Andrew Hudson - Fedora™ Unleashed, 2008 edition

► userdel — This command completely removes a user's account (thereby eliminating that user's home directory and all files it contains).

► passwd — This command updates the authentication tokens used by the password management system.

To lock a user out of his account, use the following command:

# passwd -l username

This prepends a double !(exclamation point, also called a bang) to the user's encrypted password; the command to reverse the process uses the -u option. This is a more elegant and preferred solution to the problem than the traditional UNIX way of manually editing the file.

► usermod — This command changes several user attributes. The most commonly used arguments are -sto change the shell and -u to change the UID. No changes can be made while the user is logged in or running a process.

► chsh — This command changes the user's default shell. For Fedora, the default shell is /bin/bash, known as the Bash , or Bourne Again Shell.

Monitoring user activity is part of the sysadmin's duties and an essential task in tracking how system resources are being used. The wcommand tells the sysadmin who is logged in, where he is logged in, and what he is doing. No one is able to hide from the super user. The wcommand can be followed by a specific user's name to show only that user.

The accommand provides information about the total connect time of a user measured in hours. It accesses the /var/log/wtmpfile for the source of its information. The accommand is most useful in shell scripts to generate reports on operating system usage for management review.

Interestingly, a phenomenon known as timewarp can occur in which an entry in the wtmpfiles jumps back into the past and acshows unusual amounts of connected time for users. Although this can be attributed to some innocuous factors having to do with the system clock, it is worthy of investigation by the sysadmin because it can also be the result of a security breach.

The lastcommand searches through the /var/log/wtmpfile and lists all the users logged in and out since that file was first created. The user rebootexists so that you might know who has logged in since the last reboot. A companion to lastis the command lastb, which shows all failed, or bad, logins. It is useful for determining whether a legitimate user is having trouble or a hacker is attempting access.

The accounting system on your computer keeps track of user usage statistics and is kept in the current /var/log/wtmpfile. That file is managed by the initand loginprocesses. If you want to explore the depths of the accounting system, use the GNU info system: info accounting.

Under Linux (and UNIX), everything in the file system, including directories and devices, is a file. And every file on your system has an accompanying set of permissions based on owner ship. These permissions form the basis for security under Linux, and designate each file's read, write, and execute permission for you, members of your group, and all others on the system.

You can examine the default permissions for a file you create by using the umaskcommand, or as a practical example, by using the touchcommand and then the ls command's long-format listing, like this:

$ touch file

$ ls -l file

-rw-rw-r-- 1 andrew andrew 0 2007-10-23 18:50 file

In this example, the touchcommand is used to quickly create a file. The lscommand then reports on the file, displaying information (from left to right) in the first field of output (such as -rw-rw-r--previously):

► The first character of the field is the type of file created— The common indicator of the type of file is a leading letter in the output. A blank (which is represented by a dash in the preceding example) designates a plain file, ddesignates a directory, cdesignates a character device (such as /dev/ttyS0), and b is used for a block device (such as /dev/hda).

► Permissions— Read, write, and execute permissions for the owner, group, and all others on the system. (You learn more about these permissions later in this section.)

► Number of links to the file— The number one ( 1) designates that there is only one file, whereas any other number indicates that there might be one or more hard-linked files. Links are created with the lncommand. A hard-linked file is an exact copy of the file, but it might be located elsewhere on the system. Symbolic links of directories can also be created, but only the root operator can create a hard link of a directory.

► The owner— The account that created or owns the file; you can change this designation by using the chowncommand.

► The group— The group of users allowed to access the file; you can change this designation by using the chgrpcommand.

► File size and creation/modification date— The last two elements indicate the size of the file in bytes and the date the file was created or last modified.

Under Linux, permissions are grouped by owner, group, and others, with read, write, and execute permission assigned to each, like so:

Owner Group Others

rwx rwx rwx

Permissions can be indicated by mnemonic or octal characters. You can use the following mnemonic characters:

► rindicates permission for an owner, member of the owner's group, or others to open and read the file.

► windicates permission for an owner, member of the owner's group, or others to open and write to the file.

► xindicates permission for an owner, member of the owner's group, or others to execute the file (or read a directory).

In the previous example for the file named file, the owner, andrew, has read and write permission, as does any member of the group named andrew.All other users may only read the file. Also note that default permissions for files created by the root operator will differ! This happens because of umasksettings assigned by the shell.

Many users prefer to represent permissions with numeric codes, based on octal (base 8) values. Here's what these values mean:

► 4indicates read permission.

► 2indicates write permission.

► 1indicates execute permission.

In octal notation, the previous example file has a permission setting of 664(read + write or 4 + 2, read + write or 4 + 2, read-only or 4). Although you can use either form of permissions notation, octal is easy to use quickly after you visualize and understand how permissions are numbered.

In Linux, you can create groups to assign a number of users access to common directories and files based on permissions. You might assign everyone in accounting to a group named accounting, for example, and allow that group access to accounts payable files while disallowing access by other departments. Defined groups are maintained by the root operator, but you can use the newgrpcommand to temporarily join other groups to access files (as long as the root operator has added you to the other groups). You can also allow or deny access to your files by other groups by modifying the group permissions of your files.