
Chap 2 Linux Sysadmin Part 3 Users and Group Management Students Version

This document is the course outline for a System Administration course taught by Dr. Eng. Ines Djouela. The course covers 6 chapters over Unix/Linux and Windows system administration, including installation, configuration, security, maintenance and troubleshooting. Chapter 2 focuses on Unix/Linux system administration, covering topics such as Linux distributions, command line basics, file permissions and ownership, users and groups. User administration files such as /etc/passwd and /etc/shadow store user account information, with /etc/passwd containing fields like username, UID, home directory and login shell.

Uploaded by

niccinchami

10/11/2023

University of Buea
Faculty of Engineering and Technology
Department of Computer Engineering

System Administration
CEF 473
By Dr. Eng. Ines Djouela
inesdjouela@gmail.com

Course content
• Chap 1: Introduction to system administration: Fundamentals and principles
• Chap 2: Unix/Linux System Administration: managing Linux environment
• Chap 3: Windows System Administration
• Chap 4: System Security
• Chap 5: System Maintenance and Troubleshooting
• Chap 6: Emerging Trends

Course outline

Chapter 2: Unix/Linux System Administration
• What is UNIX?
• Linux architecture: kernel, shell
• Installation and Configuration of Linux
• Linux file organisation
• Linux directory structure
• Notion of pathname
• Notion of absolute and relative paths
• Command Line Basics
• File Permissions and Ownership
• User and Group Management in Linux
• Shell Scripting

Objectives

At the end of this chapter, you should:
• Have general knowledge on UNIX and Linux system distributions
• Set up a virtual environment (VMWare, virtual box)
• Install a Linux distribution
• Have knowledge on command shell
• Perform basic commands on Linux
• Have knowledge on the type of users and notion of permission

Unix files

Other useful Linux commands
• history: list the commands that you have issued.
• du: find the amount of space taken by a file or directory
• du * : find the file and directory sizes in the current location in a human readable format
• echo > file : empty a file without deleting it

Users and group management

Users and group management

User administration files
• Users and group management consists of adding, creating and deleting groups and users on a Unix system.
• Four main administration files hold information on users and make it possible to manage them:
    /etc/passwd − Holds the majority of information about accounts on the Unix system.
    /etc/shadow − Holds the encrypted password of the corresponding account. Not all the systems support this file.
    /etc/group − Contains the group information for each account.
    /etc/gshadow − Contains secure group account information.

User administration files

/etc/passwd file
• It is the primary repository of users on a standalone system.
• The file contains seven fields separated by colons (:):
    Login name
    Password placeholder
    UID
    GID
    Human friendly information (real name, phone, etc.)
    Home directory
    Login shell

User administration files: /etc/passwd file

Login name
• It must be unique on the system.
• It cannot contain colons (:) or the newline character (\n), as these have meanings in the passwd file.
• Linux allows up to 32 characters to form a login name. It also requires the first character to be a lower-case letter or an underscore.
• Linux accepts characters from a to z, both lower and upper case, in addition to dashes (-) and underscores (_).

User administration files: /etc/passwd file

Login name best practices
• Should be no more than 8 characters for backward compatibility with legacy systems.
• Should be all in lower case for consistency.
• Should not be nicknames, so as not to affect the organization's image. Often nicknames are used for e-mails.
• It's wise to use a naming scheme, e.g. first initial dot last name.

User administration files: /etc/passwd file

Password placeholder
• The password field in /etc/passwd is the password placeholder.
• The real encrypted password is stored in the /etc/shadow file.
• You can opt to use /etc/passwd for storing passwords (although not recommended) using the pwunconv command. If you want to revert to /etc/shadow, use pwconv.
• Linux supports a number of encryption algorithms. They can be set in the /etc/login.defs file, together with the password length.

User administration files

Password placeholder (continued)
• An encrypted string that starts with $ means that it was not encrypted using DES.
    E.g.: $1$ means an MD5-based algorithm was used, while $6$ indicates a SHA512 algorithm.
• If an exclamation mark (!) is placed before the password string, this means that the account is locked.
• If two users choose the same password, that does not mean that you will find the same encrypted string, because Linux adds a "salt" string to the password before encryption.

User administration files: /etc/passwd file

User Identification (UID)
• Users are defined by their names only for the benefit of users. All applications and filesystems use the UID to identify users on Linux.
• The root has UID of 0.
• Although the system permits having multiple users with the same UID, it is strongly discouraged, especially for the root account.
• It is advised to have unique UIDs across the entire network. This ensures that every person has the same UID on any system. Such a control will mitigate potential security vulnerabilities when sharing files, for example through NFS.

User administration files: /etc/passwd file

Group Identification (GID)
• Used to identify groups by number
• Only the primary group is listed
• The root group GID is 0
• System users are also assigned to groups
• GIDs are mainly used to share files among users
• If setgid is used, any file created in the directory will bear the group id of this directory instead of its own
• Syntaxes:
    "id -g" or "id -g user": find the group id of the current user or of a specified user

User administration files

UID and GID syntaxes
• Use the id command to find a specific user's ID.
• Syntax:
    id -u username - finds the user ID of the user "username"
    id -g username - finds the GID of a specific user
    id -G username - finds all the groups a specific user belongs to
    id username - finds a user ID and all the groups associated with that user

User administration files

Home directory
• The default directory in which the user is placed upon logging in
• It contains environment files like .bash_profile and .bashrc
• Sometimes administrators create users' home directories as network shares on a central server to provide roaming profiles for the users. That is, the user will have the same environment regardless of the machine used for logging in.
• If there is no home directory specified for the user, an error message will be displayed, and the user will be placed in the root directory /

User administration files

The /etc/shadow file
• Used to store the encrypted passwords
• Both /etc/shadow and /etc/passwd must co-exist for user management. Tools like useradd and usermod are used to manage both of them.
• The file contains the following nine fields:
    Username
    Encrypted password
    The date of last password change
    Minimum number of days allowed before a user can change the password
    Maximum number of days allowed before a user can change the password
    Number of warning days before the password expires
    Number of days before the account gets disabled after a password has expired
    Account expiration date. It represents the number of days since 1/1/1970. If left blank, the account will never expire.
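The hash prefixes, the lock marker and the expiration field described above can be read straight out of shadow-format lines with awk. This is an added example, not part of the original slides; the sample entries are constructed (the hashes are placeholders), and the function names and the day count passed in are assumptions of the example.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (hypothetical accounts, placeholder hashes).
SAMPLE_SHADOW='root:$6$Qx7saltsalt$HASHPLACEHOLDER:19600:0:99999:7:::
alice:$1$oldsalt$HASHPLACEHOLDER:19000:0:90:7:14:19650:
bob:!$6$Zy2saltsalt$HASHPLACEHOLDER:19500:0:99999:7:::
daemon:*:19400:0:99999:7:::
carol:abJnggxhB/yWI:18000:0:99999:7:::'

# audit_shadow TODAY_IN_DAYS
# Reads shadow-format lines on stdin and prints user:scheme:state:expiry.
audit_shadow() {
    awk -F: -v today="$1" '
    {
        hash = $2; state = "active"
        # A leading ! or * means the stored string can never match a password
        if (hash ~ /^[!*]/) { state = "locked"; sub(/^[!*]+/, "", hash) }
        if (hash == "")            scheme = "none"
        else if (hash ~ /^\$1\$/)  scheme = "md5"
        else if (hash ~ /^\$6\$/)  scheme = "sha512"
        else if (hash ~ /^\$/)     scheme = "other"
        else                       scheme = "des"      # no $ prefix: DES
        # Field 8 is the account expiration date in days since 1/1/1970
        expiry = "never"
        if ($8 != "") expiry = ($8 + 0 < today + 0) ? "expired" : "valid"
        print $1 ":" scheme ":" state ":" expiry
    }'
}

# Accounts still stored with a scheme older than SHA512 (md5 or des).
weak_hash_users() {
    audit_shadow "$1" | awk -F: '$2 == "md5" || $2 == "des" { print $1 }'
}

# Today expressed the way the shadow file stores dates.
today=$(( $(date +%s) / 86400 ))
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$today"
```

On a real system the same functions read the live file as root: audit_shadow "$today" < /etc/shadow.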

User administration files

The /etc/group file
• It contains the current groups on the system and the users listed in each one
• Each group is represented by a line. Fields are separated by colons, no spaces are allowed
• The line contains the following fields:
    Group name
    Encrypted password or a placeholder
    GID
    Member users
• The password placeholder is used if the group has a password set (using the gpasswd command). However, it is highly unusual.

Types of accounts in Linux
• Three main accounts in Linux:
    The root account
    The system accounts
    User accounts

Types of accounts in LINUX

1) Root account
• The root account has the id of 0.
• Also called the superuser account. It has complete and unfettered control of the system.
• A superuser can run any commands without restrictions. This user should be assumed to be the system administrator.

Types of accounts in LINUX

Root account: The power of Root
• A process with the id of 0 can do any operations on any other file or process
• In addition, some tasks can only be performed by the root account, like:
    Setting the machine's hostname or IP address
    Changing the system's date and time
• The UID 0 process can even change its own UID and GID. This happens when a normal user logs into the system. The login process changes its UID and GID to those of the user. This change cannot be rolled back.
Types of accounts in LINUX

Root account: How to make a strong Root password?
• Should be at least 8 characters long
• Using a meaningless mix of numbers, special characters, small and capital letters is a good approach, but it is hard to remember. As a result, an admin may write it down on paper, or may enter it slowly, both of which pose a security risk of revealing the password.
• A more modern approach nowadays is to use passphrases. That is, a long phrase that means something to you, and that is unpredictable.
• For example: "I like Ubuntu 18" may be used like this: ILikeUbuntu18! It's long, has special characters, contains numbers as well as upper and lower case letters. Yet, it is easy for you and only you to remember.
• The root password should be changed every 3 months at most.
• It's advisable to store root passwords. However, maximum security measures should be applied to the place/software they're stored in.

Types of accounts in LINUX

Should I login as root?
• The short answer is no, it's not a good idea for the following reasons:
    You lose the user accountability: who did what, and when?
    You give a hacker one step forward: instead of having to break a normal user's password first, then the root password, you leave him with only one password to crack: the root one.
• The recommended approach is to give administrators normal, unprivileged accounts. When the root power is needed, they either su to root, or use the sudo command.

Types of accounts in LINUX

Using the su command
• The su command is short for substitute user
• Root can su to any user without specifying the password
• You can use it to change your current login session to a different user session or to root, provided that you have the appropriate password.
    Syntax: su username
    When omitting username, the username defaults to root
    PS: The root account in Ubuntu is disabled by default, i.e. it has no password and no attempt to authenticate with root's password will succeed. Therefore, su or su - will not work.
• Use the sudo command to run a command as root instead of su
• Use sudo -i to run your shell as root instead of su -
Types of accounts in LINUX

Delegating root powers with sudo (1/2)
• The sudo command is used to specify specific commands to be run as another user or, typically, as root
• Syntax:
    sudo [command] for root
    sudo -u user [command] for running the command as the user
    sudo -g group [command] for running the command as the group
• The user is prompted for his own password when issuing sudo before allowing the command to run.
• A user that has just used sudo can continue running commands without being prompted for password for 5 minutes
• All sudo commands are logged into a log file.

Types of accounts in LINUX

2) System account
• They are needed for the operation of system-specific components (system services), e.g. mail accounts
• The idea is to use them instead of using the root account for such tasks
• They are protected from being used for login by placing an asterisk instead of the password hash in the shadow file, and also by setting the default shell to /bin/false or /bin/nologin
• Their UIDs are generally under 100.
• You should use these guidelines when creating a custom user account for a service or an application

Types of accounts in LINUX

3) User account
• They provide interactive access to the system for users and groups of users.
• General users are typically assigned to these accounts and usually have limited access to critical system files and directories.
• They possess various properties that define their characteristics and access privileges.
• Unix supports a concept of Group Account which logically groups a number of accounts.
• Every account would be a part of another group account. A Unix group plays an important role in handling file permissions and process management.

Types of accounts in LINUX

Creating groups
• We need to create groups before creating any account; otherwise, we can make use of the existing groups in our system.
• Syntax: groupadd [-g gid [-o]] [-r] [-f] groupname
    -g GID: specify the numerical value of the group's ID. If the specified one already exists, another (unique) GID is chosen
    -o: add group with non-unique GID
    -r: this flag instructs groupadd to add a system account
    -f: this option causes groupadd to just exit with success status if the specified group already exists
    groupname: actual group name to be created
• PS: If no option is specified, the system creates the group with default values.

Types of accounts in LINUX

Modifying and deleting groups
• We use groupmod to modify the group
    Syntax: $ groupmod -n new_modified_group_name old_group_name
    E.g.: groupmod -n staff staff_2 - changes the name of staff_2 to staff
    groupmod -g 545 staff - changes the GID of staff
• To delete a group, use the groupdel command
• Syntax: groupdel groupname

Types of accounts in LINUX

Creating new user account
• The useradd command is used to add new users to the system.
• Syntax: useradd -d homedir -g groupname -G groupname2 -m -s shell -u userid accountname
    -d: specifies a different home directory than the default for the account
    -g: specifies a different primary group account for this account
    -G: adds the user to a supplementary group
    -m: creates the home directory if it doesn't exist
    -s: specifies the default login shell for this account
    -u: you can specify a user id for this account
    accountname: actual account name to be created

Types of accounts in LINUX

Creating new user account
• The useradd command does the following tasks:
    Adds a user entry to the /etc/passwd file
    Adds a new group with the same name as the login name to the /etc/group file
    Creates a new directory with the same name as the login name in the /home directory
    Sets the appropriate ownership and permissions on the home directory
    Sets the user's mail directory and creates a mail alias
• Users can also be added using the vipw and vipw -s commands instead, which edit the /etc/passwd and /etc/shadow files respectively
• You must assign a password for the new user before he/she can use the account. Passwords are assigned using the passwd accountname command

Types of accounts in LINUX

Modifying user account
• The usermod command enables you to make changes to an existing account from the command line.
• It uses the same arguments as the useradd command, plus the -l argument, which allows you to change the account name.
• E.g. to change the account name staff to staff20 and to change the home directory accordingly, you will need to issue the following command:
    $ usermod -d /home/staff20 -m -l staff20 staff

Types of accounts in LINUX

User's locking and unlocking
• You can prevent a user from logging in (locking) using usermod -L login. You can unlock the account using usermod -U login
• Locking the account means putting an asterisk (*) or an exclamation mark (!) before the encrypted password field in the /etc/shadow file, as this destroys the hash.
• Unlocking the password removes those characters.

Types of accounts in LINUX

Adding more than one user on the go
• Bulk user accounts can be created using the newusers command
• The command takes a file that contains the user accounts as its argument
• The file is formatted the same way as the /etc/passwd file, except that the x placeholder in the password field is replaced with the actual password, in clear text.
• The newusers command does not copy the startup files from the /etc/skel directory. Those files have to be manually created
• The user's file can be created using a script that will guarantee creating strong passwords. This file should be highly secured, and removed once the creation process is complete.
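A script of the kind the last bullet mentions, as an added example that is not part of the original slides: it writes a newusers input file with a random password per login and keeps the file readable by its owner only. The function name, the login names and the choice of /bin/bash are assumptions of the example; the UID, GID and comment fields are left empty.

```shell
#!/bin/sh
# make_newusers_file OUTFILE LOGIN...
# Writes one line per login in the newusers layout:
#   name:cleartext-password:uid:gid:comment:home:shell
make_newusers_file() {
    out=$1; shift
    # Refuse to reuse an existing file: truncating it would keep its old,
    # possibly world-readable, permissions.
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077                       # new file gets mode 600
    : > "$out" || { umask "$old_umask"; return 1; }
    for login in "$@"; do
        # 16 random bytes, hex-encoded: 32 characters, never a ":" or newline
        pw=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
        printf '%s:%s::::/home/%s:/bin/bash\n' "$login" "$pw" "$login" >> "$out"
    done
    umask "$old_umask"
}

# Demo with hypothetical logins: build the file in a private temp directory,
# show everything except the password column, then remove it again.
tmp=$(mktemp -d)
make_newusers_file "$tmp/batch" jdoe asmith
cut -d: -f1,3- "$tmp/batch"
# As root, the real run would be: newusers "$tmp/batch"
rm -rf "$tmp"
```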

Types of accounts in LINUX

Assign Users to Groups in Linux
• Once a group is created, users can be added to it
• E.g. the command "sudo usermod -aG marketing sarahsmith" assigns the user sarahsmith to the marketing group

Types of accounts in LINUX

Extracting information with Awk
• The /etc/passwd file can be overwhelming (too much information) when opening it to view the users created:
    cat /etc/passwd
• Awk is a powerful pattern-scanning and text-processing language available on Linux systems.
• It provides a wide range of functionalities, including the ability to extract specific information from files and format it according to specific criteria.
• In the context of checking users in a Linux system, the awk command can be used to extract and format user information from the /etc/passwd file

Types of accounts in LINUX

Extracting information with Awk
• E.g.
• To extract only user information from the /etc/passwd file, we can add options like:
    cat /etc/passwd | awk -F: '{print $1}'
    -F sets the field separator
• To extract the user and the UID, issue:
    awk -F: '{print "Username: " $1 ", UID: " $3}' /etc/passwd
    $1 represents the first field of /etc/passwd
    $3 represents the third field
    -F sets the field separator

Types of accounts in LINUX

Deleting user account
• The userdel command can be used to delete an existing user. This is a very dangerous command if not used with caution.
    Syntax: userdel -r username
• There is only one argument or option available for the command, -r, for removing the account's home directory and mail file.
• E.g. to remove account staff20, issue the following command:
    $ userdel -r staff20
• If you want to keep the home directory for backup purposes, omit the -r option. You can remove the home directory as needed at a later time.
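The same awk field extraction from /etc/passwd can check the account rules given on the earlier slides: login name format, a single UID 0 account, unique UIDs, and no login shell for system accounts. This is an added example, not part of the original slides; the sample accounts are constructed, the finding labels are assumptions of the example, and digits are accepted in login names in addition to the characters the slides list.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (hypothetical accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/bin/bash
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
backup2:x:0:0:spare admin:/root:/bin/bash
asmith:x:1001:1002:Ann Smith:/home/asmith:/bin/bash
9lives:x:1003:1003::/home/9lives:/bin/sh'

# audit_passwd: reads passwd-format lines on stdin, prints one finding per line.
audit_passwd() {
    awk -F: '
    NF != 7 { print "BAD_FIELD_COUNT " $1; next }
    {
        # Login name: first character a lower-case letter or underscore,
        # at most 32 characters (digits allowed here as an assumption)
        if ($1 !~ /^[a-z_][A-Za-z0-9_-]*$/ || length($1) > 32)
            print "BAD_NAME " $1
        # Any UID 0 entry other than root holds full root power
        if ($3 == 0 && $1 != "root")
            print "EXTRA_UID0 " $1
        # Two names sharing a UID are one and the same user to the system
        if ($3 in owner) print "DUP_UID " $3 " " owner[$3] " " $1
        else owner[$3] = $1
        # System accounts (UID under 100) should end in false or nologin
        if ($3 > 0 && $3 < 100 && $7 !~ /(\/false|\/nologin)$/)
            print "SYSTEM_LOGIN_SHELL " $1 " " $7
    }'
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

Against the live file the call is audit_passwd < /etc/passwd; no root privileges are needed because /etc/passwd is world-readable.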

Types of accounts in LINUX

Deleting user account
• Users can be deleted using the userdel command.
• In Ubuntu there is the deluser script, which is a wrapper to userdel.
• It uses the configuration file /etc/deluser.conf to provide the following features (they can be turned on or off):
    Remove the user's home directory
    Backup the user's files
    Remove all the files owned by the user
    Delete the user's group if empty

Shell Scripting