User Administration

• -p password provides the password but in clear text
• -p sets the password field to disabled ("*" or "x")
• Then use passwd to change it. It's still in the clear, but not an interactive command.

• userdel [-r] username
  -r deletes the home directory

• usermod [options] username
  • -d home_dir     creates a new home directory
  • -m home_dir     creates a new home and moves the old
  • -e     set the expire_date
  • -f     set inactive password time before disabling
  • -g     set initial group
  • -u     set uid
  • -l     set new login name, everything else stays the same
  • -s     set shell (see chsh)

• Disabling a user
  • Change the password to "x" in /etc/passwd
  • passwd -d username
  • Insert a script that executes a logout.
  • Or change the shell to a program that informs the user and then logs out.

• User level commands
  • chsh -s shell username   -   change shell
  • chfn [-f name] [-o office] [-p office phone] [-h home_phone] username -  -   change finger information
  • passwd [username] - change a password, root can change any users password
  • Other
    • userpasswd - graphical password changing program

• Set expiration dates
• Have papertrace rules to insure that you know who should have an account and who shouldn't.

There are programs that will test passwords and make sure that they are "crack-proof". Basically, they are the same tools that people user to break into your system. It is better to test passwords as they are created - see above, but these programs will test passwords and tell you which are vulnerable.

• crack - this is the grand-daddy
• UFC-crypt
• cracklib - the underlying basis for crack
• Don't run these on any system without permission

• Shell defaults are:
  • /etc/shells - all the shells installed.
  • For a login shell, csh (tcsh) executes /etc/csh.cshrc followed by /etc/csh.login and then the users .login.
  • For a non-login shell, it executes .cshrc (.tcshrc).
  • If started as a login shell, bash executes /etc/profile and then the users ~/.profile, ~/.bash_profile, ~/.bash_login. The latter two are not as common as the first.
  • If the shell is non-login, it executes ~/.bashrc. Typically, this file executes /etc/bashrc to get global defaults. A typical ~/.profile might execute ~/.bashrc.
  • /etc/zlogin and ~/.zlogin - contains commands to be executed only in login shells. Set up terminal type, run fortune, etc.
• PATH defaults to /usr/local/bin:/bin:/usr/bin or to /sbin:/bin:/usr/sbin:/usr/bin for root (system dependent)
• Also sets HOME, SHELL, TERM, MAIL and LOGNAME variables
• /etc/motd for messages to all users

Straight from the Horse's Mouth

I took this from a site that is dedicated to hacking.

Information in a Password File

User Support

This is one of the most important things that you do for two reasons - first, your job probably depends on keeping the users reasonably happy. Second, it will eat up all of your time if you allow it to. Users can be incredibly demanding and helpless given the opportunity, so you need to have an organized approach.

• What exactly are you responsbile for.
  • System monitoring
  • Network monitoring
  • Security system setup and monitoring
  • Hardware installations
  • Software installations
  • Hardware maintenance
  • Software maintenance
  • User hardware support
  • User software support
  • Planning
  • Purchasing
• Try to arrange times where you don't have to interact directly.
• Schedule your tasks
• Use email, which gives you the opportunity to prioritize.
• Set up an FAQ for common problems.
• Establish a method for handling tasks that involves a clear understanding of what is expected and when you expect to get it done.
• Be realistic.

• From Root     -     passwd username

• dump/restore - later

Lock down the account
• Change the shell or password

    #!/bin/sh
    echo "This account is locked. Please contact your sysadmin."
    exit
    

• Capture the information
• Authenticate and clean
• Create the accounts with a script

1. shutdown -k +5 System going down in 5 mintues
2. telinit s     - Gets you to single user mode.
3. touch /etc/nologin     - no one can log on.
4. Now try to get things figured out.

