Certification Objective 6.01-User Account Management
You need to know how to create and configure users for the Red Hat exams. This means that you need to know how to configure the environment associated with each user account-in configuration files and in user settings. You also need to know how to specify the configuration files associated with the default bash shell. Finally, you need to know how to limit the resources allocated to each user through quotas. These requirements are all explicitly cited in the Red Hat course outlines associated with the RHCT exam and are applicable to both exams.
If you've installed RHEL 5 via kickstart or in text mode, the default Red Hat installation gives you just a single login account: root. You should set up some regular user accounts. You may have already done so through the First Boot process described in Chapter 2. Even if you're going to be the only user on the system, it's a good idea to create at least one nonadministrative account to do your day-to-day work. Then you can use the root account only when it's necessary to administer the system. Accounts can be added to Red Hat Enterprise Linux systems using various utilities, including application of the vi text editor (and related specialized commands) on password configuration files (the manual method), the useradd command (the command line method), and the Red Hat User Manager utility (the graphical method).
 |
As discussed earlier, it's faster to log in as root (and not just the superuser). While you'll be doing most of the work on the Red Hat exams as root, it's quite possible that you'll be asked to create accounts for regular users (and groups) to configure a workstation.
|
User Account Categories
There are three basic types of Linux user accounts: administrative (root), regular, and service. The administrative root account is automatically created when you install Linux, and it has administrative privileges for all services on your Linux computer. A cracker who has a chance to take control of this account can take full control of your system.
Nevertheless, it is sometimes appropriate to log in as an administrator (that is, as the root user), such as during most of the Red Hat exams. Red Hat Enterprise Linux builds in safeguards for root users. Log in as the root user, and then run the alias command. You'll see entries such as this,
alias rm='rm -i'
which prompt for confirmation before the rm command deletes a file. Unfortunately, a command such as rm -rf directoryname supersedes this safety setting.
Regular users have the necessary privileges to perform standard tasks on a Linux computer. They can access programs such as word processors, databases, and Web browsers. They can store files in their own home directories. Since regular users do not normally have administrative privileges, they cannot accidentally delete critical operating system configuration files. You can assign a regular account to most users, safe in the knowledge that they can't disrupt your system with the privileges they have on that account.
Services such as Apache, Squid, mail, games, and printing have their own individual service accounts. These accounts exist to allow each of these services to interact with your computer. Normally, you won't need to change any service account, but if you see that someone has logged in through one of these accounts, be wary. Someone may have broken into your system.
| On the Job | One resource for checking whether your system has been cracked is the Distributed Intrusion Detection System at www.dsheild.org. Check your public IP address against its database. If your system has been cracked, it's likely that someone is using it to attack other systems. When this is the case, your public IP address will be logged in the www.dsheild.org database. |
| On the Job | To review recent logins, run the utmpdump /var/log/wtmp | less command. If the login is from a remote location, it will be associated with a specific IP address outside your network. |
Basic Command Line Tools
There are two basic ways to add users through the command line interface. You can add users directly by editing the /etc/passwd file in a text editor such as vi. Alternatively, you can use text commands customized for the purpose.
Adding Users Directly
Open the /etc/passwd file in the text editor of your choice. If you choose to open it in the vi editor, you can do so with the vipw command. If you've added regular users to your system, you'll normally see them listed at the bottom of this file. Scroll around this file, and you should see a series of lines like the following:
mj:x:500:500:Michael Jang:/home/mj:/bin/bash
Each column in /etc/passwd, delineated by a colon, has a purpose, which is described in Table 6-1.
