Access
users
- a user is a person or program with an ID on the system
- assignment of user accounts
- each user should have a separate account
- guest users sometimes share a guest account
- other accounts are used by programs rather than by humans
- users file: /etc/passwd (7 fields, colon delimited)
- login name: text, begins with a-z, may contain a-z, 0-9, -
- encrypted password: a single character indicates the password is stored elsewhere
- user ID: a number which identifies the user
- group ID: a number which identifies the primary group
- comment (also called GECOS): descriptive text used by some utilities
- home directory: full pathname, usually /home/login-name
- login program: full pathname, usually a shell
- see details with: man 5 passwd
- encrypted passwords
- Linux file: /etc/shadow (readable only by root)
- FreeBSD files: /etc/master.passwd, /etc/spwd.db (readable only by root)
- root user
- user ID 0
- not restricted by UNIX permissions, so errors made by root can be catastrophic
- always log in as a user other than root unless you need root privilege
groups
- a group is a set of users
- assignment of group members
- in modern systems each user usually has a separate group
- users sometimes share a group
- other groups are used by programs rather than by humans
- groups file: /etc/group (4 fields, colon delimited)
- group name: text, begins with a-z, may contain a-z, 0-9, -
- encrypted password: often empty, meaning no password
- group ID: a number which identifies the group
- group members: comma-separated list of users
- see details with: man 5 group
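The two files above share one layout (colon-delimited fields, one record per line). As an added example that is not part of these notes, the following parser reads passwd- and group-style text and flags the conditions the notes warn about: a second account with user ID 0, an empty password field, a password hash left in the world-readable passwd file instead of the shadow file, and group members with no account. The sample lines are constructed, not taken from a real system.

```python
# Added example (not from the notes): parse /etc/passwd- and /etc/group-style
# text and flag entries an administrator would want to review. Sample data is constructed.
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")
GroupEntry = namedtuple("GroupEntry", "name password gid members")

def _rows(text, count):
    """Split non-empty, non-comment lines into exactly `count` colon-delimited fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != count:
            raise ValueError(f"expected {count} fields: {line!r}")
        rows.append(fields)
    return rows

def parse_passwd(text):
    return [PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
            for f in _rows(text, 7)]

def parse_group(text):
    return [GroupEntry(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m])
            for f in _rows(text, 4)]

def audit(passwd, groups):
    """Report extra UID-0 accounts, empty or exposed password fields, and unknown group members."""
    findings = []
    for p in passwd:
        if p.uid == 0 and p.name != "root":
            findings.append(f"{p.name}: UID 0 but not root")
        if p.password == "":
            findings.append(f"{p.name}: empty password field")
        elif p.password not in ("x", "*", "!", "!!"):   # shadow marker or locked account
            findings.append(f"{p.name}: hash in world-readable passwd")
    users = {p.name for p in passwd}
    for g in groups:
        findings += [f"{g.name}: member {m} has no account" for m in g.members if m not in users]
    return findings

# Constructed sample files; "admin2" and "legacy" exist only to trigger findings
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
admin2:x:0:0::/root:/bin/sh
legacy:$6$constructed$notarealhash:1001:1001::/home/legacy:/bin/sh
"""
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:root,alice,mallory\n"
```

Running `audit(parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP))` returns one finding each for admin2, legacy and the wheel group.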
cryptography
- hash functions
- one-way
- used for integrity, identification/searching, passwords
- MD5 (Message Digest)
- SHA-1 (Secure Hash Algorithm)
- symmetric key
- encrypt and decrypt with same key
- efficient, difficult key management
- DES, Triple DES (Data Encryption Standard)
- AES (Advanced Encryption Standard)
- Blowfish, Twofish
- asymmetric key
- RSA system (Rivest, Shamir, Adleman)
- encrypt with recipient's public key, decrypt with private key
- sign (the hash) with sender's private key, verify with public key
- D-H (Diffie-Hellman) key exchange
- public key infrastructure
- identifies holders of public keys
- CA (certificate authority) issues and revokes digital certificates with identity, public key
authentication
- verifies identity of user
- password
- something the user knows
- should be hard to guess but easy to remember
- ticket from an authentication server
- allows single sign-on for multiple services
- out-of-band
- confirmation via phone, text, email, etc.
- used for multi-factor authentication
- hardware token
- something the user possesses
- FIDO (Fast IDentity Online) U2F (Universal 2nd Factor) devices
- often used for multi-factor authentication
- biometric
- fingerprint, retina image, facial image, etc.
- vulnerable to spoofing
process attributes
- a process acts as an agent for a user
- UID (user ID)
- user who started the process
- GID (group ID)
- group of user who started the process
- EUID (effective user ID)
- may differ from the user who started the process, e.g. the user associated with the program file
- EGID (effective group ID)
- may differ from the group of the user who started the process, e.g. the group associated with the program file
utilities
ssh user@host
- opens a secure (encrypted) connection to host and starts a shell as user
- authenticates based on host, keys, and/or password
- many options
passwd user
- run as root, or as an ordinary user to change your own password
- sets or changes password for user
su user
- requires password of user unless run as root
- starts a shell with UID user (default root)
sudo command
- requires explicit permission in /etc/sudoers
- runs command as root
visudo
- run as root
- edits /etc/sudoers (format is rather complex, see details with man 5 sudoers)
useradd user
- run as root
- performs most actions required to create a new account for user
- the -m option makes a home directory
- on some systems called adduser
usermod user modifies account of user
userdel user deletes account of user