Another very handy method to set or change a password, especially from a script, is to use the passwd command’s stdin option, which allows you to pipe a new, plain-text password in. For example, the following command changes the user bubba’s password to sekritword, using the stdin option to passwd: # echo ‘sekritword’ | passwd stdin bubba Changing password for user bubba Passwd: all authentication tokens updated successfully. This command pipes the password through the passwd command. When used with the stdin option, passwd reads its input from stdin rather than interactively at the keyboard. Notice that the echo command embeds the password in single quotes because the password contains shell metacharacters that must be protected from expansion. The chsh command changes a user’s login shell. Its syntax is: chsh [-s shell ] [-l] [username] -s shell sets username’s login shell to shell. Unless configured other- wise, shell can be the full pathname of any executable file on the system. One common way to take advantage of this feature is to disable an account by set- ting shell to /bin/false or another command that does not display a login prompt to the user. Using the -l option displays the shells listed in /etc/shells. The chage command changes the expiration policy for a user’s password. Its syntax is: chage [-l] [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] username Table 29-4 lists the valid options that chage accepts. Table 29-4 Options for the chage Command OPTION DESCRIPTION username Specifies username as the account name to query or modify. -l Displays expiration information for username. -m mindays Sets mindays days as the minimum amount of time permitted between password changes. -M maxdays Sets maxdays days as the maximum number of days a password is valid. 714 Chapter 29 37_599496 ch29.qxd 8/30/05 7:20 PM Page 714 Table 29-4 (continued) OPTION DESCRIPTION -d lastday Sets lastday as the date on which the password was last changed, expressed as the number of days elapsed since 1 January 1970. lastday can be set using a more convenient date format, such as June 21, 2003, or 2003-0621. -I inactive Sets inactive days as the number of days username’s account may be inactive after the password has expired before the account is locked. -E expiredate Sets expiredate as the date on which username’s account expires. -W warndays Sets warndays as the number of days before the password expires that a warning message is issued. If no options are used, chage executes in interactive mode, prompting the user for each item of information. The chage command’s -l option to obtain a friendlier display: # chage -l marysue Minimum: 0 Maximum: 99999 Warning: 7 Inactive: -1 Last Change: Apr 04, 2005 Password Expires: Never Password Inactive: Never Account Expires: Never chage does not display the fields in the order in which they appear in /etc/shadow. Modifying Multiple Accounts Simultaneously In busy or large IT environments, system administrators often find themselves faced with the necessity of creating multiple user accounts. Using useradd to add one or two accounts is relatively simple, but it quickly becomes tedious if 10 or 20 accounts need to be created. Fortunately, the shadow password suite includes the newusers utility, which can be used to create and update multi- ple user accounts. As remarked on at the beginning of the chapter, one of the advantages of command line tools is that they can be used to perform bulk or mass changes. Two commands, chpasswd and newusers, make multiple changes to the user password database in a single operation. The syntax is: newusers userfile Administering Users and Groups 715 37_599496 ch29.qxd 8/30/05 7:20 PM Page 715 userfile is the name of a text file consisting of lines in the same format as the standard password file, subject to the following exceptions: ■■ The password field appears as clear text — newusers encrypts it before adding the account. ■■ The pw_age field is ignored for shadow passwords if the user already exists. ■■ The GID can be the name of an existing group or a nonexistent GID. If the GID is the name of an existing group, the named user is added to that group, but if it is a nonexistent numeric value, a new group with the specified GID is created. ■■ If the specified home directory refers to a nonexistent directory, newusers creates it. If the directory already exists, ownership of the directory is set to that of the named user. The following code shows the contents of newusers.txt, which is passed to newusers to create three new user accounts, bubba, joebob, and marysue: bubba:mypass:901:901:Bubba User:/home/bubba:/bin/bash joebob:yourpass:902:902:Joe Bob:/home/joebob:/bin/bash marysue:somepass:903:903:Mary Sue:/home/marysue:/bin/bash After executing the