What is a user?
Every process on the system runs as a particular user. Every file is owned by a particular user. Access to files and directories is restricted by user. The user associated with a running process determines the files and directories accessible to that process.
id - The id command is used to show information about the current logged-in user. Basic information about another user can also be requested by passing in the username of that user as the first argument to the id command.
[student@desktop ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student), 10(wheel)
To view the user associated with a file or directory, use the ls -l command. The third column shows the username:
[student@desktop ~]$ ls -l /tmp
drwx------. 2 gdm gdm
drwx------. 2 student student
-rw-r--r--. 1 root root
To view process information, use the ps command. The default is to show only processes in the current shell. Add the a option to view all processes with a terminal. To view the user associated with a process, include the u option. The first column shows the username:
[student@desktop ~]$ ps au
User PID %CPU %MEM
root
root
student
The output of the previous commands displays users by name, but internally the operating system tracks users by a UID number. The mapping of names to numbers is defined in databases of account information. By default, systems use a simple "flat file", the /etc/passwd file, to store information about local users. The format of /etc/passwd follows (seven colon-separated fields):
username: a mapping of a UID to a name for the benefit of human users.
password: where, historically, passwords were kept in an encrypted format. Today, they are stored in a separate file called /etc/shadow.
UID: the user ID, a number that identifies the user at the most fundamental level.
GID: the user's primary group ID number. Groups will be discussed in a moment.
GECOS: arbitrary text, which usually includes the user's real name.
/home/dir: the location of the user's personal data and configuration files.
shell: the program that runs as the user logs in. For a regular user, this is normally the program that provides the user's command line prompt.
What is a group?
Like users, groups have a name and a number (GID). Local groups are defined in /etc/group.
Primary groups
Every user has exactly one primary group.
For local users, the primary group is defined by the GID number of the group listed in the fourth field of /etc/passwd (the GID field described above).
Normally, the primary group owns new files created by the user.
Normally, the primary group of a newly created user is a newly created group with the same name as the user. The user is the only member of this User Private Group (UPG).
Supplementary groups
A user may be a member of zero or more supplementary groups.
For local groups, supplementary membership is determined by a comma-separated list of users found in the last field of the group's entry in /etc/group:
groupname:password:GID:list,of,users,in,this,group
Supplementary group membership is used to help ensure that users have access permissions to files and other resources on the system.
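The passwd and group formats described above, worked through as an added example (not code from the original post): a small shell function that joins constructed /etc/passwd- and /etc/group-style records to report a user's primary group and supplementary groups, and flags a primary GID that has no group entry. The usernames, GIDs and group names in the sample data are constructed for the example.

```shell
# Added example (not from the original post): resolve a user's primary group
# and supplementary groups from /etc/passwd- and /etc/group-format records.
# The records below are constructed for this example, not read from a live host.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Student User:/home/student:/bin/bash
elvis:x:1001:1001:Elvis:/home/elvis:/bin/bash
orphan:x:1002:4242:No Such Group:/home/orphan:/bin/bash'
GROUP_SAMPLE='root:x:0:
wheel:x:10:student,elvis
student:x:1000:
elvis:x:1001:
ateam:x:5000:elvis'

# groups_of USER prints "primary=<group> supplementary=<comma,list>" and
# returns 1 if USER is not in the passwd data. Passwd field 4 is the primary
# GID; group field 3 is the GID and field 4 the comma-separated member list.
# A primary GID with no matching group line is reported as MISSING: such a
# user's new files are owned by a bare GID that no group name resolves to.
groups_of() {
    printf '%s\n' "$PASSWD_SAMPLE" "---" "$GROUP_SAMPLE" | awk -F: -v u="$1" '
        /^---$/ { ingroups = 1; next }
        !ingroups && $1 == u { pgid = $4; found = 1; next }
        ingroups {
            if ($3 == pgid) primary = $1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u) supp = (supp ? supp "," : "") $1
        }
        END {
            if (!found) { print "no such user: " u > "/dev/stderr"; exit 1 }
            printf "primary=%s supplementary=%s\n",
                   (primary ? primary : "MISSING(gid " pgid ")"), supp
        }'
}
```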
Gaining Superuser Access
The root user
Most operating systems have some sort of superuser, a user that has all power over the system. This user in Red Hat Enterprise Linux is the root user. This user has the power to override normal privileges on the file system and is used to manage and administer the system. In order to perform tasks such as installing or removing software and to manage system files and directories, a user must escalate privileges to the root user.
The root account on Linux is roughly equivalent to the local Administrator account on Windows. In Linux, most system administrators log into an unprivileged user account and use various tools to temporarily gain root privileges.
Switching users with su
The su command allows a user to switch to a different user account. If a username is not specified, the root account is implied. When invoked as a regular user, a prompt will display asking for the password of the account you are switching to; when invoked as root, there is no need to enter the account password.
su [-] <username>
[student@desktop ~]$ su -
Password: redhat
The command su username starts a non-login shell, while the command su - username starts a login shell. The main distinction is that su - sets up the shell environment as if this were a clean login as that user, while su just starts a shell as that user with the current environment settings.
Running commands as root with sudo
The sudo command allows a user to be permitted to run a command as root, or as another user, based on settings in the /etc/sudoers file. Unlike other tools such as su, sudo requires users to enter their own password for authentication, not the password of the account they are trying to access. This allows an administrator to hand out fine-grained permissions to users to delegate system administration tasks, without having to hand out the root password.
For example, when sudo has been configured to allow the user student to run the command usermod as root, student could run the following command to lock a user account:
[student@server ~]$ sudo usermod -L username
[sudo] password for student: password
One additional benefit of using sudo is that all commands executed using sudo are logged by default to /var/log/secure.
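The delegation the paragraph above assumes, written out as an added sudoers fragment (not part of the original post): the student user and the /usr/sbin/usermod path are example values, and the fragment is meant for a file under /etc/sudoers.d edited with visudo.

```sudoers
# Added example: grant "student" the single command the text assumes.
# Too broad: any command, as any user, i.e. a full root equivalent.
# student ALL=(ALL) ALL

# Scoped: only /usr/sbin/usermod, only as root; each use is still logged.
student ALL=(root) /usr/sbin/usermod

# Caveat: sudoers argument wildcards match the whole argument string, so a
# rule ending in "-L *" also matches "-L bob -s /bin/bash". When in doubt,
# restrict the command rather than trying to restrict its arguments.
```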
Managing local users
useradd creates users
useradd username sets reasonable defaults for all fields in /etc/passwd when run without options. The useradd command does not set any valid password by default, and the user cannot log in until a password is set.
useradd --help will display the basic options that can be used to override the defaults.
usermod modifies existing users
usermod --help will display the basic options that can be used to modify an account.
userdel deletes users
userdel username removes the user from /etc/passwd, but leaves the home directory intact by default.
userdel -r username removes the user and the user's home directory.
E.g.
[root@server ~]# useradd prince
[root@server ~]# ls -l /home
[root@server ~]# userdel prince
[root@server ~]# ls -l /home
[root@server ~]# useradd bob
[root@server ~]# ls -l /home
UID ranges
Specific UID numbers and ranges of numbers are used for specific purposes by Red Hat Enterprise Linux.
UID 0 is always assigned to the superuser account, root.
UID 1-200 is a range of "system users" assigned statically to system processes by Red Hat.
UID 201-999 is a range of "system users" used by system processes that do not own files on the file system. They are typically assigned dynamically from the available pool when the software that needs them is installed. Programs run as these "unprivileged" system users in order to limit their access to just the resources they need to function.
UID 1000+ is the range available for assignment to regular users.
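The UID ranges above, applied as an added example (not code from the original post): a shell function that classifies a UID into those ranges, plus an audit over constructed passwd-format records that flags any account sharing UID 0 with root, since such an account is a superuser whatever its name. The account names and UIDs in the sample are constructed for the example.

```shell
# Added example (not from the original post): classify UIDs into the ranges
# described above and audit passwd-format records for accounts that share
# UID 0 with root. The sample records are constructed for this example.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
student:x:1000:1000:Student User:/home/student:/bin/bash
backup:x:0:0:backup:/root:/bin/bash
broken:x:abc:100:Bad UID:/home/broken:/bin/bash'

# uid_class UID prints the range name for UID, or returns 1 for a non-numeric UID.
uid_class() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    if   [ "$1" -eq 0 ];   then echo superuser
    elif [ "$1" -le 200 ]; then echo static-system
    elif [ "$1" -le 999 ]; then echo dynamic-system
    else                        echo regular
    fi
}

# audit_passwd reads passwd-format lines on stdin and prints "<class> <name>"
# per record. Any UID-0 account other than root is flagged, since it holds
# full superuser rights regardless of its name; malformed UIDs are flagged too.
audit_passwd() {
    while IFS=: read -r name _pw uid _gid _gecos _home _shell; do
        [ -n "$name" ] || continue
        if class=$(uid_class "$uid"); then
            printf '%s %s\n' "$class" "$name"
        else
            printf 'WARNING: %s has malformed UID %s\n' "$name" "$uid"
            continue
        fi
        if [ "$uid" -eq 0 ] && [ "$name" != root ]; then
            printf 'WARNING: %s has UID 0 and therefore root privileges\n' "$name"
        fi
    done
}
```

Run it against the sample with printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd; on a real host the same function can read /etc/passwd instead.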
Managing supplementary groups
groupadd creates groups
groupadd groupname without options uses the next available GID from the range specified in the /etc/login.defs file.
The -g GID option is used to specify a specific GID.
[student@server ~]$ sudo groupadd -g 5000 ateam
Always use a GID in the 1000+ range to avoid collisions with system groups.
The -r option will create a system group using a GID from the range of valid system GID numbers listed in the /etc/login.defs file.
[student@server ~]$ sudo groupadd -r appusers
groupmod modifies existing groups
The groupmod command is used to change the mapping of a group name to a GID. The -n option is used to specify a new name.
[student@server ~]$ sudo groupmod -n javaapp appusers
The -g option is used to specify a new GID.
[student@server ~]$ sudo groupmod -g 6000 ateam
groupdel deletes a group
The groupdel command will remove a group.
[student@server ~]$ sudo groupdel javaapp
usermod alters group membership
The membership of a group is controlled with user management. Change a user's primary group with usermod -g groupname username.
[student@server ~]$ sudo usermod -g student student
Add a user to a supplementary group with usermod -aG groupname username (without -a, the -G option replaces the user's supplementary groups instead of adding to them).
[student@server ~]$ sudo usermod -aG wheel elvis