Facultat d'Informàtica de Barcelona, Univ. Politècnica de Catalunya - PowerPoint PPT Presentation



SLIDE 1

Facultat d'Informàtica de Barcelona
Univ. Politècnica de Catalunya

Administració de Sistemes Operatius (Operating Systems Administration)

Users management

SLIDE 2

Topics

  • 1. Introduction to OS administration
  • 2. Installation of the OS
  • 3. Users management
  • 4. Applications management
  • 5. System monitoring
  • 6. Maintenance of the file system
  • 7. Local services
  • 8. Network services
  • 9. Protection and security

SLIDE 3

Objectives

Knowledge
  • System data bases (users, passwords...)
  • Permissions and protections
    • Files and directories
    • SETUID/SETGID bits

Abilities
  • Users maintenance
    • Creating user accounts
    • Groups and group membership
    • Account disabling and deletion

Commands and files
  • chmod, chown, id, useradd, userdel, umask
  • /etc/passwd, /etc/group, /etc/shadow

SLIDE 4

System data bases

[Diagram of the four data bases and how their records relate to users:]
  • /etc/passwd: users
  • /etc/group: groups; users to groups is N:M (a user belongs to several groups, a group has several members)
  • /etc/shadow: passwords; users to passwords is 1:1 (one shadow entry per user)
  • /etc/aliases: e-mail aliases; users to aliases is N:M (an alias can reach several users, a user can be reached by several aliases)

SLIDE 5

/etc/passwd

Readable by all users (only root can write it)

username:passwd:uid:gid:real-name:homedir:shell

  • root:x:0:0:root:/root:/bin/bash
  • bin:x:1:1:bin:/bin:/sbin/nologin
  • daemon:x:2:2:daemon:/sbin:/sbin/nologin
  • adm:x:3:4:adm:/var/adm:/sbin/nologin
  • lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  • sync:x:5:0:sync:/sbin:/bin/sync
  • shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  • halt:x:7:0:halt:/sbin:/sbin/halt
  • mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
  • news:x:9:13:news:/etc/news:
  • nobody:x:99:99:Nobody:/:/sbin/nologin
  • sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
  • aramirez:x:500:500:Alex Ramirez, C6117, 54040:/home/aramirez:/bin/bash
SLIDE 6

/etc/group

Several users can belong to the same group
  • Each user has a main group (/etc/passwd)
  • Each group has a list of members

groupname:passwd:gid:username,username...

  • root:x:0:root
  • bin:x:1:root,bin,daemon
  • daemon:x:2:root,bin,daemon
  • sys:x:3:root,bin,adm
  • adm:x:4:root,adm,daemon
  • tty:x:5:
  • disk:x:6:root
  • lp:x:7:daemon,lp
  • mem:x:8:
  • kmem:x:9:
  • wheel:x:10:root
  • mail:x:12:mail
  • news:x:13:news
  • uucp:x:14:uucp
  • man:x:15:
  • games:x:20:
  • ftp:x:50:
  • nobody:x:99:
  • users:x:100:aramirez
  • aramirez:x:500:
SLIDE 7

/etc/shadow

Only root can read and write /etc/shadow

Encrypted passwords and the password expiration policy:

username:passwd:expiration policy

The expiration policy fields are day counts: date of the last change (days since 1970-01-01), minimum and maximum time between changes, warning period, inactivity period, and the account expiration date.

passwd allows the password to be changed; chage allows the expiration policy to be changed:
  • minimum/maximum amount of time between changes
  • account expiration date

  • root:$1$iVKd84gQ$IV7vHG0CHdIGGnYnNs00E/:12260:0:99999:7:::
  • bin:*:12260:0:99999:7:::
  • daemon:*:12260:0:99999:7:::
  • ...
  • aramirez:$1$jGmk47hy$6Lkk.QYrMI67qPqvhTCdS.:12262::99999::::
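As an added example (not from the slides), the three data bases of slides 5 to 7 parsed and joined in Python. The records are constructed, abridged copies of the slide examples, plus a made-up second UID-0 account 'toor' to show why an audit must list accounts by UID rather than by name.

```python
# Constructed sample records, abridged from the slides; 'toor' is added to show a second UID-0 account.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
aramirez:x:500:500:Alex Ramirez, C6117, 54040:/home/aramirez:/bin/bash
toor:x:0:0:second root:/root:/bin/bash"""
GROUP = """root:x:0:root
wheel:x:10:root
users:x:100:aramirez
aramirez:x:500:"""
SHADOW = """root:$1$iVKd84gQ$IV7vHG0CHdIGGnYnNs00E/:12260:0:99999:7:::
bin:*:12260:0:99999:7:::
aramirez:$1$jGmk47hy$6Lkk.QYrMI67qPqvhTCdS.:12262::99999::::"""

def parse_passwd(text):
    """username -> fields; the 'x' password field means the hash lives in /etc/shadow."""
    users = {}
    for line in text.splitlines():
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}
    return users

def parse_group(text):
    """gid -> name, and name -> member set: the N:M side of the users/groups relation."""
    by_gid, members = {}, {}
    for line in text.splitlines():
        name, _pw, gid, memlist = line.split(":")
        by_gid[int(gid)] = name
        members[name] = {m for m in memlist.split(",") if m}
    return by_gid, members

def parse_shadow(text):
    """username -> hash and expiration policy: lastchg is days since 1970-01-01, min/max/warn are day counts."""
    entries = {}
    for line in text.splitlines():
        name, hash_, lastchg, mn, mx, warn, _inact, _expire, _flag = line.split(":")
        entries[name] = {"hash": hash_, "lastchg": int(lastchg), "min": mn, "max": mx, "warn": warn}
    return entries

def groups_of(user, users, by_gid, members):
    """Primary group from /etc/passwd plus every /etc/group line that lists the user."""
    return {by_gid[users[user]["gid"]]} | {g for g, ms in members.items() if user in ms}

def password_locked(entry):
    """'*' or '!' is never valid crypt output, so no password can match: the account is disabled."""
    return entry["hash"][:1] in ("*", "!")

def uid0_accounts(users):
    """Any entry with UID 0 is root whatever its name, so list them all, not just 'root'."""
    return sorted(u for u, f in users.items() if f["uid"] == 0)
```

The 1:1 relation of slide 4 is checked as set(users) - set(shadow): every passwd entry should have a shadow line, and here 'toor' has none.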
SLIDE 8

/etc/aliases

Data base containing e-mail aliases

Allows e-mail to be redirected to other addresses:
  • from pseudo-users to the administrator
  • to programs
  • to users in another machine

  • # Basic system aliases -- these MUST be present.
  • mailer-daemon: postmaster
  • postmaster: root
  • # General redirections for pseudo accounts.
  • bin: root
  • webmaster: root
  • support: postmaster
  • # Person who should get root's mail
  • root: aduran, xavim@ac.upc.edu
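An added example, not part of the original slides: resolving alias chains from a constructed copy of the fragment above (with an extra, made-up 'helpdesk' alias that loops back on itself), and checking for final recipients that do not exist locally, which is what goes wrong when a removed user is left in /etc/aliases.

```python
# Constructed copy of the slide's /etc/aliases fragment, plus a 'helpdesk' alias that loops back on itself.
ALIASES_TEXT = """# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
webmaster: root
support: postmaster
# Person who should get root's mail
root: aduran, xavim@ac.upc.edu
helpdesk: support, helpdesk
"""

def parse_aliases(text):
    """alias -> list of targets; comment and blank lines are skipped, targets are comma-separated."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, targets = line.split(":", 1)
        table[name.strip()] = [t.strip() for t in targets.split(",") if t.strip()]
    return table

def resolve(name, table, path=()):
    """Follow the alias chain to its final recipients. A name that is not an alias is a recipient
    (local user or remote address); a name already on the current path is reported as a loop."""
    if name in path:
        return {"<loop:%s>" % name}
    if name not in table:
        return {name}
    out = set()
    for target in table[name]:
        out |= resolve(target, table, path + (name,))
    return out

def dangling(table, local_users):
    """Final recipients that are neither remote (contain '@') nor an existing local user: mail to these
    aliases bounces, which is what happens when a removed user is left in /etc/aliases (slide 12)."""
    bad = {}
    for alias in table:
        missing = {r for r in resolve(alias, table)
                   if "@" not in r and not r.startswith("<loop:") and r not in local_users}
        if missing:
            bad[alias] = missing
    return bad
```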

SLIDE 9

Activity

Individually
  • Write down the process of giving a user a new account: changes in the data bases, creation of directories, default files...

In group
  • Discussion
  • Program the useradd command (pseudocode)

SLIDE 10

Basic commands

  • useradd, adduser
  • groupadd
  • userdel
  • groupdel
  • usermod (see man usermod): allows all values except the username to be modified
  • groupmod
  • passwd [-g]
  • gpasswd
  • newusers, vipw, vigr
  • newgrp, sg

SLIDE 11

Disable users

Temporarily disable a user account: the user will not be able to access the system.

Invalidate the password
  • Add an illegal character to the encrypted password (*)
  • Allows the old password to be recovered, if necessary

Invalidate the shell
  • Replace it by another binary (/bin/false, /bin/nologin)
  • Informs the user that his/her account has been disabled
  • Informs the administrator when the user attempts to access the system
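An added worked answer for the slide 9 activity (useradd) together with the password and shell invalidation of slide 11, written here in Python and not the course's own solution. It runs on a constructed copy of the data bases in a temporary directory, never on the real /etc; the sample accounts and the skeleton file are made up.

```python
import os, shutil, tempfile, pathlib
# Constructed sandbox: a throw-away copy of the data bases and a skeleton dir, never the real /etc.
def make_sandbox():
    root = pathlib.Path(tempfile.mkdtemp())
    for d in ("etc", "etc/skel", "home"):
        (root / d).mkdir()
    (root / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/bash\n"
                                      "aramirez:x:500:500:Alex Ramirez:/home/aramirez:/bin/bash\n")
    (root / "etc/group").write_text("root:x:0:root\nusers:x:100:aramirez\naramirez:x:500:\n")
    (root / "etc/shadow").write_text("root:$1$iVKd84gQ$IV7vHG0CHdIGGnYnNs00E/:12260:0:99999:7:::\n"
                                      "aramirez:$1$jGmk47hy$6Lkk.QYrMI67qPqvhTCdS.:12262::99999::::\n")
    (root / "etc/skel/.bashrc").write_text("# default shell startup file (constructed)\n")
    return root

def next_uid(root, first=500):
    """Never reuse a UID: allocate above every UID present, disabled accounts included."""
    used = [int(l.split(":")[2]) for l in (root / "etc/passwd").read_text().splitlines()]
    return max([first - 1] + used) + 1

def useradd(root, name, gecos, lastchg=12262):
    """The activity's useradd: private group with gid == uid, one line per data base, home copied from skel."""
    uid, home = next_uid(root), "/home/" + name
    for db, line in (("passwd", f"{name}:x:{uid}:{uid}:{gecos}:{home}:/bin/bash"),
                     ("group", f"{name}:x:{uid}:"),
                     ("shadow", f"{name}:!:{lastchg}:0:99999:7:::")):  # '!' blocks login until passwd sets a hash
        with open(root / "etc" / db, "a") as f:
            f.write(line + "\n")
    homedir = root / home.lstrip("/")
    shutil.copytree(root / "etc/skel", homedir)  # default files; a real system would chown -R uid:gid next
    os.chmod(homedir, 0o700)
    return uid

def edit_field(path, name, idx, fn):
    """Rewrite one field of the line whose first field is `name`, as usermod/passwd do in place."""
    rows = [l.split(":") for l in path.read_text().splitlines()]
    for f in rows:
        if f[0] == name:
            f[idx] = fn(f[idx])
    path.write_text("".join(":".join(f) + "\n" for f in rows))

def disable_user(root, name):
    """Slide 11: prefix the hash with '*' (old hash kept, so dropping the '*' restores it) and replace the shell."""
    edit_field(root / "etc/shadow", name, 1, lambda h: h if h.startswith("*") else "*" + h)
    edit_field(root / "etc/passwd", name, 6, lambda _shell: "/sbin/nologin")

def field(root, db, name, idx):
    """Read back one field of one line, e.g. field(root, "shadow", "bob", 1) for bob's hash."""
    for l in (root / "etc" / db).read_text().splitlines():
        if l.split(":")[0] == name:
            return l.split(":")[idx]
    return None
```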

SLIDE 12

Remove users

When a user no longer needs his/her account...
  • Disable the account (using an invalid encrypted password)
  • Check whether the user is currently working on the machine
  • Generate a backup of all his/her data
  • Delete all the data
  • Remove the user from the system data bases: /etc/shadow, /etc/passwd, /etc/group
  • Redirect his/her e-mail: /etc/aliases

SLIDE 13

Users and processes

[Diagram: init forks the login process (a root process); login checks the password against /etc/passwd, /etc/shadow and /etc/group and execs the login shell as a non-privileged user process carrying the user's uid, gid and additional groups; every program forked from it inherits them, and they decide each file access; a setuid/setgid exec changes the effective identity.]

SLIDE 14

Permissions and protection

(-,d) rwx rwx rwx
      owner group other

3 types of permissions: read, write and execute (rwx)
  • Applied to regular files...
  • Applied to directories...

3 application areas: owner, group, other (ugo)

Related commands:
  • chown: changes the owner of files/directories
  • chgrp: changes the group of files/directories
  • chmod: changes the permissions of files/directories

SLIDE 15

Permissions and protection

Set-UID/Set-GID bit (s)
  • Applied to files
  • Applied to directories

Sticky bit (t): applied to directories

SLIDE 16

Permissions (summary)

[Summary table of the permission bits; not recoverable from the page]

SLIDE 17

Activity

In groups

Assign the appropriate permissions to directories and files, so that the file...

  • $ ls -l ./datadir/data.txt
  • -rw-rw-r-- 1 aso01 aso01 9778 Nov 28 18:10 ./datadir/data.txt

  • Only the owner can modify the contents
  • All members of the group can read it
  • Only the owner can delete it
  • Only the owner can list the contents of the directory

SLIDE 18

Default permissions

When creating a file/directory...

The current user determines the actual owner and group
  • id reports the current user and group
  • newgrp changes the current group of the user

Permissions are determined by the umask system variable: it indicates which permissions are NOT set by default on new files or directories
  • 022: rwx r-x r-x
  • 027: rwx r-x ---
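An added example (not from the slides) that shows what the two umask values above produce on real files and directories, and applies one choice of modes that meets the four requirements of the slide 17 activity. The temporary files are constructed here; the mode choice is this editor's answer, not the course's.

```python
import os, stat, tempfile, pathlib

def mode_string(mode):
    """Render permission bits as ls -l does (rwxr-x---), with s/t for setuid, setgid and sticky."""
    return stat.filemode(mode)[1:]   # stat.filemode() prefixes the file type; drop that character

def created_modes(umask):
    """Create a file and a directory under `umask` and return their resulting modes: the umask bits
    are cleared from the 0666 default used for files and the 0777 default used for directories."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            d = pathlib.Path(tmp) / "newdir"
            d.mkdir()                                   # mode 0777 & ~umask
            f = pathlib.Path(tmp) / "newfile"
            os.close(os.open(f, os.O_CREAT | os.O_WRONLY, 0o666))   # mode 0666 & ~umask
            return stat.S_IMODE(f.stat().st_mode), stat.S_IMODE(d.stat().st_mode)
    finally:
        os.umask(old)                                   # restore: umask is per-process state

def activity_modes(base=None):
    """Slide 17: group members may read data.txt but only the owner may write it (0640); deleting a file
    is a write on its directory and listing needs r on the directory, so the directory gets 0711:
    everyone may traverse it to reach the file, only the owner may list it or remove entries."""
    base = pathlib.Path(base or tempfile.mkdtemp())
    datadir = base / "datadir"
    datadir.mkdir(exist_ok=True)
    data = datadir / "data.txt"
    data.write_text("constructed sample data\n")
    os.chmod(data, 0o640)
    os.chmod(datadir, 0o711)
    return mode_string(data.stat().st_mode), mode_string(datadir.stat().st_mode)
```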

SLIDE 19

Special users and groups

  • root: UID 0 (the username does not matter)
  • ftp: anonymous ftp (with no password)
  • nobody: special user for NFS or WWW
  • wheel: user group with administration privileges

SLIDE 20

Obtaining privileges

Working as the administrator (root) is dangerous. Better to have an administrator user (admin) and obtain the required privileges only when needed.

su [user] [-c command]
  • Allows changing user (defaults to root)

sudo [command]
  • Allows a command to be executed as a different user
  • The administrator can restrict which commands each user can execute

SLIDE 21

User management policies

Assigning new UIDs
  • Do not reuse UIDs

Assigning usernames

Keep office and phone number to easily contact users

/home organization
  • Flat: all users in /home/...
  • Hierarchical, creating different levels of directories: departments, office levels, rooms... (/home/ac/user)
  • ... in different disks

SLIDE 22

Personal work

  • Different ways to install applications
  • Ways of distributing software, and formats: tar, gz, bz2, rpm, deb, zip...