After completing the work in this module you will be able to use su and sudo to gain root privileges.
Every file on a Linux system has an owner and belongs to a group. Every user on the system with the exception of the superuser has a limited set of permissions. The proper configuration of these permissions helps to secure the Linux operating system.
A user account provides security boundaries between different people and programs that can run commands. User accounts are fundamental to system security. Every process on the system runs as a particular user. Every file has a particular user as its owner and belongs to a group.
Red Hat Enterprise Linux uses specific UID numbers and ranges of numbers for specific purposes.
/etc/passwd File
The /etc/passwd file lists accounts on the system, one account per line with the seven fields separated by colons.
[student@servera ~]$ grep student /etc/passwd
student:x:1000:1000:Joe Student:/home/student:/bin/bash
student:x:1000:1000:Joe Student:/home/student:/bin/bash
The first field in the /etc/passwd file is the name of the account.
The second field previously held the user's encrypted password, which is now stored in the restricted /etc/shadow file.
The third field holds the User ID (UID) number. This is the number the computer uses to refer to the user account.
The fourth field, following the UID, is the Group ID (GID). On most Linux distributions each user has a unique private group.
The fifth field is the comment or GECOS field and contains the user's actual name, phone number, room number, etc.
The sixth field is the user's home directory, the working directory when the user first logs into the system.
The seventh and last field is the user's default shell. System accounts use the /sbin/nologin shell. This prevents remote logins to the mail server account, for example, which would raise a red flag with any Linux administrator.
Members of a group share the same file permissions. Group accounts are listed in the /etc/group file.
/etc/group File
Group information is kept in the /etc/group file using the same format as the /etc/passwd file, with one account per line and fields separated by a colon. Here student belongs to two groups, the private student group and the wheel group.
wheel:x:10:student
The first field of the group file is the name of the group.
The second field was used to store the encrypted group password, if used. Now that information is kept in a restricted shadow file.
The third field contains the GID number.
The last field is a list of the users who are members of the group, separated by commas when there is more than one member (for example wheel:x:10:student,megan).
Each user belongs to a primary group which is unique to that user and each user can belong to supplementary groups as well. In this screenshot user student belongs to the private primary group student and the supplementary group wheel.
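To show how the two files fit together, here is an added example (not from the course) that parses constructed /etc/passwd and /etc/group content, resolves each user's primary and supplementary groups the way the text describes for student, and flags any account besides root that carries UID 0. The sample data and function names are my own.

```python
# Added example: resolve primary and supplementary groups from passwd/group
# content, and flag extra UID 0 accounts, since UID 0 is what grants
# superuser rights regardless of the account name.
from typing import Dict, List, Tuple

# Constructed sample data in the seven-field passwd / four-field group format.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
student:x:1000:1000:Joe Student:/home/student:/bin/bash
megan:x:1001:1001:Megan:/home/megan:/bin/bash
"""
GROUP = """\
root:x:0:
mail:x:12:
wheel:x:10:student
student:x:1000:
megan:x:1001:
consultants:x:2000:megan,student
"""

def parse_passwd(text: str) -> Dict[str, dict]:
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users

def parse_group(text: str) -> Dict[str, dict]:
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups

def groups_of(user: str, users: dict, groups: dict) -> Tuple[str, List[str]]:
    """Primary group comes from the passwd GID; supplementary from member lists."""
    gid = users[user]["gid"]
    primary = next(g for g, info in groups.items() if info["gid"] == gid)
    supplementary = sorted(g for g, info in groups.items()
                           if user in info["members"] and g != primary)
    return primary, supplementary

def uid0_accounts(users: dict) -> List[str]:
    """Names other than root that also have UID 0: each is a full superuser."""
    return sorted(n for n, info in users.items() if info["uid"] == 0 and n != "root")
```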
The superuser or root account is all powerful and should be reserved for system administration tasks. When logged in as root, the entire desktop environment unnecessarily runs with administrative privileges. A security vulnerability that might normally compromise only a normal user's account could potentially compromise the entire system. An ordinary, unprivileged user has limited permissions on the system and as such cannot accidentally edit or delete system files.
su
[student@servera ~]$ su -l megan
Password:
[megan@servera ~]$ pwd
/home/megan
Here student uses the su command to become megan. Student must first know Megan's password. The -l option ensures that the shell environment changes to Megan's. If no user name is given then the root account is assumed and the root password must be given.
[student@servera ~]$ sudo grep wheel /etc/sudoers
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
Users in the sudoers file have elevated privileges and can run some or all commands as root. On a Red Hat system users in the wheel group have full superuser privileges. Lines in the sudoers file starting with a hash tag are commented out.
sudo Command
[megan@servera ~]$ sudo cd /etc/ssh/
[sudo] password for megan:
megan is not in the sudoers file. This incident will be reported.
[megan@servera ~]$
Users in the sudoers file can use sudo to run commands with elevated privileges. Here Megan's attempt to use sudo fails because she is not in the sudoers file. The incident is logged in /var/log/secure.
This cartoon is from the xkcd website
[student@servera ~]$ sudo -i
[sudo] password for student:
[root@servera ~]#
The -i option to the sudo command opens a root shell.
The /etc/sudoers file is the main configuration file for the sudo command. The visudo command should be used to edit the /etc/sudoers file or any file in the /etc/sudoers.d/ directory. visudo checks for syntax errors in the file before exiting. Errors in the /etc/sudoers file might prevent the root user from running commands.
wheel Group
%wheel ALL=(ALL:ALL) ALL
The %wheel string is the group that the rule applies to. Here it applies to all members of the wheel group.
The first ALL, before the equals sign, applies to all hosts.
The ALL before the colon in parentheses means that users in the wheel group can run commands as any user.
The ALL after the colon in parentheses means that users in the wheel group can run commands as any group.
The final ALL means that users in the wheel group can run any command.
/etc/sudoers.d Directory
Practice switching to the root account and running commands as root.
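The %wheel rule above is read field by field; this added example (my own code, not part of the course or of sudo) parses such user specification lines into the group or user they apply to, the host, the run-as user and group, any tags such as NOPASSWD, and the command list, skipping comments so that a commented-out rule is correctly reported as inactive. The sample sudoers text is constructed.

```python
# Added example: parse sudoers user specifications of the form
#   who host=(runas_user:runas_group) [TAG:] command, command
import re
from typing import List, Optional

RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

# Constructed sample resembling the wheel section of a Red Hat sudoers file.
SUDOERS = """\
## Allows people in group wheel to run all commands
%wheel ALL=(ALL:ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
megan ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
"""

def parse_rule(line: str) -> Optional[dict]:
    """Parse one user specification; None for comments and non-rule lines."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE.match(line)
    if not m:
        return None
    runas = m.group("runas")
    runas_user, runas_group = "root", None   # sudo's default when no (...) given
    if runas is not None:
        runas_user, _, runas_group = runas.partition(":")
        runas_group = runas_group or None    # "(ALL)" lists no run-as group
    rest, tags = m.group("rest"), []
    while (t := TAG.match(rest)):             # peel off leading tags
        tags.append(t.group("tag"))
        rest = rest[t.end():]
    return {"who": m.group("who"), "host": m.group("host"),
            "runas_user": runas_user, "runas_group": runas_group,
            "tags": tags, "commands": [c.strip() for c in rest.split(",")]}

def active_rules(text: str) -> List[dict]:
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]

def passwordless_rules(text: str) -> List[dict]:
    """Rules a reviewer should look at first: no password is required."""
    return [r for r in active_rules(text) if "NOPASSWD" in r["tags"]]
```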
Create, modify, and delete local user accounts.
[root@servera ~]# useradd megan
[root@servera ~]# passwd megan
Adding a user in Red Hat Enterprise Linux takes two steps. First the account must be created then a password assigned to the account. Until a password is assigned the account is locked.
[root@servera ~]# usermod -G wheel megan
In this example, user megan is added to the wheel group which gives her sudo privileges.
[root@servera ~]# userdel -r megan
The userdel command removes a user from the system. The optional -r removes that user's home directory and mail spool.
This cartoon is from the xkcd website
[root@servera ~]# passwd megan
Changing password for user megan.
New password: redhat
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: redhat
passwd: all authentication tokens updated successfully.
[root@host ~]#
The passwd command warns that the password given does not meet the password policy set. Root, however, can override the policy but regular users cannot. Remember on the command line no characters display when you type the password.
Create several users on your system and set passwords for those users.
[root@servera ~]# groupadd consultants
The groupadd command adds a new group to the system.
[root@servera ~]# groupmod -n consultants consoltants
Here the groupmod command is used to correct a misspelling: -n takes the new name first, followed by the existing (misspelled) group name.
[root@servera ~]# groupdel consultants
Before deleting a group use the find command to locate all files owned by the group. You cannot remove the primary group of a user.
[root@servera ~]# usermod -g users megan
This command changes Megan's primary group (lowercase -g sets the primary group; uppercase -G sets the list of supplementary groups). A user can belong to only one primary group at a time.
[root@servera ~]# usermod -aG consultants megan
Here Megan is added to the consultants group. The -a (append) option ensures that Megan is not removed from the other supplementary groups she belongs to.
[megan@servera ~]$ newgrp consultants
A user's primary group can be temporarily changed to a supplementary group so that new files created belong to the supplementary group.
Set a password management policy for users, and manually lock and unlock user accounts.
[root@servera ~]# grep student /etc/shadow
student:$6$CSsXsd3rwghsdfarf:17933:0:99999:7:2:18113:
Originally, encrypted passwords were stored in the world-readable /etc/passwd file. This was considered adequate until dictionary attacks on encrypted passwords became common. The /etc/shadow file contains encrypted passwords and password expiry information. Similar to the passwd file, each row represents a single account and fields are separated by a colon. The /etc/shadow file requires root privileges to read.
/etc/shadow file
student:$6$CSsXsd3rwghsdfarf:17933:0:99999:7:2:18113:
Like the /etc/passwd file, the first field contains the account name.
The second field contains the encrypted password; the $6 indicates that the password is encrypted using the SHA512 hashing algorithm.
The third field shows the number of days since January 1, 1970 that the password was last changed.
The fourth field is the minimum number of days before the password can be changed.
The fifth field is the maximum number of days before the password must be changed. Five 9s means that the password doesn't need to be changed.
The sixth field is the number of days of warning before the password must be changed.
The seventh field is the number of days without activity, starting with the day that the password expired, before the account is automatically locked.
The eighth field is the day when the account expires, in days since the epoch. An empty field means that the account never expires.
The ninth and last field is typically empty and is reserved for future use.
$6$CSsXcYG1L4ZfHr$2W6evvJahUfzfHpc9X.45Jc6H30E
The encrypted password field has three parts separated by $ signs. The first part, 6, identifies the hashing algorithm: SHA512 is used for this password. The second part, CSsXcYG1L4ZfHr, is the salt in use to cryptographically hash the password. The third part, 2W6evvJahUfzfHpc9X.45Jc6H30E, is the cryptographic hash of the user's password, produced by combining the salt and the plain text password and then cryptographically hashing the result.
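As an added example covering both the nine shadow fields and the $id$salt$hash layout of the password field (my own code, not from the course), the function below parses a constructed shadow entry, turns the day counts into calendar dates, and classifies the password as valid, expired or inactive from the max-age and inactivity fields exactly as the text describes. The hash in the sample is a placeholder, not a real password hash.

```python
# Added example: parse an /etc/shadow entry and evaluate its password aging.
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)
HASH_IDS = {"1": "MD5", "5": "SHA256", "6": "SHA512", "y": "yescrypt"}

# Constructed sample entry; the password hash is a placeholder, not a real one.
SHADOW_LINE = ("student:$6$CSsXcYG1L4ZfHr$2W6evvJahUfzfHpc9X.45Jc6H30E"
               ":17933:0:99999:7:2:18113:")

def days_to_date(field: str) -> Optional[date]:
    """Aging fields are days since 1970-01-01; an empty field means unset."""
    return EPOCH + timedelta(days=int(field)) if field else None

def int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None

def parse_shadow(line: str) -> dict:
    """Split the nine colon-separated fields and decode the password field."""
    name, pw, last, mn, mx, warn, inactive, expire, _reserved = line.split(":")
    entry = {"name": name, "last_change": days_to_date(last),
             "min_days": int_or_none(mn), "max_days": int_or_none(mx),
             "warn_days": int_or_none(warn),
             "inactive_days": int_or_none(inactive),
             "account_expires": days_to_date(expire),
             # "!" or "*" at the start means no password login is possible
             "locked": pw.startswith(("!", "*"))}
    parts = pw.lstrip("!").split("$")        # "$id$salt$hash" -> 4 parts
    if len(parts) == 4 and parts[0] == "":
        entry["algorithm"] = HASH_IDS.get(parts[1], "id " + parts[1])
        entry["salt"], entry["hash"] = parts[2], parts[3]
    return entry

def password_status(entry: dict, today: date) -> str:
    """Classify the password using the max-age and inactivity fields."""
    if entry["locked"]:
        return "locked"
    mx, last = entry["max_days"], entry["last_change"]
    if mx is None or mx >= 99999 or last is None:
        return "never expires"                # five 9s: no forced change
    expiry = last + timedelta(days=mx)
    if today < expiry:
        return "valid"
    inactive = entry["inactive_days"]
    if inactive is not None and today > expiry + timedelta(days=inactive):
        return "inactive (account locked)"
    return "expired (must change at login)"
```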
The chage or "change age" command displays password information for the listed user. The root user can list password information for any user. The chage command is also used to set a password aging policy.
[root@servera ~]# usermod -L megan
Root can lock a user's account with the -L option to the usermod command.
The nologin shell prevents logins to system accounts such as the mail server account.
Set password policies for several users.
The critical files /etc/passwd, /etc/group, and /etc/shadow contain user and group information.
Set a default local password policy, create a supplementary group for three users, allow that group to use sudo to run commands as root, and modify the password policy for one user.
Thanks for watching. This is the end of the presentation.
Created on 17 February 2025 by Dennis Kibbe. Last modified on 9 June 2025 09:21:00 by DNK.
The audio accompanying this presentation is AI-generated.