| Field | Example | Purpose |
|---|---|---|
| Username | mj | The user logs in with this name. Usernames can include hyphens (-) or underscores (_). However, they should not start with a number or include uppercase letters. |
| Password | x | The password. You should see either an x, an asterisk (*), or a seemingly random group of letters and numbers. An x points to /etc/shadow for the actual password. An asterisk means the account is disabled. A random group of letters and numbers represents the encrypted password. |
| User ID | 500 | The unique numeric user ID (UID) for that user. By default, Red Hat starts user IDs at 500. |
| Group ID | 500 | The numeric group ID (GID) associated with that user. By default, RHEL creates a new group for every new user, and the number matches the UID. Some other Linux and Unix systems assign all users to the default Users group (GID=100). |
| User info | Michael Jang | You can enter any information of your choice in this field. Standard options include the user's full name, telephone number, e-mail address, or physical location. You can leave this blank. |
| Home Directory | /home/mj | By default, RHEL places new home directories in /home/username. |
| Login Shell | /bin/bash | By default, RHEL assigns users to the bash shell. You can change this to any legal shell that you have installed. |
You can create a new user in /etc/passwd by copying and then editing a line associated with an existing user. Just substitute the information of your choice to create the new user. Make sure that you at least assign a new username and user ID.
Assuming you've assigned a new home directory for your new user, you have to remember to create that directory. For example, if your new user is ez, you'll probably want to create the /home/ez directory. You'll also need to make sure that ez has ownership permissions on that directory and all the files that you're going to put in that directory.
You can then populate that new user's home directory. A default environment is available in the /etc/skel directory. You can copy the contents of that directory to the new user's home directory. The /etc/skel directory is covered in more detail later in this chapter.
Adding Users to a Group
Every Linux user is assigned to a group. By default in RHEL 5, every user gets his own private group. The user is the only member of that group, as defined in the /etc/ group configuration file. Open that file in the editor of your choice. If want to use the vi editor, use the vipw command. You should see lines similar to the following:
mj:x:500: vp:x:501: managers:x:1000:mj,vp
The contents are straightforward. The users mj and vp are members of their own groups as well as the managers group. The four columns in each /etc/group line are described in Table 6-2.
| Field | Example | Purpose |
|---|---|---|
| Groupname | mj | Each user gets his own group, with the same name as his username. You can also create unique groupnames. |
| Password | x | The password. You should see either an x or a seemingly random group of letters and numbers. An x points to /etc/gshadow for the actual password. A random group of letters and numbers represents the encrypted password. |
| Group ID | 500 | The numeric group ID (GID) associated with that user. By default, RHEL creates a new group for every new user. If you want to create a special group such as managers, you should assign a GID number outside the standard range; otherwise, Red Hat GIDs and UIDs would probably get out of sequence. |
| Group members | mj,vp | Lists the usernames that are members of the group. If it's blank, and there is a username that is identical to the groupname, that user is the only member of that group. |
Adding Users at the Command Line
Alternatively, you can automate this process with the useradd command. If you wanted to add a new user named pm, you could just type useradd pm to add this user to the /etc/passwd file. By default, it creates a home directory, /home/pm; adds the standard files from the /etc/skel directory; and assigns the default shell, /bin/bash. But useradd is versatile. It includes a number of command options shown in Table 6-3.
| Option | Purpose |
|---|---|
| -u UID | Overrides the default assigned UID. By default, in RHEL this starts at 500 and can continue sequentially the maximum number of users supported by kernel 2.6, which is 232. |
| -g GID | Overrides the default assigned GID. By default, RHEL uses the same GID and UID numbers to each user. If you assign a GID, it must be either 100 (users) or already otherwise exist. |
| -c info | Enters the comment of your choice about the user, such as her name. |
| -d dir | Overrides the default home directory for the user, /home/username. |
| -s shell | Overrides the default shell for the user, /bin/bash. |
Assigning a Password
You can now use the passwd username command to assign a new password to that user. For example, the passwd pm command lets you assign a new password to user pm. You're prompted to enter a password twice. RHEL is configured to discourage passwords that are based on dictionary words or that are shorter than six characters for security reasons. Nevertheless, such passwords are legal, and such a password is accepted by the passwd command when you type it in a second time.
| On the Job | Good passwords are important. Any cracker who may have tapped into your network can try to match the password of any of your users. A password-cracking program may be able to find dictionary word passwords in a matter of minutes. In contrast, it may take hours to crack a more complex password such as Ila451MS (which could stand for "I live at 451 Main Street"). |
|
As of this writing, the Red Hat User Manager can be run only from the Linux GUI. If you're running a command line console and have installed the needed software, the startx command moves you into the GUI. The default GNOME desktop is shown here.
