user accounts and authorization - santa monica...
© David Morgan 2010-2015

User accounts and authorization
Authentication vs authorization
• Authentication: proving the identity of someone
• Authorization: allowing a user to access certain resources

Government authorization
• documents have “classifications”
• employees have “clearances”
  – confidential
  – secret
  – top secret
access decision = f ( document’s classification, clearance )
z = f ( x , y )

Computer auth not so different
• linux
  – files have permissions for particular user accounts
  – processes (the true file “users”) carry a user account identity
• Windows
  – resource security policies
  – processes carry user and group affiliation
access decision = f ( file’s permissions, user )

Linux users
• system keeps a list of user accounts
• system usage demands a user identification
  – supplied at login… no login, no usage
• a user id is implicit in all session activities
  – all session activities are performed by processes
  – every process has some user id as an attribute
  – helps determine access to resources by that process
• users can be grouped

The files of record
• /etc/passwd – holds list of recognized users
• /etc/shadow – holds their passwords
• /etc/group – holds list of recognized groups, names of member users for each

Editing the files of record safely
• plain editors invite error introduction and multiuser conflicts
• /etc/passwd – use usermod or vipw
• /etc/shadow – use passwd, chage, usermod
• /etc/group – use groupmod and usermod, or vigr

/etc/passwd entries hold user information
craig:x:507:507:Craig Smith:/home/craig:/bin/bash
Fields, colon-separated, left to right:
  official name (craig)
  password placeholder (x)
  UID (507)
  GID (507)
  real name (Craig Smith)
  home directory (/home/craig)
  login shell (/bin/bash)

/etc/shadow entries hold ancillary user information
craig:$1$2YL52jhL$:11992:60:75:3:14:12417:134550548
Fields, colon-separated, left to right:
  user name (craig)
  hashed password ($1$2YL52jhL$)
  various values all relating to password aging (11992:60:75:3:14:12417)
  reserved (134550548)

/etc/group entries hold group information
children:x:522:hansel,pinochio,gretel,heidi
Fields, colon-separated, left to right:
  official name (children)
  password (x, not used)
  GID (522)
  member list (hansel,pinochio,gretel,heidi)
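The three record formats above are simple enough to parse by hand, and doing so shows one point the slides make later: a user's primary group lives in /etc/passwd (the GID field) while supplementary memberships live in /etc/group. The following is an added example, not code from the slides; the records it parses are constructed here (modelled on the slides' craig and children entries, with the other names invented), and the function and field names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample records, modelled on the slides' craig and children
# entries; the remaining names are invented for the example.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
craig:x:507:507:Craig Smith:/home/craig:/bin/bash
hansel:x:510:522:Hansel:/home/hansel:/bin/bash
gretel:x:511:511:Gretel:/home/gretel:/bin/false
"""

GROUP_SAMPLE = """\
root:x:0:
craig:x:507:
children:x:522:hansel,pinochio,gretel,heidi
gretel:x:511:
teachers:x:543:craig
"""


@dataclass
class PasswdEntry:
    name: str      # official name
    uid: int
    gid: int       # primary group
    gecos: str     # real name
    home: str      # home directory
    shell: str     # login shell


@dataclass
class GroupEntry:
    name: str
    gid: int
    members: List[str] = field(default_factory=list)  # supplementary members


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd-format text: name:x:UID:GID:real name:home:shell."""
    entries: Dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _placeholder, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def parse_group(text: str) -> Dict[str, GroupEntry]:
    """Parse group-format text: name:x:GID:member,member,..."""
    entries: Dict[str, GroupEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _unused_pw, gid, members = fields
        member_list = [m.strip() for m in members.split(",") if m.strip()]
        entries[name] = GroupEntry(name, int(gid), member_list)
    return entries


def groups_of(user: str, passwd: Dict[str, PasswdEntry],
              groups: Dict[str, GroupEntry]) -> List[str]:
    """Group names a user belongs to: the primary group (the passwd GID) plus
    every group whose member list in /etc/group names the user."""
    primary_gid = passwd[user].gid
    names = {g.name for g in groups.values() if g.gid == primary_gid}
    names.update(g.name for g in groups.values() if user in g.members)
    return sorted(names)


def disabled_logins(passwd: Dict[str, PasswdEntry]) -> List[str]:
    """Accounts whose login shell is /bin/false, i.e. disabled without removal."""
    return sorted(e.name for e in passwd.values() if e.shell == "/bin/false")


if __name__ == "__main__":
    pw = parse_passwd(PASSWD_SAMPLE)
    gr = parse_group(GROUP_SAMPLE)
    for user in pw:
        print(f"{user}: groups {groups_of(user, pw, gr)}")
    print("disabled:", disabled_logins(pw))
```

Note that gretel appears in both places: her primary group is her own private group (GID 511 in passwd), and her membership in children comes only from the member list in /etc/group. A review that reads just /etc/group would miss primary memberships; one that reads just /etc/passwd would miss supplementary ones.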

Adding users – actions involved
• record added to /etc/passwd
• record added to /etc/shadow
• record added to /etc/group
• create user home directory /home/<username>
• copy default startup files to home directory
• set permissions on new files and directories
• set password
• customize user info with, e.g., usermod or chage

Ways to add users
• do everything by hand
• let account management utilities do most of it
  – useradd
  – passwd
• write/get a custom program to do it to your taste

Adding users in 2 steps
• use useradd
• then set password with passwd

Adding users in batch mode
Set up a source file listing users in the form username:password, e.g., file “userinfo”:
able:apple
baker:banana
charlie:cantelope

Assigning passwords in batch mode with chpasswd command
man chpasswd:
“chpasswd reads a file of user name and password pairs from
standard input and uses this information to update a group
of existing users. …
[but] The named user must exist.”
Solution: make the named users exist first, with a script
that “useradd”s them by looping through the list, then
feed the list to chpasswd

Adding users in batch mode
file userinfo:
able:apple
baker:banana
charlie:cantelope
script:
#!/bin/bash
# Pass 1: create each account named in userinfo (one username:password per line)
while IFS= read -r LINE
do
    user=$(echo "$LINE" | cut -f 1 -d :)
    useradd "$user"
done < userinfo
# Pass 2: now that the named users exist, feed the same list to chpasswd
chpasswd < userinfo

Security drawback of chpasswd
• uses a file of cleartext passwords
• keep it on/use it from removable media only
• when finished destroy it

Adding users in 2 steps
[root@EMACH1 /root]# useradd charlie
[root@EMACH1 /root]# passwd charlie
Changing password for user charlie
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
[root@EMACH1 /root]# su charlie
[charlie@EMACH1 /root]$ cd
[charlie@EMACH1 charlie]$ pwd
/home/charlie
[charlie@EMACH1 charlie]$ ls -a
. .Xdefaults .bash_profile .kde .screenrc
.. .bash_logout .bashrc .kderc Desktop
[charlie@EMACH1 charlie]$ cat /etc/passwd | grep charlie
charlie:x:531:539::/home/charlie:/bin/bash
Step 1 is the useradd; step 2 is the passwd. Now find out what happened:
  su charlie – become charlie
  cd – enter his home directory
  pwd – identify home directory
  ls -a – directory is populated
  grep charlie /etc/passwd – charlie’s in the list alright

Ways to remove users
• do everything by hand
• let account management utilities do most of it
  – userdel -r
• write/get a custom program to do it to your taste

Deleting users
[root@EMACH1 /root]# userdel -r charlie
[root@EMACH1 /root]# su charlie
su: user charlie does not exist
[root@EMACH1 /root]# ls -a /home/charlie
ls: /home/charlie: No such file or directory
[root@EMACH1 /root]# cat /etc/passwd | grep charlie
[root@EMACH1 /root]#
  su charlie – doesn’t live here anymore
  ls -a /home/charlie – home directory who??
  grep charlie /etc/passwd – gone. really!

Disabling login without removing user
• replace shell
• substitute a “do nothing” program instead of /bin/bash
• /bin/false does nothing, returns immediately
usermod -s /bin/false <username>

Disabling a user’s login ability
[root@EMACH1 /root]# su charlie
[charlie@EMACH1 /root]$ exit
exit
[root@EMACH1 /root]# usermod -s /bin/false charlie
[root@EMACH1 /root]# su charlie
[root@EMACH1 /root]# cat /etc/passwd | grep charlie
charlie:x:531:539::/home/charlie:/bin/false
[root@EMACH1 /root]# usermod -s /bin/bash charlie
[root@EMACH1 /root]# cat /etc/passwd | grep charlie
charlie:x:531:539::/home/charlie:/bin/bash
[root@EMACH1 /root]# su charlie
[charlie@EMACH1 /root]$
  first su: login as charlie works, gets a prompt
  after usermod -s /bin/false: login as charlie “works,” but reverts right back to root’s prompt; /bin/false returns, does nothing
  after usermod -s /bin/bash: bash shell is back, login as charlie gets a user prompt again

Groups
• Purpose
  – Let a set of users share files by extending common permissions to them
• Mechanism
  – Files have a group affiliation
  – Users have group memberships
  – Separate access to a file can be extended to members of its group

There are groups
Groups are defined in /etc/group. Excerpt from file /etc/group:
.
.
administrators:x:542:socrates,roy
teachers:x:543:plato
students:x:544:aristotle
.
.

Creating/destroying groups
• create a group
  groupadd employees
• remove a group
  groupdel employees
man page caveats: “You must manually check all file systems to insure that no files remain with the named group as the file group ID.... You may not remove the primary group of any existing user. You must remove the user before you remove the group.”

Composing a group
• assign groups to users
  – use usermod
  usermod -G employees,salesmen willie
• or, assign users to groups
  – use gpasswd
  gpasswd -a willie employees
  gpasswd -a willie salesmen
  (same result as the usermod line above)
  gpasswd -M willie,billy,milly fools

Files have (1) a user affiliation
Files’ user affiliations are shown by the ls -l command (the third column, root here):
[root@EMACH1 schools]# ls -l
total 12
-rw-r--r-- 1 root students 121 Dec 8 17:15 assignments
-rw-rw---- 1 root teachers 119 Dec 8 17:13 grades
-rw-r----- 1 root administ 95 Dec 8 17:10 salaries

Files have (2) a group affiliation
Files’ group affiliations are shown by the ls -l command (the fourth column: students, teachers, administ):
[root@EMACH1 schools]# ls -l
total 12
-rw-r--r-- 1 root students 121 Dec 8 17:15 assignments
-rw-rw---- 1 root teachers 119 Dec 8 17:13 grades
-rw-r----- 1 root administ 95 Dec 8 17:10 salaries

Files have (3) a permissions setting
Files’ permissions settings are shown by the ls -l command (the first column):
[root@EMACH1 schools]# ls -l
total 12
-rw-r--r-- 1 root students 121 Dec 8 17:15 assignments
-rw-rw---- 1 root teachers 119 Dec 8 17:13 grades
-rw-r----- 1 root administ 95 Dec 8 17:10 salaries

Users have group memberships
Users’ memberships appear in the file that defines the groups (/etc/group), not the one that defines the users (/etc/passwd). Excerpt from file /etc/group (each line: the group, then its members):
.
.
administrators:x:542:socrates,roy
teachers:x:543:plato
students:x:544:aristotle
.
.

One of 3 permissions triplets applies in any given case
-rwxr-x---
• File type (file, directory, device,…) – the leading “-”
• Accesses granted to file’s associated User – “rwx”
• Accesses granted to members of file’s Group – “r-x”
• Accesses granted to all Other users – “---”

Meaning for files (a letter, or else a hyphen)
• r – can read: can open file
  - – can’t read: can’t open file
• w – write: can modify file
  - – can’t write: can’t modify file
• x – execute: can execute file
  - – can’t execute: can’t execute file

Commands for controlling these
[root@EMACH1 schools]# ls -l
total 12
-rw-r--r-- 1 root students 121 Dec 8 17:15 assignments
-rw-rw---- 1 root teachers 119 Dec 8 17:13 grades
-rw-r----- 1 root administ 95 Dec 8 17:10 salaries
chmod – the permissions column; chown – the user column; chgrp – the group column

chmod – change file permissions
• To restrict/extend access to others
• To enable script execution

chmod – change file permissions
• “entire” granularity (all 9-at-a-time)
  – use octal specification
• “surgical” granularity (just 1, or a couple, at a time)
  – use who/how/what specification

changing all permissions – octal specification
Used in triples:
  - - -   0 0 0   0
  - - x   0 0 1   1
  - w -   0 1 0   2
  - w x   0 1 1   3
  r - -   1 0 0   4
  r - x   1 0 1   5
  r w -   1 1 0   6
  r w x   1 1 1   7
e.g., 750 = rwxr-x---

changing just some permissions – who/how/what specification
  who:  u g o a
  how:  + - =
  what: r w x s

who/how/what – who
• u – for that user associated with the file (“owner”)
• g – for those users in group associated with the file
• o – for anybody else (“world”)
• a – all three of them

who/how/what – how
• + add, other existing permissions unaffected
• - remove, other existing permissions unaffected
• = set, existing permissions replaced

who/how/what – what
• r – read
• w – write
• x – execute
• s – establish “set id” behavior
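Both chmod notations, the octal table and the who/how/what specification, describe the same nine bits (plus the set-id bits). The following added example, not code from the slides, implements both on an in-memory mode value so the two can be checked against each other without touching a filesystem: octal_to_symbolic and symbolic_to_octal convert between 750 and rwxr-x---, and apply_chmod_spec applies clauses such as g+w, o-rwx, a=r or u+s exactly as the who/how/what slides define them. The function names are this example's own; one assumption is flagged in the code: “=” is taken to clear the set-id bit of the named who along with its rwx bits, which is GNU chmod's behaviour for regular files and is not stated on the slides.

```python
import re
import stat

# Bit layout per the slides' octal table: within each triplet r=4, w=2, x=1;
# the user, group and other triplets are the 100s, 10s and 1s octal digits.
_SHIFT = {"u": 6, "g": 3, "o": 0}
_SETID = {"u": stat.S_ISUID, "g": stat.S_ISGID}   # 0o4000, 0o2000
_PERM_BITS = {"r": 4, "w": 2, "x": 1}


def octal_to_symbolic(mode: int) -> str:
    """0o750 -> 'rwxr-x---'. A set-id bit shows as 's' in the x slot
    (0o4755 -> 'rwsr-xr-x'), or 'S' if the x bit is absent, as ls -l does."""
    out = []
    for who in ("u", "g", "o"):
        triplet = (mode >> _SHIFT[who]) & 0o7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        setid = who in _SETID and bool(mode & _SETID[who])
        if triplet & 1:
            out.append("s" if setid else "x")
        else:
            out.append("S" if setid else "-")
    return "".join(out)


def symbolic_to_octal(perms: str) -> int:
    """'rwxr-x---' -> 0o750. A leading file-type character (ls -l style) is ignored."""
    if len(perms) == 10:
        perms = perms[1:]
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, ch in enumerate(perms):
        who = "ugo"[i // 3]
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= 1 << (8 - i)
        elif ch in "sS" and expected == "x" and who in _SETID:
            mode |= _SETID[who]
            if ch == "s":
                mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def apply_chmod_spec(mode: int, spec: str) -> int:
    """Apply a who/how/what spec ('g+w', 'o-rwx', 'a=r', 'u+s', 'u+x,g+r') to a mode.
    Assumption (GNU chmod on regular files): '=' replaces the named triplets
    entirely, including their set-id bits."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+\-=])([rwxs]*)", clause)
        if not m:
            raise ValueError(f"bad chmod clause {clause!r}")
        who, how, what = m.groups()
        # No 'who' at all, or 'a', means all three categories.
        targets = "ugo" if who in ("", "a") else "".join(dict.fromkeys(who))
        bits = 0
        for w in targets:
            for p in what:
                if p == "s":
                    bits |= _SETID.get(w, 0)          # 's' has no meaning for 'o'
                else:
                    bits |= _PERM_BITS[p] << _SHIFT[w]
        if how == "+":
            mode |= bits                              # add, others unaffected
        elif how == "-":
            mode &= ~bits                             # remove, others unaffected
        else:
            clear = 0                                 # set: existing replaced
            for w in targets:
                clear |= (0o7 << _SHIFT[w]) | _SETID.get(w, 0)
            mode = (mode & ~clear) | bits
    return mode


if __name__ == "__main__":
    m = symbolic_to_octal("-rw-r--r--")
    for clause in ("g+w", "o-r", "u+x", "a=r"):
        m = apply_chmod_spec(m, clause)
        print(f"{clause:5} -> {m:04o} {octal_to_symbolic(m)}")
```

The round trip octal_to_symbolic(symbolic_to_octal(s)) == s holds for every valid nine-character string, which is a handy way to sanity-check a mode someone has typed before running chmod for real.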

chmod – examples

Access decision mechanics
• the actor – which user?
• the file’s affiliated user – which is that?
  – if one and the same, 1st triplet applies, else
• the file’s affiliated group – which is it?
  – if actor in that group, 2nd triplet applies, else
• actor is unrelated to file, a “bystander”
  – 3rd triplet applies

Who can read what?
[root@EMACH1 schools]# ls -l
total 12
-rw-r--r-- 1 root students 121 Dec 8 17:15 assignments
-rw-rw---- 1 root teachers 119 Dec 8 17:13 grades
-rw-r----- 1 root administ 95 Dec 8 17:10 salaries
socrates (an administrator) can read:
  salaries (because he’s an administrator)
  assignments (because bystanders can)
plato (a teacher) can read:
  grades (because he’s a teacher)
  assignments (because bystanders can)
aristotle (a student) can read:
  assignments (because he’s a student)

Permission sets don’t overlap
(figure: the slide’s illustration of read attempts by david, tom and mary against files whose modes are written xxx400, xxx040 and xxx004; only its captions survive)
• because david is xxx400’s affiliated user
• because tom is xxx040’s affiliated group’s member
• because mary is xxx400’s 3rd-party bystander
• prohibited! because david is xxx004’s affiliated user (“owner”). He is not in xxx004’s “other” category, which would permit. Owner more restricted than others, on his own file.

Non-file resources similarly – “everything is a file in unix”
• directories
• devices (disk partition)
• kernel memory flag (suppress ping response)

How to extend permission to…
• a certain group, plus one other guy (who doesn’t belong in it)?
• two groups? three?
• miscellaneous ungrouped users?

Access control lists (ACLs)
• ACLs extend the rules
  – “to define more fine-grained discretionary access rights” (ACL man page)
  – apply arbitrary permissions for arbitrary users on arbitrary files in any combination
• ACLs reside in the filesystem (ext2)
  – each file can have its own
• for users in a file’s ACL
  – ACL’s triplet eclipses/replaces permission string’s
• for any others
  – permission string’s sub-triplet still governs, unaffected
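The access decision mechanics slide, the “who can read what?” and “permission sets don’t overlap” slides, and the ACL rule just stated can all be exercised by one small model. The following is an added example and not code from the slides: it picks exactly one governing triplet per actor in the slides' order (named ACL entry, else owner, else group member, else bystander), so the non-overlap property and the “owner more restricted than others” case fall out directly. The schools files and group memberships are constructed from the slides' ls -l and /etc/group excerpts; function names are this example's own. Two simplifications are flagged in the code: root's override of these rules is not modelled, and a real Linux ACL also applies an ACL mask to named entries, which the slides do not discuss, so named entries here take effect as-is. In practice such an entry is created with setfacl -m u:NAME:PERMS FILE, a command the slides' ACL session presumably shows but which did not survive extraction.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

PERM_BIT = {"r": 4, "w": 2, "x": 1}


@dataclass
class FileInfo:
    owner: str                 # the file's affiliated user
    group: str                 # the file's affiliated group
    mode: int                  # the nine permission bits, e.g. 0o640
    # Named-user ACL entries: user -> triplet value 0..7, as set by
    # "setfacl -m u:NAME:PERMS FILE". Empty when the file has no ACL.
    # Simplification: no ACL mask is applied to these entries.
    acl_users: Dict[str, int] = field(default_factory=dict)


# Constructed to match the 'schools' directory listing on the slides.
SCHOOLS: Dict[str, FileInfo] = {
    "assignments": FileInfo("root", "students", 0o644),        # -rw-r--r--
    "grades":      FileInfo("root", "teachers", 0o660),        # -rw-rw----
    "salaries":    FileInfo("root", "administrators", 0o640),  # -rw-r-----
}

# Constructed from the slides' /etc/group excerpt (member lists only).
MEMBERS: Dict[str, FrozenSet[str]] = {
    "administrators": frozenset({"socrates", "roy"}),
    "teachers": frozenset({"plato"}),
    "students": frozenset({"aristotle"}),
}


def applicable_triplet(f: FileInfo, actor: str,
                       members: Dict[str, FrozenSet[str]]) -> Tuple[str, int]:
    """Pick the ONE triplet that governs this actor, in the slides' order:
    a named ACL entry eclipses the permission string; else owner -> 1st
    triplet; else member of the file's group -> 2nd; else bystander -> 3rd.
    Exactly one applies, which is why the sets do not overlap.
    (root's override of these rules is deliberately not modelled.)"""
    if actor in f.acl_users:
        return "acl", f.acl_users[actor]
    if actor == f.owner:
        return "user", (f.mode >> 6) & 0o7
    if actor in members.get(f.group, frozenset()):
        return "group", (f.mode >> 3) & 0o7
    return "other", f.mode & 0o7


def can(actor: str, want: str, f: FileInfo,
        members: Dict[str, FrozenSet[str]]) -> bool:
    """Does the governing triplet grant 'want' (r, w or x) to actor?"""
    _which, triplet = applicable_triplet(f, actor, members)
    return bool(triplet & PERM_BIT[want])


def readable_by(actor: str, files: Dict[str, FileInfo],
                members: Dict[str, FrozenSet[str]]) -> List[str]:
    """Names of the files actor may read: the 'Who can read what?' slide."""
    return sorted(name for name, f in files.items() if can(actor, "r", f, members))


def with_acl(f: FileInfo, user: str, perms: str) -> FileInfo:
    """Copy of f with a named-user ACL entry added (perms like 'r', 'rw', '')."""
    triplet = sum(PERM_BIT[p] for p in perms)
    return FileInfo(f.owner, f.group, f.mode, {**f.acl_users, user: triplet})


if __name__ == "__main__":
    for who in ("socrates", "plato", "aristotle"):
        print(f"{who} can read: {readable_by(who, SCHOOLS, MEMBERS)}")
    g = with_acl(with_acl(SCHOOLS["grades"], "aristotle", "r"), "plato", "")
    print("after ACL: aristotle", can("aristotle", "r", g, MEMBERS),
          "plato", can("plato", "r", g, MEMBERS))
```

The owner case is the one worth noticing: for a file whose mode is 004, the owner's own triplet (000) is selected first and the decision stops there, so the owner is denied while a bystander is allowed, exactly the “prohibited!” caption on the non-overlap slide.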

Access control lists (ACLs)
(figure: terminal session demonstrating an ACL on the file grades; only its captions survive)
• student can’t read grades, teacher can
• student can now read grades, teacher no longer can (ACL overrides)
• make special changes, via ACL
• grades’ ACL
• ACL exists for this file

Windows Authorization
• Windows has a different form of authorization, depending on the network
  – workgroups – small networks
    • Each client must specify his/her own authorization
    • Local Security Policies
  – domains – large networks with domain controllers
    • group policies – policies that are set forth for the entire network, based on user permissions

Windows Authorization* (*ntfs filesystem)

Password aging features
• time since last password change
• number of days before password can be changed
• number of days after which password must be changed
• days before password expiry to give warning at login
• days after password expiry to expire account
• deadline at which to auto-disable account

/etc/shadow entries hold password aging information
craig:$1$2YL52jhL$:11992:60:75:3:14:12417:134550548
Fields, colon-separated, left to right (with the chage option that sets each):
  craig – user name
  $1$2YL52jhL$ – hashed password
  11992 – last password change (11/1/02); chage -d
  60 – days thereafter before change permitted; chage -m
  75 – days thereafter when change required (password expires); chage -M
  3 – login warning pre-expiry leadtime days; chage -W
  14 – post-expiry inactivity interval before account locked; chage -I
  12417 – auto-disablement deadline (12/31/03); chage -E
  134550548 – reserved

Use chage to view…
[root@EMACH1 /root]# chage -l craig
Minimum: 60
Maximum: 75
Warning: 3
Inactive: 14
Last Change: Nov 01, 2002
Password Expires: Jan 15, 2003
Password Inactive: Jan 29, 2003
Account Expires: Dec 31, 2003
Password Expires = last change + maximum; Password Inactive = … + inactive
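The dates chage -l prints are arithmetic on the raw /etc/shadow fields: the day counts are days since 1970-01-01 (per shadow(5)), Password Expires is last change plus maximum, and Password Inactive is that plus the inactive interval. The following added example, not code from the slides, decodes craig's record from the earlier slide (constructed here as a string) and reproduces the chage -l values shown above; it also classifies a login date against those deadlines the way the warning/expiry slides that follow describe, and shows what moving the last-change field (chage -d, or a successful password change) does to the deadlines. Function names are this example's own; the state classification is a simplification (“warning” means within the warning leadtime of expiry) and does not claim to match the login program's exact day counting.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

EPOCH = date(1970, 1, 1)   # shadow(5) stores day counts from here

# The slides' record for craig, constructed here as a string.
SHADOW_SAMPLE = "craig:$1$2YL52jhL$:11992:60:75:3:14:12417:134550548"


@dataclass
class ShadowEntry:
    name: str
    hashed: str
    last_change: Optional[int]    # field 3: days since epoch, None if empty
    min_days: Optional[int]       # field 4: chage -m
    max_days: Optional[int]       # field 5: chage -M
    warn_days: Optional[int]      # field 6: chage -W
    inactive_days: Optional[int]  # field 7: chage -I
    expire: Optional[int]         # field 8: days since epoch, chage -E
    reserved: str                 # field 9


def _opt_int(s: str) -> Optional[int]:
    return int(s) if s.strip() else None


def parse_shadow(line: str) -> ShadowEntry:
    """Parse one shadow record: name:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    name, hashed, lc, mn, mx, wn, ina, exp, res = fields
    return ShadowEntry(name, hashed, _opt_int(lc), _opt_int(mn), _opt_int(mx),
                       _opt_int(wn), _opt_int(ina), _opt_int(exp), res)


def to_date(days: int) -> date:
    return EPOCH + timedelta(days=days)


def fmt(d: Optional[date]) -> str:
    """chage's 'Nov 01, 2002' style, or 'never' when the field is unset."""
    return d.strftime("%b %d, %Y") if d else "never"


def deadlines(e: ShadowEntry) -> Tuple[Optional[date], Optional[date],
                                       Optional[date], Optional[date]]:
    """(last change, password expires, password inactive, account expires)."""
    last = to_date(e.last_change) if e.last_change is not None else None
    expires = None
    if last and e.max_days is not None and e.max_days < 99999:
        expires = last + timedelta(days=e.max_days)          # last change + maximum
    inactive = None
    if expires and e.inactive_days is not None:
        inactive = expires + timedelta(days=e.inactive_days)  # ... + inactive
    account = to_date(e.expire) if e.expire is not None else None
    return last, expires, inactive, account


def chage_l(e: ShadowEntry) -> Dict[str, str]:
    """Reproduce the labels and values that 'chage -l' prints (unset counts print as -1)."""
    last, expires, inactive, account = deadlines(e)
    num = lambda v: str(v) if v is not None else "-1"
    return {
        "Minimum": num(e.min_days), "Maximum": num(e.max_days),
        "Warning": num(e.warn_days), "Inactive": num(e.inactive_days),
        "Last Change": fmt(last), "Password Expires": fmt(expires),
        "Password Inactive": fmt(inactive), "Account Expires": fmt(account),
    }


def password_state(e: ShadowEntry, today: date) -> str:
    """Classify a login on 'today': ok / warning / expired / locked / account-expired."""
    _last, expires, inactive, account = deadlines(e)
    if account and today >= account:
        return "account-expired"          # chage -E deadline passed
    if inactive and today >= inactive:
        return "locked"                   # past expiry plus inactivity interval
    if expires and today >= expires:
        return "expired"                  # must change password at login
    if expires and e.warn_days and today >= expires - timedelta(days=e.warn_days):
        return "warning"                  # within the warning leadtime
    return "ok"


def set_last_change(e: ShadowEntry, when: date) -> ShadowEntry:
    """What chage -d (or a successful password change) does: move field 3."""
    return ShadowEntry(e.name, e.hashed, (when - EPOCH).days, e.min_days, e.max_days,
                       e.warn_days, e.inactive_days, e.expire, e.reserved)


if __name__ == "__main__":
    entry = parse_shadow(SHADOW_SAMPLE)
    for label, value in chage_l(entry).items():
        print(f"{label}: {value}")
    for d in (date(2003, 1, 11), date(2003, 1, 16), date(2003, 2, 1)):
        print(d, password_state(entry, d))
```

Running it on the slide's record gives Last Change Nov 01, 2002, Password Expires Jan 15, 2003, Password Inactive Jan 29, 2003 and Account Expires Dec 31, 2003, matching the chage -l output above; moving the last change to Jan 17, 2003 advances the two password deadlines to Apr 02 and Apr 16, 2003, as the “New values thereafter” slide shows.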

…or to modify
Item modified      chage option used
Minimum            -m
Maximum            -M
Warning            -W
Inactive           -I
Last Change        -d
Account Expires    -E

Login during warning period
EMACH1 login: craig
Password:
Warning: your password will expire in 3 days
Last login: Sat Jan 11 16:03:31 on tty2
[craig@EMACH1 craig]$ date
Sat Jan 11 16:04:37 PST 2003
(the date command shows the date of this login)

Login after password expiry
EMACH1 login: craig
Password:
Your password has expired; please change it!
Changing password for craig
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
Last login: Sat Jan 11 16:04:34 on tty2
[craig@EMACH1 craig]$
[craig@EMACH1 craig]$ date
Thu Jan 16 16:00:34 PST 2003
(user asked to change password; he changes it; the date command shows the date of this login)

New values thereafter
[root@EMACH1 /root]# chage -l craig
Minimum: 60
Maximum: 75
Warning: 3
Inactive: 14
Last Change: Jan 17, 2003
Password Expires: Apr 02, 2003
Password Inactive: Apr 16, 2003
Account Expires: Dec 31, 2003
(new change date reflected; deadlines advanced accordingly)

Webmin