Chapter 4: Basic Configuration and Administration




After installation is complete, you still have work to do. To customize the system to meet your needs, user accounts need to be set up, filesystems must be configured, and additional packages may need to be added or removed.

This chapter will get you started with the basics that every RHCE (and many RHCT) level administrator should know. At the end of this chapter, you should know how to manage user accounts and environments, configure and mount filesystems, use RPM to manage packages, manage system daemons, and configure virtual consoles, keyboards, and mice.

Certification Objective 4.01: Adding, Deleting, and Modifying User Accounts

The default Red Hat installation gives you just a single login account: root. You should set up some regular user accounts. Even if you're going to be the only user on the system, it's a good idea to create at least one nonadministrative account to do your day-to-day work. Then you can use the root account only when it's necessary to administer the system. Accounts can be added to Red Hat Enterprise Linux systems using various utilities, including the vi text editor (the manual method), the useradd command (the command line method), and the Red Hat User Manager utility (the graphical method).

start sidebar
Inside The Exam

Administrative Skills

When you take the Red Hat exams, as long as you don't cheat, it generally does not matter how you come to a solution. For example, you get the same credit whether you add users by directly editing /etc/passwd, using commands such as useradd, or using GUI tools such as the Red Hat User Manager (redhat-config-users). As in the real world, it is the result that matters.

When available, I present more than one method of configuring your Linux computer. Unless otherwise directed on the exam, the method you select is up to you. In general, I believe it is better and faster to configure Linux directly from the command line interface. But if you get nervous on an exam and forget how to use chkconfig to enable a service at runlevels 3 and 5, it's okay to use Red Hat's GUI Service Configuration Utility. GUI tools just take more time to start, to manage, and to execute.

Many of the skills in this chapter apply only to the RHCE. If you're using this book to study for the RHCT, consult the syllabus for the Red Hat RH133 course at www.redhat.com for more information.

end sidebar

Exam Watch 

As discussed earlier, it's faster (but less safe) to log in as root (and not just the super user). While you'll be doing most of the work on the Red Hat exams as root, it's quite possible that you'll be asked to create accounts for regular users (and groups) to configure a workstation. As RHCT requirements are part of the RHCE exam, this applies to both exams.

User Account Categories

There are three basic types of Linux user accounts: administrative (root), regular, and service. The administrative root account, which is created automatically when you install Linux, has administrative privileges for all services on your Linux computer. A cracker who has a chance to take control of this account can take full control of your system.

Nevertheless, there are times when it is appropriate to log in as an administrator (that is, as the root user), such as during most of the Red Hat exams. Red Hat Enterprise Linux builds in safeguards for root users. Log in as the root user, and then run the alias command. You'll see entries such as:

alias rm='rm -i'

which prompt for confirmation before the rm command deletes a file. Unfortunately, a command such as rm -rf directoryname would supersede this safety setting.

Regular users have the necessary privileges to perform standard tasks on a Linux computer. They can access programs such as word processors, databases, and Web browsers. They can store files in their own home directories. Since regular users do not normally have administrative privileges, they cannot accidentally delete critical operating system configuration files. You can assign a regular account to most users, safe in the knowledge that they can't disrupt your system with the privileges they have on that account.

Services such as Apache, Squid, mail, games, and printing have their own individual service accounts. These accounts exist to allow each of these services to interact with your computer. Normally, you won't need to change any service account, but if you see that someone has logged in through one of these accounts, be wary. Someone may have broken into your system.

On The Job 

To review recent logins, run the utmpdump /var/log/wtmp | less command. If the login is from a remote location, it will be associated with a specific IP address outside your network.

Basic Command Line Tools

There are two basic ways you can add users through the command line interface. You can add users directly by editing the /etc/passwd file in a text editor such as vi. Alternatively, you can use text commands customized for the purpose.

Exam Watch 

You'll probably need to know how to use the vi editor during the Troubleshooting and System Maintenance exam. Other editors such as joe, pico, or emacs are no longer available. I therefore focus on the vi editor throughout this book.

Adding Users Directly

Open the /etc/passwd file in the text editor of your choice. If you've added regular users to your system, you'll normally see them listed at the bottom of this file. Scroll around this file, and you should see a series of lines like the following:

mj:x:500:500:Michael Jang:/home/mj:/bin/bash

Each column in /etc/passwd, delineated by a colon, has a purpose, which I describe in Table 4-1.

Table 4-1: The Anatomy of /etc/passwd

| Field | Example | Purpose |
|---|---|---|
| Username | mj | The user logs in with this name. Usernames can include hyphens (-) or underscores (_). However, they should not start with a number or include uppercase letters. RHEL limits usernames to 32 characters. |
| Password | x | The password. You should see either an 'x,' an asterisk (*), or a seemingly random group of letters and numbers. An 'x' points to /etc/shadow for the actual password. An asterisk means the account is disabled. A random group of letters and numbers represents the encrypted password. |
| User ID | 500 | The unique numeric user ID (UID) for that user. By default, Red Hat starts user IDs at 500. |
| Group ID | 500 | The numeric group ID (GID) associated with that user. By default, Red Hat Enterprise Linux creates a new group for every new user. Some other Linux and Unix systems assign all users to the default Users group (GID=100). |
| User info | Michael Jang | You can enter any information of your choice in this field. Standard options include the user's full name, telephone number, e-mail address, or physical location. You can leave this blank. |
| Home Directory | /home/mj | By default, RHEL places new home directories in /home/username. |
| Login Shell | /bin/bash | By default, RHEL assigns users to the bash shell. You can change this to any legal shell that you have installed. |

You can create a new user in /etc/passwd by copying and then editing a line associated with an existing user. Just substitute the information of your choice to create the new user. Make sure that you at least assign a new username and user ID.

Assuming you've assigned a new home directory for your new user, you have to remember to create that directory. For example, if your new user is ez, you'll probably want to create the /home/ez directory. You'll also need to make sure that ez has ownership permissions on that directory and all of the files that you're going to put in that directory.

You can then populate that new user's home directory. A default environment is available in the /etc/skel directory. You can copy the contents of that directory to the new user's home directory. The /etc/skel directory is covered in more detail later in this chapter.
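A hand-edited /etc/passwd is easy to get subtly wrong, so it is worth checking the result against the field rules in Table 4-1. The following script is an added example, not part of the book: it audits passwd-format lines for malformed entries, rule-breaking usernames, password hashes left in the world-readable file, extra UID 0 accounts, duplicate UIDs, and service accounts with a login shell. The sample data is constructed, and the assumption that UIDs 1-499 are service accounts is a heuristic based on Red Hat starting regular UIDs at 500.

```sh
#!/bin/sh
# Added example: audit passwd-format lines against the field rules in Table 4-1.
# SAMPLE_PASSWD is constructed data; only the mj line comes from the chapter.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/bin/bash
mj:x:500:500:Michael Jang:/home/mj:/bin/bash
ez:x:500:501::/home/ez:/bin/bash
toor:x:0:0::/root:/bin/bash
2fast:x:502:502::/home/2fast:/bin/bash
vp:CONSTRUCTEDHASH:503:503::/home/vp:/bin/bash
broken:x:504:504:/home/broken'

# audit_passwd: read passwd-format lines on stdin, print one finding per line.
audit_passwd() {
    awk -F: '
    NF != 7 { print "FIELDS " $1 ": expected 7 fields, found " NF; next }
    {
        name = $1; uid = $3 + 0; shell = $7
        # Username rules from Table 4-1: no leading digit, no uppercase, <= 32 chars.
        if (name ~ /^[0-9]/ || name ~ /[A-Z]/ || length(name) > 32)
            print "NAME " name ": breaks the username rules"
        # x defers to /etc/shadow and * disables; anything else is a hash that
        # every local user can read, because /etc/passwd is world-readable.
        if ($2 != "x" && $2 != "*")
            print "PASSWD " name ": password field is not x or *"
        if (uid == 0 && name != "root")
            print "UID0 " name ": has the same privileges as root"
        if (uid in seen)
            print "DUPUID " name ": shares UID " uid " with " seen[uid]
        else
            seen[uid] = name
        # Heuristic (assumption): UIDs 1-499 are service accounts, which
        # rarely need an interactive shell.
        if (uid > 0 && uid < 500 && shell ~ /sh$/)
            print "SVCSHELL " name ": service account with login shell " shell
    }'
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

To check a live system, run audit_passwd < /etc/passwd; no output means no findings.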

Adding Users to a Group

Every Linux user is assigned to a group. By default in RHEL 3, every user gets their own private group. By default, they are the only member of that group, as defined in the /etc/group configuration file. Open that file in the editor of your choice. You should see lines similar to the following:

mj:x:500:
vp:x:501:
managers:x:1000:mj,vp

The contents are straightforward. The users mj and vp are members of their own groups, as well as the managers group. The four columns in each /etc/group line are described in Table 4-2.

Table 4-2: The Anatomy of /etc/group

| Field | Example | Purpose |
|---|---|---|
| Groupname | mj | Each user gets their own group, with the same name as their username. You can also create unique groupnames. |
| Password | x | The password. You should see either an 'x' or a seemingly random group of letters and numbers. An 'x' points to /etc/gshadow for the actual password. A random group of letters and numbers represents the encrypted password. |
| Group ID | 500 | The numeric group ID (GID) associated with that user. By default, Red Hat Enterprise Linux creates a new group for every new user. |
| Group members | mj,vp | Lists the usernames that are members of the group. If blank, and there is a username that is identical to the groupname, that user is the only member of that group. |

Adding Users at the Command Line

Alternatively, you can automate this process with the useradd command. If you wanted to add a new user named pm, you could just type useradd pm to add this user to the /etc/passwd file. By default, it creates a home directory, /home/pm, adds the standard files from the /etc/skel directory, and assigns the default shell, /bin/bash. But useradd is versatile. It includes a number of command options, shown in Table 4-3.

Table 4-3: useradd Command Options

| Option | Purpose |
|---|---|
| -u UID | Overrides the default assigned UID. By default, in RHEL this starts at 500 and can continue sequentially to 65536. |
| -g GID | Overrides the default assigned GID. By default, RHEL assigns the same GID and UID numbers to each user. The GID you assign must be either 100 (users) or already exist. |
| -c info | Enters the comment of your choice about the user, such as his or her name. |
| -d dir | Overrides the default home directory for the user, /home/username. |
| -s shell | Overrides the default shell for the user, /bin/bash. |

Assigning a Password

You can now use the passwd username command to assign a new password to that user. For example, the passwd pm command lets you assign a new password to user pm. You're prompted to enter a password twice. RHEL is configured to discourage passwords that are based on dictionary words or are shorter than six characters for security reasons. Nevertheless, such passwords are legal, and such a password is accepted by the passwd command when you type it in a second time.

On The Job 

Good passwords are important. Any cracker who may have tapped into your network can try to match the password of any of your users. A password cracking program may be able to find dictionary word passwords in a matter of minutes. In contrast, it may take hours to crack a more complex password such as Ila451MS (which could stand for 'I live at 451 Main Street').

The Red Hat User Manager

As of this writing, the Red Hat User Manager can be run only from the Linux graphical user interface (GUI). If you're not in a GUI, and have installed the needed software, the startx command moves you into the GUI, as shown in Figure 4-1.

Figure 4-1: The Red Hat GNOME GUI

Pay attention to the figure of the Red Hat in the lower-left corner of the desktop; it starts program menus like the GNOME foot, the KDE K, or the Microsoft Windows Start buttons. Red Hat refers to it as the 'Main Menu' button, which is the term I'll use throughout this book.

On The Job 

Red Hat has text-based versions of several of its graphical tools. I believe that they will develop text-based versions of GUI tools such as the Red Hat User Manager (redhat-config-users) sometime in the near future. But that does not help you on the current Red Hat exams.

If you're already in a Linux GUI, you can start the Red Hat User Manager in one of two ways. Enter redhat-config-users from a command line interface in the GUI, or click Main Menu | System Settings | Users and Groups. (This notation indicates you should click the Main Menu button, the 'Red Hat', in the lower-left corner of the Taskbar, then click System Settings followed by Users in the menus that appear.) Figure 4-2 shows the Red Hat User Manager window.

Figure 4-2: The Red Hat User Manager

On The Job 

If you have not logged in as the root user, you'll be prompted for a root password before opening administrative tools such as the Red Hat User Manager.

Exercise 4-1: Adding a User with the Red Hat User Manager

start example

To add a user with the Red Hat User Manager:

  1. Start the Red Hat User Manager. You can do this in one of two ways. Right-click on the desktop, and click New Terminal in the pop-up menu that appears. Type redhat-config-users in the command line terminal. Alternatively, click Main Menu | System Settings | Users and Groups.

  2. In the Red Hat User Manager, click the Add User button, or click File | Add User. This will open the Create New User window, as shown here:

  3. Complete the form. All entries are required, except Full Name. The entries are fairly self-explanatory; see the previous sections for more information on each field. The password should be at least six characters and should contain a mix of upper- and lowercase letters, numbers, and symbols to keep it more secure from the standard password cracking programs.

  4. Enter the identical password in the Confirm Password field.

  5. Click OK when you are done.

  6. Repeat the process as desired for any additional new users you're expected to support.

end example

User Account Management Tips

Although creating user accounts may seem to be a straightforward process, there are a few things that you should consider when configuring new users:

  • By default, RHEL 3 configures individual private group IDs (GID) for each user. As this associates each user with their own exclusive group, this is also known as the Red Hat User Private Group scheme. In the default Red Hat scenario, everyone has a unique private GID (which corresponds to their UID), and regular users do not have access to other users' home directories. These users can still share access to special directories; see Chapter 11 for more information.

  • If your configuration doesn't require each user to have his or her own GID, or if you have no need for the security associated with the User Private Group scheme, you can assign all of your users to the Users group, with a GID of 100. In many cases, this can make system administration easier.

  • Discourage the use of shared accounts, where several people use a single account. Shared accounts are almost always unnecessary and are easily compromised.

  • If you'll be using the Network File System (NFS), make sure all users have the same UID on every system on the network. This can be problematic. One alternative is the Network Information System (NIS). NIS supports a centralized database of users and passwords for users on all participating computers. For more information on NIS, see Chapter 9.

    On The Job 

    The Red Hat standard where every user is a member of his or her own exclusive group is known as the User Private Group scheme, which I describe in more detail in Chapter 11.

Deleting a User Account

Removing user accounts is a pretty straightforward process. The easiest way to delete a user account is with the userdel command. By default, this command does not delete that user's home directory. Alternatively, the userdel -r username command deletes that user's home directory along with all of the files stored in that home directory.

This is a lot faster than the GUI method, where you start the X Window System, open the Red Hat User Manager, select the user, and then click Delete. While it's probably easier for a less experienced user to remember the GUI method, text commands are faster.

Exam Watch 

If you know both the text and GUI tools to perform a task, use the text method. It almost always saves time.

Modifying a User Account

As a Linux administrator, you may want to add some limitations to your user accounts. The easiest way to illustrate some of what you can do is through the Red Hat User Manager. Start the Red Hat User Manager, select a currently configured user, and then click Properties to open the User Properties dialog box.

Click the Account Info tab for the account expiration information shown in Figure 4-3. As shown in the figure, you can limit the life of an account so that it expires on a specific date, or you can disable an account by locking it. Click the Password Info tab.

Figure 4-3: Managing user account life

As shown in Figure 4-4, you can set several characteristics related to an individual user's password. Even when you set good passwords, frequent password changes can help provide additional security. The categories shown in the figure are self-explanatory; a 0 in any of these text boxes means that the limit does not apply.

Figure 4-4: Configuring password information

Click the Groups tab. Users can belong to more than one group in Linux. Under the Groups properties tab shown in Figure 4-5, you can assign the subject user to other groups. For example, if you want to collect the files supporting the managers in your company together in a directory, you can give access to these files to the group named managers. Alternatively, you can then assign members of that project team to the project group through the Groups tab.

Figure 4-5: Assigning groups

Exam Watch 

You may not have access to a GUI during the troubleshooting portion of either Red Hat exam. Therefore, you need to know how to manage users independent of GUI tools such as the Red Hat User Manager. In any case, text-based tools are almost always faster.

Regular User Management Commands

While the Red Hat User Manager GUI utility is convenient, it's often faster to perform the associated administrative functions at the command line interface. I've described some of these commands such as useradd and userdel. Two other key user administration commands are usermod and chage.

usermod

The usermod command modifies various settings in /etc/passwd. It also allows you to set an expiration date for an account or an additional group. For example, the following command sets the account associated with user test1 to expire on June 8, 2004:

# usermod -e 2004-06-08 test1

The following command makes user test1 a member of the special group:

# usermod -G special test1

chage

You can use the chage command to manage the expiration date of a password. Password aging information is stored in the /etc/shadow file. In order, the columns in /etc/shadow are shown in Table 4-4. The associated chage switch is shown with each description entry. For example, if you wanted to require that user test1 keep a password for at least two days, use the chage test1 -m 2 command.

Table 4-4: The Anatomy of /etc/shadow

| Column | Field | Description |
|---|---|---|
| 1 | Username | Username |
| 2 | Password | Encrypted password; requires an 'x' in the second column of /etc/passwd |
| 3 | Password history | Date of the last password change, in number of days after January 1, 1970 |
| 4 | mindays | Minimum number of days which you must keep a password (-m) |
| 5 | maxdays | Maximum number of days after which a password has to be changed (-M) |
| 6 | warndays | Number of days before password expiration when a warning is given (-W) |
| 7 | inactive | Number of days after password expiration when an account is made inactive (-I) |
| 8 | disabled | Number of days after password expiration when an account is disabled (-E) |
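The aging columns are easier to reason about when you see them evaluated for a given day. The following script is an added example, not part of the book: it reads shadow-format lines and reports each account's password-aging state from columns 3 through 7 of Table 4-4. The sample lines are constructed, HASH is a placeholder for an encrypted password, and treating a maxdays value of 99999 or more as "no aging" is an assumption of this example.

```sh
#!/bin/sh
# Added example: report password-aging state from shadow-format lines,
# using columns 3-7 of Table 4-4. All sample lines are constructed; HASH
# stands in for an encrypted password.
SAMPLE_SHADOW='test1:HASH:12570:2:30:7:14:
mj:HASH:12500:0:60:7::
vp:HASH:12552:0:30:7:14:
ez:HASH:12400:0:99999:7::
pm:HASH:0:0:30:7::
old:HASH:12500:0:30:7:14:'

# shadow_aging TODAY: TODAY is a day count since January 1, 1970, the same
# unit as column 3. Reads shadow-format lines on stdin.
shadow_aging() {
    awk -F: -v today="$1" '
    {
        user = $1
        if ($3 == "") { print "NOAGING " user ": no last-change date recorded"; next }
        if ($3 + 0 == 0) { print "MUSTCHANGE " user ": change forced at next login"; next }
        if ($5 == "" || $5 + 0 >= 99999) {
            print "NOAGING " user ": no effective maximum age (-M)"; next
        }
        left = ($3 + $5) - today      # last change + maxdays - today
        if (left >= 0) {
            status = (left <= $6 + 0) ? "WARN" : "OK"
            print status " " user ": password expires in " left " days"
        } else if ($7 != "" && -left > $7 + 0)
            print "INACTIVE " user ": expired " (-left) " days ago, beyond the " $7 "-day limit (-I)"
        else
            print "EXPIRED " user ": expired " (-left) " days ago"
    }'
}

# Day 12577 is June 8, 2004, the date used in the usermod example.
printf '%s\n' "$SAMPLE_SHADOW" | shadow_aging 12577
```

On a live system, run it as root against the real file: shadow_aging "$(( $(date +%s) / 86400 ))" < /etc/shadow.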

Limiting Access to su

As described earlier, I've recommended that you use the root account during the Red Hat exams. However, I assume you still need to configure Linux computers in real life. One security measure that can help is to limit regular users who can access the root account via the su command. This takes two basic steps.

First, you'll need to add the users who you want to allow access to the su command. Make them a part of the wheel group. By default, this line in /etc/group looks like:

wheel:x:10:root

You can add the users of your choice to the end of this line directly, with the usermod -G wheel username command, or with the Red Hat User Manager.

Next, you'll need to make your Pluggable Authentication Modules (PAM) configuration check for this group. You can do so by activating (uncommenting) the following line in your /etc/pam.d/su file:

# auth   required /lib/security/$ISA/pam_wheel.so use_uid
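Both steps can be verified with a short script. The following is an added example, not part of the book: it checks whether an uncommented "auth required ... pam_wheel.so" line is present in a su PAM file and lists the wheel members from a group file. The sample files are constructed, with the required line in the form quoted above; the pam_rootok.so line and the "sufficient ... trust" line (which would let wheel members use su without a password) are included as illustrative assumptions.

```sh
#!/bin/sh
# Added example: verify that su is limited to the wheel group.
# make_samples writes constructed files; the required pam_wheel line follows
# the form quoted in the chapter, the other lines are illustrative.
make_samples() {   # usage: make_samples DIR
    cat > "$1/su.before" <<'EOF'
auth       sufficient   /lib/security/$ISA/pam_rootok.so
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# auth   required /lib/security/$ISA/pam_wheel.so use_uid
EOF
    # The edit described in the text: remove the leading "# " from the required line.
    sed 's|^# *\(auth  *required .*pam_wheel\.so use_uid\)|\1|' \
        "$1/su.before" > "$1/su.after"
    printf 'wheel:x:10:root,mj\nmj:x:500:\n' > "$1/group"
}

# su_wheel_status PAM_SU_FILE GROUP_FILE: print the effective su policy.
su_wheel_status() {
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$2")
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so' "$1"; then
        echo "RESTRICTED: su requires wheel membership (members: ${members:-none})"
    else
        echo "OPEN: pam_wheel is not required, so any account may attempt su"
    fi
    # An active "sufficient ... trust" line skips the password check for wheel members.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_wheel\.so.*trust' "$1"; then
        echo "TRUST: wheel members can su without a password"
    fi
}

demo() {
    d=$(mktemp -d) && make_samples "$d"
    su_wheel_status "$d/su.before" "$d/group"
    su_wheel_status "$d/su.after" "$d/group"
    rm -rf "$d"
}
demo
```

On a live system, run su_wheel_status /etc/pam.d/su /etc/group after making the change.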






RCHE Red Hat Certified Engineer Linux Study Guide[c] Exam (Rh302)
ISBN: 71765654
EAN: N/A
Year: 2003
Pages: 194
