Ch15 System and User Security

The document discusses various types of user accounts on a Linux system. It describes system accounts for services, regular user accounts, and the root administrative account. It covers commands to view user and group information like id, who, w, and last. Files like /etc/passwd, /etc/shadow, and /etc/group store user account details and group membership. The su and sudo commands can be used to switch users and execute commands as another user.

Uploaded by Zahrul Romadhon

Module 15

System and User Security


Exam Objective
5.1 Basic Security and Identifying User Types

Objective Description
Various types of users on a Linux system.
Identifying User Accounts
Users and Permissions
● User accounts are designed to provide security on a Linux operating system.

● User accounts allow or disallow a person access to files and directories using
file permissions.

● User accounts also belong to groups.

● This chapter covers commands that provide the ability to view user and
group account information and how to switch to other user accounts.
Administrative Accounts
● Some commands require administrative or root privileges.

● Using root has risks; it is recommended to use the sudo or su command
to execute commands as root.

● Risks with logging in as root:
○ Everything will run as root (background processes, executables)
○ May forget you are logged in as root
○ May accidentally run non-admin tasks as root
Switching Users
● The su command allows you to run a shell as a different user.
su [options] [username]

● Using the login shell option (su -) fully configures the new shell with the settings of
the new user. If no username is specified, su opens a new shell as the root user.
su -
su - root

● After pressing Enter, the user must provide the password of the root user.

● Use the exit command to return to the original shell (user account).

sysadmin@localhost:~$ su -
Password:
root@localhost:~# exit
logout
Executing Privileged Commands
● The sudo command also allows users to execute commands as
another user.

● Can be used in distributions that do not allow root user login.

● Prompts for the user’s own password instead of that of the root user.
sysadmin@localhost:~$ sudo head /etc/shadow
[sudo] password for sysadmin:

● Results in an entry placed in a log file for accountability and reduces
risk associated with using root.
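
The log entry is what ties a privileged command to the person who ran it. As an added example (not from the original slides), the function below reduces sudo's syslog-format lines to who ran what as whom, including refused attempts; the sample lines are constructed, the names sudo_audit and sample_sudo_log are illustrative, and the file that holds these lines depends on the distribution's syslog configuration.

```sh
#!/bin/sh
# Added example: reduce sudo log lines to "who ran what as whom" records.
# Reads log lines on stdin; prints STATUS<TAB>INVOKER<TAB>RUN-AS<TAB>COMMAND.
sudo_audit() {
  awk '
    match($0, / sudo[^: ]*: +/) && index($0, "COMMAND=") {
      rec = substr($0, RSTART + RLENGTH)            # drop the syslog prefix
      cmd = substr(rec, index(rec, "COMMAND=") + 8)
      n = split(rec, part, / ; /)
      split(part[1], head, / : /)                   # invoker, then TTY= or a reason
      # A granted command continues with KEY=value; a refusal gives a reason.
      status = (head[2] ~ /^[A-Z]+=/) ? "GRANTED" : "DENIED (" head[2] ")"
      runas = "?"
      for (i = 2; i <= n && part[i] !~ /^COMMAND=/; i++)
        if (part[i] ~ /^USER=/) runas = substr(part[i], 6)
      printf "%s\t%s\t%s\t%s\n", status, head[1], runas, cmd
    }'
}

# Constructed sample lines in the syslog format sudo writes (not real logs).
sample_sudo_log() {
  cat <<'EOF'
Mar 14 10:01:12 localhost sudo: sysadmin : TTY=pts/0 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/bin/head /etc/shadow
Mar 14 10:02:40 localhost sudo: student : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/student ; USER=root ; COMMAND=/usr/bin/head /etc/shadow
Mar 14 10:03:05 localhost sudo: pam_unix(sudo:session): session opened for user root by sysadmin(uid=0)
Mar 14 10:05:51 localhost sudo[2211]: sysadmin : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/sysadmin ; USER=root ; COMMAND=/usr/bin/id
EOF
}

sample_sudo_log | sudo_audit
```

Refused attempts are logged with the same fields as granted ones, so a single pass gives both the accountability trail and the failed attempts worth reviewing.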
User Accounts
● The /etc directory contains files which contain account data of users and
groups defined on the system.

● The /etc/passwd file defines some account information for user accounts.

○ Each line contains information about a single user.

sysadmin:x:1001:1001:System Administrator,,,,:/home/sysadmin:/bin/bash

○ Contains: Name, Password Placeholder, User ID, Primary Group ID, Comment, Home
Directory, Shell (fields are separated by a colon)

● Use the grep command to check whether a user is defined on the system.


Passwords
● The /etc/shadow file contains user password information (must be
logged in as root).
sysadmin:$6$c75ekQWF$.GpiZpFnIXLzkALjDpZXmjxZcIll14OvL2mFSIfnc1aU2cQ/221QL5AX5RjKXpXPJRQ0uVN35TY3/..c7v0.n0:16874:5:30:7:60:15050::

● Fields include:
○ Username: Username of the account (matches username in /etc/passwd)
○ Password: Encrypted password for the account
○ Last Change: Last time password was changed
○ Min: Minimum # of days between password changes
○ Max: Max # of days password is valid
○ Warn: Number of days before password expiry that the system warns the user
○ Inactive: Grace period in which user’s password can be changed
○ Expire: Number of days when user accounts will expire (from January 1, 1970)
○ Reserved: Currently not used, this field is reserved for future use
System Accounts
● Users log in using regular accounts (UID > 1000).

● Special access root account (UID > 0).

● System accounts are designed for services running on the system (UID 1-499)

● System accounts in /etc/passwd and /etc/shadow have some different
fields:
○ Home directory: Typically do not have one
○ Shell: Uses nologin
○ Password: Uses *
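
The fields of /etc/passwd and /etc/shadow described above are most useful when read together. As an added example (not from the original slides), this function joins the two files on the username and reports accounts that break the expectations stated here: an empty password field, a service-range account that can log in, and passwords or accounts past their aging limits. The function name, the finding labels and the sample rows are constructed (the sysadmin rows reuse the slide's UID and aging values), and the aging check is simplified: it ignores the Inactive grace period.

```sh
#!/bin/sh
# Added example: cross-check /etc/passwd against /etc/shadow.
# account_audit PASSWD_FILE SHADOW_FILE [TODAY]
# TODAY is a day count since January 1, 1970, the unit /etc/shadow uses.
account_audit() {
  today=${3:-$(( $(date +%s) / 86400 ))}
  awk -F: -v today="$today" '
    NR == FNR { uid[$1] = $3; shell[$1] = $7; next }     # 1st file: passwd
    {                                                    # 2nd file: shadow
      note = ""
      known   = ($1 in uid)
      usable  = ($2 != "" && $2 !~ /^[*!]/)              # a hash, not * or !
      nologin = (known && shell[$1] ~ /(nologin|false)$/)
      if (!known)   note = note " no-passwd-entry"
      if ($2 == "") note = note " empty-password"
      # Service accounts (UID 1-499 on the slides) should not allow logins.
      if (known && uid[$1] >= 1 && uid[$1] <= 499 && usable && !nologin)
        note = note " service-account-can-log-in"
      if (usable && $3 != "" && $5 != "" && today >= $3 + $5)
        note = note " password-expired"
      if ($8 != "" && today >= $8) note = note " account-expired"
      if (note != "") print $1 ":" note
    }' "$1" "$2"
}

# Constructed sample files; the hashes are placeholders. The sysadmin rows
# reuse the UID and the aging fields shown on the slides.
demo_account_audit() {
  dir=$(mktemp -d)
  cat > "$dir/passwd" <<'EOF'
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
sysadmin:x:1001:1001:System Administrator,,,,:/home/sysadmin:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
EOF
  cat > "$dir/shadow" <<'EOF'
daemon:*:16874:0:99999:7:::
backup:$6$placeholder$hash:16874:0:99999:7:::
sysadmin:$6$placeholder$hash:16874:5:30:7:60:15050:
guest::16874:0:99999:7:::
olduser:!:16000:0:99999:7:::
EOF
  account_audit "$dir/passwd" "$dir/shadow" "${1:-16900}"
  rm -rf "$dir"
}

demo_account_audit
```

On a live system the call is account_audit /etc/passwd /etc/shadow, run with enough privilege to read /etc/shadow. With the slide's values, the Expire field (15050) is earlier than Last Change (16874), so the sample account is reported as expired.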
Group Accounts
● Each user can be a member of one or more groups.

● The /etc/passwd file defines the primary group membership for a user.

● The /etc/group file defines supplemental (or secondary) group
membership.
mail:x:12:mail,postfix

● Fields include:
○ Group Name: Field contains the group name
○ Password Holder: The x means password is not stored in this file
○ GID: Unique group ID associated with group
○ User List: Lists members in the group
Viewing User Accounts
Viewing User Information
● The id command is used to print user and group information.
sysadmin@localhost:~$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin),4(adm),27(sudo)

● Output:
○ Lists user account information first (UID (uid=1001) and username (sysadmin))
○ After username, the primary group is listed (group ID and group name)
○ Other information includes other groups user belongs to (group IDs and group names)

● To display information for a specific account, use the username as an
argument.

● To print only secondary group membership use the -G option.


Viewing Current Users
● The who command lists users who are currently logged in, as well as
where and when they logged in.
sysadmin@localhost:~$ who
root     tty2         2013-10-11 10:00
sysadmin tty1         2013-10-11 09:58 (:0)
sysadmin pts/0        2013-10-11 09:59 (:0.0)

● Output:
○ Username: Indicates user who is logged in and has an open session.

○ Terminal: Indicates which terminal window the user is working in. tty indicates a
local login whereas pts indicates a pseudo terminal.

○ Date: Indicates when user logged in. A hostname means user logged in remotely. A
colon and number means a graphical local login. No location info means user
logged in via local command line.
Viewing Current Users
● The w command provides more detailed information about users
currently on the system.

● Provides info about system status.

● Output looks like:

sysadmin@localhost:~$ w
 10:44:03 up 50 min,  4 users,  load average: 0.78, 0.44, 0.19
USER     TTY      FROM          LOGIN@   IDLE   JCPU   PCPU  WHAT
root     tty2     -             10:00    43:44  0.01s  0.01s -bash
sysadmin tty1     :0            09:58    50:02  5.68s  0.16s pam: gdm-password
sysadmin pts/0    :0.0          09:59    0.00s  0.14s  0.13s ssh 192.168.1.2
sysadmin pts/1    example.com   10:00    0.00s  0.03s  0.01s w
Viewing Login History
● The last command reads all login records from the /var/log/wtmp file.

● Shows previous login sessions as well as current login information.

sysadmin@localhost:~$ last
sysadmin console                   Tue Sep 18 02:31   still logged in
sysadmin console                   Tue Sep 18 02:31 - 02:31  (00:00)

wtmp begins Tue Sep 18 02:31:57 2018
