RH133. 5.USER ADMINISTRATION





useradd  <user>   -->adds a user and updates the files listed below
passwd   <user>   -->sets password for a user
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

         uid     gid
root         0        0
systemuser   1-499   1-499
normaluser   500+    500+

1. FIELDS OF /ETC/PASSWD

1. User
2. password pointer
3. uid
4. gid
5. comments
6. home dir
7. shell

To create a user with specific values for these fields, use the options below

useradd -u  <uid> <user>     ->Add user with specified uid
useradd -g  <gid> <user>     ->Add user with specified primary group
useradd -G  <gid> <user>     ->Add user with specified secondary group
useradd -c  <comments> <user> ->Add comments to user
useradd -d  <homedir> <user>  ->Add specified home dir
useradd -s  <shell>   <user>  ->Add specified shell to user OR
chsh    <user>                -->change shell of user


finger  <user>                -->shows shell of user
id <user>  -->shows user's uid,gid info

usermod  -option  <user> -->modify existing info of user
userdel    <user>        -->Delete user, but leave home dir
userdel -r <user>        -->Delete user and  home dir both

When we add a user, hidden files are copied from the /etc/skel dir,
and the password aging policy is read from /etc/login.defs

2. FIELDS OF /ETC/SHADOW

1. user
2. password
3. num of days since Jan 1970 when the password was last changed
4. min num of days to wait before the user can change his password
5. max num of days after which user is forced to change password
6. Once password is about to expire, start giving warning messages
7. If password is expired, also disable a/c after this many days

chage -l <user> --->show password aging policy of user 
chage  <user>   --->Change password aging policy of user 
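
The aging fields above can be checked for all accounts at once instead of running chage -l per user. The script below is an added example, not part of the original notes; the names audit_shadow and sample_shadow, the status labels and the sample entries are constructed here, and treating 99999 as "no max age" is an assumption based on the usual default.

```shell
#!/bin/sh
# Added example: classify accounts by the /etc/shadow fields 1-7 listed above.
# Reads shadow-format lines on stdin; $1 = "today" in days since Jan 1970
# (defaults to the current day). As root: audit_shadow < /etc/shadow
audit_shadow() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
    NF < 7 { next }                     # skip blank or malformed lines
    {
        user = $1; pw = $2; last = $3; max = $5; warn = $6; inactive = $7
        # Empty password field: login needs no password at all
        if (pw == "")     { print user ": EMPTY_PASSWORD"; next }
        # Leading ! or * : password login is not possible
        if (pw ~ /^[!*]/) { print user ": LOCKED"; next }
        # Last-change value 0: user must change password at next login
        if (last == "0")  { print user ": MUST_CHANGE_AT_NEXT_LOGIN"; next }
        # No last-change or max value (or 99999, assumed "never"): no aging
        if (last == "" || max == "" || max + 0 >= 99999) {
            print user ": NO_MAX_AGE"; next
        }
        age  = today - last             # days since last password change
        left = max - age                # days until the password expires
        if (left < 0 && inactive != "" && age > max + inactive) {
            print user ": EXPIRED_AND_DISABLED"
        } else if (left < 0) {
            print user ": EXPIRED"
        } else if (warn != "" && left <= warn) {
            print user ": EXPIRES_IN_" left "_DAYS"
        } else {
            print user ": OK"
        }
    }'
}

# Constructed sample entries (placeholder hashes, not real accounts).
sample_shadow() {
cat <<'EOF'
alice:$6$SALT$CONSTRUCTEDHASH:19990:0:90:7:14::
bob:$6$SALT$CONSTRUCTEDHASH:19915:0:90:7:14::
carol:$6$SALT$CONSTRUCTEDHASH:19900:0:90:7:14::
dave:$6$SALT$CONSTRUCTEDHASH:19800:0:90:7:14::
erin:$6$SALT$CONSTRUCTEDHASH:19990:0:99999:7:::
frank::19990:0:90:7:14::
svc:!!:19990:0:99999:7:::
EOF
}

# Demo run with a constructed "today" of day 20000.
sample_shadow | audit_shadow 20000
```

EMPTY_PASSWORD and NO_MAX_AGE on a normal user are the entries to fix first, with passwd <user> and chage <user>.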

3. FIELDS OF /ETC/GROUP
1. group
2. group password
3. gid
4. members of group

4. FIELDS OF /ETC/GSHADOW
1. group
2. group password
3. admin of group
4. members of group

groupadd <grp>  --> Add a group
groupdel <grp>  --> Delete a group
gpasswd  <grp>  --> Set password for a group

AS ROOT
gpasswd  -M  <u1,u2> <grp1>-->Add u1,u2 as members to group grp1
gpasswd  -A  <u1> <grp1>    -->Make u1 as Admin to group grp1
gpasswd  -d  <u2> <grp1>    -->Delete u2 from group grp1
       
AS ADMIN (Login as admin and try below commands)
gpasswd  -a  <u3> <grp1>    -->Add u3  to group grp1
gpasswd  -d  <u3> <grp1>    -->Delete u3 from group grp1

newgrp <grp>  -->when you know the group password of another group
        you can change your group temporarily
       
    ACL -ACCESS CONTROL LIST

getfacl  <file>             ->shows acl of file
setfacl -m u:u1:rw  <file>  ->set acl for user
setfacl -m g:g1:r   <file>  ->set acl for other group
setfacl -m o::--    <file>  ->set acl for the other users left out
setfacl -x u:u1    <file>   ->Delete acl set for user u1
setfacl -x g:g1    <file>   ->Delete acl set for group g1
setfacl -b         <file>   ->Delete all acls that have been set.
setfacl -Rm u:u1:rw <dir>   ->Acl is applied recursively to the dir
                 and the files under that dir
           
            VISUDO
VISUDO->Give privilege of root user to an individual user without
giving him the root password.

Permissions can be given to user
Permissions can be given to existing group
Permissions can be given to virtual group

To give to user
copy line 76 and edit that copied line
ex: t1     ALL=SERVICES

To give to existing group
copy line 83 and edit that copied line
ex: %india      ALL=SERVICES

To give to Virtual group
copy line 20 and edit that copied line
+ copy line 76 and edit that copied line
ex:  User_Alias ABC = i2, t2  //line 20 exp +
     ABC     ALL=SERVICES

Once visudo is set, when a user who got privilege through visudo tries to
execute the command, he has to include sudo + full path of command
ex:  sudo /sbin/service network restart

LOG MESSAGES OF VISUDO
1. tailf /var/log/secure


            SGID
Group owner of the directory should be inherited by the
files under that directory.

1.groupadd admin         //Add a group
2.mkdir /share         //Create dir under /
3.ll -d /share        //See permission of dir created
4.chgrp admin /share    //Change groupowner of dir
5.ll -d /share        //See permission of dir created
6.touch /share/a    //Create file under dir
7.ll -d /share         //Permission of dir
8.ll /share/a        //permission of file
9.chmod 2770 /share    //Add special permission 2 to dir
10.ll -d /share        //permission of dir
11.touch /share/b    //create file under dir
12.ll /share/b        //permission of file
