Adding New Users
& Filesystems
& NT Shares
UNIX: Pretty straightforward - and manually tedious (Chapter 5 in ESA)
A. Steps to adding a UNIX user:
--> Number of C library calls (getpwent(), etc.) exist to access
entries in the password file. Many UNIX commands depend on the
file being available, readable, with the proper format.
1. Create an entry in /etc/passwd, selecting a unique 8-char login
name, unique UID, appropriate GID, unique home directory and
appropriate shell.
7 ":" separated fields:
jtbauer:f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/faculty/jtbauer:/bin/tcsh
Name Password UID GID GECOS Home Directory Shell
(encrypted)
Some UNIXes (BSD) provide "vipw", which will lock out other
SysAdmins from editing the /etc/passwd file simultaneously.
2. Make sure group mapping exists in /etc/group, which has the
format:7
groupname:password:gid:user-list
where:
groupname is the name of the group.
gid is the group's numerical ID within the system; it must
be unique.
user-list is a comma-separated list of users allowed in
the group (used for multiple-group memberships by
an individual). You may want to edit the membership
list of other groups, if appropriate. Used thusly:
% id
% groups
% touch file1
% newgrp rosters
% touch file2
% ls -lg file1 file2
Example /etc/group:
u1:*:20:
3. Give the user a password: "passwd username" (as root).
4. Edit their disk quota (if disk quotas are in use) via "edquota".
Type "edquota -p protouser username". How do users see their
current quota usage? "quota -v".
NOTE: Not all UNIXes support disk quotas!
5. Make sure the home directory exists and has the right permissions and
that the appropriate default startup files are installed in
the home directory (.login, .cshrc, .Xdefaults, etc.):
mkdir /home/faculty/jtbauer
cp /usr/skel/.[A-Za-z]* /home/faculty/jtbauer
chown -R jtbauer.u1 /home/faculty/jtbauer
-or- (if "name.group" or "name:group" version
of chgrp not supported)
chown -R jtbauer /home/faculty/jtbauer
chgrp -R u1 /home/faculty/jtbauer
chmod 700 /home/faculty/jtbauer
You can do these steps manually, use a vendor-supplied "adduser"
script, or write your own.
SunOS 4.x: "adduser"
SunOS 5.x: "useradd", "usermod", "userdel".
AIX: "smit"
HP-UX: "sam"
Linux: "adduser" (if part of your Linux distribution)
--> The trend is to provide slick GUI interfaces for most of
SysAdmin functions. <--
Refer to page 15 in ESA.
Many vendors provide a "shadow" password capability -- move the
encrypted password out of the publicly-readable "/etc/passwd" file
and into a root-accessible-only file. WHY DO THIS?
See "Crack", "satan", "COPS", etc. -- any hacker with CPU cycles to
burn can guess passwords, esp. if they are simplistic!
Also allows for creation of new fields to support password rules,
password aging, etc. Examples:
SunOS 4.x: /etc/security/passwd.adjunct (See "man passwd.adjunct")
SunOS 5.x: /etc/shadow (See "man shadow")
Linux: A number of shadow password solutions exist.
B. Removing UNIX users - just undo the steps above!
o Can be problematic to find all files owned by the user, if you
gave them access to directories outside of their home directory.
- One solution: "repquota", if quotas are used.
- Or, "find / -user username -print"
- Don't forget their unread mailbox (/var/spool/mail/username)
- Don't forget any other system files that might have their
name (system mail alias files, etc.).
C. Disabling UNIX users
One: modify their encrypted password
From:
jtbauer:f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/jtbauer:/bin/csh
To:
jtbauer:*off*f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/jtbauer:/bin/csh
Two: disabling their login shell
jtbauer:f9cPz5ilB5N0o:2009:20:Jeff Bauer:/home/jtbauer:/usr/local/bin/nologin
A. UNIX shells
1. /etc/shells - list of trusted shells users can change to via "chsh"
2. CompSci's artificial shells
User classes:
reg, special, pclab, guest, system
Shells classes:
sh, csh, tcsh, bash
20 combinations:
reg-csh, reg-tcsh, etc ....
Each artificial shell is a link to either:
- a real shell
- /usr/local/bin/nologin
/etc/guest-csh -> /usr/local/bin/nologin
/etc/pclab-csh -> /usr/local/bin/nologin
/etc/system-csh -> /bin/csh
/etc/reg-csh -> /bin/csh
/usr/local/bin/nologin produces...
*********************************************************
* *
* Sorry, but you do not have authorization to log in to *
* this machine. You may have a guest account in which *
* case you should be able to login to xi.cs.fsu.edu. *
* Please contact the system group if you think that you *
* have received this notification in error. *
* *
*********************************************************
...then it logs you out.
