Linux Foundation LFCS – Domain No. 3 – User and Group Management
Hello and welcome again. In this lecture we’re going to create, modify and delete user accounts. So let’s start. The command used to create a user is useradd, followed by the options you want to use and then the user name. The default settings for a new user can be viewed and modified using the -D option. So if I run useradd -D, it gives me all the default options that are available. But suppose, in this setting, I don’t want to use the default shell of /bin/bash; I want to use /bin/ksh instead. So I will do useradd -D -s /bin/ksh, for the Korn shell.
And if I run useradd -D now, whichever user I create is automatically going to have /bin/ksh as the default shell. So let me go ahead and change it back, because I just wanted to show you. To add a simple user, what you’re going to do is useradd user1. Suppose my user’s name is user1, and the user is added. Suppose I want to give them a user ID of 1099, I want to comment it as “new user”, and I want the default shell to be /bin/ksh. So how do you do that?
useradd -u for the user ID, give it 1099, then -c, and in the comment I want to say “new user”, and then -s /bin/ksh user1. Well, user1 already exists, so I’m going to go ahead and run userdel, which is for delete, on user1 so I can recreate them. Okay, now I’m going to use the up arrow key and bring this command back.
useradd -u 1099, which is the user ID, -c “new user”, -s /bin/ksh, user1, and now it’s created, but it’s still saying that the home directory already exists, because the home directory wasn’t deleted when I deleted the user. Now again, I’m done with these users, so I’m going to go ahead and delete them: userdel user1. As you saw previously, the home directory doesn’t get deleted. So if I cd to /home and do an ls, you see Larry has a home directory and user1 has a home directory. So if you want to get rid of him completely, you can do an rmdir to get rid of the home directory also. So the user we have created so far had a default shell, which was /bin/ksh.
Suppose I want to create a user who I don’t want to have any login. A nologin shell is used for accounts running services such as SMTP or FTP. A user without a login shell cannot log in to a system and therefore cannot run any command on the system interactively. Processes can run as that user, however. So the way you do it is useradd -s /sbin/nologin, and let’s call our user testuser. And now we’re going to look at the cat /etc/shells command. And as you can see, there’s a nologin entry listed there also.
So in this lecture, we’re going to talk about groups. There are two types of groups: a primary group and a secondary group. There are two group database files. The first is more /etc/group, so this is one file, just like we had the /etc/passwd file. Then there’s more /etc/gshadow, just like we have an /etc/shadow file for passwords. So this is gshadow, which has the encrypted version. So let’s create a group: groupadd and the group name. Let’s call it school, so groupadd school. groupmod modifies the group, and you can use an option with it, like -g for group ID: -g, then I can use 101, and then the argument, the group name. My group name is school. Okay? So it gave it a group ID of 101. So I’ve modified the group, and at the end we can delete the group. For that you have groupdel and then the group name, school, and my group is deleted. Then I run groupadd school again. So if I look at /etc/group right now, you can see the group has been created, which is school, and it has a member, Tim, in it.
In this lecture we’re going to discuss how to set and unset system-wide environment variables in Linux. To add a system-wide non-login variable, that is, one which is available for all users when any of them opens a new terminal, we’re going to add the following variable. The file that we need to edit is /etc/bashrc, that is, if you’re running the Bash shell, and what you want to include is export VAR= and, in single quotes, we’re going to put this line.
“This is system wide variable”, end quote, and we’re going to save this. After doing that, we’re going to source the file: source /etc/bashrc. Now this variable will be available for every user when he or she opens any new terminal. Then we’re going to do echo $VAR and you’re going to see “This is a system wide variable”. If you want an environment variable to be available when any user on your machine is remotely logged in, but not when they open a new terminal on the local machine, then you need to edit this file: vi /etc/profile, and then you go to the bottom.
By the way, you go to the bottom by pressing Shift+G, which takes you all the way to the bottom of the screen, and then you can press o to create an extra line. Then you start typing export. Let’s call it VAR1, equals “This is a system wide variable for only remote sessions”. Escape, :wq!. Now we’re going to source this file also, source /etc/profile, and then we do echo $VAR1. It shows you the message that we just added.
To remove this variable, we’re going to remove the line and then re-source the file. However, if you want to add an environment variable that is available throughout the system, in both remote login sessions and local sessions, just export the variable in /etc/environment. So we’re going to do vi /etc/environment, press i to insert, and export the variable, “variable available everywhere”. After that we’re going to source that environment file, source /etc/environment, and then echo $VAR12, and you’re going to see that it is shown.
Hello students and welcome again. In this topic we are going to discuss how to limit the number of processes started by a user, and how to check the current limits and modify them. Before we go any further, there are two things we need to point out. The first is that you need root access to your system to modify the user limits, and the second is that you must be extremely careful if you plan to modify these limits, because it can have consequences.
To set up user limits we need to edit the file /etc/security/limits.conf. This file is used to apply the ulimits created by the PAM module. The file has the following syntax: a domain, a type, an item and a value. So let’s briefly discuss these four fields. The first one is the domain, which includes user names, groups, group ID ranges, et cetera. The second one is the type, which is a soft or hard limit.
The third one is the item. The item that will be limited could be core size, file size, nproc and so on. The fourth one is the value, which is the value of the given limit. So I’m going to show you an example: the domain could be @student, the type is hard, the item is nproc and the limit is 20. This line sets a hard limit of a maximum of 20 processes on the student group. The @ sign shows you that it’s a group. If you want to see the limits of a certain process, you can simply cat its limits file, /proc/PID/limits, and we’re going to do it in a second, where PID is the actual process ID.
You can find the process ID by using the ps command, so let’s see an example. We’re going to cat /proc/99, which is one of the processes, and then /limits, and these are all the limits that are set up for this process. As you can see, it’s pretty self-explanatory. The first limit is maximum CPU time. Maximum file size is unlimited, its hard limit is unlimited, and the units are bytes. Maximum core file size is zero, and its hard limit is unlimited. So these are all the different values that you can set for a user’s running processes.
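The four-field syntax and the /proc/PID/limits check described above, as an added example that is not part of the original lecture. The sample rules, the function names limit_for and proc_limit, and the user names passed in are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample in /etc/security/limits.conf syntax: domain type item value
SAMPLE_LIMITS='# domain    type  item   value
@student     hard  nproc  20
@student     soft  nproc  15
larry        hard  nproc  50
*            hard  core   0
'

# limit_for CONTENT USER "GROUP1 GROUP2" TYPE ITEM
# Prints the value that applies to USER, or "none". Precedence as documented
# for pam_limits: a rule naming the user beats an @group rule, which beats "*";
# a type of "-" sets both soft and hard. Assumption: within one level the last
# matching line wins. %group and uid/gid range domains are not handled here.
limit_for() {
  printf '%s\n' "$1" | awk -v user="$2" -v grps="$3" -v type="$4" -v item="$5" '
    BEGIN { n = split(grps, g, " "); for (i = 1; i <= n; i++) member["@" g[i]] = 1 }
    $1 ~ /^#/ || NF < 4 { next }              # comments, blanks, short lines
    $3 != item { next }
    $2 != type && $2 != "-" { next }
    {
      rank = 0
      if ($1 == user)        rank = 3
      else if ($1 in member) rank = 2
      else if ($1 == "*")    rank = 1
      if (rank > 0 && rank >= best) { best = rank; value = $4 }
    }
    END { print (best ? value : "none") }'
}

# proc_limit PID NAME: soft and hard value of one row of /proc/PID/limits,
# e.g. proc_limit $$ "Max processes". Columns are separated by 2+ spaces.
proc_limit() {
  if [ -r "/proc/$1/limits" ]; then
    awk -F'  +' -v name="$2" '$1 == name { print "soft=" $2, "hard=" $3 }' "/proc/$1/limits"
  fi
}

limit_for "$SAMPLE_LIMITS" tim "student" hard nproc    # member of student
limit_for "$SAMPLE_LIMITS" larry "student" hard nproc  # user rule wins
proc_limit $$ "Max processes"                          # limits of this shell
```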
So in this short lecture we’re going to discuss the sudo command. The sudo command provides a mechanism for granting administrator privileges. Ordinarily, these privileges are only available to the root user, and the sudo command provides them to normal users. In this short lecture we’re going to show you how to do that. One way to do it is with the sudoers file.
But we’re going to try to do it a different way in this lecture. Okay? The first step is to run adduser, and let’s call this user Billy. Okay? Now we’re going to use the passwd command to set a password for Billy. Okay? And a new password. I’m going to give it a very simple password. Okay. So the password is set for him. So now I’m going to use the usermod command, the user modification command, to add Billy to the wheel group. And what is the wheel group?
Let me finish this command and I’ll tell you. By default in Red Hat and CentOS, members of the wheel group have sudo privileges. So that’s why we are assigning Billy to the wheel group. Enter. And now we’re going to test his privileges, to see if we have actually given them to him. Now we have become Billy. As you can see, my command prompt has changed and we are logged in as Billy right now. So as the new user, we’re going to try a command that regular users usually don’t have access to. Okay? So we’re going to do sudo ls -la and we’re going to try to get to /root, which a regular user would normally not have access to. And it’s going to ask you for Billy’s password. And now we can see, because we did an ls -la, what’s in the root directory.
So Billy has been given the sudo privilege, which is very similar to what root can do. Now we’re going to do the same thing another way. We’re going to add the user in the sudoers file so that our user can run all commands using sudo without a password. Open the sudoers file: we do sudo visudo. I was logged in as root, so I could have done it just as root as well, but I wanted to show you the use of the sudo command. I’m going to press Shift+G, which brings me all the way down to the last line. Then I’m going to hit o to open a line, and then I’ll type in Billy, then ALL, which means all access, equals, NOPASSWD, and then ALL, all in caps.
Remember, previously we did sudo ls -la on /root and it asked for a password. Now it doesn’t, because he’s hard-coded into the sudoers file.
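A review check for the two grants shown above, wheel membership and a NOPASSWD rule, as an added example that is not part of the original lecture. The sudoers and group contents, the exact spelling of the billy rule, and the function names nopasswd_rules and group_members are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed samples standing in for /etc/sudoers and /etc/group.
SAMPLE_SUDOERS='Defaults    env_reset
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
billy   ALL=(ALL)   NOPASSWD: ALL
# larry ALL=(ALL)   NOPASSWD: ALL
%ops    ALL=(root)  NOPASSWD: /usr/bin/systemctl restart httpd
'
SAMPLE_GROUP='root:x:0:
wheel:x:10:billy,tim
school:x:101:tim
'

# nopasswd_rules CONTENT: one "who<TAB>scope" line per active NOPASSWD rule.
# scope is ALL when the command list starts with ALL, otherwise "limited".
# Not handled: #include/#includedir files, aliases, backslash continuations.
nopasswd_rules() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF == 0 { next }                    # comments and blanks
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }       # settings, alias definitions
    /NOPASSWD[ \t]*:/ {
      cmds = $0
      sub(/.*NOPASSWD[ \t]*:[ \t]*/, "", cmds)
      scope = (cmds == "ALL" || cmds ~ /^ALL[ \t,]/) ? "ALL" : "limited"
      print $1 "\t" scope
    }'
}

# group_members CONTENT GROUP: space-separated members of GROUP.
group_members() {
  printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { gsub(/,/, " ", $4); print $4 }'
}

nopasswd_rules "$SAMPLE_SUDOERS"
echo "wheel members: $(group_members "$SAMPLE_GROUP" wheel)"
```

On a real system the same functions can be fed "$(cat /etc/sudoers)" and "$(cat /etc/group)" as root; files under /etc/sudoers.d need the same pass.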
Hello students and welcome. In this lecture we’re going to talk about Linux PAM, or Pluggable Authentication Modules, which is a very flexible method for implementing authentication services in applications and various system services. It divides authentication functions into four major management modules, namely account modules, authentication modules, password modules and session modules. The auditd tool uses the pam_tty_audit PAM module to enable or disable auditing of TTY input for specific users. Once a user is configured to be audited, pam_tty_audit works in conjunction with auditd to track the user’s actions on the terminal and, if configured, captures the exact keystrokes the user makes and records them in /var/log/audit/audit.log.
You can configure PAM to audit a particular user’s TTY input in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files using the enable option. On the other hand, as expected, the disable option turns it off for the specified users. Now we’re going to take a look at an example where we configure pam_tty_audit to record the actions of the user named joseph, including keystrokes, across all terminals, while we disable TTY auditing for all other system users. First we’re going to edit these two files. We’re going to vi /etc/pam.d/system-auth, and in here we’re going to add a line. We go to the bottom of the file and then type o to open a line.
Then we’ll type in session, then required, and then pam_tty_audit.so disable=* enable=joseph log_passwd. I’m going to copy this because we need to enter the same information into another file as well. In the Linux console you can just highlight it and it gets copied into the buffer. I did a :wq! and got out. The next file we need to get into is vi /etc/pam.d/password-auth. I pressed lowercase i to insert and pasted the same line here as well, then :wq! and it saves it.
After that we’re going to go ahead and su to joseph and do some things that are going to be recorded. I’m going to have him cd to /home/joseph, have him mkdir test, have him remove test with rmdir test, have him touch school, and do an ls -al. These are just some of the actions that should be recorded by the auditing. That’s what I’m trying to do. After I’m done with that, I’m going to run aureport --tty. As you can see, Joseph is right here: he did a cd to /home/joseph, then some backspaces, then a mkdir of test, then he removed test. So everything that he has done is being recorded. It’s been audited. So that’s the purpose of having PAM.
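How the disable=* enable=joseph log_passwd line above resolves for a given user, as an added example that is not part of the original lecture. The sample PAM content and the function names tty_audit_line, tty_audit_state and logs_passwords are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample standing in for /etc/pam.d/system-auth.
SAMPLE_PAM='session   required   pam_limits.so
session   required   pam_tty_audit.so disable=* enable=joseph log_passwd
'

# Last active (non-comment) pam_tty_audit.so line in CONTENT.
tty_audit_line() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep 'pam_tty_audit\.so' | tail -n 1
}

# tty_audit_state USER CONTENT: prints enabled, disabled or unset.
# Options are applied left to right and patterns are comma-separated globs,
# so a later enable= overrides an earlier disable=* for a matching user.
tty_audit_state() {
  user=$1; state=unset
  line=$(tty_audit_line "$2")
  set -f                                   # keep disable=* from globbing
  for opt in $line; do
    case $opt in
      enable=*)  new=enabled;  pats=${opt#enable=} ;;
      disable=*) new=disabled; pats=${opt#disable=} ;;
      *) continue ;;
    esac
    old_ifs=$IFS; IFS=,
    for pat in $pats; do
      case $user in $pat) state=$new ;; esac
    done
    IFS=$old_ifs
  done
  set +f
  echo "$state"
}

# logs_passwords CONTENT: prints yes when log_passwd is set. With it, keystrokes
# typed at no-echo prompts (passwords) are written to the audit log.
logs_passwords() {
  case " $(tty_audit_line "$1") " in
    *" log_passwd "*) echo yes ;;
    *) echo no ;;
  esac
}

for u in joseph larry; do echo "$u: $(tty_audit_state "$u" "$SAMPLE_PAM")"; done
echo "log_passwd: $(logs_passwords "$SAMPLE_PAM")"
```

Because log_passwd puts typed passwords into the audit records, access to the audit log and to aureport --tty output should stay restricted to root.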
Hello, students. We have just finished domain number three, which was user management. We completed topics like creating and deleting users, modifying local groups and group memberships, managing system-wide environments, managing user privileges, configuring resource limits, and configuring PAM. So all of this was completed, and if you have any questions, please feel free to send me feedback and let me know. Or if you want further details on this, I can expand further and probably add another module to take care of any concerns that you might have. I’m also going to attach a quiz, like I have done in the past two domains, so that way you’ll have something to practice with.