In this project you will install user accounts, change login defaults, manage user accounts (including email configuration), set disk quotas, set up security, and examine log files. Since many of these tasks are complicated, the directions below instruct you to install and then use the GUI tool webmin to perform some of the tasks such as enabling and setting quotas. Make sure you keep an accurate system journal of any and all changes you make to your system! You will need to turn this in, along with the answers to the questions asked below.
This is a lengthy project, so do not wait until the last minute to start! When in doubt remember to use the man pages, including for file descriptions, and use the keyword search feature if you are unsure of the name of some command. Do not hesitate to communicate with your instructor if you wish any help.
Generally UIDs and GIDs below 100 are reserved system and pseudo-system accounts. On some systems (such as Solaris) UIDs above 60000 can't be used or will have limited functionality. The command line and GUI tools know about these limits and should only create accounts within the correct range.
You can change most account information with the usermod command. The passwd command allows you to lock/unlock accounts¹ (so does usermod on Linux), view account status and information, and view and update password aging and other information. chage and chfn on Linux do this too. Solaris also has the command logins -axl username to view details for username, and an expanded set of options to the passwd command to view and modify most account and password information for a user account. In addition Linux systems contain a gpasswd utility that is handy for adding a user to a group. (For some reason this is difficult to do with usermod.)
The default contents of a new user's home directory are copied from /etc/skel. The /etc/login.defs file controls the location of a user's system mailbox (inbox), what range of UIDs and GIDs to use, and password aging information. The file /etc/default/useradd contains defaults used with the command line utility useradd. (Solaris has similar default files to Linux's /etc/login.defs and /etc/default/* but the names of the files depend on the exact version of Unix you have.)
Disk quotas limit how much hard disk space can be consumed per user (and optionally per group), per filesystem. Unix and Linux filesystems support quotas but not all filesystem types do. Quotas have soft limits, hard limits, and a grace period. A user may exceed the soft limit but never the hard limit. As soon as a user has exceeded the soft limit, a count-down timer is set to the grace period and starts counting down. When the user reaches the end of the grace period the excess over the soft limit may be deleted, or the account disabled, or the limit may be frozen, or some combination of these. Quotas can be used to limit how much disk space a user can consume per partition, how many files they can create per partition, or both.
Quotas can be enabled by mounting a partition with the usrquota (and optionally the grpquota) mount option(s). (Note that this varies by filesystem and how old your system is; many filesystems just use quota as a mount option. You will need to check the mount man page for your filesystem type, for the correct option to use.) Normally this is done by editing /etc/fstab and adding usrquota to the mount options part of the entry for some filesystem. Then the quota database files on each partition can be initialized with the quotacheck command, which should also run monthly or possibly weekly from cron. Use the commands edquota or setquota to edit the quota limits for individual users per partition (and the grace period too). Use repquota to generate a quota report for all users. You can use quotaon and quotaoff to manually turn on or off quota checking, although this is usually done automatically by the boot up rc scripts.
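Before editing /etc/fstab by hand it helps to check what an entry's mount options already say. The following shell script is an added example (not part of the assignment or of any quota tool): it reads an fstab-style text, reports the quota options for a mount point, and appends usrquota where it is missing. It works only on the constructed sample inside it, never on the real /etc/fstab.

```shell
#!/bin/sh
# Added example: audit and fix quota mount options in an fstab-style text.
# Recognises usrquota/grpquota (Linux ext filesystems), uquota/gquota (xfs)
# and the legacy bare "quota" option, as the mount man page describes.

# Constructed sample fstab (not copied from any real system).
SAMPLE_FSTAB='UUID=1111-2222 /      ext4 defaults        1 1
UUID=3333-4444 /home  ext4 defaults        1 2
UUID=5555-6666 /srv   xfs  defaults,uquota 0 0'

# quota_opts FSTAB_TEXT MOUNTPOINT
# Prints "user", "group", "user+group" or "none" for the entry's options.
quota_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $0 ~ /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, o, ",")
            u = 0; g = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "usrquota" || o[i] == "uquota" || o[i] == "quota") u = 1
                if (o[i] == "grpquota" || o[i] == "gquota") g = 1
            }
            if (u && g) { r = "user+group" } else if (u) { r = "user" }
            else if (g) { r = "group" } else { r = "none" }
            print r
            exit
        }'
}

# add_usrquota FSTAB_TEXT MOUNTPOINT
# Prints the text with usrquota appended to MOUNTPOINT's option list.
# Idempotent: an entry that already has usrquota is left unchanged.
add_usrquota() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $0 !~ /^[[:space:]]*#/ && NF >= 4 && $2 == mp {
            if (("," $4 ",") !~ /,usrquota,/) $4 = $4 ",usrquota"
        }
        { print }'
}
```

After the change the partition still has to be remounted and quotacheck run, as the directions above explain; the script only produces the corrected entry.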
On most systems today the users get email from POP or IMAP, so these services must be configured. Usually there are one or more aliases associated with user accounts. One reason for aliases is to not allow hackers to gain access to security information such as your users' account names or real names. Aliases reflect the job(s) the users have, such as “sales” or “postmaster” or “webmaster” or “customer-rep”. A number of email aliases should always be set up, including “abuse”, “admin” or “administrator”, and others that people can use to report problems or contact the correct person.
To send email and be able to run some of the commands below, you need to have an email server (MTA) installed and running. On Fedora, you can check to see if you have sendmail installed with the command “rpm -q sendmail”. If not, go ahead and install it with dnf, then start it with systemctl.
The sudo permissions database is in the file /etc/sudoers, see the man page for details and examples. When setting up user accounts it may be necessary to update the /etc/sudoers file with the visudo command, to provide extra access to some users.
Answer the following questions and perform the following tasks:
webmin. The GUI administration tool works for nearly every Unix or Linux system. webmin is a web server that “listens” in on port 10000 rather than the default web server port of 80. (For security reasons webmin usually requires access from the localhost only, so remote administration would require extra setup.)
Note the directions on this assignment for using webmin reflect the version of webmin current at the time the assignment was created. Every so often the user interface of webmin changes a bit, and then the directions below may not match exactly what you see on the screen. Do your best, try to use the help provided, and let your instructor know if any of the directions here need to be updated.
Download the RPM package for your version of Linux (Fedora) from www.webmin.com and install according to the directions on their web page. (In practice installing from RPMs is very easy.) Make sure that webmin is running (hint: webmin is a legacy SysV init daemon, so you cannot start or enable it with systemctl), then begin using webmin by pointing your web browser to the correct URL of http://localhost:10000/ or https://localhost:10000/ (for SSL security). Documentation is installed when you installed webmin, or you can view it from the webmin web site. You should log in as the root user. What version number of webmin did you install?
webmin, create a new user account auser with the real name Anne User. Use defaults for all other values.
find command to locate recently modified files. Note not all files modified at that time are related to user account creation, only report those files that are related to the creation of the user account.)
Change the initial password for that user to something else (that you can remember; I like “secret”). Note that an account with a missing password is considered locked by default.
useradd command with the -D option. (These and other default settings could also be set by editing files in /etc/login.defs and /etc/default/useradd.)
/bin/bash. What were the options used for each command?
useradd command, create a new user account buser with real name Bob User. Make sure the account is initially disabled (locked). Be sure to set a password (that you will remember).
ALL: ALL” line in /etc/hosts.deny, and start up the vsftpd service. From the command line you should now be able to run successfully “ftp localhost” (and login as anonymous). After starting the sshd service you should also be able to run “sftp auser@localhost”. What happens when you try this with a locked account (such as buser)? (Don't try to login as root, it won't work.)
buser account now using any non-GUI method.
What two commands on Linux can be used to enable (unlock) an account? Verify you can use both ftp and sftp with the buser account now.
buser to “/sbin/nologin”. Try ftp and sftp for that user again. What happened?
su -c 'id' buser” and “su buser”. Did either command work?
buser to “/bin/false”. Try both ftp and sftp for that user again. What happened this time? Can you explain these results? (HINT: Examine /etc/shells for a list of valid shells on your system.)
buser to “/bin/bash”. As root, try the following commands: “su buser” and “su -c 'id' buser”. Did either command work this time?
buser to change the password immediately at the next login. (On Linux use the chage command. On Solaris, use the passwd command.) What was the exact command used?
man command to find out. Be sure to examine both man pages, and note the options available.
/home partition for auser. Then cause that user to exceed the limits and observe the results. Although this can be done from webmin, we will use the command line for some of the tasks in the directions below. If you have ever logged in as auser from the GUI, the desktop environment used (kde or gnome) will create a large number of additional files (big ones) and directories in the user's home directory. If you have never done this, you most likely have about 40k of files and you can use quota limits of 100k (soft) and 200k (hard), with a grace period of 2 (two) minutes or less. However if you've ever used the GUI as auser, you most likely have used about 5.5MiB of disk space, so don't use those small quota limits. Instead use the du -h command to determine how much space is actually used and set the quotas to that value plus 100k (soft) and that value plus 200k (hard), with a grace period of 1 (one) hour or less. If you used the smaller values, don't ever log into auser or buser from the GUI (or the attempt to create 530k of files will fail, causing the GUI system to be corrupted for that user). How can you set the system to use text based logins, or if GUI logins are the default how can you use a non-GUI login for some user? (Hint: see init for the default run level (or systemd for the default target), and remember about how to switch between virtual consoles.)
On production systems, few users have login permission. For the servers that do, quotas are set based on the expected need of users. Software developers need little, multi-media developers may need a lot. (Managers often need the least but this may be a political issue!)
System” button.
/home link. Change the drop-down list for “Use Quotas?” to either “User only” or “User and Group”. Save your changes and go back to the main Webmin page.
Note: If /home is in use you can't remount it to activate the new mount option(s). Instead you can save the changes to /etc/fstab (i.e., the permanent mount list). Then remount /home and build the initial quota database file(s) before proceeding. Note you can't do this if /home is busy! So if you logged in as your non-root user, you will need to log out and then enable quotas as root. This is best done from the command line:
/home if it is busy.)
mount -o remount /home
Which simply remounts /home with the usrquota flags you set using webmin.
quotacheck -cuvvM /home
restorecon /home/aquota*
The “restorecon” command fixes an SE Linux issue in some versions of Fedora. You will need to do this for all newly created quota files, if you are running SE Linux in enforcing mode.
quotaon -a
/home.
Make sure Quotas are enabled for this storage volume (they are if you see Disable Quotas at the end of the line.) If not, go back to the previous steps and enable them. (Remember you may have to log out and log in as root before you can remount /home.) Click the /home link. Note that the quota database files, “/home/aquota.*” are created with permissions determined by umask. This normally means the files will only be readable by the owner (root). If you wish to allow normal users to check their quota using the quota command, these files must be readable by everyone (but writable only by root). Use “chmod 644 /home/aquota.*” to fix this. Note you won't be allowed to touch this file while quota checking is on, so turn off quota checking first (“quotaoff -a; chmod a+r /home/aquota.*; quotaon -a”).
auser (or select auser from the list of users that shows, or from the popup list you get by clicking on the “...” button). Enter your quotas and limits for this user. Note when entering in a number in the form you must also click the radio button or the quota limits will remain set to “unlimited”! When done click the update button. If you have problems using webmin you can use these steps instead:
setquota -ta 604800 604800 # 7*24*60*60 = 1 week grace
setquota auser soft-blk hard-blk soft-files hard-files /home
repquota -a # display quota report
auser. (Don't login from the GUI unless you set the quota limits appropriately!) To log in as “auser” you can either switch to some virtual console or use:
TERM=dumb ssh auser@localhost
The “TERM=dumb” prevents ssh from clearing the screen when you close the connection, giving you a chance to see any messages. Note that the sshd daemon must be running before you can log in via ssh.
Now go over your soft limit. You can copy files (from /usr/share/doc), create large files by using the dd command, or by saving large man pages as files by running the command:
man bash > bash.txt
Use the du command and verify you are over your soft limit. What message (if any) was displayed? Check this user's email. Was any email sent as a result of going over the quota? Use the quota command to see the current quota status. (Remember, this won't work if you login as a non-root user, unless you made the quota database file(s) readable by everyone.) What was the output of this command? Run the command:
( ls -als; quota; ) | lpr -T "your-name: before"
Suppose you remain over your soft limit for more than the grace period (set earlier). What do you think will happen?
auser. Was this allowed? If so, was any email sent?
/home/auser. (You may have to do this step as root if you can't login as this user.) Now attempt to login as auser. Was this allowed? If so, was any email sent? Run the quota command now. What is the “grace” period now?
buser (“Bob User”). Email aliases are created by editing the file /etc/aliases, and then running the command newaliases to update the aliases database file that sendmail actually uses.
sales for buser.
abuse for buser.
postmaster for buser.
sysadmins for users buser and root (i.e., a simple mailing list).
anne@xyz.com.REDIRECT for auser.
root's email forwarded to your personal account.
newaliases command.
pine) try to send email messages in turn to each of auser, buser, root, and sysadmins. What happened in each case?
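To check an aliases file before relying on it, the following shell script is an added example (not part of the assignment): it expands a recipient through an aliases text the way sendmail resolves chained aliases after newaliases has rebuilt its database. The aliases text and the addresses in it are constructed for the example, not taken from any real /etc/aliases.

```shell
#!/bin/sh
# Added example: resolve a mail recipient through a sendmail-style aliases
# file. Chained aliases (postmaster -> root -> external address) and simple
# lists (sysadmins) are followed; a name without an entry is a local mailbox.

SAMPLE_ALIASES='# constructed sample, mirrors the aliases in the assignment
postmaster:   root
abuse:        buser
sales:        buser
sysadmins:    buser, root
auser:        anne@example.com
root:         admin@example.com
loop1:        loop2
loop2:        loop1'

# expand_alias ALIASES_TEXT NAME
# Prints the final delivery targets, one per line, sorted. A cycle such as
# loop1/loop2 yields no target because no name is expanded twice (sendmail
# itself reports such entries as alias loops).
expand_alias() {
    printf '%s\n' "$1" | awk -v start="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            name = $0; sub(/[[:space:]]*:.*$/, "", name)
            rhs = $0;  sub(/^[^:]*:[[:space:]]*/, "", rhs)
            gsub(/[[:space:]]/, "", rhs)          # "buser, root" -> "buser,root"
            alias[name] = rhs
        }
        END {
            queue[1] = start; head = 1; tail = 1
            while (head <= tail) {
                n = queue[head++]
                if (n in seen) continue
                seen[n] = 1
                if (n in alias) {
                    cnt = split(alias[n], parts, ",")
                    for (i = 1; i <= cnt; i++) queue[++tail] = parts[i]
                } else {
                    print n                      # no alias: deliver here
                }
            }
        }' | sort
}
```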
(There is really too much to do already for this project. But if you have the time and desire, see if you can figure out how to set up a new user account cuser (“Chen User”) that cannot be used with telnet or ssh (that is, no login permitted), but can be used as a POP email account only. Hint: see the man page for /sbin/nologin and determine what would happen if this was used instead of /bin/bash as the shell for this user.)
The answers to the questions above and the portion of your system journal describing the changes you made to the disk.
You can submit your project as email to . Please see your syllabus for more information about submitting projects.
!' characters to the front of the password in /etc/shadow. By removing the '!' characters you can unlock the account, which is exactly what the GUI and command line tools do. So locking then unlocking an account leaves the password intact. On Solaris when you lock an account, the password is changed to "*LK*", so the only way to unlock an account is to set a new password for that account.
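To see the locking mechanism described in that note without touching a real /etc/shadow, the following shell script is an added example (not from the assignment): it classifies constructed shadow records and applies the same '!' prefix transformation that locking and unlocking perform on Linux. The records and hashes in it are made up.

```shell
#!/bin/sh
# Added example: classify /etc/shadow-style records and show what locking
# and unlocking do to the password field. Works only on the constructed
# sample below, never on the real /etc/shadow.

# Constructed sample records; the hashes are made up.
SAMPLE_SHADOW='root:$6$saltsalt$MADEUPHASH:19000:0:99999:7:::
auser:$6$saltsalt$ANOTHERHASH:19000:0:99999:7:::
buser:!$6$saltsalt$ANOTHERHASH:19000:0:99999:7:::
cuser:!!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::'

# shadow_field SHADOW_TEXT USER: print USER's password field (2nd field).
shadow_field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2; exit }'
}

# account_state SHADOW_TEXT USER: "locked" if the field starts with "!",
# "nopass" if it is "*" or empty (no usable password), else "active".
account_state() {
    f=$(shadow_field "$1" "$2")
    case "$f" in
        '!'*)   echo locked ;;
        ''|'*') echo nopass ;;
        *)      echo active ;;
    esac
}

# lock_field FIELD: what usermod -L does to the field: prefix it with "!"
# (some passwd versions add two; unlocking strips all of them).
lock_field() {
    case "$1" in
        '!'*) printf '%s\n' "$1" ;;      # already locked, leave as is
        *)    printf '!%s\n' "$1" ;;
    esac
}

# unlock_field FIELD: strip the leading "!" characters, restoring the hash.
# Like usermod -U, refuse when that would leave an empty password field.
unlock_field() {
    f=$1
    while [ "${f#"!"}" != "$f" ]; do f=${f#"!"}; done
    if [ -z "$f" ]; then
        echo "refusing to unlock: the password field would be empty" >&2
        return 1
    fi
    printf '%s\n' "$f"
}
```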