B. "/bin/passwd" binary
1. Modify the source code or obtain a better binary ("npasswd" or "passwd+").
2. Require a reasonable choice of password (enforce password
rules, such as we have in CS).
3. Have a password server where all must "rlogin" into and neuter
"/bin/passwd" on all other machines. CompSci: "rlogin nu".
C. /etc/passwd
1. Create a cron script to make backups
cp /saved/passwd.1 /saved/passwd.2
cp /saved/passwd.0 /saved/passwd.1
cp /etc/passwd /saved/passwd.0
A common problem is having the "root" file system fill up and
the password file getting truncated to a zero-length file. What
is the biggest problem now? How can you get around it?
2. Use "pwck" (and "grpck") on BSD systems
to make cursory check of these important
files.
3. Occasionally run password crackers to see if your users
are putting in obvious passwords (notice this is less of a problem
if you require them to have creative passwords with restrictions).
D. Default CompSci "dot" files
/nu1/adm/master
GetDefaultDotFiles
******************************************************************************
Windows NT Users and Groups (Chapter 3 in EWNTSA)
SID = Security Identifier; principal reference for user or group
objects within NT. Creating a user name, deleting it, and re-adding
it with the same name does NOT generate the same SID.
SIDs and other account values are stored in SAM - the Security
Account Manager - which is located in the Registry.
SAM is stored (and managed) on the PDC and BDCs in the user's/group's
default domain.
The User Manager for Domains (USRMGR.EXE) tool is used to manage
users and groups.
A user has the following attributes:
o A logon script
o A profile (per-user desktop settings and other restrictions)
o group memberships
o hours of the day allowed to log on
o permitted machines to log into
o account expiration date
o dialin permission rules (callback modems for DialUp Networking)
A group is a useful way of having a common set of permissions clumped
together. A user can be a member of more than one group; the permissions
are additive.
Local *vs* Global
o User Manager for Workstations (MUSRMGR.EXE) is used to manage local
users & groups, who can only log into the single machine.
o User Manager for Domains (USRMGR.EXE) is used to manage domain-level
users & groups, who can log onto any machine within the domain.
Default Local & Global Groups (Page 59 of EWNTSA).
Notice the names are merely text strings; the permissions
(User Rights under Policies) define what they actually can do.
UNC - Universal Naming Convention (universal to Win-style OSes :)
\\[computer name]\[share name]\[directory]\...\[filename]
Example: \\xi\jtbauer\public_html
Book has excellent examples showing how to use the GUI tool to
perform a variety of common user & group functions.
Windows NT User Profiles
A user profile consists of the following components:
- Desktop layout (icons and their placement)
- Taskbar & Start menu items
- Control panel settings (the ones that are permitted to be changed)
- Programs -> Accessories contents
- Network printer settings
- Some application settings (those that are NT-aware!)
- Help System bookmarks
Profiles can be of three types:
- Local: stored and used only on a single machine
- Roaming: stored in a network-accessible directory and used
on each machine the person logs into
- Mandatory: Required, read-only roaming user profiles
Profiles are stored in the filesystem structure (see FIgure 3-6, page 76 of EWNTSA).
You correlate a predefined user profile in USRMGR.EXE; the location and permissions
of the policy determine which of type it is.
Note a potential confusion point - Windows NT System Policies are different
than User Profiles, even though both can be used to customization the
environment for NT users. System policies, discussed later, allow a
fine-grained control over user's abilities/security settings. Edited via
either POLEDIT.EXE or Start -> Programs -> Administrative Tools (Common) ->
System Policy Editor (refer to page 302 in EWNTSA).
******************************************************************************
The UNIX Filesystem
Reference: Chapter 9 in ESA.
A. Making a device in "/dev"
Device files provide a connection between a device and
standard UNIX system calls. For UNIX filesystems, this is a connection
between the disk drive partition and the eventual mount point.
Identified by a "major" and a "minor" device number, as well
as type "b" (block) or "c" (character, or raw device) -- these
examples are from SunOS 4.x/BSD:
sunos4->ls -l /dev/sd0a /dev/rsd0a
brw-r----- 1 root 7, 0 May 3 1995 /dev/sd0a
crw-r----- 1 root 17, 0 May 3 1995 /dev/rsd0a
The naming conventions and major/minor device numbers are
extremely machine-specific! See page 396 of ESA.
Major & minor device numbers used to attribute the device
file with the appropriate kernel device driver.
A BSD-derived shell script named "/dev/MAKEDEV" does the work on
SunOS 4.x and Linux.
Look at line for nit: "mk nit c 37 40 600" -- it boils down
to a "mknod" command.
