Chapter 2 Account and Security Administration, and Access Control

The document discusses user and group concepts in Linux systems including user accounts, groups, and permissions. It covers how user accounts are defined and stored in files like /etc/passwd and /etc/shadow. It also discusses managing user accounts through commands and configuring password aging policies and access permissions for files and directories.
Chapter 2

Account and Security Administration, and Access Control (DAC, RBAC)

Network and System Administration Slide #1


Topics
1. User and Group Concepts, and User Private Group Scheme
2. User Administration, Modifying Accounts and Group Administration
3. Password Aging and Default User Files
4. Managing File Ownership
5. Controlling Access to Files
6. Managing Disk Quotas


User and Group Concepts, and User Private Group Scheme
Linux is a multi-user operating system, which means more than one user can use the system at the same time.
Each user account is uniquely identified by a number called the UID (User Identification Number), and its group by a GID (Group Identification Number).
The full account information for a user is stored in the /etc/passwd file, and the hashed password is stored in the file /etc/shadow.
The /etc/group file contains the group information for each account.
The /etc/gshadow file contains the secure group account information.
User and Group Concepts, and User Private Group Scheme
Two different types of user accounts can be created:
1. Local user accounts: stored on the local computer
2. Domain user accounts: stored in Active Directory
Account names can be between 1 and 20 characters (letters and/or numbers).
Account names are not case sensitive.
The following characters cannot be used in the account name: " / \ [ ] : ; | , + = * ? < > @


User and Group Concepts, and User Private Group Scheme
Using groups you can perform a variety of tasks that will affect the accounts and groups that are members:
• Assigning rights to a group account to authorize its members to perform a certain task.
• Assigning permissions on shared resources to a group so that all members can access the resource in the same manner.
• Distributing bulk e-mail to all members of the group.
There are two different types of groups:
1. Security groups
2. Distribution groups
User and Group Concepts, and User Private Group Scheme
Security groups are collections of users who have specific rights and permissions to resources.
Permissions are used to control access to resources.
Distribution groups are used for sharing information.
This type of group allows applications such as Microsoft Exchange to send e-mail to a collection of users.
Active Directory provides three different scopes for groups:
1. Universal: used for assigning permissions to related resources in multiple domains.
2. Global: groups users who share similar network access requirements.
3. Domain Local: used for assigning permissions to resources.
User Administration, Modifying
Accounts and Group Administration
The following are basic commands for user administration

User account management

Group administration


Password Aging and Default User Files
• Linux user accounts are the mechanism by which the Linux operating system handles the task of protection.
• In Linux, there are three forms of user accounts:
1. root
2. User (human) accounts
3. Software accounts


Password Aging and Default User Files
• Username
• Password
 By default, all user home directories are created and maintained in the /home directory.
 However, the root user's home directory is /root.


Password Aging and Default User Files
• To view information about the user_name account on a Linux system, you would enter finger user_name
• The following information about the user account is shown:
 Login: This is the username that is used to authenticate to the system.
 Name: This is the user's full name.
 Directory: This is the user's home directory.
 Shell: This is the default shell that will be provided to the user.
 Last Login: This displays the last time the user logged in and where from.
• To view the UID for a given user account:
id username
Example: to view information about our chun user account, we can enter
id chun


Password Aging and Default User Files
• The root user account is always assigned a UID of 0 on most Linux distributions.
• Other distributions may use a different numbering scheme for the UID, however. For example, UIDs on a Red Hat system start at 500 instead of 1000.
• It's this UID that the operating system actually uses to control access to files and directories in the file system.


Where Linux User Accounts Are Stored
 Linux is a very flexible operating system. One of its flexible features is the location of user accounts on the system.
When you originally installed the system, your distribution may have given you several options for where you wanted to store your user accounts. This screen allows you to choose from the following authentication methods:


Where Linux User Accounts Are Stored
1. Local: This option stores user accounts in the /etc/passwd file. This has been the default configuration used by Linux systems for many years.
2. LDAP: This is a newer option that many Linux administrators are starting to adopt. Instead of storing user accounts in a file in the file system, user accounts are stored in a directory service provided by OpenLDAP. Unlike local authentication, which uses a flat file, the directory service is hierarchical in nature, allowing you to sort and organize your user accounts by location, function, or department.
The local files are:
• /etc/passwd: This file contains the user account information for your system.
• /etc/shadow: This file contains the passwords for your user accounts.
• /etc/group: This file contains your system's groups.


Where Linux User Accounts Are Stored
 Each line of /etc/passwd has the form:
Username:Password:UID:GID:Full_Name:Home_Directory:Default_Shell
• Username: The Username field simply identifies the username the user will supply when logging in to the system.
• Password: This is a legacy field. At one time, the user's password was stored in encrypted form in this field in the passwd file. However, for security reasons, the password has been moved from /etc/passwd to /etc/shadow.
• UID: This is the user ID for the user account.
• GID: This field references the group ID number of the user's default group.
• Full_Name: This field contains the user's full name.
• Home_Directory: This field contains the path to the user's home directory.
• Default_Shell: This field specifies the shell that will be used by default.


Local options
• Each line of /etc/shadow has the form:
Username:Password:Last_Modified:Min_Days:Max_Days:Days_Warn:Disabled_Days:Expire
• Username: This is the user's login name from /etc/passwd.
• Password: This is the user's password in encrypted (hashed) format.
• Last_Modified: This field displays the number of days since the password was last changed.
Password security mechanisms
• Min_Days: This field displays the minimum number of days required before a password can be changed.
• Max_Days: This field displays the maximum number of days before a password must be changed.
• Days_Warn: This field displays the number of days prior to password expiration that the user will be warned of the pending expiration.
• Disabled_Days: This field displays the number of days to wait after a password has expired before the account is disabled.
• Expire: This field displays the number of days after which the account will be disabled.
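As an added example that is not part of the original slides, the following Python script parses constructed /etc/passwd and /etc/shadow records using the field layouts just described and flags what an administrator checks first: a second UID 0 account, an empty password field, a password that never expires (Max_Days of 99999), and an expired password. The usernames, hashes and day counts are constructed placeholders, and the function names are my own.

```python
# Added example (not from the original slides): audit constructed /etc/passwd
# and /etc/shadow records using the field layouts described above.
TODAY = 19100  # constructed "today", in days as the shadow file counts them

# Constructed sample records; the hashes are placeholders, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
chun:x:1001:1001:Chun:/home/chun:/bin/bash
backup:x:0:1002:Backup:/home/backup:/bin/bash
svc:x:1003:1003:Service:/var/lib/svc:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$placeholder$hash:19000:0:99999:7:::
chun:$6$placeholder$hash:18000:0:90:7:14::
backup::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""


def parse_passwd(text):
    """Username -> (UID, GID, shell) from Username:Password:UID:GID:Full_Name:Home:Shell."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _full, _home, shell = line.split(":")
            users[name] = (int(uid), int(gid), shell)
    return users


def parse_shadow(text):
    """Username -> (hash, Last_Modified, Min_Days, Max_Days); empty fields mean 'unset'."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw, last, min_days, max_days = line.split(":")[:5]
            entries[name] = (pw, int(last or 0), int(min_days or 0), int(max_days or 99999))
    return entries


def audit(passwd_text, shadow_text, today):
    """Return (user, issue) pairs for weaknesses visible in the two files."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for name, (uid, _gid, _shell) in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            findings.append((name, "uid-0-not-root"))  # a second superuser account
        if name not in shadow:
            findings.append((name, "no-shadow-entry"))
            continue
        pw, last, _min_days, max_days = shadow[name]
        if pw == "":
            findings.append((name, "empty-password"))  # login without any password
            continue
        if pw.startswith(("!", "*")):
            continue  # locked account: password aging does not apply
        if max_days >= 99999:
            findings.append((name, "never-expires"))
        elif today - last > max_days:
            findings.append((name, "expired"))
    return findings
```

Running `audit(SAMPLE_PASSWD, SAMPLE_SHADOW, TODAY)` on the constructed records reports root (never expires), chun (expired) and backup (UID 0 and empty password), while the locked svc account is skipped.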
Controlling Access to Files and Permissions
• Permissions are a mechanism to support operating system protection.
• Protection ensures that users do not misuse system resources (CPU, memory, network, partitions, directories and files).
• Permissions specify who can access a file or directory and the types of access.
• In Linux, permissions are controlled at three levels:
1. Owner (called user, or 'u' for short)
2. Group ('g' for short)
3. The rest of the world (called other, or 'o' for short)


Controlling Access to Files
 Each level of access provides:
• Read: for a file, it can be viewed or copied. For a directory, the directory's contents can be listed with ls.
• Write: for a file, it can be overwritten (e.g., using "save as"). For a directory, files can be written there.
• Execute: for a file, it can be executed (this is necessary for executable programs and shell scripts). For a directory, a user can cd into it.
• Note: to delete a file, you must have write access to the directory that contains it.


Controlling Access to Files
 In the long listing (ls -l), the first 10 characters of each line are a combination of letters and hyphens.


File Permission
On a Linux system, each file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else.
Rights can be assigned to read a file, to write a file, and to execute a file.
To see the permission settings for a file, we can use the ls -l command.


File Permission
For example, we will look at the permissions of file1.txt:
$ ls -l file1.txt
-rwxr-xr-x 1 root root 316848 Feb 27 2017 file1.txt
Here we can see:
• The file "file1.txt" is owned by user "root".
• The super user has the right to read, write, and execute this file.
• The file is owned by the group "root".
• Members of the group "root" can also read and execute this file.
• Everybody else can read and execute this file.
To change a file's permissions, the command is chmod. The command's syntax is
• chmod permissions file(s)
where permissions can be specified using one of three different approaches:
File Permission
• 1. Describe the changes to be applied as a combination of u, g, o along with r, w, x. To add a permission, use + and to remove a permission, use -.
Example: file1.txt is currently readable and writable by u and g and readable by o. To remove write permission from the group and read permission from other, the command would be:
• chmod g-w,o-r file1.txt
• 2. Altering permissions uses an = to assign new permissions rather than a change to the existing permissions.
• Example: To make file1.txt readable, writable, and executable by the user, readable by the group, and nothing for the world, this could be done with:
• chmod u=rwx,g=r,o= file1.txt
• You can combine =, +, and - as in:
• chmod u=rwx,g-w+x,o-r file1.txt
• 3. Using a 3-digit number. Each digit is the sum of the access rights granted to that party (user, group, other), where readable is 4, writable is 2, and executable is 1.
• Read, write, and execute would be 4 + 2 + 1 = 7.
• Read and execute would be 4 + 1 = 5.
• No access at all would be 0.
• Example: we want file1.txt to have read, write, and execute access for the owner, read and execute access for the group, and no access for the world. The command would be:
• chmod 750 file1.txt
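As an added example (not from the original slides), this Python code implements the three chmod notations above on an in-memory mode: it converts the ls -l mode field to octal, applies symbolic specs such as g-w,o-r or u=rwx,g-w+x,o-r, and renders the result as the rwx letters and the 3-digit number. It only computes modes and touches no files; the function names are my own.

```python
# Added example (not from the original slides): the three chmod notations
# applied to an in-memory permission mode.
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}  # bit offset of each party in the mode
PERM_BITS = {"r": 4, "w": 2, "x": 1}  # value of each right within a party


def parse_ls_mode(field):
    """'-rwxr-xr-x' (first 10 characters of ls -l) -> octal mode, e.g. 0o755."""
    if len(field) != 10:
        raise ValueError("expected the 10-character mode field from ls -l")
    mode = 0
    for i, ch in enumerate(field[1:]):  # skip the file-type character
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode


def to_ls_string(mode):
    """Octal mode -> the 9 rwx characters shown by ls -l, e.g. 0o750 -> 'rwxr-x---'."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def apply_symbolic(mode, spec):
    """Apply a chmod spec such as 'g-w,o-r' or 'u=rwx,g-w+x,o-r' to mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = "ugo" if (not clause[:i] or "a" in clause[:i]) else clause[:i]
        rest, j = clause[i:], 0
        while j < len(rest):  # walk operator/rights groups such as "-w+x"
            op = rest[j]
            if op not in "+-=":
                raise ValueError(f"bad clause {clause!r}")
            j += 1
            rights = 0
            while j < len(rest) and rest[j] in "rwx":
                rights |= PERM_BITS[rest[j]]
                j += 1
            for party in who:
                shift = WHO_SHIFT[party]
                if op == "=":  # replace that party's three bits entirely
                    mode = (mode & ~(0o7 << shift)) | (rights << shift)
                elif op == "+":
                    mode |= rights << shift
                else:
                    mode &= ~(rights << shift)
    return mode


def octal_string(mode):
    """The 3-digit form used by 'chmod 750', e.g. 0o750 -> '750'."""
    return format(mode & 0o777, "03o")
```

Starting from rw-rw-r-- (664), the spec u=rwx,g-w+x,o-r from the slides yields 750, the same mode the numeric example sets directly.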


Managing File Ownership
• You can specify a different user and/or group as the owner of a given file or directory. To change the user who owns a file, you must be logged in as root. To change the group that owns a file, you must be logged in as root or as the user who currently owns the file.
 Using chown
 Using chgrp


Using chown
– The chown utility can be used to change the user or group that owns a file or directory.
Syntax: chown user.group file_or_directory
Ex: If I wanted to change the file's owner to the ncth1 user, I would enter
chown ncth1 /tmp/myfile.txt
– If I wanted to change the group of this file to the users group, of which this user is a member, I would enter
chown .users /tmp/myfile.txt
Notice that I used a period (.) before the group name to tell chown that the entity specified is a group, not a user account.
Ex: chown student.users /tmp/myfile.txt
Note: You can use the -R option with chown to change ownership of many files at once, recursively.


Using chgrp
• In addition to chown, you can also use chgrp to change the group that owns a file or directory.
• Syntax:
chgrp group file (or directory)
• For example:
chgrp student /tmp/newfile.txt


Managing Disk Quotas
Implementing a disk quota will prevent users or groups
from using too much storage space on a Linux system.
This is very useful on systems such as file servers that
allow many users to connect and store data, as it ensures
that no particular user can utilize an unexpected amount of
storage and interrupt storage or processes on the server by
making it run out of disk space.
Linux administrators should always put a quota on the
maximum storage usage for users, as well as other user
environment limits like max number of processes and open
files.
Managing Disk Quotas
There are three major concepts that you should understand prior to implementing disk quotas:
Hard Limit
The hard limit defines the absolute maximum amount of disk space that a user or group can use. Once this limit is reached, no further disk space can be used.
Soft Limit
The soft limit defines the maximum amount of disk space that can be used. However, unlike the hard limit, the soft limit can be exceeded for a certain amount of time. That time is known as the grace period.
Grace Period
The grace period is the time during which the soft limit may be exceeded.
The grace period can be expressed in seconds, minutes, hours, days, weeks, or months, giving the system administrator a great deal of freedom in determining how much time to give users to get their disk usage below their soft limit.


Managing Disk Quotas
To implement disk quotas, use these steps:
1. Install quota
a) sudo apt-get install quota
2. Inform the system about quotas
a) Edit /etc/fstab
b) Append usrquota and/or grpquota to the mount options: defaults,[usrquota],[grpquota]
3. Remount the disk
a) mount -o remount /home
4. Create the quota database
a) quotacheck -c -u (or -g) filesystem
5. Assign the quotas
a) Assign per-user or per-group quotas
b) edquota -u (or -g) name


Managing Disk Quotas
To implement disk quotas, use the following steps:
1. Enable quotas per file system by modifying /etc/fstab
2. Remount the file system(s)
3. Create the quota files and generate the disk usage table by running quotacheck
4. Assign quotas


Managing Disk Quotas
Enabling Quotas: Edit fstab to enable usrquota

LABEL=/1 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
LABEL=/users /users ext3 exec,dev,suid,rw,usrquota 1 2
LABEL=/var /var ext3 defaults 1 2
LABEL=SWAP-sda5 swap swap defaults 0 0


Managing Disk Quotas
Remounting the File Systems: Issue the umount command followed by the mount command to remount the file system in which quota has been implemented (umount /users; mount /users)

Creating the Quota Database Files: Use the quotacheck command to create the quota.user file:
quotacheck -cu /users

Assigning Quotas per User: assign the disk quotas with the edquota command (edquota <username>):
Disk quotas for user web_cc (uid 524):
  Filesystem   blocks     soft     hard  inodes  soft  hard
  /dev/sdb1    988612  1024000  1075200    7862     0     0
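As an added example (not from the original slides), the following Python script carries out two of the quota steps above on constructed text: it adds usrquota (or grpquota) to the options of one mount point in fstab-style text, and it reads an edquota-style report, treating a limit of 0 as "no limit" as in the output above, to tell whether a user is within quota, over the soft limit (grace period running) or at the hard limit. The fstab entries, device names and report figures are constructed samples; the function names are my own.

```python
# Added example (not from the original slides): two of the quota steps above
# carried out on constructed text, plus a reading of an edquota-style report.
SAMPLE_FSTAB = """\
LABEL=/1 / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
LABEL=/users /users ext3 exec,dev,suid,rw 1 2
LABEL=SWAP-sda5 swap swap defaults 0 0
"""

# Constructed report in the layout edquota shows; a limit of 0 means "no limit".
SAMPLE_REPORT = """\
Filesystem blocks soft hard inodes soft hard
/dev/sdb1 988612 1024000 1075200 7862 0 0
/dev/sdc1 1050000 1024000 1075200 120 1000 2000
/dev/sdd1 1075200 1024000 1075200 10 0 0
"""


def enable_quota(fstab_text, mount_point, option="usrquota"):
    """Return fstab text with option (usrquota or grpquota) added to mount_point's options."""
    out = []
    for line in fstab_text.splitlines():
        fields = line.split()
        # fstab entries: device mount_point fstype options dump pass
        if len(fields) == 6 and fields[1] == mount_point:
            opts = fields[3].split(",")
            if option not in opts:  # idempotent: never add the option twice
                opts.append(option)
            fields[3] = ",".join(opts)
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


def check_report(report_text):
    """Map each file system in the report to this user's quota state."""
    status = {}
    for line in report_text.splitlines()[1:]:  # skip the header row
        fs, blocks, bsoft, bhard, inodes, isoft, ihard = line.split()
        blocks, bsoft, bhard = int(blocks), int(bsoft), int(bhard)
        inodes, isoft, ihard = int(inodes), int(isoft), int(ihard)
        if (bhard and blocks >= bhard) or (ihard and inodes >= ihard):
            status[fs] = "hard limit reached"  # no further space can be used
        elif (bsoft and blocks > bsoft) or (isoft and inodes > isoft):
            status[fs] = "over soft limit"  # allowed only during the grace period
        else:
            status[fs] = "ok"
    return status
```

After enable_quota, the /users entry carries exec,dev,suid,rw,usrquota exactly as in the fstab on the slide, and the remaining steps (remount, quotacheck, edquota) are still run by hand.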
