4.3. Managing Users

A user can be added using the useradd command. The same command is used to change the new user default parameters.

The command looks as follows :

 useradd options user_name 

There are quite a few options, most of which you are familiar with from the /etc/passwd file considered in Chapter 3. The options and their functions are the following:

  • -c The comment field of the new user's password file.

  • -d The new user's home directory.

  • -e The date when the user account will be disabled. It is specified in the format YYYY-MM-DD.

  • -f The number of days after the password expires before the account will be disabled. If set to 0, the account is disabled as soon as the password expires. The feature is disabled if set to -1. The default value is -1.

  • -g The user's initial login group. This can be specified either as a name or as an identifier. In Linux, all users are assigned to one group or another.

  • -G, [...] Additional groups, to which the new user will belong. The group names are delimited with a comma only, with no space.

  • -m Instructs the user's home directory to be created if it does not exist. All files from the /etc/skel directory will be copied to this directory.

  • -M Do not create the user home directory. By default, the user home directory is created as /home/user_name. To prevent this from happening, the command must explicitly forbid this.

  • -r Specifies that a system account is to be created.

  • -p An encrypted password, which can be obtained with the help of the crypt command.

  • -s Specifies the user login shell.

  • -u A unique identifier. If omitted, the system assigns the next available value.

The last argument is the name of the new user account. Consider this process by adding a user account named robert, with all default options:

 useradd robert
 cat /etc/passwd

The first command created a new user account named robert. The second command displays the contents of the /etc/passwd file, where all account information is stored. The last entry in this file will look as follows:

 robert:x:501:501::/home/robert:/bin/bash 

I have already reviewed the format of the file's entries in Section 3.3. The first parameter is the user name. The next field is the password. Because the actual password is stored in the /etc/shadow file, the field contains an x instead of the password. The next two fields are the UID and GID. In this case, it just happened that the next available values for both of these parameters turned out to be the same, but this is far from an everyday occurrence. The next filled field (the empty one before it is the comment field) is the user home directory. By default, all user directories are created in the /home directory and are given the user's name.

Open the /etc/shadow file. Note that there are two exclamation points in the password field of the robert entry. No password was specified when the account was created, so you cannot enter the system using this account. Actually, I do not recommend specifying a password when adding the user. This is simply extra trouble, because it has to be encrypted using the crypt function even though it is not certain that a strong password will be produced. It is easier to create the password after the user has been added using the passwd command:

 passwd robert 

The command will display the following prompt to change the password, along with the instructions on how to create a strong password:

 Changing password for user robert.
 You can now choose the new password or passphrase.

 A valid password should be a mix of upper and lower case letters, digits and other characters. You can use an 8-character long password with characters from at least 3 of these 4 classes, or a 7-character long password containing characters from all the classes. Characters that form a common pattern are discarded by the check.

 A passphrase should be of at least 3 words, 12 to 40 characters long and contain enough different characters.

 Alternatively, if no one else can see your terminal now, you can pick this as your password: "trial&bullet_scare".

As you can see, the passwd command presents some main rules for creating strong passwords and even offers an example of one. I, however, would not use it because it is made of readable words and can be picked by a variation of the dictionary search that joins various words the way passwd itself does. This procedure will take much longer than picking a one-word password but much less time than picking a password similar to OLhslu_9&Z435drf. This password cannot be picked using the dictionary method, and it will take years to pick it by the enumeration method.
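As an added example (not from the book), the following POSIX shell functions apply the length and character-class rule that the passwd prompt above states, so candidate passwords can be pre-checked; the "common pattern" and passphrase checks that passwd also performs are not reproduced, and the candidates at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the book. Applies the rule quoted from the passwd
# prompt: at least 8 characters using 3 of the 4 classes (upper, lower,
# digit, other), or at least 7 characters using all 4 classes. The "common
# pattern" test that passwd also runs is not reproduced here.

# Print how many of the four character classes occur in $1.
count_classes() {
    n=0
    case "$1" in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# Exit status 0 if $1 satisfies the rule, 1 if it does not.
password_ok() {
    len=${#1}
    classes=$(count_classes "$1")
    if [ "$len" -ge 8 ] && [ "$classes" -ge 3 ]; then
        return 0
    fi
    if [ "$len" -ge 7 ] && [ "$classes" -eq 4 ]; then
        return 0
    fi
    return 1
}

# Print a one-line verdict for each candidate given as an argument.
check_candidates() {
    for pw in "$@"; do
        if password_ok "$pw"; then
            echo "ok:   $pw (${#pw} chars, $(count_classes "$pw") classes)"
        else
            echo "weak: $pw (${#pw} chars, $(count_classes "$pw") classes)"
        fi
    done
}

# Constructed candidates: a common weak choice, the book's strong example,
# and a minimal 8-character, 3-class password.
check_candidates 'qwerty' 'OLhslu_9&Z435drf' 'Abcdefg1'
```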

Now take a look at what is in the directory of the new user. Do you think it is empty? Check it out. Open the /home/robert directory and execute the following command:

 ls -al /home/robert 

The -a option displays all files, including hidden files whose names begin with a dot, and the -l option displays detailed information. The execution results of this command should look similar to the following:

 drwx------ 3 robert robert 4096 Nov 26 16:10 .
 drwxr-xr-x 5 root   root   4096 Nov 26 16:21 ..
 -rw-r--r-- 1 robert robert   24 Nov 26 16:10 .bash_logout
 -rw-r--r-- 1 robert robert  191 Nov 26 16:10 .bash_profile
 -rw-r--r-- 1 robert robert  124 Nov 26 16:10 .bashrc
 -rw-r--r-- 1 robert robert 2247 Nov 26 16:10 .emacs
 -rw-r--r-- 1 robert robert  118 Nov 26 16:10 .gtkrc
 drwxr-xr-x 4 robert robert 4096 Nov 26 16:10 kde

Note that there are six files and one subdirectory in the directory. The most interesting information is contained in the third and fourth columns, in which the file owner's name and group, respectively, are displayed. All file entries contain the name robert in these columns. But although a user with this name was just created, no group of that name was explicitly created. The answer is simple: when a user is created, a corresponding user group is automatically created.

Here is another fine point. The owner of the .. directory, which is the parent directory of robert's home directory, is root. That is, the user robert is the owner of his directory (/home/robert), but he has no rights to the directory above it (/home).

The user robert has read and write rights to all files and directories in his folder. The users of the robert group and all other users have only read rights, not write rights.

4.3.1. Creating New User Files and Directories

Where do the files in the directory of a newly-created user come from? When a new user account is created, files and directories from the /etc/skel directory are copied into the new user's home directory. Create a file in the /etc/skel directory and check whether it will be copied into the home directory of a user that you will create. To keep things simple, create a new file by executing the following command:

 ls >> /etc/skel/text 

The ls command displays the contents of the current directory. The two > characters redirect its output to the text file in the /etc/skel directory. This means that the results of the command's execution will be placed into the specified file. If the specified file does not exist, it will be created. In this way, a new file has been placed in the /etc/skel directory. The contents of the file are of no importance.

Add a new user, and then inspect the contents of his or her home directory:

 useradd Denver
 ls -al /home/Denver

You should see that, along with the other files, the text file you created in the /etc/skel directory was copied to the new user's home directory.

I use this handy feature quite often to give a new user the necessary rights, files, documentation, and so on.

One of the files in the /etc/skel directory is .bash_profile. It contains the profile of the /bin/bash command interpreter. This file can be used to configure certain user parameters, including the access rights mask. In Section 4.1, I described the permissions that are assigned by default to all new user files. I argued that the default permissions are far from ideal from the security standpoint, and I showed how to restrict them using the umask command.

Log into the system as robert and inspect the mask using the umask command. Notice that it is 0022, the default value. That is, in Section 4.1 we changed only the mask of the user current at that time; robert still received the default mask. This exposes his files to the dangers described in Section 4.1. To prevent this from happening, I recommend adding the following line at the end of the /etc/skel/.bash_profile file:

 umask 0077 

Because this file is copied into the home directories of all new users, placing this line in it ensures that all new users receive a proper mask from the security standpoint.
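As an added example (not from the book), these shell functions show the effect of the two mask values on a newly created file and add the umask line to a skeleton profile without duplicating it; the profile path is a parameter, so it can be tried on a temporary copy before touching /etc/skel/.bash_profile.

```shell
#!/bin/sh
# Added example, not from the book. Demonstrates why the umask line in the
# skeleton profile matters and how to add it idempotently.

# Print the permission string (e.g. -rw-r--r--) that a file created under
# umask $1 receives. Works in a throwaway directory so nothing is left behind.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" )
    ls -l "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}

# Append "umask 0077" to the profile file $1 unless it already sets a umask,
# so running this twice does not produce two lines.
ensure_umask_line() {
    profile=$1
    if [ -f "$profile" ] && grep -q '^umask ' "$profile"; then
        return 0    # already configured, leave the file alone
    fi
    printf '\numask 0077\n' >> "$profile"
}

# Show the difference: 0022 leaves files world-readable, 0077 does not.
echo "umask 0022 -> $(mode_under_umask 0022)"
echo "umask 0077 -> $(mode_under_umask 0077)"

# Try the profile change on a constructed copy, not on /etc/skel itself.
demo=$(mktemp -d)
printf '# constructed .bash_profile\n' > "$demo/.bash_profile"
ensure_umask_line "$demo/.bash_profile"
ensure_umask_line "$demo/.bash_profile"
cat "$demo/.bash_profile"
rm -rf "$demo"
```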

To enhance the security, I do not recommend giving user home directories the same names as their account names. This correspondence may play into the hands of hackers. Once a miscreant knows a user's home directory name, he or she can easily figure out the corresponding user login, and vice versa.

Simply adding some sort of a prefix to a user home directory will make the malefactor's job at least somewhat more difficult.

4.3.2. Modifying the User Default Settings

Now take a look at where the user default settings come from. They are stored in the /etc/default/useradd file. The following are the contents of this file:

 # useradd defaults file
 GROUP=100
 HOME=/home
 INACTIVE=-1
 EXPIRE=
 SHELL=/bin/bash
 SKEL=/etc/skel

This file can be edited manually or with the help of the useradd command. You will see how to do this a little later.

I would like, however, to comment on the GROUP parameter. It equals 100 and, theoretically, all new users are supposed to be placed into this group. But, as you could see in Section 4.3, this does not happen. Red Hat ignores this parameter, and by default when a new user is created, a corresponding new user group is also created. This parameter, however, may be used in other distributions, so it is a good idea to check whether it is.

The number 100 is the identifier of a user group with limited rights. It is something like a guest account, which gives only the right to view files.

The useradd command is also used to either display or update default values of the new user's settings. It is done by issuing the command with the -D option and specifying the following options:

  • -g The new default user group

  • -b The new default new user home directory

  • -f The new default number of days after the password has expired before the account will be disabled

  • -e The new default account expiration date

  • -s The new default shell (command interpreter)

If no options are specified, the command simply displays the current default values of the new user settings.

I advise you not to ignore the account expiration date option. Assume that your company is being audited and the auditors request access to your databases and certain files. In this case, when creating a new account for the auditors to use, set its expiration date to give them 1 day of work (or whatever they may need). Then you will not have to keep it in your head or write it down in a notebook (which you still have to remember to consult) that on a certain date you have to delete this account: it will become inactive by itself.

Some administrators generate temporary users without taking any organized steps for deleting them. This presents a serious security threat, because users of temporary accounts do not normally use strong passwords. Indeed, why bother remembering something like oPih#vg9jGle that you will have to use for a few days only? By deactivating an account that is no longer needed (automatically or manually), you close one of the passages that can be used by a miscreant to penetrate your system. When you see off a guest and come back into your house or apartment, you lock the entrance door behind you to keep unwelcome visitors out. The same applies to the operating system; once a temporary user leaves, close the door after him or her, that is, remove his or her account.
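As an added example (not from the book), the following script audits entries in /etc/shadow format for two of the conditions discussed above: accounts with an empty password field, which can be entered with no password at all, and accounts that carry a usable password but no expiration date, which is what a forgotten temporary account looks like. The sample entries are constructed; point audit_shadow at the real file to check a system.

```shell
#!/bin/sh
# Added example, not from the book. The shadow fields used here are:
#   1 login, 2 password hash, 8 account expiration date (days since epoch).
# The entries below are constructed; the hashes are placeholders.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
robert:!!:19000:0:99999:7:::
auditor:$6$saltsalt$hashhashhash:19000:0:99999:7::19001:
guest::19000:0:99999:7:::'

# Print logins whose password field is empty: login asks for no password.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print logins that have a password hash but no expiration date (field 8).
# Entries locked with "!" or "*" (such as robert's "!!") are skipped, because
# they cannot be used to log in.
never_expiring_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $8 == "" { print $1 }' "$1"
}

# Summarise both findings for the shadow-format file $1.
audit_shadow() {
    file=$1
    echo "passwordless accounts: $(passwordless_accounts "$file" | tr '\n' ' ')"
    echo "no expiration date:    $(never_expiring_accounts "$file" | tr '\n' ' ')"
}

# Run the audit over the constructed sample in a temporary file.
sample=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$sample"
audit_shadow "$sample"
rm -f "$sample"
```

root is listed only because the sample gives it no expiration date; on a real system you would expect that for permanent accounts and look instead for guest or contractor logins in that list.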

4.3.3. Modifying a User Account

A user account can be modified directly by editing the /etc/passwd file. However, I recommend using the usermod command for this purpose. It uses the same options as the useradd command, but instead of creating a user account, it modifies the settings of an already-existing one.

You can use this command to add an existing user to an existing group. Do this with the user account robert; assign it to the root group to allow the user perform some administrative functions:

 usermod -G root robert 

The command was executed with the -G option, which specifies the groups to which the user is to belong (the root group in this case). Several groups, delimited by commas, can be specified. More detailed information about the usermod command can be found in the usermod man page.

4.3.4. Deleting a User

A user can be deleted by the userdel command, with the user account to be deleted as the argument. For example, user Denver is deleted by the following command:

 userdel Denver 

The user to be deleted cannot be currently logged in.

The command as used here does not delete the user's directory; you have to do this manually. Issuing the command with the -r option will delete the user's home directory, along with the files in it:

 userdel -r Denver 

I strongly recommend that you do not use the command in this way. Always delete directories manually, after ascertaining that there are no files that you do not wish to delete in them.

If there are no other members of the group of the user being deleted, the user group can also be deleted by the groupdel command.

4.3.5. A Few Remarks

To completely understand the process of creating user accounts, you have to be familiar with the /etc/login.defs file. The settings used when adding users are stored in this file. Listing 4.1 shows the contents of the file.

Listing 4.1: The contents of the /etc/login.defs file

 # *REQUIRED*
 #   Directory where mailboxes reside, _or_ name of file,
 #   relative to the home directory. If you _do_ define
 #   both, MAIL_DIR takes precedence.
 #   QMAIL_DIR is for Qmail
 #
 #QMAIL_DIR      Maildir
 MAIL_DIR        /var/spool/mail
 #MAIL_FILE      .mail

 # Password aging controls:
 #
 #PASS_MAX_DAYS  Max number of days password may be used.
 #PASS_MIN_DAYS  Min number of days allowed between
 #               password changes
 #PASS_MIN_LEN   Min acceptable password length
 #PASS_WARN_AGE  Number of days warning given
 #               before a password expires
 #
 PASS_MAX_DAYS   99999
 PASS_MIN_DAYS   0
 PASS_MIN_LEN    5
 PASS_WARN_AGE   7

 #
 # Min/max values for automatic UID selection in useradd
 #
 UID_MIN         500
 UID_MAX         60000

 #
 # Min/max values for automatic GID selection in groupadd
 #
 GID_MIN         500
 GID_MAX         60000

 #
 # If defined, this command is run when removing
 # a user. It should remove any at/cron/print jobs
 # etc. owned by the user to be removed (passed as the
 # first argument).
 #
 #USERDEL_CMD    /usr/sbin/userdel_local

 #
 # If useradd should create home directories for users by
 # default on RH systems, we do. This option is ORed with
 # the -m flag on useradd command line.
 #
 CREATE_HOME     yes

The file contains some interesting settings that can be used to enhance the system security. The function of the parameters is explained in the comments to them. I would only like to expand on one of them:

  • PASS_MIN_LEN Minimum acceptable password length. It is used only in the passwd command; the useradd command ignores it. In most distributions, the value of this parameter is 5. I recommend changing it to at least 8. This will make it impossible to set the qwerty password so beloved by so many users.

4.3.6. Cracking Passwords

I want to remind you again about the danger of using simple passwords, not only by the administrators but also by the lowest system user. There are lots of exploits that allow a simple user to raise his or her rights to those of the administrator. But to use such an exploit, the hacker first has to enter the system as that simple user.

To prevent this, all users, no matter what their rights may be, must use strong passwords. If a hacker obtains access to the /etc/shadow file with, for example, 1,000 password entries, the task of picking at least one password becomes significantly easier. As you remember, the passwords stored in the /etc/shadow file are irreversibly encrypted. This means that when picking the password using a straight-search method, each possible combination is also encrypted and then compared with the corresponding entry in the /etc/shadow file. Because the encryption is a rather processor-intensive process, this takes a long time if working with only one entry.

But having 1,000 entries speeds up the process practically a thousandfold, because the encryption has to be done only once, with the result compared with all 1,000 entries. The chances of a hit increase several times.

When hackers lay their hands on the /etc/shadow file, the first thing they do is check for entries, in which the password is the same as the login. You won't believe how often this happens: If the password file is large enough, chances are one out of ten passwords will be the same as the corresponding login.

If this does not work, then the dictionary method is resorted to. Here the chances of a successful hit are close to 100%, because out of ten users there is bound to be one beginner who will use a simple password. You should instruct every new user in the fine art of password creation and periodically run a program to detect weak passwords, such as those made up of common words. If you can pick such passwords, hackers can do this even more easily.



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141
