MANAGING LOCAL LINUX USERS, GROUPS & PERMISSIONS.

User and Group Concepts in Linux

1. What is the usage of the ‘id’ command?

The main reason to use the id command is to find out what groups a user belongs to and sometimes to find out which user you are logged in as especially if you use the su command to switch between users.
In the latter case you can use the whoami command to find out who you are logged in as and you can use the groups command to find out which groups a user belongs to.
Prints a lot of information:
                                ♦user id
                                ♦username
                                ♦group id
                                ♦group name
                                ♦ id of other groups
                                ♦names of other groups

1

2. What is the purpose of the /etc/passwd file?

The /etc/passwd file contains basic user attributes. This is an ASCII file that contains an entry for each user. Each entry defines the basic attributes applied to a user. When you use the mkuser command to add a user to your system, the command updates the /etc/passwd file.

2

3. Explain a line in the /etc/passwd file using an example.

E.g.: –

3

♦ Username: It is used when user logs in. It should be between 1 and 32 characters in length.
♦ Password: An x character indicates that encrypted password is stored in /etc/shadow file. Please note that you need to use the passwd command to computes the hash of a password typed at the CLI or to store/update the hash of the password in /etc/shadow file.
♦ User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
♦ Group ID (GID): The primary group ID (stored in /etc/group file)
♦ User ID Info: The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command.
♦ Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
♦ Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.

4

4. What is the difference between Primary Groups and Supplementary Groups? Show using an example of a primary group.

♦ Primary Group: This is the group applied to you when you log in; in most user cases it has the same name as your login name. The primary group is used by default when creating new files (or directories), modifying files, or executing commands.
♦ Supplementary Groups: These are groups you are a member of beyond your primary group. As an example, this means that if a directory or file belongs to the www-data group (as used by the web server process in this case), then all www-data group members can read or modify these files directly.

5

5. Create a user named hwsec and a group call hwsecgrp. Are you allowed to perform this operation? What is the reason?

No, since we do not have created the Group it is unable to create a user in that group. In order to add the user we must first add the group under the group name hwsecgrp.

6

Gaining Super User Access

Escalate privileges to run commands as the super user.

1. What do you understand about a Super User?

Sudo, the one command to rule them all. It stands for “super user do!”. As a Linux system administrator or power user, it’s one of the most important commands.

7

2. What does it mean when the uid=0 and gid=0? Can multiple user account have with uid=0?

                         ♦ uid=user id
                         ♦ gid=group id.
Each uid is unique on a system (usually) but gids (=groups) can have many uids(=users) in them.

8

3. How can you run commands as root? What are the steps to create a root user?

                     ♦ Log in to your server as the root user.
                     ♦ Use the adduser command to add a new user to your system.
                     ♦ Use the usermod command to add the user to the wheel group
                     ♦ Test sudo access on new user account

94. Re-try creating a user named hwsec and a group call hwsecgrp. Are you allowed to perform this operation?

            No.

10

5. Set the password as abcd1234 for user hwsec. Add the user hwsec to a newly create group called hwsecgrp. Is hwsecgrp a primary or a supplementary group? Where can you find this piece of information?

          Supplementary.

11

6. What is the difference between using su and su- to gain super user access?

You are switching user to the root user and asking the system to change all the environment variables applicable to root and take me to the root’s home directory.
Using su – is same as logging into a fresh session on a terminal. 

But when you type only su without a dash (-) in that case the session is switched to root (if any username is not mentioned along with su command) without applying any of the environment variable of the root user.

12

 

Managing Local User Accounts and Local Group Accounts and Basic File Permissions

1. Use one or more of the following commands [ useradd | usermod | userdel | groupadd | groupdel ] to accomplish the tasks given in the following scenario. Assume you work as an Administrator for organization XYZ.
• HR and Accounts departments need separate folders in the /usr directory to store their respective information.
• Tiron and Ruvin are two associates joining HR, while Tania is a new recruit for Accounts. Their local accounts need to be created. Set all their passwords to hws@123.
• Only Tiron and Ruvin needs to have access to the HR folder while only Tania needs to have access to the Accounts folder. Show that this is the case by trying to create a file.

131415

Managing User Passwords

Manage password aging policies for users and manually lock, unlock, and expire accounts.

1. What is the purpose of the /etc/shadow file? What is the format of the /etc/shadow – show using an example?

Use to increase the security level of passwords by restricting all but highly privileged users’ access to hashed password data.

1617

 

1. Username: It is your login name.
2. Password: It is your encrypted password. The password should be minimum 8-12 characters long including special characters, digits, lower case alphabetic and more. Usually password format is set to $id$salt$hashed, the $id is the algorithm used On GNU/Linux as follows:
                   • $1$ is MD5
                   • $2a$ is Blowfish
                   • $2y$ is Blowfish
                   • $5$ is SHA-256
                   • $6$ is SHA-512
3. Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
4. Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
5. Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
6. Warn: The number of days before password is to expire that user is warned that his/her password must be changed
7. Inactive: The number of days after password expires that account is disabled
8. Expire: days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.

2. What are the three pieces of information stored in a modern password hash? Shown using an example.

18

1. The first field is a numerical number that tells you the hashing algorithm that’s being used.
2. The second field is the salt value.
3. The last field is the hash value of salt+user password (we will be discussing this shortly).
*What is the problem with using MD5?

Using salted md5 for passwords is a bad idea. Not because of MD5’s cryptographic weaknesses, but because it’s fast. This means that an attacker can try billions of candidate passwords per second on a single GPU.

3. Lock the user account hwsec.
    Unlock the user account hwsec.

If user passwd is not set and if we use usermod command to lock the account, it will show double exclamation sign.

19

4. Change the password policy for hwsec to require a new password every 90 days.

2021

5. Create a new user called pwduser and set the password pwd@123 and force a password change on the first login for the account.

Change the age of password to 0 day.
Syntax: – chage -d 0 {user-name}

22

23

6. Determine a date 180 days in the future.

24

7. Set the account pwduser to expire on that date.

25

8. Make sure that the password of any new user is changed every 60 days.

Need to set default password expiry using /etc/login.defs file
Open file /etc/login.defs using text editor, and setup values as needed.

25_2

 

 

S.H.M Lahiru Prabath Balasuriya.

 

 

 

 

 

 

 

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s