User Admin

User, Group, Quota, PAM and File Security

To add, modify and remove users, use the useradd, usermod and userdel commands.
userdel -r deletes the home directory and mail spool as well.

We can also add/delete/modify users by manually editing the /etc/passwd, /etc/shadow and /etc/group files; vipw and vigr open these files under a lock, so a useradd running at the same time cannot clobber the edit.

When a user is created, the default dot files (.profile/.bash_profile etc.) are copied from the /etc/skel directory.

groupadd, groupmod and groupdel commands are used to create/modify/delete groups.

Password aging policies:

chage: used to change the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change her password.

Usage: chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user

chage -l can also be used to find out the date of the last password change, the password expiration date, the number of days between password changes, etc.

  # chage -l root
  Last password change                                    : Aug 18, 2005
  Password expires                                        : never
  Password inactive                                       : never
  Account expires                                         : never
  Minimum number of days between password change          : 0
  Maximum number of days between password change          : 99999
  Number of days of warning before password expires       : 7
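The chage -l output above is one account at a time. As an added example (not part of the original notes), the script below audits password aging across a whole shadow file by reading the same fields chage reads (/etc/shadow columns: name, hash, last change in days since 1970-01-01, min, max, warn, inactive, expire), then shows the chage call that enforces a policy. The sample shadow lines and the policy numbers (1/90/14/30 days) are constructed for the example; it assumes a POSIX awk and date.

```bash
#!/bin/bash
# Added example: audit password aging across an /etc/shadow-style file
# and enforce a policy with chage. Not from the original notes.
# Shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# (lastchange and today are counted in days since 1970-01-01).

# Report accounts that can still log in with a password and have either
# no password at all, no maximum age (empty or 99999), or an expired one.
# $1 = shadow file, $2 = "today" in days since epoch (defaults to now).
shadow_audit() {
    local shadow="$1"
    local today="${2:-$(( $(date +%s) / 86400 ))}"
    awk -F: -v today="$today" '
    {
        name = $1; hash = $2; last = $3; max = $5
        # "*" or a leading "!" marks a locked account: no password login possible
        if (hash == "*" || hash ~ /^!/) next
        if (hash == "") print name ": empty password"
        if (max == "" || max + 0 >= 99999) {
            print name ": no maximum password age"
        } else if (last != "" && last + max < today) {
            print name ": password expired"
        }
    }' "$shadow"
}

# Apply an aging policy (run as root): at least 1 day between changes, at most
# 90 days, 14 days of warning, lock the account 30 days after expiry.
# The numbers are assumptions for the example, not values from the notes.
enforce_aging() {
    chage -m 1 -M 90 -W 14 -I 30 "$1"
}

# Constructed sample shadow file; the hashes are placeholders, not real ones.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$placeholder:13013:0:99999:7:::
alice:$6$placeholder:19000:0:90:7:::
bob::19500:0:90:7:::
svc:!!:19500:0:99999:7:::
EOF
}

tmp=$(mktemp)
write_sample_shadow "$tmp"
shadow_audit "$tmp" 19700     # day 19700 is 2023-12-09
rm -f "$tmp"
```

Run against the real file as root with shadow_audit /etc/shadow. Note that bob's empty hash is exactly what the nullok argument to pam_unix (see the PAM section) lets through, which is why the audit reports it before anything else.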

The setgid access mode:
When a file is created in a directory, it belongs to the primary group of the user that created it. However, if the setgid bit is set on the directory, new files created in it have their group ownership set to the directory's group, so a directory shared by a project group keeps every new file group-accessible regardless of who created it.

To set the setgid bit on a directory (chgrp it to the shared group first; setgid alone does not change the existing group):

 chmod g+s <directory>
 chmod 2770 <directory>
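The two chmod lines above set the bit; what a practitioner also wants is a way to verify it and to catch files whose group does not match, because files created elsewhere and moved in with mv keep their old group. The following is an added example, not from the original notes; it assumes GNU coreutils (stat -c, find -mindepth) and runs in a scratch directory with the caller's own primary group so it works without root.

```bash
#!/bin/bash
# Added example (not from the original notes): create a group-shared directory
# with the setgid bit and check that nothing inside has drifted to another group.

# Create <dir>, hand it to <group>, and set mode 2770 so that new files inherit
# the group (chgrp first: setgid alone does not change the existing group).
make_shared_dir() {
    local dir="$1" group="$2"
    mkdir -p "$dir" && chgrp "$group" "$dir" && chmod 2770 "$dir"
}

# Print "setgid" or "no-setgid"; test -g checks the set-group-ID bit.
shared_dir_status() {
    if [ -g "$1" ]; then echo setgid; else echo no-setgid; fi
}

# List entries whose group differs from the directory's own group. Files that
# were created elsewhere and moved in with mv keep their old group, so this
# drift check is worth running from cron on shared trees.
shared_dir_drift() {
    local dir="$1" group
    group=$(stat -c %G "$dir")
    find "$dir" -mindepth 1 ! -group "$group" -print
}

# Demo in a scratch directory, using the caller's own primary group so it
# also works without root.
d=$(mktemp -d)/project
make_shared_dir "$d" "$(id -gn)"
shared_dir_status "$d"      # setgid
touch "$d/report.txt"
shared_dir_drift "$d"       # prints nothing: report.txt inherited the group
rm -rf "${d%/project}"
```

The setgid bit only controls the group of new files; their mode still comes from the creator's umask, so a shared tree usually also needs a group-writable umask (e.g. 002) in the users' shell startup files.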

User Environment:

  • /etc/skel # default template for a newly added user’s home directory
  • /etc/profile # First script executed when a user logs in to the system
  • ~/.bash_profile # executed after /etc/profile
  • ~/.bashrc # Called by ~/.bash_profile. Contains the user's aliases and settings. It runs whenever the user starts a non-login interactive shell, and the default ~/.bash_profile also sources it on login.
  • /etc/bashrc # Usually sourced by ~/.bashrc. Contains global aliases and settings; it lets the system administrator set aliases for every user, like c for clear and h for history.
  • /etc/profile.d # Contains initialization scripts specific to software packages installed by RPM. These scripts are sourced by /etc/profile on login, or by /etc/bashrc for a non-login interactive shell.

PAM: Pluggable Authentication Modules

Red Hat Linux uses PAM to check for authorized users. PAM is a set of dynamically loadable library modules that govern how individual applications verify their users. You can modify the PAM configuration files to suit your needs. The PAM modules are documented in the /usr/share/doc/pam-0.XX directory.

Applications call libpam.so for authentication. An application <service> linked against libpam.so looks up /etc/pam.d/<service> for its configuration. If that file does not exist in /etc/pam.d, PAM falls back to /etc/pam.d/other, which on Red Hat consists of pam_deny.so entries, so a service whose config file is missing or misnamed fails closed. Based on the configuration file, additional libraries are called to determine the overall success or failure of the service access.

Each line of the config file has the following syntax:

module-type control-flag module-path arguments

Example:

auth required pam_unix.so nullok

01. The first field indicates the type (management group) of the library module: auth, account, password or session.

  • Authentication management (auth): establishes the identity of a user, for example by prompting for a username and password and checking them against /etc/shadow; auth modules may also grant credentials such as group memberships.
  • Account management (account): allows or denies access according to account policies that are independent of how the user authenticated, for example time of day, password or account expiration, or a list of restricted users.
  • Password management (password): handles changes of the authentication token, for example enforcing password strength rules and updating the stored hash when the user runs passwd.
  • Session management (session): performs setup and teardown around a session, for example logging the login, mounting the home directory or applying resource limits.

02. The second field determines the effect an individual library's result has on the overall result.

  • required -- success is required; on failure the remaining modules are still run (so the user cannot tell which module rejected them), but the stack fails.
  • requisite -- like required, but failure immediately terminates the stack.
  • sufficient -- success ends the stack with success, unless an earlier required module has already failed; failure is ignored.
  • optional -- result is ignored unless it is the only module in the stack for that type.
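The four flags interact in ways that are easy to get wrong by reading the list alone, in particular that a sufficient success does not rescue a stack in which a required module already failed, and that a stack ending in a sufficient module with nothing after it passes when the sufficient module fails, because the earlier required modules (pam_env) already produced a success. The simulator below is an added example, not part of Linux-PAM or of the original notes: it applies the documented rules to a pam.d-style file and a list of assumed module outcomes and prints pass or fail. The sample stack is constructed from the login and system-auth examples on this page; the rule that a stack which produced no result at all is denied mirrors Linux-PAM behaviour, and the optional flag is simplified (Linux-PAM only counts it when it is the lone module).

```bash
#!/bin/bash
# Added example: a small simulator of the PAM control flags described above.
# It is not part of Linux-PAM; it models the documented rules so that a stack
# from /etc/pam.d can be reasoned about before it is deployed.
#
# Config lines: type control module-path [arguments]   (as in /etc/pam.d/*)
# Outcomes:     "pam_env.so=success pam_unix.so=fail ..."; an unlisted module fails.
# Prints "pass" or "fail" for the requested type (auth, account, password, session).

pam_eval() {
    local cfg="$1" type="$2" outcomes="$3"
    local t c m rest res state=undef
    while read -r t c m rest; do
        case "$t" in ''|'#'*) continue ;; esac
        [ "$t" = "$type" ] || continue
        m=${m##*/}                       # /lib/security/$ISA/pam_unix.so -> pam_unix.so
        res=fail
        case " $outcomes " in *" $m=success "*) res=success ;; esac
        case "$c" in
            required)                    # failure is remembered, later modules still run
                if [ "$res" = fail ]; then state=fail
                elif [ "$state" = undef ]; then state=pass; fi ;;
            requisite)                   # failure stops the stack at once
                if [ "$res" = fail ]; then state=fail; break
                elif [ "$state" = undef ]; then state=pass; fi ;;
            sufficient)                  # success ends the stack, unless a required module already failed
                if [ "$res" = success ] && [ "$state" != fail ]; then state=pass; break; fi ;;
            optional) ;;                 # simplification: never decides the result on its own
            *) echo "unknown control flag: $c" >&2; state=fail; break ;;
        esac
    done < "$cfg"
    if [ "$state" = undef ]; then state=fail; fi   # a stack that produced no result is denied
    echo "$state"
}

# Constructed stack: the login and system-auth examples on this page flattened into one file.
write_sample_pam() {
    cat > "$1" <<'EOF'
auth       required      pam_securetty.so
auth       required      /lib/security/$ISA/pam_env.so
auth       sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth       required      /lib/security/$ISA/pam_deny.so
account    required      /lib/security/$ISA/pam_unix.so
EOF
}

cfg=$(mktemp); write_sample_pam "$cfg"
pam_eval "$cfg" auth "pam_securetty.so=success pam_env.so=success pam_unix.so=success"   # pass
pam_eval "$cfg" auth "pam_securetty.so=success pam_env.so=success"                       # fail: pam_unix failed, pam_deny decides
pam_eval "$cfg" auth "pam_securetty.so=fail pam_env.so=success pam_unix.so=success"      # fail: required failure wins over sufficient success
grep -v pam_deny "$cfg" > "$cfg.nodeny"
pam_eval "$cfg.nodeny" auth "pam_securetty.so=success pam_env.so=success"                # pass: without pam_deny a bad password gets in
rm -f "$cfg" "$cfg.nodeny"
```

The last call is the reason system-auth ends with a required pam_deny.so: pam_env has already succeeded, the failed sufficient pam_unix is ignored, and without a final deny the stack returns success. Bracketed control values ([success=ok ...]) are not modelled and are reported as unknown.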

Normally, each application that uses PAM has its own configuration file. Red Hat uses /usr/lib/security/pam_stack.so together with /etc/pam.d/system-auth to configure the global or default tests: pam_stack.so calls another PAM service much like a function. (Later Linux-PAM releases replace pam_stack with the include control, e.g. auth include system-auth.)

Example:

/etc/pam.d/login:

 auth       required     pam_securetty.so
 auth       required     pam_stack.so service=system-auth
 auth       required     pam_nologin.so

/etc/pam.d/system-auth:

 auth       required      /lib/security/$ISA/pam_env.so
 auth       sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
 auth       required      /lib/security/$ISA/pam_deny.so

In the above example, the login service calls system-auth through pam_stack.so, which runs the auth stack of that second service in place of the pam_stack line. The value of the $ISA variable is usually empty.

 Core PAM Modules
 pam_unix:		Standard Authentication
 pam_env:		Sets Environment Variable
 pam_securetty: 	limit root login to secure terminals
 pam_stack:		calls another PAM service
 pam_nologin:		tests for /etc/nologin
 pam_console:		privileges for users at the console

NIS Client Configuration

An NIS client requires the ypbind and portmap daemons.
The NIS binding can be defined manually by:

  • Defining NISDOMAIN in /etc/sysconfig/network
  • Specifying the NIS domain and server in /etc/yp.conf (domain <nisdomain> server <host>)
  • Updating glibc's name-service switch file, /etc/nsswitch.conf (e.g. passwd: files nis), so that user lookups made by pam_unix and other programs consult NIS; PAM itself does not read this file

Alternatively, the system can be configured as an NIS client with the /usr/sbin/authconfig utility.

Linux Quota System:

The quota system enables the administrator to limit disk usage per user (and per group). Because resource accounting must occur on every file creation, quotas are implemented within the kernel. They are enabled on a per-filesystem basis.

For a partition to implement quotas, it must be mounted with the usrquota and/or grpquota options. These options are added to the appropriate entries in /etc/fstab; after editing, they take effect immediately by remounting the filesystem.

To implement quota for /home file system.

01. Modify the /etc/fstab for /home file systems as follows

Device         Mount point  Filesys  Options                          dump  Fsck 
LABEL=/        /            ext3     defaults                           1   1 
LABEL=/boot    /boot        ext3     defaults                           1   2 
/dev/hdd1      /home        ext3     exec,dev,suid,rw,usrquota,grpquota 1   2 

02. Remount the /home filesystem so the new options take effect

 mount -o remount /home

Starting and stopping quotas:
Quotas are turned on or off with the quotaon and quotaoff commands. These commands rarely need to be run by hand, because the default Red Hat Linux script /etc/rc.d/rc.sysinit runs them at boot.

  quotaon /home     # turn on quotas for the /home filesystem
     (or)
  quotaon -a        # turn on quotas for every filesystem marked with quota options in /etc/fstab

Editing user policies:
User policies are set with the edquota command. It invokes an editor and loads a template, which can then be edited to establish the appropriate soft and hard limits. The values are committed to the quota database upon exiting the editor.

To implement a quota policy for a user
edquota <user name>

To define the grace period for the quota (how long usage may stay above the soft limit)
edquota -t

Generating quota reports: users can inspect their own disk usage and quotas with the /usr/bin/quota command. An administrator can generate a report of disk usage by all users with /usr/sbin/repquota. Users over their quota can be warned by running /usr/sbin/warnquota from a cron job.

Create and update the quota database: the disk usage database is stored in specially named binary files in the partition's top-level directory, aquota.user and aquota.group. If the database is corrupted or out of sync with the actual state of the partition, it can be brought up to date by running quotacheck, which with -c also creates the files when they do not exist yet (the older practice of touching them by hand is not needed).

quotacheck -cugm /home # -c don't read existing quota files, perform a fresh scan and save it; -u/-g scan user and group usage; -m don't remount the filesystem read-only for the scan
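Steps 01 and 02 above, plus quotacheck and quotaon, are the whole procedure; the part that silently goes wrong in practice is an fstab edit that was never followed by a remount, in which case quotaon fails and nothing is enforced. The script below is an added example, not from the original notes: quota_mount_check compares the quota options requested in an fstab file with what a /proc/mounts-style file shows as actually mounted, and the root-only helpers finish the setup using the quota-tools commands (quotacheck, quotaon, setquota; setquota is the non-interactive counterpart of edquota). The fstab and mounts contents are constructed for the example; the fstab mirrors the table above.

```bash
#!/bin/bash
# Added example (not from the original notes): check that every filesystem that
# asks for quotas in /etc/fstab is actually mounted with them, and the root-only
# commands that finish the setup. Assumes the Linux quota-tools commands
# (quotacheck, quotaon, setquota) and a /proc/mounts-style mount table.

# Compare the quota options in an fstab file against a /proc/mounts-style file.
# One line per quota-enabled entry: <mountpoint> fstab=<opts> mounted=<opts> ok|remount
quota_mount_check() {
    local fstab="$1" mounts="$2"
    awk -v mounts="$mounts" '
    function quota_opts(opts,    n, a, i, out) {
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++)
            if (a[i] == "usrquota" || a[i] == "grpquota")
                out = (out ? out "," : "") a[i]
        return out ? out : "none"
    }
    BEGIN {                                  # live mount options, keyed by mount point
        while ((getline line < mounts) > 0) { split(line, f, " "); live[f[2]] = f[4] }
    }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    {
        want = quota_opts($4)
        if (want == "none") next
        have = quota_opts(live[$2])
        print $2, "fstab=" want, "mounted=" have, (want == have ? "ok" : "remount")
    }' "$fstab"
}

# Root-only: remount with the new options, build aquota.user/aquota.group, switch on.
enable_quota() {
    mount -o remount "$1"
    quotacheck -cugm "$1"     # -c create the files, -u/-g both databases, -m no read-only remount
    quotaon "$1"
}

# Non-interactive alternative to edquota: block limits in 1k blocks, inode limits 0 = unlimited.
# setquota -u <user> <block-soft> <block-hard> <inode-soft> <inode-hard> <filesystem>
set_user_quota() {
    setquota -u "$1" "$2" "$3" 0 0 "$4"
}

# Constructed sample files (the fstab mirrors the table in the notes).
write_sample_fstab() {
    cat > "$1" <<'EOF'
# device        mount   fs    options                            dump fsck
LABEL=/         /       ext3  defaults                           1 1
LABEL=/boot     /boot   ext3  defaults                           1 2
/dev/hdd1       /home   ext3  exec,dev,suid,rw,usrquota,grpquota 1 2
EOF
}
write_sample_mounts() {        # $2 = before|after the remount
    local opts=rw
    if [ "$2" = after ]; then opts=rw,usrquota,grpquota; fi
    printf '%s\n' "/dev/hda2 / ext3 rw 0 0" "/dev/hda1 /boot ext3 rw 0 0" \
                  "/dev/hdd1 /home ext3 $opts 0 0" > "$1"
}

f=$(mktemp); m=$(mktemp)
write_sample_fstab "$f"
write_sample_mounts "$m" before; quota_mount_check "$f" "$m"   # /home fstab=usrquota,grpquota mounted=none remount
write_sample_mounts "$m" after;  quota_mount_check "$f" "$m"   # /home fstab=usrquota,grpquota mounted=usrquota,grpquota ok
rm -f "$f" "$m"
```

On a live system run quota_mount_check /etc/fstab /proc/mounts; any line ending in "remount" needs mount -o remount <mountpoint> (or enable_quota <mountpoint> as root) before quotaon will succeed. set_user_quota alice 500000 600000 /home gives alice a 500 MB soft and 600 MB hard limit without opening an editor.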

Using OpenLDAP for User Authentication

http://linsec.ca/usermgmt/openldap.php