File Security in Linux

FILE OWNERSHIP

user owner and group owner

The users and groups of a system can be locally managed in /etc/passwd and /etc/group, or they can be in a NIS, LDAP, or Samba domain. These users and groups can own files. Actually, every file has a user owner and a group owner, as can be seen in the following screenshot.

rizwan@RHELv4u4:~/test$ ls -l

total 24

-rw-rw-r– 1 rizwan rizwan 17 Feb 7 11:53 file1

-rw-rw-r– 1 rizwan rizwan 106 Feb 5 17:04 file2

-rw-rw-r– 1 rizwan proj 984 Feb 5 15:38 data.odt

-rw-r–r– 1 root root 0 Feb 7 16:07 stuff.txt

rizwan@RHELv4u4:~/test$

User rizwan owns three files, two of those are also owned by the group rizwan; data.odt is owned by the group proj. The root user owns the file stuff.txt, as does the group root.

 

chgrp

You can change the group owner of a file using the chgrp command.

root@laika:/home/rizwan# touch FileForRizwan

root@laika:/home/rizwan# ls -l FileForRizwan

-rw-r–r– 1 root root 0 2008-08-06 14:11 FileForRizwan

root@laika:/home/rizwan# chgrp rizwan FileForRizwan

root@laika:/home/rizwan# ls -l FileForRizwan

-rw-r–r– 1 root rizwan 0 2008-08-06 14:11 FileForRizwan

 

chown

The user owner of a file can be changed with chown command.

root@laika:/home/rizwan# ls -l FileForRizwan

-rw-r–r– 1 root rizwan 0 2008-08-06 14:11 FileForRizwan

root@laika:/home/rizwan# chown rizwan FileForRizwan

root@laika:/home/rizwan# ls -l FileForRizwan

-rw-r–r– 1 rizwan rizwan 0 2008-08-06 14:11 FileForRizwan

You can also use chown to change both the user owner and the group owner.

root@laika:/home/rizwan# ls -l FileForRizwan

-rw-r–r– 1 rizwan rizwan 0 2008-08-06 14:11 FileForRizwan

root@laika:/home/rizwan# chown root:project42 FileForRizwan

root@laika:/home/rizwan# ls -l FileForRizwan

-rw-r–r– 1 root project42 0 2008-08-06 14:11 FileForRizwan

 

List Of Special Files

When you use ls -l, for each file you can see ten characters before the user and group owner. The first character tells us the type of file. Regular files get a -, directories get a d, symbolic links are shown with an l, pipes get a p, character devices a c, block devices a b, and sockets an s.

Unix special files

First character            file type

-                                   normal file

d                                  directory

l                                   symbolic link

p                                  named pipe

b                                  block device

c                                  character device

s                                   socket

Below a screenshot of a character device (the console) and a block device (the hard disk).

rizwan@debian6lt~$ ls -ld /dev/console /dev/sda

crw——- 1 root root 5, 1 Mar 15 12:45 /dev/console

brw-rw—- 1 root disk 8, 0 Mar 15 12:45 /dev/sda

And here you can see a directory, a regular file and a symbolic link.

rizwan@debian6lt~$ ls -ld /etc /etc/hosts /etc/motd

drwxr-xr-x 128 root root 12288 Mar 15 18:34 /etc

-rw-r–r– 1 root root 372 Dec 10 17:36 /etc/hosts

lrwxrwxrwx 1 root root 13 Dec 5 10:36 /etc/motd -> /var/run/motd

 

Permissions

rwx

The nine characters following the file type denote the permissions in three triplets. A permission can be r for read access, w for write access, and x for execute. You need the r permission to list (ls) the contents of a directory. You need the x permission to enter (cd) a directory. You need the w permission to create files in or remove files from a directory.

 

standard Unix file permissions

permission                  on a file                                   on a directory

r (read)                         read file contents (cat)   read directory contents (ls)

w (write)                      change file contents (vi)             create files in (touch)

x (execute)                   execute the file              enter the directory (cd)

 

three sets of rwx

We already know that the output of ls -l starts with ten characters for each file. This screenshot shows a regular file (because the first character is a – ).

rizwan@RHELv4u4:~/test$ ls -l proc42.bash

-rwxr-xr– 1 rizwan proj 984 Feb 6 12:01 proc42.bash

Below is a table describing the function of all ten characters.


Unix file permissions position

position                       characters                   function

1                                  –                                   this is a regular file

2-4                               rwx                              permissions for the user owner

5-7                               r-x                                permissions for the group owner

8-10                             r–                                permissions for others

When you are the user owner of a file, then the user owner permissions apply to you. The rest of the permissions have no influence on your access to the file.

When you belong to the group that is the group owner of a file, then the group owner permissions apply to you. The rest of the permissions have no influence on your access to the file.

When you are not the user owner of a file and you do not belong to the group owner, then the others permissions apply to you. The rest of the permissions have no influence on your access to the file.

 

permission examples

Some example combinations on files and directories are seen in this screenshot. The name of the file explains the permissions.

rizwan@laika:~/perms$ ls -lh

total 12K

drwxr-xr-x 2 rizwan rizwan 4.0K 2007-02-07 22:26 AllEnter_UserCreateDelete

-rwxrwxrwx 1 rizwan rizwan 0 2007-02-07 22:21 EveryoneFullControl.txt

-r–r—– 1 rizwan rizwan 0 2007-02-07 22:21 OnlyOwnersRead.txt

-rwxrwx— 1 rizwan rizwan 0 2007-02-07 22:21 OwnersAll_RestNothing.txt

dr-xr-x— 2 rizwan rizwan 4.0K 2007-02-07 22:25 UserAndGroupEnter

dr-x—— 2 rizwan rizwan 4.0K 2007-02-07 22:25 OnlyUserEnter

rizwan@laika:~/perms$

To summarise, the first rwx triplet represents the permissions for the user owner.