The look of the alternative KDE desktop is slightly closer to that of Microsoft Windows; if you're using KDE, pay attention to the icon of the Red Hat Fedora in the lower-left corner of the desktop; it starts program menus similar to those associated with the Microsoft Windows Start button. When referring to the KDE desktop shown next, I'll refer to it as the Main Menu button.
If you're in the GNOME Desktop Environment, you can access almost all administrative tools from the System | Administration menu from the top taskbar. If you're in the KDE Desktop Environment, you can access the same tools from the Main Menu | Administration submenu.
Because of the variations, this discussion focuses on starting GUI tools using a text command. You can access a text console in the GNOME desktop by choosing Applications | Accessories | Terminal. You can access a text console in the KDE desktop by selecting Main Menu | System | Terminal. Alternatively, you can run a standard text command from either GUI by pressing ALT-F2 and entering the command in the window that appears.
Now from the Linux GUI, you can start the Red Hat User Manager in one of three ways: Enter system-config-users from a command line interface in the GUI, choose System | Administration | Users and Groups in GNOME, or choose Main Menu | Administration | Users and Groups in KDE. The next screen shows the Red Hat User Manager window.
|
| On the Job | If you have not logged in as the root user, you'll be prompted for a root password before opening administrative tools such as the Red Hat User Manager (system-config-users). |
Exercise 6-1: Adding a User with the Red Hat User Manager
|
To add a user with the Red Hat User Manager, open it. If it isn't already open, press ALT-F2. Type system-config-users in the text box that appears.
-
In the Red Hat User Manager, click the Add User button, or choose File | Add User. This will open the Create New User window, as shown here:
-
Complete the form. All entries are required, except Full Name. The entries are fairly self-explanatory (see the earlier discussions of each field). The password should be at least six characters and should contain a mix of upper- and lowercase letters, numbers, and symbols to keep it more secure from the standard password-cracking programs.
-
Enter the identical password in the Confirm Password field.
-
Click OK when you are done.
-
Repeat the process as desired for any additional new users you're expected to support.
|
User Account Management Tips
Although creating user accounts may seem to be a straightforward process, there are a few things to consider when configuring new users:
-
By default, RHEL 5 configures individual private group IDs (GIDs) for each user. As this associates each user with her own exclusive group, this is also known as the Red Hat user private group scheme. In the default Red Hat scenario, each user has a unique private GID (which corresponds to her UID), and regular users do not have access to other users' home directories. These users can still share access to special directories, as described later in this chapter.
-
If your configuration doesn't require each user to have her own GID, or if you have no need for the security associated with the user private group scheme, you can assign all of your users to the Users group, with a GID of 100. In many cases, this can make system administration easier, but it may expose every user's files to every other regular user.
-
Discourage the use of shared accounts, where several people use a single account. Shared accounts are almost always unnecessary and are easily compromised.
-
If you'll be using the Network File System (NFS), make sure all users have the same UID on every system on the network. But this can be problematic. One alternative is the NIS, which supports a centralized database of users and passwords for users on all participating computers, as described later in this chapter.
Deleting a User Account
Removing user accounts is a pretty straightforward process. The easiest way to delete a user account is with the userdel command. By default, this command does not delete that user's home directory. Alternatively, the userdel -r username command deletes that user's home directory along with all of the files stored in that home directory.
This is a lot faster than the GUI method, for which you start the X Window System, open the Red Hat User Manager, select the user, and then click Delete. While it's probably easier for a less experienced user to remember the GUI method, text commands are faster.
|
If you know both the text and GUI tools to perform a task, use the text method. It almost always saves time.
|
Modifying a User Account
As a Linux administrator, you may want to add some limitations to your user accounts. The easiest way to illustrate some of what you can do is through the Red Hat User Manager. Start the Red Hat User Manager, select a currently configured user, and then click Properties to open the User Properties dialog box.
Click the Account Info tab for the account expiration information shown in Figure 6-1. As shown in the figure, you can limit the life of an account so that it expires on a specific date, or you can disable an account by locking it.
