In this project you will install user accounts, change login defaults,
manage user accounts (including email configuration),
set disk quotas, set up security, and examine log files.
Since many of these tasks are complicated, the directions below
instruct you to install and then use the
webmin tool to perform some of the tasks, such as
enabling and setting quotas.
Make sure you keep an accurate system journal of any and all changes
you make to your system!
You will need to turn this in, along with the answers to the questions.
This is a lengthy project, so do not wait until the last minute to start! When in doubt, use the man pages (including the man pages that describe files), and use the keyword search feature if you are unsure of the name of some command. Do not hesitate to contact your instructor if you wish any help.
Generally, UIDs and GIDs below 100 are reserved for system and pseudo-system accounts. On some systems (such as Solaris) UIDs above 60000 can't be used or will have limited functionality. The command line and GUI tools know about these limits and should only create accounts within the correct range.
You can change most account information with the
usermod command. The passwd command allows you to
lock and unlock accounts (as does usermod on Linux),
view account status and information, and view and update password
aging and other information.
Other commands on Linux (such as chage) do this too.
Solaris also has the command
logins -axl username
to view details for a user account,
and an expanded set of options to the passwd
command to view and modify most account and password information
for a user account.
In addition, Linux systems contain a command
that is handy for adding a user to a group.
(For some reason this is difficult to do with the other account tools.)
The default contents of a new user's home directory are copied from /etc/skel.
The /etc/login.defs file controls the location of a
user's system mailbox (inbox), what range of UIDs and GIDs to
use, and password aging information.
/etc/default/useradd contains defaults used with the command line utility useradd.
(Solaris has similar default files to Linux's
/etc/default/* but the names of the files depend on
the exact version of Unix you have.)
Disk quotas limit how much hard disk space can be consumed per user (and optionally per group), per filesystem. Unix and Linux filesystems support quotas, but not all filesystem types do. Quotas have soft limits, hard limits, and a grace period. A user may exceed the soft limit but never the hard limit. As soon as a user has exceeded the soft limit, a count-down timer is set to the grace period and starts counting down. When the user reaches the end of the grace period the excess over the soft limit may be deleted, or the account disabled, or the limit may be frozen, or some combination of these. Quotas can be used to limit how much disk space a user can consume per partition, how many files they can create per partition, or both.
Quotas can be enabled by mounting a partition with the
usrquota (and optionally the grpquota) mount option.
(Note that this varies by filesystem and how old your system is;
many filesystems just use
quota as a mount option.
You will need to check the
mount man page for your filesystem
type, for the correct option to use.)
Normally this is done by editing
/etc/fstab and adding
usrquota to the mount options part of the entry
for some filesystem.
Then the quota database files on each partition can be initialized with the
quotacheck command, which should also
run monthly or possibly weekly from cron.
Use the edquota or setquota commands
to edit the quota limits for individual users per partition (and
the grace period too).
Use repquota to generate a quota report
for all users.
You can use quotaon and quotaoff to
manually turn on or off quota checking, although this is usually done
automatically by the boot up rc scripts.
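The following shell script is an added illustration, not part of the original assignment: it reads a repquota(8)-style report and lists the users who are over their soft block limit, marks those who have also reached the hard limit, and shows the remaining grace period. The report text is a constructed sample; on a real system the function would be fed by repquota -a.

```shell
#!/bin/sh
# Added example: flag users over quota from a repquota(8) report.
# SAMPLE_REPORT is constructed for this example; it is not output from any real system.
SAMPLE_REPORT='*** Report for user quotas on device /dev/sda3
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  123456       0       0             12     0     0
auser     +-     180     100     200  6days      15     0     0
buser     --      40     100     200              8     0     0
cuser     +-     200     100     200   none       9     0     0'

# report_over_quota: read a repquota report on stdin and print one line per
# user whose block usage is over the soft limit:
#   <user> SOFT|HARD used=<blocks> soft=<blocks> hard=<blocks> grace=<time|none>
# The first character of the flags column ("+-") is "+" when the block soft
# limit is exceeded; repquota then prints the remaining grace time (or "none"
# once it has expired) in the column after the hard limit.
report_over_quota() {
  awk '
    /^-+$/ { body = 1; next }                  # header ends at the dashed rule
    body && NF >= 9 && substr($2, 1, 1) == "+" {
      used = $3 + 0; soft = $4 + 0; hard = $5 + 0; grace = $6
      status = (hard > 0 && used >= hard) ? "HARD" : "SOFT"
      printf "%s %s used=%d soft=%d hard=%d grace=%s\n", $1, status, used, soft, hard, grace
    }'
}

# Stand-alone demonstration on the constructed report.
# On a real system: repquota -a | report_over_quota
printf '%s\n' "$SAMPLE_REPORT" | report_over_quota
```

Users whose flags column starts with "-" never appear in the output, so a clean report produces nothing, which makes the function convenient to run from cron alongside the periodic quotacheck mentioned above.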
On most systems today users get their email from network mail services,
so these services must be configured.
Usually there is one or more aliases associated with an account.
One reason for aliases is to not let hackers gain access to security
information such as your users' account names or real names.
Aliases reflect the job(s) the users have, such as “sales” or
“postmaster” or “webmaster” or “customer-rep”.
A number of email aliases should always be set up, including
“abuse”, “admin” or “administrator”, and others that
people can use to report problems or contact the correct person.
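As an added check (example code, not from the original assignment), this script reads /etc/aliases-style text, reports which of the role aliases named above are missing, and lists alias targets that resolve to neither another alias, a known local account, nor a remote address. SAMPLE_ALIASES and SAMPLE_LOCAL_USERS are constructed for the example; the real inputs would be /etc/aliases and the account names from /etc/passwd.

```shell
#!/bin/sh
# Added example: sanity-check an /etc/aliases-style file.
# SAMPLE_ALIASES and SAMPLE_LOCAL_USERS are constructed for this example.
SAMPLE_ALIASES='# Role aliases (constructed sample; the real file is /etc/aliases)
mailer-daemon:  postmaster
postmaster:     root
webmaster:      root
admin:          opsuser
# a simple mailing list, continued on an indented line
sysadmins:      auser,
                buser
root:           yourname@example.com'

SAMPLE_LOCAL_USERS='root auser buser'

# Role aliases a site should always define; "a|b" means either name satisfies it.
REQUIRED_ALIASES='postmaster abuse admin|administrator webmaster'

# alias_names CONTENT -> defined alias names, one per line
# (comments, blank lines and indented continuation lines are skipped)
alias_names() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[^[:space:]]/ { sub(/[[:space:]]*:.*/, ""); print }'
}

# alias_targets CONTENT -> "alias target" pairs, one per line, with comma
# lists split and continuation lines attached to the preceding alias
alias_targets() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[^[:space:]]/ { split($0, kv, ":"); name = kv[1]; rest = substr($0, length(kv[1]) + 2) }
    /^[[:space:]]/  { rest = $0 }
    { n = split(rest, t, ",")
      for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", t[i]); if (t[i] != "") print name, t[i] } }'
}

# missing_required_aliases CONTENT -> required role aliases that are not defined
missing_required_aliases() {
  defined=$(alias_names "$1")
  for req in $REQUIRED_ALIASES; do
    printf '%s\n' "$defined" | grep -qxE -- "$req" || echo "$req"
  done
}

# dangling_targets CONTENT -> "alias -> target" for local targets that are
# neither an alias nor a known local account (mail to them would bounce)
dangling_targets() {
  defined=$(alias_names "$1")
  alias_targets "$1" | while read -r name target; do
    case "$target" in *@*) continue ;; esac          # remote address: the MTA decides
    printf '%s\n' "$defined" | grep -qx -- "$target" && continue
    printf '%s\n' $SAMPLE_LOCAL_USERS | grep -qx -- "$target" && continue
    echo "$name -> $target"
  done
}

echo "Missing role aliases:"; missing_required_aliases "$SAMPLE_ALIASES"
echo "Dangling targets:";     dangling_targets "$SAMPLE_ALIASES"
```

Run against the constructed sample it reports “abuse” as missing and “admin -> opsuser” as dangling; remember that after fixing /etc/aliases the database still has to be rebuilt with newaliases before the MTA sees the change.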
To send email and be able to run some of the commands below, you
need to have an email server (MTA) installed and running.
On Fedora, you can check to see if you have sendmail installed with the command
“rpm -q sendmail”.
If not, go ahead and install it and
then start it.
The sudo permissions database is in the file
/etc/sudoers; see the man page for details.
When setting up user accounts it may be necessary to update the
/etc/sudoers file with the visudo
command, to provide extra access to some users.
Answer the following questions and perform the following tasks:
Install webmin. This GUI administration tool works for nearly every Unix or Linux system.
webmin is a web server that “listens” on port
10000 rather than the default web server port of
80. (For security reasons
webmin usually requires access from the localhost only, so remote administration would require extra setup.)
Note the directions on this assignment for using webmin reflect the version of webmin current at the time the assignment was created. Every so often the user interface of webmin changes a bit, and then the directions below may not match exactly what you see on the screen. Do your best, try to use the help provided, and let your instructor know if any of the directions here need to be updated.
Download the RPM
package for your version of Linux (Fedora) from the webmin web site
and install according to the directions on their web page.
(In practice installing from RPMs is very easy.)
Make sure that
webmin is running (hint: webmin is a
legacy SysV init daemon, so you cannot start or
enable it with systemctl).
Access webmin by pointing your web browser to
the correct URL (use the host and port number noted above).
Documentation is installed when you installed webmin,
or you can view it from the webmin web site.
You should log in as the root user.
What version number of
webmin did you install?
Using webmin, create a new user account
auser with the real name
Anne User. Use defaults for all other values.
Which files were modified when the account was created? (Hint: use the find command to locate recently modified files. Note that not all files modified at that time are related to user account creation; only report those files that are related to the creation of the user account.)
Change the initial password for that user to something else (that you can
remember).
Note that an account with a missing password is considered
locked by default.
Display the default settings for new accounts using the useradd command with the
-D option. (These and other default settings could also be set by editing the files in /etc/default.)
What were the options used for each command?
Using the useradd command, create a new user account
buser with the real name
Bob User. Make sure the account is initially disabled (locked). Be sure to set a password (that you will remember).
Remove (or comment out) the “ALL: ALL” line in
/etc/hosts.deny, and start up the
vsftpd service. From the command line you should now be able to run successfully “
ftp localhost” (and login as anonymous). After starting the
sshd service you should also be able to run “
sftp auser@localhost”. What happens when you try this with a locked account (such as
buser)? (Don't try to login as
root, it won't work.)
Enable the buser account now using any non-GUI method. What two commands on Linux can be used to enable (unlock) an account? Verify you can use both ftp and
sftp for that user again. What happened?
Try the commands “su -c 'id' buser” and “
su buser”. Did either command work?
Change the shell for buser to “/bin/false”. Try both ftp and
sftp for that user again. What happened this time? Can you explain these results? (HINT: Examine
/etc/shells for a list of valid shells on your system.)
Change the shell for buser back to “/bin/bash”. As root, try the following commands: “
su buser” and “
su -c 'id' buser”. Did either command work this time?
Force buser to change the password immediately at the next login. (On Linux use the
chage command. On Solaris, use the
passwd command.) What was the exact command used?
Use the man command to find out. Be sure to examine both man pages, and note the options available.
Set disk quota limits for auser. Then cause that user to exceed the limits and observe the results. Although this can be done from webmin, we will use the command line for some of the tasks in the directions below.
If you have ever logged in as
auser from the
GUI, the desktop environment used (kde or
gnome) will have created a large number of additional files (big ones) and
directories in the user's home directory.
If you have never done this,
you most likely have about 40k of files, and
you can use quota limits of 100k (soft) and 200k (hard),
with a grace period of
2 (two) minutes or less.
However, if you've ever used the GUI as
auser, you most likely have used about 5.5MiB of disk space, so
don't use those small quota limits.
Instead use the
du -h command to determine how
much space is actually used and set the quotas to that value plus
100k (soft) and that value plus 200k (hard), with a grace period of
1 (one) hour or less.
If you used the smaller values, don't ever log into
buser from the GUI
(or the attempt to create 530k of files will fail, causing
the GUI system to be corrupted for that user).
How can you set the system to use text based logins, or if
GUI logins are the default, how can you use a
non-GUI login for some user?
(Hint: look at how the default run level is set for
init, or the default target for systemd,
and remember how to switch between virtual consoles.)
On production systems, few users have login permission. For the servers that do, quotas are set based on the expected need of users. Software developers need little, multi-media developers may need a lot. (Managers often need the least but this may be a political issue!)
In webmin, click the /home link. Change the drop-down list for “
Use Quotas?” to either “
User only” or “
User and Group”. Save your changes and go back to the main Webmin page.
While /home is in use you can't remount it to activate
the new mount option(s).
Instead you can save the changes to /etc/fstab
(i.e., the permanent mount list).
Then you must remount /home and build the initial quota database
file(s) before proceeding.
Note you can't do this if
/home is busy!
So if you logged in as your non-root user, you will need to log out and
then enable quotas as root.
This is best done from the command line:
(Find out what processes are still using /home if it is busy.)
mount -o remount /home
which simply remounts /home with the
usrquota flag(s) you set in /etc/fstab.
quotacheck -cuvvM /home
restorecon /home/aquota*
The “restorecon” command fixes an SE
Linux issue in some versions of Fedora.
You will need to do this for all newly created quota files, if you are
running SE Linux in enforcing mode.
Go back to the quotas page in webmin and click /home. Make sure Quotas are enabled for this storage volume (they are if you see
Disable Quotas at the end of the line). If not, go back to the previous steps and enable them. (Remember you may have to log out and log in as root before you can remount
/home.) Click the link to edit quotas for users.
Note that the quota database files (“/home/aquota.*”)
are created with restrictive default permissions.
This normally means the files will only be readable by the owner.
If you wish to allow normal users to check their quota using the
quota command, these files must be readable by
everyone (but writable only by root).
Use “chmod 644 /home/aquota.*” to fix this.
Note you won't be allowed to touch these files while quota checking is on,
so turn off quota checking first (“
quotaoff -a; chmod a+r /home/aquota.*; quotaon -a”).
Select auser from the list of users that shows (or from the popup list you get by clicking on the “...” button). Enter your quotas and limits for this user. Note that when entering a number in the form you must also click the radio button, or the quota limits will remain set to “unlimited”! When done, save your changes.
If you have problems using webmin you can use these steps instead:
setquota -ta 604800 604800    # 7*24*60*60 = 1 week grace
setquota auser soft-blk hard-blk soft-files hard-files /home
repquota -a                   # display quota report
Now log in as
auser. (Don't login from the GUI unless you set the quota limits appropriately!)
To log in as “auser” you can either switch to some virtual console or use:
TERM=dumb ssh auser@localhost
Setting TERM=dumb keeps the terminal from clearing the screen when you close the connection,
giving you a chance to see any messages.
(The sshd daemon must be running before
you can log in via ssh.)
Now go over your soft limit.
You can copy files (from another directory),
create large files by using the
dd command, or
save large man pages as files by running the command:
man bash > bash.txt
Run the du command and verify you are over your soft limit.
What message (if any) was displayed?
Check this user's email.
Was any email sent as a result of going over the quota?
Run the quota command to see the current quota status.
(Remember, this won't work if you login as a non-root user,
unless you made the quota database file(s) readable by everyone.)
What was the output of this command?
Run the command:
( ls -als; quota; ) | lpr -T "your-name: before"
Suppose you remain over your soft limit for more than the grace period (set earlier). What do you think will happen?
After the grace period has passed, attempt to log in as
auser. Was this allowed? If so, was any email sent?
Remove the extra files from
/home/auser. (You may have to do this step as root if you can't login as this user.) Now attempt to login as
auser. Was this allowed? If so, was any email sent? Run the
quota command now. What is the “grace” period now?
Create an email alias for
buser (“Bob User”). Email aliases are created by editing the file
/etc/aliases, and then running the command
newaliases to update the aliases database file that the mail server reads.
Create a “sysadmins” alias that delivers to more than one user, including
root (i.e., a simple mailing list).
Have root's email forwarded to your personal account.
Using a mail client (such as
pine), try to send email messages in turn to each of these aliases, including
sysadmins. What happened in each case?
(There is really too much to do already for this project.
But if you have the time and desire, see if you can figure out how
to set up a new user account
(“Chen User”) that cannot be used
with telnet or ssh (that is, no login permitted), but can be used as
a POP email account only.
Hint: see the man page for
/sbin/nologin and determine
what would happen if this was used instead of a normal shell
for this user.)
The answers to the questions above and the portion of your system journal describing the changes you made to the disk.
You can submit your project as email to . Please see your syllabus for more information about submitting projects.
On Linux, locking an account adds '!' characters to the front of the password in
/etc/shadow. By removing the '
!' characters you can unlock the account, which is exactly what the GUI and command line tools do. So locking then unlocking an account leaves the password intact.
On Solaris when you lock an account, the password is
changed to "
*LK*", so the only way to unlock an account
is to set a new password for that account.
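As an added example (not part of the original assignment), the following script puts the lock rules above together with the /etc/shells check from the earlier tasks: it classifies a shadow password field (Linux '!' prefix, Solaris *LK*, empty, or a normal hash), shows what removing the '!' characters recovers, and reports whether a user could log in interactively given their shell. The passwd, shadow and shells contents are constructed (the hashes are placeholders and the cuser account is invented for the example), not taken from any real system.

```shell
#!/bin/sh
# Added example: account lock and login-shell audit over constructed data.
# Hashes are placeholders; no real system data is used.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
auser:x:1001:1001:Anne User:/home/auser:/bin/bash
buser:x:1002:1002:Bob User:/home/buser:/bin/false
cuser:x:1003:1003:Chen User:/home/cuser:/sbin/nologin
duser:x:1004:1004:Dee User:/home/duser:/bin/bash'

SAMPLE_SHADOW='root:$6$salt$PLACEHOLDERHASHroot:19000:0:99999:7:::
auser:$6$salt$PLACEHOLDERHASHauser:19000:0:99999:7:::
buser:!$6$salt$PLACEHOLDERHASHbuser:19000:0:99999:7:::
cuser:$6$salt$PLACEHOLDERHASHcuser:19000:0:99999:7:::
duser:*LK*:19000:0:99999:7:::'

# Constructed /etc/shells; /bin/false and /sbin/nologin deliberately not listed.
SAMPLE_SHELLS='/bin/sh
/bin/bash'

# password_state FIELD -> one word describing the shadow password field
password_state() {
  case "$1" in
    '')       echo empty ;;           # no password set at all
    '*LK*'*)  echo locked-solaris ;;  # Solaris replaces the hash with *LK*
    '!'*)     echo locked ;;          # Linux prefixes '!' and keeps the hash
    '*')      echo no-password ;;     # '*' alone: no valid hash, no password login
    *)        echo active ;;
  esac
}

# unlock_field FIELD -> the field with leading '!' characters stripped, which is
# what the Linux unlock commands do: the original hash is back in force.
# A Solaris *LK* field comes back unchanged; only a new password unlocks it.
unlock_field() {
  printf '%s\n' "$1" | sed 's/^!*//'
}

# shell_is_valid SHELL SHELLS_CONTENT -> success if SHELL is listed
shell_is_valid() {
  printf '%s\n' "$2" | grep -qx -- "$1"
}

# login_status USER -> "<user> <password-state> <shell> shell-ok|shell-invalid can-login|no-login"
# An interactive password login needs an active password and, for services that
# consult /etc/shells (the ftp server among them), a listed shell.
login_status() {
  u=$1
  u_shell=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$u" '$1 == u { print $7 }')
  pw_field=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$u" '$1 == u { print $2 }')
  state=$(password_state "$pw_field")
  if shell_is_valid "$u_shell" "$SAMPLE_SHELLS"; then shell_ok=shell-ok; else shell_ok=shell-invalid; fi
  if [ "$state" = active ] && [ "$shell_ok" = shell-ok ]; then verdict=can-login; else verdict=no-login; fi
  echo "$u $state $u_shell $shell_ok $verdict"
}

for name in root auser buser cuser duser; do login_status "$name"; done
```

The cuser line is the interesting one for the extra-credit account above: the password is active, so a service that only checks the password (such as POP) would accept it, while anything that needs a listed shell refuses the login.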