SUSE Linux Enterprise Desktop Administration - PowerPoint PPT Presentation

Provided by: facult69
Slides: 62

1
SUSE Linux Enterprise Desktop Administration
  • Chapter 9
  • Manage Users, Groups, and Permissions

2
Objectives
  • Objective 1: Understand the Multiuser Environment
  • Objective 2: Manage User and Group Accounts
  • Objective 3: Manage File Permissions and Ownership
  • Objective 4: Perform Tasks as a Different User
  • Objective 5: Use Encrypted File Systems

3
Objective 1: Understand the Multiuser Environment
  • Multiuser capability
  • Allows a number of users to use the system
    simultaneously
  • Multitasking capability
  • Allows programs to run simultaneously
  • Implementation of a multiuser and multitasking
    system
  • Only appears to be simultaneous on a single
    processor system
  • Advantage: while one process waits for input or
    output, the processor can run another process

4
Objective 1: Understand the Multiuser Environment
(continued)
  • UNIX implements preemptive multitasking
  • Each process is allowed a certain amount of time
    during which it can work
  • When this time has expired, the operating system
    temporarily stops the execution of one process
  • And executes another process that is waiting to
    run
  • UNIX controls this sharing of processing time,
    which avoids one process hijacking the processor
  • The OS also coordinates access to resources that
    only one process may hold at a time (a device, a
    file being written)
  • Only one process is granted such a resource; the
    others wait
  • This coordination task is very complex

5
Objective 1: Understand the Multiuser Environment
(continued)
Figure 9-1 Two or more processes need the
same resources exclusively
6
Objective 1: Understand the Multiuser Environment
(continued)
  • Multithreading
  • An extension of multitasking that helps with this
    problem
  • A number of parts that run independently of one
    another (threads) can be created within a process
  • Each thread increases the amount of work the
    process can do in parallel
  • A program exists only once on disk, but several
    processes can run the same program at the same
    time

7
Objective 2: Manage User and Group Accounts
  • You can manage users and groups with YaST or with
    command-line tools
  • To do this, you need to understand the following
  • Basics About Users and Groups
  • Manage User and Group Accounts with YaST
  • Manage Group Accounts from the Command Line
  • User and Group Configuration Files

8
Basics About Users and Groups
  • A UNIX system must be able to uniquely identify
    all users
  • Every user must log in with a username and a
    password
  • Users are represented internally as numbers
  • The number that a user receives is a UID (User
    ID)
  • A Linux system has three kinds of users
  • Regular (normal) user
  • System user
  • The root user

9
Basics About Users and Groups (continued)
  • Users can be grouped together based on shared
    characteristics or activities
  • As with users, each group is also allocated a
    number internally called the GID (Group ID)
  • The GID falls into one of the following ranges
  • Normal groups: GID 100 and above
  • System groups: GIDs from 1 to 99, used by system
    services
  • Root group: GID 0

10
Manage User and Group Accounts with YaST
  • You can access YaST user and group account
    administration in the following ways
  • User administration
  • Group administration
  • If you selected LDAP for authentication during
    the installation
  • You are prompted for the LDAP server
    administrator password

11
Manage User and Group Accounts with YaST
(continued)
  • User administration
  • With the Users button selected, the User and
    Group Administration window lists the existing
    user accounts
  • See Figure 9-2
  • To create a new user account or edit an existing
    account, select Add or Edit
  • See Figure 9-3
  • To set the properties of the user, select the
    Details tab
  • See Figure 9-4

12
Figure 9-2 User administration
13
Figure 9-3 Create a new user account
14
Figure 9-4 Set user properties
15
Manage User and Group Accounts with YaST
(continued)
  • User administration (continued)
  • To set various password parameters, select the
    Password Settings tab
  • See Figure 9-5
  • Set Defaults for New User Accounts
  • You can use YaST to select default settings to be
    applied to new user accounts
  • See Figure 9-6
  • The values are written to the file
    /etc/default/useradd

16
Figure 9-5 Set user password properties
17
Figure 9-6 Set defaults for new user accounts
18
Manage User and Group Accounts with YaST
(continued)
  • Group Administration
  • To administer groups, start YaST and select
    Security and Users > Group Management
  • See Figure 9-7
  • You can create a new group or edit an existing
    group by selecting Add or Edit
  • See Figure 9-8

19
Figure 9-7 Group administration
20
Figure 9-8 Create a new group or edit an existing
one
21
Manage User and Group Accounts from the Command
Line
  • Manage User Accounts from the Command Line
  • The user root can use the following commands
  • useradd to create a new user account
  • passwd to change a user's password
  • userdel to delete an existing user account
  • usermod to modify settings for an existing user
    account
  • Standard configuration information is derived
    from the /etc/default/useradd and /etc/login.defs
    files

22
Manage User and Group Accounts from the Command
Line (continued)
  • Manage User Accounts from the Command Line
    (continued)
  • The passwd command can also be used to
  • Lock (passwd -l) or unlock (passwd -u) a user
    account
  • Show the status of a user account (passwd -S)
  • Change password aging times

Table 9-1 Options for changing password times
23
Manage User and Group Accounts from the Command
Line (continued)
  • Manage User Accounts from the Command Line
    (continued)
  • The /etc/default/passwd file is checked for the
    hashing method to be used for new passwords
  • The method is set in the variable CRYPT (the
    file calls it encryption, but passwords are stored
    as one-way hashes, not as recoverable ciphertext)
  • You can use the id command in a terminal window
  • To display a user's UID and the groups the user
    is assigned to

24
Manage User and Group Accounts from the Command
Line (continued)
  • Manage Groups from the Command Line
  • You can use the following commands
  • groupadd to create a new group
  • groupdel to delete a group
  • groupmod to modify the settings for an existing
    group
  • gpasswd to change passwords for group accounts
  • If you want information on the groups in which
    you are a member, enter groups
  • The newgrp command allows you to change the
    effective group of the executing user

25
User and Group Configuration Files
  • /etc/passwd
  • Stores information for each user such as the
    username, the UID, home directory, and the login
    shell
  • In the past, it also contained the password hash
    (traditionally called the encrypted password)
  • The hash is now stored in /etc/shadow
  • Only readable by root and members of the group
    shadow; /etc/passwd itself stays world-readable
    because commands such as ls need it to map UIDs
    to names
  • Each line in the file represents one user
  • See Figure 9-9

26
User and Group Configuration Files (continued)
Figure 9-9 Information contained in each line of
the /etc/passwd file
27
User and Group Configuration Files (continued)
  • /etc/shadow
  • Stores user password hashes and password
    expiration information
  • Can only be changed by the user root and read by
    the user root and members of the group shadow
  • Each line in the file belongs to one user
  • See Figure 9-10

28
User and Group Configuration Files (continued)
Figure 9-10 Information contained in each line of
the /etc/shadow file
29
User and Group Configuration Files (continued)
  • /etc/group
  • Stores group information
  • Each line in the file represents a single group
    record
  • And contains the group name, the GID, and the
    members of the group

30
Exercise 9-1 Manage User Accounts with YaST and
Get User and Group Information from the Command
Line
  • In this exercise, first create and remove a user
    account with the YaST User Management module
  • Perform the following tasks
  • Create a new account labeled tux for the user Tux
    Penguin with the password of novell
  • Log in as the new user tux
  • Open the /etc/passwd file and look for the
    entries for geeko and tux
  • Log in as geeko and remove tux's account using
    YaST

31
Objective 3: Manage File Permissions and Ownership
  • You can change the current values associated with
    ownership and permissions by knowing how to do
    the following
  • Understand File Permissions
  • Change File Permissions with chmod
  • Change File Ownership with chown and chgrp
  • Modify Default Access Permissions
  • Configure Special File Permissions

32
Understand File Permissions
  • ls -l command
  • Displays the contents of the current directory
  • Along with the assigned permissions for each file
    or subdirectory
  • Each file (and directory) can belong to only one
    user and one group
  • You can also view the permissions, owner, and
    group from the Nautilus file manager

33
Figure 9-11 File properties in Nautilus file
manager
34
Change File Permissions with chmod
  • You can use the chmod command to add or remove
    permissions
  • The following options can be used to change the
    permissions
  • u: Change permissions for the owner (user)
  • g: Change permissions for the group
  • o: Change permissions for others
  • a: Change permissions for all (owner, group, and
    others)

35
Change File Permissions with chmod (continued)
Table 9-2 Examples of the chmod command
36
Change File Permissions with chmod (continued)
  • Using the option -R (recursive) and a specified
    directory
  • You can change the access permissions for the
    directory and all files and subdirectories
    beneath it
  • Besides using letters (rwx), you can also use the
    octal way of representing the permission letters
    with groups of numbers
  • Read 4
  • Write 2
  • Execute 1

37
Change File Permissions with chmod (continued)
Table 9-3 Examples of the chmod command using
numbers equivalents
Table 9-4 Using numbers instead of letters
38
Change File Ownership with chown and chgrp
  • The user root can use the chown command to change
    the user and group affiliation of a file by using
    the following syntax
  • chown new_user:new_group file (the older form
    new_user.new_group is still accepted by GNU chown)
  • To change the owner, but not the group
  • chown new_user file
  • To change the group, but not the user
  • chown :new_group file

39
Change File Ownership with chown and chgrp
(continued)
  • You can also change the group affiliation of a
    file with the chgrp command
  • chgrp new_group file
  • Normal users can use chown or chgrp to move a file
    that they own to a new group, but only to a group
    they are themselves a member of; only root can
    give a file away to another user
  • chown :new_group file

40
Exercise 9-2 Manage File Permissions and
Ownership
  • In this exercise, you create directories with
    different permissions

41
Modify Default Access Permissions
  • By default, files are created with the access
    mode 666 and directories with 777; these are the
    modes a program requests, before the umask is
    applied
  • To restrict these default access modes, you use
    the umask command
  • With a three-digit octal value
  • The permission bits set in the umask are removed
    from the default permissions (a umask never adds
    permissions)
  • umask without any parameters shows the current
    value of the umask with a leading zero

42
Modify Default Access Permissions (continued)
Table 9-5 Examples of the umask command
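
The umask arithmetic and the two chmod notations worked through in a script, as an added example that is not part of the course. It computes the mode a new file or directory receives under a given umask, then creates real files in a temporary directory to confirm the kernel agrees, and applies the same permission set once in symbolic and once in octal form. It assumes GNU coreutils (stat -c %a) and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not from the course: compute the mode a new file or directory
# receives under a given umask, confirm it against the kernel, and show the
# symbolic and octal chmod forms side by side. Assumes GNU coreutils.

# mode_after_umask DEFAULT UMASK -> resulting octal mode
# DEFAULT is 666 for files and 777 for directories (the mode the creating
# program requests); every bit set in UMASK is cleared from it.
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# demo_umask UMASK: create a file and a directory under UMASK and report
# "computed/actual" for each; returns 1 if the kernel disagrees with us.
demo_umask() {
    mask=$1
    work=$(mktemp -d) || return 1
    # umask is per process, so set it in a subshell to leave ours alone
    ( umask "$mask" && touch "$work/file" && mkdir "$work/dir" ) || return 1
    want_file=$(mode_after_umask 666 "$mask")
    want_dir=$(mode_after_umask 777 "$mask")
    got_file=$(stat -c %a "$work/file")
    got_dir=$(stat -c %a "$work/dir")
    echo "umask $mask: file $want_file/$got_file dir $want_dir/$got_dir"
    rm -rf "$work"
    [ "$want_file" = "$got_file" ] && [ "$want_dir" = "$got_dir" ]
}

# demo_chmod: one permission set written both ways the slides describe,
# symbolic (u/g/o/a with +, -, =) and octal (r=4, w=2, x=1), then a
# recursive change over the whole directory.
demo_chmod() {
    work=$(mktemp -d) || return 1
    touch "$work/a" "$work/b"
    chmod u=rwx,g=rx,o= "$work/a"   # symbolic: '=' sets exactly these bits
    chmod 750 "$work/b"             # octal equivalent of the line above
    a=$(stat -c %a "$work/a")
    b=$(stat -c %a "$work/b")
    chmod -R go-rwx "$work"         # recursive: the directory and everything below it
    c=$(stat -c %a "$work/a")
    rm -rf "$work"
    echo "symbolic=$a octal=$b after_go-rwx=$c"
    [ "$a" = 750 ] && [ "$b" = 750 ] && [ "$c" = 700 ]
}

demo_umask 022
demo_umask 077
demo_chmod
```

A umask of 077 gives new files 600 and new directories 700, which is the setting to use for a shared workstation; note that the umask only ever removes bits, so no umask can make a plain file executable.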
43
Configure Special File Permissions
Table 9-6 Special file permissions
44
Ensure File System Security
  • In Linux, file system security is especially
    important
  • Because every resource available on the system is
    represented as a file
  • The Basic Rules for User Write Access
  • Access permissions can be administered separately
    for file owners, user groups, and the rest of the
    world
  • As a general rule, a normal user should only have
    write access in the following directories
  • The home directory of the user
  • The /tmp directory (to store temporary files)

45
Ensure File System Security (continued)
  • The Basic Rules for User Read Access
  • No normal user account should be able to read the
    content of files that store passwords or password
    hashes, including
  • /etc/shadow
  • /etc/samba/smbpasswd
  • Files with Apache passwords (htpasswd files)
  • /etc/openldap/slapd.conf (contains the rootpw of
    the directory)
  • /boot/grub/menu.lst (may contain the GRUB
    password)
  • Some password files can be readable for a nonroot
    account
  • This is normally the account under whose user ID
    a service daemon is running
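
The read and write rules above, and the special permissions of Table 9-6, turned into the checks an administrator runs, as an added example that is not part of the course. The script builds a small constructed directory tree with one good and one bad case of each rule (no root needed: the setuid bit can be set on a file you own), then lists setuid/setgid executables, world-writable locations that lack the sticky bit, and password files that others can read. Point the same functions at / on a real system.

```shell
#!/bin/sh
# Added example, not from the course: the checks behind the basic rules for
# user write and read access, run over a constructed sample tree.

# build_sample_tree: constructed tree with a good and a bad example of each
# rule; prints its path
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/tmp" "$t/shared" "$t/etc" "$t/home/geeko"
    touch "$t/bin/su" "$t/bin/ls" "$t/etc/shadow" "$t/etc/smbpasswd" "$t/home/geeko/notes"
    chmod 4755 "$t/bin/su"         # setuid: legitimate here, but every one must be known
    chmod 755  "$t/bin/ls"
    chmod 1777 "$t/tmp"            # world-writable with sticky bit: the /tmp pattern
    chmod 777  "$t/shared"         # world-writable without sticky bit: anyone can delete
    chmod 640  "$t/etc/shadow"     # owner and group only, as on SLED
    chmod 644  "$t/etc/smbpasswd"  # password file readable by everyone: wrong
    chmod 644  "$t/home/geeko/notes"
    echo "$t"
}

# find_setuid DIR: files carrying the setuid or setgid bit (Table 9-6)
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# find_world_writable DIR: files and directories others may write to,
# excluding directories that carry the sticky bit (like /tmp)
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print
}

# world_readable FILE...: prints each given file that others can read
# (tests the permission bits, not whether the current user can read it)
world_readable() {
    for f in "$@"; do
        [ -e "$f" ] && find "$f" -prune -perm -0004 -print
    done
}

T=$(build_sample_tree)
echo "setuid/setgid:";      find_setuid "$T"
echo "world-writable:";     find_world_writable "$T"
echo "readable by others:"; world_readable "$T/etc/shadow" "$T/etc/smbpasswd"
rm -rf "$T"
```

On a real system, compare the setuid list against the one recorded after installation; a new entry is either a package update or a problem. The world-writable check is what catches the "shared" directory that someone chmod 777'd to make a transfer work.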

46
Objective 4: Perform Tasks as a Different User
  • Some tasks can only be done from the root user
    account
  • Sometimes root might want to delegate tasks to
    normal users
  • This objective covers both scenarios
  • Perform Administrative Tasks as root
  • Delegate Administrative Tasks with sudo

47
Perform Administrative Tasks as root
  • As a system administrator, you are advised to log
    in as a normal user
  • And only switch to root to perform tasks that
    require root permissions
  • Start Programs from GNOME as Another User
  • You can start any program with a different UID
    (as long as you know that user's password)
  • Using the program gnomesu
  • You can specify a different user than root and
    also start a program directly with the following
    syntax
  • gnomesu -u user command

48
Perform Administrative Tasks as root (continued)
  • Switch to Another User with su
  • You can use the su (switch user) command to
    assume the UID of root or of other users
  • su syntax
  • su [options] [-] [user [argument ...]]
  • Switch to Another Group with newgrp
  • A user can be a member of many different groups
  • However, he or she can have only one effective
    (current) group at any one time; it becomes the
    group of files the user creates (unless the
    directory carries the setgid bit)
  • You can change the effective group GID with the
    command newgrp or sg

49
Delegate Administrative Tasks with sudo
  • The default configuration of sudo in SLED 10
    requires the knowledge of the root password
    (/etc/sudoers ships with Defaults targetpw and
    ALL ALL=(ALL) ALL)
  • Advantages of using sudo
  • Executed commands are logged to /var/log/messages
  • You do not need to retype the password for each
    command
  • /etc/sudoers configuration file
  • Can be changed so that sudo asks for the user's
    own password instead of the root password
  • Specifies which commands a user can or cannot
    run; always edit it with visudo, which locks the
    file and checks the syntax before saving

50
Delegate Administrative Tasks with sudo
(continued)
Figure 9-12 Example illustrating the flexibility
of sudo
51
Exercise 9-3 Use sudo to Perform Tasks as root
  • In this exercise, you use sudo to view the
    /var/log/messages log file as a normal user
  • First, use visudo as root to change the sudo
    configuration to allow geeko to use the tail
    command to view the last lines of
    /var/log/messages and any new lines added to it
  • Then, as geeko, view the end of the
    /var/log/messages log file using sudo
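
The two sides of Exercise 9-3 in script form, as an added example that is not part of the course: the sudoers lines that let geeko run only tail -f /var/log/messages as root (with a syntax check through visudo -c -f so a typo never locks you out of sudo), and a reader for the records sudo writes to syslog, so the "commands are logged" advantage turns into something you can query. The host name, time stamps and log lines are constructed samples in the format sudo uses.

```shell
#!/bin/sh
# Added example, not from the course: delegate one command with sudo and
# read back what sudo logged.

# delegation_rule: the fragment to add with visudo. Remove the SLED 10
# defaults "Defaults targetpw" and "ALL ALL=(ALL) ALL" when you add it;
# keeping ALL ALL=(ALL) ALL with targetpw switched off would let every
# user run anything with their own password.
delegation_rule() {
    cat <<'EOF'
# Ask for the invoking user's own password, not root's
Defaults !targetpw
# geeko may run exactly this command, as root, on any host
geeko ALL=(root) /usr/bin/tail -f /var/log/messages
EOF
}

# check_rule: syntax-check the fragment without touching /etc/sudoers.
# Returns 0 if visudo accepts it, 2 if visudo is not installed here.
check_rule() {
    command -v visudo >/dev/null 2>&1 || return 2
    f=$(mktemp) || return 1
    delegation_rule > "$f"
    visudo -c -f "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Constructed lines in the format sudo writes via syslog to /var/log/messages.
SAMPLE_LOG='Mar  3 09:12:01 da51 sudo:    geeko : TTY=pts/0 ; PWD=/home/geeko ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/messages
Mar  3 09:13:44 da51 sudo:    geeko : command not allowed ; TTY=pts/0 ; PWD=/home/geeko ; USER=root ; COMMAND=/bin/bash
Mar  3 09:14:02 da51 sudo:      tux : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/tux ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/messages
Mar  3 09:15:10 da51 kernel: usb 1-1: new high speed USB device
Mar  3 09:16:30 da51 sudo:     root : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo'

# sudo_report LOGTEXT: one "STATUS user->target command" line per sudo record.
# A successful record starts "user : TTY=..."; a refused one carries the
# reason in that position instead ("command not allowed", "N incorrect
# password attempts").
sudo_report() {
    printf '%s\n' "$1" | awk '
        /sudo: / {
            sub(/^.*sudo: +/, "")             # drop the syslog prefix
            n = split($0, f, / ; /)           # fields are separated by " ; "
            split(f[1], head, / : /)          # "user : TTY=..." or "user : reason"
            user = head[1]
            status = "OK"
            if (head[2] !~ /^TTY=/) status = "DENIED(" head[2] ")"
            target = ""; cmd = ""
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
                if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            }
            print status " " user "->" target " " cmd
        }'
}

# denied_count LOGTEXT: number of refused sudo attempts
denied_count() {
    sudo_report "$1" | grep -c '^DENIED'
}

delegation_rule
check_rule || echo "visudo check skipped or failed (rc=$?)"
sudo_report "$SAMPLE_LOG"
```

Feed the live log with sudo_report "$(grep 'sudo: ' /var/log/messages)". The DENIED lines are the ones worth watching: a user trying a command outside their rule, or repeated wrong passwords, shows up there before anything else does.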

52
Objective 5: Use Encrypted File Systems
  • With SLED 10, it is possible to encrypt a file
    system on a partition
  • Or to create encrypted home directories based on
    images that contain an encrypted file system
  • Both can be set up with YaST
  • Use YaST to Encrypt a Partition
  • Create an Encrypted Image as Home Directory for a
    User

53
Use YaST to Encrypt a Partition
  • You only need to select the appropriate option
    when creating the partition in YaST
  • Enter a password to unlock the partition when it
    is mounted
  • See Figures 9-13 and 9-14
  • The minimum password length required is eight
    characters, but a longer password is advisable

54
Figure 9-13 Create an encrypted partition
55
Figure 9-14 Enter a password for an encrypted
partition
56
Use YaST to Encrypt a Partition (continued)
  • To unlock the partition when the system boots, a
    prompt appears during the boot process
  • The machine boots up even if no password is
    entered, but the partition is not accessible
  • To access the partition, log in as root and enter
    /etc/init.d/boot.crypto start
  • Then enter the password for the partition

57
Create an Encrypted Image as Home Directory for a
User
  • Another approach is offered in YaST as part of
    the User Management module
  • See Figure 9-15
  • You specify a size; YaST creates a file of that
    size with an encrypted file system inside
  • The file system is mounted as a loop device
  • The image file is named username.img and located
    in /home
  • The key used to decrypt the image is username.key
    in /home, and the user's login password is used to
    unlock that key

58
Figure 9-15 Create an encrypted image as a home
directory for a user
59
Summary
  • Linux is a multiuser, multitasking, and
    multithreading operating system
  • Users use normal user accounts to log in to the
    system
  • Each user account is a member of one or more
    groups
  • Linux systems store user information in
    /etc/passwd and password information in
    /etc/shadow
  • For system identification, each user account has
    a UID, and each group account has a GID

60
Summary (continued)
  • The id command displays your UID, GIDs, and
    primary GID
  • The su and gnomesu commands can be used to switch
    to another user account or run a program as
    another user account
  • You can use the useradd, usermod, and userdel
    commands to add, modify, and remove user accounts
    on your system
  • You can change user account passwords, lock user
    accounts, and control password expiry settings
    using the passwd command

61
Summary (continued)
  • YaST can be used to perform all user and group
    management functions
  • You can assign read, write, and execute
    permissions to files and directories
  • Permissions can be set on the owner of a file
    (owner), members of the group of the file
    (group), as well as everyone else on the system
    (others) using the chmod command
  • Encryption complements file and directory
    permissions: permissions are enforced only by a
    running kernel, while encryption also protects the
    data if the disk is read from another system