command newusers newusers.txt, you will see the entries in /etc/passwd, /etc/group, and /etc/ shadow, as shown in List- ing 29-1. # tail -3 /etc/passwd bubba:x:901:901:Bubba User:/home/bubba:/bin/bash joebob:x:902:902:Joe Bob:/home/joebob:/bin/bash marysue:x:903:903:Mary Sue:/home/marysue:/bin/bash # tail -3 /etc/group 901:x:901:bubba 902:x:902:joebob 903:x:903:marysue # tail -3 /etc/shadow bubba:jYNrf8iU4DM:12895:0:99999:7::: joebob:b.hw8uEMl6eNM:12895:0:99999:7::: marysue:R1ER36oNXeUaA:12895:0:99999:7::: Listing 29-1 Entries in user database files after using newusers. The chpasswd command updates existing user passwords en masse. It reads a file consisting of colon-separated username:password pairs. password must be plain text, which will be encrypted at runtime, unless chpasswd is 716 Chapter 29 37_599496 ch29.qxd 8/30/05 7:20 PM Page 716 invoked with the -e option, in which case password must already be encrypted using a crypt(3)-compatible encryption algorithm. TIP Type man 3 crypt to learn more about how the password is encrypted. Viewing Login and Process Information To view current and past login information and to determine what processes users are running, you can use one of the following commands: ■■ last — Displays historical login information ■■ who — Displays information about currently logged in users ■■ w — Displays a user’s currently running process For all logins, last prints the user name, TTY, date, time, elapsed time, and the host name or IP address of the remote host, if applicable, from which the login originated of all user logins, starting with the most recent login. Its syn- tax is: last [-R | [-ai]] [-num |-n num] [username] [tty] By default, last lists all the entries in /var/log/wtmp, so you can use -num and -n num to specify the number of output lines to display. Ordinarily, last displays the hostname in the third column, but using -a places the host- name in the rightmost column, -i shows the hostname’s IP address, and -R completely suppresses display of the hostname. To view the login activity of a specific user, use the username argument. tty enables you to view logins per TTY. Multiple usernames and ttys can be listed. The who command displays information about currently logged-in users. Its default output includes the user name, login TTY, and the date and time each user logged in. who’s syntax is: who [-Hil] | [-q] Using the -H option adds column headings to who’s output. Specifying -i adds each user’s idle time to the display. Use -l to force who to show fully qualified domain names (FQDNs). To obtain the total number of logged-in users, use the -q option by itself. The w command is very similar to who, except that it also displays the com- mand line of each user’s currently running process and a summary of each user’s CPU usage. w’s syntax is: w [-husf] [username] Administering Users and Groups 717 37_599496 ch29.qxd 8/30/05 7:20 PM Page 717 By default, w prints header information when it starts; -h disables the header. -s generates a short output format that omits the login time and the CPU usage. -f disables displaying the host from which users are logged in. Specify- ing username lists only username’s login session and process information. Working with Group Accounts Unlike user accounts, group accounts always represent some sort of logical organization of users. Like user accounts, groups have group identification numbers, or GIDs, and it is common for users to be members of several groups. Groups are used to tie one or more users together to simplify admin- istrative tasks. For example, an administrator can assign a group permission to execute a certain application, and then add and delete users from that group, rather than granting permission to individual users. Handling access control at the group level is a simpler, less labor-intensive approach. Similarly, file access can be controlled at the group level because files are assigned user and group owners when files are created and because files carry separate read, write, and execute permissions for the owner, the group assigned to the file, and any other users. In large part, the group account administration commands parallel the interface of user administration commands with similar names, except that the group commands have fewer command line options. As the section “Under- standing User Private Groups” later in the chapter suggests, Red Hat Linux makes greater use of group accounts than other Linux distributions do. So, knowing how to add, modify, and delete group accounts is more important on Red Hat systems than it is with other Linux distributions. Table 29-5 lists the commands used to add, modify, and delete group accounts. They are discussed in greater detail in the following subsections. As with the discussion