The second triplet corresponds to the group owner; it specifies permissions for all members of that group. The third triplet defines permissions for all other users that are not the user owner and are not a member of the group owner.

 

setting permissions (chmod)

Permissions can be changed with chmod. The first example gives the user owner execute permissions.

rizwan@laika:~/perms$ ls -l permissions.txt

-rw-r–r– 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

rizwan@laika:~/perms$ chmod u+x permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rwxr–r– 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

This example removes the group owners read permission.

rizwan@laika:~/perms$ chmod g-r permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rwx—r– 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

This example removes the others read permission.

rizwan@laika:~/perms$ chmod o-r permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rwx—— 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

This example gives all of them the write permission.

rizwan@laika:~/perms$ chmod a+w permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rwx-w–w- 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

You don’t even have to type the a.

rizwan@laika:~/perms$ chmod +x permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rwx-wx-wx 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

You can also set explicit permissions.

rizwan@laika:~/perms$ chmod u=rw permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rw–wx-wx 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

Feel free to make any kind of combination.

rizwan@laika:~/perms$ chmod u=rw,g=rw,o=r permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rw-rw-r– 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

Even fishy combinations are accepted by chmod.

rizwan@laika:~/perms$ chmod u=rwx,ug+rw,o=r permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rwxrw-r– 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

 

setting octal permissions

Most Unix administrators will use the old school octal system to talk about and set permissions. Look at the triplet bitwise, equating r to 4, w to 2, and x to 1.

Octal permissions

binary octal    permission

000                  0          —

001                  1          –x

010                  2          -w-

011                  3          -wx

100                  4          r–

101                  5          r-x

110                  6          rw-

111                  7          rwx

This makes 777 equal to rwxrwxrwx and by the same logic, 654 mean rw-r-xr– . The chmod command will accept these numbers.

rizwan@laika:~/perms$ chmod 777 permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rwxrwxrwx 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

rizwan@laika:~/perms$ chmod 664 permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rw-rw-r– 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt

rizwan@laika:~/perms$ chmod 750 permissions.txt

rizwan@laika:~/perms$ ls -l permissions.txt

-rwxr-x— 1 rizwan rizwan 0 2007-02-07 22:34 permissions.txt


umask

When creating a file or directory, a set of default permissions are applied. These default permissions are determined by the umask. The umask specifies permissions that you do not want set on by default. You can display the umask with the umask command.

[Harry@RHEL4b ~]$ umask

0002

[Harry@RHEL4b ~]$ touch test

[Harry@RHEL4b ~]$ ls -l test

-rw-rw-r– 1 Harry Harry 0 Jul 24 06:03 test

[Harry@RHEL4b ~]$

As you can also see, the file is also not executable by default. This is a general security feature among Unixes; newly created files are never executable by default. You have to explicitly do a chmod +x to make a file executable. This also means that the 1 bit in the umask has no meaning–a umask of 0022 is the same as 0033.

 

mkdir -m

When creating directories with mkdir you can use the -m option to set the mode. This screenshot explains.

rizwan@debian5~$ mkdir -m 700 MyDir

rizwan@debian5~$ mkdir -m 777 Public

rizwan@debian5~$ ls -dl MyDir/ Public/

drwx—— 2 rizwan rizwan 4096 2011-10-16 19:16 MyDir/

drwxrwxrwx 2 rizwan rizwan 4096 2011-10-16 19:16 Public/

 

ADVANCED FILE PERMISSIONS

Sticky Bit On Directory

You can set the sticky bit on a directory to prevent users from removing files that they do not own as a user owner. The sticky bit is displayed at the same location as the x permission for others. The sticky bit is represented by a t (meaning x is also there) or a T (when there is no x for others).

root@RHELv4u4:~# mkdir /project55

root@RHELv4u4:~# ls -ld /project55

drwxr-xr-x 2 root root 4096 Feb 7 17:38 /project55

root@RHELv4u4:~# chmod +t /project55/

root@RHELv4u4:~# ls -ld /project55

drwxr-xr-t 2 root root 4096 Feb 7 17:38 /project55

root@RHELv4u4:~#

The sticky bit can also be set with octal permissions, it is binary 1 in the first of four triplets.

root@RHELv4u4:~# chmod 1775 /project55/

root@RHELv4u4:~# ls -ld /project55

drwxrwxr-t 2 root root 4096 Feb 7 17:38 /project55

root@RHELv4u4:~#

You will typically find the sticky bit on the /tmp directory.

root@barry:~# ls -ld /tmp

drwxrwxrwt 6 root root 4096 2009-06-04 19:02 /tmp

 

Setgid Bit On Directory

setgid can be used on directories to make sure that all files inside the directory are owned by the group owner of the directory. The setgid bit is displayed at the same location as the x permission for group owner. The setgid bit is represented by an s (meaning x is also there) or a S (when there is no x for the group owner). As this example shows, even though root does not belong to the group proj55, the files created by root in /project55 will belong to proj55 since the setgid is set.

root@RHELv4u4:~# groupadd proj55

root@RHELv4u4:~# chown root:proj55 /project55/

root@RHELv4u4:~# chmod 2775 /project55/

root@RHELv4u4:~# touch /project55/fromroot.txt

root@RHELv4u4:~# ls -ld /project55/

drwxrwsr-x 2 root proj55 4096 Feb 7 17:45 /project55/

root@RHELv4u4:~# ls -l /project55/

total 4

-rw-r–r– 1 root proj55 0 Feb 7 17:45 fromroot.txt

root@RHELv4u4:~#

You can use the find command to find all setgid directories.

rizwan@laika:~$ find / -type d -perm -2000 2> /dev/null

/var/log/mysql

/var/log/news

/var/local

 

Setgid And Setuid On Regular Files

These two permissions cause an executable file to be executed with the permissions of the file owner instead of the executing owner. This means that if any user executes a program that belongs to the root user, and the setuid bit is set on that program, then the program runs as root. This can be dangerous, but sometimes this is good for security.

