Friday, June 15, 2012

Chapter 8 - User Administration

User Account Mgt

The files for user management (the second field of /etc/shadow holds the password hash and is a secret; redact it before these notes are shared) :

[root@server01 downloads]# tail /etc/passwd
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
pulse:x:497:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:496:490:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
rhill:x:500:501:Roger Hill:/home/rhill:/bin/bash

[root@server01 downloads]# tail /etc/group
stapdev:x:492:
stapusr:x:491:
webalizer:x:67:
sshd:x:74:
dovecot:x:97:
dovenull:x:490:
tcpdump:x:72:
oprofile:x:16:
slocate:x:21:
rhill:x:501:

[root@server01 downloads]# tail /etc/shadow
avahi:!!:15497::::::
pulse:!!:15497::::::
gdm:!!:15497::::::
webalizer:!!:15497::::::
sshd:!!:15497::::::
dovecot:!!:15497::::::
dovenull:!!:15497::::::
tcpdump:!!:15497::::::
oprofile:!!:15497::::::
rhill:$6$kym9CJ0RrYEiecH6$gN0jATgidcLC8YDC0TFUVaCtAFDYnmHDz7.hjeDE9d3Rg5axjWgPZRBpPm6qfKrWmGIhdx5lPekUT65KyyIuZ/:15497:0:99999:7:::

[root@server01 downloads]# tail /etc/gshadow
stapdev:!::
stapusr:!::
webalizer:!::
sshd:!::
dovecot:!::
dovenull:!::
tcpdump:!::
oprofile:!::
slocate:!::
rhill:!!::

[root@server01 downloads]# tail /etc/login.defs
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512


Command Examples :

[root@server01 downloads]# useradd bob
[root@server01 downloads]# id bob
uid=501(bob) gid=502(bob) groups=502(bob)
[root@server01 downloads]# grep bob /etc/passwd
bob:x:501:502::/home/bob:/bin/bash


[root@server01 downloads]# groupadd project1
[root@server01 downloads]#


[root@server01 downloads]# grep project1 /etc/group
project1:x:503:

[root@server01 downloads]# groupdel project1


# system-config-users

  

Administrative Control

/etc/sudoers

Ability to log in is controlled by these files :
[root@server01 downloads]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11


and login access is also controlled by :

[root@server01 downloads]# tail /etc/security/access.conf
#+ : john : 2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
#+ : john : 2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
#+ : john : 2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
#- : ALL : ALL


# system-config-users





[root@server01 downloads]# useradd -u 550 -d /home/mary1 -c "Mary Ann" mary
[root@server01 downloads]# id mary
uid=550(mary) gid=550(mary) groups=550(mary)

[root@server01 downloads]# userdel mary

[root@server01 downloads]# useradd -u 550 -d /home/jobe1234 -c "Jobe" jobe
[root@server01 downloads]# useradd fred
[root@server01 downloads]# useradd tom
[root@server01 downloads]# useradd dick
[root@server01 downloads]# useradd gina
[root@server01 downloads]# usermod -e 2012-07-15 gina
[root@server01 downloads]# groupadd project2
[root@server01 downloads]# usermod -G project2 fred
[root@server01 downloads]# usermod -G project2 tom

[root@server01 downloads]# groupmod -g 60002 project2

[root@server01 downloads]# groupmod -n project3 project2

Proper use of the su command configurations :

su - '/sbin/ifconfig -a

SU admin control steps :

  1. Add user into respective group by either vipw or usermod -aG grouptobeaddedto username (usermod -G without -a replaces the user's existing supplementary groups instead of adding to them)
  2. Use 'visudo' to access the /etc/sudoers file
  3. Add in the proper permissions, the file follows the format of :
Basic format ---
##      user    MACHINE=COMMANDS

user   host = commands_allowed_to_run
OR
%mygroup host = commands_allowed_to_run

The group "mygroup" must exist.

boris   ALL=(ALL) ALL

gives boris the ability to run any command as any user via sudo, i.e. full root privileges.

There are many examples within the default /etc/sudoers file

A command alias :

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum


A Host alias :


User and Shell Configuration

The /etc/skel directory contains the default environment files for new accounts.

.bashrc = basic bash config file; aliases and startup commands are placed here
.bash_logout = file executed when a user logs off
.bash_profile = PATH and other env variables set here
.gnome2/ = Settings for the GNOME desktop
.kde/ = settings for the KDE Desktop
.mozilla/ = options for firefox browser

The /etc/bashrc is a global file read by all bash users; it contains aliases and functions, sets the umask, defines a prompt, and includes settings from *.sh in the /etc/profile.d/ directory.

