RHEL - CHAPTER 6 | Managing Local Users and Groups
WHAT IS A GROUP?
A group is a collection of users that need to share access to files and other system resources. Groups can be used to grant access to files to a set of users instead of just a single user. Like users, groups have group names to make them easier to work with. Internally, the system distinguishes groups by the unique identification number assigned to them, the group ID or GID. The mapping of group names to GIDs is defined in databases of group account information. By default, systems use the /etc/group file to store information about local groups.
Why have users?
A user account is used to provide security boundaries between different people and programs that can run commands
userdel [-r] username
Delete a user account -------------------------- • The userdel username command removes the details of username from /etc/passwd, but leaves the user's home directory intact. • The userdel -r username command removes the details of username from /etc/passwd and also deletes the user's home directory.
Setting passwords from the cmdline
The passwd username command sets the initial password or changes the existing password of username
By default, systems use the _________________ file to store information about local users
etc/passwd
usermod [options] username
modify user account -c Comment -e Expire date -f Days after password expiration to disable account -G Add groups -l Change username -L Lock account -m Move home directory -p Change password -u Set user ID -U Unlock account
Creating Groups from the Command Line
• The groupadd command creates groups. Without options the groupadd command uses the next available GID from the range specified in the /etc/login.defs file while creating the groups. • The -g option specifies a particular GID for the group to use. • The -r option creates a system group using a GID from the range of valid system GIDs listed in the /etc/login.defs file. The SYS_GID_MIN and SYS_GID_MAX configuration items in / etc/login.defs define the range of system GIDs. --------- [user01@host ~]$ sudo groupadd -g 10000 group01 [user01@host ~]$ tail /etc/group ...output omitted... group01:x:10000: ----------------------- sudo groupadd -r group02
RUNNING COMMANDS WITH SUDO
Unlike su, sudo normally requires users to enter their own password for authentication, not the password of the user account they are trying to access. That is, users who use sudo to run commands as root do not need to know the root password. Instead, they use their own passwords to authenticate access. Additionally, sudo can be configured to allow specific users to run any command as some other user, or only some commands as that user One additional benefit to using sudo is that all commands executed are logged by default to / var/log/secure.
Where is the main config file for SUDO?
/etc/sudoers To avoid problems if multiple administrators try to edit it at the same time, it should only be edited with the special visudo command. For example, the following line from the /etc/sudoers file enables sudo access for members of group wheel. %wheel ALL=(ALL) ALL In this line, %wheel is the user or group to whom the rule applies. A % specifies that this is a group, group wheel. The ALL=(ALL) specifies that on any host that might have this file, wheel can run any command. The final ALL specifies that wheel can run those commands as any user on the system. By default, /etc/sudoers also includes the contents of any files in the /etc/sudoers.d directory as part of the configuration file. This allows an administrator to add sudo access for a user simply by putting an appropriate file in that directory. ------------------------------- To enable full sudo access for the user user01, you could create /etc/sudoers.d/user01 with the following content: user01 ALL=(ALL) ALL ------------------------------- To enable full sudo access for the group group01, you could create /etc/sudoers.d/group01 with the following content: %group01 ALL=(ALL) ALL ------------------------------- It is also possible to set up sudo to allow a user to run commands as another user without entering their password: ansible ALL=(ALL) NOPASSWD:ALL
*~* Name the 4 parts of the /etc/group file *~* group01: x: 10000: user01,user02,user03
1.) Group name for this group (group01). 2.) Obsolete group password field. This field should always be x. 3.) The GID number for this group (10000). 4.) A list of users who are members of this group as a supplementary group (user01, user02, user03). Primary (or default) and supplementary groups are discussed later in this section
*~* Name the 7 parts of the /etc/shadow text file *~* User01: x: 1000: 1000: User One: /home/user01: /bin/bash
1.) Username for this user (user01). 2.) The user's password used to be stored here in encrypted format. That has been moved to the /etc/shadow file, which will be covered later. This field should always be x. 3.)The UID number for this user account (1000). 4.) The GID number for this user account's primary group (1000). Groups will be discussed later in this section. 5.) The real name for this user (User One). 6.) The home directory for this user (/home/user01). This is the initial working directory when the shell starts and contains the user's data and configuration settings. 7.) The default shell program for this user, which runs on login (/bin/bash). For a regular user, this is normally the program that provides the user's command-line prompt. A system user might use /sbin/nologin if interactive logins are not allowed for that user.
Getting an Interactive Root Shell with Sudo
If there is a nonadministrative user account on the system that can use sudo to run the su command, you can run sudo su - from that account to get an interactive root user shell. This works because sudo will run su - as root, and root does not need to enter a password to use su. Another way to access the root account with sudo is to use the sudo -i command. This will switch to the root account and run that user's default shell (usually bash) and associated shell login scripts. If you just want to run the shell, you can use the sudo -s command. For example, an administrator might get an interactive shell as root on an AWS EC2 instance by using SSH public-key authentication to log in as the normal user ec2-user, and then by running sudo -i to get the root user's shell.