Take the example of passwords; they are stored in /etc/shadow which is only readable by root. (The root user never needs permissions anyway.)

root@RHELv4u4:~# ls -l /etc/shadow

-r——– 1 root root 1260 Jan 21 07:49 /etc/shadow

Changing your password requires an update of this file, so how can normal non-root users do this? Let’s take a look at the permissions on the /usr/bin/passwd.

root@RHELv4u4:~# ls -l /usr/bin/passwd

-r-s–x–x 1 root root 21200 Jun 17 2005 /usr/bin/passwd

When running the passwd program, you are executing it with root credentials. You can use the find command to find all setuid programs.

rizwan@laika:~$ find /usr/bin -type f -perm -04000

/usr/bin/arping

/usr/bin/kgrantpty

/usr/bin/newgrp

/usr/bin/chfn

/usr/bin/sudo

/usr/bin/fping6

/usr/bin/passwd

/usr/bin/gpasswd

In most cases, setting the setuid bit on executables is sufficient. Setting the setgid bit will result in these programs to run with the credentials of their group owner.

 

ACCESS CONTROL LISTS

Acl In /etc/fstab

File systems that support access control lists, or acls, have to be mounted with the acl option listed in /etc/fstab. In the example below, you can see that the root file system has acl support, whereas /home/data does not.

root@laika:~# tail -4 /etc/fstab

/dev/sda1 / ext3 acl,relatime 0 1

/dev/sdb2 /home/data auto noacl,defaults 0 0

pasha:/home/r /home/pasha nfs defaults 0 0

wolf:/srv/data /home/wolf nfs defaults 0 0

 

getfacl

Readingacls can be done with /usr/bin/getfacl. This screenshot shows how to read the acl of file33 with getfacl.

rizwan@laika:~/test$ getfacl file33

# file: file33

# owner: rizwan

# group: rizwan

user::rw

group::r–

mask::rwx

other::r–

 

setfacl

Writing or changing acls can be done with /usr/bin/setfacl. These screenshots show how to change the acl of file33 with setfacl.

First we add user sandra with octal permission 7 to the acl.

rizwan@laika:~/test$ setfacl -m u:sandra:7 file33

Then we add the group tennis with octal permission 6 to the acl of the same file.

rizwan@laika:~/test$ setfacl -m g:tennis:6 file33

The result is visible with getfacl.

rizwan@laika:~/test$ getfacl file33

# file: file33

# owner: rizwan

# group: rizwan

user::rwuser:

sandra:rwx

group::r–

group:tennis:rwmask::

rwx

other::r—

 

Remove an acl entry

The -x option of the setfacl command will remove an acl entry from the targeted file.

rizwan@laika:~/test$ setfacl -m u:sandra:7 file33

rizwan@laika:~/test$ getfacl file33 | grep sandra

user:sandra:rwx

rizwan@laika:~/test$ setfacl -x sandra file33

rizwan@laika:~/test$ getfacl file33 | grep sandra

Note that omitting the u or g when defining the acl for an account will default it to a user account.

 

Remove the complete acl

The -b option of the setfacl command will remove the acl from the targeted file.

rizwan@laika:~/test$ setfacl -b file33

rizwan@laika:~/test$ getfacl file33

# file: file33

# owner: rizwan

# group: rizwan

user::rw

group::r–

other::r–

 

The acl mask

The acl mask defines the maximum effective permissions for any entry in the acl. This mask is calculated every time you execute the setfacl or chmod commands. You can prevent the calculation by using the –no-mask switch.

rizwan@laika:~/test$ setfacl –no-mask -m u:sandra:7 file33

rizwan@laika:~/test$ getfacl file33

# file: file33

# owner: rizwan

# group: rizwan

user::rwuser:

sandra:rwx

#effective:rw

group::r–

mask::rw-

other::r—

 

FILE LINKS

inodes

inode contents

An inode is a data structure that contains metadata about a file. When the file system stores a new file on the hard disk, it stores not only the contents (data) of the file, but also extra properties like the name of the file, the creation date, its permissions, the owner of the file, and more. All this information (except the name of the file and the contents of the file) is stored in the inode of the file.

The ls -l command will display some of the inode contents, as seen in this screenshot.

root@rhel53 ~# ls -ld /home/project42/

drwxr-xr-x 4 root pro42 4.0K Mar 27 14:29 /home/project42/

 

inode table

The inode table contains all of the inodes and is created when you create the file system (with mkfs). You can use the df -i command to see how many inodes are used and free on mounted file systems.

root@rhel53 ~# df -i

Filesystem Inodes IUsed IFree IUse% Mounted on

/dev/mapper/VolGroup00-LogVol00

4947968 115326 4832642 3% /

/dev/hda1 26104 45 26059 1% /boot

tmpfs 64417 1 64416 1% /dev/shm

/dev/sda1 262144 2207 259937 1% /home/project42

/dev/sdb1 74400 5519 68881 8% /home/project33

/dev/sdb5 0 0 0 – /home/sales

/dev/sdb6 100744 11 100733 1% /home/research

In the df -i screenshot above you can see the inode usage for several mounted file systems. You don’t see numbers for /dev/sdb5 because it is a fat file system.

 

inode number

Each inode has a unique number (the inode number). You can see the inode numbers with the ls -li command.

rizwan@RHELv4u4:~/test$ touch file1

rizwan@RHELv4u4:~/test$ touch file2

rizwan@RHELv4u4:~/test$ touch file3

rizwan@RHELv4u4:~/test$ ls -li

total 12

817266 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file1

817267 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file2

817268 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file3

rizwan@RHELv4u4:~/test$

These three files were created one after the other and got three different inodes (the first column). All the information you see with this ls command  resides in the inode, except for the filename (which is contained in the directory).

