Workbook 5 PDF
Workbook 5 PDF
Workbook 5 PDF
User
and Group Administration
Table of Contents
1. What Is a User? ............................................................................................................. 5
Discussion ................................................................................................................ 5
A Userid Is a Number ........................................................................................ 5
Userid 0 is root ................................................................................................. 5
Processes Have a Userid ..................................................................................... 5
The id command ............................................................................................... 6
The ps command ............................................................................................... 6
Real or Effective Userid? .................................................................................... 7
Resources (Files and Directories) Have Userids ...................................................... 7
The /etc/passwd file ........................................................................................... 7
Three kinds of users .......................................................................................... 9
Userid ranges .................................................................................................. 10
Examples ............................................................................................................... 10
Some Password Entries ..................................................................................... 10
Some Processes ............................................................................................... 11
Processes As Resources .................................................................................... 11
Files As Resources .......................................................................................... 12
Online Exercises ...................................................................................................... 13
Specification ................................................................................................... 13
Deliverables .................................................................................................... 13
Questions ............................................................................................................... 13
2. Adding, Modifying, and Deleting Users ............................................................................ 16
Discussion .............................................................................................................. 16
The useradd command ...................................................................................... 16
Options for useradd and usermod ....................................................................... 17
usermod options .............................................................................................. 18
Deleting Users with userdel ............................................................................... 18
Examples ............................................................................................................... 18
Adding Three Musicians with useradd ................................................................. 18
usermod For Fickle Musicians ........................................................................... 19
userdel For Evicting Them ................................................................................ 19
Exercise ................................................................................................................. 20
Specification ................................................................................................... 20
Deliverables .................................................................................................... 20
Questions ............................................................................................................... 21
3. Managing Passwords ..................................................................................................... 24
Discussion .............................................................................................................. 24
Setting passwords ............................................................................................ 24
Where Passwords Go -- Old School .................................................................... 25
Where Passwords Go -- Today ........................................................................... 25
The Shadow File ............................................................................................. 26
Password Aging .............................................................................................. 26
The chage command ........................................................................................ 27
Account Expiration .......................................................................................... 27
Setting Password Aging Parameters .................................................................... 28
Examples ............................................................................................................... 28
Using chage .................................................................................................... 28
Changing Passwords ......................................................................................... 29
More chage .................................................................................................... 30
Exercise ................................................................................................................. 30
Setup ............................................................................................................. 30
rha130-6.1-1
4.
5.
6.
7.
rha130-6.1-1
Specification ................................................................................................... 30
Deliverables .................................................................................................... 30
Questions ............................................................................................................... 31
Adding, Modifying, and Deleting Groups .......................................................................... 33
Discussion .............................................................................................................. 33
Creating Groups .............................................................................................. 33
Deleting Groups .............................................................................................. 33
Modifying Groups ........................................................................................... 33
Adding Users to Groups or Removing Them ........................................................ 34
The /etc/group File ........................................................................................... 34
Primary and Secondary Groups .......................................................................... 35
Examples ............................................................................................................... 35
Adding Groups ................................................................................................ 35
Sharing One File with a Group .......................................................................... 35
Modifying Groups ........................................................................................... 36
Exercises ................................................................................................................ 37
Deliverables .................................................................................................... 37
Questions ............................................................................................................... 38
Users and the UNIX Filesystem ....................................................................................... 40
Discussion .............................................................................................................. 40
Review of Mode Bits ....................................................................................... 40
The umask command ....................................................................................... 40
Set-Groupid Directories .................................................................................... 41
User Private Group .......................................................................................... 42
Examples ............................................................................................................... 42
A directory not shared with a group .................................................................... 42
Exercises ................................................................................................................ 43
Deliverables .................................................................................................... 44
Questions ............................................................................................................... 44
Filesystem Access Control Lists ("acls") ............................................................................ 47
Discussion .............................................................................................................. 47
Why Access Control Lists? ............................................................................... 47
Observing and Setting acls: getfacl and setfacl ...................................................... 47
The setfacl Command ....................................................................................... 49
Directories and Default ACLs ............................................................................ 50
The ls, mv, and cp Commands and ACLs ............................................................ 50
Filesystem Support: the acl Mount Option ............................................................ 51
A Final Word ................................................................................................. 51
Examples ............................................................................................................... 52
Access to Removable Media .............................................................................. 52
Managing Sound Card Access in Fedora .............................................................. 52
Research ................................................................................................................ 52
Deliverables .................................................................................................... 53
Cleaning Up ................................................................................................... 53
Questions ............................................................................................................... 53
Network Based User Models ........................................................................................... 57
Discussion .............................................................................................................. 57
The Name Service Switch ................................................................................. 57
The Naming Problem ............................................................................... 57
The Name Service Switch ......................................................................... 57
Databases ............................................................................................... 58
Database Sources ..................................................................................... 58
Searching Left to Right ............................................................................. 59
Working with centralized users .......................................................................... 59
rha130-6.1-1
Discussion
When you sit down at a Linux computer to do some work or play some games, you have to log on first,
providing a username and a password. You think of that username as representing yourself: My name is
Alice, and my username is alice, and it represents me.
A Userid Is a Number
But what does Linux think of you as? Linux thinks of you as not just a username like alice, but also as a
number, like 531. You may think "I am not a number," but to Linux you are!
In Linux, a userid is a 32-bit integer -- that is, a number from 0 to 4,294,967,295. The userid is used
frequently in the internal workings of Linux, and is usually only converted to a human-friendly username
(like alice) for presentation to humans, as in a directory listing or an email address. This chapter will be
about when Linux uses a username, when Linux uses an integer userid, and how it converts one to the
other when needed.
In this chapter we will consistently use the term username to mean human-friendly names like alice, and
the term userid to mean integers like 531.
Userid 0 is root
The userid 0 is special: it is the userid of the superuser, whose username is always root. We mention
this now, because you'll see userid 0 or username root a lot when you start looking around in your Linux
system, and we want you to notice it when you do.
rha130-6.1-1
What Is a User?
A process with userid 0 is exceptional, in that it has permission to do whatever it asks to do. It is not subject
to the limitations that other userids have.
The id command
If you are logged in to Red Hat Enterprise Linux, you can find out what your shell's current userid is with
the id command:
[student@system student]$ id
uid=500(student) gid=500(student) groups=500(student) context=user_u:system_r:unconfined_t
The number marked uid= is your userid. It also looks up the username associated with that userid, and
prints it in parentheses. The rest are group ids; we'll talk about them later.
If run on yourself, the id command also reports your SELinux context, which showed up starting in Red
Hat Enterprise Linux 4. All standard users of a type called unconfined, which, as the name implies, has
no relevant effect.
Try the id command. What is your integer userid?
The ps command
To see the userids of all processes on your system, use the command ps lax.
Note
To make this listing fit on the page better, we've left out a few columns and a few rows. When
you try this, you should see a bit more.
[alice@system alice]$ ps lax
F
UID
PID PPID STAT TTY
4
0
1
0 S
?
1
0
2
1 SW
?
1
0
3
1 SW
?
1
0
4
1 SWN ?
1
0
5
1 SW
?
1
0
7
1 SW
?
1
0
10
1 SW
?
1
0 1437
1 S
?
5
0 1441
1 S
?
5
32 1459
1 S
?
5
29 1478
1 S
?
5
0 1608
1 S
?
5
0 1628
1 S
?
1
51 1637
1 S
?
5
0 1647
1 S
?
1
0 1656
1 S
?
5
43 1726
1 S
?
1
2 1744
1 S
?
1
0 1754
1 S
?
4
0 1760
1 S
?
4
0 1765
1 S
?
4
500 1768 1760 S
tty1
4
0 1810 1765 S
tty6
0
0 1863 1810 S
tty6
0
500 1868 1768 R
tty1
TIME
0:05
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:01
0:00
COMMAND
init [
[keventd]
[kapmd]
[ksoftirqd_CPU0]
[kswapd]
[kscand/Normal]
[kupdated]
syslogd -m 0
klogd -x
portmap
rpc.statd
xinetd -stayalive -reuse
sendmail: accepting connections
sendmail: Queue runner@01:00:00
gpm -t ps/2 -m /dev/mouse
crond
xfs -droppriv -daemon
/usr/sbin/atd
rhnsd --interval 240
login -- alice
login -- root
-bash
-bash
vim u5-1.txt
ps lax
The second column (UID) shows the userid of the process. The third column (PID) shows the process ID,
a unique number identifying each process.
If you try ps lax, you'll notice that your userid owns at least one shell (probably bash) and one process
running ps. Why is that?
rha130-6.1-1
What Is a User?
You'll also see lots of processes running with userid 0, for instance the process with PID 1, which executes
the program init.
ls -lna /home
0
0
500
502
4096
4096
4096
4096
May
May
May
May
15
18
16
15
22:39
00:27
19:07
21:42
.
..
alice
bob
(Notice there are two columns with the numbers 0, 500, and 502. The left column is the userid, and the
right column is the groupid.)
The -n option means to show userids numerically. Usually you want userids to be translated to usernames,
so you don't use the -n option:
[alice@localhost alice]$
total 56
drwxr-xr-x
4 root
drwxr-xr-x
25 root
drwx-----12 alice
drwx-----2 bob
ls -la /home
root
root
alice
bob
4096
4096
4096
4096
May
May
May
May
15
18
16
15
22:39
00:27
19:07
21:42
.
..
alice
bob
What usernames in this listing map to what userids in the previous listing?
rha130-6.1-1
What Is a User?
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
Each line contains seven fields separated by colons, with no extra spaces. Since colons are used to separate
the fields, colons cannot be used within any field.
The seven fields are as follows:
1. Alphanumeric username
2. The user's encrypted password, or "x" if the encrypted password is in /etc/shadow
3. The user's integer userid
4. The user's primary integer groupid
5. A field for miscellaneous information (often the user's full name), historically called the GECOS field,
and now usually called the comment field.
6. The user's home directory
7. The user's login shell
Now we will talk about each of the seven fields in more detail.
1. The first field is the alphanumeric username. For the most compatibility with older programs and other
UNIX systems, it's best if usernames be one to eight characters; contain only lowercase letters, digits,
and underscores; and begin with a lowercase letter. Although some Linux users today have usernames
longer than eight characters, there are programs which will truncate their output to only show the first
eight characters (for example, who and last), and other programs that just refuse to show long usernames
(for example, ps).
Each line in /etc/passwd must begin with a different username; that is, the usernames must be
unique.
2. Traditionally UNIX stored the user's password in the second field in an encrypted form. For instance,
the password "pig+foo9" might be stored as "yk2uSm8XR6eZ1".
Today it is best practice to use the newer Shadow Password mechanism, in which the encrypted
passwords are saved in a separate file /etc/shadow. When shadow passwords are used, this second
field of /etc/passwd contains a single "x". If this field is empty, the account is "unpassworded",
and no password will be requested when the user logs on. If the system will ever be connected to a
network, this is not a good idea!
3. The third field is the integer userid we've been talking about. These are usually unique, but in rare cases,
two different usernames may map to the same userid (most often for userid zero).
4. The fourth field is similar to userid; it's the primary groupid. It's also a 32-bit integer in today's Linux.
We'll talk more about group ids in later sections.
5. The fifth field is the comment (or GECOS) field. It's often just left blank, or it might store the user's
full name. Older UNIX systems sometimes put phone numbers or other information here. Read man 5
passwd if you want to know why this field is still sometimes called the "GECOS field".
rha130-6.1-1
What Is a User?
6. Each username is assigned a home directory, which is named in the sixth field. People need home
directories; when they login, their current directory is set to their home. System users have less need
for them, but some home directory should be specified for all usernames.
7. People must have a program which is executed when they login, called the login shell, which is named
in the seventh field. On Red Hat Enterprise Linux, it is usually /bin/bash.
