Wednesday, July 11, 2007

User permission management in Linux

We have been doing identity management and access control for a long time now, but sometimes we don't put many restrictions on our development team, keeping in mind that they are our friends. I believe that is true, but I still feel it is necessary to define fine-grained access control for all users.


In this post I am going to discuss some very common and simple Linux user management tasks.


1) Adding a new user to Linux (useradd)


-d (home directory)
-s (starting program, i.e. the login shell)
-g (primary group assigned to the user)
-G (other groups the user belongs to)
-m (create the user's home directory)


example:


useradd -g users -G mgmt -s /bin/bash -d /home/roger -m roger


2) Modifying existing user (usermod)


-d (home directory)
-s (starting program, i.e. the login shell)
-p (password; usermod expects an already-hashed value here, so prefer the passwd command for setting passwords)
-g (primary group assigned to the user)
-G (other groups the user belongs to)


example:


usermod -a -G others roger

The -a (append) flag matters: without it, -G replaces the user's whole list of supplementary groups, so roger would silently lose his membership in mgmt.


3) Deleting a user (userdel)


-r (remove home directory)


example:


userdel -r roger


4) /etc/passwd is the file which keeps user names and primary groups. The format of the file is:


User name (normally all lower case)
Password (contains only the letter 'x', which means the password hash is kept in /etc/shadow)
User ID (a unique number for each user)
Primary group ID
Comment (normally the person's full name)
Home directory (normally /home/<user name>)
Default shell (normally /bin/bash)


Each field is separated by a colon.


5) The password field for each user is in the /etc/passwd file; on systems with shadow passwords it only holds the 'x' placeholder and the actual hash lives in /etc/shadow, which is readable by root only.


6) Group information for the user is stored in /etc/group. The format of this file is:


Group name
Group password (hardly ever used)
Group ID
User names (separated by commas)


Note: Do not edit this file directly. Modify the user with the usermod command, which updates this file for you.
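Knowing the two file formats above (points 4 to 6) is what lets you audit them. The script below is an added example, not code from the original post: it parses the colon-separated /etc/passwd and /etc/group layouts described there and reports the things an access-control review looks for (extra UID 0 accounts, duplicate UIDs, empty password fields, hashes kept in /etc/passwd instead of /etc/shadow) and the supplementary groups each user belongs to. The sample file contents, user names and the set of non-hash placeholder values treated as normal ('x', '*', '!') are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data for the example, not a real system's files.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
roger:x:1001:100:Roger Example:/home/roger:/bin/bash
alice:x:1002:100:Alice Example:/home/alice:/bin/bash
backup:x:1002:100:Backup Operator:/home/backup:/bin/bash
toor::0:0:second root:/root:/bin/bash
legacy:$1$abcdefgh$ijklmnopqrstuvwxyz12345:1003:100:Legacy:/home/legacy:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
users:x:100:
mgmt:x:1010:roger,alice
others:x:1011:roger
sudo:x:27:alice,toor
"""

# Password-field values that are placeholders rather than hashes (assumption).
PLACEHOLDERS = ("x", "", "*", "!")


def parse_passwd(text):
    """Return one dict per /etc/passwd line (7 colon-separated fields)."""
    fields = ("name", "password", "uid", "gid", "comment", "home", "shell")
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(fields, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def parse_group(text):
    """Return {group_name: {"gid": int, "members": [...]}} from /etc/group content."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError(f"group line {lineno}: expected 4 fields, got {len(parts)}")
        name, _password, gid, members = parts
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def audit_passwd(entries):
    """Return findings keyed by check name; each value is a list of account names."""
    findings = {
        "extra_uid0": [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"],
        "empty_password": [e["name"] for e in entries if e["password"] == ""],
        "hash_in_passwd": [e["name"] for e in entries if e["password"] not in PLACEHOLDERS],
    }
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    findings["duplicate_uid"] = sorted(names for names in by_uid.values() if len(names) > 1)
    return findings


def supplementary_groups(groups):
    """Return {user: sorted groups that list the user in their member field}."""
    membership = defaultdict(list)
    for gname, info in groups.items():
        for member in info["members"]:
            membership[member].append(gname)
    return {user: sorted(gs) for user, gs in membership.items()}


def members_of(groups, entries, group_name):
    """All members of a group, including users whose primary GID is that group
    (primary membership is recorded in /etc/passwd, not in /etc/group)."""
    gid = groups[group_name]["gid"]
    names = set(groups[group_name]["members"])
    names.update(e["name"] for e in entries if e["gid"] == gid)
    return sorted(names)


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    for check, hits in audit_passwd(entries).items():
        print(f"{check}: {hits}")
    for user, gs in sorted(supplementary_groups(groups).items()):
        print(f"{user}: {', '.join(gs)}")
    print("users group:", members_of(groups, entries, "users"))
```

To run it against a live system, replace the two sample strings with the contents of /etc/passwd and /etc/group; both are world-readable, so no root is needed. The members_of helper is there because a user's primary group never appears in the member field of /etc/group, a detail that trips up group-based reviews.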


Sudo


As I mentioned earlier, you don't want users to share an account. Sudo is there to help us achieve this. I am going to give some simple usages of it.


1) Sudo permissions are stored in the file /etc/sudoers


2) Never edit the file directly with vi. Use visudo, which locks the file and checks the syntax before saving it.


visudo -f /etc/sudoers


3) Put the users into a group and assign the sudo permissions to that group rather than to individual users. This way the sudoers file stays clean.


4) Enable sudo logging by putting the text below in the sudoers file:


Defaults logfile=/var/log/sudolog
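Once sudo writes to the logfile named above, somebody has to read it. The script below is an added example, not code from the original post: it parses lines in the layout sudo uses for its Defaults logfile output (date : invoking user : [message ;] TTY=... ; PWD=... ; USER=target ; COMMAND=...), flags denied invocations and commands that start an interactive shell as another user, and counts allowed and denied runs per user. The sample log lines, user names and the list of shell program names are constructed assumptions.

```python
import re

# Constructed sample lines in the layout of sudo's "Defaults logfile" output.
SAMPLE_SUDOLOG = """\
Jul 11 09:12:03 : roger : TTY=pts/0 ; PWD=/home/roger ; USER=root ; COMMAND=/bin/ls /root
Jul 11 09:13:10 : roger : TTY=pts/0 ; PWD=/home/roger ; USER=root ; COMMAND=/bin/bash
Jul 11 09:15:42 : alice : command not allowed ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/reboot
Jul 11 09:16:05 : alice : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 11 09:20:00 : roger : TTY=pts/0 ; PWD=/home/roger ; USER=postgres ; COMMAND=/usr/bin/psql
"""

# An optional free-text message (e.g. "command not allowed") sits between the
# user and the TTY field when sudo refused or failed the invocation.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) : (?P<user>[^ ]+) : "
    r"(?:(?P<message>[^;]*?) ; )?"
    r"TTY=(?P<tty>[^ ]*) ; PWD=(?P<pwd>[^ ]*) ; USER=(?P<runas>[^ ]*) ; COMMAND=(?P<command>.*)$"
)

# Program names that give an interactive shell (assumption: extend to taste).
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "su"}


def parse_sudolog(text):
    """Parse logfile lines into dicts; lines that do not match are kept under 'raw'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            events.append({"raw": line})
            continue
        ev = m.groupdict()
        ev["denied"] = ev["message"] is not None
        events.append(ev)
    return events


def command_basename(command):
    """First word of COMMAND without its directory ('/bin/bash -l' -> 'bash')."""
    return command.split()[0].rsplit("/", 1)[-1]


def flag_events(events):
    """Return the events worth a human's attention, each with a 'reason' attached."""
    flagged = []
    for ev in events:
        if "raw" in ev:
            flagged.append({**ev, "reason": "unparsed line"})
        elif ev["denied"]:
            flagged.append({**ev, "reason": f"denied: {ev['message']}"})
        elif command_basename(ev["command"]) in SHELLS:
            flagged.append({**ev, "reason": "interactive shell as " + ev["runas"]})
    return flagged


def summarize(events):
    """Count allowed and denied invocations per invoking user."""
    counts = {}
    for ev in events:
        if "raw" in ev:
            continue
        c = counts.setdefault(ev["user"], {"allowed": 0, "denied": 0})
        c["denied" if ev["denied"] else "allowed"] += 1
    return counts


if __name__ == "__main__":
    events = parse_sudolog(SAMPLE_SUDOLOG)
    for ev in flag_events(events):
        print(f"{ev.get('date', '?')} {ev.get('user', '?')}: {ev['reason']}")
    for user, c in summarize(events).items():
        print(f"{user}: {c['allowed']} allowed, {c['denied']} denied")
```

Point the script at /var/log/sudolog (root-readable only, as the file is created by sudo) to get the same report for a real host; a burst of denied entries or an unexpected shell escalation is usually the first thing worth asking a user about.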


There is a lot more that can be done with sudoers, but my aim here is to give real-life usable things, not to reproduce the Linux man pages. Please use the man page if you want more :-)