 

inode and file contents

Let’s put some data in one of the files.

rizwan@RHELv4u4:~/test$ ls -li

total 16

817266 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file1

817270 -rw-rw-r– 1 rizwan rizwan 92 Feb 5 15:42 file2

817268 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file3

rizwan@RHELv4u4:~/test$ cat file2

It is winter now and it is very cold.

We do not like the cold, we prefer hot summer nights.

rizwan@RHELv4u4:~/test$

The data that is displayed by the cat command is not in the inode, but somewhere else on the disk. The inode contains a pointer to that data.

 

About Directories

a directory is a table

A directory is a special kind of file that contains a table which maps filenames to inodes. Listing our current directory with ls -ali will display the contents of the directory file.

rizwan@RHELv4u4:~/test$ ls -ali

total 32

817262 drwxrwxr-x 2 rizwan rizwan 4096 Feb 5 15:42 .

800768 drwx—— 16 rizwan rizwan 4096 Feb 5 15:42 ..

817266 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file1

817270 -rw-rw-r– 1 rizwan rizwan 92 Feb 5 15:42 file2

817268 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file3

rizwan@RHELv4u4:~/test$


. and ..

You can see five names, and the mapping to their five inodes. The dot . is a mapping to itself, and the dotdot .. is a mapping to the parent directory. The three other names are mappings to different inodes.

 

Hard Links

creating hard links

When we create a hard link to a file with ln, an extra entry is added in the directory.

A new file name is mapped to an existing inode.

rizwan@RHELv4u4:~/test$ ln file2 hardlink_to_file2

rizwan@RHELv4u4:~/test$ ls -li

total 24

817266 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file1

817270 -rw-rw-r– 2 rizwan rizwan 92 Feb 5 15:42 file2

817268 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file3

817270 -rw-rw-r– 2 rizwan rizwan 92 Feb 5 15:42 hardlink_to_file2

rizwan@RHELv4u4:~/test$

Both files have the same inode, so they will always have the same permissions and the same owner. Both files will have the same content. Actually, both files are equal now, meaning you can safely remove the original file, the hardlinked file will remain.

The inode contains a counter, counting the number of hard links to itself. When the counter drops to zero, then the inode is emptied.

 

finding hard links

You can use the find command to look for files with a certain inode. The screenshot below shows how to search for all filenames that point to inode 817270. Remember that an inode number is unique to its partition.

rizwan@RHELv4u4:~/test$ find / -inum 817270 2> /dev/null

/home/rizwan/test/file2

/home/rizwan/test/hardlink_to_file2

 

Symbolic Links

Symbolic links (sometimes called soft links) do not link to inodes, but create a name to name mapping. Symbolic links are created with ln -s. As you can see below, the symbolic link gets an inode of its own.

rizwan@RHELv4u4:~/test$ ln -s file2 symlink_to_file2

rizwan@RHELv4u4:~/test$ ls -li

total 32

817273 -rw-rw-r– 1 rizwan rizwan 13 Feb 5 17:06 file1

817270 -rw-rw-r– 2 rizwan rizwan 106 Feb 5 17:04 file2

817268 -rw-rw-r– 1 rizwan rizwan 0 Feb 5 15:38 file3

817270 -rw-rw-r– 2 rizwan rizwan 106 Feb 5 17:04 hardlink_to_file2

817267 lrwxrwxrwx 1 rizwan rizwan 5 Feb 5 16:55 symlink_to_file2 -> file2

rizwan@RHELv4u4:~/test$

Permissions on a symbolic link have no meaning, since the permissions of the target apply. Hard links are limited to their own partition (because they point to an inode), symbolic links can link anywhere (other file systems, even networked).

 

Removing Links

Links can be removed with rm.

rizwan@laika:~$ touch data.txt

rizwan@laika:~$ ln -s data.txt sl_data.txt

rizwan@laika:~$ ln data.txt hl_data.txt

rizwan@laika:~$ rm sl_data.txt

rizwan@laika:~$ rm hl_data.txt

Local Users Management in Unix/Linux:

Identify Yourself

 whoami

The whoami command tells you your username.

[root@RHEL5 ~]# whoami

root

[root@RHEL5 ~]# su – rizwan

[rizwan@RHEL5 ~]$ whoami

rizwan

 

who

The who command will give you information about who is logged on the system.

[rizwan@RHEL5 ~]$ who

root tty1 2008-06-24 13:24

sandra pts/0 2008-06-24 14:05 (192.168.1.34)

rizwan pts/1 2008-06-24 16:23 (192.168.1.37)

 

who am i

With who am i the who command will display only the line pointing to your current session.

[rizwan@RHEL5 ~]$ who am i

rizwan pts/1 2008-06-24 16:23 (192.168.1.34)

 

w

The command shows you who is logged on and what they are doing.

$ w

05:13:36 up 3 min, 4 users, load average: 0.48, 0.72, 0.33

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

root tty1 – 05:11 2.00s 0.32s 0.27s find / -name shad

inge pts/0 192.168.1.33 05:12 0.00s 0.02s 0.02s -ksh

rizwan pts/2 192.168.1.34 05:13 25.00s 0.07s 0.04s top

 

id

The id command will give you your user id, primary group id, and a list of the groups that you belong to.

root@laika:~# id

uid=0(root) gid=0(root) groups=0(root)

root@laika:~# su – brel

brel@laika:~$ id

uid=1001(brel) gid=1001(brel) groups=1001(brel),1008(chanson),11578(wolf)


Users

 user management

User management on any Unix can be done in three complimentary ways. You can use the graphical tools provided by your distribution. These tools have a look and feel that depends on the distribution. If you are a novice Linux user on your home system, then use the graphical tool that is provided by your distribution. This will make sure that you do not run into problems.

Another option is to use command line tools like useradd, usermod, gpasswd, passwd and others. Server administrators are likely to use these tools, since they are familiar and very similar across many different distributions. This chapter will focus on these command line tools.

A third and rather extremist way is to edit the local configuration files directly using vi (or vipw/vigr). Do not attempt this as a novice on production systems!