System users do not usually log in with login shells, but something must be named here. If the program
named here does not appear in the file /etc/shells, the user will not be allowed to login. One way
of forbidding people to log in (that is, to disable a user's account) is to put /sbin/nologin for the login
shell. It is a special command that tells them they cannot log in.
Superusers
The userid zero is special, in that a process with userid zero is never denied
access to a file, directory, or any other resource on the system. In addition,
there are some system calls that only userid zero is allowed to do, such as
mount a file system, or shut down the computer. (There may be provisions
for non-super users to be able to do these things, but they all involve a
process that has userid zero.)
Conventionally the username root is mapped to userid zero on the first
line of the password file, and bad things will surely happen if it isn't.
Therefore being a superuser is frequently called "being root" or "having
root privileges."
(It is possible to have other usernames in addition to root map to userid
zero, and these usernames will also be superusers. This is sometimes
done if several people all have root privileges, but want different home
directories so they can have different initialization files. You might call
them superhumans.)
System Users
Some RPM packages allocate their own userid and username when they
are installed. Such packages often have some files that they manipulate,
and they often execute processes with their own userid. (It is preferable
for them to have their own userid, instead of running as root, to limit the
amount of damage possible if a programming error allowed the package
to be exploited in a bad way.)
Since there is no human user behind these userids, they are called system
users, and they are usually defined in the first part of the password file,
on the lines following root.
Databases, Internet servers, mail and news transport programs, and print
spoolers are examples of packages that have system users. Red Hat
rha130-6.1-1
What Is a User?
Userid ranges
We mentioned at the beginning that userids are 32-bit integers. This means they can range from zero to
4,294,967,295.
Userid zero is always the superuser. Red Hat Enterprise Linux reserves the range 1 through 499 for system
users, and recommends that human users have userids 500 and higher.
Older UNIX systems had only 16-bit integers for userids. For compatibility with them, keep userids less
than 65,000 if you can. A couple of anomalous system users (with names like "nobody") were historically
assigned userids with signed values of -1 and -2, or equivalent unsigned 16-bit values of 65534 and 65535.
One of these is still in Red Hat Enterprise Linux -- look in /etc/passwd for it. Furthermore, in some
Linux kernel calls userid -1 has a special meaning, and some older commands print -1 for any userid higher
than 65534.
For these reasons, Red Hat Enterprise Linux ships with defaults to allocate userids for humans in the range
of 500 through 60,000.
Examples
Some Password Entries
If we look at the first few lines in /etc/passwd, will see the root entry and some system users.
[root@system root]# head -10 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
(The head command shows the first few lines of a text file.)
Notice that root has userid 0. The others shown here are all system users, with userid and groupid less than
500: bin has userid 1, lp (line printer) is 4, mail is 8. They have various directories listed as their home
directories, and most have /sbin/nologin as login shell, so that no one can ever login with these accounts.
The last field of the news line is empty, meaning it defaults to /bin/sh, the most standard UNIX shell.
Now if we look at the last few lines of /etc/passwd, we see some human users.
[student@system student]# tail -3 /etc/passwd
julius:x:501:501::/home/julius:/bin/bash
alice:x:502:502::/home/alice:/bin/bash
bob:x:503:503::/home/bob:/bin/bash
(The tail command shows the last few lines of a text file.)
Julius, Alice, and Bob have userids 501, 502, and 503. They have normal home directories in /home,
and the usual /bin/bash login shell. The fifth field (comment or GECOS) is empty, so you just see two
colons together after the groupid.
rha130-6.1-1
10
What Is a User?
Some Processes
Let's look at processes running on a typical Linux workstation. The command ps lax shows us all
processes, with the userid in the second column labeled UID. Notice the first few all have userid 0,
including process (PID) 1,which is always init. Then some system processes have system userids: portmap
has userid 32, and xfs (a font server) is 43. A human user with userid 500 is running the Nautilus file
manager. Finally humans 501, 502, and 503 are logged in on consoles tty2, tty3, and tty4.
Note
To make this listing fit on the page better, we've left out a few columns and quite a few rows.
When you try this, you should see a bit more. ]
[root@system root]# ps lax
F
UID
PID PPID STAT TTY
4
0
1
0 S
?
1
0
2
1 SW
?
1
0
3
1 SW
?
1
0
5
1 SW
?
1
0
73
1 SW
?
1
0 2250
1 SW
?
1
0 2257
1 SW
?
1
0 2515
1 S
?
5
0 2519
1 S
?
5
32 2537
1 S
?
5
29 2556
1 S
?
5
43 2881
1 S
?
0
500 2991 2961 S
pts/1
4
0 3018 2991 S
pts/1
4
0 3021 3018 S
pts/1
0
500 3279
1 S
?
0
500 3283
1 S
?
0
500 3285
1 S
?
0
500 3289
1 S
?
0
500 3291
1 S
?
0
500 3293
1 S
?
0
500 3305
1 S
?
0
500 3306 3305 S
?
0
500 3307 3305 S
pts/0
4
501 4929 2841 S
tty2
0
501 4969 4929 S
tty2
4
502 4970 2842 S
tty3
4
503 5011 2843 S
tty4
0
502 5056 4970 S
tty3
0
503 5057 5011 S
tty4
4
0 5058 3021 R
pts/1
TIME
0:05
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:01
0:01
0:00
0:00
0:11
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
0:00
COMMAND
init [
[keventd]
[kapmd]
[kswapd]
[khubd]
[kjournald]
[kjournald]
syslogd -m
klogd -x
portmap
rpc.statd
xfs -droppriv -daemon
bash
su -bash
/usr/bin/meta
gnome-panel nautilus --no
eggcups --smpam-panel-ico
/usr/bin/pyth
gnome-termina
gnome-pty-hel
bash
-bash
sleep 600
-bash
-bash
sleep 800
sleep 900
ps lax
Processes As Resources
It turns out that the users we see on tty3 and tty4 are Alice (userid 502) and Bob (userid 503). We'll show
you now what they're doing. Each of them puts a sleep command into the background (sleep simply does
nothing for the specified number of seconds) and takes note of its process id (PID).
Then each tries to kill the others' sleep process, using the kill command. They each get an error, because
you are only allowed to kill processes that have your same userid. Then they kill their own sleep process,
which succeeds.
[alice@system alice]$ sleep 800 &
[1] 5056
[alice@system alice]$ ps
PID TTY
TIME CMD
rha130-6.1-1
11
What Is a User?
4970 tty3
00:00:00 bash
5056 tty3
00:00:00 sleep
5060 tty3
00:00:00 ps
[alice@system alice]$ kill 5057
-bash: kill: (5057) - Operation not permitted
[alice@system alice]$ kill 5056
[bob@system bob]$ sleep 900 &
[1] 5057
[bob@system bob]$ ps
PID TTY
TIME CMD
5011 tty4
00:00:00 bash
5057 tty4
00:00:00 sleep
5061 tty4
00:00:00 ps
[bob@system bob]$ kill 5056
-bash: kill: (5056) - Operation not permitted
[bob@system bob]$ kill 5057
This demonstrated the rights of a process (the ability of a shell to kill) being limited based on its userid
and the userid of a resource (the sleeping process).
Files As Resources
Next we'll look at the mail spool directory, which holds incoming mail for users. With ls -lan, we see
userids and group ids printed numerically.
Then we leave out the -n option, so it translates userids and group ids into usernames and groupnames.
[student@system
total 44
drwxrwxr-x
2
drwxr-xr-x
13
-rw------1
-rw------1
-rw------1
-rw------1
[student@system
total 44
drwxrwxr-x
2
drwxr-xr-x
13
-rw------1
-rw------1
-rw------1
-rw------1
04:20
00:43
04:19
04:20
04:20
04:20
.
..
alice
bob
julius
student
root
root
alice
bob
julius
student
04:20
00:43
04:19
04:20
04:20
04:20
.
..
alice
bob
julius
student
mail
root
mail
mail
mail
mail
4096
4096
713
690
17611
6373
May
May
May
May
May
May
22
9
22
22
22
22
What userid is associated with each username? (That is, what is student's userid?) What groupid and
groupname is the group owner of each mail file?
Next user student does a directory listing of "the root directory" (named /). Then student tries to list
"root's home directory" (named /root), but doesn't have permission to do so.
[student@system
total 265
drwxr-xr-x
42
drwxr-xr-x
42
drwxr-xr-x
2
drwxr-xr-x
3
drwxr-xr-x
20
drwxr-xr-x
52
drwxr-xr-x
7
drwxr-xr-x
2
drwxr-xr-x
9
drwx-----2
drwxr-xr-x
2
rha130-6.1-1
student]$ ls -la /
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
4096
4096
4096
4096
118784
4096
4096
4096
4096
16384
4096
12
May
May
May
May
May
May
May
Jan
May
May
Jan
22
22
9
9
22
22
22
24
9
8
28
03:51
03:51
01:49
00:37
03:52
04:18
04:18
23:52
01:48
23:52
04:22
.
..
bin
boot
dev
etc
home
initrd
lib
lost+found
misc
What Is a User?
drwxr-xr-x
3 root
root
4096
drwxr-xr-x
2 root
root
4096
dr-xr-xr-x
84 root
root
0
drwxr-x--15 root
root
4096
drwxr-xr-x
2 root
root
8192
drwxrwxrwt
11 root
root
4096
drwxr-xr-x
15 root
root
4096
drwxr-xr-x
17 root
root
4096
[student@system student]$ ls -la /root
ls: /root: Permission denied
May
Jan
May
May
May
May
May
May
9
24
22
22
9
22
9
9
01:21
23:52
03:50
04:08
01:49
04:20
00:35
00:55
mnt
opt
proc
root
sbin
tmp
usr
var
We see in the listing of / that /root has mode displayed as drwxr-x---, and it's owned by user root
and group root. Why can't student list it?
Online Exercises
Lab Exercise
Objective: Gain experience editing the /etc/passwd file.
Estimated Time: 5 mins.
Specification
1. As a precaution, make a backup of your /etc/passwd file, and store it somewhere safe.
2. As root, edit the file /etc/passwd with a text editor. Insert the word avocado in the comment (fifth)
field of your primary student account. Save the file.
Deliverables
1.
1. An avocado in your comment field.
Questions
1.
b.
c.
up to 32
d.
e.
2.
rha130-6.1-1
ls
b.
ls -laR
c.
ls -lan
13
What Is a User?
d.
ps lax
e.
id
3.
b.
c.
d.
e.
4.
1-499
b.
0-1023
c.
0-65535
d.
10-99
e.
500-60000
5.
b.
c.
500
d.
65535
e.
ps
6.
b.
/bin/bash is obsolete
c.
d.
the superuser account is unpassworded, so anyone can take over the computer
e.
7.
rha130-6.1-1
b.
c.
14
What Is a User?
d.
e.
8.
In Red Hat Enterprise Linux, mail, news, and apache are examples of what?
a.
default shells
b.
process ids
c.
system users
d.
superusers
e.
home directories
9.
b.
c.
d.
e.
10.
rha130-6.1-1
root's userid
b.
c.
d.
e.
15
Discussion
Users exist in a Linux system because they are present in the passwd file. Although it's done indirectly
through the PAM module, the login programs (as well as ls -l and ps -a) in effect read the /etc/passwd
file for information about users.
(Actually, other user authentication mechanisms can be enabled, but we'll ignore them until a later chapter.)
To add new users, the superuser could just edit the passwd file. As we've seen, it's a text file, and it's easy
to edit. You can duplicate the bottom line and edit the new line by making a new username, allocating a
new userid, fixing the home directory field, etc. But this is tedious and prone to error, and there are other
things that have to be done (like making a home directory & making an entry in /etc/shadow) so we don't
recommend doing this manually.
Instead you should use the commands useradd, usermod, and userdel which do all these things correctly
for you. These commands are fairly standard, and are found on the other UNIX systems as well as Red
Hat Enterprise Linux. You must be root to use these commands, so type "su - root" (and give the root
password) before typing these commands.
