User Administration

User Administration:
 
In Solaris each user requires following details:
1. A unique user name
2. A user ID
3. home directory
4. login shell
5. Group to which the user belongs.

System files used for storing user account information are:
 
The /etc/passwd file: 
It contains login information for authorized system user. It displays following seven fields in each entry:
loginIDA string maximum of 8 chars including numbers & lowercase and uppercase letters. The first character should be a letter.
xIt is the password place holder which is stored under /etc/shadow file.
UIDUnique user ID. System reserves the values 0 to 99 for system accounts. The UID 60001 is reserved for the nobody account & 60002 is reserved for the noaccess account. The UID after 60000 should be avoided.
GIDGroup ID. System reserves the values 0 to 99 for system accounts. The GID numbers for users ranges from 100 to 60000.
commentGenerally contains user full name.
home directoryFull path for user's home directory.
login shellThe user's default login shell. It can be anyone from the list : Bourne shell, Korn shell, C shell, Z shell, BASH shell, TC shell.

 
Few default system account entries:
User nameUser IDDescription
root0Root user account which has access to the entire system
daemon1The system daemon account associated with routine system tasks
bin2The Administrative daemon account that is associated with routine system tasks
sys3The Administrative daemon account that is associated with system logging or updating files in temporary directories.
adm4The Administrative daemon account that is associated with system logging
lp71Printer daemon account


The /etc/shadow file:
It contains encrypted password.The encrypted password is 13 characters long and encrypted with 128 bit DESA encryption. 
The /etc/shadow file contains following fields:
loginID It contains the user's login name
password It contains the 13 letter encrypted password
lastchgNumber of days between 1st January & last password modification date.
minMinimum number of days to pass before you can change the password.
maxMaximum number of days after which a password change is necessary.
warnThe number of days prior to password expiry that the user is warned.
inactiveThe number of inactive days allowed for the user before the user account is locked.
expireThe number of days after which the user account would expire. The number of days are counted since 1st Jan 1970.
flagIt is used to track failed logins. It maintains count in low order.
 

The /etc/group file: 
It contains default system group entries. This file is used to create/modify the groups.The /etc/shadow file contains following fields:
groupnameIt contains the name assigned to the group. Maximum 8 characters.
group-passwordIt is group password and is generally empty due to security reasons.
GIDGroup's GID number.
username-listIt contains the list of secondary groups with which user is associated. This list is separated by commas and by default maximum of 15 secondary groups can be associated to each user.
 
The /etc/default/passwd File:
It is used to control the properties for all user passwords on the system. The /etc/default/passwd contains following fields:
MAXWEEKSIt is used to set the maximum time period in weeks for which the password is valid.
MINWEEKSIt is the minimum time period after which the password can be changed.
PASSLENGHTMinimum number of characters for password length.
WARNWEEKSIt sets the time period prior to password's expiry that the user should be warned.
NAMECHECK=NOSets the password controls to verify that the user is not using the login name as a component of password.
HISTORY=0Forces the passwd program to store the number of old passwords. The maximum number of allowed is 26.
DICTIONLIST=Causes the passwd program to perform dictionary word lookups from comma-separated dictionary files.
DICTIONBDIR=/var/passwdThe location of the dictionary where the generated dictionary database reside.
 
Values in /etc/default/passwd:
Password Management:

pam_unix_auth module is responsible for the password management in Solaris. To configure locking of user account after specified number of attempts following parameters are modified:
1. LOCK_AFTER_RETRIES tunable parameter in the /etc/security/policy.conf file & 
2. lock_after-retries key in the /etc/user_attr file is modified. 
Note: The LOCK_AFTER_RETRIES parameter  is used to specify the number of failed login attempts after which the user account is locked. The number of attempts are defined by RETRIES parameter in the /etc/default/login  file.

passwd command:
The passwd command is used to set the password for the user account.
syntax:
#passwd <options> <user name>

Various options used with the passwd command are described below:
-s  Shows password attributes for a particular user. When used with the -a option, attributes for all user accounts are displayed.
-d  Deletes password for name and unlocks the account. The login name is not prompted for a password.
-e   Changes the login shell, in the /etc/passwd file, for a user.
-f  Forces the user to change passwords at the next login by expiring the password.
-h  Changes the home directory, in the /etc/passwd file, for a user.
-l  Lock a user's account. Use the -d or -u option to unlock the account.
-N  Makes the password entry for <name> a value that cannot be used for login but does not lock the account. It is used to create password for non-login account(e.g accounts for running cron jobs). 
-u     Unlocks a locked account.
 
Preventing user from using previously used password:
1. Edit the /etc/default/passwd file and uncomment the line HISTORY=0
2. Set the value of HISTORY=n, where n is the number of passwords to be logged and checked.