 

/etc/passwd

The local user database on Linux (and on most Unixes) is /etc/passwd.

[root@RHEL5 ~]# tail /etc/passwd

inge:x:518:524:art dealer:/home/inge:/bin/ksh

ann:x:519:525:flute player:/home/ann:/bin/bash

frederik:x:520:526:rubius poet:/home/frederik:/bin/bash

steven:x:521:527:roman emperor:/home/steven:/bin/bash

pascale:x:522:528:artist:/home/pascale:/bin/ksh

geert:x:524:530:kernel developer:/home/geert:/bin/bash

wim:x:525:531:master damuti:/home/wim:/bin/bash

sandra:x:526:532:radish stresser:/home/sandra:/bin/bash

annelies:x:527:533:sword fighter:/home/annelies:/bin/bash

laura:x:528:534:art dealer:/home/laura:/bin/ksh

As you can see, this file contains seven columns separated by a colon. The columns contain the username, an x, the user id, the primary group id, a description, the name of the home directory, and the login shell.

 

root

The root user also called the superuser is the most powerful account on your Linux system. This user can do almost anything, including the creation of other users. The root user always has userid 0 (regardless of the name of the account).

[root@RHEL5 ~]# head -1 /etc/passwd

root:x:0:0:root:/root:/bin/bash

 

useradd

You can add users with the useradd command. The example below shows how to add a user named yanina (last parameter) and at the same time forcing the creation of the home directory (-m), setting the name of the home directory (-d), and setting a description (-c).

[root@RHEL5 ~]# useradd -m -d /home/yanina -c “yanina wickmayer” yanina

[root@RHEL5 ~]# tail -1 /etc/passwd

yanina:x:529:529:yanina wickmayer:/home/yanina:/bin/bash

The user named yanina received userid 529 and primary group id 529.


/etc/default/useradd

Both Red Hat Enterprise Linux and Debian/Ubuntu have a file called /etc/default/useradd that contains some default user options. Besides using cat to display this file, you can also use useradd -D.

[root@RHEL4 ~]# useradd -D

GROUP=100

HOME=/home

INACTIVE=-1

EXPIRE=

SHELL=/bin/bash

SKEL=/etc/skel

 

userdel

You can delete the user yanina with userdel. The -r option of userdel will also remove the home directory.

[root@RHEL5 ~]# userdel -r yanina

 

usermod

You can modify the properties of a user with the usermod command. This example uses usermod to change the description of the user harry.

[root@RHEL4 ~]# tail -1 /etc/passwd

harry:x:516:520:harry potter:/home/harry:/bin/bash

[root@RHEL4 ~]# usermod -c ‘wizard’ harry

[root@RHEL4 ~]# tail -1 /etc/passwd

harry:x:516:520:wizard:/home/harry:/bin/bash

 

Passwords

passwd

Passwords of users can be set with the passwd command. Users will have to provide their old password before twice entering the new one.

[harry@RHEL4 ~]$ passwd

Changing password for user harry.

Changing password for harry

(current) UNIX password:

New UNIX password:

BAD PASSWORD: it’s WAY too short

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[harry@RHEL4 ~]$

As you can see, the passwd tool will do some basic verification to prevent users from using too simple passwords. The root user does not have to follow these rules (there will be a warning though). The root user also does not have to provide the old password before entering the new password twice.


/etc/shadow

User passwords are encrypted and kept in /etc/shadow. The /etc/shadow file is read only and can only be read by root. We will see in the file permissions section how it is possible for users to change their password. For now, you will have to know that users can change their password with the /usr/bin/passwd command.

[root@RHEL5 ~]# tail /etc/shadow

inge:$1$yWMSimOV$YsYvcVKqByFVYLKnU3ncd0:14054:0:99999:7:::

ann:!!:14054:0:99999:7:::

frederik:!!:14054:0:99999:7:::

steven:!!:14054:0:99999:7:::

pascale:!!:14054:0:99999:7:::

geert:!!:14054:0:99999:7:::

wim:!!:14054:0:99999:7:::

sandra:!!:14054:0:99999:7:::

annelies:!!:14054:0:99999:7:::

laura:$1$Tvby1Kpa$lL.WzgobujUS3LClIRmdv1:14054:0:99999:7:::

The /etc/shadow file contains nine colon separated columns. The nine fields contain (from left to right) the user name, the encrypted password (note that only inge and laura have an encrypted password), the day the password was last changed (day 1 is January 1, 1970), number of days the password must be left unchanged, password expiry day, warning number of days before password expiry, number of days after expiry before disabling the account, and the day the account was disabled (again, since 1970). The last field has no meaning yet.

 

Password encryption

 encryption with passwd

Passwords are stored in an encrypted format. This encryption is done by the crypt function. The easiest (and recommended) way to add a user with a password to the system is to add the user with the useradd -m user command, and then set the user’s password with passwd.

[root@RHEL4 ~]# useradd -m xavier

[root@RHEL4 ~]# passwd xavier

Changing password for user xavier.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

[root@RHEL4 ~]#

 

encryption with openssl

Another way to create users with a password is to use the -p option of useradd, but that option requires an encrypted password. You can generate this encrypted password with the openssl passwd command.

[root@RHEL4 ~]# openssl passwd stargate

ZZNX16QZVgUQg

[root@RHEL4 ~]# useradd -m -p ZZNX16QZVgUQg mohamed


encryption with crypt

A third option is to create your own C program using the crypt function, and compile this into a command.

[rizwan@laika ~]$ cat MyCrypt.c

#include <stdio.h>

#define __USE_XOPEN

#include <unistd.h>

int main(int argc, char** argv)

{

if(argc==3)

{

printf(“%sn”, crypt(argv[1],argv[2]));

}

else

{

printf(“Usage: MyCrypt $password $saltn” );

}

return 0;

}

This little program can be compiled with gcc like this.