Used in this simple style, the command does a number of things for you:
1. Allocates a new userid, one higher than the largest human userid found in /etc/passwd. (If you have
only a few users, the userids will be in the 500's.)
2. Adds a line to /etc/passwd with appropriate values for this user.
3. Adds a line to /etc/shadow, if shadow passwords are being used. (By default, they are. More about
them later.)
4. Creates a new home directory for the user, with a name like /home/alice, and sets the owner userid
of the directory correctly.
5. Copies all files from /etc/skel into the new home directory. These files are usually initialization
commands for various programs, including shell profiles like .bashrc and .bash_profile.
rha130-6.1-1
16
Adding, Modifying,
and Deleting Users
6. Creates a new private group for the user in /etc/group. A later chapter will discuss groups.
-d homedir
-e expireDate
-g primaryGroup
-G group1,group2,...
-a
-s loginShell
rha130-6.1-1
17
Adding, Modifying,
and Deleting Users
-u userid
usermod options
The usermod command can be used to change the user's attributes later, after they were created.
usermod takes all of the options described above, plus a few more:
-l newUsername
-u newUserid
Change the integer userid. usermod will try to update the userids of
the files and directories in the user's home directory, but the user may
own other files on the system which do not get updated, so it's not
recommended that you do this, either.
-L
This option locks the user out, so they cannot log in. It does this by
inserting an extra ! in front of their encrypted password field, which
prevents it from matching any password.
-U
This option reverses the effect of -L, allowing the user to log in again.
Examples
Adding Three Musicians with useradd
Let's add three users to our system: Blondie, Prince, and Madonna. They all want to be in a secondary
group music. Blondie requests a special comment in her password entry, Prince is a csh advocate (a dying
breed!), and Madonna's contract expires in the middle of the year 2005.
[root@system root]# useradd -c "heart of glass" -G music blondie
[root@system root]# useradd -s /bin/csh -G music prince
[root@system root]# useradd -e 2005-07-01 -G music madonna
[root@system root]# tail -3 /etc/passwd
blondie:x:505:508:heart of glass:/home/blondie:/bin/bash
rha130-6.1-1
18
Adding, Modifying,
and Deleting Users
prince:x:506:509::/home/prince:/bin/csh
madonna:x:507:510::/home/madonna:/bin/bash
[root@system root]# ls -l /home
total 23
drwx-----2 blondie blondie
4096
drwx-----2 madonna madonna
4096
drwx-----2 prince
prince
4096
drwx-----2 student student
4096
[root@system root]#
May
May
May
May
22
22
22
22
04:34
04:35
04:34
04:18
blondie
madonna
prince
student
You can see all of these details (except the expiration date of Madonna's account) in the tail of /etc/passwd.
Their home directories were also made by the useradd command.
Notice that the prince line in /etc/passwd was deleted, and a new tafkap line appears at the bottom
of the file, with the same userid and groupid formerly known as prince. Madonna's userid is in fact is
now 888, and her home directory (and its contents) were automatically chowned for us by the usermod
command. Tafkap's home is still named /home/prince. Weird things like that is why changing usernames
and groupnames is not recommended in general!
Finally, notice the ! after the first : on tafkap's entry in /etc/shadow. Inserting that ! disables his account,
the result of usermod -L (locking his account).
rha130-6.1-1
19
Adding, Modifying,
and Deleting Users
[root@system
[root@system
[root@system
[root@system
total 12
drwx-----drwx-----[root@system
root]#
root]#
root]#
root]#
userdel -r blondie
userdel -r tafkap
userdel madonna
ls -l /home
2 888
2 student
root]#
510
student
We forgot the -r option when deleting Madonna, and so it left her home directory.
Exercise
Lab Exercise
Objective: Manage users with useradd, usermod, and userdel.
Estimated Time: 30 mins.
Specification
In this exercise, you will be adding users to groups. If the group you need does not exist, you will have
to make it using the groupadd command. It is very simple and takes only one argument, the name of the
group to add.
groupadd groupname
Deliverables
1.
1. The specified 8 (well, 7) users with the appropriate memberships.
2. The user ringos has his name, Ringo Starr, in his comment field.
3. The user johnl's account is "disabled".
rha130-6.1-1
20
Adding, Modifying,
and Deleting Users
Questions
1.
-c
b.
-D
c.
-e
d.
-G
e.
-u
2.
b.
c.
d.
e.
metacharacters
3.
b.
c.
exactly 1
d.
up to 31
e.
up to 499
4.
b.
c.
exactly 1
d.
up to 31
e.
up to 499
5.
rha130-6.1-1
What is Red Hat Enterprise Linux's default login shell for human users?
a.
/etc/passwd
b.
/sbin/nologin
c.
/bin/bash
21
Adding, Modifying,
and Deleting Users
d.
/bin/csh
e.
/etc/shells
6.
When new users are added with useradd, suppose you want them to each get their own copy of
the file named .blog.prefs. Where should you put the master copy?
a.
/etc
b.
/etc/profile
c.
/etc/profile.d
d.
/home/skel
e.
/etc/skel
7.
Which options to usermod do you use (1) to lock a user out, and (2) to allow them access again?
a.
b.
c.
d.
e.
8.
b.
c.
the user may own some files whose userid is not fixed
d.
e.
9.
b.
c.
x is not an integer
d.
e.
10.
rha130-6.1-1
b.
22
Adding, Modifying,
and Deleting Users
c.
d.
e.
11.
rha130-6.1-1
What's really wrong with this command? usermod -g wheel -G math,science -c Beverly Wong
bev90210
a.
b.
c.
d.
e.
23
Discussion
In the previous chapter we made a number of accounts, but never set passwords on them. Oops -- how
could they log in? In this chapter we'll talk about passwords.
Setting passwords
The passwd command sets or changes passwords. It can be run either by root or by a user who wants to
change their own password.
If it's being run by a user changing their own password, it takes no arguments.
If it's being run by root, it takes one argument, the name of the account whose password is being set. Don't
forget this argument, or root will change root's own password instead!
Here is root creating a password for Alice's new account. Root is setting her password to "tofu!43*".
[root@system root]# passwd alice
Changing password for user alice.
New password: tofu!43*
Retype new password: tofu!438
Sorry, passwords do not match
New password: tofu!43*
Retype new password: tofu!43*
passwd: all authentication tokens updated successfully.
[root@system root]#
Ordinarily the passwords would not show on the screen, but we've shown them for you in this chapter.
Note that root typed "8" rather than "*" the second time the password was typed, and because of this
mistake, had to type it in again.
Root told Alice this password was set for her, but Alice didn't like this password (she hates anything with
tofu in it) so she decided to change it to "Mary". But that was not a very good password, and the system
would not let her set it, so she used "stake-ribs-ketchdown" instead.
[alice@system alice]$ passwd
Changing password for alice
(current) UNIX password: tofu!43*
New password: Mary
BAD PASSWORD: it is too short
New password: stake-ribs-ketchdown
Retype new password: stake-ribs-ketchdown
passwd: all authentication tokens updated successfully.
[alice@system alice]$
(Actually, that's a really good password -- especially the pun changing ketchup to ketchdown, which
probably doesn't appear in word lists in any language -- yet it is not too hard to remember.)
rha130-6.1-1
24
Managing Passwords
You can choose which encryption algorithm to use when you install Red Hat Enterprise Linux or after
installation using the system-config-authentication utility which will be discussed later in this workbook.
It is strongly recommended that you do use the MD5 or SHA Password options. If you share passwords
rha130-6.1-1
25
Managing Passwords
with other UNIX systems, you may need to use the MD5 instead of the new default SHA encryption
algorithms. Red Hat Enterprise Linux gives you the option of using the older crypt scheme, but it defaults
to the new way, and there's little reason not to use it, unless you have to share passwords with very old
UNIX systems.
Now we'll look at the corresponding line in /etc/shadow, which begins with the same username in the
first column:
alice:$2$HjurSvoW$uLtD6XOQ7/YS6bc3cZawE1:12198:0:99999:7:::
On a new Red Hat Enterprise Linux 6 system, the encrypted password string is even longer. Look at the
following entry for elvis:
elvis:$6$4yFyTln.rAWbAnB4$Tolut.3Dc6UOAHuDs/5Txrm4ZS3Y518Bh5STaqQVb4B8WP1uN2BTtN7zao1che3.B7ruQ7On9Ijcl
4yFyTln.rAWbAnB4
Tolut.3Dc6UOAHuDs/5Txrm4ZS3Y518Bh5STaqQVb4B8WP1uN2BTtN7zao1che3.B7ruQ7On9IjclZKLnaYMu.
The encrypted hash. An MD5 hash is 22
characters, A SHA-256 is 43 characters, and
a SHA-512 hash is 86 characters.
You don't need to know what all of the fields in the shadow file, except that the first field is the username,
and the second is the encrypted password. The rest are aging and expiration information that we'll talk
about next.
Password Aging
It's not a good idea to use the same password forever, but some people would if you didn't force them to
change it occasionally. So there is a mechanism called Password Aging which requires users to change their
passwords regularly. Password aging is optional, and is not used by default. But if it is used, the superuser
can set a Minimum and a Maximum number of days for passwords to be changed. After a password is
changed, the Minimum number of days must pass before the user is allowed to change the password again.
Users are required to change their password before the Maximum number of days passes.
The most recent day on which the password was changed is called the Last Day, and the day after the
maximum period is called the Maximum Day (or the Password Expiration Day).
Two other days are computed as offsets from the Maximum day: the Warning Day and the Inactive Day.
The superuser must set how many days before the Maximum day that the user will begin receiving warnings
that the password will soon expire and therefore needs to be changed. The Inactive Day is a certain number
of days (a grace period) after the Maximum day. If the user still hasn't changed the password by the Inactive
Day, they will be locked out, and will have to talk to the superuser about reactivating it.
rha130-6.1-1
26
Managing Passwords
Minimum: 3
Maximum: 180
Warning: 45
Inactive: 7
Account Expiration
The Account Expire feature is totally separate from, and should not be confused with, Password Aging.
Unfortunately it has been grafted onto the chage command, which prints both a "Password Expire" and
an "Account Expire" date, so it is easy to get confused.
rha130-6.1-1
27
Managing Passwords
Account Expiration is for the case when a user should be using the system only for a specific period of
time: the user is a conference guest for a week, a student for a three-month term, a contractor on a sixmonth contract, or a senator for six years.
The superuser can set the account expiration date for a user, and there's nothing the user can do to avoid it.
It has nothing to do with changing passwords. After the Account Expiration date, the user will no longer
be able to log into the system.
In Alice's example above, her account will expire on December 31, 2015. Maybe that's the date she plans
to graduate!
meaning
-d YYYY-MM-DD artificially set the "Last Day", when Linux believes the password was last changed.
-m mindays
the minimum number of days since the Last Day before the password can be changed
again.
-M maxdays
the maximum number of days since the Last Day during which the password should
be changed again. The end of this period is called the Maximum Day or the Password
Expiration Day.
-W warndays
the number of days before the Maximum Day when the user starts receiving
warnings to change their password.
-I inactivedays
the number of days after the Maximum Day when the user can no longer login if
the password has not been changed.
-E YYYY-MM-DD set the date on which the account (not the password) expires
You may use one or more of these options at a time with the chage command. As a large example, here's
the command that will set all of Alice's features given in the example above:
chage -d 2003-05-01 -m 3 -M
If you have not been using password aging and you decide to begin using it, remember that some
passwords probably have not been changed in a long time, and you will have to choose a reasonable "Last
Day" (probably the current day) for existing accounts with the -d option.
Examples
Using chage
First notice the date in the following example is May 22, 2003. Various dates will be calculated from that.
