Friends, we have already learned about kernel services and system services. In this lecture we are going to learn about user administration. We will be learning about configuring user and group accounts, modifying file ownership and permissions, using the special permissions (SUID, SGID and the sticky bit), configuring network users with NIS and LDAP, and setting ACLs.
We already learned about users, groups and related information at a basic level in the essentials course; here we are going to learn about them in detail. The first thing with a user account is adding a new user. We do that with the useradd command, which has various options: you write useradd, then any options you need (for example -u for the UID, -g for the primary group, -s for the shell and so on), and then the username you want to create.
Running useradd is equivalent to editing /etc/passwd, /etc/shadow and /etc/group by hand: it adds the entries, creates and populates the home directory, and sets its permissions and ownership. You then set the account password with the passwd command, which we learned about earlier.
Accounts can also be added in a batch with the newusers command. Then there are user private groups. When a user account is created, a private group with the same name is also created and the user is assigned to it, so new files the user creates are affiliated with that private group. The advantage of a private group is that new files do not belong to a shared public group by default: a file created by a user is private by default, not public.
The disadvantage is that it may encourage making files world-accessible, so that by default everyone could access them. We can make files public, but in general we should not do that. Then comes modifying or deleting a user account. After we have created a user we sometimes, at some point of time, need to delete that user.
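As an added example (this script is not part of the lecture), here is a small audit of the private-group convention described above: it reads passwd- and group-format data and flags every regular account whose primary GID is not a group named after the user, because files that user creates will land in a shared group by default. The sample data is constructed for the demo; the cut-off between system and regular accounts is assumed to be UID 1000 (older Red Hat releases used 500, so it is overridable with UID_MIN).

```bash
# Added example: audit passwd/group data for the user-private-group convention.
# A user whose primary GID does not map to a group with the same name drops
# new files into a shared group, which the private-group scheme is meant to avoid.
# SAMPLE_PASSWD and SAMPLE_GROUP are constructed for this demo, not a real system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash'

SAMPLE_GROUP='root:x:0:
users:x:100:
alice:x:1001:
carol:x:1003:bob
dev:x:2000:alice,carol'

# upg_audit PASSWD_FILE GROUP_FILE
# Prints "user:gid:groupname" for every regular account (UID >= UID_MIN,
# assumed 1000) whose primary group is not a private group named after the
# user. "MISSING" means the GID has no group entry at all.
upg_audit() {
    awk -F: -v uidmin="${UID_MIN:-1000}" '
        NR == FNR { gname[$3] = $1; next }   # first file (group): GID -> group name
        $3 < uidmin { next }                 # second file (passwd): skip system accounts
        {
            g = ($4 in gname) ? gname[$4] : "MISSING"
            if (g != $1) print $1 ":" $4 ":" g
        }' "$2" "$1"
}

# Stand-alone run on the constructed sample data.
pw=$(mktemp) && gr=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
printf '%s\n' "$SAMPLE_GROUP" > "$gr"
upg_audit "$pw" "$gr"          # prints: bob:100:users
rm -f "$pw" "$gr"
# On a real host you would run it as: upg_audit /etc/passwd /etc/group
# and repair bob (as root) with:  groupadd -g 1002 bob && usermod -g bob bob
```

Only bob is reported: his primary group is the shared group users (GID 100), so everything he creates is readable by every member of that group unless he remembers to chmod it.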
For example, when an employee leaves the organization we need to delete that person's user account, or we want to delete a suspicious account, or we need to change a user's /etc/passwd entry for some other reason. You can edit the file by hand, or you can use usermod with options and a username to modify the user's entry. To remove a user you use the userdel command: simply write userdel, any option such as -r, and the username. It removes the user's entries from /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, and with -r it also removes the home directory and the mail spool.
Then there is group administration. Groups are configured in /etc/group and /etc/gshadow; gshadow is the file that stores group passwords, as we learned in the essentials section. The groupadd, groupmod and groupdel commands are used for groups the same way the user commands are used for users: to add a group run groupadd, to modify a group use groupmod, and to delete a group use groupdel. Then there are password aging policies. Generally, when you create a password for a user account, that password lasts by default for an infinite amount of time, as long as the system exists.
But sometimes we need passwords to expire after a certain period of time. Suppose we hire a person for a six-month job and give him some non-root access on our server: we create the account and the password, and we want that account to expire at the end of the period. Or we may want users to change their password in rotation, say every month or every week. This has to be enforced explicitly to address the security concern, because by default passwords do not expire.
Keep in mind that forcing passwords to expire is part of a strong security policy. The default expiration settings are changed in /etc/login.defs. To modify password aging for an existing user, use the chage command (that is ch-age, "change age", not "change"): chage with the options and then the username. It only changes the aging settings, not the password itself. Then comes switching accounts: you can switch between different users, root or non-root, using the su (switch user) command.
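As an added example (not from the lecture), here is an aging report over /etc/shadow-format data that tells you which accounts already violate the policy the lecture describes: a password that never expires, or one that is past its maximum age. The sample shadow lines are constructed (the hashes are placeholders); on a real host you would run it as root against /etc/shadow with today's day number.

```bash
# Added example: report password-aging status from /etc/shadow-format data.
# Field 3 is the day of the last change and field 5 the maximum age in days
# (empty or 99999 means "never expires"); days are counted since 1970-01-01.
# SAMPLE_SHADOW is constructed for the demo; the hashes are placeholders.

SAMPLE_SHADOW='root:$6$salt$hash:19000::::::
alice:$6$salt$hash:19000:0:90:7:::
bob:$6$salt$hash:19500:0:90:7:::
carol:!!:19000:0:90:7:::
dave:*:19000::::::'

# today_days: the current date as days since the epoch, the unit shadow uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

# shadow_aging_report SHADOW_FILE TODAY
# One line "user:STATUS" per account that has a usable password hash:
#   NEVER   - no maximum age is set, so the password never expires
#   EXPIRED - last change + maximum age is already in the past
#   OK      - still inside its aging window
# Locked accounts (hash starting with ! or *) are skipped.
shadow_aging_report() {
    awk -F: -v today="$2" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        {
            last = $3; max = $5
            if (max == "" || max + 0 >= 99999) status = "NEVER"
            else if (last + max < today)      status = "EXPIRED"
            else                              status = "OK"
            print $1 ":" status
        }' "$1"
}

# Stand-alone run with a fixed "today" (day 19520) so the result is reproducible.
f=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$f"
shadow_aging_report "$f" 19520      # root:NEVER  alice:EXPIRED  bob:OK
rm -f "$f"
# On a real host:  shadow_aging_report /etc/shadow "$(today_days)"
# Fix-ups as root:
#   chage -M 90 -W 7 root     # 90-day maximum with 7 days of warning for root
#   chage -l alice            # show alice's aging settings
#   PASS_MAX_DAYS 90 in /etc/login.defs applies to accounts created afterwards
```

Note that root shows up as NEVER: an empty maximum-age field is exactly the default the lecture warns about, and it stays that way until someone runs chage or changes login.defs before the account is created.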
We have already learned about it earlier: it allows a user to temporarily become another user. The default target user is root. When you exit the new shell you are back to the original user. It is generally used in virtual consoles or terminals. The - option makes the new shell a login shell. Then there is the sudo command, which is used to get administrative privileges to execute certain commands.
Suppose certain commands, for example package installation with yum, are configured to be executed only by root. If we are logged in as another user and want to install some tool or utility by running yum install, we use sudo to get those privileges: sudo yum install. Only the users listed in /etc/sudoers can do this, and each of them only for the commands they are allowed, not every command. The command runs with an effective user ID of 0 and the group ID of root's group. The administrator will be contacted by mail if a user not listed in /etc/sudoers attempts to use sudo, so the main administrator, the root user, is informed about any attempt by an unlisted user.
That is a security concern as well. Next come network users. We may have network users whose information is centrally stored and managed on a remote server. Two types of information must always be provided for each user account: account information (the UID number, default shell, home directory, group membership and so on) and authentication, a way to tell that the password provided at login for an account is correct. For network users, authentication is configured with system-config-authentication in the GNOME GUI.
It is the tool used to configure authentication; the text-based version is authconfig-tui, and the graphical version is provided by the authconfig-gtk RPM. The supported account information services are local files, NIS, LDAP, Winbind and so on, and the supported authentication mechanisms are NIS, Kerberos, LDAP, smart card, SMB, Winbind and so on. You do not need to memorize these, but when you go to configure authentication you should go through them. Then there is an example of NIS configuration. You must install the ypbind and portmap RPMs. NIS is a popular service used to centrally manage system and account information. It uses one or more NIS servers, each running ypserv, to serve information to NIS client systems running ypbind. The master server may also run rpc.yppasswdd, which allows users on NIS clients to update their passwords. Both the NIS server and the NIS client must run a local service called portmap, which helps remote systems contact the local program.
Clients and servers that communicate with each other are normally members of an NIS domain, identified by an arbitrary name. You enable NIS to provide user information by going to system-config-authentication, the graphical utility; behind the scenes it changes the text-based configuration files. Then there is LDAP configuration. You must install the nss_ldap and openldap RPMs and run system-config-authentication; to provide user information you need to enable LDAP and specify the server, the search base DN and whether to use TLS. You can likewise enable LDAP to provide authentication. Then there are SUID and SGID, the set-user-ID and set-group-ID bits.
Normally a process started by a user runs under the user and group security context of that user. The SUID or SGID bit set on an executable file causes it to run under the user or group security context of the file's owner or group instead. SGID directories are used to create collaborative directories. Normally files created in a directory belong to the creating user and that user's default group. When a file is created in a directory with the SGID bit set, it gets the same group as the directory. So SUID and SGID let you configure user- and group-related security behaviour: the SUID bit for the user and the SGID bit for the group. The sticky bit is another widely used facility.
It may seem counterintuitive that write permission on a directory would allow one user to delete another user's file within that directory. Consider that a directory is really just a file itself, whose contents are references to other files. Deleting a file is therefore an edit to the directory's list of files. Every user needs to be able to create and delete files in /tmp, the temporary directory. Even if users do not actively create files in /tmp, many applications they run will use it as a location for temporary files.
Setting the sticky bit: the role of the sticky bit is to prevent users from deleting each other's files even though they all have full write access to the directory. With the sticky bit set on a directory, only the owner of a file (or root) can delete it; other users can still access and read it. You can check it with ls -ld /tmp, which shows permissions like drwxrwxrwt with owner root and group root; the t at the end is the sticky bit, set with chmod +t or chmod 1777. Then come default file permissions: read and write but not execute is the default for a new file, and you can set the default permissions that are used when a file is created.
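As an added example (not from the lecture), the script below builds a constructed directory tree with SUID, SGID and sticky bits set and then locates them with the same find tests you would run against / on a real host, and it checks the SGID-directory behaviour described above (a new file inherits the directory's group). GNU find and stat are assumed, for -printf and stat -c.

```bash
# Added example: create SUID/SGID/sticky entries in a throwaway tree, find them,
# and verify SGID group inheritance. The tree is constructed for the demo.

# make_lab: build the tree under a temp dir and print its path.
make_lab() {
    local lab; lab=$(mktemp -d)
    : > "$lab/bin_suid";  chmod 4755 "$lab/bin_suid"   # setuid executable
    : > "$lab/bin_sgid";  chmod 2755 "$lab/bin_sgid"   # setgid executable
    mkdir "$lab/shared";  chmod 2775 "$lab/shared"     # setgid collaborative directory
    mkdir "$lab/scratch"; chmod 1777 "$lab/scratch"    # sticky world-writable directory
    : > "$lab/plain";     chmod 0644 "$lab/plain"      # nothing special, must not match
    printf '%s\n' "$lab"
}

# find_special ROOT: every entry below ROOT carrying any special bit, as "path mode".
# The equivalent audit on a real host (as root) is:
#   find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -ls   # setuid/setgid programs
#   find / -xdev -perm -1000 -type d -ls                          # sticky directories
find_special() {
    find "$1" -mindepth 1 \( -perm -4000 -o -perm -2000 -o -perm -1000 \) \
        -printf '%P %m\n' | sort
}

# sgid_inherits ROOT: succeeds if a file created in ROOT/shared receives the
# directory's group, which is what the SGID bit on a directory guarantees.
sgid_inherits() {
    : > "$1/shared/newfile"
    [ "$(stat -c %g "$1/shared/newfile")" = "$(stat -c %g "$1/shared")" ]
}

# Stand-alone run.
lab=$(make_lab)
find_special "$lab"       # bin_sgid 2755 / bin_suid 4755 / scratch 1777 / shared 2775
sgid_inherits "$lab" && echo "SGID directory: new file inherited the group"
rm -rf "$lab"
```

The plain 0644 file never appears in the listing, which is the point of the -perm -4000/-2000/-1000 tests: each matches only when that one bit is set, so the audit does not drown in ordinary files.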
Suppose you do not specify permissions when creating a file: whenever you create a new file and do not explicitly define permissions for it, the default permissions are associated with it. Read, write and execute is the default for directories. The umask is used to withhold permissions at file creation. If a user's umask is 022, files get permission 644, a combination of read and write as we learned in the essentials: 6 is read plus write, 4 is read only, and 5 is read plus execute. So the file gets 6 (read and write) for the user, 4 (read only) for the group, and 4 for all other users.
Similarly, directories get 755, and the umask may need to be changed to 002 for group collaboration. You can also grant access control lists, or ACLs, on files and directories to multiple users or groups, using these commands: mount -o acl directory, getfacl and setfacl. The filesystem includes support for access control lists, which allow finer-grained control of file permissions than is possible with the standard three access categories (user, group, other). Many filesystem commands such as cp and mv have been modified to copy the ACLs associated with a file. To enable ACLs on a filesystem it must be mounted with the acl mount option. Filesystems created during installation include the acl flag in their default mount options, and you can remount with various options.
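As an added example (not from the lecture), this script shows what the three umask values discussed above actually produce for a new file (base 666) and a new directory (base 777), then tries the ACL commands on a file and reports cleanly if the acl tools or filesystem support are missing. GNU stat is assumed, and the user name "nobody" used in the ACL entry is an assumption.

```bash
# Added example: observe the effect of a umask on newly created files and
# directories, then attempt an ACL on a file. Nothing here needs root.

# umask_effect UMASK: create one file and one directory under UMASK in a
# temp dir and print "file=MODE dir=MODE".
umask_effect() {
    local tmp mode_f mode_d
    tmp=$(mktemp -d)
    ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" )   # subshell keeps the umask local
    mode_f=$(stat -c %a "$tmp/f")
    mode_d=$(stat -c %a "$tmp/d")
    rm -rf "$tmp"
    printf 'file=%s dir=%s\n' "$mode_f" "$mode_d"
}

# acl_demo: give user "nobody" (assumed to exist) read access to a temp file
# via an ACL and show the resulting entries. Never fails, so it is safe to run
# where ACLs are unsupported (the fix there is remounting with -o acl).
acl_demo() {
    local f; f=$(mktemp)
    if ! command -v setfacl >/dev/null 2>&1; then
        echo "acl tools not installed"
    elif setfacl -m u:nobody:r "$f" 2>/dev/null; then
        getfacl --omit-header "$f" 2>/dev/null     # shows user:nobody:r-- plus a mask line
    else
        echo "ACLs not supported on this filesystem (mount with -o acl)"
    fi
    rm -f "$f"
}

umask_effect 022    # file=644 dir=755  (the usual default)
umask_effect 002    # file=664 dir=775  (group collaboration with private groups)
umask_effect 077    # file=600 dir=700  (nothing for group or others)
acl_demo
```

The 002 line is why user private groups matter: with 002 every new file is group-writable, which is harmless when the group is the user's own private group and dangerous when the primary group is a shared one.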
The first command, mount -o acl directory, mounts the filesystem with ACL support; getfacl gets the access control list of a file, and setfacl sets it. Then comes another very important topic: SELinux, Security-Enhanced Linux. Here is the history behind its implementation. In an effort to deal with the ever-increasing threat to data and systems, the US government assigned the National Security Agency, the NSA, the task of developing a single set of rules that all other agencies would follow in handling confidential information. By evaluating previous breaches, the NSA determined that the major hurdle to securing data was internal users bypassing local security. In some cases users would inadvertently open access to a system.
A classic example would be a user executing chmod 777 on a file. That is a very bad idea: you should give a user only the permissions that are actually required, and never read, write and execute for everyone. To the user this may seem an easy way to let co-workers share files and review work.
But it is a major security breach. They may not realize that this gives everyone on the system, and potentially everyone in the world through remote shells and other remote access, access to potentially confidential information. In more extreme cases users would intentionally disable security for more insidious reasons. Both situations are examples of users having the discretion to control access to their system. The NSA's solution was to have the system implement a mandatory access control (MAC) policy over the users. In MAC, a set of rules known as the policy identifies what a process is allowed to do; anything that is not explicitly permitted is denied by default.
Ideally different policies could be implemented depending on how strict the security needs are. SELinux uses the concept of type enforcement (TE), in contrast to the discretionary access control (DAC) of ordinary permissions, where the owner decides; the rule set called the policy determines how strict the control is. SELinux implements a policy so that a user handing out all permissions to everyone with chmod 777 no longer defeats security. The policy identifies which resources restricted processes are allowed to access; any action that is not explicitly allowed is denied by default. All files and processes have a security context. The context has several elements, depending on the security needs: user, role, type and so on.
You view the context with the -Z option, usually paired with other options: ls -Z for files and ps -Z for processes; to view the entire process list use ps -eZ. Processes of type unconfined_t are not restricted by SELinux. SELinux can be used with the targeted policy, which is loaded at install time; under it most local processes are unconfined and only specific services are confined. Principally it uses the type element of the context, for type enforcement. The security context of a file can be changed with chcon, for example chcon -t tmp_t /etc/hosts, but the safer way is the restorecon command, which resets the context to what the policy specifies: restorecon /etc/hosts. SELinux has three modes, enforcing, permissive and disabled; changing the enforcement at runtime is allowed in the targeted policy, with the getenforce and setenforce commands.
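As an added example (not from the lecture), here are two small checks for the targeted policy described above: one reports the current mode on any Linux box by reading the selinuxfs node that getenforce uses (the modern mount point /sys/fs/selinux is assumed; older releases mounted it at /selinux), and one takes ps -eZ output on standard input and lists the processes running in the unconfined_t type. The ps output below is constructed for the demo.

```bash
# Added example: current SELinux mode, and which processes are unconfined.

# selinux_mode: prints enforcing, permissive or disabled. /sys/fs/selinux/enforce
# is the node getenforce reads; when it is absent SELinux is not loaded at all.
selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce 2>/dev/null)" in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
    else
        echo disabled
    fi
}

# unconfined_procs < PS_EZ_OUTPUT: command name of each process whose context
# has type unconfined_t (the third field of user:role:type[:level]). Under the
# targeted policy these are the processes SELinux is not restricting.
unconfined_procs() {
    awk 'NR > 1 { split($1, ctx, ":"); if (ctx[3] == "unconfined_t") print $NF }'
}

# Constructed ps -eZ output for the demo (not captured from a real host).
SAMPLE_PS='LABEL                                  PID TTY          TIME CMD
system_u:system_r:init_t:s0              1 ?        00:00:01 init
system_u:system_r:syslogd_t:s0         812 ?        00:00:00 syslogd
system_u:system_r:httpd_t:s0          1201 ?        00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 1402 pts/0 00:00:00 bash
system_u:system_r:unconfined_t:s0     1555 ?        00:00:00 backupd'

echo "mode: $(selinux_mode)"
printf '%s\n' "$SAMPLE_PS" | unconfined_procs    # bash, backupd
# On a real host:  ps -eZ | unconfined_procs
# Related commands (as root):
#   getenforce; setenforce 0          # permissive until reboot, allowed by the targeted policy
#   chcon -t tmp_t /etc/hosts         # manual relabel, easy to get wrong
#   restorecon -v /etc/hosts          # put the policy's default context back
#   ls -Z /etc/hosts; ps -eZ | grep httpd
```

In the sample, httpd and syslogd are confined to their own types, the interactive shell is unconfined as expected, but a system daemon (backupd) running as unconfined_t is the kind of thing worth a second look: it gets none of the protection the policy gives the other services.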
You can disable SELinux from GRUB by adding the kernel argument selinux=0, or boot with enforcement switched off with enforcing=0. In certain cases you might need this, for example when you want to confirm whether SELinux is the cause of a problem. You configure SELinux permanently in /etc/sysconfig/selinux; system-config-securitylevel is the graphical utility to change the mode, and disabling requires a reboot. Similarly there is system-config-selinux for the booleans, and setroubleshoot advises on how to avoid errors rather than simply turning security off. That was user administration: we learned about various security facilities, the user ID property and a lot of other things. We will learn more in the coming videos. Till then, keep learning and keep growing.