Module 15 System and User Security
Exam Objective
5.1 Basic Security and Identifying User Types
Objective Description: Various types of users on a Linux system.
Identifying User Accounts
Users and Permissions
● User accounts are designed to provide security on a Linux operating system.
● User accounts allow or disallow a person access to files and directories using file permissions.
● User accounts also belong to groups.
● This chapter covers commands that provide the ability to view user and group account information and how to switch to other user accounts.
Administrative Accounts
● Some commands require administrative or root privileges.
● Using root has risks, so it is recommended to use the sudo or su command to execute commands as root.
● Risks with logging in as root:
  ○ Everything will run as root (background processes, executables)
  ○ May forget you are logged in as root
  ○ May accidentally run non-admin tasks as root
Switching Users
● The su command allows you to run a shell as a different user:
su [options] [username]
● Using the login shell option (-) results in fully configuring the new shell with the settings of the new user. If a username is not specified, su opens a new shell as the root user.
su -
su - root
● After pressing Enter, the user must provide the password of the root user.
● Use the exit command to return to the original shell (user account).
sysadmin@localhost:~$ su -
Password:
root@localhost:~# exit
logout
Executing Privileged Commands
● The sudo command also allows users to execute commands as another user.
● Can be used in distributions that do not allow root user login.
● Prompts for the user's own password instead of that of the root user.
sysadmin@localhost:~$ sudo head /etc/shadow
[sudo] password for sysadmin:
● Each sudo command results in an entry placed in a log file, which provides accountability and reduces the risk associated with using root.
User Accounts
● The /etc directory contains files which hold the account data of users and groups defined on the system.
● The /etc/passwd file defines some account information for user accounts.
  ○ Each line contains information about a single user.
sysadmin:x:1001:1001:System Administrator,,,,:/home/sysadmin:/bin/bash
  ○ Contains: Name, Password Placeholder, User ID, Primary Group ID, Comment, Home Directory, Shell (fields are separated by colons)
● Use the grep command to check whether a user is defined on the system.
Passwords
● The /etc/shadow file contains user password information (you must be root to read it).
sysadmin:$6$c75ekQWF$.GpiZpFnIXLzkALjDpZXmjxZcIll14OvL2mFSIfnc1aU2cQ/221QL5AX5RjKXpXPJRQ0uVN35TY3/..c7v0.n0:16874:5:30:7:60:15050::
● Fields include:
  ○ Username: Username of the account (matches the username in /etc/passwd)
  ○ Password: Encrypted password for the account
  ○ Last Change: Last time the password was changed (in days since January 1, 1970)
  ○ Min: Minimum number of days between password changes
  ○ Max: Maximum number of days the password is valid
  ○ Warn: Number of days before password expiry that the system warns the user
  ○ Inactive: Grace period after expiry during which the user's password can still be changed
  ○ Expire: Date on which the user account expires (in days since January 1, 1970)
  ○ Reserved: Currently not used; this field is reserved for future use
System Accounts
● Users log in using regular accounts (UID > 1000).
● Special access root account (UID 0).
● System accounts are designed for services running on the system (UID 1-499).
● System accounts in /etc/passwd and /etc/shadow have some different fields:
  ○ Home directory: typically none
  ○ Shell: Uses nologin
  ○ Password: Uses *
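As an added example (not part of the course material), the following Python parses /etc/passwd and /etc/shadow records using the field layouts from the Passwords slide, computes when a password must next be changed from Last Change and Max, and flags entries that break the system-account conventions listed above. The records, the shortened hash and the UID ranges are constructed or assumed from the slides, not taken from a real system.

```python
# Added example, not part of the course material: parse constructed /etc/passwd and
# /etc/shadow records using the field layouts above, compute password expiry, and flag
# entries that break the system-account conventions on the slides.
from datetime import date, timedelta
EPOCH = date(1970, 1, 1)  # shadow day counts are measured from this date
AGING = ("last", "min", "max", "warn", "inactive", "expire")
# Constructed records; the sysadmin pair mirrors the slides (hash shortened).
PASSWD = """\
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
sysadmin:x:1001:1001:System Administrator,,,,:/home/sysadmin:/bin/bash
"""
SHADOW = """\
daemon:*:16874:0:99999:7:::
backup::16874:0:99999:7:::
sysadmin:$6$constructed$hash:16874:5:30:7:60:15050::
"""

def parse_passwd(text):  # username -> UID, GID, home, shell from the seven fields
    users = {}
    for line in text.splitlines():
        name, _, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users

def parse_shadow(text):  # username -> password field plus six aging fields (blank -> None)
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        ages = [int(x) if x else None for x in f[2:8]]
        entries[f[0]] = dict(zip(AGING, ages), password=f[1])
    return entries

def account_type(uid):  # UID ranges as the slides give them
    if uid == 0:
        return "root"
    return "system" if uid <= 499 else "regular" if uid >= 1000 else "other"

def password_expiry(sh):  # Last Change + Max, both counted in days since EPOCH
    return EPOCH + timedelta(days=sh["last"] + sh["max"])

def audit(passwd_text, shadow_text):  # findings a sysadmin reviewing the files would want
    findings, shadow = [], parse_shadow(shadow_text)
    for name, u in parse_passwd(passwd_text).items():
        kind, sh = account_type(u["uid"]), shadow[name]
        if sh["password"] == "":
            findings.append(f"{name}: empty password field, login needs no password")
        if kind == "system" and (not u["shell"].endswith("nologin") or sh["password"] != "*"):
            findings.append(f"{name}: system account with shell {u['shell']}, password field {sh['password']!r}")
    return findings
```

Running audit(PASSWD, SHADOW) reports only the constructed backup account, once for its empty password field and once for a system account carrying an interactive shell.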
Group Accounts
● Each user can be a member of one or more groups.
● The /etc/passwd file defines the primary group membership for a user.
● The /etc/group file defines supplemental (or secondary) group membership.
mail:x:12:mail,postfix
● Fields include:
  ○ Group Name: Field contains the group name
  ○ Password Placeholder: The x means the password is not stored in this file
  ○ GID: Unique group ID associated with the group
  ○ User List: Lists the members of the group
Viewing User Accounts
Viewing User Information
● The id command is used to print user and group information.
sysadmin@localhost:~$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin),4(adm),27(sudo)
● Output:
  ○ Lists user account information first: UID (uid=1001) and username (sysadmin)
  ○ After the username, the primary group is listed (group ID and group name)
  ○ Other information includes the other groups the user belongs to (group IDs and group names)
● To display information for a specific account, use the username as an argument.
● To print only secondary group membership, use the -G option.
Viewing Current Users
● The who command lists users who are currently logged in, as well as where and when they logged in.
sysadmin@localhost:~$ who
root     tty2         2013-10-11 10:00
sysadmin tty1         2013-10-11 09:58 (:0)
sysadmin pts/0        2013-10-11 09:59 (:0.0)
● Output:
  ○ Username: Indicates the user who is logged in and has an open session.
  ○ Terminal: Indicates which terminal window the user is working in. tty indicates a local login whereas pts indicates a pseudo terminal.
  ○ Date: Indicates when the user logged in. A hostname means the user logged in remotely. A colon and number means a graphical local login. No location info means the user logged in via the local command line.
Viewing Current Users
● The w command provides more detailed information about users currently on the system.
● Provides info about system status.
● Output looks like:
sysadmin@localhost:~$ w
 10:44:03 up 50 min,  4 users,  load average: 0.78, 0.44, 0.19
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty2     -                 10:00   43:44   0.01s  0.01s -bash
sysadmin tty1     :0                09:58   50:02   5.68s  0.16s pam: gdm-password
sysadmin pts/0    :0.0              09:59    0.00s  0.14s  0.13s ssh 192.168.1.2
sysadmin pts/1    example.com       10:00    0.00s  0.03s  0.01s w
Viewing Login History
● The last command reads all login records from the /var/log/wtmp file.
● Shows previous login sessions as well as current login information.
sysadmin@localhost:~$ last
sysadmin console                   Tue Sep 18 02:31   still logged in
sysadmin console                   Tue Sep 18 02:31 - 02:31  (00:00)

wtmp begins Tue Sep 18 02:31:57 2018