:GID:Users
• Group Specifies the name of the group.
• Password Specifies the group password.
• GID Specifies the group ID (GID) number of the group.
• Users Lists the members of the group.
• As with /etc/shadow, each line in /etc/gshadow represents a record for a single group. Each record is composed of the following fields:
Group_Name:Password:Group_Admins:Group_Members
Managing groups from the command line
• Using groupadd
• Using groupmod
• Using groupdel
- Using groupadd
• Syntax: groupadd [options] groupname
• Example: groupadd -r workstudent
- Using groupmod
• To modify a group, including adding users to the group membership, you use the groupmod utility.
• Syntax: groupmod [options] group
• Options:
-g Changes the group's GID number.
-p Changes the group's password.
-A Adds a user account to the group.
-R Removes a user account from the group.
If we wanted to add "Ali" to the student group, we would enter groupmod -A "Ali" student at the shell prompt.
Using groupdel
• There are no options; instead it is simply: groupdel groupname
• The group is deleted from the /etc/group and /etc/gshadow files, and the group is removed from any user's list of groups as stored in /etc/passwd.
• Example: groupdel student
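Added example (not from the lecture): given records in the /etc/passwd and /etc/group formats above, these functions reproduce what the id command reports for a user, resolving the primary group from the GID field of the passwd record and the supplementary groups by scanning the Users field of every group record. This is the membership that groupmod -A and -R change and that groupdel removes. When a user's primary GID has no matching group record the number is reported instead, as id does. The user and group names (including the student group from the groupmod example) are constructed.

```shell
#!/bin/sh
# Added example: resolving a user's groups from /etc/passwd and /etc/group style
# records. Sample data is constructed; on a real system pass the file contents.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
khalid:x:1000:1002:Khalid:/home/khalid:/bin/bash
ali:x:1001:1001:Ali:/home/ali:/bin/bash'

# Note: ali's primary GID 1001 has no record here (an orphaned GID), and
# student lists both ali and khalid in its Users field.
GROUP_DATA='root:x:0:
student:x:1002:ali,khalid
workstudent:x:998:
wheel:x:10:khalid'

# Name of the user's primary group: GID field of passwd, looked up in group data.
# Falls back to the bare number when no group record carries that GID.
primary_group() {   # primary_group "$PASSWD" "$GROUP" user
    gid=$(printf '%s\n' "$1" | awk -F: -v u="$3" '$1 == u { print $4 }')
    [ -n "$gid" ] || return 1
    name=$(printf '%s\n' "$2" | awk -F: -v g="$gid" '$3 == g { print $1 }')
    printf '%s\n' "${name:-$gid}"
}

# Space separated names of every group whose Users field (4th, comma separated)
# contains the user; an optional third argument names a group to leave out.
supplementary_groups() {   # supplementary_groups "$GROUP" user [skip]
    printf '%s\n' "$1" | awk -F: -v u="$2" -v skip="$3" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] == u && $1 != skip) out = out (out ? " " : "") $1
    } END { print out }'
}

# Members listed directly in a group record, space separated.
members_of() {   # members_of "$GROUP" groupname
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { gsub(",", " ", $4); print $4 }'
}

# id-style summary "user : primary supplementary...", primary listed once.
user_groups() {   # user_groups "$PASSWD" "$GROUP" user
    p=$(primary_group "$1" "$2" "$3") || return 1
    s=$(supplementary_groups "$2" "$3" "$p")
    printf '%s : %s%s\n' "$3" "$p" "${s:+ $s}"
}

for u in root khalid ali; do
    user_groups "$PASSWD_DATA" "$GROUP_DATA" "$u"
done
echo "members of student: $(members_of "$GROUP_DATA" student)"
```

Reading the two files directly rather than calling id is what an offline audit of a disk image or a backup needs, and it makes the orphaned-GID case visible: ali belongs to a group that no longer has a name, which is what is left behind when groupdel removes a group that was still some user's primary group.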
Managing ownership and permissions
• Managing ownership
• Managing permissions
What Are Permissions
Permissions are a mechanism to support operating system protection. Protection ensures that users do not misuse system resources (CPU, memory, network, partitions, directories and files). Permissions specify who can access a file or directory and the types of access. In Linux, permissions are controlled at three levels:
1- Owner (called user, or 'u' for short)
2- Group ('g' for short)
3- The rest of the world (called other, or 'o' for short)
Each level of access provides:
• Read: for a file, it can be viewed or copied. For a directory, the directory's contents can be viewed by ls.
• Write: for a file, it can be overwritten (e.g., using save as). For a directory, files can be written there.
• Execute: for a file, it can be executed (this is necessary for executable programs and shell scripts). For a directory, a user can cd into it.
• Note: to delete a file, you must have write access to the directory that contains it.
Typical file permissions
• In the long listing (ls -l), the first 10 characters of a line are a combination of letters and hyphens.
File Permissions
• On a Linux system, each file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else. Rights can be assigned to read a file, to write a file, and to execute a file.
• To see the permission settings for a file, we can use the ls -l command.
• Example: we will look at the permissions of file1.txt:
$ ls -l file1.txt
-rwxr-xr-x 1 root root 316848 Feb 27 2017 file1.txt
• Here we can see:
• The file "file1.txt" is owned by user "root"
• The super user has the right to read, write, and execute this file
• The file is owned by the group "root"
• Members of the group "root" can also read and execute this file
• Everybody else can read and execute this file
Altering Permissions
• To change a file's permission, the command is chmod. The command's syntax is
chmod permissions file(s)
• where permissions can be specified using one of three different approaches:
• 1- Describe the changes to be applied as a combination of u, g, o along with r, w, x. To add a permission, use + and to remove a permission, use -.
• Example: file1.txt is currently readable and writable by u and g, and readable by o. To remove the write permission for the group and the read permission for other, the command would be:
chmod g-w,o-r file1.txt
Altering Permissions Cont..
• 2- Altering permissions with = assigns a new set of permissions rather than a change to the existing permissions.
• Example: To make file1.txt readable, writable, and executable by the user, readable by the group, and nothing for the world, this could be done with:
chmod u=rwx,g=r,o= file1.txt
• You can combine =, +, and - as in:
chmod u=rwx,g-w+x,o-r file1.txt
Altering Permissions Cont..
• 3- Using a 3-digit number. Each digit is the sum of the access rights granted to that party (user, group, other), where read is 4, write is 2, and execute is 1.
• Read, write, and execute together would be 4 + 2 + 1 = 7.
• Read and execute would be 4 + 1 = 5.
• No access at all would be 0.
• Example: we want file1.txt to have read, write, and execute access for the owner, read and execute access for the group, and no access for the world. The command would be:
chmod 750 file1.txt
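The script below is an added example, not part of the lecture, that ties the three chmod notations together. It converts between the ten-character mode string shown by ls -l and the three-digit octal form (the 4/2/1 sums above), applies the lecture's chmod commands one after another to a temporary file and reads the resulting mode back from ls -l, and reports the owner and group columns of the same listing. The file name and the starting mode rw-rw-r-- (664) are constructed to match the lecture's example; the special setuid, setgid and sticky bits are outside the lecture and are folded into the execute position here.

```shell
#!/bin/sh
# Added example: symbolic <-> octal permission conversion and a chmod walk-through
# on a temporary file. Starting mode and file name are constructed.

# "-rwxr-xr-x" -> 755. The first character (file type) is dropped, then each
# rwx triplet is summed with r=4, w=2, x=1 (s/t in the x slot count as x).
mode_to_octal() {
    s=$(printf '%s' "$1" | cut -c2-10)
    out=""
    for start in 1 4 7; do
        trip=$(printf '%s' "$s" | cut -c"$start-$((start + 2))")
        d=0
        case "$trip" in r??) d=$((d + 4)) ;; esac
        case "$trip" in ?w?) d=$((d + 2)) ;; esac
        case "$trip" in ??[xst]) d=$((d + 1)) ;; esac
        out="$out$d"
    done
    printf '%s\n' "$out"
}

# 750 -> rwxr-x---. Each digit is split back into its 4/2/1 bits.
octal_to_symbolic() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# The ten-character mode column of "ls -l" for one path (-d so directories
# are described themselves rather than listed).
current_mode() {
    ls -ld "$1" | cut -c1-10
}

# "owner group" from the third and fourth columns of the long listing.
owner_of() {
    ls -ld "$1" | awk '{ print $3, $4 }'
}

# Apply one chmod specification (symbolic or octal) and print the resulting octal mode.
apply_and_read() {   # apply_and_read file spec
    chmod "$2" "$1" && mode_to_octal "$(current_mode "$1")"
}

demo_dir=$(mktemp -d)
demo_file="$demo_dir/file1.txt"
: > "$demo_file"
chmod 664 "$demo_file"     # the lecture's starting point: rw-rw-r--
printf 'start            -> %s (%s)\n' "$(mode_to_octal "$(current_mode "$demo_file")")" "$(current_mode "$demo_file")"
for spec in g-w,o-r u=rwx,g=r,o= u=rwx,g-w+x,o-r 750; do
    printf 'chmod %-12s -> %s (%s)\n' "$spec" "$(apply_and_read "$demo_file" "$spec")" "$(current_mode "$demo_file")"
done
printf 'owner and group: %s\n' "$(owner_of "$demo_file")"
rm -rf "$demo_dir"
```

Applied in order, the four commands take the file from 664 to 640, 740, 750 and 750: the = forms set an absolute result regardless of the previous mode, while the + and - forms only make sense relative to it, which is why scripts that must guarantee a mode use octal or = rather than +/-.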
How ownership works
Anytime a user creates a new file or directory, his or her user account is assigned as that file or directory's "owner." Example: suppose the user khalid logs in to his Linux system and creates a file named file1.txt in his home directory. Because he created this file, the system automatically assigns ownership of file1.txt to "khalid". You can also view file ownership from the command line using:
ls -l
Managing ownership from the command line
• You can specify a different user and/or group as the owner of a given file or directory. To change the user who owns a file, you must be logged in as root. To change the group that owns a file, you must be logged in as root or as the user who currently owns the file.
• Using chown
• Using chgrp