Managing User Accounts:

Adding a user account:
#useradd -u <User ID> -g <Primary Group> -S <secondary group> -d <user home dir> -m -c <user Desc> -s <User login shell> <User Name>
The option -m forcibly creates the user home directory if it is not there.
Note: The default group id will be 1(group name is system).

useradd command options:
-c <comment> A short description of the login, typically the user's name and phone extension. This string can be up to 256 characters.
-d <directory> Specifies the home directory of the new user. This string is limited to 1,024 characters.
-g <group> Specifies the user's primary group membership.
-G <group>  Specifies the user's secondary group membership.
-n <login> Specifies the user's login name.
-s <shell> Specifies the user's login shell.
-u <uid> Specifies the user ID of the user you want to add. If you do not specify this option, the system assigns the next available unique UID greater than 100.
-m  SeCreates a new home directory if one does not already exist.
 
Default values for creating a user account:
There is a preset range of default values associated with the useradd command. These values can be displayed using -D option. The useradd command with -D option creates a file  /use/sadm/defadduser for the first time. The values in  /use/sadm/defadduser is used as default values for useradd command.
Example: Adding a new user account test.













Note: When a user account is created using useradd command it is locked and need to be unlocked & password is set using passwd command.

Modifying a user account:
Modifying a user id: # usermod -u <New User ID> <User Name>
Modifying a primary group: #usermod -g <New Primary Group> <User Name>
Modifying a secondary group: #usermod -G <New Secondary Group> <User Name>
In similar manner we can modify other user related information.

Deleting a user  account:
#userdel <user name> → user's home directory is not deleted
#userdel -r <user name> → user's home directory is deleted

Locking a User Account:
# passwd -l <user name>

Unlock a User Account:
#passwd -u <user name>

Note: uid=0 (Super user, administrator having all privileges). By default root is having uid = 0 which can be duplicated. This is the only user id which can be duplicated. 
For example:
1. #useradd -u 0 -o <user name>
2. #usermod -u 0 -o <user name>
Here option -o is used to duplicate the user id 0.

smuser command:
This command is used for remote management of user accounts.
Example: If you want to add a user raviranjan in nis domain office.com on system MainPC use smuser command as follows:
# /usr/sadm/bin/ smuser add -D nis:/MainPC/office.com -- -u 111 -n raviranjan 

The subcommands used with smuser command:
addTo add a new user account.
modifyTo modify a user account.
deleteTo delete a user account.
listTo list one or more user accounts.
 
smuser add options:
-c <comment> A short description of the login, typically the user's name and phone extension. This string can be up to 256 characters.
-d <directory> Specifies the home directory of the new user. This string is limited to 1,024 characters.
-g <group> Specifies the user's primary group membership.
-G <group>  Specifies the user's secondary group membership.
-n <login> Specifies the user's login name.
-s <shell> Specifies the user's login shell.
-u <uid> Specifies the user ID of the user you want to add. If you do not specify this option, the system assigns the next available unique UID greater than 100.
-x autohome=Y|N Sets the home directory to automount if set to Y.
 
smgroup command:
This command is used for remote management of groups.
Example: If you want to add a group admin in nis domain office.com on system MainPC use smgroup command as follows:
#/usr/sadm/bin/smgroup add -D nis:/MainPC/office.com -- -g 101 -n admin 

The subcommands used with smgroup command:
addTo add a new group.
modifyTo modify a group.
deleteTo delete a group.
listTo list one or more group.
 
Note: The use of subcommands requires authorization with the Solaris Management Console server. Solaris Management Console also need to be initialized.

Managing Groups:

There are two groups related to a user account:
1. Primary Group: The maximum and minimum number of primary group for a user is 1.
2. Secondary Group: A user can be member of maximum 15 secondary groups.

Adding a group
#groupadd <groupname>
#groupadd -g <groupid> <groupname>


The group id is updated under /etc/group.
#vi /etc/group
ss2::645

Note: Here ss2 is group name and 645 is group id.

Modifying a group
By group ID: #groupmod -g <New Group ID> <Old Group Name>
By group Name: #groupmod -n <New Group Name> <Old Group Name>

Note:
For every group we are having a group name and id(for kernel reference). By default 0-99 group ids are system defined.
The complete information about the group is stored under /etc/group file.
 
Deleting a group
# groupdel <group name>

Variables for customizing a user session:
VariableSet ByDescription

LOGNAMEloginDefines the user login name
HOMEloginused to set path of user's home directory and is the default argument of the cd command
SHELLloginContains path to the default shell
PATHloginSets the default path where the command is searched
MAILloginSets path to the mailbox of the user
TERMloginUsed to define the terminal
PWDshellDefines the current working directory
PS1shellDefines shell prompt for bourne or korn shell
promptshellContains the shell prompt for C shell

Setting login variables for the shell:
ShellUser's Initialization file
Bourne/KornVARIABLE=value;export VARIBLE
eg:#PS1="$HOSTNAME";export PS1
Csetenv variable value

Monitoring System Access:

who command :
This command displays the list of users currently logged in to the system.
It contains user's login name, device(eg. console or terminal), login date & time and the remote host IP address.

ruser command:
This command displays the list of users logged in to the local and remote host. The output is similar to the who command. 