We add three users: Einstein, Maxwell, and Nero. Einstein gets the default aging parameters, which is to
have no password expiration. Maxwell gets a password expiration period of 90 days, with warnings 14
days before expiration, a grace period of five days, and a minimum of seven days before changing his
password again. Nero, being an emperor, needs some limitations, but weak ones: he has a year until his
password expires, and a year of grace period, and no minimum.
[root@system root]# date
Thu May 22 05:33:13 GMT 2003
rha130-6.1-1
28
Managing Passwords
Notice in Einstein's listing that his Maximum is 99999. Apparently 99999 equals infinity, to the chage
command.
Changing Passwords
None of them have passwords yet, so they can't yet log in. For demonstration, we'll set Einstein's password,
and then change it, so you can see the encrypted password found in /etc/shadow change. Maxwell's and
Nero's password field still says !! meaning a password needs to be set, so they can't log in yet.
[root@system root]# passwd einstein
Changing password for user einstein.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@system root]# tail -3 /etc/shadow
einstein:$2$.r71/IMJ$p7duYZmUD4Zr7vNKdEqAz/:12194:0:99999:7:::
maxwell:!!:12194:7:90:14:5::
nero:!!:12194:0:365:60:365::
[root@system root]# passwd einstein
Changing password for user einstein.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@system root]# tail -3 /etc/shadow
einstein:$2$pL2GHaEm$Y9cAaaGCWWpJ4vMUdWHdp.:12194:0:99999:7:::
maxwell:!!:12194:7:90:14:5::
nero:!!:12194:0:365:60:365::
[root@system root]#
Einstein's first encrypted password ended in "Az/", and his second one ended in "dp.". Encrypted passwords
are encoded using "/" and "." as well as letters and numbers.
rha130-6.1-1
29
Managing Passwords
More chage
Finally we put some aging requirements on Einstein's password and set an expiration date for Maxwell.
[root@system root]#
[root@system root]#
[root@system root]#
Minimum:
0
Maximum:
180
Warning:
30
Inactive:
30
Last Change:
Password Expires:
Password Inactive:
Account Expires:
[root@system root]#
Minimum:
7
Maximum:
90
Warning:
14
Inactive:
5
Last Change:
Password Expires:
Password Inactive:
Account Expires:
[root@system root]#
May
Aug
Aug
Dec
22,
20,
25,
31,
2003
2003
2003
2003
You can actually count 180 days from Einstein's Last Change date, May 22, until the Expiration Day,
November 18, and another 30 days until Inactivation, December 18.
Exercise
Setup
In the last chapter, you made four Beatles accounts, georgeh, paulm, ringos, and johnl. If they are no
longer on your system, make them again quickly with useradd. Don't worry about their groups or any
other details from the previous chapter.
Specification
Your CFO read a magazine article about homeland security during an airplane flight, and now he informs
you, the system administrator, that the Beatles will have to start changing their passwords every month.
1. Give them a minimum of two days between password changes, a maximum of 30 days before password
expiration, seven days of warning, and five days of grace period before inactivation.
2. He also reminds you that their contract expires in four years, so their accounts should expire exactly
four years from today.
3. Since they probably haven't changed their password in a long time, artificially set the Last Change Date
to today.
Deliverables
1.
Four accounts with aging and expiration configured as described.
rha130-6.1-1
30
Managing Passwords
Questions
On January 1, 2011, the superuser executes this command: chage -d 2011-01-01 -m 3 -M 90 -W 7 -I 5
martha. The first four questions are about martha.
1.
every year
b.
c.
d.
e.
2.
every day
b.
c.
d.
every 90 days
e.
on her birthday
3.
How long is martha's grace period, between when her password expires, and when it is inactive?
a.
b.
three days
c.
five days
d.
12 days
e.
90 days
4.
How long does martha have from when she receives Warnings until the password is actually
Inactive?
a.
zero days
b.
three days
c.
five days
d.
12 days
e.
90 days
5.
Which users are allowed to change another user's password by naming the other user as an argument
to the passwd command?
a.
rha130-6.1-1
31
Managing Passwords
b.
c.
d.
e.
6.
b.
c.
d.
e.
7.
lines about the same user begin with the same username in the first field
b.
c.
d.
e.
8.
rha130-6.1-1
b.
c.
d.
e.
32
Discussion
Just like usernames and userids, Linux groups are identified by both an alphanumeric groupname and an
integer groupid.
Similar to how the file /etc/passwd is used to convert between usernames and userids, the file /etc/group
is used to convert between groupname and group ids. It also records secondary group memberships.
Creating Groups
The command to create groups is groupadd. It takes exactly one argument, the name of the group to be
added:
groupadd <groupname>
Deleting Groups
The command to delete groups is groupdel. It also takes exactly one argument, the name of the group
to be deleted:
groupdel <groupname>
Modifying Groups
There are only two things you can do with the groupmod command, change the name of the group or
change the groupid. If you change the groupid of a group, any files or directories that were in the group will
still have the old groupid. Changing groupnames is cleaner, but still can present problems, for example
with backups and archives. So the use of this command is not really recommended, if you can avoid it.
To change the groupname of a group, use the -n option:
groupmod -n <newname> <oldname>
rha130-6.1-1
33
Adding, Modifying,
and Deleting Groups
groupmod -g <newGid> <groupname>
rha130-6.1-1
34
Adding, Modifying,
and Deleting Groups
We are ignoring the Group Password feature, which is obsolete today since Linux has secondary groups.
(In the old days, a UNIX process could only be in one group at a time. There were no secondary groups.
The group password let you change groups. Today you're in many secondary groups simultaneously, and
so you don't need to change groups.)
Examples
Adding Groups
We will make three new groups with groupadd. Then we will make five new users, adding them to various
groups. The Emperor Nero wants to be in a bunch of random groups, and we'll give him his way.
root]#
root]#
root]#
root]#
root]#
root]#
root]#
root]#
root]#
groupadd wrestle
groupadd governor
groupadd emperors
useradd -G wrestle,governor ventura
useradd -G wrestle hogan
useradd -G governor pataki
useradd -G emperors julius
useradd -G wrestle,governor,emperors,wheel,root nero
The wrestlers can't remember who is in their group, and they don't know how to look in the /etc/group
file to see. So root creates them a file /home/buddy-list and puts the file in group wrestle. The file allows
read and write access to group wrestle but not to others.
[root@system root]# echo "ventura, hogan, nero" > /home/buddy.list
[root@system root]# chgrp wrestle /home/buddy.list
[root@system root]# chmod 660 /home/buddy.list
[root@system root]# tail -8 /etc/group
wrestle:x:505:ventura,hogan,nero
governor:x:506:ventura,pataki,nero
emperors:x:507:julius,nero
ventura:x:508:
hogan:x:509:
pataki:x:510:
julius:x:511:
nero:x:512:
[root@system root]# tail -5 /etc/passwd
ventura:x:505:508::/home/ventura:/bin/bash
hogan:x:506:509::/home/hogan:/bin/bash
pataki:x:507:510::/home/pataki:/bin/bash
julius:x:508:511::/home/julius:/bin/bash
nero:x:509:512::/home/nero:/bin/bash
[root@system root]# ls -l /home
total 32
-rw-rw---1 root
wrestle
21 May 23 06:01 buddy.list
drwx-----2 hogan
hogan
4096 May 23 05:59 hogan
drwx-----2 julius
julius
4096 May 23 05:59 julius
drwx-----2 nero
nero
4096 May 23 06:00 nero
rha130-6.1-1
35
Adding, Modifying,
and Deleting Groups
drwx-----2 pataki
drwx-----2 student
drwx-----2 ventura
[root@system root]#
pataki
student
ventura
Modifying Groups
Nero's spin doctors insist that the emperors group be renamed defenders. When the wrestlers'
headquarters move to Raleigh, North Carolina, they want their groupid changed to telephone area code 919.
We explain patiently that there is no reason to do that, but they're wrestlers, and a lot bigger than we are.
[root@system root]# groupmod -n defenders emperors
[root@system root]# groupmod -g 919 wrestle
[root@system root]# tail -8 /etc/group
wrestle:x:919:ventura,hogan,nero
governor:x:506:ventura,pataki,nero
ventura:x:508:
hogan:x:509:
pataki:x:510:
julius:x:511:
nero:x:512:
defenders:x:507:julius,nero
[root@system root]# ls -l /home
rha130-6.1-1
36
Adding, Modifying,
and Deleting Groups
total 32
-rw-rw---1 root
505
21 May 23 06:01 buddy.list
drwx-----2 hogan
hogan
4096 May 23 05:59 hogan
drwx-----2 julius
julius
4096 May 23 05:59 julius
drwx-----2 nero
nero
4096 May 23 06:07 nero
drwx-----2 pataki
pataki
4096 May 23 06:07 pataki
drwx-----2 student student
4096 May 22 04:18 student
drwx-----2 ventura ventura
4096 May 23 06:06 ventura
[root@system root]# chgrp wrestle /home/buddy.list
[root@system root]# ls -l /home
total 32
-rw-rw---1 root
wrestle
21 May 23 06:01 buddy.list
drwx-----2 hogan
hogan
4096 May 23 05:59 hogan
drwx-----2 julius
julius
4096 May 23 05:59 julius
drwx-----2 nero
nero
4096 May 23 06:07 nero
drwx-----2 pataki
pataki
4096 May 23 06:07 pataki
drwx-----2 student student
4096 May 22 04:18 student
drwx-----2 ventura ventura
4096 May 23 06:06 ventura
[root@system root]#
Changing the wrestle groupid did not change the groupid of the buddy-list, which still has the old groupid
505, for which no groupname now exists. So we fixed it with chgrp.
Exercises
Log in as root and do the following.
1. Use the useradd and groupadd commands to create the following users, and subscribe them to the
the specified secondary groups (which you must to create as well). Assign each user a password so
that they can login.
User
Secondary Groups
xander
mortal, greek
yves
mortal, greek
zeus
olympian, greek
2. Create a file /opt/id-list containing the word "hello". The file should be group owned by the
group mortal, and have a mode of 660.
3. Login as xander, and execute id >>/opt/id-list. Log out.
4. Login as yves, and execute id >>/opt/id-list. Log out.
5. Login as zeus, and execute id >>/opt/id-list, but the command should fail, since zeus is not
a mortal. Log out.
6. Change the groupid of group mortal to 12345.
7. Fix the groupid of /opt/id-list with chgrp so that it is again in group mortal.
8. Repeat steps 3, 4, and 5.
Deliverables
You should keep these users and groups for the Exercise in the next Lesson.
1.
rha130-6.1-1
37
Adding, Modifying,
and Deleting Groups
1. The three users tabled above, with the appropriate group memberships.
2. The groupid of the group mortal should be 12345.
3. The file /opt/id-list which contains the single word hello, followed by the output of four
id commands. The file should be correctly group owned by the group mortal.
Questions
1.
b.
c.
d.
31
e.
2.
-n
b.
-N
c.
-g
d.
-G
e.
--help
3.
-g
b.
-N
c.
-n
d.
-G
e.
--help
4.
rha130-6.1-1
After you change a group's groupid, what else should you do?
a.
fix the groupid on any files that were in their group with chgrp
b.
fix the groupid on any files that were in the group with groupmod
c.
fix the groupid on any files that were in the group with groupadd
d.
fix the userid on any files that were in the group with id
e.
fix the mode on any files that were in the group with chmod
38
Adding, Modifying,
and Deleting Groups
5.
Bob is in three groups, chess, scrabble, and bridge. Which command would add him to the
baseball group as well?
a.
b.
c.
d.
e.
6.
Ventura is in three groups, drama, poetry, and fencing. Which command would remove him from
fencing?
a.
b.
c.
d.
e.
7.
Which command changes the owner group of the file /etc/fstab to group wheel?
a.
b.
c.
d.
e.
8.
rha130-6.1-1
b.
c.
d.
e.