Wheel Group
In Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8, all members of the wheel group can use sudo to run commands as any user, including root. The user is prompted for their own password. This is a change from Red Hat Enterprise Linux 6 and earlier, where users who were members of the wheel group did not get this administrative access by default
/etc/shadow -------------------------------- user03: $6$CSsX...output omitted...: 17933: 0: 99999: 7: 2: 18113:
Like /etc/passwd, each user has a line in the /etc/shadow file. A sample line from /etc/ shadow with its nine colon-separated fields is shown below. user03: $6$CSsX...output omitted...: 17933: 0: 99999: 7: 2: 18113: 1.)Username of the account this password belongs to. 2.)The encrypted password of the user. 3.)The day on which the password was last changed. This is set in days since 1970-01-01, and is calculated in the UTC time zone. 4.)The minimum number of days that have to elapse since the last password change before the user can change it again. 5.)The maximum number of days that can pass without a password change before the password expires. An empty field means it does not expire based on time since the last change. 6.) Warning period. The user will be warned about an expiring password when they login for this number of days before the deadline. 7.) Inactivity period. Once the password has expired, it will still be accepted for login for this many days. After this period has elapsed, the account will be locked. .) The day on which the password expires. This is set in days since 1970-01-01, and is calculated in the UTC time zone. An empty field means it does not expire on a particular date. 9.) The last field is usually empty and is reserved for future use.
superuser (administrator)
Most operating systems have some sort of superuser, a user that has all power over the system. In Red Hat Enterprise Linux this is the root user. This user has the power to override normal privileges on the file system, and is used to manage and administer the system. To perform tasks such as installing or removing software and to manage system files and directories, users must escalate their privileges to the root user. The root user only among normal users can control most devices, but there are a few exceptions. For example, normal users can control removable devices, such as USB devices. Thus, normal users can add and remove files and otherwise manage a removable device, but only root can manage "fixed" hard drives by default --- The root account on Linux is roughly equivalent to the local Administrator account on Microsoft Windows. In Linux, most system administrators log in to the system as an unprivileged user and use various tools to temporarily gain root privileges
To view process information, use the ______ command.
PS ------- The default is to show only processes in the current shell. Add the -a option to view all processes with a terminal. To view the user associated with a process, include the -u option.
UID Ranges
Specific UID numbers and ranges of numbers are used for specific purposes by Red Hat Enterprise Linux. • UID 0 is always assigned to the superuser account, root. • UID 1-200 is a range of "system users" assigned statically to system processes by Red Hat. • UID 201-999 is a range of "system users" used by system processes that do not own files on the file system. They are typically assigned dynamically from the available pool when the software that needs them is installed. Programs run as these "unprivileged" system users in order to limit their access to only the resources they need to function. • UID 1000+ is the range available for assignment to regular users.
nologin shell
The nologin shell acts as a replacement shell for the user accounts not intended to interactively log into the system. It is wise from the security standpoint to disable the user account from logging into the system when the user account serves a responsibility that does not require the user to log into the system. For example, a mail server may require an account to store mail and a password for the user to authenticate with a mail client used to retrieve mail. That user does not need to log directly into the system. A common solution to this situation is to set the user's login shell to /sbin/nologin. If the user attempts to log in to the system directly, the nologin shell closes the connection.
SWITCHING USERS
The su command allows users to switch to a different user account. If you run su from a regular user account, you will be prompted for the password of the account to which you want to switch. When root runs su, you do not need to enter the user's password --- [user01@host ~]$ su - user02 Password: [user02@host ~]$ --- If you omit the user name, the su or su - command attempts to switch to root by default. [user01@host ~]$ su - Password: [root@host ~]#
MANAGING LOCAL USERS - Add user from the cmdline
The useradd username command creates a new user named username. It sets up the user's home directory and account information, and creates a private group for the user named username. At this point the account does not have a valid password set, and the user cannot log in until a password is set. • The useradd --help command displays the basic options that can be used to override the defaults. In most cases, the same options can be used with the usermod command to modify an existing user. • Some defaults, such as the range of valid UID numbers and default password aging rules, are read from the /etc/login.defs file. Values in this file are only used when creating new users. A change to this file does not affect existing users.
How are users implemented?
Users have user names to identify them to human users and make them easier to work with. Internally, the system distinguishes user accounts by the unique identification number assigned to them, the user ID or UID. If a user account is used by humans, it will generally be assigned a secret password that the user will use to prove that they are the actual authorized user when logging in
CONFIGURING PASSWORD AGING
[user01@host ~]$ sudo chage -m 0 -M 90 -W 7 -I 14 user03 The preceding chage command uses the -m, -M, -W, and -I options to set the minimum age, maximum age, warning period, and inactivity period of the user's password, respectively. The chage -d 0 user03 command forces the user03 user to update its password on the next login. The chage -l user03 command displays the password aging details of user03. The chage -E 2019-08-05 user03 command causes the user03 user's account to expire on 2019-08-05 (in YYYY-MM-DD format).
Deleting Groups from the Command Line
• The groupdel command removes groups. ---------------------- [user01@host ~]$ sudo groupdel group0022 • NOTE You cannot remove a group if it is the primary group of any existing user. As with userdel, check all file systems to ensure that no files remain on the system that are owned by the group.
Modifying Existing Groups from the Command Line
• The groupmod command changes the properties of an existing group. The -n option specifies a new name for the group. ------------- sudo groupmod -n group0022 group02
3 Types of user accounts
• The superuser account is for administration of the system. The name of the superuser is root and the account has UID 0. The superuser has full access to the system. • The system has system user accounts which are used by processes that provide supporting services. These processes, or daemons, usually do not need to run as the superuser. They are assigned non-privileged accounts that allow them to secure their files and other resources from each other and from regular users on the system. Users do not interactively log in using a system user account. • Most users have regular user accounts which they use for their day-to-day work. Like system users, regular users have limited access to the system.