Finger Command:
By default, the finger command displays in multi-column format the following information about each logged-in user:
user name
user's full name
terminal name(prepended with a '*' (asterisk) if write-permission is denied)
idle time
login time
host name, if logged in remotely

Syntax:
finger [ -bfhilmpqsw ] [ username...  ]
finger [-l ]  [  username@hostname1[@hostname2...@hostnamen]     ...  ]
finger [-l ] [ @hostname1[@hostname2...@hostnamen] ...  ]

Options:
-b    Suppress printing the user's home directory and  shell in a long format printout.
-f    Suppress printing the header that is normally  printed in a non-long format printout.
-h    Suppress printing of the .project file in a long  format printout.
-i    Force "idle" output format,which is similarto short format except that only the login name,terminal,login time,and idle time are printed.
-l    Force long output format.
-m    Match arguments only on user name (not first or last name).
-p    Suppress printing of the .plan file in a  long  format printout.
-q    Force quick output format, which is similar  to  short format  except  that only the login name, terminal, and login time are printed.
-s    Force short output format.
-w    Suppress printing the full  name  in  a  short  format printout.

Note: The username@hostname form supports only the -l option.


last command:
The output of this command is very long and contains information about all the users. We can user the last command in following ways:
1. To display the n lines from the o/p of last command:
#last -n 10

2. Login information specific to a user:
#last <user name>

3. last n reboot activities:
#last -10 reboot



Recording failed login attempts:
1. Create a file /var/adm/loginlog.
#touch /var/adm/loginlog
2. Root user should be the owner of this file and it should belog to group sys.
#chown root:sys /var/adm/loginlog
3. Assign read and write permission for the root user.
#chmod 600 /var/adm/loginlog

This will log all failed login attempts after five consecutive failed attempts. This can be changed by modifying the RETRIES entry in /etc/default/login. 

The loginlog file contains:
user's login name
user's login device
time of the failed attempt

su command:
The su (substitute user) command enables to change a login session's owner without the owner having to first log out of that session.

Syntax:
#su [options] [commands] [-] [username]

Examples:
#su
The operating system assumes that, in the absence of a username, the user wants to change to a root session, and thus the user is prompted for the root password as soon as the ENTER key is pressed. This produces the same result as typing:
#su root

To transfer the ownership of a session to any other user, the name of that user is typed after su and a space.
#su ravi

The user will then be prompted for the password of the account with the username ravi. 

The '-' option with su command:
1. Executes the shell initialization files of the switched user.
2. Modifies the work environment to change it to the work environment of the specified user.
3. Changes the user's home directory.

The whoami command:
This command displays the name of the currently logged in user.
Example:
#su ravi
$whoami
ravi
$

The 'who am i' command:
This displays the login name of the original user.
Example:
#whoami
root
#su ravi
$who am i
root
$

Monitoring su attempts:
You can monitor su attempts by monitoring the /var/adm/sulog file. This file logs each time the su command is used. The su logging in this file is enabled by default through the following entry in the /etc/default/su file:
SULOG=/var/adm/sulog
The sulog file lists all uses of the su command, not only the su attempts that are used to switch from user to superuser. The entries show the date and time the command was entered, whether or not the attempt was successful (+ or -), the port from which the command was issued, and finally, the name of the user and the switched identity.

The console parameter in /etc/default/su file contains the device name to which all atempts to switch user should be logged
CONSOLE=/dev/console
By default this option is commented.

Controlling system Access: 

1. /etc/default/login: CONSOLE Variable: This parameter can be used to restrict the root user login. The value /dev/console for CONSOLE variable enables the root user to login from system console only. The remote login for root is user is not possible. However, if the parameter CONSOLE is commented or not defined, the root user can login to the device from any other system on the networ.


PASSREQ: If set to YES, forces user to enter the password when they login for first time. This is applicable for the user account with no password.


2. /etc/default/passwd: 
It is centralized password aging file for all this normal users. If we update any information to this file, automatically all users will be updated.

3. /etc/nologin: 

It is the file which is responsible for restricting all the normal users not to access server. By default this file does not exists.
To restrict all normal users from login:
#touch /etc/nologin
#vi /etc/nologin
Server is under maintenance. Please try after 6:00PM.
:wq! 
 