39
Discussion
A process (like your login shell and the programs you run) has a userid, a primary groupid, and possibly
some secondary group ids. Files and directories have an owner userid, an owner groupid, and 12 mode
bits. All of these work together to determine what rights a process has to do things like read, write, list,
and execute files and directories.
binary
permissions
000
---
001
--x
rha130-6.1-1
40
octal
binary
permissions
010
-w-
011
-wx
100
r--
101
r-x
100
rw-
111
rwx
When Linux creates a new file, it wants to give it mode 666. When Linux creates a new directory, it wants
to give it mode 777. However for each bit that is set in the umask, the corresponding bit will not be set
on the new file or directory.
For example, if your umask is 002, the "other write" bit will not be set on new files or directories. New
files will receive mode 664, and new directories will receive mode 775. This means you trust your files
to be edited by any members of the file's group.
Or if your umask is 022, the "group write" and "other write" bits will not be set on new files or directories.
New files will receive mode 644, and new directories will receive mode 755. This means you do not trust
your files to be edited by members of the file's group.
Or if your umask is 077, then no "group" bits nor any "other" bits will be set on new files or directories.
New files will receive mode 600, and new directories will receive mode 700. This means you do not want
anyone to other than yourself to even see your files.
Finally, if your umask is 000, no bits will be inhibited. New files will receive mode 666, and new directories
will receive mode 777. This means anyone can edit any of your files.
Your umask is set for you when you log in. Under Red Hat Enterprise Linux, umask defaults to 002 for
human users. This is important in the User Private Group scheme, which we will talk about soon.
For system users, the default umask is 022, slightly more restrictive. System users are not supposed to be
collaborating in the User Private Group scheme, like humans do.
You can change the umask for a shell with the umask command: umask NNN (where NNN are three
octal digits, 0 to 7). You can add a umask command to your ~/.bash_profile file, if you want to change
the default.
Set-Groupid Directories
When a process creates files or directories, usually the file or directory gets the same userid as the userid
of the process, and the same groupid as the primary groupid of the process.
[student@system student]$ id
uid=504(student) gid=504(student) groups=504(student),919(wrestle),923(magic)
[student@system student]$ mkdir /opt/normal
[student@system student]$ ls -la /opt/normal
total 8
drwxrwxr-x
2 student student
4096 May 27 16:14 .
drwxrwxrwt
3 root
root
4096 May 27 16:14 ..
[student@system student]$ date > /opt/normal/file
[student@system student]$ mkdir /opt/normal/dir
[student@system student]$ ls -la /opt/normal
total 16
drwxrwxr-x
3 student student
4096 May 27 16:14 .
drwxrwxrwt
3 root
root
4096 May 27 16:14 ..
drwxrwxr-x
2 student student
4096 May 27 16:14 dir
-rw-rw-r-1 student student
29 May 27 16:14 file
rha130-6.1-1
41
[student@system student]$
But if the directory inside which the new file or directory is created has its set-groupid bit set, then the
new file or directory will have the same groupid as the containing directory, and new directories will also
inherit the set-groupid bit. (This is true even if the user who is making the file or directory is not in the
group of the containing directory.)
[student@system student]$ id
uid=504(student) gid=504(student) groups=504(student),919(wrestle),923(magic)
[student@system student]$ mkdir /opt/magic
[student@system student]$ ls -la /opt/magic
total 8
drwxrwxr-x
2 student student
4096 May 27 16:17 .
drwxrwxrwt
4 root
root
4096 May 27 16:17 ..
[student@system student]$ chgrp magic /opt/magic
[student@system student]$ chmod g+s /opt/magic
[student@system student]$ date > /opt/magic/file
[student@system student]$ mkdir /opt/magic/dir
[student@system student]$ ls -la /opt/magic
total 16
drwxrwsr-x
3 student magic
4096 May 27 16:17 .
drwxrwxrwt
4 root
root
4096 May 27 16:17 ..
drwxrwsr-x
2 student magic
4096 May 27 16:17 dir
-rw-rw-r-1 student magic
29 May 27 16:17 file
[student@system student]$
Examples
A directory not shared with a group
The superuser has set the sticky bit on /opt and opens the other permissions, making it mode 1777, so any
user can create or install things there.
Hogan makes a directory /opt/fight-dir for notices about wrestling events, and he tells the other wrestlers
about it.
[hogan@system hogan]$ mkdir /opt/fight-dir
rha130-6.1-1
42
Ventura wants to add comments, but cannot, since it's all owned by user hogan and group hogan, with
no write privileges for the wrestling group.
[ventura@system ventura]$ ls -la /opt/fight-dir/
total 12
drwxrwxr-x
2 hogan
hogan
4096 May 23 06:17 .
drwxrwxrwt
12 root
root
4096 May 23 06:16 ..
-rw-rw-r-1 hogan
hogan
24 May 23 06:17 hh-event
[ventura@system ventura]$ echo "Wear Costume" >> /opt/fight-dir/hh-event
-bash: /opt/fight-dir/hh-event: Permission denied
[ventura@system ventura]$ echo "Wear Costume" > /opt/fight-dir/hh-note
-bash: /opt/fight-dir/hh-note: No such file or directory
[ventura@system ventura]$
So Ventura makes his own /opt/fight-club directory, and correctly puts it in group wrestle with the setgroupid bit on the directory. Then he copies Hogan's file, and adds his own comment to it.
[ventura@system
[ventura@system
[ventura@system
[ventura@system
[ventura@system
[ventura@system
total 12
drwxrwsr-x
2
drwxrwxrwt
13
-rw-rw-r-1
ventura]$
ventura]$
ventura]$
ventura]$
ventura]$
ventura]$
ventura
root
ventura
mkdir /opt/fight-club
chgrp wrestle /opt/fight-club/
chmod g+s /opt/fight-club/
cat /opt/fight-dir/hh-event >/opt/fight-club/hh-party
echo "Wear costume" >> /opt/fight-club/hh-party
ls -la /opt/fight-club/
wrestle
root
wrestle
Now Nero, a member of group wrestle, can make a subdirectory raves and and his own file Dec-31-party.
[nero@system nero]$ cat /opt/fight-club/hh-party
Oct 31 at Haunted House
Wear costume
[nero@system nero]$ echo "Play violin" >> /opt/fight-club/hh-party
[nero@system nero]$ mkdir /opt/fight-club/raves
[nero@system nero]$ echo "Rave on Capri Island" > /opt/fight-club/raves/Dec-31-party
[nero@system nero]$ ls -laR /opt/fight-club/
/opt/fight-club/:
total 16
drwxrwsr-x
3 ventura wrestle
4096 May 23 06:44 .
drwxrwxrwt
13 root
root
4096 May 23 06:38 ..
-rw-rw-r-1 ventura wrestle
49 May 23 06:44 hh-party
drwxrwsr-x
2 nero
wrestle
4096 May 23 06:45 raves
/opt/fight-club/raves:
total 12
drwxrwsr-x
2 nero
wrestle
4096 May 23 06:45 .
drwxrwsr-x
3 ventura wrestle
4096 May 23 06:44 ..
-rw-rw-r-1 nero
wrestle
21 May 23 06:45 Dec-31-party
The recursive listing of the fight-club directory shows all files are in the group wrestle, and the raves
directory mode drwxrwsr-x (notice the s in the middle) shows the set-groupid bit was inherited by the
raves subdirectory.
Exercises
Use the same users xander, yves, and zeus and their groups mortal, greek, and olympian from the last
exercise.
rha130-6.1-1
43
1. Create the directory /opt/tags, group owned by the group mortal, with a mode of 777.
2. Additionally, make the directory /opt/tags a SGID directory (by setting the set-group-ID bit).
3. Login as xander. Make a directory /opt/tags/xander and then execute id > /opt/tags/
xander/id. Logout.
4. Login as yves. Make a directory /opt/tags/yves and then execute id > /opt/tags/yves/
id. Logout.
5. Login as zeus. Make a directory /opt/tags/zeus and then execute id > /opt/tags/zeus/
id. Logout.
Deliverables
1.
The seven files listed below, with the appropriate ownerships and permissions.
File
User Owner
Group Owner
Mode
/opt/tags/
(unspecified)
mortal
2777
/opt/tags/xander/
xander
mortal
2775
/opt/tags/yves/
yves
mortal
2775
/opt/tags/zeus/
zeus
mortal
2775
/opt/tags/xander/id
xander
mortal
664
/opt/tags/yves/id
yves
mortal
664
/opt/tags/zeus/id
zeus
mortal
664
Questions
Frodo Baggins logs in and changes to his favorite directory, /earth/middle. He examines his id and his
umask, and does a directory listing, which shows four subdirectories. (Assume the four subdirectories
are all empty.)
Frodo then executes eight commands making files or directories. Each command might succeed or fail. If
the command should succeed, answer the question with choice a, b, c, or d. If the command should fail,
answer e: command failed.
[frodo@system frodo]$ id
uid=513(frodo) gid=513(frodo) groups=513(frodo),924(hobbit),925(ring),926(brave),927(lucky)
[frodo@system frodo]$ umask
0002
[frodo@system frodo]$ cd /earth/middle/
[frodo@system middle]$ ls -l
total 16
drwxrwx--2 aragorn brave
4096 Mai 29 00:04 gondor
drwx-----2 sauron
ring
4096 Mai 29 00:04 mordor
drwxrwxrwx
2 durin
dwarf
4096 Mai 29 00:04 moria
drwxrws--2 bilbo
hobbit
4096 Mai 29 00:04 shire
[frodo@system middle]$
1.
rha130-6.1-1
rwxrwxrwx
b.
rwxrwxr-x
44
c.
rw-rw-r--
d.
rwxrwsr-x
e.
command failed
2.
rwxrwxrwx
b.
rwxrwxr-x
c.
rw-rw-r--
d.
rwxrwsr-x
e.
command failed
3.
frodo
b.
hobbit
c.
ring
d.
brave
e.
command failed
4.
frodo
b.
hobbit
c.
ring
d.
brave
e.
command failed
5.
rwxrwxrwx
b.
rwxrwxr-x
c.
rw-rw-r--
d.
rwxrwsr-x
e.
command failed
6.
rha130-6.1-1
rwxrwxrwx
b.
rwxrwxr-x
45
c.
rw-rw-r--
d.
rwxrwsr-x
e.
command failed
7.
rwxrwxrwx
b.
rwxrwxr-x
c.
rw-rw-r--
d.
rwxrwsr-x
e.
command failed
8.
rha130-6.1-1
rwxrwxrwx
b.
rwxrwxr-x
c.
rw-rw-r--
d.
rwxrwsr-x
e.
command failed
46
Discussion
Why Access Control Lists?
With any security system, there is a tension between flexibility and manageability. The standard Unix
permission model tends to be simple enough to be manageable, and still flexible enough to satisfy most
situations. Still, there's some situations that it cannot handle. For those cases, there's acls.
Consider a group of physicists, all members of the group physics, who feel that physics doesn't have enough
popular support. They have hired a group of musicians (members of the group music) to develop a physics
theme song. The musicians set up a collaborative file.
[prince@station ~]$ cat > physics_theme
logarithm, logarithm, tangent, sine,
three point one four one five nine
CTRL-D
[prince@station ~]$ chgrp music physics_theme
[prince@station ~]$ chmod 660 physics_theme
[prince@station ~]$ ll physics_theme
-rw-rw---- 1 prince music 72 Sep 25 09:43 physics_theme
Because the file is group owned by music, and group writable, all musicians can work on improving the
theme song. But what if the physicists would like to review it? Is there a way to set the permissions so
that all musicians can modify it, all physicists read it, but all others have no access? Not without access
control lists.
rha130-6.1-1
47
Filesystem Access
Control Lists ("acls")
group::rwother::---
Using the setfacl command, additional acls can be added to a file. The following three commands allow
members of the group physics to read the file, the otherwise unrelated user bob to read and write the file,
and the unrelated user ventura read-only access.
