Facultat d'Informàtica de Barcelona, Univ. Politècnica de Catalunya
Administració de Sistemes Operatius
Users management
Topics
1. Introduction to OS administration
2. Installation of the OS
3. Users management
4. Applications management
5. System monitoring
6. Maintenance of the file system
7. Local services
8. Network services
9. Protection and security
Objectives
- Knowledge
  - System data bases (users, passwords...)
  - Permissions and protections
    - Files and directories
    - SETUID/SETGID bits
- Abilities
  - Users maintenance
    - Creating user accounts
    - Groups and group membership
    - Account disabling and deletion
- Commands and files
  - chmod, chown, id, useradd, userdel, umask
  - /etc/passwd, /etc/group, /etc/shadow
System data bases
- /etc/passwd (users)
- /etc/group (groups)
- /etc/shadow (passwords)
- /etc/aliases (e-mail aliases)
Relations shown in the diagram: users to passwords 1:1; users to groups N:M; users to e-mail aliases N:M.
/etc/passwd
- Readable by all users
- Format: username:passwd:uid:gid:real-name:homedir:shell
Example entries:
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  adm:x:3:4:adm:/var/adm:/sbin/nologin
  lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  sync:x:5:0:sync:/sbin:/bin/sync
  shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  halt:x:7:0:halt:/sbin:/sbin/halt
  mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
  news:x:9:13:news:/etc/news:
  nobody:x:99:99:Nobody:/:/sbin/nologin
  sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
  aramirez:x:500:500:Alex Ramirez, C6117, 54040:/home/aramirez:/bin/bash
/etc/group
- Several users can belong to the same group
- Each user has a main group (the gid field of /etc/passwd)
- Each group has a list of members
- Format: groupname:passwd:gid:username,username...
Example entries:
  root:x:0:root
  bin:x:1:root,bin,daemon
  daemon:x:2:root,bin,daemon
  sys:x:3:root,bin,adm
  adm:x:4:root,adm,daemon
  tty:x:5:
  disk:x:6:root
  lp:x:7:daemon,lp
  mem:x:8:
  kmem:x:9:
  wheel:x:10:root
  mail:x:12:mail
  news:x:13:news
  uucp:x:14:uucp
  man:x:15:
  games:x:20:
  ftp:x:50:
  nobody:x:99:
  users:x:100:aramirez
  aramirez:x:500:
/etc/shadow
- Only root can read and write /etc/shadow
- Encrypted passwords
- Password expiration policy
- Format: username:passwd:expiration policy fields
- passwd changes the password
- chage changes the expiration policy
  - Minimum/maximum amount of time between changes
  - Account expiration date
Example entries:
  root:$1$iVKd84gQ$IV7vHG0CHdIGGnYnNs00E/:12260:0:99999:7:::
  bin:*:12260:0:99999:7:::
  daemon:*:12260:0:99999:7:::
  ...
  aramirez:$1$jGmk47hy$6Lkk.QYrMI67qPqvhTCdS.:12262::99999::::
/etc/aliases
- Data base containing e-mail aliases
- Redirects e-mail to other addresses
  - From pseudo-users
  - To the administrator
  - To programs
  - To users in another machine
Example contents:
  # Basic system aliases -- these MUST be present.
  mailer-daemon: postmaster
  postmaster: root
  # General redirections for pseudo accounts.
  bin: root
  webmaster: root
  support: postmaster
  # Person who should get root's mail
  root: aduran, xavim@ac.upc.edu
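As an added example (not from the slides), the consistency checks an administrator runs across the three databases just described: a second UID 0 account, an empty password field, a user whose primary gid has no group, a passwd user with no shadow entry, and shared UIDs. The sample databases are constructed, modelled on the slide entries, with two defective accounts (backup, guest) inserted on purpose.

```python
# Added example: consistency audit of /etc/passwd, /etc/group and /etc/shadow.
# The three databases below are constructed samples (not real system files);
# "backup" and "guest" are deliberately broken so the audit has something to find.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
aramirez:x:500:500:Alex Ramirez, C6117, 54040:/home/aramirez:/bin/bash
backup:x:0:0:old admin:/root:/bin/bash
guest::501:600:guest:/home/guest:/bin/bash
"""
GROUP = """\
root:x:0:root
bin:x:1:root,bin,daemon
users:x:100:aramirez
aramirez:x:500:
"""
SHADOW = """\
root:$1$iVKd84gQ$IV7vHG0CHdIGGnYnNs00E/:12260:0:99999:7:::
bin:*:12260:0:99999:7:::
aramirez:$1$jGmk47hy$6Lkk.QYrMI67qPqvhTCdS.:12262::99999::::
backup:*:12260:0:99999:7:::
"""

def parse(db):
    """Split a colon-separated database into {first field: [all fields]}."""
    rows = [line.split(":") for line in db.splitlines() if line.strip()]
    return {r[0]: r for r in rows}

def audit(passwd=PASSWD, group=GROUP, shadow=SHADOW):
    """Return a list of human-readable findings (empty list means consistent)."""
    users, groups, shadows = parse(passwd), parse(group), parse(shadow)
    gids = {g[2] for g in groups.values()}
    problems = []
    for name, (_, pw, uid, gid, *_rest) in users.items():
        if uid == "0" and name != "root":
            problems.append(f"{name}: extra UID 0 account")
        if pw == "":  # empty field means login with no password at all
            problems.append(f"{name}: empty password field in /etc/passwd")
        if pw == "x" and name not in shadows:  # "x" promises a shadow entry
            problems.append(f"{name}: no /etc/shadow entry")
        if gid not in gids:
            problems.append(f"{name}: primary gid {gid} not in /etc/group")
    by_uid = {}
    for name, fields in users.items():
        by_uid.setdefault(fields[2], []).append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            problems.append(f"uid {uid} shared by {', '.join(names)}")
    return problems
```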
Activity
- Individually
  - Write down the process of giving a user a new account
    - Changes in the data bases
    - Creation of directories
    - Default files
    - ...
- In group
  - Discussion
  - Program the useradd command (pseudocode)
Basic commands
- useradd / adduser, groupadd
- userdel, groupdel
- usermod, groupmod (see the man pages)
  - Allow modifying all values except the username
- passwd [-g], gpasswd
- newusers
- vipw
- vigr
- newgrp, sg
Disable users
- Temporarily disable a user account
  - The user will not be able to access the system
- Invalidate the password
  - Add an illegal character to the encrypted password (*)
  - Allows recovering the old password, if necessary
- Invalidate the shell
  - Replace it with another binary (/bin/false, /bin/nologin)
  - Informs the user that his/her account has been disabled
  - Informs the administrator when the user attempts to access the system
Remove users
- When a user no longer needs his/her account...
  - Disable the account (using an invalid encrypted password)
  - Check whether the user is currently working on the machine
  - Generate a backup with all his/her data
  - Delete all data
  - Remove the user from the system data bases
    - /etc/shadow
    - /etc/passwd
    - /etc/group
  - Redirect his/her e-mail
    - /etc/aliases
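The account lifecycle of the last four slides (the useradd activity, disabling, and removal), as an added in-memory model that is not the slides' own code nor the real useradd/userdel: a new account gets a never-reused UID, a private group and a locked password until passwd is run; disabling prefixes the hash with an illegal character so it stays recoverable and swaps the shell for /sbin/nologin; removal cleans the three databases and adds a forwarding alias. The starting databases are constructed samples (the hashes are placeholders).

```python
# Added example, not from the slides: in-memory account lifecycle. Real tools
# edit the files under a lock (vipw); here the databases are lists of lines.
FIRST_UID, LOCK = 500, "!"   # slides start users at 500; "!" makes a hash unusable

def fields(lines, name):
    """Return the split entry for `name`, or None if absent."""
    return next((l.split(":") for l in lines if l.split(":")[0] == name), None)

def put(lines, name, index, value):
    """Rewrite one field of one entry in a list of database lines."""
    for i, line in enumerate(lines):
        f = line.split(":")
        if f[0] == name:
            f[index] = value
            lines[i] = ":".join(f)

def useradd(db, name, gecos, today=12262):
    """Allocate a fresh UID, private group, home path and a locked password."""
    if fields(db["passwd"], name):
        raise ValueError(f"{name}: already exists")
    # policy: do not reuse UIDs, so take one past the highest ever allocated
    uid = max([int(l.split(":")[2]) for l in db["passwd"]] + [FIRST_UID - 1]) + 1
    db["group"].append(f"{name}:x:{uid}:")
    db["passwd"].append(f"{name}:x:{uid}:{uid}:{gecos}:/home/{name}:/bin/bash")
    db["shadow"].append(f"{name}:{LOCK}:{today}:0:99999:7:::")  # locked until passwd
    return uid

def disable(db, name):
    """Temporary disable: prefix the hash (recoverable) and deny a login shell."""
    pw = fields(db["shadow"], name)[1]
    if not pw.startswith(LOCK):
        put(db["shadow"], name, 1, LOCK + pw)   # strip the prefix to re-enable
    put(db["passwd"], name, 6, "/sbin/nologin")

def userdel(db, name, forward_to="root"):
    """Drop the user from passwd/shadow/group and redirect mail in aliases."""
    for key in ("passwd", "shadow"):
        db[key] = [l for l in db[key] if l.split(":")[0] != name]
    kept = []
    for line in db["group"]:
        g = line.split(":")
        if g[0] == name:            # the private group goes with the user
            continue
        g[3] = ",".join(m for m in g[3].split(",") if m and m != name)
        kept.append(":".join(g))
    db["group"] = kept
    db["aliases"].append(f"{name}: {forward_to}")

def sample_db():
    """Constructed starting state; '$1$salt$hash' stands in for a real MD5 hash."""
    return {"passwd": ["root:x:0:0:root:/root:/bin/bash",
                       "aramirez:x:500:500:Alex Ramirez:/home/aramirez:/bin/bash"],
            "group": ["root:x:0:root", "users:x:100:aramirez", "aramirez:x:500:"],
            "shadow": ["root:$1$salt$hash:12260:0:99999:7:::",
                       "aramirez:$1$salt$hash:12262::99999::::"],
            "aliases": ["root: aduran, xavim@ac.upc.edu"]}
```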
Users and processes (diagram, text only)
- init (root process) forks and execs login
- login checks the password against /etc/shadow, takes uid and gid from /etc/passwd and the additional groups from /etc/group, then execs the user's shell as a non-privileged user process
- the shell forks and execs program files; on each exec the kernel checks access rights and applies the file's setuid/setgid bits
Permissions and protection
- Mode string: (-,d) rwx rwx rwx for owner, group and other
- 3 types of permissions
  - Read, write, and execute (rwx)
  - Applied to regular files...
  - Applied to directories...
- 3 application areas
  - Owner, group, other (ugo)
- Related commands:
  - chown: changes the owner of files/directories
  - chgrp: changes the group of files/directories
  - chmod: changes permissions of files/directories
Permissions and protection
- Set-UID/Set-GID bit (s)
  - Applied to files
  - Applied to directories
- Sticky bit (t), applied to directories
Permissions (summary)
[summary table of permission meanings for files and directories; not recoverable from the extraction]
Activity
- In groups
  - Assign the appropriate permissions to directories and files, so that for the file...
      $ ls -l ./datadir/data.txt
      -rw-rw-r-- 1 aso01 aso01 9778 Nov 28 18:10 ./datadir/data.txt
    - Only the owner can modify the contents
    - All members of the group can read it
    - Only the owner can delete it
    - Only the owner can list the contents of the directory
Default permissions
- When creating a file/directory...
  - The current user and current group determine the owner and group of the new file
    - id reports the current user and group
    - newgrp changes the current group
  - Permissions are determined by the umask system variable:
    - It indicates which permissions are not set by default on new files or directories
    - 022: rwx r-x r-x
    - 027: rwx r-x ---
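An added example (not from the slides) tying together the three permission slides and the umask one: conversion between the ls -l mode string and octal, including the s/S and t/T letters for the Set-UID, Set-GID and sticky bits, the umask rule for newly created files (666) versus directories (777), and a helper that reports which of owner/group/other hold a given permission, useful for reasoning about the activity above.

```python
# Added example, not from the slides: symbolic <-> octal modes, umask, and
# a per-class permission query. Uses only the standard library.
import stat

# 1-based position of each x slot that the special bits overlay, and the letter shown there
SPECIAL = {3: (stat.S_ISUID, "s"), 6: (stat.S_ISGID, "s"), 9: (stat.S_ISVTX, "t")}

def mode_to_string(mode):
    """0o4755 -> 'rwsr-xr-x'; the letter is upper-case when the x bit is absent."""
    letters = "rwx" * 3
    out = [letters[i] if mode & (1 << (8 - i)) else "-" for i in range(9)]
    for pos, (flag, letter) in SPECIAL.items():
        if mode & flag:
            out[pos - 1] = letter if out[pos - 1] == "x" else letter.upper()
    return "".join(out)

def string_to_mode(s):
    """'rwsr-xr-x' -> 0o4755; also accepts the 10-character ls -l form."""
    if len(s) == 10:
        s = s[1:]                      # drop the file-type character (- or d)
    mode = 0
    for i, ch in enumerate(s):
        if ch == "-":
            continue
        if ch in "sStT":
            mode |= SPECIAL[i + 1][0]  # special bit is set either way...
            if ch.islower():
                mode |= 1 << (8 - i)   # ...and lower-case means x is set too
        else:
            mode |= 1 << (8 - i)
    return mode

def create_mode(umask, directory=False):
    """New files ask for 666 and directories for 777; umask clears bits."""
    return (0o777 if directory else 0o666) & ~umask & 0o777

def who_can(mode, perm):
    """Which classes (owner/group/other) hold permission 'r', 'w' or 'x'."""
    shift = {"r": 2, "w": 1, "x": 0}[perm]
    return {cls for cls, base in (("owner", 6), ("group", 3), ("other", 0))
            if mode & (1 << (base + shift))}
```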
Special users and groups
- root
  - UID 0 (the username does not matter)
- ftp
  - Anonymous ftp (with no password)
- nobody
  - Special user for NFS or WWW
- wheel
  - User group with administration privileges
Obtaining privileges
- Working as administrator (root) is dangerous
- Better to have an administrator user (admin), and obtain the required privileges only when needed
- su [user] [-c command]
  - Changes user (defaults to root)
- sudo [command]
  - Executes a command as a different user
  - The administrator can restrict which commands each user can execute
User management policies
- Assigning new UIDs
  - Do not reuse UIDs
- Assigning usernames
  - Keep office and phone number to easily contact users
- /home organization
  - Flat
    - All users (/home/...)
  - Hierarchical, creating different levels of directories
    - Departments... office levels, rooms... (/home/ac/user)
    - ... in different disks
Personal work
- Different ways to install applications
- Ways of distributing software, and formats
  - tar, gz, bz2, rpm, deb, zip...