of the password file in the previous section, you will find the following discussion of working with group accounts less confusing if you understand the format of the group file, /etc/group. It has one entry per line, and each line has the format: groupname:password:gid:userlist ■■ groupname is the name of the group ■■ password is an optional field containing the encrypted group password ■■ gid is the numeric group ID number ■■ userlist is a comma-separated list of the user account names that compose the group 718 Chapter 29 37_599496 ch29.qxd 8/30/05 7:20 PM Page 718 Table 29-5 Group Account Administrative Commands COMMAND DESCRIPTION gpasswd Sets group passwords and modifies group accounts groupadd Creates a new group account groupdel Deletes an existing group account groupmod Modifies existing group accounts If x appears in the password field, nonmembers of the group cannot join it using the newgrp command. A typical entry in the group file might resemble the following: admins:x:507:joebob,marysue,bubba groupname is admins; password is empty, meaning no group password has been set; gid is 503; and userlist is joebob,marysue,bubba. Creating Groups To create a new group, use the groupadd command. Its syntax is: groupadd [[-g gid [-o]] [-r] [-f] groupname groupname is the only required argument and must be the name of a nonexistent group. When invoked with only the name of the new group, groupadd creates the group and assigns it the first unused GID that is both greater than 500 and not already in use. Specify -f to force groupadd to accept an existing groupname. Use the -g gid option if you want to specify the new group’s GID, replacing gid with a unique GID (use the -o option to force groupadd to accept a nonunique GID). To create system group, one that has special privileges, use the -r option. The following command creates a new group named admins: # groupadd admins Here is the resulting entry created in /etc/group: admins:x:507: As this point, admins has no members and the password field has an x in it, meaning that no one (which is everyone at this point) except root can join the group using newgrp. Administering Users and Groups 719 37_599496 ch29.qxd 8/30/05 7:20 PM Page 719 Modifying and Deleting Groups After creating a new group, you will likely want to add user accounts to it. Two commands modify group accounts, each serving different purposes. groupmod enables you to change a group’s GID or name, and gpasswd enables you to set and modify a group’s authentication and membership infor- mation. You should rarely need to change a group’s name or GID; you’re on your own to read the groupmod’s short manual page. We’re more interested in gpasswd, which enables the root user to administer all aspects of a group account and to delegate some administrative responsibilities to a group administrator. For simplicity’s sake, the following discussion explains the uses of gpasswd only available to root. Then it covers the gpasswd calls a group administrator can perform. From root’s perspective, gpasswd’s syntax is: gpasswd [-A username] [-M username] groupname Root can use -A username to assign username as groupname’s group administrator. -M username adds username to groupname’s membership roster. Assigning a group administrator using -A does not make the adminis- trator a member of the group; you have to use -M to add the administrator as a member of the group. Multiple username’s can be specified with -A and -M. The following command shows how to add marysue and joebob to the admins group: # gpasswd -M marysue,joebob admins NOTE To use the -A option, the shadow group file, /etc/gshadow must exist. Read the subsection titled “Using a Shadowed Group File” to understand the implications of using shadowed group files. After this change, the admins entries in /etc/group should resemble the following: admins:!:507:marysue,joebob Notice that adding users to the admins group account replaced x with ! in the password field, meaning that password-based access to the group (using newgrp) is disabled. For group administrators, gpasswd’s syntax is: gpasswd [-R] [-r] [-a username] [-d username] groupname 720 Chapter 29 37_599496 ch29.qxd 8/30/05 7:20 PM Page 720 gpasswd called with only groupname changes the group password. Once a group password is set, group members can still use newgrp to join the group without a password, but nonmembers of the group must supply the password. For example, the following commands show what happens when the user bubba uses newgrp to join the admins group after root sets a group pass- word, which, for the record, is secret: NOTE newgrp groupname changes the group identification of the calling user to groupname. After calling newgrp successfully, file access permissions are calculated based on