[prince@station ~]$ setfacl -m g:physics:rw physics_theme
[prince@station ~]$ setfacl -m u:bob:rw physics_theme
[prince@station ~]$ setfacl -m u:ventura:r physics_theme
Formally, each line is referred to as an entry, and entries can be categorized as one of the following types.
Comment
file owner
ACL_USER_OBJ
user::
individual
users
ACL_USER user:user:
0+
file
group ACL_GROUP_OBJ
group::
owner
individual
groups
ACL_GROUP group:group: 0+
mask
ACL_MASK mask::
0 or 1
for
All of the entries should make sense, with the exception of the mask. They are just the standard user, group,
and other permissions, with explicitly added individual users and explicitly added individual groups.
The mask is an automatically generated entry, which can be manually tweaked to constrain the maximum
permissions that apply to any additional user and group. In general, getfacl will automatically manipulate
the mask to allow whatever permissions were specified, so the mask can usually be ignored.
When a process attempts to access a file, the following steps are applied.
1. If the process user is the file owner, the standard owner permissions apply.
2. If the process user matches any additional user entries, the matched masked permissions apply.
3. If the process groups contain the file owner group, and there is no mask, the standard group permissions
apply.
rha130-6.1-1
48
Filesystem Access
Control Lists ("acls")
4. If the process groups contain any listed group, and there is a mask, the matched masked permissions
apply.
5. Otherwise, the other permissions apply.
While a bit involved, unless someone has been manually tweaking the mask, in most cases one can mentally
reduce the list to the following.
1. Am I the file owner or a group owner? Then do the standard Unix thing.
2. Am I an additionally listed user or group? Then the matched permissions apply, with user permissions
taking precedence.
3. Otherwise, I'm stuck with the other permissions.
The first field qualifies the type of entry, and can be abbreviated using first letters (u|g|o|m). The second
field is only relevant with user and group, and specifies a specific user/group, or, if blank, falls back to
the file user/group owner. The last field is used to specify the permissions.
Of course, if one merely wants to manipulate the user owner, group owner, or other permissions, the chmod
command can still be used, without tampering with any additional user or group permissions.
As a quick example, the setfacl command above could be reduced to the following single command.
[prince@station ~]$ setfacl -m g:physics:rw,u:bob:rw,u:ventura:r physics_theme
[prince@station ~]$ getfacl physics_theme
# file: physics_theme
# owner: prince
# group: music
user::rwuser:ventura:r-user:bob:rwgroup::rwgroup:physics:rwmask::rwother::---
The setfacl(1) man page reveals more options, with -R (recurse) and -b (remove all) perhaps being the
most relevant.
rha130-6.1-1
49
Filesystem Access
Control Lists ("acls")
Interestingly, getfacl doesn't report the SGID bit, but an ls -ld will convince you that it's there. The
new default permissions, however, are reported.
[prince@station ~]$ ls -ld physics_rocks
drwxrws---+ 2 prince music 4096 Sep 25 11:38 physics_rocks
What happens when a file is created within the directory? The combination of a SGID directory with
default acls makes it "just work".
[prince@station ~]$ cat > physics_rocks/another_ditty.txt
vector vector eigenstate
what do we appreciate
CTRL-D
[prince@station ~]$ getfacl physics_rocks/another_ditty.txt
# file: physics_rocks/another_ditty.txt
# owner: prince
# group: music
user::rwgroup::rwx
#effective:rwgroup:physics:r-mask::rwother::---
(Note the odd interplay between the group permissions, which inherited the execute bit, and the mask,
which strips it off again. A little odd, but it works. Tweaking the default group permissions on the directory
will lead to more sane behavior.)
rha130-6.1-1
50
Filesystem Access
Control Lists ("acls")
The ls -l command reports the presence of additional acls by appending a "+" to the standard permissions.
Look closely at the above transcript, and you'll see it.
The mv command attempt to preserve acls, and warns if it cannot. (The destination filesystem may not
support acls.)
The cp command does not by default preserve acls, but will attempt to if -p is specified. (This is exactly
analogous to how it handles standard permissions).
Confusingly, the mount command is unaware of this implicitly added mount option.
[root@station ~]# mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
...
A Final Word
One final word of warning. Filesystem acls provide a necessary solution to some problems, but should not
be overused. Here's some of the reasons why.
If every file and directory were to have custom acls, it could become very difficult to keep track of who
has access to what. It's hard enough already with the standard user/group/other model.
People don't expect them. About the only available clue that acls are present is the subtle "+" that gets
added to the output of ls -l. Most graphical interfaces, such as Nautilus, don't reveal acls.
Utilities don't expect them. The basic ls, cp, and mv commands know about them, but many others,
such as tar, do not.
Not all filesystems support acls. The default ext4 filesystem does, but many others do not.
rha130-6.1-1
51
Filesystem Access
Control Lists ("acls")
Examples
Access to Removable Media
In Red Hat Enterprise Linux, access to removable media such as the CDROM device is granted using
ACLs. The device file is often owned by root but the group may be related to the function of the device.
A user who logged in locally to the system, in this case elvis may also be granted access with an ACL.
[elvis@station ~]$ getfacl /dev/sr0
getfacl: Removing leading '/' from absolute path names
# file: dev/sr0
# owner: root
# group: cdrom
user::rwuser:elvis:rwgroup::rwmask::rwother::---
As implied, the logged in user may access the sound card, as well as the system user gdm (who manages
the login screen). A user who logged in over the network, however, would have no access.
Research
A group of researchers is trying to determine if early childhood bubblegum chewing correlates with bad
adulthood karaoke singing. They would like to set up a collaborative /research directory, in which
members of the chewsing group will automatically have read and write access to newly created files.
The JuicyChew corporation, which is funding the research, would like to ensure that science discovers
a commercially palatable answer. They demand that all members of the group juicychew be able to read
every newly created file. The researchers would like to insure that the cannot modify the files.
A reporter has also become interested in the results, so the user kclint should be able to read newly created
files as well.
1. Create the new secondary group chewsing, and add the already existing users einstein and maxwell to
the group.
2. Create the new secondary group juicychew, and the new users jc_ceo and jc_cto. Add both users to
the group juicychew.
rha130-6.1-1
52
Filesystem Access
Control Lists ("acls")
3. Create the new user kclint, who should not be a member of any secondary groups.
4. Create the directory /research. Use some combination of SGID bits and filesystem acls so that
newly created files in the directory are readable by the group juicychew, readable and writable by the
group chewsing, and readable by the user kclint. All other users should have no access to any of the
directory's contents.
Deliverables
1.
chewsing
read-write
group
juicychew
read
user
kclint
read
Cleaning Up
The JuicyChew corporation is not happy with the direction the research is taking, and has provided
additional funding to hide the fact that the research ever took place.
Remove the newly created users, the newly created groups, and the /research directory. Leave the
users einstein and maxwell with the original memberships in the physics group.
Questions
In the following, the term acl or acls is used to refer to Linux filesystem access control lists.
1.
getfacl
b.
ls -l
c.
lsacl
d.
mount
e.
2.
rha130-6.1-1
Which of the following command lines would allow the user elvis to read and write the file /dev/
dsp?
a.
b.
53
Filesystem Access
Control Lists ("acls")
c.
d.
e.
The governors are working on a proposed change to the wrestling laws. Use the output of the following
commands to answer the following questions.
[root@station ~]# groups ventura pataki hogan
ventura : ventura wrestle governor
pataki : pataki governor
hogan : hogan wrestle
[root@station ~]# getfacl proposed_wrestling_law
# file: proposed_wrestling_law
# owner: root
# group: governor
user::rwgroup::rwgroup:wrestle:r-mask::rwother::---
3.
What access does the user pataki have to the file proposed_wrestling_law?
a.
read only
b.
read write
c.
write only
d.
4.
What access does the user hogan have to the file proposed_wrestling_law?
a.
read only
b.
read write
c.
write only
d.
5.
The user ventura, being both a governor and a wrestler, has chosen to recuse himself. Which of the
following commands would not allow ventura to read or modify the file, while the same access is
preserved for all other members of the groups governer and wrestle?
a.
b.
c.
d.
e.
An administrator is configuring access to a /var/contrib directory. Use the output of the following
commands to answer the following questions. Assume that "contained files" are files that were created in
the directory, with permissions otherwise unmodified, for which the specified person is not the user owner.
rha130-6.1-1
54
Filesystem Access
Control Lists ("acls")
[root@station var]# groups elvis einstein
elvis : elvis music wrestle physics emperors
einstein : einstein physics
[root@station var]# ll -d contrib/
drwxrws---+ 2 root music 4096 Oct 1 06:48 contrib/
[root@station var]# getfacl contrib/
# file: contrib
# owner: root
# group: music
user::rwx
group::rwx
other::--x
default:user::rwdefault:user:elvis:rwdefault:group::r-default:group:wrestle:r-default:mask::rwdefault:other::---
6.
Which of the following may members of the group music (other than elvis) do?
a.
b.
c.
d.
e.
7.
Which of the following may members of the group wrestle (other than elvis) do?
a.
b.
c.
d.
e.
8.
b.
c.
d.
e.
9.
rha130-6.1-1
b.
c.
55
Filesystem Access
Control Lists ("acls")
d.
e.
Your friend is trying to create custom acls on a newly created directory in the tmpfs filesystem mounted
to /dev/shm.
[root@station ~]# mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
...
[root@station ~] mkdir /dev/shm/contrib
[root@station ~]# setfacl -m u:elvis:rw /dev/shm/contrib
setfacl: /dev/shm/contrib: Operation not supported
10.
rha130-6.1-1
b.
c.
The underlying filesystem must support filesystem acls, and the tmpfs filesystem does not.
d.
56
Discussion
The Name Service Switch
The Naming Problem
Frequently in a school or business setting, a large number of users want to share a large number of
computers, and the users don't usually care which computer they actually use. All of the computers should
understand the same set of names of users. Rather than giving each machine its own list of the names of
all users (this list might be frequently updated), it makes sense for one server machine to have the list, and
for the other computers to look up the usernames with the server over the network.
If you haven't thought about it, it might surprise you what a big issue naming is. Most of the options and
parameters you provide to shell commands are in fact naming things: the names of files and directories,
which are all relative to a mounted filesystem which must be somehow named; the names of users; the
names of other computers; the names of services and ports and protocols; email addresses which name
users or groups of users.
In the old days of UNIX, everyone in a department used the same minicomputer, and networking was rare.
Naming was very simple. Now most computers exist on networks with many other computers, using many
different protocols and kinds of naming, so we need a flexible way to work in this complex environment.
rha130-6.1-1
57
netmasks:
files
networks:
files
protocols: files
rpc:
files
services:
files
netgroup:
files
publickey: nisplus
automount: files
aliases:
files nisplus
[student@system student]$
(The grep -v command says only print lines that don't match the pattern. The pattern matches comment
lines, lines beginning with #. The hat character ^ matches the beginning of the line. So if this grep -v
command shows us the non-comment lines.)
The names on the left-hand side of the colons (passwd, group, hosts, etc.) are the different types of things
that need naming, called databases. The right-hand side items are which sources to use for each database.
Any time the system needs to look up records for the things on the left-hand side, it consults the sources
on the right-hand side, in the specified order, to find them.
Databases
Here's what some of the databases on the left-hand side of the colons mean:
passwd, shadow, group
hosts
automount
aliases
Database Sources
Here's the meaning of some of the database sources that might be found on the right hand side of the colons:
files
Consult the usual files that are used to configure a single system. Usually you want to
put files first on any line where it makes sense, so that local changes override networkwide information when exceptions need to be made for one system for a short while.
nis
The Network Information Service, created in the 1980s and widely used on UNIX
systems.