/etc/profile is also used for system wide env and startup files

The /etc/profile.d/ dir contains scripts executed by the /etc/profile file

Controlling the umask

[root@server01 ~]# cp /etc/bashrc /root/bashrc.orig
[root@server01 ~]# vi /etc/bashrc

     59     # By default, we want umask to get set. This sets it for non-login shell.
     60     # Current threshold for system reserved uid/gids is 200
     61     # You could check uidgid reservation validity in
     62     # /usr/share/doc/setup-*/uidgid file
     63     if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
     64        #umask 002
     65        umask 077
     66     else
     67        umask 022
     68     fi


Testing this, it doesn't work ???

[root@server01 ~]# su - tom
[tom@server01 ~]$ touch file1.txt
[tom@server01 ~]$ mkdir newdir2
[tom@server01 ~]$ ls -lrt
total 4
-rw-rw-r--. 1 tom tom    0 Jun 15 09:18 file1.txt
drwxrwxr-x. 2 tom tom 4096 Jun 15 09:18 newdir2


reboot the machine and retry ??? hmmm....well wait a minute ?
[tom@server01 ~]$ id
uid=552(tom) gid=552(tom) groups=552(tom),60002(project3) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[tom@server01 ~]$




Still nothing ??

[root@server01 ~]# reboot
Broadcast message from root@server01
        (/dev/pts/1) at 9:23 ...

The system is going down for reboot NOW!

[root@server01 ~]# id dick
uid=553(dick) gid=553(dick) groups=553(dick)
[root@server01 ~]# su - dick
[dick@server01 ~]$ touch file1.txt
[dick@server01 ~]$ mkdir newdir4
[dick@server01 ~]$ ls -lrt
total 4
-rw-rw-r--. 1 dick dick    0 Jun 15 09:27 file1.txt
drwxrwxr-x. 2 dick dick 4096 Jun 15 09:27 newdir4


[dick@server01 ~]$ echo $SHELL
/bin/bash

Not too sure why this doesn't work, but to remedy the problem, thinking back, we just put the desired umask into the individual user's .bash_profile ???

[dick@server01 ~]$ vi .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi


# User specific environment and startup programs
umask 077


PATH=$PATH:$HOME/bin
export PATH

[root@server01 ~]# su - dick
[dick@server01 ~]$
[dick@server01 ~]$ touch newfile1.txt
[dick@server01 ~]$ mkdir newdir777
[dick@server01 ~]$ ls -lrt
total 8
-rw-rw-r--. 1 dick dick    0 Jun 15 09:27 file1.txt
drwxrwxr-x. 2 dick dick 4096 Jun 15 09:27 newdir4
-rw-------. 1 dick dick    0 Jun 15 09:30 newfile1.txt
drwx------. 2 dick dick 4096 Jun 15 09:30 newdir777

...works now, go figure... The comment above the edited block in /etc/bashrc ("This sets it for non-login shell") is the hint: that umask block is only applied to non-login shells, while `su -` starts a login shell, which gets its umask from /etc/profile instead. If you know more about why this doesn't work in the /etc/bashrc file, send me an email

Users and Network Authentication

LDAP Stuff :

LDAP Client Configuration :

/etc/pam_ldap.conf

[root@server01 ~]# cat /etc/pam_ldap.conf
cat: /etc/pam_ldap.conf: No such file or directory


[root@server01 ~]# yum search ldap
Loaded plugins: downloadonly, product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
===================================================================== N/S Matched: ldap ======================================================================
apr-util-ldap.x86_64 : APR utility library LDAP support
bind-dyndb-ldap.x86_64 : LDAP back-end plug-in for BIND
compat-openldap.i686 : OpenLDAP compatibility shared libraries
compat-openldap.x86_64 : OpenLDAP compatibility shared libraries
krb5-server-ldap.i686 : The LDAP storage plugin for the Kerberos 5 KDC
krb5-server-ldap.x86_64 : The LDAP storage plugin for the Kerberos 5 KDC
ldapjdk.x86_64 : The Mozilla LDAP Java SDK
mod_authz_ldap.x86_64 : LDAP authorization module for the Apache HTTP Server
openldap.i686 : LDAP support libraries
openldap.x86_64 : LDAP support libraries
openldap-clients.x86_64 : LDAP client utilities
openldap-devel.i686 : LDAP development libraries and header files
openldap-devel.x86_64 : LDAP development libraries and header files
openldap-servers.x86_64 : LDAP server
pam_ldap.i686 : PAM module for LDAP
pam_ldap.x86_64 : PAM module for LDAP
perl-LDAP.noarch : LDAP Perl module
perl-Mozilla-LDAP.x86_64 : LDAP Perl module that wraps the OpenLDAP C SDK
php-ldap.x86_64 : A module for PHP applications that use LDAP
python-ldap.x86_64 : An object-oriented API to access LDAP directory servers
libldb.i686 : A schema-less, ldap like, API and database
libldb.x86_64 : A schema-less, ldap like, API and database
migrationtools.noarch : Migration scripts for LDAP
nss-pam-ldapd.i686 : An nsswitch module which uses directory servers
nss-pam-ldapd.x86_64 : An nsswitch module which uses directory servers

  Name and summary matches only, use "search all" for everything.

