1. System Administration
Now in this unit, we’re going to deal with system administration. So what do we mean by system administration? Administering the operating system itself. That generally means we’re going to talk about accessing the operating system and dealing with user accounts and groups of users. Not only must we deal with authentication, but we must also deal with authorization, which is the permissions: what are you allowed to do?
Now we’ll talk about managing file and directory permissions on a user-by-user basis or on a group basis, which is probably a lot easier for your administration. We’ll also talk about how Linux uses discretionary access control, which means that the owner of a file gets to make the decisions about its permissions. We’re going to look at configuring environment variables, which are very helpful, especially in scripting and programming. And then we’ll talk about how to configure the GUI environment, which really just means the background pictures, the colors, the scheme, the resolution, the refresh rate, and all of that sort of stuff that is part of the system.
2. Topic A: Users and Groups
All right, so in our first topic, we’re going to begin with the authentication, and that is the users and groups. Now, remember, I’m kind of a security fanatic, so you always hear me talk about AAA, which stands for authentication, authorization, and accounting. We’re not going to focus on the accounting so much, and that’s going to drive me crazy. We’ll talk about logging later on, but for now, we’re going to focus on authentication, who you are, and authorization, your permissions. And so you’re going to kind of see all of that as we put it together. So we start off with the authentication of users and groups.
3. User Security – /etc/passwd
All right, so user accounts are generically stored in a file called passwd, that is “password” without the O and the R, and it lives in the /etc directory: /etc/passwd. Now you can have many user accounts there. In fact, you should, because Linux is a multiuser operating system, and networking was built into the core of the operating system from the start. So that means that authentication and authorization are very critical, because we can have people from all over the world accessing this operating system and trying to get at our data. Now in this file, every user account is defined, line by line. The downside is that this file has to be readable by every user on the system (commands like ls need it to turn a numeric user ID back into a name), so everything in it is visible to everyone. Historically the password hash itself was stored right there in /etc/passwd, which meant any local user could copy the hash out, take it away, and crack it offline at their leisure to find out what the real password was. And so one of the weaknesses right away is that this file is very open, very easy to get into, and, on a system that still keeps hashes in it, very simple to copy the password hashes out of.
Now, when I say cracking a password hash: a fast, unsalted hash of a short password can fall in minutes on commodity hardware, and precomputed tables of hashes, which we call rainbow tables, turn the work for a given hash function into a lookup. How far that reaches (ten characters, twelve, more) depends on where we are today with processing power, on the hash algorithm, and on whether the hash is salted. Linux password hashes are salted and deliberately slow, which defeats rainbow tables but not a dictionary or brute-force attack aimed at each hash individually. So the longer and less predictable the passwords, the harder this gets. But there’s another way around this issue, which we’ll get to in a moment. What you need to know first is that most of that user information is defined line by line in the /etc/passwd file.
4. Password File Fields
So when we take a look at that password file, and remember, everybody can read this thing, you’re going to see a line for each user, with the fields separated by colons. Let’s break it down. The username is pretty straightforward; it is the name the user logs in with. The next field is the password, or rather a reference to it. If you are using just this generic file to hold the password hash, that’s what can be taken advantage of.
More likely you’ll just see an x there, a placeholder meaning that the hash is actually stored in a secure file we haven’t yet talked about, called the shadow file. Then you’re going to have the user’s ID (UID), their unique numeric identifier; their primary group ID (GID); and their GECOS field. GECOS? The name is a leftover from the General Electric Comprehensive Operating System, to which early Bell Labs Unix machines submitted batch and print jobs using the information in this field; today it is just a free-form comment. That’s where you might find their actual full name, phone number, or other descriptors about that account. Their home directory and the shell they get at login are the last two fields, and that is all of the information you find in a /etc/passwd line. Again, the file is /etc/passwd; we often just call it the password file.
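As an added example, not part of the course, here is a small shell audit that reads /etc/passwd-format lines and flags the things the field-by-field walkthrough above warns about: a password field that is not the x placeholder (a hash or, worse, nothing at all), a second UID 0 account, duplicate UIDs, and service accounts with an interactive shell. The sample input is constructed for the example, and the 1000 boundary for system accounts follows the usual Debian and Red Hat defaults.

```sh
#!/bin/sh
# Added example (not course material): audit lines in /etc/passwd format.
# Fields: name:password:UID:GID:GECOS:home:shell

# Constructed sample data for the demo; the hash is a placeholder, not real.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/bash
legacy:$6$saltsalt$notARealHash:1001:1001::/home/legacy:/bin/bash
nopw::1002:1002::/home/nopw:/bin/sh
trainer:x:1000:1000:Trainer,,,:/home/trainer:/bin/bash'

# audit_passwd reads passwd lines on stdin, prints one line per finding and
# returns the number of WARN findings (0 = clean, capped at 255 by the shell).
audit_passwd() {
    findings=0
    seen_uids=" "
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ -z "$user" ]; then continue; fi

        # Password field: "x" means the hash lives in /etc/shadow, which is
        # root-only. Anything else is exposed to every local user.
        case "$pw" in
            x)  ;;
            "") echo "WARN $user: empty password field, login needs no password"
                findings=$((findings + 1)) ;;
            *)  echo "WARN $user: credential stored in world-readable passwd"
                findings=$((findings + 1)) ;;
        esac

        # UID 0 is root whatever the name says; a second one is a backdoor.
        if [ "$uid" -eq 0 ] && [ "$user" != root ]; then
            echo "WARN $user: UID 0 under a name other than root"
            findings=$((findings + 1))
        fi

        # Two names sharing a UID share every file and process owned by it.
        case "$seen_uids" in
            *" $uid "*) echo "WARN $user: duplicate UID $uid"
                        findings=$((findings + 1)) ;;
            *)          seen_uids="$seen_uids$uid " ;;
        esac

        # System accounts (UID 1..999 on Debian/Red Hat defaults) should not
        # have a shell that lets someone log in interactively.
        if [ "$uid" -gt 0 ] && [ "$uid" -lt 1000 ]; then
            case "$shell" in
                */nologin|/bin/false|/bin/sync) ;;
                *) echo "INFO $user: system account with login shell $shell" ;;
            esac
        fi
    done
    echo "findings: $findings"
    return "$findings"
}

# Demo on the constructed sample (on a real box: audit_passwd < /etc/passwd).
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd || echo "exit status $? = WARN count"
```

On the sample this reports four warnings: toor is a UID 0 account under another name and duplicates root’s UID, legacy keeps a hash in the world-readable file, and nopw has no password at all. The exit status carries the count so the function can sit in a cron job or a CI check.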
5. User Security – /etc/shadow
Now, because of the issue of the password hash being so easy to get out of the password file, there’s another, more secure file called the shadow file, /etc/shadow. It was meant as an improvement to security, and today every mainstream distribution stores the password hashes in the shadow file instead of in /etc/passwd. This file is not readable by anyone except the root account (and, on some distributions, a dedicated shadow group); the programs that need to check a password, such as login, su and sudo, run with root privilege or through PAM so they can read it on your behalf. This way, if somebody reads the password file or even steals it, they still don’t have the hashes; they have to find a way into this particular file first before they can start cracking the passwords of those users.
Remember, I told you I was going to take these security back roads. Anything stored on a hard drive is only protected by the operating system while that operating system is running. If somebody can read the drive directly, image it, or pull it out of the machine and mount it somewhere else, they can open /etc/shadow regardless of who they are; it is just a text file. The one thing that changes this is full-disk encryption, which keeps the file unreadable without the key even when the drive has left the box. So you’ve got to be cautious when I talk about security: physical security (can I touch it? can I get into the server room?) is just as important as all these other elements, because once I have this file it’s very easy to attack your systems and work out your passwords.
6. Shadow File Fields
Now, the shadow file has other fields, and they are all about the password, because that’s what we’re doing here: managing passwords. So obviously it has the username and the password hash, but it also stores for us the date of the last password change (counted in days since 1 January 1970), the minimum number of days that must pass before you may change your password again, the maximum number of days you can keep a password before I force you to change it, how many days of warning I give you before that, how many days of inactivity I allow after the password expires before I disable the account, and an optional date on which the account itself expires. So let’s think about that. A lot of times we tell people, “Hey, you’ve got to change your password.”
And so they’ll change it, and then they’ll change it right back to the old one again. They met the requirement of changing the password; in fact, they did it twice. So if the minimum is set to ten days, once they change their password they can’t change it again for ten days, and if I say every 60 days you have to change it, then in 60 days you’re going to have to change it. I might give you seven days of warning, saying, “Hey, we’re getting really close to you having to change it.” If you still don’t get it done, maybe I’ll give you a few days of grace after the 60 days, and at some point I’m just going to disable your account. We cannot let passwords go unchanged in today’s world when we know that even brute force may only take days or weeks to find a weak one.
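To make those aging fields concrete, here is an added example (mine, not the course’s) that reads a shadow-format entry and says what the fields mean for that account today: the hash type, whether the password is still valid, in its warning period, expired, or past the inactivity limit, and whether the account itself has expired. The entries are constructed with placeholder hashes, and the day number is passed in as an argument so the output is reproducible (use today_days for the real value).

```sh
#!/bin/sh
# Added example (not course material): interpret /etc/shadow aging fields.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Dates are day counts since 1970-01-01, not timestamps.

today_days() { echo $(( $(date +%s) / 86400 )); }

# Classify the second field. An empty field is the dangerous case: it means
# no password is needed at all, which is not the same as locked.
pw_kind() {
    case "$1" in
        "")        echo "NO-PASSWORD" ;;
        '!'*|'*'*) echo "locked" ;;
        '$6$'*)    echo "sha512" ;;
        '$y$'*)    echo "yescrypt" ;;
        '$5$'*)    echo "sha256" ;;
        '$1$'*)    echo "md5" ;;
        *)         echo "other" ;;
    esac
}

# shadow_status TODAY SHADOW_LINE -> "user: kind, verdict"
shadow_status() {
    today=$1
    printf '%s\n' "$2" | {
        IFS=: read -r user pw last min max warn inact expire rest
        kind=$(pw_kind "$pw")
        if [ -z "$last" ]; then
            verdict="aging disabled"
        elif [ "$last" -eq 0 ]; then
            verdict="must change at next login"
        elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            verdict="never expires"
        else
            due=$((last + max))
            if [ "$today" -le "$due" ]; then
                left=$((due - today))
                if [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
                    verdict="expires in ${left}d, in warning period"
                else
                    verdict="expires in ${left}d"
                fi
            else
                over=$((today - due))
                verdict="password expired ${over}d ago"
                # Inactivity: days after expiry in which the user may still log
                # in and set a new password; after that the account is disabled.
                if [ -n "$inact" ] && [ "$over" -gt "$inact" ]; then
                    verdict="$verdict, account disabled after ${inact}d inactivity"
                fi
            fi
        fi
        # Field 8 is an absolute account expiry, independent of the password.
        if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
            verdict="$verdict, ACCOUNT EXPIRED"
        fi
        echo "$user: $kind, $verdict"
    }
}

# shadow_report [TODAY] < /etc/shadow   (reading the real file needs root)
shadow_report() {
    today=${1:-$(today_days)}
    while IFS= read -r line; do
        if [ -n "$line" ]; then shadow_status "$today" "$line"; fi
    done
}

# Constructed entries (placeholder hashes) showing each state, for day 19800.
SAMPLE_SHADOW='root::19000:0:99999:7:::
alice:$6$salt$hash:19700:7:60:7:14::
bob:$y$j9T$hash:19790:0:90:7:::
carol:!$6$salt$hash:19790:0:99999:7:::
eve:$6$salt$hash:19700:0:60:7::19750:
frank:$6$salt$hash:19745:1:60:10:::'

printf '%s\n' "$SAMPLE_SHADOW" | shadow_report 19800
```

Note the root line: an empty hash field reports NO-PASSWORD, which is what the lab system in the demo below has, and is why su to root asks for nothing. A locked account (carol) shows a leading exclamation mark instead.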
7. Privilege Escalation
Now, a lot of times the commands that we have to use to open up the shadow file, or even to add users or create new groups, need root permissions. And so we do what’s called privilege escalation. As a good security practice, you should never do your everyday work logged in as root or as any account with root access. You should be logged in as an ordinary user, so that if you open a bad email attachment, browse to a malicious site, or simply make a typo, the damage is limited to what that user can do. When you do need those permissions, you log in as an ordinary user and, when you need to become another user, you use the command su, which stands for substitute user. We talked about this in another unit.
When you run su, you can switch to root or to some other administrative account, enter that account’s password, and then issue your commands in that new context. Or, if it’s a one-time command, which is the better way to do it, you use sudo, which is su with a “do” on the end: “do this one command as that user.” So sudo allows me to run a specific command as root (or another privileged user) while authenticating with my own password, and it logs who ran what, which gives us the accounting part of AAA for free. It’s a very common thing that we do. So if you wanted to open up the shadow file, you’d prefer doing it with a sudo command.
8. Demo – Exploring User Accounts
Okay, we’re going to take a tour of the user accounts, and we’ll start off with a nice little spot, which is where are they stored? So I’m going to open up a terminal here and notice who I am. You should be able to tell that I’m an ordinary user and not root just based on that prompt. And the reason that’s important is that I want to make sure you see the difference between being root and being some other user when it comes to looking at files. Now I’m going to use the cat command, and we’re going to look at the password file, cat /etc/passwd. I’m going to pipe that into more so it doesn’t just scroll off our screen. And here you can see information about the users.
So here’s the user root, there’s their password field, an x. That is our indication that the password is actually being managed in the shadow file. All right. And then, of course, root’s UID and GID of 0, the home directory I would be going to, and then the location of the bash shell. And you see that all the way through. Now, as I’m going through here, you see a lot of these different types of service accounts and user accounts. I hit the space bar, and since I’m the only other real user account on this system, what you’re seeing here is me at the bottom of the list. So again, my password hash, which you don’t actually see here, is stored in the shadow file. They all are. I do start at my home directory, and that is where my bash shell is. And this, of course, is my full name in the GECOS field. So all this stuff is pretty straightforward, I hope, in locating the information and figuring out who the users are. And if you wanted to, you could actually edit this file and add users manually that way; if you do, use vipw rather than a plain editor, so the file is locked while you edit it and useradd can’t change it underneath you. But what I wanted to show you beyond that, let me clear the screen, is the shadow file.
So let’s ls /etc. And here you should see the shadow file. In fact, let’s compare ls /etc to ls -l /etc to make it easier to see. And as I start looking through this list, here we go. Here’s the shadow file. What you find interesting when looking at the shadow file is the permissions column: nothing is listed at all, every position is a dash, basically saying that nobody’s going to do any work with this file except for the root account, which can read it regardless of the mode bits. It’s owned by root, and its group is root too. So I shouldn’t be able to open it, and let’s test that out. If I say cat /etc/shadow, it tells me that, in fact, permission is denied. So that’s what we wanted. We wanted to make sure that I actually couldn’t see the password hashes there. Now I’m going to su to be promoted to the superuser.
Now, that was very easy. su is substitute user, though we used to call it superuser; either way, it moves me to root. It was easy because there’s no root password either. In fact, this is a very insecure installation of Linux, but it’s done for our purposes in labs. And now I’m going to try that same command. Oh, look at this, no up arrow. Oh, there we go. I do have an up arrow. All right, so I’m going to look at that shadow file, I’m going to cat it, pipe it through more, and boom, I can see it. And the reason I can see it is that I changed my user account to the root account, so I can start looking at the information.
And then, if I wanted to, I could try to start cracking any of the password hashes that I found. But as you can tell, we really don’t have any password information. All of this stuff is just blanked out. Be careful what that means, though: an empty hash field is not a locked account, it is an account with no password at all, which is exactly why su to root asked me for nothing; a locked account shows an exclamation mark or an asterisk in that field instead. Okay, again, you’ll notice, if I don’t point it out, that there is an entry in this shadow file for everybody that was in the password file, and that’s because there should be a one-to-one relationship between the user accounts in the password file and the entries stored in the shadow file. Shadow, again, was our way of keeping password hashes private so that people couldn’t just literally copy them out of the password file. It was our added security, and that’s our first introduction, anyway, to the user accounts.
9. Demo – Adding Your Account to the sudoers File
Okay, we’ll get to work here adding our account to the sudoers file. That’s the sudo thing. And let me start off by showing you who I am. I am currently logged in as root, but what we’re going to do is take my trainer account and add it to this file. Basically, our goal is to make sure that the user trainer can, from any host, issue any command with the sudo command by entering their own password.
So at least that’s what our goal is, to add us in there. We’re basically cheating by giving ourselves some extra capability, and we’re going to use visudo. This command looks strange, because you’d expect a space between vi and sudo, but it is a special-purpose command that opens the sudoers file in an editor, locks it so that no one else can edit it at the same time, and checks the syntax before the new version is installed. It tells me, in fact, that this file has to be edited with the visudo command as root. And I am root. I’m going to move the cursor all the way down to the bottom, and from there I’m going to add in my user account, which is trainer, followed by ALL=(ALL:ALL) ALL.
So we do need the whole thing, parentheses, colon and all: trainer ALL=(ALL:ALL) ALL means “from any host, as any user and any group, any command,” and since we didn’t add NOPASSWD, as long as I have the password to that account I can run this from any location. Now, the bottom of my screen shows all these little shortcuts, and that little caret there actually means the control key, if you weren’t aware of that. (Those shortcuts tell you that visudo has opened the file in nano rather than vi; on Debian and Ubuntu that is the default editor, and the EDITOR variable selects a different one.) I’m going to press Control-X to exit, and it’s going to ask me if I want to save. I’m going to hit Y for yes. It then prompts for the file name to write, and you can see that it wants to write a temporary file, /etc/sudoers.tmp. I didn’t want it saved as a temporary file, I wanted it to be the sudoers file, so I backspaced over that line, typed the real path, pressed Enter, and answered yes to the overwrite. visudo then reported that /etc/sudoers.tmp was unchanged, but the changes were made to the sudoers file. A caveat on that step: accept the temporary name instead. visudo parses /etc/sudoers.tmp for syntax errors and only then installs it as /etc/sudoers; writing straight to /etc/sudoers from inside the editor skips that check, and a single typo in this file locks every user out of sudo.
Okay, we could always cat /etc/sudoers to confirm that. trainer ALL=(ALL:ALL) ALL is right there at the bottom. And I’m going to exit this shell, or quit this shell. There we go. I’m just going to close it down; it wouldn’t let me kill it the other way. The purpose of that is so that I can open up a new shell in the terminal. Now, who am I? I am trainer. So you can see that I certainly am not root. I’m going to do sudo, and then I want to cat the /etc/sudoers file. In fact, before I do that, let me just show you what happens if I try to run that cat command on its own: it says “Permission denied.” So that’s why. Up arrow, jump to the start of the line, and insert sudo and a space. Remember, knowing these little shortcuts is really going to save you a lot of time when you’re working with these things. And hit Enter. And it says, “We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: respect the privacy of others, think before you type, with great power comes great responsibility.” It asks for the password for trainer, and boom, I knew the password, and I was able to show you the file, so I had the ability to run it. So that was a special command, visudo, to enter or edit the sudoers file.
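Here is an added example (not the course’s own steps) of the way I would make the same grant in practice, covering both the privilege-escalation topic and this demo: a drop-in file under /etc/sudoers.d, mode 0440, validated with visudo -cf before it is allowed to stay. Because any syntax error in a sudoers file disables sudo for everyone, the function deletes the file if visudo rejects it. The directory argument and the sudo_spec_risk rating scale are my own conventions for the example, and the demo run writes into a temporary directory rather than /etc.

```sh
#!/bin/sh
# Added example (not course material): grant sudo rights via /etc/sudoers.d
# instead of editing /etc/sudoers by hand, and validate before trusting it.

# grant_sudo USER [DIR]  -> writes DIR/USER and prints its path
# DIR defaults to /etc/sudoers.d; pass another directory to try it unprivileged.
# (sudo ignores drop-in names containing "." or "~", so use plain usernames.)
grant_sudo() {
    user=$1
    dir=${2:-/etc/sudoers.d}
    file="$dir/$user"

    # Same grant the demo typed: any host, run as any user:group, any
    # command, after the user's own password. No NOPASSWD: keep the prompt.
    printf '%s ALL=(ALL:ALL) ALL\n' "$user" > "$file" || return 1
    chmod 0440 "$file"       # sudo refuses world-readable or writable files

    # visudo -c = check only, -f = check this file rather than /etc/sudoers.
    # A bad file must not stay behind: a parse error here breaks sudo globally.
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$file" >/dev/null; then
            rm -f "$file"
            echo "refused: $file did not pass visudo" >&2
            return 1
        fi
    fi
    echo "$file"
}

# sudo_spec_risk 'LINE' -> rating of one user specification line.
# The two mistakes to catch are NOPASSWD and an unrestricted ALL command.
sudo_spec_risk() {
    case "$1" in
        *NOPASSWD:*" ALL") echo "high: passwordless root for any command" ;;
        *NOPASSWD:*)       echo "medium: passwordless, but command-restricted" ;;
        *"=("*")"*" ALL")  echo "normal: any command, password required" ;;
        *)                 echo "restricted: specific commands only" ;;
    esac
}

# Demo in a scratch directory (on a real host: grant_sudo trainer, as root).
tmp=$(mktemp -d)
f=$(grant_sudo trainer "$tmp")
cat "$f"
sudo_spec_risk "$(cat "$f")"
sudo_spec_risk 'trainer ALL=(ALL) NOPASSWD: ALL'
rm -rf "$tmp"
```

After installing a real drop-in, run sudo -l as the user to confirm what sudo actually granted; the rating function is only a quick screen for the two patterns that turn “sudo for one task” into an unaudited root shell.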
10. User Accounts
You can now use a simple command called useradd to create a user account from the command line. On some systems there is also adduser. On Red Hat-style systems adduser is just a symbolic link back to useradd, but on Debian-style systems it is a script (historically Perl) that drives useradd in an interactive, policy-driven way, so it can ask you questions like the home directory, the group, and the full name, making it a little easier to put it all together. Either way, useradd is the command that does the actual work: create a new user and add them to the system. When we’re putting it together, there are switches that fill in the blanks.
Remember that this user has a lot of different fields, so the switches map onto them: which home directory they get and its path (-d, with -m to create it); their primary group (-g), and we haven’t gotten to permissions yet, so we’ll talk about that group ID in a bit; supplementary groups (-G); their encrypted password (-p, which expects an already hashed value, not plaintext); the shell they’re going to use (-s); their user ID (-u); and this thing we call the skeleton directory (-k), the template whose contents are copied into the new home directory. We’ll get to talk about some more of these as we move on. But this is a simple command that adds the account to your Linux operating system so that somebody can now log in with this new account.
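As an added example (mine, not the course’s), here is the account provisioning I would script from those switches, with the shadow aging policy from the earlier section applied by chage right after useradd. Both commands need root, so the function has a DRY_RUN mode that prints the command lines instead of executing them; the account, group names and placeholder hash in the demo call are constructed. hash_password shows the safe way to produce the value -p expects.

```sh
#!/bin/sh
# Added example (not course material): provision a login account with the
# useradd switches above, then apply a shadow aging policy with chage.
# DRY_RUN=1 prints the commands instead of executing them (both need root).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"        # arguments shown unquoted, for reading only
    else
        "$@"
    fi
}

# useradd -p stores its argument verbatim in the hash field of /etc/shadow.
# It must already be a crypt(3) hash; passing plaintext leaves a string in
# the field that matches no password, so the user cannot log in at all.
# openssl passwd -6 produces a salted SHA-512 crypt hash (random salt).
hash_password() {
    openssl passwd -6 "$1"
}

# provision_user NAME FULLNAME PRIMARY_GROUP [EXTRA_GROUPS] [HASH]
provision_user() {
    name=$1 fullname=$2 pgroup=$3 extra=$4 hash=$5

    # -m create the home directory, -d its path, -k the skeleton directory
    # copied into it, -s the login shell, -g the primary group (GID field),
    # -c the GECOS/comment field. The UID (-u) is left for useradd to pick.
    set -- useradd -m -d "/home/$name" -k /etc/skel -s /bin/bash \
        -g "$pgroup" -c "$fullname"
    if [ -n "$extra" ]; then set -- "$@" -G "$extra"; fi   # supplementary groups
    if [ -n "$hash" ];  then set -- "$@" -p "$hash";  fi   # pre-hashed password
    run "$@" "$name" || return 1

    # Aging policy from the shadow-file discussion: at least 1 day between
    # changes (defeats change-and-change-back), at most 60 days per
    # password, 7 days of warning, disable 14 days after expiry.
    run chage -m 1 -M 60 -W 7 -I 14 "$name"
}

# Dry run on a constructed account; the hash argument is a placeholder.
DRY_RUN=1 provision_user alice "Alice Example" users sudo '$6$salt$placeholder'
```

For a real account, generate the hash with hash_password, pass it in, and leave DRY_RUN unset; leaving HASH out creates the account locked with no usable password, which is the right state until the user sets one through passwd or your onboarding process.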