Shadow Passwords

• To avoid having your passwd file in the clear.
• Requires new login and passwd commands, as well as other utilities
• Account information is kept in /etc/passwd
• /etc/shadow

  • Format

    login name

    encrypted password

    Days since password changed (since 1/1/1970)

    Days before password may be changed

    Days after password must be changed

    Days before expiration that the user is warned

    Days after password expiration that the account is disabled

    Days the account has been disabled (since 1/1/1970)

• How to Install
  • This should come with any recent release of Red Hat or most other Linux distributions.
  • If not, or if you want to upgrade, get the rpm file and install.
  • If new install, you will want to convert you existing password file.
    • /usr/sbin/pwconv - to covert passwd to shadow in /etc.
    • /usr/sbin/pwunconv - to covert shadow and passwd into just password.
    • /usr/sbin/grpconv - convert your group file to gshadow.

Superuser Priviledges

• Root is a user with UID and GID = 0.
• A user with only GID = 0, belongs to the root group which can be used to give partial permissions, but at a huge administrative cost.

On some systems, it is important to control access to su just for you own piece of mind. This can be done by restricting access to su by changing the ownership and permissions. Traditionally, the wheel group is used for people that can access root types of things, so change the ownership of /bin/su:

chgrp wheel /bin/su

and then change the permissions to:

chmod o-rwx /bin/su

The permissions and ownership for /bin/su should be:

   -rwsr-xr-x    1 root   wheel    19132 Aug 29 14:56 /bin/su
   

If you want someone to be able to run su, they must belong to the wheel group, which can be done by editing the /etc/group file, or with groupadd.

sudo

• sudo edquota - allows a garden variety user to edit disk quotas
• sudo lpc - allows a garden variety user to control printers
• sudo -u admin /bin/rm /var/log/*.3 - allows a user to delete files

Most recent Linux installs include sudo.

The sudo command syntax is straight forward and documented in the man pages (sudo and sudoers) , but you seldom need to do anything fancy. Of some use is the -l option which lists the commands a user is allowed to execute with sudo.

The hosts part of the sudo process is for performing system administration tasks remotely. For example, on host A, you run a sudo command that uses rsh to access and execute a command on another system via sudo. For example,

sudo "rsh blah.blee.com shutdown -r now"

On blah.blee.com, sudo will ask for your password and insure that the system are executing on is a trusted host for the shutdown command and user. rsh is not secure (and is disabled on many systems) so a better way to do this is:

sudo ssh malt.cs.montana.edu ls /tmp

You will have to type in a password for accessing the system as well as the sudo password. You can eliminate the first one by setting up ssh to access the remote host without a password.

sudo is controlled by the sudoers file, /etc/sudoers, as shown here /etc/sudoers. This is a very simple format, in spite of the way it looks. The lines at the bottom tell sudo how to control things, and the lines above simple define lists of, hosts, users, commands and run_as lists.

If you modify /etc/sudoers, use visudo as it locks the file and also performs syntax checking on the file when you close it. All sudoer accesses are logged in /var/log/sudo.log by default.

Quotas

Most 2.x Linux kernels include quota support, and it can be enabled either at installation or by rebuilding the kernel. If kernel support is on, /etc/rc.d/rc.sysinit will enable quotas at boot time.

Turn on Quotas

There are several steps. First, you need to turn on the quotas when the disk is mounted. In the following, all examples are related to a /home file system, but it could be any file system.

/dev/hda6   /home  ext2   defaults,usrquota,grpquota    1  1
   

usrquota places quotas on users and grpquoata places defaults on groups. Next, you need to create the quota files for the filesystems as root.

• touch /home/aquota.user
• touch /home/aquota.group
• chmod 600 /home/aquota.user
• chmod 600 /home/aquota.group
• For Fedora, run
  1. quotacheck -vma /
  2. quotacheck -vmag /

Now reboot your system and quotas will be on. If you don't want to reboot, do the following:

• mount -o remount /home # to remount with the new parameters
• quotaon /home

If your quotas aren't on after rebooting try running quotacheck and then quotaon for each filesystem.

Note: This is really not a good way to do this as you could create corrupted quota files if there are users logged on. With this in mind, you should only do this booted to single user mode, or by mounting the partition read-only. You will not be able to mount the / partition read-only unless you boot from a floppy or CD-ROM.

