RH133 Unit 5 User Administration

Objectives

Upon completion fo this unit, you should be able to:

- Configure user and group accounts

- Modify file ownership and permissions

- Use “Special” permissions SUID/ SGID/ #Sticy

- Configure network users with NIS and LDAP

- Set ACLs

Adding a New User Account

1) Most common method is useradd:

- useradd [option] username

2) Running useradd is equivalent to:

- editing /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow

- creating and populating home directory

- setting permissions and ownership

3) Set account password using passwd

4) Accounts may be added in a batch with newusers

User Private Groups

1) When user account are created, a private group is also created with the same name

- User are assigned to this private group

- User’s new files affliliated with this group

2) Advantage: Prevents new files from belonging to a “public” group

3) Disadvantage: May encourage making files “world-accessible”

Modifying/ Deleting User Accounts

1) To change filelds in a user’s /etc/passwd entry you can:

- Edit the file by hand

- Use usermod [option] username

2) To remove a user either

- Manually remove the user from /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, /var/spool/mail, etc.

- Use userdel [-r] username

Group Administration

1) Entries added to /etc/group and /etc/shadow

- groupadd

- groupmod

- groupdel

Password Aging Policies

1) By default, password do not expire

2) Forcing password to expire is part of a strong security policy

3) Modify default expiration settings in /etc/login.defs

4) To modify password aging for expiration users, use the chage command

- chage [option] username

Switching Accounts

1) Syntax

- su [-] [user]

- su [-] user –c command

2) Allow the user to temporarily become another user

- Default user is root

3) The “-" option makes the new shell la login shell

Sudo

1) Users listed in /etc/sudoers execute commands with:

- an effective user id of 0

- group id of root’s group

2) An administrator will be contacted if a user not listed in /etc/sudoers attempts to use sudo

Network Users

1) Information about users may be centrally stored and managed on a remote server

2) Two types of information must always be provided for each user account.

- Account information: UID number, default shell, home directory, group memberships, and so on
- Authentication: a way to tell that the password provided on login for an account is correct

Authentication Configuration

1) system-config-authentication

- GUI tool to configure authentication

- For text-based tool, user authconfig-tui

- Load authconfig-gtk RPM

2) Supported account information services:

- (local files), NIS, LDAP, Hesiod, Winbind

3) Supported authentication mechanisms:

- (NSS), Kerberos, LDAP, SmartCard, SMB, Winbind

Example: NIS Configuration

1) Must install ypbind and portmap RPMs

2) Run system-config-authentication

- Enable NIS to provide User information

- Specify NIS server and NIS domain name

- Keep default authentication (through NSS)

3) What does this actually do?

- Five text-based configuration files are changed

Example: LDAP Configuration

1) Must install nss-ldap and openldap RPMs

2) Run system-config-authentication

- Enable LDAP to provide User Information

- Specify server, the search base DN, and TLS

- Enable LDAP to provide Authentication

3) What does this actually do?

- Five text-based configuration files are changed

SUID and SGID Executables

1) Normally processes started by a user run under the user and group security context of that user

2) SUID and/or SGID bits set on an executable file cause it to run under the user and/or group security context of the file’s owner and/or group

SGID Directories

1) Used to create a collaborative diretory

2) Normally, files created in a directory belong to the user’s the default group

3) When a file is created in a directory with the the SGID bit set, it belongs to the same group as the directory

The Sticky Bit

1) Normally users with write permissions to a directory can delete any files in that directory regardless of that file’s permissions or ownership

2) With the sticky bit set on a directory, only the owner of a file can delete the file

Default File Permissions

1) Read and write (not execute) for all is the default for files

2) Read, write and execute is the default for directories

3) umask can be used to withhold permissions on file creation

4) Users’ umaks is 022

- File will have permissions of 644

- Directory will have permissions of 755

- May need to change to 002 for group colaboration

Access Control Lists (ACLs)

1) Grant rwx access to files and directories for multiple users or groups

- mount –o acl /directory

- getfacl file|directory

- setfacl –m u:gandolf:rwx file|directory

- setfacl –m g:nazgul:rw file|directory

- setfacl –m d:u:frodo:rw directory

- setfacl –x u:samwise file|directory

SELinux

1) Mandatory Access Control (MAC) –VS- Discrentionary Access Control (DAC)

2) A rule set called the policy determines how strict the control

3) Processes are either restricted or unconfined

4) The policy defines what resources restricted processes are allowed to access

5) Any action that is not explicitly allowed is, by default, denied

SELinux, continued

1) All files and processes have a security context

2) The context has several elements, depending on the security needs:

- user:role:type:sensitivity:category

- user_u:object_r:tmp_t:s0:c0

- Not all systems will display s0:c0

3) ls –Z

4) ps –Z

- usually paired with other options, such as –e

SELinux: Targeted Policy

1) The targeted policy is loaded at install time

2) Most local processes are unconfined

3) Principally uses the type elementfor type enforcement

4) The security text can be changed with chcon

- chon –t tmp_t/ect/hosts

5) Safer to user restorecon

- restorecon /etc/hosts

SELinux: Management

1) Modes: Enforcing, Permissive, Disabled

- Changing enforcement is allowd in the targeted policy

- getenforce

- setenforce 0|1

- Disable from GRUB with selinux=0

2) /etc/sysconfig/selinux

3) system-config-securitylevel

- change mode, disabling requires reboot

4) system-config-selinux

- Booleans

5) setroubleshootd

- Advises on how to avoid errors, not ensure security!

End of Unit 5

1) Questions and Answers

2) Summary

- User and group accounts

- File ownership and permissions

- Extended filr modes: SUID/ SGID/ Sticky

- Switching accounts with su

- umask and the UPG scheme

- Shell environment

- Set NIS and LDAP

- Use ACLs

- Configure and troubleshoot SELinux