4./etc/skel: It is the directory which contains all the users environmental files information. When we are creating the user with useradd command along with -m attributes it starts copying all the environmental files from /etc/skel to user’s home directory.

5. /etc/security/policy.conf

To lock the user after repeated failed logins#vi /etc/security/policy.conf
(go to last line)
LOCK_FAILED_LOGINS = NO (Change it to YES)


6
. /var/adm/lastlog
7. /var/adm/wtmp
8.
/etc/ntmp

Note:
The following file systems are the binary files responsible for recording last users login & log out information:
1. /var/adm/lastlog
2. /var/adm/wtmp
3. /etc/ntmp

9. /etc/ftpd/ftpuser: 
This contains the list of user not allowed to access the system using the ftp protocol.

chown command:Use the chown command to change file ownership. Only the owner of the file or superuser can change the ownership of a file. 
Syntax:
#chown -option <user name>|<user ID> <file name>

You can change ownership on groups of files or on all of the files in a directory by using metacharacters such as * and ? in place of file names or in combination with them.

You can change ownership recursively by use the chown -R option. When you use the -R option, the chown command descends through the directory and any sub directories setting the ownership ID. If a symbolic link is encountered, the ownership is changed only on the target file itself.


chgrp command:
This command is used to change the ownership of the group owner of the file or directory. 
Syntax:
#chgrp <group name>|<group ID> <file names>

setuid Permission:
When setuid (set-user identification) permission is set on an executable file, a process that runs this file is granted access based on the owner of the file (usually root), rather than the user who created the process. This permission enables a user to access files and directories that are normally available only to the owner.

The setuid permission is shown as an s in the file permissions. For example, the setuid permission on the passwd command enables a user to change passwords, assuming the permissions of the root ID are the following:

# ls -l /usr/bin/passwd
-r-sr-sr-x   3 root     sys        96796 Jul 15 21:23 /usr/bin/passwd


NOTE:  Using setuid permissions with the reserved UIDs (0-99) from a program may not set the effective UID correctly. Instead, use a shell script to avoid using the reserved UIDs with setuid permissions.

You setuid permissions by using the chmod command to assign the octal value 4 as the first number in a series of four octal values. Use the following steps to setuid permissions:

    1.  If you are not the owner of the file or directory, become superuser.
    2.  Type chmod <4nnn> <filename> and press Return.
    3.  Type ls -l <filename> and press Return to verify that the permissions of the file have changed.

The following example sets setuid permission on the myprog file:

#chmod 4555 myfile
-r-sr-xr-x   1 ravi admin 12796 Jul 15 21:23 myfile
#


setgid Permission
The setgid (set-group identification) permission is similar to setuid, except that the effective group ID for the process is changed to the group owner of the file and a user is granted access based on permissions granted to that group. The /usr/bin/mail program has setgid permissions:

# ls -l /usr/bin/mail
-r-x—s—x   1 bin      mail       64376 Jul 15 21:27 /usr/bin/mail
#

When setgid permission is applied to a directory, files subsequently created in the directory belong to the group the directory belongs to, not to the group the creating process belongs to. Any user who has write permission in the directory can create a file there; however, the file does not belong to the group of the user, but instead belongs to the group of the directory.

You can set setgid permissions by using the chmod command to assign the octal value 2 as the first number in a series of four octal values. Use the following steps to set setgid permissions:

    1.  If you are not the owner of the file or directory, become superuser.
    2.  Type chmod <2nnn> <filename> and press Return.
    3.  Type ls -l <filename> and press Return to verify that the permissions of the file have changed.

The following example sets setuid permission on the myfile:

#chmod 2551 myfile
#ls -l myfile
-r-xr-s—x   1 ravi admin 26876 Jul 15 21:23 myfile
#

Sticky Bit
The sticky bit on a directory is a permission bit that protects files within that directory. If the directory has the sticky bit set, only the owner of the file, the owner of the directory, or root can delete the file. The sticky bit prevents a user from deleting other users' files from public directories, such as uucppublic:

# ls -l /var/spool/uucppublic
drwxrwxrwt   2 uucp     uucp         512 Sep 10 18:06 uucppublic

When you set up a public directory on a TMPFS temporary file system, make sure that you set the sticky bit manually.

You can set sticky bit permissions by using the chmod command to assign the octal value 1 as the first number in a series of four octal values. Use the following steps to set the sticky bit on a directory:

    1.  If you are not the owner of the file or directory, become superuser.
    2.  Type chmod <1nnn> <filename> and press Return.
    3.  Type ls -l <filename> and press Return to verify that the permissions of the file have changed.

The following example sets the sticky bit permission on the pubdir directory:

# chmod 1777 pubdir
# ls -l pubdir
drwxrwxrwt   2 winsor    staff    512 Jul 15 21:23 pubdir

 



















No comments:

Post a Comment