Like the network filesystem NFS, it was designed back in the days before the global
Internet, when everyone on your network was considered friendly. In the presence of
rha130-6.1-1
58
today's Internet, its security is woefully insufficient, so you need to make sure your
NIS server and traffic is firewalled or otherwise protected from the Internet.
nisplus
nisplus is a version of NIS with many security enhancements, including a public key
mechanism for authenticating hosts.
ldap
sss
New in Red Hat Enterprise Linux 6, System Security Service Daemon (SSSD) is a
service which provides access to different identity and authentication providers. When
using the authentication configuration tool in Red Hat Enterprise Linux 6, SSSD is
the default database source configured when the adminstrator selects LDAP for user
account information.
hesiod
A project from MIT, Hesiod takes advantage of the mechanism of the Internet Domain
Name Service (DNS) to publish other kinds of records, such as user information. DNS
has proven itself as a highly stable, robust, and scalable mechanism, so it makes sense
to use it as the source for other information besides just Internet domain names.
When looking for a password entry for username elvis, Linux will look first in files (in this case, /etc/
passwd). If it's not found there, it'll consult LDAP. If it's not found there, then it'll try NIS.
When looking for the network address of a host name, first it consults /etc/hosts. If it's not there, it tries
NIS. If it's not there, it uses the Internet's global Domain Name Service (DNS). (dns is only allowed for
the hosts database.)
rha130-6.1-1
59
They developed a Standalone LDAP Server (slapd) to run on the TCP/IP network and eliminate the need
for the gateway and original X.500 protocol.
Today there are a number of (standalone) LDAP servers including OpenLDAP, Netware Directory
Services, a component of Active Directory, and the Red Hat Directory Server product. The server setup
includes a schema which defines the tree structure and the valid names and values for attributes used in
the directory. Unfortunately not all products use the same schema resulting in mismatches of attributes.
For example one client may request the value for uid but if the directory does not use that attribute there is
no answer. Perhaps that server product uses the attribute name uidnumber instead. Mapping can be setup
for cross platform environments but it well beyond the scope of our discussion in this class.
LDAP can also be used to store account and authentication information, as we will access in the example
below. To configure the client system to use LDAP for centralized users, you must obtain from the
administrator the following pieces of information:
Base DN
Every entry in the directory server has a unique name known as the
distinguished name. All the entries are placed into a tree hierarchy. The
Base Distinguished Name, or Base DN, is the unique name for the entry
point into the tree. It is the root of where your system will look for the
entries it needs to authenticate users. The administration of the server
will provide you with a base name such as "dc=example,dc=com" or
"ou=People,dc=mycompany,dc=com" It is very common for the base
DN to have components which look similar to your TCP/IP domain
name.
Server FQDN.
CA Certificate
Unlike NIS, there is not a client daemon that needs to run when using LDAP for authentication. Red
Hat Enterprise Linux includes OpenLDAP packages to provide configuration files, library calls, and
administration and user client tools. The base DN and server URL are stored in the /etc/openldap/
ldap.conf file and the CA certificate is stored in the /etc/openldap/cacerts directory. When
using sssd the configuration is stored in the /etc/sssd/sssd.conf file.
Although not required for centralized authentication, the most common LDAP client tools used in Linux
are provided in the openldap-clients package. These tools include commands such as ldapadd and
rha130-6.1-1
60
ldapmodify which an administrator might use to add or modify entries in the directory. Also included are
commands such as ldapsearch which a user or application could call to query the directory.
There are NIS clients and NIS servers. There will usually be lots of NIS client machines. In the simplest
case, there might be just one NIS server. There can actually be multiple servers, but we'll talk about the
case with a single server here.
The server runs a program called ypserv that has databases of information like password, group, and hosts
records. These databases are usually compiled from the usual /etc/passwd, /etc/group, /etc/hosts, etc. files
on the NIS server machine. Using NIS terminology, the various databases are referred to as NIS maps.
NIS clients run a program named ypbind. When the /etc/nsswitch.conf file on the client machine
indicates that NIS is a source for a certain type of record, the NIS client will request the needed record
over the network, and the NIS server should respond with the record, or respond that there is no such
record for that request. The ypbind command is usually started at bootup, and is implemented as a Red
Hat Enterprise Linux service of the same name. Consequently, it can be started with the service command,
and configured to start automatically with chkconfig.
Because it is possible to have multiple different NIS namespaces (called NIS domains) on a network, the
clients and servers are configured with an NIS domain name. NIS clients with domain name engineering
will make queries to NIS servers named engineering and not to NIS servers named marketing. This NIS
domain name is configured (on Red Hat Enterprise Linux) in /etc/sysconfig/network, but it is actually
read from or written to the Linux kernel with the domainname command. Clients can also be configured
with the network address of the NIS server they are to use.
rha130-6.1-1
61
NIS servers can be configured with a range of client network addresses from which they should answer
requests. Requests coming from outside these address ranges are considered unfriendly, and are ignored.
These addresses are configured in the file /etc/ypserv.conf.
Most of the commands in NIS begin with the two letters yp, like ypbind and ypserv. (That's for historical
reasons: the system once had a different name which began with the initials Y and P, but the name had
to be changed because it might be confused with a certain trademarked type of telephone directory with
pages dyed yellow.)
You must provide some parameters for the naming mechanisms that you enable. With the "Local accounts
only" there is not anything to configure. For NIS, it is the domain name (e.g. campus) and the address
of the server (e.g. 192.168.0.222). For LDAP, it is the Base DN, the server's FQDN, and the location of
the CA Certificate.
rha130-6.1-1
62
The other panel allow you configure advanced options including fingerprint reader and smart card support.
This is also where the password encryption algorithm can be changed if necessary.
When you choose Apply, the command finishes by editing files and turning services on and off. The
effects take place immediately.
A non-interactive version, called authconfig, can also take command line options to do things from a
non-interactive script. Read the man page (man 8 authconfig) if you want to see all of them. There is
also a text version, invoked as authconfig-tui. On a related note, kickstart installation scripts can use the
auth keyword, followed by the same command line switches which authconfig supports, to automatically
configure a client upon installation.
rha130-6.1-1
63
The easiest way to configure SSSD is to use the system-config-authentication utility. Configuration
information will be added to the /etc/sssd/sssd.conf. That file can be modified to tune cache
expiration times, configure additional domains, and change the debug level for increased logging. Log
output is placed in the /var/log/sssd directory.
getent
Use getent passwd username to verify the account information being used. The works whether the user
is a local user defined in /etc/passwd or a network user from an LDAP service. The command will
always show the definition that is actually being used by the system if there is any duplication between
local users and network users. By default, the local user definition overrides the network user definition.
[root@system root]# getent passwd einstein
einstein:$2$Kr41Cegm$CUlvRxN1uFKYNICMqhCyD.:4203:4203::/home/einstein:/bin/bash
[root@system root]# getent passwd sean
sean:$2$nuDwf7B.$jX9tdh6AC/sHhcAWKZzCd1:4202:4202::/home/sean:/bin/bash
Notice that the administrator who created the LDAP user databases started them with userid 4200, so that
they would not collide with userids created on typical workstations, which start with userid 500.
Note
In Red Hat Enterprise Linux 6, getent passwd (without specifying a username) will only dump
out local usernames by default, it will not dump out the list of all LDAP users as it did in Red Hat
Enterprise Linux 5. This is done for performance reasons; see sssd.conf(5) under the enumerate
option for details. (This behavior can be changed by setting enumerate = True in the [domain/
default] section of /etc/sssd/sssd.conf).
Examples
We've got three tar files that we think Einstein would like. We try to chown them to him, but he doesn't
have an account on our local system. We know he has an account in LDAP, but LDAP is not enabled in
our /etc/nsswitch.conf.
[root@system root]# ls -l /tmp/*.tar
-rw-r--r-1 root
root
1423360 May 23 04:36 /tmp/gluons.tar
-rw-r--r-1 root
root
286720 May 23 04:36 /tmp/gravitons.tar
-rw-r--r-1 root
root
8130560 May 23 04:35 /tmp/higgs.tar
[root@system root]# chown einstein /tmp/gravitons.tar
chown: `einstein': invalid user
[root@system root]# grep einstein /etc/passwd
[root@system root]# grep passwd: /etc/nsswitch.conf | grep -v ^#
passwd:
files
[root@system root]#
So we look up the options for authconfig to enable LDAP. We will need to enter the base DN
dc=campus,dc=example,dc=com and the server rha-server.example.com. We also need to enable TLS
encryption and download the CA certificate.
[root@station ~]# authconfig --help| grep ldap
--enableldap
enable LDAP for user information by default
--disableldap
disable LDAP for user information by default
--enableldapauth
enable LDAP for authentication by default
--disableldapauth
disable LDAP for authentication by default
--ldapserver=<server>
--ldapbasedn=<dn>
default LDAP base DN
--enableldaptls, --enableldapstarttls
rha130-6.1-1
64
--disableldaptls, --disableldapstarttls
--ldaploadcacert=<URL>
[root@station ~]# authconfig --enableldap --enableldapauth \
--ldapserver="rha-server.example.com" \
--ldapbasedn="dc=campus,dc=example,dc=com" --enableldaptls \
--ldaploadcacert="http://rha-server.example.com/pub/course-ca.cert" \
--update
Starting sssd:
[ OK ]
Painters have come to paint our office, so we need to unplug our Ethernet connection. We shut it down
first with the ifdown command.
But because we have the sssd on, we can still use Einstein's account, at least for a while.
[root@system
[root@system
[root@system
-bash-2.05b$
logout
But if we stop the sssd service, using Einstein's user name will invoke sss and in turn LDAP, which now
fails because the network is down.
[root@system root]# service sssd stop
Stopping sssd:
[root@system root]# chown einstein /tmp/higgs.tar
chown: invalid user: `einstein'
OK
Exercise
Lab Exercise
Objective: Bind, unbind, and understand the repercussions of using an LDAP domain.
Estimated Time: 45 mins.
Specification
1. Run system-config-authentication to make sure that all options are off, except MD5 and Shadow
Passwords. In particular, be sure NIS and LDAP are off. As a precaution, make a backup of the file /
etc/nsswitch.conf, called /etc/nsswitch.conf.bak.
rha130-6.1-1
65
2. Using the groupadd command, create the following groups, making sure to set the group ID's
appropriately.
Group
Group ID (-g)
vegetable
21100
spinach
21001
tomato
22102
squash
22103
3. Using the useradd command, create the following users, making sure to specify their user ID, primary
group, and secondary group memberships appropriately. Set their passwords, so that you may log in
as the appropriate users.
User
User ID (-u)
spinach
21001
spinach
vegetable
tomato
22102
tomato
vegetable
squash
22103
squash
vegetable
4. Create the empty file /opt/file_ids, set the group owner to vegetable, and the permissions to
664. Log in as each of the three users spinach, tomato, and squash, in that order, and run the following
command.
[spinach@station spinach]# id >> /opt/file_ids
If you have performed the steps correctly, you should be able to reproduce the following output exactly.
[root@station root]# cat /opt/file_ids
uid=21001(spinach) gid=21001(spinach) groups=21001(spinach),21100(vegetable)
uid=22102(tomato) gid=22102(tomato) groups=22102(tomato),21100(vegetable)
uid=22103(squash) gid=22103(squash) groups=22103(squash),21100(vegetable)
If you are not able to reproduce this output, you should correct your setup before continuing.
5. Create the file /opt/fruity, with arbitrary contents, set its permissions to 660, and its group
owner to 22901. (Because there is no group 22901 defined, you will have to specify the group owner
numerically). If configured correctly, you should be able to reproduce the following command.
[root@station root]# ls -l /opt/fruity
-rw-rw---1 root
22901
29 Dec
3 10:07 /opt/fruity
(Notice that the kernel is perfectly willing to identify a group by its numeric group ID, even if the
corresponding group is not defined!)