[rizwan@laika ~]$ gcc MyCrypt.c -o MyCrypt -lcrypt

To use it, we need to give two parameters to MyCript. The first is the unencrypted

password, the second is the salt. The salt is used to perturb the encryption algorithm in one of 4096 different ways. This variation prevents two users with the same password from having the same entry in /etc/shadow.

rizwan@laika:~$ ./MyCrypt stargate 12

12L4FoTS3/k9U

rizwan@laika:~$ ./MyCrypt stargate 01

01Y.yPnlQ6R.Y

rizwan@laika:~$ ./MyCrypt stargate 33

330asFUbzgVeg

rizwan@laika:~$ ./MyCrypt stargate 42

42XFxoT4R75gk

Did you notice that the first two characters of the password are the salt?

The standard output of the crypt function is using the DES algorithm which is old and can be cracked in minutes. A better method is to use md5 passwords which can be recognized by a salt starting with $1$.

rizwan@laika:~$ ./MyCrypt stargate ‘$1$12′

$1$12$xUIQ4116Us.Q5Osc2Khbm1

rizwan@laika:~$ ./MyCrypt stargate ‘$1$01′

$1$01$yNs8brjp4b4TEw.v9/IlJ/

rizwan@laika:~$ ./MyCrypt stargate ‘$1$33′

$1$33$tLh/Ldy2wskdKAJR.Ph4M0

rizwan@laika:~$ ./MyCrypt stargate ‘$1$42′

$1$42$Hb3nvP0KwHSQ7fQmIlY7R.

The md5 salt can be up to eight characters long. The salt is displayed in /etc/shadow between the second and third $, so never use the password as the salt!

rizwan@laika:~$ ./MyCrypt stargate ‘$1$stargate’

$1$stargate$qqxoLqiSVNvGr5ybMxEVM1

 

password defaults

 /etc/login.defs

The /etc/login.defs file contains some default settings for user passwords like password aging and length settings. (You will also find the numerical limits of user ids and group ids and whether or not a home directory should be created by default).

[root@RHEL4 ~]# grep -i pass /etc/login.defs

# Password aging controls:

# PASS_MAX_DAYS Maximum number of days a password may be used.

# PASS_MIN_DAYS Minimum number of days allowed between password changes.

# PASS_MIN_LEN Minimum acceptable password length.

# PASS_WARN_AGE Number of days warning given before a password expires.

PASS_MAX_DAYS 99999

PASS_MIN_DAYS 0

PASS_MIN_LEN 5

PASS_WARN_AGE 7

 

chage

The chage command can be used to set an expiration date for a user account (-E), set a minimum (-m) and maximum (-M) password age, a password expiration date, and set the number of warning days before the password expiration date. Much of this functionality is also available from the passwd command. The -l option of chage will list these settings for a user.

[root@RHEL4 ~]# chage -l harry

Minimum: 0

Maximum: 99999

Warning: 7

Inactive: -1

Last Change: Jul 23, 2007

Password Expires: Never

Password Inactive: Never

Account Expires: Never

[root@RHEL4 ~]#

 

disabling a password

Passwords in /etc/shadow cannot begin with an exclamation mark. When the second field in /etc/passwd starts with an exclamation mark, then the password can not be used.

Using this feature is often called lockingdisabling, or suspending a user account.

Besides vi (or vipw) you can also accomplish this with usermod.

The first line in the next screenshot will disable the password of user harry, making it impossible for harry to authenticate using this password.

[root@RHEL4 ~]# usermod -L harry

[root@RHEL4 ~]# tail -1 /etc/shadow

harry:!$1$143TO9IZ$RLm/FpQkpDrV4/Tkhku5e1:13717:0:99999:7:::

The root user (and users with sudo rights on su) still will be able to su to harry (because the password is not needed here). Also note that harry will still be able to login if he has set up passwordless ssh!

[root@RHEL4 ~]# su – harry

[harry@RHEL4 ~]$

You can unlock the account again with usermod -U.

Watch out for tiny differences in the command line options of passwdusermod, and useradd on different distributions! Verify the local files when using features like “disabling, suspending, or locking” users and passwords!

 

editing local files

If you still want to manually edit the /etc/passwd or /etc/shadow, after knowing these commands for password management, then use vipw instead of vi(m) directly. The vipw tool will do proper locking of the file.

[root@RHEL5 ~]# vipw /etc/passwd

vipw: the password file is busy (/etc/ptmp present)

 

Home Directories

creating home directories

The easiest way to create a home directory is to supply the -m option with useradd (it is likely set as a default option on Linux).

A less easy way is to create a home directory manually with mkdir which also requires setting the owner and the permissions on the directory with chmod and chown (both commands are discussed in detail in another chapter).

[root@RHEL5 ~]# mkdir /home/laura

[root@RHEL5 ~]# chown laura:laura /home/laura

[root@RHEL5 ~]# chmod 700 /home/laura

[root@RHEL5 ~]# ls -ld /home/laura/

drwx—— 2 laura laura 4096 Jun 24 15:17 /home/laura/

 

/etc/skel/

When using useradd the -m option, the /etc/skel/ directory is copied to the newly created home directory. The /etc/skel/ directory contains some (usually hidden) files that contain profile settings and default values for applications. In this way /etc/skel/ serves as a default home directory and as a default user profile.

[root@RHEL5 ~]# ls -la /etc/skel/

total 48

drwxr-xr-x 2 root root 4096 Apr 1 00:11 .

drwxr-xr-x 97 root root 12288 Jun 24 15:36 ..

-rw-r–r– 1 root root 24 Jul 12 2006 .bash_logout

-rw-r–r– 1 root root 176 Jul 12 2006 .bash_profile

-rw-r–r– 1 root root 124 Jul 12 2006 .bashrc


deleting home directories

The -r option of userdel will make sure that the home directory is deleted together with the user account.

