COMPUTER AND NETWORK
SYSTEM ADMINISTRATION
CIS 5406-01
Summer 1997 - Lesson 6
Adding New Users
UNIX: Pretty straightforward - and manually tedious
A. Steps to adding a UNIX user:
--> A number of C library calls (getpwent(), etc.) exist to access
entries in the password file. Many UNIX commands depend on the
file being available, readable, and in the proper format.
1. Create an entry in /etc/passwd, selecting a unique 8-char login
name, unique UID, appropriate GID, unique home directory and
appropriate shell.
7 ":" separated fields:
jtbauer:f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/cs36/jtbauer:/bin/tcsh
Name   Password (encrypted)   UID   GID   GECOS   Home Directory   Shell
Some UNIXes (BSD) provide "vipw", which will lock out other
SysAdmins from editing the /etc/passwd file simultaneously.
2. Make sure group mapping exists in /etc/group, which has the
format:
groupname:password:gid:user-list
where:
groupname is the name of the group.
gid is the group's numerical ID within the system; it must
be unique.
user-list is a comma-separated list of users allowed in
the group (used for multiple-group memberships by
an individual). You may want to edit the membership
list of other groups, if appropriate. Used thusly:
% id
% groups
% touch file1
% newgrp rosters
% touch file2
% ls -lg file1 file2
Example /etc/group:
u1:*:20:
3. Give the user a password: "passwd username" (as root).
4. Edit their disk quota (if disk quotas are in use) via "edquota".
Type "edquota -p protouser username". How do users see their
current quota usage? "quota -v".
NOTE: Not all UNIXes support disk quotas!
5. Make sure the directory exists and has the right permissions and
that the appropriate default startup files are installed in
the home directory (.login, .cshrc, .Xdefaults, etc.; see
Table 6.1, p. 91 of USA):
mkdir /home/cs36/jtbauer
cp /usr/skel/.[A-Za-z]* /home/cs36/jtbauer
chown -R jtbauer.u1 /home/cs36/jtbauer
-or- (if the "name.group" form of chown is not supported)
chown -R jtbauer /home/cs36/jtbauer
chgrp -R u1 /home/cs36/jtbauer
chmod 700 /home/cs36/jtbauer
You can do these steps manually, use a vendor-supplied "adduser"
script, or write your own.
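As an added illustration of the "write your own" option (this is not a script from the notes or from any vendor), the following Bourne shell function performs steps 1, 2 and 5 against whatever passwd file, group file and skeleton directory it is handed, so it can be tried on constructed copies before it is ever pointed at /etc/passwd. It assumes no vipw-style lock is taken, that the caller runs it as root when the chown matters, and that the new entry gets a locked password field ("*") so the account is unusable until step 3 ("passwd username") sets a real one. The sample passwd, group and skeleton files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the lecture notes: a minimal "adduser" that does
# steps 1 (passwd entry), 2 (group mapping must exist) and 5 (home
# directory, dot files, ownership, mode 700) against files given as
# arguments. The password field is written as "*" (locked) until step 3.

die() { echo "adduser: $*" >&2; }

# Usage: add_user PASSWD GROUP SKEL login uid gid "GECOS" home shell
add_user() {
    passwd=$1 group=$2 skel=$3 login=$4 uid=$5 gid=$6 gecos=$7 home=$8 shell=$9

    # Step 1: login name is 1-8 chars, lowercase letters/digits, leading letter.
    if [ "${#login}" -lt 1 ] || [ "${#login}" -gt 8 ]; then
        die "login name must be 1-8 characters"; return 1
    fi
    case $login in
        *[!a-z0-9]*) die "login name must be lowercase letters and digits"; return 1 ;;
        [0-9]*)      die "login name must start with a letter"; return 1 ;;
    esac
    case $login$gecos$home$shell in
        *:*) die "fields may not contain ':' (the field separator)"; return 1 ;;
    esac
    # Login name and UID must both be unique (fields 1 and 3 of passwd).
    if awk -F: -v u="$login" -v n="$uid" \
           '$1 == u || $3 == n { found = 1 } END { exit !found }' "$passwd"; then
        die "login name $login or UID $uid already exists in $passwd"; return 1
    fi
    # Step 2: the primary GID must already be mapped in the group file.
    if ! awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }' "$group"; then
        die "GID $gid is not defined in $group; add it first"; return 1
    fi

    # Step 1 (write): append the 7-field entry with a locked password field.
    printf '%s:*:%s:%s:%s:%s:%s\n' "$login" "$uid" "$gid" "$gecos" "$home" "$shell" >> "$passwd"

    # Step 5: home directory, default dot files, ownership, permissions.
    mkdir -p "$home" || return 1
    for f in "$skel"/.[A-Za-z]*; do          # same glob as the notes' cp line
        [ -e "$f" ] && cp -R "$f" "$home"/
    done
    chmod 700 "$home"
    if [ "$(id -u)" -eq 0 ]; then            # chown needs root; skipped otherwise
        chown -R "$uid:$gid" "$home"
    fi
    return 0
}

# Constructed sample files standing in for /etc/passwd, /etc/group and
# /usr/skel, all under a scratch directory.
SCRATCH=$(mktemp -d)
cat > "$SCRATCH/passwd" <<'EOF'
root:x:0:0:Operator:/:/bin/csh
cs36:x:2000:20:CS36 course account:/home/cs36:/bin/csh
EOF
cat > "$SCRATCH/group" <<'EOF'
wheel:*:0:root
u1:*:20:
EOF
mkdir "$SCRATCH/skel"
printf 'setenv EDITOR vi\n' > "$SCRATCH/skel/.login"
printf 'set prompt = "%%m> "\n' > "$SCRATCH/skel/.cshrc"

# The entry from the notes, created under the scratch tree.
add_user "$SCRATCH/passwd" "$SCRATCH/group" "$SCRATCH/skel" \
    jtbauer 2009 20 "Jeff Bauer" "$SCRATCH/home/cs36/jtbauer" /bin/tcsh \
    && echo "added jtbauer:" && tail -n 1 "$SCRATCH/passwd"
```

The two awk calls are the cheap substitute for getpwent()-style lookups; on a real system the same checks are what keep a typo from producing a second UID 0 or two accounts sharing a home directory.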
SunOS 4.x: "adduser"
SunOS 5.x: "useradd", "usermod", "userdel".
AIX: "smit"
HP-UX: "sam"
Linux: "adduser" (if part of your Linux distribution)
--> The trend is to provide slick GUI interfaces for most
SysAdmin functions. <--
Many vendors provide a "shadow" password capability -- move the
encrypted password out of the publicly-readable "/etc/passwd" file
and into a root-accessible-only file. WHY DO THIS?
See "Crack", "satan", "COPS", etc. -- any hacker with CPU cycles to
burn can guess passwords!
Also allows for creation of new fields to support password rules,
password aging, etc. Examples:
SunOS 4.x: /etc/security/passwd.adjunct (See "man passwd.adjunct")
SunOS 5.x: /etc/shadow (See "man shadow")
Linux: See "Shadow Suite":
http://jaka.ece.uiuc.edu/ldp/HOWTO/Shadow-Password-HOWTO.html
NOTE: Excellent source of Linux HOWTOs:
http://jaka.ece.uiuc.edu/ldp/HOWTO/HOWTO-INDEX.html
B. Removing users - just undo the steps above!
o Can be problematic to find all files owned by the user, if you
gave them access to directories outside of their home directory.
- One solution: "repquota", if quotas are used.
- Or, "find / -user username -print"
- Don't forget their unread mailbox (/var/spool/mail/username)
- Don't forget any other system files that might have their
name (system mail alias files, etc.).
C. Disabling users
o One: modify their encrypted password
From:
jtbauer:f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/jtbauer:/bin/csh
To:
jtbauer:*off*f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/jtbauer:/bin/csh
o Two: disabling their login shell
jtbauer:*off*f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/jtbauer:/usr/local/bin/nologin
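The two methods above, applied with awk as an added example (not a script from the notes): the password hash is prefixed with "*off*" and the shell replaced by nologin, written to a temporary file and renamed so the passwd file is never left half-written. An enable_user counterpart strips the prefix (the original hash is still there, so the user keeps their old password) and restores whatever shell is passed in, and disabled_users lists accounts locked by either method. The nologin path is the one from the notes; the sample passwd file is constructed.

```shell
#!/bin/sh
# Added example, not from the lecture notes: disable/enable an account in
# a passwd file by the two methods above, and audit which accounts are
# locked. Assumed: the nologin binary lives at the path the notes use.

NOLOGIN=/usr/local/bin/nologin

# disable_user PASSWD login -> prefix the hash with "*off*" and set shell
disable_user() {
    file=$1 login=$2
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v u="$login" -v sh="$NOLOGIN" '
        $1 == u {
            if ($2 !~ /^\*off\*/) $2 = "*off*" $2    # idempotent
            $7 = sh
            changed = 1
        }
        { print }
        END { exit !changed }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"                              # atomic replace
}

# enable_user PASSWD login shell -> strip the "*off*" prefix, restore shell
enable_user() {
    file=$1 login=$2 shell=$3
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v u="$login" -v sh="$shell" '
        $1 == u { sub(/^\*off\*/, "", $2); $7 = sh; changed = 1 }
        { print }
        END { exit !changed }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# disabled_users PASSWD -> one login per line, locked by either method
disabled_users() {
    awk -F: -v sh="$NOLOGIN" '$2 ~ /^\*off\*/ || $7 == sh { print $1 }' "$1"
}

# Constructed sample passwd file (scratch copy, not /etc/passwd).
PW=$(mktemp)
cat > "$PW" <<'EOF'
root:x:0:0:Operator:/:/bin/csh
jtbauer:f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/jtbauer:/bin/csh
guest:*:3000:30:Guest:/home/guest:/usr/local/bin/nologin
EOF

disable_user "$PW" jtbauer && grep '^jtbauer:' "$PW"
echo "disabled: $(disabled_users "$PW" | tr '\n' ' ')"
```

Both functions return non-zero when the login name is not in the file, so a cron job or wrapper can tell "nothing happened" from "done".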
A. UNIX shells
1. /etc/shells - list of trusted shells users can change to via "chsh"
2. CompSci's artificial shells
user classes:
reg, special, pclab, guest, system
shell classes:
sh, csh, tcsh
15 combinations:
reg-csh, reg-tcsh, etc ....
each artificial shell is a link to either:
- a real shell
- /usr/local/bin/nologin
/etc/guest-csh -> /usr/local/bin/nologin
/etc/pclab-csh -> /usr/local/bin/nologin
/etc/system-csh -> /bin/csh
/etc/reg-csh -> /bin/csh
/usr/local/bin/nologin produces:
*********************************************************
*                                                       *
* Sorry, but you do not have authorization to log in to *
* this machine. You may have a guest account in which   *
* case you should be able to login to xi.cs.fsu.edu.    *
* Please contact the system group if you think that you *
* have received this notification in error.             *
*                                                       *
*********************************************************
then logs you out
B. "/bin/passwd" binary
1. Modify the source code or obtain a better binary ("npasswd" or "passwd+")
2. Require a reasonable choice of password
3. Have a password server that everyone must "rlogin" to, and neuter
"/bin/passwd" on all other machines. CompSci: "rlogin nu".
C. /etc/passwd
1. create a cron script to make backups
cp /saved/passwd.1 /saved/passwd.2
cp /saved/passwd.0 /saved/passwd.1
cp /etc/passwd /saved/passwd.0
A common problem is having the "root" file system fill up and
the password file getting truncated to a zero-length file. What
is the biggest problem now? How can you get around it?
2. Use "pwck" (and "grpck") on BSD systems to make a cursory check
of these important files.
3. Occasionally run password crackers to see if your users
are putting in obvious passwords (notice this is less of a problem
if you require them to have creative passwords with restrictions).
D. Default CompSci "dot" files
/nu1/adm/master
GetDefaultDotFiles
******************************************************************************
Windows NT Users and Groups (Chapter 8 in MWNTS4)
SID = Security Identifier; principal reference for user or group
objects within NT. Creating a user name, deleting it, and re-adding
it with the same name does NOT generate the same SID.
SIDs and other account values are stored in SAM - the Security
Account Manager.
SAM is stored (and managed) on the PDC and BDCs in the user/group's
default domain.
The User Manager for Domains tool is used to manage users and groups.
A user has the following attributes:
o A logon script
o A profile (per-user desktop settings and other restrictions)
A group is a useful way of having a common set of permissions clumped
together. A user can be a member of more than one group; the permissions
are additive.
Local *vs* Global
o User Manager for Workstations is used to manage local users & groups, who
can only log into the single machine.
o User Manager for Domains is used to manage domain-level users & groups,
who can log onto any machine within the domain.
Default Local & Global Groups (Page 219 - 222 of MWNTS4; note comment
about group "Guests" on page 222). Notice the names are merely text strings;
the permissions (User Rights under Policies) define what they actually
can do.
UNC - Universal Naming Convention (universal to Win-style OSes :)
\\[computer name]\[share name]\[directory]\...\[filename]
Example: \\xi\jtbauer\public_html
Book has excellent examples showing how to use the GUI tool to
perform a variety of common user & group functions.
<< Demonstrate User Manager for Domains >>
******************************************************************************
The UNIX Filesystem
A. Making a device in "/dev"
Device files provide a connection between a device and
standard UNIX system calls. For UNIX filesystems, this is a connection
between the disk drive partition and the eventual mount point.
Identified by a "major" and a "minor" device number, as well
as type "b" (block) or "c" (character, or raw device):
xi->ls -l /dev/sd0a /dev/rsd0a
brw-r----- 1 root 7, 0 May 3 1995 /dev/sd0a
crw-r----- 1 root 17, 0 May 3 1995 /dev/rsd0a
The naming conventions and major/minor device numbers are
extremely machine-specific! See Table 7.3 on page 106 of USA.
The major and minor device numbers are what associate the device
file with the appropriate kernel device driver (see the jump
table description on page 98 of USA).
A BSD-derived shell script named "/dev/MAKEDEV" does the work on
SunOS 4.x and Linux.
Look at the line for nit: "mk nit c 37 40 600" -- it boils down
to a "mknod" command.
Note that the naming conventions vary even between different
versions of the operating system. SunOS 5.x, for example,
provides backwards compatibility with the old names:
touch->ls -l /dev/sd0a /dev/rsd0a
lrwxrwxrwx 1 root root 13 May 4 1995 /dev/rsd0a -> rdsk/c0t3d0s0
lrwxrwxrwx 1 root root 12 May 4 1995 /dev/sd0a -> dsk/c0t3d0s0
touch->ls -l rdsk/c0t3d0s0 dsk/c0t3d0s0
lrwxrwxrwx 1 root root 86 May 4 1995 dsk/c0t3d0s0 -> ../../devices/iommu@0,10000000/sbus@0,10001000/espdma@4,8400000/esp@4,8800000/sd@3,0:a
lrwxrwxrwx 1 root root 90 May 4 1995 rdsk/c0t3d0s0 -> ../../devices/iommu@0,10000000/sbus@0,10001000/espdma@4,8400000/esp@4,8800000/sd@3,0:a,raw
/dev/dsk/cntndnsn block files
/dev/rdsk/cntndnsn raw files
where:
cn controller n
tn SCSI target id n (0-6)
dn SCSI LUN n (0-7)
sn partition n (0-7)
Notice the actual device files in Solaris sit in a separate tree
rooted at "/devices".
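As an added example (not from the notes), a shell function that takes the cntndnsn naming scheme apart and enforces the ranges listed above, which is the kind of check a script wants before it passes a device name to newfs or mount. It assumes only the /dev/dsk and /dev/rdsk prefixes shown and the target/LUN/slice ranges from the notes; the example paths are constructed.

```shell
#!/bin/sh
# Added example, not from the lecture notes: parse a SunOS 5.x disk
# device name /dev/dsk/cNtNdNsN or /dev/rdsk/cNtNdNsN into its parts and
# reject names outside the documented ranges (target 0-6, LUN 0-7,
# slice 0-7).

# parse_solaris_dev PATH -> "block|raw controller=N target=N lun=N slice=N"
parse_solaris_dev() {
    path=$1
    case $path in
        /dev/dsk/*)  kind=block; name=${path#/dev/dsk/} ;;
        /dev/rdsk/*) kind=raw;   name=${path#/dev/rdsk/} ;;
        *) echo "not a /dev/dsk or /dev/rdsk path: $path" >&2; return 1 ;;
    esac
    case $name in
        c*t*d*s*) ;;
        *) echo "malformed device name: $name" >&2; return 1 ;;
    esac
    # Peel off each letter-prefixed number in turn.
    rest=${name#c}; c=${rest%%t*}; rest=${rest#*t}
    t=${rest%%d*};  rest=${rest#*d}
    d=${rest%%s*};  s=${rest#*s}
    for v in "$c" "$t" "$d" "$s"; do
        case $v in
            ''|*[!0-9]*) echo "non-numeric component in $name" >&2; return 1 ;;
        esac
    done
    [ "$t" -le 6 ] || { echo "SCSI target $t out of range 0-6" >&2; return 1; }
    [ "$d" -le 7 ] || { echo "SCSI LUN $d out of range 0-7" >&2; return 1; }
    [ "$s" -le 7 ] || { echo "partition $s out of range 0-7" >&2; return 1; }
    echo "$kind controller=$c target=$t lun=$d slice=$s"
}

# The two names from the ls output above (constructed paths).
parse_solaris_dev /dev/rdsk/c0t3d0s0
parse_solaris_dev /dev/dsk/c0t3d0s0
parse_solaris_dev /dev/dsk/c0t7d0s0 || echo "rejected, as it should be"
```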
SunOS 5.x also does not have a "/dev/MAKEDEV"; the device
files are created on-the-fly at boot time, when the kernel
detects the hardware. A utility named "devconfig" can be used to
help this process. An annoyance is that you, as root, MUST create
a file named "/reconfigure" (see /etc/rc.S) after you add a new
device and want the device files created.
Also, most kernels these days (including Linux) allow for dynamic loading of kernel
modules and device drivers (see section 7.5 on page 106 of USA).
B. symbolic links
- "ln -s file_to_link_to name_of_link"
- Can span file systems
- Can get stale (no kernel enforcement of valid symlinks), thus a
potential for sysadmin overuse.
C. setuid and setgid bits
1. setuid and setgid on executables - the effective UID and GID of
the user executing the program temporarily become the UID and
GID of the owner of the file, if the setuid and setgid bits
are set ("chmod 4xxx", "chmod 2xxx", "chmod 6xxx", "chmod u+s",
"chmod g+s", etc. -- see "man chmod" for details).
2. setgid on directory - if set, files inherit the group ID
of the directory (a BSD semantic) and not the group ID of
the creator.
- if a file has setgid bit set and group execute
bit cleared then mandatory record locking is in
effect:
rwxr-Sr-x # the "S" indicates setgid set, but group execute not set
D. sticky bit
On a plain file, the sticky bit indicates that the binary should
remain in memory after the last user finishes executing the text
segment -- the program "sticks" in memory. Typically only settable
by root and used to keep commonly-used programs in memory for
quicker response. This use of the sticky bit has pretty much fallen out
of use with quicker machines and better virtual memory/caching kernels.
On a directory, the sticky bit does (from "man -s 2 chmod"):
If a directory is writable and has S_ISVTX (the sticky bit)
set, files within that directory can be removed or renamed
only if one or more of the following is true (see unlink(2)
and rename(2)):
o the user owns the file
o the user owns the directory
o the file is writable by the user
o the user is a privileged user
Example: shared directories - /tmp and /var/spool/mail
drwxrwsrwt 3 bin staff 512 Jan 27 11:40 tmp
- see xi:/tmp/try_to_delete_me
- also /var/spool/mail
E. Permission checks are tried in the following order:
1. owner
2. group
3. all
- you are thwarted at first failure
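Two small helpers, added here as an example that is not part of the notes, for reading the "rwxrwxrwx" strings from C, D and E above. mode_to_octal turns an ls(1) mode string into the four-digit number you would hand to chmod (so "rwxr-Sr-x" is 2745 and the /tmp line "drwxrwsrwt" is 3777), and can_access applies the owner/group/other order from E: the first class that describes the user decides, and a refusal there is final even when a later class would have allowed the access. The root shortcut (privileged user) is deliberately not modelled; the file owners, groups and users in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the lecture notes: decode symbolic mode strings
# (including s/S and t/T for setuid, setgid and sticky) into octal, and
# check access in the owner -> group -> other order described above.

# triple_bits rwx -> octal digit for one class (s and t count as x)
triple_bits() {
    bits=0
    case $1 in r??) bits=$((bits + 4)) ;; esac
    case $1 in ?w?) bits=$((bits + 2)) ;; esac
    case $1 in ??[xst]) bits=$((bits + 1)) ;; esac
    echo "$bits"
}

# mode_to_octal MODESTRING -> e.g. 2745; accepts 9 or 10 characters
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] && m=${m#?}          # drop the file-type character
    [ "${#m}" -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    u=$(printf '%s' "$m" | cut -c1-3)
    g=$(printf '%s' "$m" | cut -c4-6)
    o=$(printf '%s' "$m" | cut -c7-9)
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # setuid
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # setgid (S: no group x)
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky
    echo "$special$(triple_bits "$u")$(triple_bits "$g")$(triple_bits "$o")"
}

# can_access MODE owner group user "user's groups" r|w|x -> 0 if allowed
can_access() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5 perm=$6
    [ "${#mode}" -eq 10 ] && mode=${mode#?}
    # Pick exactly one class: the first one that matches the user.
    if [ "$user" = "$owner" ]; then
        class=$(printf '%s' "$mode" | cut -c1-3); why=owner
    elif printf ' %s ' "$ugroups" | grep -q " $group "; then
        class=$(printf '%s' "$mode" | cut -c4-6); why=group
    else
        class=$(printf '%s' "$mode" | cut -c7-9); why=other
    fi
    case $perm in
        r) pat='r??' ;;
        w) pat='?w?' ;;
        x) pat='??[xst]' ;;
        *) echo "perm must be r, w or x" >&2; return 2 ;;
    esac
    case $class in
        $pat) echo "$user: $perm allowed by $why bits ($class)"; return 0 ;;
        *)    echo "$user: $perm denied by $why bits ($class)";  return 1 ;;
    esac
}

mode_to_octal "rwxr-Sr-x"      # setgid set, group execute not set
mode_to_octal "drwxrwsrwt"     # the /tmp example above
# "thwarted at first failure": the owner has no bits even though everyone
# else has rwx, so alice is denied while bob is allowed.
can_access "----rwxrwx" alice staff alice "staff users" r
can_access "----rwxrwx" alice staff bob   "staff"       r
```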
F. Some UNIXes extend the 9-bit "rwxrwxrwx" permissions to generalized
access lists (AIX, HP-UX, for example). You can control file access
with more flexibility, using commands like "aclget", "aclput", etc.
G. Directory permissions
- 'r' bit allows one to read directory
- 'x' allows one to enter directory
H. inodes - UNIX information node
0. Unique per file system.
1. The inode for a file holds most information about a file:
size, pointer to 1st disk block, file permission bits,
timestamps (file accessed: "ls -lu"; file modified: "ls -l";
inode modified: "ls -lc"), etc.
2. The directory entry only holds a name-inode pair
3. The "ls" command is a window into the inode (try "ls -li")
4. Actual data structures:
/usr/include/ufs/inode.h (SunOS 4.x)
/usr/include/sys/fs/ufs_inode.h (SunOS 5.x)
/usr/include/linux/fs.h (Linux)
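An added example (not from the notes) that makes points 2 and 3 of H, and the "stale symlink" point of B, visible on any UNIX: a hard link is a second name-inode pair for the same inode, so "ls -li" shows one inode number under both names and the data outlives the first name, whereas a symbolic link has its own inode and simply dangles once its target is gone. The inode numbers and link counts are read from ls output (first and second columns); the files are created in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the lecture notes: hard link vs symbolic link
# seen through the inode. Assumes "ls -i" prints the inode number first
# and "ls -l" prints the link count second, as on BSD, SunOS and Linux.

# inode_of NAME -> inode number (-d so the name itself is examined,
# even for directories and symlinks)
inode_of() { ls -di "$1" | awk '{ print $1 }'; }

# same_inode A B -> 0 if both names are entries for the same inode
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# link_count NAME -> number of directory entries referring to the inode
link_count() { ls -ld "$1" | awk '{ print $2 }'; }

SCRATCH=$(mktemp -d)
echo "hello" > "$SCRATCH/file1"
ln "$SCRATCH/file1" "$SCRATCH/file2"      # hard link: same inode, count 2
ln -s file1 "$SCRATCH/link"               # symlink: its own inode
echo "== ls -li before removing file1 =="
ls -li "$SCRATCH"
same_inode "$SCRATCH/file1" "$SCRATCH/file2" && echo "file1 and file2 share an inode"
rm "$SCRATCH/file1"                       # only the name-inode pair goes away
echo "file2 still reads: $(cat "$SCRATCH/file2")"
cat "$SCRATCH/link" 2>/dev/null || echo "link is now stale (kernel did not stop rm)"
```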
******************************************************************************
Windows NT File Systems
Management of disk drives is not done with FDISK, as in older Microsoft
operating systems, but with Disk Administrator. Adding a new drive to
your machine requires running Disk Administrator to set up partitions,
etc.
Disks are partitioned into separate contiguous space on the drive. Each
partition can then be set up as a volume. Disk Administrator allows you
to view your disks as volumes or partitions and then you can administer them
appropriately.
Note that the partition table format on a PC disk drive is universal
between NT and Linux. Linux, however, permits a greater range of control
over the partitions using the Linux-based fdisk. Too bad it's not as
GUI and pretty as Disk Administrator :) Try fdisk option "l" to see the
list of 16-bit volume types and their names.
The volumes can contain different types of NT-supported file systems.
NTFS - New Technology File System
NTFS is the preferred type of file system for NT.
It is a log-based file system, meaning that it keeps a log
of file transactions. This obviates the need for a file system
repair facility and provides a more reliable system when the
system crashes.
NTFS is required to support all the file permission attributes visible
under Properties/Security/Permissions, as well as other features
(long file names, file ownership, file auditing, etc.).
NTFS also uses "hot fixing" or "sector sparing" technology to
dynamically remap data blocks from bad to good disk sectors.
NTFS is also required to use NT's built-in software-based
RAID technology. You can mirror and stripe filesystems on
multiple drives! See Chapter 20 in MWNTS4 for details (nice
RAID table on page 641).
FAT - File Allocation Table (MS-DOS) File System
NT can reside on old-style FAT filesystems, if the disk
partition is to be shared between NT and DOS.
A utility exists, CONVERT.EXE, that will convert a DOS file
system into an NTFS file system.
HPFS - High Performance File System (and HPFS386 for Microsoft LAN
Manager).
HPFS is an earlier effort to create a better structure than
FAT under OS/2. Interestingly, HPFS is not supported under Windows NT
4.0 (probably due to the Microsoft/IBM rift between OS/2 and NT).
ISO9660/CDFS/High Sierra with Rock Ridge extensions (long file names)
This is an attempt at coming up with a common file system format for
CD-ROMs so any computer can see files. Operating systems that
support ISO9660-based file systems include NT, Linux and MacOS.
Interesting note: apparently you cannot put an NTFS file system on a floppy?
(Try the Format option under the Properties of a floppy drive *vs* a hard drive.)
NT also provides a form of automatic file mirroring called Windows NT
Replication Services, where you can have a machine replicate common files or
directories on a different machine. Details start on page 286 of MWNTS4.
File Permissions and Sharing
NTFS file systems have a large set of file permissions. Look under
Properties/Security for any object in Explorer. You can control the
file permissions, auditing and ownership.
File permissions:
Read, Write, Execute, Delete, Change Permission, Take Ownership
The Permissions settings include pre-defined sets of the above
permissions. Page 260 of MWNTS4 details the set names and their
elements. In short:
No Access - empty set
List - R
Read - R, X
Add - W, X
Add & Read - R, W, X
Change - R, W, X, D
Full Control - R, W, X, D, P, O
Special Directory - user-defined set of permissions
Special File - user-defined set of permissions
Note that new directories inherit the permissions of the parent
directory. Also note that you not only have full control over
the permission sets but you can use your current user and group
matrix to assign specific sets of users certain permissions!
File auditing:
On a per-file or recursive directory level you can select
the security auditing you wish to have logged and visible from
the Event Viewer.
File ownership:
This description is from the on-line help.
When you create a file or directory, you become the owner of it. By granting permissions,
the owner controls how the file or directory is used. The owner can grant permission to
another user to take ownership of a file or directory. Otherwise, you must be logged
on as a member of the Administrators group to take ownership.
Although an administrator can take ownership, an administrator cannot transfer
ownership to others. This preserves security. For example, only an administrator who
takes ownership and changes permissions can gain access to a file on which you have
set No Access permission. By checking the ownership of the file, you would see the
ownership change and know who had violated the permission you set on the file.
The Properties/Sharing (or Sharing directly off of the right mouse
menu) dialog allows you to enable other computers
to access your directories and drives. Default is to not share the
object. You can enable sharing, decide how many simultaneous users
can access your share and set share permissions.
Share permissions:
No access, Read, Change, Full Control
Notice that share permissions are not element-selectable, as
are file/directory permissions.
Shared directories and drives get connected into the local filespace
as a separate drive letter. You can connect a share drive in a variety of
ways:
In Explorer, use the Connect network drive icon or
Tools/Map Network Drive, or browse up the file space
and back down the Network Neighborhood tree.
Use Network Neighborhood on the desktop.
You can disconnect a network drive in similar places.
Administrative Shares
NT uses special share names (that end in $) to manage
various services (page 257 of MWNTS4):
ADMIN$
NETLOGON
C$, D$, E$, ...
IPC$
PRINT$
REPL$
You can see which shares are in use with Server Manager.