the new GID. If groupname is omitted, the GID is changed to the calling user’s primary (login) GID. $ newgrp admins Password: $ groups admins bubba By contrast, here is what happens when joebob, who is a member of admins, uses newgrp to join the admins group. Notice that joebob is not prompted for a password as bubba was: $ newgrp admins $ groups admins joebob Conversely, if no group password is set, only group members can use newgrp to join the group. To remove a group password, use the -r option. The next snippet shows what happens when bubba tries to join admins after the group password is removed. Keep in mind that the password field in the group file will be empty after the password is removed using -r: $ newgrp admins newgrp: Permission denied. This time, bubba was not even prompted for a password. joebob, how- ever, has no problem: $ newgrp admins $ groups admins joebob Calling gpasswd with the -R option disables access to a group using the newgrp command. Oddly, if you use this option, gpasswd places a ! in the password field in the group file, so nonmembers of the group get a password prompt but no password works. Administering Users and Groups 721 37_599496 ch29.qxd 8/30/05 7:20 PM Page 721 To add a user to the group, a group administrator must use the -a username option. The -d username option removes a user from a group. The next exam- ple shows how to add and remove bubba using gpasswd’s -a and -d options: # gpasswd -a bubba admins Adding user bubba to group admins # grep admins /etc/group admins:!:507:marysue,joebob,bubba # gpasswd -d bubba admins Removing user bubba from group admins # grep admins /etc/group admins:!:507:marysue,joebob Using a Shadowed Group File Much of the behavior described in the previous subsection does not apply if the shadow group file, /etc/gshadow, is present. In particular, if the shadow group file is in use: ■■ Adding a group creates an entry for that group in the shadow group file that resembles the following: admins:x:507: admins:!:: ■■ Adding a user to a group adds that user to both the standard group file and the shadow group file: # gpasswd -M marysue admins # grep admins /etc/group /etc/gshadow group:admins:x:507:marysue gshadow:admins:!::marysue ■■ The third field in the shadow group file holds the name of the group administrator, not the GID, if an administrator is added using gpasswd’s -A username option: # gpasswd -A marysue admins # grep admins /etc/gshadow admins:!:marysue:marysue ■■ A group administrator cannot join the group unless the administrator’s account is also a member of the group. Similarly, a group administrator can add and delete her user account from the group without affecting her administrative function. 722 Chapter 29 37_599496 ch29.qxd 8/30/05 7:20 PM Page 722 ■■ Only group members can use newgrp to join the group. To put it another way, nonmembers of a group cannot use newgrp to join groups of which they are not members, even if they know the group password. In fact, passwords are irrelevant because they do not work for non- members and members do not need to use them. Deleting a group is quite simple. Use the groupdel command, which takes no options except the name of the group to delete. For example, the following command deletes the admins group: # groupdel admins NOTE Those of you who find typing commands tedious, the next section, “Administering Users and Groups with User Manager,” shows you how to use User Manager, Red Hat’s new GUI tool for administering user and group accounts. Using User Private Groups You need to understand the user private group (UPG) scheme and how the UPG scheme uses the semantics of set-GID directories. The UPG scheme as adopted in early Red Hat Linux distributions and carried forward into Fedora Core and RHEL. UPGs are intended to make Linux groups easier to use. Although the UPG scheme does not add or change the normal Linux way of handling groups, it does introduce a new convention that is different from tra- ditional Linux user and group idioms: when you create a new user, Fedora Core and RHEL create a unique group for that user. Although it is unusual and a departure from traditional norms, after you become accustomed to the UPG scheme, you will find that it is very natural to use and makes good sense. The UPG scheme has the following salient characteristics: ■■ Each user has a primary group with the same name as the user account. For example, the user named bubba has a primary or initial group of bubba. ■■ Each user is the only member of her primary group. Thus, the user bubba is the only member of the group bubba. ■■ Each user’s umask defaults to 002; because every user has her own pri- vate group in the UPG scheme, the group protection afforded by the normal Linux umask of 022 is unnecessary. Administering Users and Groups 723 37_599496 ch29.qxd 8/30/05 7:20 PM Page 723 [...]