Figure 6-1: Managing user account life
Click the Password Info tab. As shown in Figure 6-2, you can set several characteristics related to an individual user's password. Even when you set good passwords, frequent password changes can help provide additional security. The categories shown in the figure are self-explanatory; a 0 in any of these text boxes means that the limit does not apply.
Figure 6-2: Configuring password information
Click the Groups tab. Users can belong to more than one group in Linux. Under the Groups properties tab shown in Figure 6-3, you can assign the target user to other groups. For example, if you want to collect the files supporting the managers in your company into one directory, you can assign appropriate users to the group named managers. Alternatively, you can then assign members of that project team to the project group through the Groups tab.
Figure 6-3: Assigning groups
|
You may not have access to a GUI during the Troubleshooting portion of either Red Hat exam. Therefore, you need to know how to manage users independent of GUI tools such as the Red Hat User Manager. In any case, text-based tools are almost always faster.
|
Regular User Management Commands
While the Red Hat User Manager GUI utility is convenient, it's often faster to perform the associated administrative functions at the command line interface. I've described some of these commands such as useradd and userdel. Two other key user administration commands are usermod and chage.
usermod
The usermod command modifies various settings in /etc/passwd. It also allows you to set an expiration date for an account or an additional group. For example, the following command sets the account associated with user test1 to expire on June 8, 2007:
# usermod -e 2007-06-08 test1
The following command makes user test1 a member of the special group:
# usermod -G special test1
chage
You can use the chage command to manage the expiration date of a password. Password aging information is stored in the /etc/shadow file. In order, the columns in /etc/shadow are shown in Table 6-4. The associated chage switch, where available, is shown with each description entry. For example, if you wanted to require that user test1 keep a password for at least two days, use the chage test1 -m 2 command.
| Column | Field | Description |
|---|---|---|
| 1 | Username | Username |
| 2 | Password | Encrypted password; requires an x in the second column of /etc/passwd |
| 3 | Password history | Date of the last password change, in number of days after January 1, 1970 |
| 4 | mindays | Minimum number of days that you must keep a password (-m) |
| 5 | maxdays | Maximum number of days after which a password must be changed (-M) |
| 6 | warndays | Number of days before password expiration when a warning is given (-W) |
| 7 | inactive | Number of days after password expiration when an account is made inactive (-I) |
| 8 | disabled | Number of days after password expiration when an account is disabled (-E) |
Limiting Access to su
As described earlier, I recommended that you use the root account during the Red Hat exams. However, I assume you still need to configure Linux computers in real life. One security measure that can help is to limit regular users who can access the root account via the su command. This takes two basic steps.
First, you'll need to add the users who you want to allow access to the su command. Make them a part of the wheel group. By default, this line in /etc/group looks like:
wheel:x:10:root
You can add the users of your choice to the end of this line directly, with the usermod -G wheel username command, or with the Red Hat User Manager.
Next, you'll need to make your Pluggable Authentication Modules (PAM) look for this group. You can do so by activating the following command in your /etc/pam.d/ su file:
# auth required pam_wheel.so use_uid
You'll learn more about how this works later in this chapter.
Limiting Access to sudo
Alternatively, you can limit access to the sudo command. Regular users who are authorized in /etc/sudoers can access administrative commands with their own password. You don't need to give out the administrative password to everyone who thinks they know as much as you do about Linux.
To access /etc/sudoers in the vi editor, run the visudo command. From the following directive, the root user is allowed full access to administrative commands:
root ALL=(ALL) ALL
For example, if you want to allow user boris full administrative access, add the following directive to /etc/sudoers:
boris ALL=(ALL) ALL
In this case, all boris needs to do to run an administrative command such as starting the vsFTPd service from his regular account is to run the following command, entering his own user password (note the regular user prompt, $):
$ sudo /sbin/service vsftpd start Password:
You can even allow special users administrative access without a password. As suggested by the comments, the following directive in /etc/sudoers would allow all users in the wheel group to run administrative commands without a password:
%wheel ALL=(ALL) NOPASSWD: ALL
But you don't have to allow full administrative access. For example, if you want to allow those in the %users group to shut down the local system, you can activate the following directive:
%users localhost=/sbin/shutdown -h now
EAN: 2147483647
Pages: 227