Unix - Security
 Creating a user
 
The instructions listed here are the manual way to administer users and groups. This is also the way I was taught to manage users. It is helpful now because you can see the files that are updated, and the components within those files that define the user or group.
The more reliable way, which also keeps you from forgetting a step, is to use one of the add, delete and modify commands listed below.
 
Online Manpages:
useradd
userdel
usermod
 
groupadd
groupdel
groupmod

 

Create the user:
  1. login as root
  2. > cd /etc
  3. > vi passwd (the passwd file)
    • Make sure the user wasn't added previously.
    • /user (where user is the user's id - ie: widvlc) searches the file for that id
    • If none is found, add the new user
  4. add a new entry on the last line
    • userid:x:123:456:name:/home/userid:/bin/ksh
    • x = placeholder; the password itself lives in the shadow file
    • 123 = user id (must be unique)
    • 456 = group id (the primary group this user is part of)
    • name = name of the user
    • /home/userid = the user's home directory, /bin/ksh = the user's login shell
  5. close and save (:wq!)
 
Set up Password
  1. > vi shadow (the shadow file)
  2. add a new entry on the last line
  3. userid::::::::
    • 8 colons (:), giving the 9 fields of a shadow entry
    • userid is the id you defined in the passwd file (widvlc)
    • until you run passwd, this entry has an empty password field, so do step 5 straight away
  4. close and save (:wq!)
  5. from the command line
    1. > passwd userid
    • You'll be prompted to set a new password
  6. > cat shadow
  • You'll see
    • userid:gibberish:99999::::::
    • gibberish = the encrypted password
    • 99999 = machine date for when the password was created
 
Set up the group
  1. > vi group (the group file)
  2. If the desired group does not exist in the file, add it on the last line.
    1. groupname::gid:userid
    • webadmin::456:widc1s,widvlc
    • gid must be the unique group id number
    • multiple userids are separated by commas
  3. Otherwise, add the user to the end of the line where the group is defined.
  4. close and save (:wq!)
 
Set up the user's home directory
  1. typically created in /home/userid
  2. > cd /home
  3. > mkdir userid
  4. > chmod 755 userid
  • this allows world read; if you don't want that, set permissions accordingly (750)
  5. > chown userid:group userid
  • makes the new user the owner of the directory (the group after the colon is optional)
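As an added example (not part of the original notes), a check to run after hand-editing the three files: it parses passwd, shadow and group contents in the layouts described above and reports the mistakes the steps warn about (duplicate user id, missing primary group, shadow entry still empty). The file contents and the PLACEHOLDER_HASH values are constructed for the example.

```python
# Added example (not from the original notes): sanity checks on hand-edited
# passwd, shadow and group entries, using the field layouts described above.
# File contents are constructed for this example; hashes are placeholders.

PASSWD = """root:x:0:0:Super-User:/:/sbin/sh
widvlc:x:123:456:Example User:/home/widvlc:/bin/ksh
widc1s:x:124:456:Second User:/home/widc1s:/bin/ksh
stale:x:123:999:Duplicate UID:/home/stale:/bin/ksh
"""
SHADOW = """root:PLACEHOLDER_HASH:12345::::::
widvlc::::::::
widc1s:PLACEHOLDER_HASH:12345::::::
"""
GROUP = """root::0:
webadmin::456:widc1s,widvlc
"""

def parse(table, nfields):
    """Split colon-separated lines; reject any line with the wrong field count."""
    rows = []
    for line in table.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"{fields[0]}: expected {nfields} fields, got {len(fields)}")
        rows.append(fields)
    return rows

def audit(passwd=PASSWD, shadow=SHADOW, group=GROUP):
    """Return a list of problems a manual edit commonly introduces."""
    hashes = {row[0]: row[1] for row in parse(shadow, 9)}
    gids = {row[2] for row in parse(group, 4)}
    seen_uid, problems = {}, []
    for name, _, uid, gid, _, _, _ in parse(passwd, 7):
        if uid in seen_uid:                   # uid must be unique
            problems.append(f"{name}: uid {uid} already used by {seen_uid[uid]}")
        seen_uid.setdefault(uid, name)
        if uid == "0" and name != "root":     # a second root-equivalent account
            problems.append(f"{name}: uid 0 account other than root")
        if gid not in gids:                   # primary group must exist
            problems.append(f"{name}: primary gid {gid} not in group file")
        if name not in hashes:                # every passwd user needs a shadow line
            problems.append(f"{name}: no shadow entry")
        elif hashes[name] == "":              # step 3 leaves this empty until passwd runs
            problems.append(f"{name}: empty password field (no password set yet)")
    return problems

if __name__ == "__main__":
    print("\n".join(audit()) or "no problems found")
```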

Permissions

Online Manpages
chmod
chown
chgrp
Set up in 3 levels
  • user | group | world
  • Each level contains 3 fields which define the permission state.
    1. read - denoted by a 4
    2. write - denoted by a 2
    3. execute - denoted by a 1
  • These are set with a number in the chmod command, but are viewed in English.
    • ie: rwx rwx rwx = read, write, execute for all 3 levels of access.
  • These numbers are added together to define the permission state for that level of access.
    • to set rwx = add all the numbers together 4+2+1 = 7
    • to set r-x = add the numbers 4+0+1 = 5
    • to set r-- = add the numbers 4+0+0 = 4
    • to set --- = add the numbers 0+0+0 = 0
  • Level designators:
    You can also use one of the level designators to set permissions.
    u - the user's permission set
    g - the group permission set
    o - the world (or other) permission set
    a - all the permission sets
  • Operator designators:
    If you use the level designators, you will also have to use one of the operator parameters to define what you want to change in the permission set.
    - (minus sign) - remove a permission
    + (plus sign) - add a permission
    = (equal sign) - assign permissions absolutely
  • Permissions are indicated as follows:
r  -  the file is readable
w  -  the file is writable
x  -  the file is executable
-  -  the indicated permission is not granted
s  -  the set-user-ID or set-group-ID bit is on, and
       the corresponding user or group execution bit is also on
S  -  undefined bit-state (the set-user-ID bit is on and the user execution bit is off)
t  -  the 1000 (octal) bit, or sticky bit, is on (see chmod(1)), and execution is on
T  -  the 1000 bit is turned on, and execution is off
Directory / File Attributes
In addition to the 3 levels of permissions, the first character of a file's attribute string defines what kind of file or directory the item is. When the ls -la command is used, this first character can be one of the following:
d    (ie: drwxr-xr-x)
The entry is a directory.
D    (ie: Drwxr-xr-x)
The entry is a door.
l    (ie: lrwxr-xr-x)
The entry is a symbolic link.
b    (ie: brwxr-xr-x)
The entry is a block special file.
c    (ie: crwxr-xr-x)
The entry is a character special file.
p    (ie: prwxr-xr-x)
The entry is a FIFO (or "named pipe") special file.
s    (ie: srwxr-xr-x)
The entry is an AF_UNIX address family socket.
-    (ie: -rwxr-xr-x)
The entry is an ordinary file.
Set permissions on a file or directory
For a directory
> cd to the parent directory

> ls -la = list the details of the contents of that directory

You'll see a list that looks like this:

drwxr-xr-x     links owner group size   lastchngdate   directoryname
-rwxr-xr-x     links owner group size   lastchngdate   filename
d = identifies the entry as a directory; - = an ordinary file
  1. > chmod 774 directoryname
  • this will set permissions for the directory to drwxrwxr--
 
For a file
  1. > cd to the directory where the file exists
  2. > chmod 700 filename
  • this will set permissions for the file to rwx------
 
To give users execute permission on a file, yet have the process run as the user id that owns the file (set-user-ID):
  1. the file must be owned by root
  2. > cd to the directory where the file exists
  3. > chmod 4755 filename
  • this will set permissions for the file to rwsr-xr-x
  • the s in the owner's execute position is the set-user-ID bit: whoever runs the file runs it with the owner's user id, so anyone able to execute a root-owned file with this bit gets root's privileges while it runs
 
To define permissions for a directory and all its subordinate contents:
  1. > cd to the parent directory
  2. > chmod -R 774 directoryname
    • R = recursive
    • r (lowercase) is not an option: chmod reads -r as the mode "remove read permission for everyone", so the directory can no longer be listed (careful with this)
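The r/w/x arithmetic from "Set up in 3 levels" and the s/S/t/T column rules listed under Permissions, as a small converter that also confirms the results of the three chmod commands in this section (774, 700 and 4755). This is an added example written for these notes, not code from the original page; it works on the 9 permission characters only, without the leading file-type character.

```python
# Added example (not from the original notes): converts between the 9-character
# permission string that ls shows and the octal mode chmod takes, using the
# r=4 / w=2 / x=1 arithmetic and the s/S/t/T rules listed above.

def mode_to_octal(mode):
    """'rwsr-xr-x' -> '4755'; 'rwxr-x---' -> '750'. Leading type char (d, l, ...) not included."""
    if len(mode) != 9:
        raise ValueError("expected exactly 9 permission characters")
    special, digits = 0, ""
    for level, (r, w, x) in enumerate((mode[0:3], mode[3:6], mode[6:9])):
        if r not in "r-" or w not in "w-":
            raise ValueError(f"bad read/write flag in {mode!r}")
        value = (4 if r == "r" else 0) + (2 if w == "w" else 0)
        # The third column carries the execute bit plus one special bit per level:
        # owner -> set-user-ID (4000), group -> set-group-ID (2000), world -> sticky (1000).
        letter = "t" if level == 2 else "s"
        if x == "x":
            value += 1
        elif x == letter:            # lowercase: special bit on AND execute on
            value += 1
            special |= 4 >> level
        elif x == letter.upper():    # uppercase: special bit on, execute off
            special |= 4 >> level
        elif x != "-":
            raise ValueError(f"bad execute flag {x!r} in {mode!r}")
        digits += str(value)
    return f"{special}{digits}" if special else digits

def octal_to_mode(octal):
    """'4755' -> 'rwsr-xr-x'. Accepts 3 or 4 octal digits, as chmod does."""
    if len(octal) not in (3, 4):
        raise ValueError("expected 3 or 4 octal digits")
    bits = int(octal, 8)             # raises ValueError on non-octal input such as '778'
    out = ""
    for level, shift in enumerate((6, 3, 0)):
        triple = (bits >> shift) & 7
        out += "r" if triple & 4 else "-"
        out += "w" if triple & 2 else "-"
        exec_on = bool(triple & 1)
        special_on = bool(bits & (0o4000 >> level))
        letter = "t" if level == 2 else "s"
        if special_on:
            out += letter if exec_on else letter.upper()
        else:
            out += "x" if exec_on else "-"
    return out

if __name__ == "__main__":
    for m in ("774", "700", "4755", "2775", "1777"):
        print(m, octal_to_mode(m), mode_to_octal(octal_to_mode(m)))
```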

Using the Level Designators:
  1. If you want to use one of the letters to designate which set of permissions you're working with, the chmod command is defined as follows:
  2. > chmod -R g+r file.name
    • R = recursive
    • g+r = add read access to the group permission set.

Notes:
Absolute changes don't work for the set-group-ID bit of a directory. Instead, you must use the g+s or g-s parameters.