CS469/569
Home
Course Info
Contact
Course materials
Lessons
Syllabus
In Class Code
Course Policy
Assignments
Homework
Quizzes and Tests
Resources
Links
logoISU  

CS469/569 - Linux and Unix Administration and Networking

Spring 2022

User administration:

Reading:

man 5 passwd
man 5 shadow
man 5 group
man 5 gshadow

User management commands:

# useradd [-D] [lots of options]

  • adds a user to the system
  • -D show defaults

# userdel [-r] username

  • delete a user, (-r to remove their home directory as well)

# usermod [lots of options]

  • modify user (changes fields about a user in the user databases (/etc/passwd, /etc/group, etc.)


# adduser

  • script wrapper to useradd

# newusers

  • Add users in bulk, takes a file that is /etc/passwd formatted, with new users to be added, and adds those accounts in bulk.


> chfn [username]

  • Change finger (gecos) information. Requires super-user access to change another users information.

> chsh [username]

  • Change default login shell. Requires super-user access to change another users login shell.

> passwd [-l|-u] [username]

  • Change password for a user. -l will lock their account (prevent login), and -u will unlock their account.

# chpasswd

  • change passwords in bulk


# chage [-l] user

  • change password expiration for a user. (-l show aging information)

Group management commands:

# groupadd group
# groupmod group
# groupdel group
# gpasswd group

  • administer group / gshadow files (in a manner similar to the user* commands)

Files:

/etc/default/useradd

  • defaults for useradd

/etc/skel/

  • Default files for a new user's home directory.

/etc/passwd (man 5 passwd)

  • The user account database, contains the following fields in this order:
    • username
    • password (depreciated): x means it's stored in /etc/shadow
    • uid (User ID)
    • gid (default Group ID)
    • comment / gecos field (General Electric Comprehensive Operating System), personal information displayed by finger, includes Real Name, office and personal address and phone numbers. Set with chfn.
    • home directory
    • login shell (set with chsh)

/etc/shadow (man 5 shadow)

  • The user accounts hashed passwords are stored in this file. It is only accessible to privileged commands to prevent a hacker from seeing the hashes. Contains the following fields:
    • username
    • encrypted password (Passwords starting with ! are locked)
    • date of last password change (# of days since Jan 1 1970)
    • minimum password age
      • # of days before user can change password again.
      • empty = no minimum
    • maximum password age
      • # of days after which the user will have to change their password
      • empty = no maximum
      • < minium = cannot change password
    • warning period
      • # of days before expiry to warn user)
      • empty/0 = no warning
    • inactivity period
      • # of days password is accepted after expiry)
    • account expiration date
      • # of days since Jan 1 1970 after which the account is expired and the user cannot login.
      • empty = never expires (do not use 0)
    • reserved field

/etc/group (man 5 group)

  • The groups database, contains the following fields:
    • group name
    • group password (x = found in /etc/gshadow)
    • gid (Group ID)
    • comma seperated user list of group members.

/etc/gshadow (man 5 gshadow)

  • The hashed group passwords database
    • group name
    • encrypted password
      • Used when a non-group member wishes to gain group access (via newgroup)
    • administrators
      • Comma seperated list of user that can change the group password or members, admins are automatically members
    • members
      • List of users belonging to the group. They are not prompted for a password to join the group.
      • Should be the same as /etc/group

/etc/passwd-
/etc/shadow-
/etc/group-
/etc/gshadow-

  • backup files, the original is copied to the backup before it is modified.

> diff /etc/passwd /etc/passwd-

  • shows last change to passwd file.

Manual editing of passwd/shadow or group/gshadow databases:

These programs lock the file being edited such that it cannot be modified by programs such as passwd, chsh, etc while you're editing it. Should only be used when making complicated or large edits. The editor invoked is defined by the EDITOR environment variable or vi by default.

# vipw [-s]

  • edit passwd / shadow (-s) file

# vigr [-s]

  • edit group / gshadow (-s) file

Switching users/groups

> sudo [-i | -s ] [ command ]

  • Execute a command or start an interactive shell (-s) or login shell (-i) as another user (by default root.)

# su [-] [username] [-c command] [-p]

  • switch user, - invokes a login shell, -p preserves the same environment as the calling user.

# newgroup [-] [group]

  • switch group

# sg [-] [group [-c ] command]

  • like newgroup but accepts a command

> id

  • Display current user/uid and group names/gid's.

> groups

  • Display current group memberships

> login

  • begins a new login session, usually started by gettys on the console, not a command a normal user would use.

Files:

/etc/sudoers

  • sudo configuration file, usually reads sub-configuration files from /etc/sudoers.d/

/etc/login.defs (man 5 login.defs)

  • Controls aspects of the programs in the shadow password suite.

/etc/profile
/etc/csh.login
/etc/profile.d/*

  • Startup scripts for a login shell.

Displaying logins:

> last

  • Display last logins in reverse order.

> sac / ac

  • System login accounting, displays login accounting (usage.)

> dump-utmp / rawtmp

  • Dump out utmp/wtmp data in human readable format.

> finger
> w
> who
> users

  • Display who is currently logged in.

Files:

/var/run/utmp

  • Currently logged in database, used by programs such as w, who, users, and finger.

/var/log/wtmp

  • Login/logout database, used by ac (sac), and last.

Checking Log files:

Log files in /var/log/*

/usr/sbin/klogd

  • System daemon that logs kernel messages (usually through the syslog facility.)

# dmesg

  • Prints kernel messages to the console.

/usr/sbin/syslogd

  • System logging daemon, services send messages to syslogd via a socket and syslog logs them according to its configuration in /etc/syslog.conf.

> logger [options] [message]

  • Command line tool to log messages to the syslog facility.

# logrotate

  • Rotate/compress/mail system logs (config file: /etc/logrotate.conf)

Quotas:

File-system quotas are a limit to the number of blocks of data that any specific user (or group) are allowed to use. The limit could be in blocks or number of inodes. There are two types of limits, a hard limit and a soft limit. No space can be used in excess of a hard limit (if present) no matter what, however space can be used in excess of a soft limit for a period of 7 days (the grace period) after which the limit becomes a hard-limit. An account or group can have either a hard or soft limit, both or neither.

In order for quotas to be enabled on a file-system the kernel needs to support quotas on that file-system and quotas need to be enabled by selecting the quota, usrquota or grpquota mount options for the file-systems you want to enable quotas on. Once a file-system has been mounted with quota support, quotas are only enabled once quotaon has been run for that file-system. Quotas can be disabled by running quotaoff for that file-system.

If quotas become out of sync or quotas are being enabled for a file-system for the first time, quotacheck should be run on the file-system to accumulate usage information for each user using the file-system and update/create the aquota.user file that will be found at each file-systems mount-point (the root of that file-system.)

# quotacheck [-v] [-a] [filesystem]

  • Check and update quota files.
    • aquota.user - User quota file

# quotaon [-a] [fs]

  • Enable quotas on a file-system or (-a) all file-systems.

# quotaoff [-a] [fs]

  • Turn quotas off on a filesystem or (-a) all file-systems.

> quota [-u|-g] [user | group]

  • Display user or group quota

# edquota [-pprotouser] [-u | -g] [ username | groupname ]

  • Edit user/group quota (in an editor). If -p is used, copies the quota information from the prototype user to the given account (useful in scripts to quickly set the quotas for a number of users.)

# setquota [options]

  • Command line quota editor

> warnquota

  • Send email to users over quota

> repquota
> quotastats

  • Quota reports / statistics.