[root@server01 ~]# yum install openldap openldap-clients -y

... File was still missing ...


[root@server01 ~]# yum search pam
Loaded plugins: downloadonly, product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
====================================================================== N/S Matched: pam ======================================================================
PyPAM.x86_64 : PAM bindings for Python
fprintd-pam.i686 : PAM module for fingerprint authentication
fprintd-pam.x86_64 : PAM module for fingerprint authentication
gnome-keyring-pam.i686 : Pam module for unlocking keyrings
gnome-keyring-pam.x86_64 : Pam module for unlocking keyrings
pam-devel.i686 : Files needed for developing PAM-aware applications and modules for PAM
pam-devel.x86_64 : Files needed for developing PAM-aware applications and modules for PAM
pam_ldap.i686 : PAM module for LDAP
pam_ldap.x86_64 : PAM module for LDAP
pam_pkcs11.i686 : PKCS #11/NSS PAM login module
pam_pkcs11.x86_64 : PKCS #11/NSS PAM login module
spamassassin.x86_64 : Spam filter for email which can be invoked from mail delivery agents
nss-pam-ldapd.i686 : An nsswitch module which uses directory servers
nss-pam-ldapd.x86_64 : An nsswitch module which uses directory servers
pam.i686 : An extensible library which provides authentication for applications
pam.x86_64 : An extensible library which provides authentication for applications
pam_krb5.i686 : A Pluggable Authentication Module for Kerberos 5
pam_krb5.x86_64 : A Pluggable Authentication Module for Kerberos 5
pam_passwdqc.i686 : Pluggable password quality-control module
pam_passwdqc.x86_64 : Pluggable password quality-control module
passwd.x86_64 : An utility for setting or changing passwords using PAM
sssd-client.i686 : SSSD Client libraries for NSS and PAM
sssd-client.x86_64 : SSSD Client libraries for NSS and PAM
  Name and summary matches only, use "search all" for everything.
[root@server01 ~]#
[root@server01 ~]#
[root@server01 ~]# yum install pam_ldap -y

That's better :

[root@server01 ~]# cat /etc/pam_ldap.conf | egrep -v "#|^$"
host 127.0.0.1
base dc=example,dc=com

Two more directives are important here :

[root@server01 ~]# grep -A2 -B2 "ssl start_tls" /etc/pam_ldap.conf
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

[root@server01 ~]# grep -A2 -B2 "pam_password" /etc/pam_ldap.conf | head
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

The ldap.conf file is also needed :

[root@server01 ~]# find /etc -name ldap.conf
/etc/openldap/ldap.conf
[root@server01 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com/ ldap://ldap-master.example.com:666/
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

The Name Service Switch File:

determines which sources are consulted, and in what order, for lookups such as users, groups and hosts

/etc/nsswitch.conf

[root@server01 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus


GUI Stuff for Network Authentication Tools :

# system-config-authentication



# authconfig-tui






Special Groups :

Setting the SGID bit on a directory means every file created in or copied into it will take on the same group ownership as the directory :

[root@server01 ~]# groupadd -g 70000 accounting
[root@server01 ~]# usermod -G accounting bob
[root@server01 ~]# usermod -G accounting dick
[root@server01 ~]# usermod -G accounting gina

[root@server01 ~]# usermod -G accounting fred


[root@server01 ~]# mkdir /home/accshared


[root@server01 ~]# chown nobody.accounting /home/accshared
[root@server01 ~]# chmod 2770 /home/accshared
[root@server01 ~]# ls -l /home/accshared
total 0
[root@server01 ~]# ls -ld /home/accshared
drwxrws---. 2 nobody accounting 4096 Jun 15 10:14 /home/accshared













[dick@server01 ~]$ touch /home/accshared/dicksfile1.txt
[dick@server01 ~]$ cp *.txt /home/accshared
[dick@server01 ~]$ ls -lrt /home/accshared
total 0
-rw-------. 1 dick accounting 0 Jun 15 10:20 dicksfile1.txt
-rw-------. 1 dick accounting 0 Jun 15 10:22 newfile1.txt
-rw-------. 1 dick accounting 0 Jun 15 10:22 file1.txt

... except ... not with the 'cp -p' option, which preserves the source file's original group ....

[dick@server01 ~]$ touch newfile1000.txt
[dick@server01 ~]$ ls -ltr newfile1000.txt
-rw-------. 1 dick dick 0 Jun 15 10:23 newfile1000.txt

[dick@server01 ~]$ cp -p newfile1000.txt /home/accshared/
[dick@server01 ~]$ ls -l /home/accshared/newfile1000.txt
-rw-------. 1 dick dick 0 Jun 15 10:23 /home/accshared/newfile1000.txt




The commands 'exit' , 'logout' and CTRL+D all do the same thing, log the user account off the system.