... character not in the specified range For example, [0-9] matches any non-numeric character ■ ■ \x: Escapes the character x, including *, ?, [, ], (, ), @, !, =, :, ,, and \ 4 Add the following line in the user specification section: PWADMIN ALL = PW This statement says that the PWADMIN users can use the PW command on all hosts (the ALL keyword) More generally, a user privilege specification takes the form:... accounts, click File ➪ Quit or press Ctrl+Q to save your changes and close User Manager Understanding the Root Account With very few and limited exceptions, the root account has unlimited power on any Linux or UNIX system, and, in this respect, Red Hat Linux is no exception The root account, or, to use the expression you see throughout this chapter, root, can access any file and modify any process Indeed,... over quota, that is, to exceed the defined limits Red Hat configures the default time limit, called a grace period, to seven days To change this default value, execute the following command: # edquota -u -t By default, edquota uses the vi editor, so the resulting screen should resemble the following: Grace period before enforcing soft limits for users: Time units may be: days, hours, minutes, or seconds... seconds Filesystem Block grace period Inode grace period /dev/hdb1 7days 7days To change the time limit, change the text that reads 7days to another value You can use time units of seconds, minutes, hours, and days So, for example, to set a time limit of two weeks, change the line that reads: /dev/hdb1 7days 7days 14days 14days so that it reads: /dev/hdb1 After making the changes, save them, and exit... mortal user) that have traditionally been solely root’s domain, such as printer management, user account administration, system backups, or maintaining a particular Internet service In other operating systems, such users are often called wheel users or administrative users Indeed, in 731 732 Chapter 29 many environments, subdividing system administration responsibilities is a necessity because the responsibilities... ext2 and ext3 file systems also restrict root’s power, although only slightly The ext2 and ext3 file systems support a number of special file attributes, including immutability Using the chattr utility, root can set a file’s Administering Users and Groups immutable attribute, which prevents all users, including root, from modifying the file; it cannot be deleted, renamed, or written to, and hard links... privileges that you can enable and disable Eventually, POSIX capabilities will also be applied to files in the file system The most immediately useful application is what is referred to as a capability bounding set, which defines a list of capabilities any process running on a Linux system can hold If a capability does not appear in the bounding set, no process, regardless of how privileged it is, can exercise... the monitored file system How big is a block? It varies from system to system depending on the size of the underlying disk On this system, a block is 1024K How can you find out the block size of a file system? One cheesy way that we use is sfdisk -l device, replacing device with the disk device in which you’re interested For example: # sfdisk -l /dev/hda Disk /dev/hda: 38792 cylinders, 16 heads, 63 sectors/track... another file system, such as XFS or ReiserFS, you should use the quota semantics described in their manual pages to set up and manage quotas Creating the Quota Files Now that the system is prepared, the next phase of the procedure for setting up quotas is to create the accounting files quota uses to monitor file system usage There are two such files for each file system on which quotas are used, aquota.user... code repository at ftp://ftp.kernel.org/pub /linux/ libs/security/ linux- privs/ The LCAP editor’s old Web page, http://pweb.netcom.com/~spoon/ lcap /, no longer works Nevertheless, you can still download the editor from the kernel.org FTP site or from the Security Focus Web site, security focus.com/tools/lcap-0.0.2.tar N OT E Security Enhanced Linux, or SELinux, offers another alternative for reigning in . unlimited power on any Linux or UNIX system, and, in this respect, Red Hat Linux is no excep- tion. The root account, or, to use the expression you see throughout this chap- ter, root, can access any. all logins, last prints the user name, TTY, date, time, elapsed time, and the host name or IP address of the remote host, if applicable, from which the login originated of all user logins, starting. group accounts than other Linux distributions do. So, knowing how to add, modify, and delete group accounts is more important on Red Hat systems than it is with other Linux distributions. Table