Working as root makes things simpler, but a single mistake can do huge damage to the system, so create a user and work as that user whenever possible. A user belongs to a primary group and optionally to supplementary groups. Devices and daemons are also defined as users and groups.
useradd -m -G users,wheel,audio -s /bin/bash <username>
creates the user account and its home directory, in which the files .bash_logout, .bash_profile and .bashrc and the empty directory .ssh get created.
It uses the file /etc/default/useradd for the defaults. However, it also uses settings in /etc/login.defs, which contains PASS_MAX_DAYS, the maximum number of days a password may be used.
It also assigns a unique number to the user and assigns numbers for the groups the user belongs to.
passwd <username>
sets a password.
Over time a lot of other directories and files are created in the user account. Most of them are hidden and therefore start with a . character. Some of them can be considered garbage from programs that are no longer installed, or can even contain outdated, incompatible data that might cause problems.
To delete a user: userdel <username>
or, to also remove its data: userdel -r <username>
/etc/passwd contains the list of users, one per line, with the fields
<user>:<password>:<UID>:<GID>:<comment>:<Home directory>:<Shell>
GID (Group ID) is the primary group of the user; if the user creates a file, this is the group id given to the file. Conventional ranges:
root = 0
system = 1-99
users = 100
own groups = 101…
UID (User ID):
root = 0
daemons = 1-499 (daemons are programs running in the background)
users = 500…
A file belongs to an owner and a group.
Users have numbers (UID). Not the user name but the UID is stored with files and directories. If you share data between computers, make sure that your user has the same UID on all computers! The same applies for the primary GID.
In the past the passwords were in this file, but now it contains just an x, since /etc/passwd is too easily accessible and therefore creates a security risk, so the passwords were moved to /etc/shadow, which is accessible just by root. See man 5 shadow. The file contains additional data, such as the expiration date of a password.
Password * means nobody can log in. Nothing means no password, and you will get prompted for one when you log in next time.
chown -R <my name> /home/<my name>
fixes the user name (owner) on all files in the home directory.
groups shows which groups a user belongs to.
usermod -a -G <group> <username>
adds a user to a group.
For the groups, /etc/group contains the configuration, one group per line, with the fields
<group name>:<password>:<GID>:<list of users>
Groups have a password and a group id. The password is usually not used; it allowed users who knew the password to add themselves to other groups. This is now commonly done by the administrator having root privileges.
Users belong to a primary group but can also belong to supplementary groups. Users using this group as a supplementary group are listed here as well.
The supplementary groups are where the user has access rights, but just the primary group (the GID in /etc/passwd) is the group under which files and directories are created.
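As an added example (not from the original page), the following shell script resolves a user's primary group from the GID field of a passwd-format file and the supplementary groups from the member lists of a group-format file, which is what groups and id do; the two sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): resolve a user's primary and
# supplementary groups from passwd- and group-format files.
# The file contents below are constructed sample data.

PASSWD_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
EOF
cat >"$GROUP_SAMPLE" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:100:alice
audio:x:29:alice,bob
alice:x:1000:
EOF

# user_groups <name> <passwd_file> <group_file>
# Prints the primary group (resolved from the GID in the passwd entry, i.e.
# the group new files get) followed by every group whose member list names
# the user, sorted, on one line. Returns 1 if the user does not exist.
user_groups() {
    name=$1; pw=$2; gr=$3
    gid=$(awk -F: -v u="$name" '$1 == u { print $4; exit }' "$pw")
    [ -n "$gid" ] || return 1
    primary=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$gr")
    [ -n "$primary" ] || primary=$gid      # GID with no group entry: show number
    supp=$(awk -F: -v u="$name" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$gr" | sort | tr '\n' ' ')
    printf '%s %s\n' "$primary" "$supp" | sed 's/ *$//'
}

user_groups alice "$PASSWD_SAMPLE" "$GROUP_SAMPLE"   # alice audio users wheel
user_groups bob "$PASSWD_SAMPLE" "$GROUP_SAMPLE"     # users audio
```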
There are different philosophies on how groups are assigned:
every user has as primary group the group users
every user has as primary group a group with the same name as the <username> and has the secondary group users
The first method is more open. Sensitive data should be kept in encrypted directories (e.g. encfs).
The second method, which has become the default, is more restrictive and can easily block file read access between the users. /etc/login.defs sets this behavior when it contains
USERGROUPS_ENAB yes
Manually changing the user number and group number afterwards is possible but obviously not the standard way to go; usermod is the way.
chgrp -R <primary group name = username> /home/<username>
will assign the group ownership to all files in the user account.
Passwords can be reset by using a live CD, or by mounting the physical hard disk on another computer, and deleting the passwords in /etc/shadow. Just make the password field empty, since this means no password, and next time you will be prompted to add a new password.
So change
root:<Some string>:<some number>:0:::::
to
root::<some number>:0:::::
Maybe this is not necessary, since Linux can read the Windows disk (if not encrypted).
fdisk -l shows the disks.
The disk must be writable, so mount it with ntfs-3g /dev/sd<nm> /mnt/windows and repeat this for all the partitions.
cd <...>/Windows/System32/config
chntpw -l SAM shows all Windows users.
chntpw -u <username> SAM modifies the user information, such as clearing the password and unlocking the account.
Multiple computers on a network usually exchange files between them. To keep it simple, make sure that:
the user number assignment (UID) is consistent between the computers
the primary group number assignment (GID) is consistent between the computers.
The numbers are more important than the names, since they are stored with the individual files. The names are just defined in /etc/passwd and /etc/group.
To fix the ownership, edit /etc/passwd and /etc/group or use a tool for it.
For people that like it complicated, NIS (Network Information Service) is used to coordinate user accounts and group data over a network.
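As an added example (not part of the original page), this shell script compares the UID and primary GID of every user present in two hosts' passwd-format files, which is the consistency check the text asks for before sharing files; the two files, HOST_A and HOST_B, are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): find users whose UID or primary
# GID differs between two hosts' passwd files. Both files are constructed.

HOST_A=$(mktemp)
HOST_B=$(mktemp)
cat >"$HOST_A" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
EOF
cat >"$HOST_B" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1003:100:Bob:/home/bob:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
EOF

# id_mismatches <passwd_A> <passwd_B>
# Prints one line "name uidA uidB gidA gidB" for each user present in both
# files whose UID or primary GID differs; prints nothing when they agree.
# Users that exist on only one host are not reported.
id_mismatches() {
    awk -F: '
        NR == FNR { uid[$1] = $3; gid[$1] = $4; next }   # remember file A
        ($1 in uid) && (uid[$1] != $3 || gid[$1] != $4) {
            print $1, uid[$1], $3, gid[$1], $4            # compare file B
        }' "$1" "$2"
}

# ids_consistent <passwd_A> <passwd_B>
# Succeeds only when no mismatch exists, so a script can stop before
# copying files whose ownership would end up wrong.
ids_consistent() {
    [ -z "$(id_mismatches "$1" "$2")" ]
}

id_mismatches "$HOST_A" "$HOST_B"
# bob 1001 1003 100 100
# carol 1002 1002 1002 100
```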
/etc/login.defs contains behavior data of login, such as timeouts, retries, …
passwd is the command to change the password. passwd <username> can be used by root to reset/set a user's password.
groups shows the groups where I'm a member
groupadd creates a new group
useradd -m -G users <username> adds a new user
usermod modifies a user
userdel deletes a user
groupmod modifies a group
groupdel deletes a group
id <username> shows the UID and to what groups <username> belongs. id does the same for the current user
chown changes the file owner. The following command sets <username> as owner of all files in the user's home directory: chown -R <username> /home/<username>
chgrp changes the group ownership. The following command sets <primarygroup> on all files in the home directory: chgrp -R <primarygroup> /home/<username>. In case <primarygroup> is the same string as <username>, the command is chgrp -R <username> /home/<username>