Note that the naming conventions vary even between different
versions of the operating system. SunOS 5.x, for example,
provides backwards compatiblity with the old names:
touch->ls -l /dev/sd0a /dev/rsd0a
lrwxrwxrwx 1 root root 13 May 4 1995 /dev/rsd0a ->
rdsk/c0t3d0s0
lrwxrwxrwx 1 root root 12 May 4 1995 /dev/sd0a ->
dsk/c0t3d0s0
touch->ls -l rdsk/c0t3d0s0 dsk/c0t3d0s0
lrwxrwxrwx 1 root root 86 May 4 1995 dsk/c0t3d0s0 ->
../../devices/iommu@0,10000000/sbus@0,10001000/espdma@4,8400000/esp@4,8800000/sd@3,0:a
lrwxrwxrwx 1 root root 90 May 4 1995 rdsk/c0t3d0s0 ->
../../devices/iommu@0,10000000/sbus@0,10001000/espdma@4,8400000/esp@4,8800000/sd@3,0:a,raw
The actual naming convention that counts is the one that is used
by the various sysadmin tools (fsck, mount, etc.).
Solaris/System V naming convention:
/dev/dsk/cntndnsn block files
/dev/rdsk/cntndnsn raw files
where:
cn controller n
tn SCSI target id n
dn SCSI LUN n
sn partition n
Notice the actual device files in Solaris sit in a separate tree
rooted at "/devices" (this is a Sun-ism).
SunOS 5.x also does not have a "/dev/MAKEDEV"; the devices
files are created on-the-fly at boot time, when the kernel
detects the hardware. A utility named "devconfig" can be used to
help this process. An annoyance is that you, as root, MUST create
a file named "/reconfigure" (see /etc/rc.S) after you add a new
device and want the device files created, OR you can use the "-r"
option at boot time.
Also, most kernels these days (including Linux) allow for dynamic
loading of kernel modules and device drivers.
B. Symbolic links
- "ln -s file_to_link_to name_of_link"
- Can span file systems
- Can get stale (no kernel enforcement of valid symlinks), thus a
potential for sysadmin overuse and "broken links".
C. Setuid and setgid bits
1. suid and setgid on executables - the effective UID and GID of
the user executing the program temporarily becomes the UID and
GID of the owner of the file, if the suid and guid bits
are set ("chmod 4xxx", "chmod 2xxx", "chmod 6xxx", "chmod u+s",
"chmod g+s", etc. -- see "man chmod" for details).
# ls -l /usr/lib/sendmail
-r-s--x--x 1 root sys 397768 Nov 24 1998 /usr/lib/sendmail
2. setgid on directory - if set, files inherit the group ID
of the directory (a BSD semantic) and not the group ID of
the creator.
- if a file has setgid bit set and group execute
bit cleared then mandatory record locking is in
effect:
rwxr-Sr-x # the "S" indicates setgid set, but group execute not set
D. Sticky bit
On a plain file, the sticky bit indicates that the binary should
remain in memory after the last user finishes executing the text
segment -- the program "sticks" in memory. Typically only settable
by root and used to keep commonly-used programs in memory for
quicker response. This use of the sticky bit has pretty much fallen out
of use with quicker machines and better virtual memory/caching kernels.
On a directory, the sticky bit does (from "man -s 2 chmod"):
If a directory is writable and has S_ISVTX (the sticky bit)
set, files within that directory can be removed or renamed
only if one or more of the following is true (see unlink(2)
and rename(2)):
o the user owns the file
o the user owns the directory
o the file is writable by the user
o the user is a privileged user
Example: shared directories - /tmp and /var/spool/mail
drwxrwsrwt 3 bin staff 512 Jan 27 11:40 tmp
- see xi:/tmp/try_to_delete_me
- /also /var/spool/mail
E. Permissions try for access in the following order:
1. owner
2. group
3. all
- you are stopped at first failure
F. Some UNIXes extend the 9-bit "rwxrwxrwx" permissions to generalized
access lists (AIX, HP-UX, for example). You can control file access
with more flexibility, using commands like "aclget", "aclput", etc.
G. Directory permissions
- 'r' bit allows one to read directory
- 'x' allows one to enter directory
H. inodes - UNIX information node
0. Unique inode number per file per file system.
1. The inode for a file holds most information about a file:
size, pointer to 1st disk block, file permission bits,
timestamps (file accessed ("ls -lu") , file modified ("ls -l"),
inode modified "ls -lc"), etc.
2. The directory entry only holds a name-inode pair
3. The "ls" command is a window into the inode (try "ls -li")
******************************************************************************
Windows NT File Systems
Reference: Chapter 5 & 6 in EWNTSA.
Management of disk drives is not done with FDISK, as in older Microsoft
operating systems, but with Disk Administrator. Adding a new drive to
your machine requires running Disk Administrator to set up partitions,
etc. (WINDISK.EXE).
Disks are partitioned into separate contiguous space on the drive. Each
partition can then be set up as a volume. Disk Administrator allows you
to view your disks as volumes or partitions and then you can administer them
appropriately.
