Lab 15 Switching Users and Setting a Umask

Goal: Become familiar with the use of several essential commands in user
identification and account switching.

System Setup: A working, installed Red Hat Enterprise Linux system with an unprivileged
user account named student with the password student and an
unprivileged user account named visitor with a password password.

Sequence 1: Switching user accounts

Instructions:

1. Switch to virtual terminal 1 (tty1) by pressing: Ctrl-Alt-F1 and log in as visitor with
the password password.

2. Record the output of the following commands:
id
uid=503(visitor) gid=508(visitor) groups=508(visitor)

pwd
/home/visitor

3. Switch to the user student by running su - student and run the commands again:
id
uid=502(student) gid=507(student) groups=507(student)

pwd
/home/student

4. Run exit to terminate student's login and return to your original visitor login.

5. Switch to the student account again, but this time run su student (without the hyphen).
Run id and pwd again:
id
uid=502(student) gid=507(student) groups=507(student)

pwd
/home/visitor

Why do these results differ from those you recorded in the previous step?

The hyphen option to su initiates a new login shell, which includes changing the CWD to
the new user's home directory and running the user's startup scripts (~/.bash_profile,
etc). When su is run without the hyphen, your UID is changed, but all other details of the
login session, including CWD and environment variables, remain the same.

6. Log out of all the shells that you used during this sequence.

Sequence 2: Using umask to set default permissions on newly created files

Instructions:

1. Log in to your workstation as student.

2. View your current umask.

[student@stationX ~]$ umask
0002

3. Create a couple of files and a directory (do not examine the permissions yet).

[student@stationX ~]$ touch world_readable_file1
[student@stationX ~]$ touch world_readable_file2
[student@stationX ~]$ mkdir world_readable_dir1

4. Change your umask to a more paranoid (okay, maybe you prefer the word "secure") setting. Create new files and a directory.

[student@stationX ~]$ umask 027
[student@stationX ~]$ touch restricted_file1
[student@stationX ~]$ touch restricted_file2
[student@stationX ~]$ mkdir restricted_dir1

List the files to see if you are correct:

[student@stationX ~]$ ls -ld world_readable* restricted*

drwxr-x--- 2 student student 4096 Dec 10 15:23 restricted_dir1
-rw-r----- 1 student student 0 Dec 10 15:23 restricted_file1
-rw-r----- 1 student student 0 Dec 10 15:23 restricted_file2

drwxrwxr-x 2 student student 4096 Dec 10 15:22 world_readable_dir1
-rw-rw-r-- 1 student student 0 Dec 10 15:22 world_readable_file1
-rw-rw-r-- 1 student student 0 Dec 10 15:22 world_readable_file2

5. What is the advantage of setting umask over creating files then using the chmod command?

Using umask, you leave no window of vulnerability. In fact, if you make your umask
restrictive enough, you can avoid creating any world-readable file by default.

Sequence 3: Setting a Umask

Instructions:

1. Switch to virtual terminal 1 (tty1) by pressing: Ctrl-Alt-F1

2. Log in as the user visitor with a password of password.

3. Display your current umask:

[visitor@stationX ~]$ umask

4. Below is a table of umasks. Fill in the table with the permissions of files and directories given the umask.
Umask Directory Permissions File Permissions

5. Decide on a reasonable umask for the visitor account and add the appropriate umask command to visitor's .bashrc file. Log out of the visitor account, log in again, and create a file and a directory. View the permissions. Did the directory and file permissions match your expectation? If not, revisit the table in step 4, above, and retry with a new umask.
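The rule behind the listings in Sequence 2 and the table in step 4 is mode = base AND NOT umask, where the base is 666 for files and 777 for directories. The following is an added example, not part of the original lab: it predicts the modes and then measures them in a scratch directory. The function names and the sample umasks are chosen here, and stat -c is the GNU coreutils form found on Red Hat systems.

```bash
#!/bin/bash
# Added example: predict and verify the modes that a umask produces.
# mode = base & ~umask; base is 666 for files and 777 for directories.

# expected_mode BASE UMASK -> octal mode string, e.g. "640"
expected_mode() {
  printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# actual_modes UMASK -> "FILEMODE DIRMODE" as really created under that umask
actual_modes() {
  local scratch
  scratch=$(mktemp -d) || return 1
  (
    umask "$1"            # subshell: the caller's umask stays untouched
    touch "$scratch/f"
    mkdir "$scratch/d"
  )
  echo "$(stat -c %a "$scratch/f") $(stat -c %a "$scratch/d")"
  rm -rf "$scratch"
}

# Print a umask / directory / file table for the umasks given as arguments.
umask_table() {
  local m
  printf '%-6s %-10s %s\n' Umask Directory File
  for m in "$@"; do
    printf '%-6s %-10s %s\n' "$m" \
      "$(expected_mode 777 "$m")" "$(expected_mode 666 "$m")"
  done
}

# Sample umasks chosen for illustration (002 and 027 are the ones used above).
umask_table 002 022 027 077
```

Because touch and mkdir run with the umask already in place, the files never exist with wider permissions, which is the point of the answer to step 5 of Sequence 2.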

Sequence 4: Using the Graphical User-Management Tools

Scenario: A new contractor at your office needs an account on one of the Linux systems. The username and initial password should be contractor. The account should also be a member of the web group (without changing the user's primary group!). Finally, the account should automatically expire 7 days from today.

Instructions:

1. Run System->Administration->Users and Groups and enter the root password if prompted.

2. Click Add Group and enter web in the Group Name field.

3. Click Ok and return to the main Users and Groups interface.

4. Click Add User, enter contractor as the username and password in the appropriate fields. Leave all other fields at their default values.

5. Click Ok to return to the main Users and Groups interface

6. Select the contractor user and click Properties

7. Go to the Account Info tab and check Enable Account Expiration. Calculate the date one week from now and enter it into the Account Expires fields.

8. Go to the Groups tab, scroll to the web group and check the checkbox next to it.

9. Click Ok to return to the main Users and Groups interface.

10. Close the Users and Groups window.

Challenge Sequence 5: Automating User Creation

Scenario: You have been asked to create a large number of user accounts. Since performing repetitive tasks by hand is for chumps, you have decided to write a shell script that uses a for loop on a list of users to create the accounts, generate a random password (different for each user) and send an email notifying users of their account information.

Instructions:

1. First of all, create a file called ~/userlist, which contains the usernames you are about to create. For example, your file might look like this:

sara
harry
marion
tyrone
tappy

2. Devise a command that could be used to create a user whose name is provided by a shell variable called $NAME.

/usr/sbin/useradd $NAME

3. Devise a command that generates a 10-byte-long, base64-encoded, random value and a command line that stores its output in a variable called PASSWORD.

HINT: This will require a command you have not seen before. Start by looking at openssl rand --help

PASSWORD=$(openssl rand -base64 10)

4. Devise a command that non-interactively changes the password of $NAME to $PASSWORD.

HINT: passwd --stdin causes passwd to accept a password on STDIN, meaning you can pass values to it over a pipe.

echo $PASSWORD | passwd --stdin $NAME

5. Devise a command line that uses the mail command to email the values of $NAME and $PASSWORD to root@example.com. The email should have the subject "Account Info".

echo "username: $NAME, password: $PASSWORD" | mail -s "Account Info" root@example.com

6. Finally, gather all your commands within a for loop that sets the NAME variable to each line of the userlist in turn.

Your finished script should look something like this:

#!/bin/bash
# Script for creating all users defined in
# a file called ~/userlist.
for NAME in $(cat ~/userlist)
do
  /usr/sbin/useradd $NAME
  PASSWORD=$(openssl rand -base64 10)
  echo $PASSWORD | passwd --stdin $NAME
  echo "username: $NAME, password: $PASSWORD" | mail -s "Account Info" root@example.com
done

Note that there are still several things that could be improved about this script. For example, passwords are being sent in unencrypted emails. Although anything more complex than what we have here would be outside the scope of this course, you are encouraged to experiment with ways to add your own improvements!

7. Test your script (be sure to use sudo or log in as root first!). Try adding -x to your shebang line if you have problems.
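One way to take up the invitation to improve the script, as an added example that is not part of the original lab: it validates each name before handing it to useradd, reads the list line by line, and forces a password change at first login so the mailed password is only good once. The naming policy, the DRY_RUN switch and the function names are assumptions made here; passwd --stdin and the mail recipient come from the steps above.

```bash
#!/bin/bash
# Added example (not the lab's script): hardened account-creation loop.
# DRY_RUN=1 (default) only prints the plan; run as root with DRY_RUN=0 to apply.
DRY_RUN=${DRY_RUN:-1}
export LC_ALL=C   # make [a-z] in the patterns below mean ASCII only

# Assumed naming policy: lowercase letter or "_" first, then [a-z0-9_-], max 32.
# Rejects empty names, a leading "-" (parsed as an option) and shell metacharacters.
valid_name() {
  case $1 in
    ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Create one account, set a random password, force a change at first login.
create_user() {
  local name=$1 password
  if ! valid_name "$name"; then
    echo "SKIP invalid name: $name" >&2
    return 1
  fi
  if [ "$DRY_RUN" = 1 ]; then
    echo "PLAN useradd $name; set random password; chage -d 0 $name; mail root"
    return 0
  fi
  /usr/sbin/useradd "$name" || return 1
  password=$(openssl rand -base64 10) || return 1
  # The password travels over the pipe only, never on a command line.
  printf '%s\n' "$password" | passwd --stdin "$name" >/dev/null || return 1
  chage -d 0 "$name"   # expire now: the mailed password works exactly once
  printf 'username: %s, password: %s\n' "$name" "$password" |
    mail -s "Account Info" root@example.com
}

# Read the list line by line (no word splitting or globbing, unlike $(cat ...)).
# Prints the number of accounts handled successfully.
create_from_list() {
  local name ok=0
  while IFS= read -r name || [ -n "$name" ]; do
    [ -n "$name" ] || continue
    create_user "$name" >&2 && ok=$((ok + 1))
  done < "$1"
  echo "$ok"
}

if [ -r "${1:-$HOME/userlist}" ]; then
  create_from_list "${1:-$HOME/userlist}"
fi
```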
