Chapter 11.  Managing Users, Groups, and Permissions


11.1. Managing User Accounts

Even if you're the only actual human being who uses your Linux system, understanding how to manage user accounts is important, even more so if your system hosts multiple users.

User accounts serve a number of purposes on Unix systems. Most prominently, they give the system a way to distinguish between different people who use the system for reasons of identification and security. Each user has a personal account with a separate username and password. As discussed in "File Ownership and Permissions," later in this chapter, users may set permissions on their files, allowing or restricting access to them by other users. Each file on the system is "owned" by a particular user, who may set the permissions for that file. User accounts are used to authenticate access to the system; only those people with accounts may access the machine. Also, accounts are used to identify users, keep system logs, tag electronic mail messages with the name of the sender, and so forth.

Apart from personal accounts, there are users on the system who provide administrative functions. As we've seen, the system administrator uses the root account to perform maintenance but usually not for personal system use. Such accounts are accessed using the su command, allowing another account to be accessed after logging in through a personal account.

Other accounts on the system may not involve human interaction at all. These accounts are generally used by system daemons, which must access files on the system through a specific user ID other than root or one of the personal user accounts. For example, if you configure your system to receive a newsfeed from another site, the news daemon must store news articles in a spool directory that anyone can access but only one user (the news daemon) can write to. No human being is associated with the news account; it is an "imaginary" user set aside for the news daemon only.

One of the permission bits that can be set on executables is the setuid bit, which causes the program to be executed with the permissions of the owner of that file. For example, if the news daemon were owned by the user news, and the setuid bit were set on the executable, it would run as if by the user news. news would have write access to the news spool directory, and all other users would have read access to the articles stored there. This is a security feature. News programs can give users just the right amount of access to the news spool directory, but no one can just play around there.

As the system administrator, it is your job to create and manage accounts for all users (real and virtual) on your machine. This is actually a painless, hands-off task in most cases, but it's important to understand how it works.



11.1.1. The passwd File

Every account on the system has an entry in the file /etc/passwd. This file contains entries, one line per user, that specify several attributes for each account, such as the username, real name, and so forth.

Each entry in this file is of the following format:

username:password:uid:gid:gecos:homedir:shell

The following list explains each field:

username

A unique character string, identifying the account. For personal accounts, this is the name the user logs in with. On most systems it is limited to eight alphanumeric characters; for example, larry or kirsten.

password

An encrypted representation of the user's password. This field is set using the passwd program to set the account's password; it uses a one-way encryption scheme that is difficult (but not impossible) to break. You don't set this by hand; the passwd program does it for you. Note, however, that if the first character of the password field is * (an asterisk), the account is "disabled"; the system will not allow logins as this user. See "Creating Accounts," later in this chapter.

uid

The user ID, a unique integer the system uses to identify the account. The system uses the uid field internally when dealing with process and file permissions; it's easier and more compact to deal with integers than byte strings. Therefore, both the user ID and the username identify a particular account: the user ID is more important to the system, whereas the username is more convenient for humans.

gid

The group ID, an integer referring to the user's default group, found in the file /etc/group. See "The Group File," later in this chapter.

gecos

Miscellaneous information about the user, such as the user's real name, and optional "location information" such as the user's office address or phone number. Such programs as mail and finger use this information to identify users on the system; we'll talk more about it later. By the way, gecos is a historical name dating back to the 1970s; it stands for General Electric Comprehensive Operating System. GECOS has nothing to do with Unix, except that this field was originally added to /etc/passwd to provide compatibility with some of its services.

homedir

The user's home directory, for the user's personal use; more on this later. When the user first logs in, the shell finds its current working directory in the named home directory.

shell

The name of the program to run when the user logs in; in most cases, this is the full pathname of a shell, such as /bin/bash or /bin/tcsh.

Many of these fields are optional; the only required fields are username, uid, gid, and homedir. Most user accounts have all fields filled in, but "imaginary" or administrative accounts may use only a few.

Here are two sample entries you might find in /etc/passwd:

root:ZxPsI9ZjiVd9Y:0:0:The root of all evil:/root:/bin/bash
aclark:BjDf5hBysDsii:104:50:Anna Clark:/home/aclark:/bin/ba

The first entry is for the root account. First of all, notice that the user ID of root is 0. This is what makes root root: the system knows that uid 0 is "special" and that it does not have the usual security restrictions. The gid of root is also 0, which is mostly a convention. Many of the files on the system are owned by root and the root group, which have a uid and gid of 0, respectively. More on groups in a minute.

On many systems, root uses the home directory /root, or just /. This is not usually relevant because you most often use su to access root from your own account. Also, it is traditional to use a Bourne-shell variant (in this case /bin/bash) for the root account, although you can use the C shell if you like. (Shells are discussed in Chapter 4.) Be careful, though: Bourne shells and C shells have differing syntax, and switching between them when using root can be confusing and lead to mistakes.

The second entry is for an actual human being, username aclark. In this case, the uid is 104. The uid field can technically be any unique integer; on many systems, it's customary to have user accounts numbered 100 and above and administrative accounts in the sub-100 range. The gid is 50, which just means that aclark is in whatever group is numbered 50 in the /etc/group file. Hang on to your hats; groups are covered in "The Group File," later in this chapter.

Home directories are often found in /home, and named for the username of their owner. This is, for the most part, a useful convention that avoids confusion when finding a particular user's home directory. You can technically place a home directory anywhere, but it must exist for you to be able to log into the system. You should, however, observe the directory layout used on your system.

Note that as the system administrator, it's not usually necessary to modify the /etc/passwd file directly. Several programs are available that can help you create and maintain user accounts; see "Creating Accounts," later in this chapter. If you really want to edit the raw /etc/passwd data, consider using a command such as vipw that protects the password file against corruption from simultaneous editing.
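The field layout above is easy to check mechanically. The following is an added example, not code from the book: it parses passwd-style lines into the seven fields and reports the things an administrator reading this section would want to notice, such as a second uid 0 account, a password hash that is still readable in /etc/passwd (any value other than "x" or a leading "*"), an empty password field, or a missing home directory. SAMPLE_PASSWD is constructed: it begins with the chapter's two example entries and adds invented accounts (news, larry, admin2, guest) so that each check fires at least once.

```python
"""Parse and audit /etc/passwd-style entries.

Added example, not code from the book. SAMPLE_PASSWD is constructed: it
starts with the chapter's two example entries and adds invented accounts
(news, larry, admin2, guest) to exercise the checks.
"""
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_PASSWD = """\
root:ZxPsI9ZjiVd9Y:0:0:The root of all evil:/root:/bin/bash
aclark:BjDf5hBysDsii:104:50:Anna Clark:/home/aclark:/bin/bash
news:*:9:13:news daemon (constructed):/var/spool/news:/bin/sh
larry:x:105:50:Larry (constructed):/home/larry:/bin/tcsh
admin2:x:0:0:second uid-0 account (constructed):/root:/bin/bash
guest::106:50:Guest (constructed)::/bin/sh
"""


@dataclass
class PasswdEntry:
    username: str
    password: str
    uid: int
    gid: int
    gecos: str
    homedir: str
    shell: str

    @property
    def is_disabled(self) -> bool:
        # A leading asterisk disables the account: no login is possible.
        return self.password.startswith("*")

    @property
    def is_shadowed(self) -> bool:
        # "x" means the real hash lives in /etc/shadow (readable only by root).
        return self.password == "x"

    @property
    def hash_exposed(self) -> bool:
        # Any other non-empty value is a real hash that every user can read.
        return self.password != "" and not (self.is_disabled or self.is_shadowed)


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each line into the seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        username, password, uid, gid, gecos, homedir, shell = fields
        entries.append(PasswdEntry(username, password, int(uid), int(gid),
                                   gecos, homedir, shell))
    return entries


def audit(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs an administrator should look at."""
    findings = []
    uid_owner = {}  # uid -> first username seen with it
    for e in entries:
        if e.uid == 0 and e.username != "root":
            findings.append((e.username, "uid 0 but not root"))
        if e.uid in uid_owner:
            findings.append((e.username, f"uid {e.uid} shared with {uid_owner[e.uid]}"))
        else:
            uid_owner[e.uid] = e.username
        if e.password == "":
            findings.append((e.username, "empty password field"))
        if e.hash_exposed:
            findings.append((e.username, "hash stored in passwd, not shadowed"))
        if not e.homedir:
            findings.append((e.username, "missing home directory"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print(f"{user}: {finding}")
```

Run against a real system, parse_passwd(open("/etc/passwd").read()) needs no privileges, since /etc/passwd is world-readable; that is exactly why the "hash stored in passwd" finding matters and why the next section introduces /etc/shadow.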



11.1.2. Shadow Passwords

To some extent, it is a security risk to let everybody with access to the system view the encrypted passwords in /etc/passwd. Special crack programs are available that try a huge number of possible passwords and check whether the encrypted version of those passwords is equal to a specified one.

To overcome this potential security risk, shadow passwords have been invented. When shadow passwords are used, the password field in /etc/passwd contains only an x or a *, which can never occur in the encrypted version of a password. Instead, a second file called /etc/shadow is used. This file contains entries that look very similar to those in /etc/passwd, but contain the real encrypted password in the password field. /etc/shadow is readable only by root, so normal users do not have access to the encrypted passwords. The other fields in /etc/shadow, except the username and the password, are present as well, but normally contain bogus values or are empty.

Note that in order to use shadow passwords, you need special versions of the programs that access or modify user information, such as passwd or login. Nowadays, most distributions come with shadow passwords already set up, so this should not be a problem for you. Debian users should use "shadowconfig on" instead to ensure that shadow passwords are enabled on their systems.

There are two tools for converting "normal" user entries to shadow entries and back. pwconv takes the /etc/passwd file, looks for entries that are not yet present in /etc/shadow, generates shadow entries for those, and merges them with the entries already present in /etc/shadow.

pwunconv is rarely used because it gives you less security instead of more. It works like pwconv, but generates traditional /etc/passwd entries that work without /etc/shadow counterparts.

Modern Linux systems also provide something called password aging. This is sort of an expiry date for a password; if it approaches, a warning is issued, a configurable number of days before the password expires, and the user is asked to change his password. If he fails to do so, his account will be locked after a while. It is also possible to set a minimum number of days before a changed or created password can be changed again.

All these settings are configured with the passwd command. The -n option sets the minimum number of days between changes, -x the maximum number of days between changes, -w the number of days a warning is issued before a password expires, and -i the number of days of inactivity between the expiry of a password and the time the account is locked.

Most distributions provide graphical tools to change these settings, often hidden on an Advanced Settings page or similar.
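The aging rules just described can be worked through on the data that passwd -n, -x, -w and -i actually write. The following is an added example, not code from the book, and it goes slightly beyond the text: it assumes the standard shadow(5) field layout username:hash:lastchange:min:max:warn:inactive:expire:reserved, where the day fields count days since 1970-01-01, an empty field means "not set", and a lastchange of 0 forces a change at the next login. It classifies each entry the way the login program would on a given day. SAMPLE_SHADOW and TODAY are constructed values; the hashes are placeholders, not real encrypted passwords.

```python
"""Evaluate password-aging state from /etc/shadow-style entries.

Added example, not code from the book. Assumes the shadow(5) layout
username:hash:lastchange:min:max:warn:inactive:expire:reserved, with day
fields counted in days since 1970-01-01 and empty meaning "not set".
min, max, warn and inactive are what passwd -n, -x, -w and -i set.
SAMPLE_SHADOW and TODAY are constructed; the hashes are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_SHADOW = """\
aclark:$6$constructedhash1:19720:7:90:14:30::
larry:$6$constructedhash2:19600:0:90:7:::
guest:*:19700::::::
bob:$6$constructedhash3:19000:0:90:7:30::
newbie:$6$constructedhash4:0:0:90:7:::
carol:$6$constructedhash5:19798:7:90:14:::
"""
TODAY = 19800  # constructed reference day (days since the epoch)


@dataclass
class ShadowEntry:
    username: str
    password: str
    last_change: Optional[int]    # day of the last password change
    min_days: Optional[int]       # passwd -n
    max_days: Optional[int]       # passwd -x
    warn_days: Optional[int]      # passwd -w
    inactive_days: Optional[int]  # passwd -i
    expire: Optional[int]         # absolute day the account expires


def _opt_int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        # f[8] is the reserved field and is ignored.
        entries.append(ShadowEntry(f[0], f[1], *(_opt_int(x) for x in f[2:8])))
    return entries


def aging_state(e: ShadowEntry, today: int) -> str:
    """Classify an entry as the login program would see it on day `today`."""
    if e.expire is not None and today >= e.expire:
        return "account-expired"   # hard account expiry, independent of the password
    if e.last_change == 0:
        return "must-change"       # 0 forces a password change at next login
    if e.last_change is None or e.max_days is None:
        return "no-aging"          # nothing to age against
    expiry_day = e.last_change + e.max_days
    if e.inactive_days is not None and today >= expiry_day + e.inactive_days:
        return "locked"            # expired and the -i grace period is used up
    if today >= expiry_day:
        return "expired"           # the user must change the password now
    if e.warn_days is not None and today >= expiry_day - e.warn_days:
        return "warning"           # inside the -w warning window
    return "ok"


def can_change_password(e: ShadowEntry, today: int) -> bool:
    """Honour the minimum age (-n): a fresh password cannot be changed again too soon."""
    if e.last_change is None or not e.min_days:
        return True
    return today >= e.last_change + e.min_days


def report(text: str, today: int) -> Dict[str, str]:
    """Map each username to its aging state."""
    return {e.username: aging_state(e, today) for e in parse_shadow(text)}


if __name__ == "__main__":
    for user, state in report(SAMPLE_SHADOW, TODAY).items():
        print(f"{user}: {state}")
```

Reading the real file requires root, which is the point of the section: report(open("/etc/shadow").read(), days_since_epoch) lets an administrator list accounts that are past their maximum age or already locked, without ever exposing the hashes to other users.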



11.1.3. PAM and Other Authentication Methods

You might think that having two means of user authentication, /etc/passwd and /etc/shadow, is already enough choice, but you are wrong. There are a number of other authentication methods with strange names, such as Kerberos authentication (so named after the dog from Greek mythology that guards the entrance to Hell). Although we think that shadow passwords provide enough security for almost all cases, it all depends on how much security you really need and how paranoid you want to be.

The problem with all those authentication methods is that you cannot simply switch from one to another because you always need a set of programs, such as login and passwd, that go with those tools. To overcome this problem, the Pluggable Authentication Methods (PAM) system has been invented. Once you have a PAM-enabled set of tools, you can change the authentication method of your system by reconfiguring PAM. The tools will automatically get the code necessary to perform the required authentication procedures from dynamically loaded shared libraries.

Setting up and using PAM is beyond the scope of this book, but you can get all the information you need from http://www.kernel.org/pub/linux/libs/pam/. Most modern distributions will set up PAM for you as well.



11.1.4. The Group File

User groups are a convenient way to logically organize sets of user accounts and allow users to share files within their group or groups. Each file on the system has both a user and a group owner associated with it. Using ls -l, you can see the owner and group for a particular file, as in the following example:

rutabaga$ ls -l boiler.tex
-rwxrw-r--   1 mdw      megabozo    10316 Oct  6 20:19 boil
rutabaga$

This file is owned by the user mdw and belongs to the megabozo group. We can see from the file permissions that mdw has read, write, and execute access to the file; that anyone in the megabozo group has read and write access; and that all other users have read access only.

This doesn't mean that mdw is in the megabozo group; it simply means the file may be accessed, as shown by the permission bits, by anyone in the megabozo group (which may or may not include mdw).

This way, files can be shared among groups of users, and permissions can be specified separately for the owner of the file, the group to which the file belongs, and everyone else. An introduction to permissions appears in "File Ownership and Permissions," later in this chapter.

Every user is assigned to at least one group, which you specify in the gid field of the /etc/passwd file. However, a user can be a member of multiple groups. The file /etc/group contains a one-line entry for each group on the system, very similar in nature to /etc/passwd. The format of this file is

groupname:password:gid:members

Here, groupname is a character string identifying the group; it is the group name printed when using commands such as ls -l. password is an optional encrypted password associated with the group, which allows users not in this group to access the group with the newgrp command. Read on for information on this. gid is the group ID used by the system to refer to the group; it is the number used in the gid field of /etc/passwd to specify a user's default group. members is a comma-separated list of usernames (with no whitespace in between), identifying those users who are members of this group but who have a different gid in /etc/passwd. That is, this list need not contain those users who have this group set as their "default" group in /etc/passwd; it's only for users who are additional members of the group.

For example, /etc/group might contain the following entries:

root:*:0:
bin:*:1:root,daemon
users:*:50:
bozo:*:51:linus,mdw
megabozo:*:52:kibo

The first entries, for the groups root and bin, are administrative groups, similar in nature to the "imaginary" accounts used on the system. Many files are owned by groups, such as root and bin. The other groups are for user accounts. Like user IDs, the group ID values for user groups are often placed in ranges above 50 or 100.

The password field of the group file is something of a curiosity. It isn't used much, but in conjunction with the newgrp program it allows users who aren't members of a particular group to assume that group ID if they have the password. For example, using the command

rutabaga$ newgrp bozo
Password: password for group bozo
rutabaga$

starts a new shell with the group ID of bozo. If the password field is blank, or the first character is an asterisk, you receive a permission denied error if you attempt to newgrp to that group.

However, the password field of the group file is seldom used and is really not necessary. (In fact, most systems don't provide tools to set the password for a group; you could use passwd to set the password for a dummy user with the same name as the group in /etc/passwd and copy the encrypted password field to /etc/group.) Instead, you can make a user a member of multiple groups simply by including the username in the members field for each additional group. In the previous example, the users linus and mdw are members of the bozo group, as well as whatever group they are assigned to in the /etc/passwd file. If we wanted to add linus to the megabozo group as well, we'd change the last line of the previous example to:

megabozo:*:52:kibo,linus

The command groups tells you which groups you belong to:

rutabaga$ groups
users bozo

Giving a list of usernames to groups lists the groups to which each user in the list belongs.
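The two files together determine what the groups command prints and which files a user has "group access" to. The following is an added example, not code from the book: it combines the gid field of passwd-style lines with the members field of group-style lines, reproduces the groups output shown above for mdw, and checks whether a file's group permission bits would apply to a given user (for instance, whether mdw reaches boiler.tex through the megabozo group). SAMPLE_GROUP is the chapter's own /etc/group listing; SAMPLE_PASSWD is constructed so that mdw, linus and kibo all have default group 50 and daemon has a gid with no group entry, to show the numeric fallback.

```python
"""Compute effective group membership from passwd- and group-style text.

Added example, not code from the book. SAMPLE_GROUP is the chapter's
/etc/group listing; SAMPLE_PASSWD is constructed (mdw, linus and kibo get
default group 50; daemon gets a gid that has no /etc/group entry).
"""
from typing import Dict, List, Tuple

SAMPLE_GROUP = """\
root:*:0:
bin:*:1:root,daemon
users:*:50:
bozo:*:51:linus,mdw
megabozo:*:52:kibo
"""

SAMPLE_PASSWD = """\
mdw:x:100:50:mdw (constructed):/home/mdw:/bin/bash
linus:x:101:50:linus (constructed):/home/linus:/bin/bash
kibo:x:102:50:kibo (constructed):/home/kibo:/bin/bash
daemon:x:2:2:daemon (constructed):/:/bin/false
"""


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Map group name -> (gid, supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _password, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def default_gids(passwd_text: str) -> Dict[str, int]:
    """Map username -> gid taken from the fourth passwd field."""
    gids = {}
    for line in passwd_text.splitlines():
        if line.strip():
            fields = line.split(":")
            gids[fields[0]] = int(fields[3])
    return gids


def groups_of(user: str, passwd_text: str, group_text: str) -> List[str]:
    """Mimic `groups`: default group first, then every group listing the user."""
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    gid = default_gids(passwd_text).get(user)
    if gid is None:
        raise KeyError(f"no passwd entry for {user}")
    result = [gid_to_name.get(gid, str(gid))]  # a gid with no entry shows numerically
    for name, (_, members) in groups.items():
        if user in members and name not in result:
            result.append(name)
    return result


def has_group_access(user: str, file_group: str,
                     passwd_text: str, group_text: str) -> bool:
    """True if the file's group-permission bits apply to this user."""
    return file_group in groups_of(user, passwd_text, group_text)


def add_member(group_text: str, group: str, user: str) -> str:
    """Return group_text with `user` appended to `group`'s members field."""
    out = []
    for line in group_text.splitlines():
        if line.startswith(group + ":"):
            name, password, gid, members = line.split(":")
            names = [m for m in members.split(",") if m]
            if user not in names:
                names.append(user)
            line = ":".join([name, password, gid, ",".join(names)])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for user in ("mdw", "linus", "kibo", "daemon"):
        print(user, " ".join(groups_of(user, SAMPLE_PASSWD, SAMPLE_GROUP)))
    print("mdw in megabozo:", has_group_access("mdw", "megabozo", SAMPLE_PASSWD, SAMPLE_GROUP))
```

add_member only edits the text it is given; on a live system the same change is made with the account tools mentioned earlier, or in an editor that locks the file, rather than by rewriting /etc/group from a script.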

When you log in, you are automatically assigned to the group ID given in /etc/passwd, as well as any additional groups for which you're listed in /etc/group. This means you have "group access" to any files on the system with a group ID contained in your list of groups. In this case, the group permission bits (set with chmod g+...) for those files apply to you (unless you're the


