User environments l.jpg
This presentation is the property of its rightful owner.
Sponsored Links
1 / 12

User Environments PowerPoint PPT Presentation


  • 90 Views
  • Uploaded on
  • Presentation posted in: General

User Environments. Objectives to provide appropriate environments for different types of users Contents different login programs user profiles restricted shells security issues Practicals to provide special user accounts Summary. Login Shell.

Download Presentation

User Environments

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


User environments l.jpg

User Environments

  • Objectives

    • to provide appropriate environments for different types of users

  • Contents

    • different login programs

    • user profiles

    • restricted shells

    • security issues

  • Practicals

    • to provide special user accounts

  • Summary


Login shell l.jpg

Login Shell

  • The password file defines the user's login shell

    • full program pathname must be specified

    • no parameters allowed

  • Standard programs are interactive shells

    • Bash, Bourne Again Shell (bash)

    • Bourne shell (sh)

    • C shell (csh)

  • Specialist programs can be provided

    • pppd

  • Any executable program can be provided

    • database front end query programs

    • simple menu selection programs


Restricted shells l.jpg

Restricted Shells

  • A restricted shell stops the user from:

    • changing directories with cd

    • changing the value of the PATH variable

    • specifying command names containing /

    • using output redirection > and >>

  • Restrictions only apply to interactive session

    • profiles can still perform all functions

  • Restricted shells apply to some standard applications

    • Sendmail uses /usr/sbin/smrsh

  • Create a special bin directory for restricted users

    • often in /usr/rbin with links to required programs in /usr/bin


Restricted root access l.jpg

Restricted root Access

  • Administrator provided shell scripts are useful for providing restricted root access to the system

    • user written shell scripts

    • shutdown or backup programs

# cat >/home/admin/bin/shutdown

#!/usr/bin/sh

# shutdown script

trap "" 2 3

echo "Type number of seconds to shutdown or"

echo -n "Ctrl-D to abandon shutdown [180]? "

if read N; then

[ -z "$N" ] && N=180

echo "Shutting down in $N seconds"

/sbin/shutdown -i0 -g$N -y

fi

# useradd -o -u 0 -d / -s /home/admin/bin/shutdown shutdown

# passwd shutdown


Environment files l.jpg

Environment Files

  • Two environment files are executed at login time when a Bourne or Korn shell is executed

    /etc/profile

    • contains system commands

    • common environment (set of variable definitions) for all users

    • may define variable ENV, describing the location of Shell specific environment file, usually set to $HOME/.bashrc

      $HOME/.bash_profile

    • contains user commands and definitions

    • run once at login

  • Finally, if the variable ENV is defined then the shell executes the file given by its value

    • use to set up shell environment: aliases, functions, prompts, etc.

  • Many definitions are predefined in the /etc/profile file


Environmental definitions l.jpg

Environmental Definitions

  • Most users will need to modify some of the environmental definitions to suit their requirements

  • Good system administrator will make sure that user has a basic set of definitions available when account is created

  • These may include:

    PATH=$PATH:/usr/X/bin:.# include required search directories

    EDITOR=vi# define line editting editor (for history mechanism)

    TERM=vt100# must reflect terminal used, otherwise all non-

    character-based applications, including vi, will fail

    MAIL=/var/mail/$LOGNAME# location for your mail box

    SHELL=/bin/bash# shell used for 'escape' from program. eg. when you

    type :!cmd within vi, the cmd is executed by the shell

    defined here

    ENV=$HOME/.bashrc# location of bash shell run command file

  • All variable must be exported after they have been set


The umask command l.jpg

The umask Command

  • Used to define default permissions on newly created files

  • The user mask (umask) is part of the process environment

    • used when creating files to remove permissions

    • the creating process defines the file permissions

    • then the umask value is subtracted

  • Each bit set in the octal umask clears the corresponding bit in the permissions

umaskplain text files (vi)directories (mkdir)

rw-rw-rw-rwxrwxrwx

000rw-rw-rw-rwxrwxrwx

022rw-r--r--rwxr-xr-x

033rw-r--r--rwxr--r--

027rw-r-----rwxr-x---

077rw-------rwx------


Message of the day l.jpg

Message of the day

  • Profiles often display a message of the day

    • traditionally stored in /etc/motd

  • Keep message short and up to date

    • otherwise users will stop reading it

  • Include a restricted access notice

# more /etc/motd

Welcome to Acme's Development System.

Access to this system is restricted to authorised users only.

Unauthorised access is prohibited and offenders are liable to prosecution.

System will be down all day on Sun 23 April for preventative maintenance.


Exercise example environment l.jpg

Exercise - Example Environment

  • Which file is maintained by the administrator?

  • What do the two trap commands imply for /etc/profile?

A typical system profile (/etc/profile) :

trap "" 2 3 ENV=$HOME/.kshrc export ENV

ulimit -c 0

umask 022

cat /etc/motd

trap 2 3

A typical user profile (.bash_profile):

PATH=$PATH:$HOME/bin

TERM=vt100

A typical user bashrc file (.bashrc):

alias dir=ls lf='ls -FC'

export PS1='$PWD[!] '

set -o vi

what do you think this

line should contain?


Guest accounts l.jpg

Guest Accounts

  • Many systems define a login called guest

    • password null or set to guest

  • Disable or remove this account

    • it is a security risk

  • System hackers logging in as guest can:

    • get a list of login names (/etc/passwd)

    • look at encrypted passwords on older unix systems

    • use find to look for security holes

    • find out about networked machines (/etc/hosts)

    • access the network via telnet, rlogin & rsh & rcp

  • If someone wants to use your system you should know about them and provide an account accordingly


Shared group directories l.jpg

Shared Group Directories

  • Users working on a common set of files should belong to the same group

  • Files should be stored in a common directory

  • Directory should have:

    • sticky bit

    • set group id (so that all files are owned by the directory group)

$ ls -al /shared

drwxrwsr-t 1 trapper staff 1024 Dec 25 09:30 .

drwxr-xr-x 1 root sys 512 Dec 25 09:30 ..

$ id -a

uid=318(hawkeye) gid=300(users) groups=100(staff),300(users)

$ cp lfile /shared

$ ls -l lfile /shared/lfile

-rw-r--r--1 hawkeye users 232 Jan 18 09:58 lfile

-rw-r--r--1 hawkeye staff 232 Jan 19 11:42 /shared/lfile


Summary l.jpg

Summary

  • Users can be provided any login program not just an interactive shell

  • A standard user environment should be set and maintained by the administrator using /etc/default/login and /etc/profile

  • Users may be restricted in their access to the system and what they can do

    /usr/lib/rsh & /usr/bin/rksh

  • Users can be setup to share directories by using combination of guid and sticky bits

  • Guest account without a password is bad news


  • Login