
Simplifying User Management: Adding and Removing Users

Automating the process of adding and removing users is essential for system security. This chapter explains the importance of account hygiene and provides an overview of the /etc/passwd file, encryption schemes, UID and GID numbers, GECOS field, home directory, and login shell. It also discusses the FreeBSD /etc/master.passwd file and the Solaris and Red Hat /etc/shadow file.


Presentation Transcript


  1. Adding New Users Chapter 6

  2. Introduction
  • Adding and removing users is a routine chore.
  • These tasks are simple, but they are also boring.
  • Most administrators build tools to automate the process and then delegate the actual work to an assistant or operator.
  • Account hygiene is a key determinant of system security:
    • infrequently used accounts are prime targets for attackers,
    • as are accounts with easily guessed passwords.
  Chapter 6 - Adding new users

  3. 1. The /etc/passwd file
  • The /etc/passwd file is a list of users recognized by the system.
  • Each line in the file represents one user and contains seven fields separated by colons:
    • Login name
    • Encrypted password (unless a shadow password file is in use, in which case this field holds only a placeholder)
    • UID number
    • Default GID number
    • GECOS information (full name, office, extension, phone)
    • Home directory
    • Login shell
  • The contents are often shared among systems via NIS or NIS+

  4. 1. The /etc/passwd file
  • Login name
    • Must be unique
    • On some OSes (and with NIS/NIS+) limited to 8 characters
    • Case sensitive (but most mail systems expect lower case)

  5. 1. The /etc/passwd file
  • Encrypted password
    • Set by passwd (yppasswd if you use NIS)
    • "Encrypted" is the traditional term; the field actually holds a one-way crypt(3) hash that a typed password can be checked against but that cannot be reversed
  • Encryption schemes
    • Most use the DES-based crypt
      • input: only the first 8 characters of the password are used
      • output: always 13 characters (2 of salt, 11 of hash), whatever the input
    • Red Hat and FreeBSD include support for MD5-based crypt
      • input: can be of any length
      • output: $1$, the salt, $ and 22 hash characters (34 characters in total with the usual 8-character salt)
    • Both are obsolete today: DES crypt truncates to 8 characters and is cheap to brute-force; current systems use SHA-512 ($6$) or bcrypt ($2b$) hashes with the same $id$salt$hash layout

  6. 1. The /etc/passwd file
  • Shadow passwords (Chapter 21)
    • place the encrypted passwords in a separate file that is not world readable
    • Solaris requires shadow passwords
  • Notes:
    • A * in this field prevents anyone from logging in with a password, since no hash can ever match it
    • Never leave this field empty: an empty field means the account can be entered with no password at all

  7. 1. The /etc/passwd file
  • UID number
    • Size:
      • On most modern systems UIDs are 32-bit integers
      • On older systems the largest UID was 32,767
    • By definition, root has UID 0; any other account with UID 0 is root under another name
  • HINTS:
    • Avoid recycling UIDs: files restored from backups (or left behind on disk) would silently belong to the new owner of the number
    • Keep UIDs unique across your whole site, not just per machine, or files shared over NFS change hands

  8. 1. The /etc/passwd file
  • Default GID number
    • Group ID numbers
    • Size: 16- or 32-bit integer (signed or unsigned)
    • Defined in /etc/group
  • Reservations
    • GID 0 - reserved for the group "root" or "wheel"
    • GID 1 - reserved for the group "daemon"
  • Modern versions of UNIX allow users to be in up to 16 groups (the NGROUPS_MAX of the era; current Linux allows 65,536)

  9. 1. The /etc/passwd file
  • File creation: BSD or not?
    • Which group does a new file get: the GID of the parent directory (BSD semantics) or the user's current GID (System V semantics)?
    • If it comes from the user, they may want to change which group they are in at the time with the command newgrp
    • Most OSes do not follow the BSD semantics by default
      • but allow it as a mount option (grpid), and the setgid bit on a directory gives the same inheritance for that directory alone

  10. 1. The /etc/passwd file
  • GECOS field
    • no well-defined syntax
    • records personal information (conventionally full name, office, extension and home phone, separated by commas)
    • finger and sendmail use this info (most other programs do not)
    • chfn lets users change their own GECOS information
      • this can be abused: chfn is setuid root and writes into /etc/passwd, so users can plant misleading or malformed data, and bugs in chfn itself have security consequences

  11. 1. The /etc/passwd file
  • Home directory
    • Users are placed in their home directory when they log in
    • If the home directory is missing:
      • all systems print an error message
      • some allow the login to proceed (and put the user in /)
      • some do not allow the login to continue
    • Beware: if home directories are mounted over NFS, they may be unavailable in the event of a server or network problem, and the login then behaves as above

  12. 1. The /etc/passwd file
  • Login shell
    • Normally a command interpreter such as /bin/sh, /bin/csh, /bin/ksh, /bin/tcsh or /bin/bash
    • sh is the default on most systems and is used if /etc/passwd does not specify a login shell
    • Users can change their shell with chsh
    • /etc/shells lists the shells that chsh will allow (other programs, ftpd among them, consult the same list)

  13. 2. The FreeBSD /etc/master.passwd file
  • On FreeBSD, the "real" password file is /etc/master.passwd, readable only by root
  • The /etc/passwd file exists for backward compatibility, but it is generated from master.passwd (by pwd_mkdb) and is never edited directly
  • master.passwd also contains fields to implement password aging
    • The authors of our text are not very enthusiastic about password aging. See Chapter 21 for a discussion.
  • It also contains information for account expiration

  14. 3. The FreeBSD /etc/login.conf file
  • A login.conf entry (a login class, named in the class field of master.passwd) can set:
    • Resource limits (max process size, open files, ...)
    • Session accounting limits (when logins are allowed, for how long)
    • Default environment variables
    • Default paths (PATH, MANPATH, ...)
    • Location of the message of the day
    • Host- and TTY-based access control
    • Default umask
    • Account controls (minimum password length, password aging, ...)

  15. 4. The Solaris and Red Hat /etc/shadow file
  • The use of a shadow password file is mandatory under Solaris
  • You can also use it under Red Hat Linux if you install the shadow package
  • /etc/shadow is readable only by the superuser
    • keeps the password hashes safe from prying eyes (and from offline cracking by anyone who can read /etc/passwd)
  • Has fields for password expiration and aging

  16. 5. The /etc/group file
  • Contains the names of UNIX groups and a list of each group's members
  • Each line contains:
    • Group name
    • Encrypted password (vestigial and rarely used)
      • allows users to switch to the group with newgrp by giving the password, even if they are not in the member list
    • GID number
    • List of members (comma separated)
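The formats on the preceding slides are simple enough that the hygiene rules they state (unique logins and UIDs, no empty password fields, no second UID-0 account, default GIDs that exist, shells that /etc/shells knows about, group members that exist) can be checked mechanically. The following is an added example, not code from the course or from the book: it parses passwd- and group-style text and audits it. The sample passwd, group and shell lists are constructed for the example (the logins tyler, guest, backup and toor and the group wheel are made up and deliberately contain several of the problems above).

```python
"""Parse /etc/passwd and /etc/group text and audit it for the account-hygiene
problems the slides warn about.  Added example; the sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample files, deliberately containing several problems.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/bin/sh
tyler:x:1001:100:Tyler Example,Rm 101,x1234:/home/staff/tyler:/usr/local/bin/zsh
guest::1002:100:Guest account:/home/guest:/bin/sh
backup:x:1001:100:Old backup account:/home/backup:/bin/sh
toor:x:0:0:alternate superuser:/root:/bin/csh
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
staff:x:100:tyler,guest,backup
wheel:x:10:tyler,ghost
"""
SAMPLE_SHELLS = ["/bin/sh", "/bin/csh", "/bin/bash"]   # stands in for /etc/shells

@dataclass
class PasswdEntry:
    login: str
    password: str   # hash, "x" (kept in shadow), "*" (no login), or "" (no password at all)
    uid: int
    gid: int
    gecos: str      # comma-separated by convention: full name, office, extension, phone
    home: str
    shell: str

@dataclass
class GroupEntry:
    name: str
    password: str
    gid: int
    members: List[str]

def parse_passwd(text: str) -> List[PasswdEntry]:
    """One entry per non-blank line; exactly seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(f)}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries

def parse_group(text: str) -> List[GroupEntry]:
    """One entry per non-blank line: name, password, gid, comma-separated members."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError(f"group line {lineno}: expected 4 fields, got {len(f)}")
        entries.append(GroupEntry(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m]))
    return entries

def audit(passwd: List[PasswdEntry], groups: List[GroupEntry], shells: List[str]) -> List[str]:
    """Return one human-readable line per problem found, in file order."""
    problems: List[str] = []
    logins: Dict[str, PasswdEntry] = {}
    uid_owner: Dict[int, str] = {}
    defined_gids = {g.gid for g in groups}
    for e in passwd:
        if e.login in logins:
            problems.append(f"{e.login}: duplicate login name")
        else:
            logins[e.login] = e
        if e.uid in uid_owner:            # recycled or shared UID: files change hands
            problems.append(f"{e.login}: uid {e.uid} also used by {uid_owner[e.uid]}")
        else:
            uid_owner[e.uid] = e.login
        if e.password == "":              # empty field: login needs no password
            problems.append(f"{e.login}: empty password field, login needs no password")
        if e.uid == 0 and e.login != "root":
            problems.append(f"{e.login}: uid 0 but login is not root")
        if e.gid not in defined_gids:
            problems.append(f"{e.login}: default gid {e.gid} not defined in /etc/group")
        if e.shell and e.shell not in shells:
            problems.append(f"{e.login}: shell {e.shell} not listed in /etc/shells")
    gid_owner: Dict[int, str] = {}
    for g in groups:
        if g.gid in gid_owner:
            problems.append(f"{g.name}: gid {g.gid} also used by {gid_owner[g.gid]}")
        else:
            gid_owner[g.gid] = g.name
        for m in g.members:
            if m not in logins:           # stale membership left behind by a removed user
                problems.append(f"{g.name}: member {m} has no passwd entry")
    return problems

def audit_sample() -> List[str]:
    """Run the audit over the constructed sample data above."""
    return audit(parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP), SAMPLE_SHELLS)
```

Run against the real files (`open("/etc/passwd").read()` and so on) the same functions give a quick nightly report; the shell check is informational rather than an error, because system accounts are deliberately given shells that are not in /etc/shells.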

  17. 6. Adding Users
  • Introduction
    • Before you create an account for a new user, it is very important that the user sign and date a copy of your local user agreement and policy statement
    • See Chapter 27 for more information
  • The process consists of:
    • Edit the passwd and shadow files to define the user's account
    • Set an initial password
    • Create the user's home directory

  18. 6. Adding Users
  • For the user:
    • Copy default startup files
    • Set the user's mail home and establish mail aliases
  • For you:
    • Add the user to the /etc/group file
    • Configure disk quotas
    • Verify that the account has been set up correctly

  19. 6. Adding Users
  • Editing the passwd and shadow files
    • To safely edit the passwd file, run vipw to invoke a text editor on a copy of it
    • vipw locks the file so that only one person can edit it at a time, and installs the edited copy only when the editor exits
    • On Solaris, vipw asks if you want to edit the shadow file after you have edited the passwd file
    • On FreeBSD, vipw edits the master.passwd file and then runs pwd_mkdb to regenerate the derived passwd file and password database

  20. 6. Adding Users
  • Setting the initial password
    • Root can change any user's password with the passwd command:
      • passwd user
    • Different implementations of passwd do and require different things
    • NEVER leave a new account, or any account that has access to a shell, without a password

  21. 6. Adding Users
  • Creating the user's home directory
    • Any directory you create is initially owned by root, so you must change its owner and group with the chown and chgrp commands
    • The following is an example of their usage:
      • mkdir /home/staff/tyler
      • chown tyler /home/staff/tyler
      • chgrp staff /home/staff/tyler
      • chmod 700 /home/staff/tyler
    • Until the chmod runs, the new directory carries the default mode from root's umask (often 755), so do the chmod before copying anything into it

  22. 6. Adding Users
  • Copying the default startup files
    • You can customize commands and utilities by placing configuration files in a user's home directory
    • Startup files traditionally begin with a dot
      • ls ignores these files unless it is given the -a option
    • Some vendors supply a starting set in /etc/skel or /usr/share/skel
    • Depending on the user's shell, /etc may contain system-wide startup files that are processed before the user's own startup files

  23. 6. Adding Users
  • Setting the user's mail home
    • It is convenient for each user to receive email on only one machine
    • This scheme is often implemented with an entry in the global aliases file /etc/mail/aliases or the sendmail userDB
    • See Chapter 19 for general information about email

  24. 6. Adding Users
  • Editing the /etc/group file
    • When you added the new user to /etc/passwd you gave them a default group
    • /etc/group should be updated to reflect this, and to list any other groups you wish to add them to

  25. 6. Adding Users
  • Setting disk quotas
    • If your site uses disk quotas, set quota limits for each new account with the edquota command
    • edquota can be run interactively, or with -p to copy the quotas of an existing user as a prototype:
      • edquota -p someone_else new_user

  26. 6. Adding Users
  • Verifying the new login
    • To verify that a new account has been properly configured, first log out, then log in as the new user and execute the following commands:
      • pwd (are you in the right home directory?)
      • ls -la (are the startup files there, with the right owner and permissions?)
    • If your site requires users to sign a written contract, be sure this step has been completed before releasing the account
    • Be sure to remind new users to change their password immediately
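Slides 17 through 26 describe one procedure, and it is the kind of thing the introduction says administrators script. The following is an added example, not code from the course or the book, that performs the file-level steps (passwd and shadow entries with a fresh UID, a mode-700 home directory, skeleton dot-files, and the verification a person would otherwise do by logging in) against a staging directory rather than the live /etc and /home, so it can be run and inspected without root. Assumptions of the example: the skeleton files are constructed stand-ins for /etc/skel, the shadow entry is written as "*" on the understanding that passwd(1) is run next to set the real password, and chown is attempted only when running as root, since it cannot succeed otherwise.

```python
"""The add-user procedure from the slides, run against a staging directory
instead of the live /etc and /home.  Added example with constructed data."""
import os
import re
import stat
import tempfile
import time
from typing import Dict

# Constructed skeleton files standing in for /etc/skel (or /usr/share/skel).
SKEL: Dict[str, str] = {
    ".profile": "umask 077\nexport PATH=/usr/local/bin:/usr/bin:/bin\n",
    ".cshrc": "umask 077\n",
}

def build_staging_root() -> str:
    """Create a throwaway tree with etc/passwd, etc/shadow and home/ inside it."""
    root = tempfile.mkdtemp(prefix="adduser-staging-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "home"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n"
                "garth:x:1000:100:Garth Example:/home/garth:/bin/sh\n")
    with open(os.path.join(root, "etc", "shadow"), "w") as f:
        f.write("root:*:11000:0:99999:7:::\ngarth:*:11000:0:99999:7:::\n")
    return root

def next_free_uid(passwd_text: str, start: int = 1000) -> int:
    """Lowest unused UID at or above start; never hands out one that is in use."""
    used = {int(l.split(":")[2]) for l in passwd_text.splitlines() if l.strip()}
    uid = start
    while uid in used:
        uid += 1
    return uid

def add_user(root: str, login: str, gid: int, gecos: str, shell: str) -> int:
    """Append passwd/shadow entries, create the home directory, copy startup files."""
    # Lower-case, no colons or spaces; some OSes and NIS cap the name at 8 characters.
    if not re.fullmatch(r"[a-z][a-z0-9_-]{0,31}", login):
        raise ValueError(f"bad login name {login!r}")
    passwd_path = os.path.join(root, "etc", "passwd")
    with open(passwd_path) as f:
        passwd_text = f.read()
    if any(l.split(":")[0] == login for l in passwd_text.splitlines()):
        raise ValueError(f"login name {login} already exists")
    uid = next_free_uid(passwd_text)
    home = f"/home/{login}"                          # value recorded in passwd
    home_path = os.path.join(root, "home", login)    # where it lands in the staging tree
    with open(passwd_path, "a") as f:
        f.write(f"{login}:x:{uid}:{gid}:{gecos}:{home}:{shell}\n")
    # "*" means no password can match yet; run passwd(1) afterwards to set one.
    today = int(time.time() // 86400)
    with open(os.path.join(root, "etc", "shadow"), "a") as f:
        f.write(f"{login}:*:{today}:0:99999:7:::\n")
    os.makedirs(home_path)
    os.chmod(home_path, 0o700)                       # private before any file lands in it
    for name, content in SKEL.items():
        with open(os.path.join(home_path, name), "w") as f:
            f.write(content)
    if os.geteuid() == 0:                            # chown only works as root
        os.chown(home_path, uid, gid)
        for name in SKEL:
            os.chown(os.path.join(home_path, name), uid, gid)
    return uid

def verify_account(root: str, login: str) -> Dict[str, object]:
    """What a person checks after logging in as the new user (pwd, ls -la)."""
    with open(os.path.join(root, "etc", "passwd")) as f:
        entries = [l for l in f.read().splitlines() if l.split(":")[0] == login]
    with open(os.path.join(root, "etc", "shadow")) as f:
        shadow = [l for l in f.read().splitlines() if l.split(":")[0] == login]
    home_path = os.path.join(root, "home", login)
    exists = os.path.isdir(home_path)
    return {
        "passwd_entries": len(entries),
        "uid": int(entries[0].split(":")[2]) if entries else None,
        "home_exists": exists,
        "home_mode": stat.S_IMODE(os.stat(home_path).st_mode) if exists else None,
        "dotfiles": sorted(n for n in os.listdir(home_path) if n.startswith(".")) if exists else [],
        "shadow_field": shadow[0].split(":")[1] if shadow else None,
    }

def demo() -> Dict[str, object]:
    """Stage a root, add the user from the slides, return the verification report."""
    root = build_staging_root()
    add_user(root, "tyler", 100, "Tyler Example,Rm 101,x1234", "/bin/sh")
    return verify_account(root, "tyler")
```

On a live system the same steps are what useradd -m -k /etc/skel performs, with vipw-style locking of the password files that this staging version does not need; the point of the script is the checks around the edits (unique login, never a reused UID, home directory private before it is populated, verification as a separate step).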

  27. 7. Removing Users
  • When a user leaves your organization, that user's login account must be removed from the system
  • This procedure involves removing every reference to the login name that you or your adduser program added
  • Before you remove a user's home directory and mail spool, make an extra backup of both; the files may be needed long after the account is gone

  28. 7. Removing Users
  • You may want to use the following checklist:
    • Set the user's disk quota to 0
    • Remove the user from any local user database
    • Remove the user from the aliases file (or add a forwarding address)
    • Remove the user's crontab file and pending at jobs
    • Kill any of the user's processes that are still running
    • Remove any temporary files owned by the user
    • Remove the user from the passwd and group files
    • Remove the user's home directory
    • Remove the user's mail spool

  29. 7. Removing Users
  • Once you have removed a user, verify that the user's old UID owns no more files on the system
    • A fast way to check is with the quot command, which reports disk usage per owner, e.g. quot /home
      • quot does not require disk quotas to be active
      • quot only works on local disks (not over NFS mounts)
    • If there are any, find their exact paths with
      • find -x /home -nouser -print
      • (-x keeps find on the /home filesystem; GNU find spells the same option -xdev)
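The two commands on this slide are easy to reproduce in a script that can be run over every home filesystem after a removal, and doing so makes the check part of the procedure rather than something remembered occasionally. The following is an added example, not code from the course or the book: find_nouser walks a tree with lstat (symlinks are reported by their own owner and never followed) and reports anything whose owner has no passwd entry, pruning other filesystems the way find -x does; usage_by_uid gives the per-owner summary quot does. The sample tree is constructed in a temporary directory, and because it is created by whoever runs the script, passing an empty set of known UIDs is what makes every file look orphaned.

```python
"""After removing an account: find files its old UID still owns (find -nouser
with -x semantics) and summarize usage per owner (quot-like).  Added example."""
import os
import stat
import tempfile
from typing import Dict, List, Set, Tuple

def known_uids(passwd_text: str) -> Set[int]:
    """UIDs that still have a passwd entry."""
    return {int(l.split(":")[2]) for l in passwd_text.splitlines() if l.strip()}

def find_nouser(top: str, uids: Set[int], one_filesystem: bool = True) -> List[str]:
    """Paths below top whose owner is not in uids.  lstat is used throughout, so a
    symlink is judged by its own owner and never followed; directories on another
    filesystem are reported but not entered, like find -x / -xdev."""
    start_dev = os.lstat(top).st_dev
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(top):
        keep = []
        for d in dirnames:
            p = os.path.join(dirpath, d)
            st = os.lstat(p)
            if st.st_uid not in uids:
                hits.append(p)
            if not (one_filesystem and st.st_dev != start_dev):
                keep.append(d)
        dirnames[:] = keep          # os.walk honours in-place pruning
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.lstat(p).st_uid not in uids:
                hits.append(p)
    return sorted(hits)

def usage_by_uid(top: str) -> Dict[int, Tuple[int, int]]:
    """(regular files, bytes) per owner UID: the summary quot prints per user."""
    totals: Dict[int, Tuple[int, int]] = {}
    for dirpath, _dirnames, filenames in os.walk(top):
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISREG(st.st_mode):
                continue
            files, nbytes = totals.get(st.st_uid, (0, 0))
            totals[st.st_uid] = (files + 1, nbytes + st.st_size)
    return totals

def owner_uid(path: str) -> int:
    return os.lstat(path).st_uid

def build_sample_tree() -> str:
    """Constructed stand-in for /home after a removal: one leftover home directory."""
    top = tempfile.mkdtemp(prefix="home-")
    os.makedirs(os.path.join(top, "tyler", "projects"))
    with open(os.path.join(top, "tyler", "notes.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(top, "tyler", "projects", "todo"), "w") as f:
        f.write("world!")
    return top

if __name__ == "__main__":
    top = build_sample_tree()
    # Pretend the passwd file no longer lists the owner of these files.
    for path in find_nouser(top, known_uids("root:x:0:0:root:/root:/bin/sh\n")):
        print("nouser:", path)
    for uid, (n, b) in usage_by_uid(top).items():
        print(f"uid {uid}: {n} files, {b} bytes")
```

For the real check, feed known_uids the contents of /etc/passwd (and of the NIS map if you use one, or the scan will report every NIS user's files as orphaned) and run find_nouser over each local home filesystem.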

  30. 8. Disabling Logins
  • On occasion, a user's login must be temporarily disabled
  • Some people just put a * in the password file in place of the encrypted password. However, some setups allow network logins without a password (rlogin trusting ~/.rhosts, or an ssh authorized key), and those never look at the password field
  • These days you should replace the user's shell with a program that explains why the login has been disabled (and how to rectify the situation); that stops every login path that ends in a shell

  31. 8. Disabling Logins
  • Be careful about placing this pseudo-shell in /etc/shells
    • Do you want them to have ftp access?
      • ftpd checks whether the user's login shell is in /etc/shells before allowing a login
    • Do you want them to continue to receive email?
      • sendmail also consults /etc/shells (a .forward file, for example, may only run programs if the user's shell is listed), so decide what should happen to the user's mail
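Slides 30 and 31 amount to two edits and one check: lock the password field, swap the shell for the pseudo-shell, and then look at what else the new shell value changes. The following is an added example, not code from the course or the book, that applies both edits to a passwd line and its shadow line and warns when the pseudo-shell is listed in /etc/shells. Assumptions of the example: the lock is a "!" prefix on the stored hash, the convention passwd -l uses on Linux, chosen over "*" because it keeps the old hash so the account can be re-enabled without the user choosing a new password; the pseudo-shell path /usr/local/sbin/disabled and the sample hash are constructed (the hash is not a real MD5-crypt value).

```python
"""Disable and re-enable a login by locking the password field and swapping the
shell, with a check on /etc/shells.  Added example; sample lines are constructed."""
from typing import List, Tuple

LOCK_PREFIX = "!"   # passwd -l convention on Linux: hash is kept but can never match

# Constructed sample entries; the shadow hash is a placeholder, not a real value.
SAMPLE_PASSWD_LINE = "tyler:x:1001:100:Tyler Example:/home/staff/tyler:/bin/bash"
SAMPLE_SHADOW_LINE = "tyler:$1$saltsalt$notarealhashvalue00000:11000:0:99999:7:::"

def lock_hash(field: str) -> str:
    """'*' (no password) and already-locked fields are left alone; anything else
    gets the prefix exactly once, so the original hash survives for unlocking."""
    if field == "*" or field.startswith(LOCK_PREFIX):
        return field
    return LOCK_PREFIX + field

def unlock_hash(field: str) -> str:
    """Inverse of lock_hash; a bare '!' (locked and empty) stays locked."""
    if field.startswith(LOCK_PREFIX) and len(field) > 1:
        return field[len(LOCK_PREFIX):]
    return field

def _split(passwd_line: str, shadow_line: str) -> Tuple[List[str], List[str]]:
    p, s = passwd_line.split(":"), shadow_line.split(":")
    if len(p) != 7 or len(s) != 9:
        raise ValueError("malformed passwd or shadow line")
    if p[0] != s[0]:
        raise ValueError("passwd and shadow lines are for different users")
    return p, s

def disable_login(passwd_line: str, shadow_line: str, pseudo_shell: str,
                  shells: List[str]) -> Tuple[str, str, List[str]]:
    """Return the edited passwd line, the edited shadow line, and any warnings."""
    p, s = _split(passwd_line, shadow_line)
    warnings: List[str] = []
    s[1] = lock_hash(s[1])          # password logins stop here
    p[6] = pseudo_shell             # everything that hands the user a shell stops here
    if pseudo_shell in shells:
        warnings.append(f"{pseudo_shell} is listed in /etc/shells: ftpd will still "
                        f"accept {p[0]}, and sendmail will treat the account as having "
                        f"a valid shell")
    return ":".join(p), ":".join(s), warnings

def enable_login(passwd_line: str, shadow_line: str, shell: str) -> Tuple[str, str]:
    """Undo disable_login: strip the lock prefix and restore the real shell."""
    p, s = _split(passwd_line, shadow_line)
    s[1] = unlock_hash(s[1])
    p[6] = shell
    return ":".join(p), ":".join(s)
```

Apply the returned lines through vipw (or the vendor's usermod -L / usermod -s), never by rewriting /etc/passwd in place from a script; the locking step is the part the slide says some people skip, and the warning is the question the next slide asks.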

  32. 9. Vendor-Supplied Account Management Utilities
  • Solaris, HP-UX, and Red Hat provide a similar set of utilities to help automate the creation, deletion, and modification of users and groups
  • Users:
    • useradd adds users to the passwd file (and shadow)
    • usermod and userdel modify and delete users
  • Groups:
    • groupadd, groupmod, and groupdel operate on /etc/group
  • They perform the same steps as the manual procedure above, with the password files locked while they run, so prefer them to hand-editing where they exist