6. Run system-config-authentication to turn on LDAP for both account information and authentication.
Use the server rha-server.example.com and the baseDN dc=rha,dc=example,dc=com. The CA
Certificate is available at http://rha-server/pub/RHA-CA-CERT.crt
For your information, the LDAP server should provide the following groups and users.
rha130-6.1-1
Group
Group ID (-g)
rhanis
22900
fruit
22901
mango
22101
66
Group
Group ID (-g)
tomato
22102
melon
22103
User
User ID (-u)
mango
22101
mango
rhanis,fruit
tomato
22102
tomato
rhanis,fruit
melon
22103
melon
rhanis,fruit
If you compare the LDAP defined users to the locally defined users, you will discover collisions in
the user and group definitions. The remainder of this lab explores some of the repercussions of these
collisions.
7. Create the file /opt/file_sss_ids, set the group owner to vegetable, and the permissions to 660.
Again, login to the machine using the users spinach, tomato, and squash, in that order, and run the
following command.
[spinach@station spinach]# id >> /opt/file_sss_ids
You should be able to reproduce the following output, ignoring the SELinux context at the end of each
line.
[root@station root]# cat /opt/file_sss_ids
uid=21001(spinach) gid=21001(spinach) groups=21001(spinach),21100(vegetable)
uid=22102(tomato) gid=22102(tomato) groups=22102(tomato),21100(vegetable),22900(
rhanis),22901(fruit)
uid=22103(squash) gid=22103(squash) groups=22103(squash),21100(vegetable)
Notice that, by binding to the LDAP domain, the user tomato has gained two group memberships,
namely rhanis and fruit.
8. Log in as the user tomato, and append the text "now i am a fruit" to the file /opt/fruity. (If you
observe the file with the ls -l command, note that the kernel now has a group to associate with group
ID 22901).
9. Using a text editor, edit the file /etc/nsswitch.conf, so that sss precedes files for the passwd,
group, and shadow databases. When finished, the relevant lines from the file /etc/nsswitch.conf
should look like the following.
passwd:
shadow:
group:
sss files
sss files
sss files
10.Create the file /opt/sss_file_ids, set the group owner to vegetable, and the permissions to 660.
Again, login to the machine using the users spinach, tomato, and squash, in that order, and run the
following command.
[spinach@station spinach]# id >> /opt/sss_file_ids
11.Set the permissions of the file /opt/sss_file_ids to 666. Log in as the users mango (with the
password rhamango) and melon (with the password rhamelon), each time appending the output of the id
command to the file /opt/sss_file_ids. Again, do not let the lack of a home directory deter you.
When completed, you should be able to reproduce the following output (again ignoring the SELinux
context).
[root@station root]# cat /opt/sss_file_ids
uid=21001(spinach) gid=21001(spinach) groups=21001(spinach),21100(vegetable)
uid=22102(tomato) gid=22902(tomato) groups=22102(tomato),22900(rhanis),22901(fru
it),21100(vegetable)
uid=22103(melon) gid=22103(melon) groups=22103(melon),21100(vegetable)
uid=22101(mango) gid=22101(mango) groups=22101(mango),22900(rhanis),22901(fruit)
uid=22103(melon) gid=22103(melon) groups=22103(melon),22900(rhanis),22901(fruit)
Deliverables
1.
1. The three locally defined users spinach, tomato, and squash, with the above mentioned
specifications.
2. A machine bound to the LDAP baseDN dc=rha,dc=example,dc=com located on the rhaserver.example.com server.
3. The files /opt/file_ids, /opt/file_sss_ids, and /opt/sss_file_ids, which
contain the output listed above.
4. The file /opt/fruity, group owned by the group fruit, with the text "now i am a fruit".
Cleaning Up
When finished, use system-config-authentication to disble LDAP account and authentication information
and use local accounts only.
Questions
1.
This line is in our /etc/nsswitch.conf file: passwd: files nis ldap. Which source is searched first
for passwd records?
a.
NIS
b.
LDAP
c.
/etc/passwd
d.
DNS
e.
ypbind
2.
rha130-6.1-1
This line is in our /etc/nsswitch.conf file: hosts: files nis dns. Which source is searched last for
hosts records?
a.
NIS
b.
LDAP
c.
/etc/passwd
68
d.
DNS
e.
ypbind
3.
Which of the following is required when using an LDAP server for account information and
authentication?
a.
b.
c.
A CA Certificate
d.
Answers A and B
e.
4.
b.
c.
d.
e.
5.
TLS encrypts the communication before LDAP sends passwords across the network.
b.
TLS verifies that the client is connected to the correct server before placing passwords on the
network.
c.
TLS converts the plain text password into the correct hash before sending it across the
network.
d.
Both A and B
e.
6.
NIS
b.
LDAP
c.
files
d.
DNS
e.
ypbind
7.
rha130-6.1-1
69
b.
c.
d.
e.
8.
b.
c.
d.
Is extensible for use with new identity sources and authentication methods
e.
9.
/etc/sssd/
b.
/var/log/messages
c.
/var/log/sssd
d.
/sssd/logs
e.
/var
10.
rha130-6.1-1
b.
c.
d.
e.
70
Discussion
In this chapter we'll talk about how users customize their environment and about how the superuser can
change the default environment for all users.
We'll talk about 3 main ways the user's environment can be adjusted: environment variables, shell aliases
and functions, and application-specific initialization files (called profiles or dot-files or rc-files).
Environment Variables
Environment variables are an important feature of UNIX processes. The great thing about how
environment variables are done in UNIX is that they are not necessarily the same for every process on a
system. Each user can have a different environment in their processes. A new process inherits a complete
copy of the environment of its parent process, but it is also possible that the parent can alter the environment
of a new child process as it creates it.
rha130-6.1-1
71
4. Changing defaults for all future users (to be created with the useradd command)
5. Changing system wide (for all future logins)
The first date used the shell's default locale, which is the English language. The next date command
received the environment variable LC_TIME set to the value fr_FR, which means French language as
spoken in France. Its output was in fact in the French language. The third date command was told to print
in German, and it did. The last date command demonstrated that the previous environment changes were
not permanent; it printed in English again.
IMPORTANT: When you set environment variables, there must be no spaces either before or after the
= mark.
It takes two steps: first set the shell variable LC_TIME, and then tell it to export the shell variable into
the environment. This new environment will be inherited to all future commands spawned from this shell
(recursively).
IMPORTANT: Once again, don't use any spaces before or after the = mark.
rha130-6.1-1
72
The su command had the - option which means create a new login shell, so it did see the change.
Again, this applies only to new users. Existing users already have copies of the files from /etc/skel which
will not be changed.
Shell functions are more powerful than aliases, but are trickier to write:
[student@system student]$ function l () {
> if test -f "$1"
rha130-6.1-1
73
That defines a shell function l, a command which will execute either less or ls, depending on whether its
argument is a file or a directory:
[student@system student]$ l /etc/sysconfig/
atd
init
netconsole
auditd
ip6tables
network
authconfig
ip6tables-config networking/
autofs
ip6tables.old
network-scripts/
cbq/
iptables
nfs
cgconfig
iptables-config
nspluginwrapper
...
[student@system student]$ l /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=system.localdomain
NISDOMAIN=campus
/etc/sysconfig/network (END)
[student@system student]$
samba
sandbox
saslauthd
selinux@
smartmontools
snmpd
Aliases and functions are not inherited in the environment. They are usually intended to be convenient for
human users typing in interactive shells, and should not be used in non-interactive shells. Therefore it's
good that they are not in the environment, because all processes inherit the environment.
So we define shell aliases and functions in different files than the environment variables are defined in.
For a single user, put them in ~/.bashrc. To affect all future users, put them in /etc/skel/.bashrc. To affect
all users, but them in /etc/profile.d/local_functions.sh.
rha130-6.1-1
74
script shells
A Common Mistake
A common mistake is to initialize environment variables for shells that are not login shells. The inheritance
model is the correct way for non-login shells to receive their environment. Doing otherwise can lead to
confusion. For instance, you may start some non-login shells with a different PATH so that they will use
a newer or older version of the C compiler or Java interpreter than the default. If non-login shells set their
PATH at startup, it would undo the new PATH you were trying to use.
~/.bash_profile
~/.bashrc
/etc/bashrc
/etc/profile.d/*.sh
rha130-6.1-1
75
customized copies of shell initialization files. You can also use it to give new users customized copies of
initialization files for any command or application.
Examples
A system administrator with an extreme penchant for minimalism decides the shell prompt
[student@station student] is way too fancy, and he would rather it just be the word ok.
Notice only the subshell was affected, and after the subshell was exited, the original shell still had its
original prompt.
But there was a small problem: there's no space between the prompt and the commands he types, such
as date.
But he likes it well enough to set it on his original shell, with one small change: a space after the ok.
Double quotes can be used to include a space in the environment value:
[student@system student]$ PS1="ok "
ok export PS1
ok date
Mon May 26 04:29:52 GMT 2003
ok
That looks pretty good, so he's going to edit to /etc/profile so that everyone on the system can enjoy it:
[root@system root]# cat >> /etc/profile
PS1="ok "
export PS1
^D
[root@system root]# su - student_a
ok date
Seg Mai 26 04:33:01 GMT 2003
ok
He used single quotes around the arguments to echo, since double quotes were already used within the
arguments.
Exercise
Some of our users have been leaving large physics simulations inadvertently running in the background,
even after they log out. It's become such a problem that you've been asked to make a few changes to help
remind them when they have background jobs.
1. Define an alias j for the jobs command, so it's easier for users to list their jobs. This will be a systemwide alias, so put it at the end of the file /etc/bashrc.
rha130-6.1-1
76
2. We want every shell prompt to show how many jobs are running in the background, so we add \j jobs
to the beginning of the PS1 environment variable. (The PS1 environment variable controls the prompt
that an interactive bash shell prints when it is waiting for a command. The string \j in PS1 magically
turns into the number of background jobs. Oh by the way, this magic string \j has nothing to do with
the aliases j in the previous paragraph. The magic string is a feature of bash. It just happens to be the
same letter.)
A line like this will do it to:
PS1="\\j jobs $PS1"
In bash, the backslash must be escaped with a backslash, so that's why there are two of them. The
previous value of PS1 will be substituted where it appears after the $ inside the double quotes, so the
effect of this command is to add to the front of PS1. (It's always good if you can alter environment
variables by adding either to the front or to the end of them, so that multiple changes work together,
rather than clobbering each other.)
We want this environment change to be available system-wide, so put it in /etc/profile.
3. Finally we've been asked to alter the ls command so that it also lists a user's background jobs whenever
it is called from an interactive shell. The following shell function can do that:
function ls () { jobs ; /bin/ls "$@" ; }
Notice that you don't want the ls function to recursively call itself forever, so we have it call /bin/ls with
its absolute path. Also, the strange phrase "$@" is the best way to pass all arguments from function
ls on to command /bin/ls.
This change is considered too abrupt to spring on existing users -- it's kind of rude if their commands
suddenly behave very differently one day -- so we decide that we only want new users on the system
to have this version of ls. Therefore you should put it in /etc/skel/.bashrc.
You'll have to create a new user with useradd to test this one.
Deliverables
1.
1. A bash shell customized to the above specifications.
Questions
1.
shell aliases
b.
c.
userid
d.
environment variables
e.
umask
2.
rha130-6.1-1
script shells
77
b.
background jobs
c.
$PS1
d.
interactive shells
e.
windowing commands
3.
/etc/bashrc
b.
/etc/profile
c.
/etc/profile.d
d.
~/.bash_profile
e.
~/.bashrc
4.
b.
c.
d.
e.
5.
b.
c.
d.
e.
6.
b.
c.
d.
e.
7.
rha130-6.1-1
78
b.
c.
d.
e.
No files
8.
When RPM packages are installed, they might put shell initialization files where?
a.
In /etc/skel
b.
In /etc/profile.d
c.
In /root
d.
In /etc
e.
9.
rha130-6.1-1
LC_TIME
b.
PATH
c.
PS1
d.
BASH
e.
PROMPT
79