[root@RHEL5 ~]# ls -ld /home/wim/

drwx—— 2 wim wim 4096 Jun 24 15:19 /home/wim/

[root@RHEL5 ~]# userdel -r wim

[root@RHEL5 ~]# ls -ld /home/wim/

ls: /home/wim/: No such file or directory

 

User Shell

 login shell

The /etc/passwd file specifies the login shell for the user. In the screenshot below you can see that user annelies will log in with the /bin/bash shell, and user laura with the /bin/ksh shell.

[root@RHEL5 ~]# tail -2 /etc/passwd

annelies:x:527:533:sword fighter:/home/annelies:/bin/bash

laura:x:528:534:art dealer:/home/laura:/bin/ksh

You can use the usermod command to change the shell for a user.

[root@RHEL5 ~]# usermod -s /bin/bash laura

[root@RHEL5 ~]# tail -1 /etc/passwd

laura:x:528:534:art dealer:/home/laura:/bin/bash

 

chsh

Users can change their login shell with the chsh command. First, user harry obtains a list of available shells (he could also have done a cat /etc/shells) and then changes his login shell to the Korn shell (/bin/ksh). At the next login, harry will default into ksh instead of bash.

[harry@RHEL4 ~]$ chsh -l

/bin/sh

/bin/bash

/sbin/nologin

/bin/ash

/bin/bsh

/bin/ksh

/usr/bin/ksh

/usr/bin/pdksh

/bin/tcsh

/bin/csh

/bin/zsh

[harry@RHEL4 ~]$ chsh -s /bin/ksh

Changing shell for harry.

Password:

Shell changed.

[harry@RHEL4 ~]$


Switch Users With su

 

su to another user

The su command allows a user to run a shell as another user.

[rizwan@RHEL4b ~]$ su harry

Password:

[harry@RHEL4b rizwan]$

 

su to root

Yes you can alsu su to become root, when you know the root password.

[harry@RHEL4b rizwan]$ su root

Password:

[root@RHEL4b rizwan]#

 

su as root

Unless you are logged in as root, running a shell as another user requires that you know the password of that user. The root user can become any user without knowing the user’s password.

[root@RHEL4b rizwan]# su serena

[serena@RHEL4b rizwan]$

 

su – $username

By default, the su command maintains the same shell environment. To become another user and also get the target user’s environment, issue the su – command followed by the target username.

[rizwan@RHEL4b ~]$ su – harry

Password:

[harry@RHEL4b ~]$

 

su -

When no username is provided to su or su -, the command will assume root is the target.

[harry@RHEL4b ~]$ su -

Password:

[root@RHEL4b ~]#

 

Run A Program As Another User

 about sudo

The sudo program allows a user to start a program with the credentials of another user. Before this works, the system administrator has to set up the /etc/sudoers file.

This can be useful to delegate administrative tasks to another user (without giving the root password).

The screenshot below shows the usage of sudo. User rizwan received the right to run useradd with the credentials of root. This allows rizwan to create new users on the system without becoming root and without knowing the root password.

rizwan@laika:~$ useradd -m inge

useradd: unable to lock password file

rizwan@laika:~$ sudo useradd -m inge

[sudo] password for rizwan:

rizwan@laika:~$

 

setuid on sudo

The sudo binary has the setuid bit set, so any user can run it with the effective userid of root.

rizwan@laika:~$ ls -l `which sudo`

-rwsr-xr-x 2 root root 107872 2008-05-15 02:41 /usr/bin/sudo

rizwan@laika:~$

 

visudo

Check the man page of visudo before playing with the /etc/sudoers file.

 

sudo su

On some linux systems like Ubuntu and Kubuntu, the root user does not have a password set. This means that it is not possible to login as root (extra security). To perform tasks as root, the first user is given all sudo rights via the /etc/sudoers. In fact all users that are members of the admin group can use sudo to run all commands as root.

root@laika:~# grep admin /etc/sudoers

# Members of the admin group may gain root privileges

%admin ALL=(ALL) ALL

The end result of this is that the user can type sudo su – and become root without having to enter the root password. The sudo command does require you to enter your own password. Thus the password prompt in the screenshot below is for sudo, not for su.

rizwan@laika:~$ sudo su -

Password:

root@laika:~#

 

Shell Environment

It is nice to have these preset and custom aliases and variables, but where do they all come from ? The shell uses a number of startup files that are checked (and executed) whenever the shell is invoked. What follows is an overview of startup scripts.

 

/etc/profile

Both the bash and the ksh shell will verify the existence of /etc/profile and execute it if it exists.

When reading this script, you might notice (at least on Debian Lenny and on Red Hat Enterprise Linux 5) that it builds the PATH environment variable. The script might also change the PS1 variable, set the HOSTNAME and execute even more scripts like /etc/inputrc

You can use this script to set aliases and variables for every user on the system.

 

~/.bash_profile

When this file exists in the users home directory, then bash will execute it. On Debian Linux it does not exist by default.

RHEL5 uses a brief ~/.bash_profile where it checks for the existence of ~/.bashrc and then executes it. It also adds $HOME/bin to the $PATH variable.

[serena@rhel53 ~]$ cat .bash_profile

# .bash_profile

# Get the aliases and functions

if [ -f ~/.bashrc ]; then

. ~/.bashrc

fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH

 

~/.bash_login

When .bash_profile does not exist, then bash will check for ~/.bash_login and execute it.

Neither Debian nor Red Hat have this file by default.

 

~/.profile

When neither ~/.bash_profile and ~/.bash_login exist, then bash will verify the existence of ~/.profile and execute it. This file does not exist by default on Red Hat.

On Debian this script can execute ~/.bashrc and will add $HOME/bin to the $PATH variable.

serena@deb503:~$ tail -12 .profile

# if running bash

if [ -n "$BASH_VERSION" ]; then

# include .bashrc if it exists

if [ -f "$HOME/.bashrc" ]; then

. “$HOME/.bashrc”

fi

fi

# set PATH so it includes user’s private bin if it exists

if [ -d "$HOME/bin" ] ; then

PATH=”$HOME/bin:$PATH”

fi

 

~/.bashrc

As seen in the previous points, the ~/.bashrc script might be executed by other scripts.