To set quotas for a user:

edquota username

   edquota bozo
        |
        | before changing
        V
   Quotas for user bozo:
   /dev/hda6: blocks in use 180, limits (soft = 0, hard = 0)
          inodes in use 45, limits (soft =0, hard = 0)
        |
        | after changing
        V
   Quotas for user bozo:
   /dev/hda6: blocks in use 180, limits (soft = 50000, hard = 50500)
          inodes in use 45, limits (soft =1500, hard = 1550)
   

• soft quota - the user gets warned
• hard quota - cannot go beyond this point
• blocks = 512 byte blocks
• 0 = no limit

Other the commands related to quotas are:

• quotaon [options] filesystem   -  
• quotaon [-a]   -   turn on all quotas in fstab
• quotacheck [options] filesystem   -   builds and checks the quota files. Run at startup and can be run if there seems to be a problem. -v option shows more information.
• quota [options] user   - display the disk usage
• quota [options] group   - display the disk usage

• edquota -p prototype-user user     set user quotas to those of the prototype user
• edquota -g   -   edit group quotas

Turn off Quotas

• quotaoff [options] filesystem
• quotaoff [-a]   -   turn off all quotas in fstab

Manipulate Quotas

• quota [options] user - display the disk usage
• quota [options] group - display the disk usage

• edquota user

Getting Information About Users

who

A list of current users that are logged on. This might include repeats of single users with multiple login shell sessions. By default, it shows the user name, terminal and login time. Example Syntax: who [options] Options -i     show idle time -q     give a count of users logged in

ac

Print a report of connect time by user as recorded in /var/log/wtmp. Example Syntax: ac [options] Options ac -d     show daily totals ac -y     show yearly totals -p users    show individual totals

last,lastb

Print a list of users that have logged in and out. lastb shows failed login attempts. Example Syntax: last [options] [username][tty] Options -num     the number of lines to display -a     display the hostname

users,rusers

Print a simple list of logged in users. rusers prints the rwho information for all hosts on the network that participate. Example Syntax: users [options] Syntax: rusers [options] Options rusers -l     long format version

wall,rwall

Send a message to all terminals on a host. rwall sends to all logged in users on a specified host. Example Syntax: wall [-n] message Syntax: rwal host file

w

Print a a list of users logged in, their terminals, dynamic usage statistics and command executed. The header also shows current system performance statistics. Example Syntax: w[options] Options -f     toggle printing from field -s     short format

Pseudo-users

bin		daemon		adm
lp		sync		shutdown
halt		mail		news
gopher		ftp		nobody
ntp		rpc		sshd
rpm		mailnull		nfsnobody
named		gdm		apache

Some of these could be used simply for setting permissions on the file system, others could be actual login names. For example, the named daemon (implements DNS services) runs as named to insure that it can be isolated from roots capabilities. If these ran as root, with uid 0, they could do considerable damage to your system if they happened to be a trojan horse or simply had a serious bug. It is important that the password field in /etc/passwd for thse accounts be set to prevent logins (an "x").

Assignment

1. Add a group to your system named users and another group named projects. Choose some reasonable group identifiers for them by looking at your /etc/group file.
2. Create a login.defs file for your system that is reasonable, but not the same as the shipped version. Also create a /etc/default/useradd in the same way, and finally a set of skeleton files in /etc/skel.
3. Then add at least 4 users to your system, all with the default group of users.
   Another one of the users should be one for yourself, but set it up with the same uid that you have on esus. To find out what that is type the following:
   
   
   id
   
   on esus. It will display your uid and current gid, as well as all groups you belong to.
   All accounts should have home directories and the skeleton files you have created.
   
   
   

   Set up a user named gjh, and use the password you have been given. You will also have to set up your tcp wrappers so that I can telnet to your machine from 153.90.199.77.

4. Try to log into root with the su command from your personal account.
5. If you don't have sudo on your system, install it from the Red Hat CD. Configure it to provide a group called admin with the privileges necessary to help out the sysadmin. In particular, give the user gjh permission to run anything (ha, ha, ha).

6. Set up quotas on your machine.
7. Create a script to print the connect time and the last three logins for any given user. The script should be run with a command of the form: command username. All scripts should be placed in /usr/local/bin.