Note that the partition table format on a PC disk drive is universal
between NT and Linux. Linux, however, permits a greater range of control
over the partitions using the Linux-based fdisk. Too bad it's not as
GUI and pretty as Disk Administrator :) Try Linux fdisk option "l" to see the
list of volume types and their names.
The partitions can contain different types of NT-supported file systems:
NTFS - New Technology File System
NTFS is the preferred type of file system for NT.
It is a log-based file system, meaning that it keeps a log
of file transactions. This obviates the need for a file system
repair facility and provides a more reliable system when the
system crashes.
NTFS is required to support all the file permission attributes visible
under Properties/Security/Permissions, as well as other features
(long file names, file ownership, file auditing, etc.).
NTFS also uses "hot fixing" or "sector sparing" technology to
dynamically remap data blocks from bad to good disk sectors.
NTFS supports built-in file compression technology.
NTFS is also required to use NT's built-in software-based
RAID technology. You can mirror and stripe filesystems on
multiple drives! See page 140 in EWNTSA for more information.
FAT - File Allocation Table (MS-DOS) File System
NT can reside using old-style FAT filesystems, if the disk
partition is to be shared between NT and DOS.
A utility exists, CONVERT.EXE, that will convert a DOS file
system into an NTFS file system.
HPFS - High Performance File System (and HPFS386 for Microsoft LAN
Manager).
HPFS is an earlier effort to create a better structure than
FAT under OS/2. Interestingly, HPFS is not supported under Windows NT
4.0 (probably due to the Microsoft/IBM rift between OS/2 and NT).
ISO9660/CDFS/High Sierra with Rock Ridge extensions (long file names)
This is an attempt at coming up with a common file system format for
CD-ROMs so any computer can see files. Operating systems that
support ISO9660-based file systems include NT, Linux and MacOS.
Interesting note: apparently you cannot put an NTFS file system on a floppy!
(Try the Format option under the Properties of a floppy drive *vs* a hard drive.)
NT also provides a form of automatic file mirroring called Windows NT
Replication Services, where you can have a machine replicate common files or
directories on a different machine. Details start on page 394 of EWNTSA.
NTFS File Permissions and Sharing
NTFS file systems have a large set of file permissions. Look under
Properties/Security for any object in Explorer. You can control the
file permissions, auditing and ownership.
File permissions:
Read, Write, Execute, Delete, Change Permission, Take Ownership
The Permissions settings include pre-defined sets of the above
permissions. Chapter 6 in EWNTSA details the set names and their
elements. In short:
No Access - empty set
List - R
Read - R, X
Add - W, X
Add & Read - R, W, X
Change - R, W, X, D
Full Control - R, W, X, D, P, O
Special Directory - user-defined set of permissions
Special File - " " " " "
Note that new directories inherit the permissions of the parent
directory. Also note that you not only have full control over
the permission sets but you can use your current user and group
matrix to assign specific sets of users certain permissions.
File auditing:
On a per-file or recursive directory level you can select
the security auditing you wish to have logged and visible from
the Event Viewer.
File ownership:
This description is from the on-line help.
When you create a file or directory, you become the owner of it. By granting permissions,
the owner controls how the file or directory is used. The owner can grant permission to
another user to take ownership of a file or directory. Otherwise, you must be logged
on as a member of the Administrators group to take ownership.
Although an administrator can take ownership, an administrator cannot transfer
ownership to others. This preserves security. For example, only an administrator who
takes ownership and changes permissions can gain access to a file on which you have
set No Access permission. By checking the ownership of the file, you would see the
ownership change and know who had violated the permission you set on the file.
File Sharing
The Properties/Sharing (or Sharing directly off of the right mouse
menu) dialog allows you to enable other computers
to access your directories and drives. Default is to not share the
object. You can enable sharing, decide how many simultaneous users
can access your share and set share permissions.
Share permissions:
No access, Read, Change, Full Control
Notice that share permissions are not element-selectable, as
are file/directory permissions.
Shared directories and drives get connected into the local filespace
as a separate drive letter. You can connect a share drive in a variety of
ways:
In Explorer, use the Connect network drive icon or
Tools/Map Network Drive or browse up the file space
and back down the Neighborhood Network tree.
Use Neighborhood Network on the desktop.
Use the "net share" command in a CMD.EXE prompt.
You can disconnect a network drive in similar places.
Administrative Shares
NT uses special share names (that end in $) to manage
various services; must be an admin to use them. These
are also known as hidden shares:
ADMIN$ -- directory NT programs reside in
NETLOGON -- directory containing the logon scripts
C$, D$, E$, ... -- root of every local drive letter
IPC$ -- named pipe for inter-workstation IPC
PRINT$ -- shared printers
REPL$ -- part of the replication service mechanism
You can see which directories/files are being shared with Server Manager