Let us take a look at what it does by default.

Red Hat uses a very simple ~/.bashrc, checking for /etc/bashrc and executing it. It also leaves room for custom aliases and functions.

[serena@rhel53 ~]$ more .bashrc

# .bashrc

# Source global definitions

if [ -f /etc/bashrc ]; then

. /etc/bashrc

fi

# User specific aliases and functions

On Debian this script is quite a bit longer and configures $PS1, some history variables and a number af active and inactive aliases.

serena@deb503:~$ ls -l .bashrc

-rw-r–r– 1 serena serena 3116 2008-05-12 21:02 .bashrc

 

~/.bash_logout

When exiting bash, it can execute ~/.bash_logout. Debian and Red Hat both use this opportunity to clear the screen.

serena@deb503:~$ cat .bash_logout

# ~/.bash_logout: executed by bash(1) when login shell exits.

# when leaving the console clear the screen to increase privacy

if [ "$SHLVL" = 1 ]; then

[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q

fi

[serena@rhel53 ~]$ cat .bash_logout

# ~/.bash_logout

/usr/bin/clear

 

Debian overview

Below is a table overview of when Debian is running any of these bash startup scripts.

 

Debian User Environment

script                           su        su –      ssh       gdm

~./bashrc                      no        yes       yes       yes

~/.profile                      no        yes       yes       yes

/etc/profile                    no        yes       yes       yes

/etc/bash.bashrc            yes       no        no        yes

 

RHEL5 overview

Below is a table overview of when Red Hat Enterprise Linux 5 is running any of these bash startup scripts.

 

Red Hat User Environment

script                           su        su –      ssh       gdm

~./bashrc                      yes       yes       yes       yes

~/.bash_profile             no        yes       yes       yes

/etc/profile                    no        yes       yes       yes

/etc/bashrc                    yes       yes       yes       yes

 

Groups:

about groups

Users can be listed in groups. Groups allow you to set permissions on the group level instead of having to set permissions for every individual user. Every Unix or Linux distribution will have a graphical tool to manage groups. Novice users are advised to use this graphical tool. More experienced users can use command line tools to manage users, but be careful: Some distributions do not allow the mixed use of GUI and CLI tools to manage groups (YaST in Novell Suse). Senior administrators can edit the relevant files directly with vi or vigr.

 

groupadd

Groups can be created with the groupadd command. The example below shows the creation of five (empty) groups.

root@laika:~# groupadd tennis

root@laika:~# groupadd football

root@laika:~# groupadd snooker

root@laika:~# groupadd formula1

root@laika:~# groupadd salsa

 

/etc/group

Users can be a member of several groups. Group membership is defined by the /etc/group file.

root@laika:~# tail -5 /etc/group

tennis:x:1006:

football:x:1007:

snooker:x:1008:

formula1:x:1009:

salsa:x:1010:

root@laika:~#

The first field is the group’s name. The second field is the group’s (encrypted) password (can be empty). The third field is the group identification or GID. The fourth field is the list of members, these groups have no members.

 

usermod

Group membership can be modified with the useradd or usermod command.

root@laika:~# usermod -a -G tennis inge

root@laika:~# usermod -a -G tennis katrien

root@laika:~# usermod -a -G salsa katrien

root@laika:~# usermod -a -G snooker sandra

root@laika:~# usermod -a -G formula1 annelies

root@laika:~# tail -5 /etc/group

tennis:x:1006:inge,katrien

football:x:1007:

snooker:x:1008:sandra

formula1:x:1009:annelies

salsa:x:1010:katrien

root@laika:~#

Be careful when using usermod to add users to groups. By default, the usermod command will remove the user from every group of which he is a member if the group is not listed in the command! Using the -a (append) switch prevents this behaviour.

 

groupmod

You can change the group name with the groupmod command.

root@laika:~# groupmod -n darts snooker

root@laika:~# tail -5 /etc/group

tennis:x:1006:inge,katrien

football:x:1007:

formula1:x:1009:annelies

salsa:x:1010:katrien

darts:x:1008:sandra

 

groupdel

You can permanently remove a group with the groupdel command.

root@laika:~# groupdel tennis

root@laika:~#

 

groups

A user can type the groups command to see a list of groups where the user belongs to.

[harry@RHEL4b ~]$ groups

harry sports

[harry@RHEL4b ~]$

 

gpasswd

You can delegate control of group membership to another user with the gpasswd command. In the example below we delegate permissions to add and remove group members to serena for the sports group. Then we su to serena and add harry to the sports group.

[root@RHEL4b ~]# gpasswd -A serena sports

[root@RHEL4b ~]# su – serena

[serena@RHEL4b ~]$ id harry

uid=516(harry) gid=520(harry) groups=520(harry)

[serena@RHEL4b ~]$ gpasswd -a harry sports

Adding user harry to group sports

[serena@RHEL4b ~]$ id harry

uid=516(harry) gid=520(harry) groups=520(harry),522(sports)

[serena@RHEL4b ~]$ tail -1 /etc/group

sports:x:522:serena,venus,harry

[serena@RHEL4b ~]$

Group administrators do not have to be a member of the group. They can remove themselves from a group, but this does not influence their ability to add or remove members.

[serena@RHEL4b ~]$ gpasswd -d serena sports

Removing user serena from group sports

[serena@RHEL4b ~]$ exit

Information about group administrators is kept in the /etc/gshadow file.

[root@RHEL4b ~]# tail -1 /etc/gshadow

sports:!:serena:venus,harry

[root@RHEL4b ~]#

To remove all group administrators from a group, use the gpasswd command to set an empty administrators list.

[root@RHEL4b ~]# gpasswd -A “” sports

 

vigr

Similar to vipw, the vigr command can be used to manually edit the /etc/group file, since it will do proper locking of the file. Only experienced senior administrators should use vi or vigr to manage groups.