Monday, 22 February 2021

Linux Admin - User Management

When discussing user management, we have three important terms to understand −

  • Users
  • Groups
  • Permissions

We have already discussed in-depth permissions as applied to files and folders. In this chapter, let's discuss about users and groups.

CentOS Users

In CentOS, there are two types of accounts −

  • System accounts − Used for a daemon or other piece of software.

  • Interactive accounts − Usually assigned to a user for accessing system resources.

The main difference between the two user types is −

  • System accounts are used by daemons to access files and directories. These will usually be disallowed from interactive login via shell or physical console login.

  • Interactive accounts are used by end-users to access computing resources from either a shell or physical console login.

With this basic understanding of users, let's now create a new user for Bob Jones in the Accounting Department. A new user is added with the useradd command (on CentOS, adduser is a symlink to useradd, so either name works).

Following are some common useradd switches −

Switch   Action
-c       Adds a comment (GECOS field) to the user account
-m       Creates the user's home directory in the default location, if it does not exist
-g       Default (primary) group to assign the user
-n       Does not create a private group for the user (usually a group named after the user)
-M       Does not create a home directory
-s       Default shell other than /bin/bash
-u       Specifies the UID (otherwise assigned by the system)
-G       Additional (supplementary) groups to assign the user to

When creating a new user, use the -c, -m, -g, -n switches as follows −

[root@localhost Downloads]# useradd -c "Bob Jones  Accounting Dept Manager" -m -g accounting -n bjones

Now let's see if our new user has been created −

[root@localhost Downloads]# id bjones 
uid = 1001(bjones) gid = 1001(accounting) groups = 1001(accounting)

[root@localhost Downloads]# grep bjones /etc/passwd 
bjones:x:1001:1001:Bob Jones  Accounting Dept Manager:/home/bjones:/bin/bash

[root@localhost Downloads]#

Now we need to enable the new account using the passwd command −

[root@localhost Downloads]# passwd bjones 
Changing password for user bjones. 
New password:  
Retype new password:  
passwd: all authentication tokens updated successfully.

[root@localhost Downloads]#

The user account is now enabled, allowing the user to log into the system.

Disabling User Accounts

There are several methods to disable accounts on a system. These range from editing the /etc/passwd file by hand to using the passwd command with the -l switch. Both of these methods have one big drawback: they only lock the password, so if the user has SSH access and authenticates with an RSA key, they can still log in.

Now let's use the chage command instead, setting the account's expiry date (-E) to a date in the past; an expired account is refused regardless of the authentication method. Also, it may be good to make a note on the account as to why we disabled it.

[root@localhost Downloads]# chage -E 2005-10-01 bjones
 
[root@localhost Downloads]# usermod  -c "Disabled Account while Bob out of the country for five months" bjones

[root@localhost Downloads]# grep bjones /etc/passwd 
bjones:x:1001:1001:Disabled Account while Bob out of the country for four months:/home/bjones:/bin/bash

[root@localhost Downloads]#
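As an added example (not part of the original tutorial), the following POSIX shell script classifies constructed /etc/shadow-style entries so you can tell an account that is only password-locked (passwd -l) from one that chage -E has really expired. The usernames, hashes and day numbers are sample values; day 13057 is 2005-10-01, the expiry date used above, and day 18680 is 2021-02-22.

```shell
#!/bin/sh
# Added example, not from the original tutorial: decide whether an account is
# really disabled or only password-locked, by parsing constructed /etc/shadow
# style lines instead of the real file, so it runs without root.
# Field 2 is the password hash ("!" prefix = passwd -l, "*" = no password login),
# field 8 is the account expiry in days since 1970-01-01 (set by chage -E).

# Constructed sample: bjones expires on day 13057 = 2005-10-01, as in the tutorial.
SAMPLE_SHADOW='bjones:!$6$constructedhash:18600:0:99999:7::13057:
alice:$6$constructedhash:18600:0:99999:7:::
svc_backup:*:18600:0:99999:7:::
dave:!$6$constructedhash:18600:0:99999:7:::'

# account_state NAME TODAY_DAYS -> prints one of:
#   expired          expiry day reached; every login method is refused,
#                    including SSH public-key authentication
#   password-locked  only the password is locked (passwd -l / usermod -L);
#                    keys in ~/.ssh/authorized_keys still work
#   no-password      hash is "*" or "!!": no password login, keys still work
#   active           password login possible
#   unknown          no such entry
account_state() {
    name=$1; today=$2
    line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^${name}:") || { echo unknown; return 1; }
    hash=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired
    elif [ "$hash" = '*' ] || [ "$hash" = '!!' ]; then
        echo no-password
    elif [ "${hash#!}" != "$hash" ]; then
        echo password-locked
    else
        echo active
    fi
}

# still_has_ssh_access NAME TODAY_DAYS -> exit 0 unless the account is expired;
# use it to find "disabled" users who are in fact only locked.
still_has_ssh_access() {
    [ "$(account_state "$1" "$2")" != expired ]
}

# Stand-alone usage: today = 2021-02-22 (day 18680), the date of this post.
for u in bjones alice svc_backup dave; do
    printf '%-12s %s\n' "$u" "$(account_state "$u" 18680)"
done
```

Against a real system, replace SAMPLE_SHADOW with the output of `getent shadow` run as root; the classification logic is unchanged.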

Manage Groups

Managing groups in Linux lets an administrator collect users into a single unit and apply one permission set to all group members. For example, all users in Accounting may need access to the same files. Thus, we make an accounting group and add the Accounting users to it.

For the most part, anything requiring special permissions should be done through a group. This approach will usually save time over applying special permissions to just one user. For example, Sally is in charge of reports and only Sally needs access to certain files for reporting. However, what if Sally is sick one day and Bob does the reports? Or the need for reporting grows? Once a group is made, an administrator only needs to set the permissions once; users are then added to the group as needs change or expand.

Following are some common commands used for managing groups −

  • chgrp
  • groupadd
  • groups
  • usermod

chgrp − Changes the group ownership for a file or directory.

Let's make a directory where people in the accounting group can store their files and create subdirectories.

[root@localhost Downloads]# mkdir /home/accounting

[root@localhost Downloads]# ls -ld /home/accounting
drwxr-xr-x. 2 root root 6 Jan 13 10:18 /home/accounting

[root@localhost Downloads]#

Next, let's give group ownership to the accounting group.

[root@localhost Downloads]# chgrp -v  accounting /home/accounting/ 
changed group of ‘/home/accounting/’ from root to accounting

[root@localhost Downloads]# ls -ld /home/accounting/ 
drwxr-xr-x. 2 root accounting 6 Jan 13 10:18 /home/accounting/

[root@localhost Downloads]#

Now, everyone in the accounting group has read and execute permissions to /home/accounting. They will need write permissions as well.

[root@localhost Downloads]# chmod g+w /home/accounting/

[root@localhost Downloads]# ls -ld /home/accounting/ 
drwxrwxr-x. 2 root accounting 6 Jan 13 10:18 /home/accounting/

[root@localhost Downloads]#

Since the accounting group may deal with sensitive documents, we need to apply some restrictive permissions for other or world.

[root@localhost Downloads]# chmod o-rx /home/accounting/

[root@localhost Downloads]# ls -ld /home/accounting/ 
drwxrwx---. 2 root accounting 6 Jan 13 10:18 /home/accounting/

[root@localhost Downloads]#
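As an added example (not from the original tutorial), this POSIX shell script performs the chgrp and chmod steps above in one function and additionally sets the setgid bit (mode 2770), so files created inside inherit the directory's group rather than each creator's primary group; the tutorial's group name "accounting" is replaced by whatever group is passed in, and the stand-alone run uses a temporary directory and the caller's own group.

```shell
#!/bin/sh
# Added example, not from the original tutorial: create a shared group directory
# (chgrp + chmod g+w, o-rx as above) and also set the setgid bit so new files
# inherit the group. Uses GNU stat -c, as found on CentOS.

# setup_shared_dir DIR GROUP
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"   # group ownership, as with: chgrp accounting /home/accounting
    chmod 2770 "$dir"       # rwx for owner and group, nothing for others, plus setgid
}

# dir_mode DIR  -> octal mode including the setgid bit, e.g. 2770
dir_mode()  { stat -c %a "$1"; }
# dir_group DIR -> owning group name
dir_group() { stat -c %G "$1"; }

# check_shared_dir DIR GROUP -> exit 0 only when DIR is owned by GROUP, is setgid,
# and is closed to "other"; handy for auditing existing shared directories.
check_shared_dir() {
    [ "$(dir_mode "$1")" = 2770 ] && [ "$(dir_group "$1")" = "$2" ]
}

# Stand-alone usage with a temporary directory and the caller's own group.
tmp=$(mktemp -d)
setup_shared_dir "$tmp/accounting" "$(id -gn)"
ls -ld "$tmp/accounting"
touch "$tmp/accounting/report.txt"
ls -l "$tmp/accounting/report.txt"   # group column shows the directory's group
check_shared_dir "$tmp/accounting" "$(id -gn)" && echo "shared dir OK"
rm -rf "$tmp"
```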

groupadd − Used to make a new group.

Switch   Action
-g       Specifies a GID for the group
-K       Overrides the GID settings from /etc/login.defs
-o       Allows a non-unique group ID (overrides the uniqueness check)
-p       Group password, allowing users to join the group themselves with newgrp

Let's make a new group called secret. We will add a password to the group, allowing the users to add themselves with a known password.

[root@localhost]# groupadd secret

[root@localhost]# gpasswd secret 
Changing the password for group secret 
New Password:  
Re-enter new password:

[root@localhost]# exit 
exit

[centos@localhost ~]$ newgrp secret 
Password:

[centos@localhost ~]$ groups 
secret wheel rdc

[centos@localhost ~]$

In practice, passwords for groups are not used often. Secondary groups are adequate and sharing passwords amongst other users is not a great security practice.

The groups command is used to show which group a user belongs to. We will use this, after making some changes to our current user.

usermod is used to update account attributes.

Following are the common usermod switches.

Switch   Action
-a       Append: adds the user to supplementary groups, only together with -G
-c       Comment: updates the user's comment value
-d       Home directory: updates the user's home directory
-G       Groups: sets the user's secondary groups (replacing them unless -a is given)
-g       Group: sets the user's default primary group

[root@localhost]# groups centos 
centos : accounting secret

[root@localhost]#

[root@localhost]# usermod -a -G wheel centos

[root@localhost]# groups centos
centos : accounting wheel secret

[root@localhost]#
