User Account Administration

Question 9

When using the admintool command to create a user account, which of the following can be specified as the login shell? [Select all that apply.]

❑ a. Bourne (/bin/sh)
❑ b. C (/bin/csh)
❑ c. Korn (/bin/ksh)
❑ d. Other (specify path)

All the answers are correct.

Question 10

Which commands can be used by root to change a password? [Select all that apply.]

❑ A. admintool
❑ B. passmgmt
❑ C. usermod
❑ D. passwd

The correct answers are A and D. The passmgmt and usermod commands (answers B and C) do not provide any facility to specify a password.

Question 11

Enter the name of the file used to store user account passwords.

The correct answer is /etc/shadow.

Need to Know More?

Mulligan, John P., Solaris 8 Essential Reference (New Riders, Indianapolis, IN, 2001).

Sobell, Mark G., A Practical Guide to Solaris (Addison-Wesley, Reading, MA, 1999).

Sun Microsystems, System Administration Guide: Basic Administration. Available in printed form, on the Web at docs.sun.com, and from the online documentation provided with the Solaris 9 operating system.

Sun Microsystems, System Reference Manual, Section 1—User Commands. Available in printed form, on the Web at docs.sun.com, and from the online documentation provided with the Solaris 9 operating system.

Sun Microsystems, System Reference Manual, Section 1M—System Administration Commands. Available in printed form, on the Web at docs.sun.com, and from the online documentation provided with the Solaris 9 operating system.

Sun Microsystems, System Reference Manual, Section 4—File Formats. Available in printed form, on the Web at docs.sun.com, and from the online documentation provided with the Solaris 9 operating system.

03 8699 ch03 11/19/02 10:04 AM Page 77
Chapter 4
System Security and File Permissions

Terms You Need to Understand
✓ User and group accounts
✓ The superuser account
✓ Absolute and symbolic access modes
✓ The /var/adm/utmpx file
✓ The /var/adm/wtmpx file

Concepts You Need to Master
✓ Restricting and monitoring the superuser account
✓ Monitoring user activities
✓ Changing default and existing file permissions
✓ Changing file ownership

04 8699 ch04 11/19/02 10:03 AM Page 79

Introduction

This chapter covers system security and file permissions. System security addresses controlling access to the system by use of passwords and by restricting and monitoring the use of the administrative user accounts. The file permissions section addresses controlling access to the data in files by using both basic and extended access controls.

System Security

Unix system security is based on controlling access to files (programs and data). Access is controlled by defining user and group accounts and granting these accounts different levels of file access. The user accounts are protected by passwords. Administrative accounts are given access to system data and tools that allow them to perform system maintenance. These include accounts such as root, sys, bin, and adm. Several account administration files are used to store the information associated with user and group accounts, such as account name and password.

The Superuser (Root) Account

The root, or superuser, account is a special administrative account that provides unrestricted access to data and services, because it can override any file permission on the system. To enforce good system security, access to the superuser account must be restricted and monitored as closely as possible. Solaris 9 provides several capabilities that support this, such as restricting where root can log in and recording root usage.
Restricting and Monitoring the Superuser Account

Logging into the system as root can be restricted to the console. That is, the root account cannot log in remotely but is allowed to log in only from the system console. This restriction is enforced by the following entry in the /etc/default/login file:

CONSOLE=/dev/console

By default, the root account is restricted. To disable this feature, edit the /etc/default/login file and put the shell comment character (#) at the beginning of the entry. Note that this entry governs only logins handled by login(1), such as the console, telnet, and rlogin. The Secure Shell daemon shipped with Solaris 9 decides separately, through the PermitRootLogin keyword in /etc/ssh/sshd_config, so both settings need to be checked when auditing where root can log in.

Restricting the root login to the console forces anyone accessing the superuser account remotely to log in with a regular system account and then to use the su(1M) command to become the superuser. The use of the su command can be monitored and logged in several ways. The /etc/default/su file controls this monitoring and logging.

The use of the su command can be displayed on the system console by enabling the following entry in the /etc/default/su file. You do so by removing the comment character (#) from the beginning of the line:

#CONSOLE=/dev/console

Both failed and successful attempts to use the su command are displayed on the console. By default, the use of the su command is not displayed on the console. To enable this feature, edit the /etc/default/su file and remove the shell comment character (#) at the beginning of the entry. Note that this entry is identical to the entry used in the /etc/default/login file to restrict root login to the system console, but its meaning differs: in /etc/default/su it names the device on which su attempts are reported.

The following listing shows the messages displayed on the console for two uses of the su command:

Jul 25 19:53:01 solaris9 su: 'su root' failed for ambro on /dev/pts/5
SU 07/25 19:53 + pts/5 ambro-root
Jul 25 19:53:45 solaris9 su: 'su root' succeeded for ambro on /dev/pts/5

The first line shows an unsuccessful attempt to become root on the system named solaris9 from the login ambro. The second and third lines show a successful attempt to become root.
The messages that begin with a date are displayed regardless of the CONSOLE entry in the /etc/default/su file. The message beginning with SU is displayed as a result of the CONSOLE entry in the /etc/default/su file being uncommented.

The use of the su command can be logged to a file dedicated to su logging, and through the system logging facility (syslog), by enabling (removing the # from) the following entry in the /etc/default/su file. (Although the default file is shown here, any file can be used for the sulog.)

#SULOG=/var/adm/sulog

Both failed and successful attempts to use the su command are logged. By default, the use of the su command is logged to the sulog. To disable this feature, edit the /etc/default/su file and add the shell comment character (#) to the beginning of the entry. The following listing shows the contents of the /var/adm/sulog file:

SU 07/18 12:46 + console root-daemon
SU 07/22 00:36 + pts/5 ambro-root
SU 07/22 08:21 + pts/5 ambro-guest
SU 07/25 06:40 + pts/5 ambro-root
SU 07/25 19:53 - pts/5 ambro-root
SU 07/25 19:53 + pts/5 ambro-root

The "+" and "-" following the date and time indicate success or failure, respectively. The next field indicates the terminal on which the command was entered, and the last field lists the from (who executed the su command) and to (who the user became as a result of the su command) user accounts, separated by a hyphen.

The use of the su command can also be logged using the syslog facility. This is enabled by enabling (removing the # from) the following entry in the /etc/default/su file:

#SYSLOG=YES

However, the syslog facility must be properly configured to capture and log these messages. The syslog facility is covered in Chapter 13. By default, the use of the su command is logged to the syslog facility. To disable this feature, edit the /etc/default/su file and add the shell comment character (#) to the beginning of the SYSLOG entry.
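As an added example (not code from the book), the following POSIX shell script checks the root-restriction entry in /etc/default/login and the logging entries in /etc/default/su described above, and summarises an su log in the sulog format just shown: failed attempts, and every successful escalation to root that was not entered on the console. The function names are the editor's; the sample login, su and sulog files it writes into a scratch directory are constructed for the demonstration, not copies of a real system's files. Point the functions at the real paths to audit a live system.

```shell
#!/bin/sh
# Added example, not code from the book: audit the root-restriction and
# su-logging entries described above and summarise an su log in the sulog
# format shown above. Paths are passed as arguments, so the functions can be
# run against the real /etc/default/login, /etc/default/su and /var/adm/sulog
# or, as in the demonstration at the bottom, against constructed samples.

# check_console_restriction LOGINFILE
# Prints "restricted" when the file carries an active CONSOLE=/dev/console
# entry (root may log in on the console only), otherwise "unrestricted".
# A leading "#" turns the entry into a comment and removes the restriction.
check_console_restriction() {
    if grep -q '^CONSOLE=/dev/console' "$1"; then
        echo restricted
    else
        echo unrestricted
    fi
}

# su_setting SUFILE NAME
# Prints the active value of NAME (SULOG, SYSLOG or CONSOLE) from SUFILE,
# or "disabled" when every occurrence is commented out.
su_setting() {
    awk -F= -v name="$2" '
        $1 == name { value = $2; found = 1 }
        END { print (found ? value : "disabled") }' "$1"
}

# Each sulog line reads: SU MM/DD HH:MM {+|-} tty from-to
# failed_su_attempts SULOG prints every failed attempt as "MM/DD HH:MM tty from-to".
failed_su_attempts() {
    awk '$1 == "SU" && $4 == "-" { print $2, $3, $5, $6 }' "$1"
}

# count_failed_su SULOG prints the number of failed attempts.
count_failed_su() {
    failed_su_attempts "$1" | wc -l | tr -d ' '
}

# remote_root_escalations SULOG
# Prints the account name behind every successful su to root that was not
# entered on the system console, one name per line. With root restricted to
# the console, these lines are the complete record of remote root access.
remote_root_escalations() {
    awk '$1 == "SU" && $4 == "+" && $5 != "console" {
             n = split($6, who, "-")
             if (who[n] == "root") print who[1]
         }' "$1"
}

# make_samples DIR
# Writes constructed sample files (not copies of real system files) into DIR:
# a login file with root restricted, an su file with SULOG on and SYSLOG off,
# and a sulog containing the six entries of the listing above.
make_samples() {
    printf '%s\n' '# constructed /etc/default/login' \
        'CONSOLE=/dev/console' 'PASSREQ=YES' > "$1/login"
    printf '%s\n' '# constructed /etc/default/su' \
        'SULOG=/var/adm/sulog' '#SYSLOG=YES' '#CONSOLE=/dev/console' > "$1/su"
    printf '%s\n' \
        'SU 07/18 12:46 + console root-daemon' \
        'SU 07/22 00:36 + pts/5 ambro-root' \
        'SU 07/22 08:21 + pts/5 ambro-guest' \
        'SU 07/25 06:40 + pts/5 ambro-root' \
        'SU 07/25 19:53 - pts/5 ambro-root' \
        'SU 07/25 19:53 + pts/5 ambro-root' > "$1/sulog"
}

# Stand-alone demonstration against the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
echo "root login:        $(check_console_restriction "$demo/login")"
echo "SULOG:             $(su_setting "$demo/su" SULOG)"
echo "SYSLOG:            $(su_setting "$demo/su" SYSLOG)"
echo "failed su:         $(count_failed_su "$demo/sulog")"
echo "remote root by:    $(remote_root_escalations "$demo/sulog" | sort -u | tr '\n' ' ')"
rm -rf "$demo"
```

On a live system run the three checks as root (the sulog is readable by root only) with the real paths, for example `remote_root_escalations /var/adm/sulog | sort | uniq -c`, to see which accounts have become root remotely and how often; any name that is not an administrator's own account deserves a look at the matching syslog and wtmpx entries.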
The sysadmin Group

User accounts that are members of the sysadmin group (numerical group 14) can perform some selected system administration activities using admintool(1M) without being granted full superuser privileges. This allows basic system administration (adding and deleting users, printers, software, and so on) to be performed by more than one person without compromising system security. This is accomplished by setting the setuid-to-root permission on admintool and requiring membership in the sysadmin group in order to use it. Because admintool then does its work as root, membership in the sysadmin group must be granted as carefully as access to the root account itself. Additional information about groups and the setuid permission is provided later in this chapter.

Login and Logout Procedures

There are several commands used to log in to and out of a system. These logins and logouts, and attempts to log in, are recorded to maintain a usage history.

Logging into a Solaris 9 System

The login(1) command is used to log in to a system. When a connection is made to a system via the network or a tty device, the login command is typically used to prompt for and obtain a user account name and password. These are then compared to the entries in the /etc/passwd and /etc/shadow files to determine whether the user is to be given access to the system. If access is granted, the login shell specified in the /etc/passwd file is started to provide the user an interface to the system. If access is denied, the login command attempts to obtain a valid user account name and password several more times. If all of these fail, the connection to the system is dropped.

Logging into a Remote Solaris 9 System

Two commands provide the capability to log in to a remote system as a local user over the network: the telnet command and the rlogin command.

The telnet Command

The telnet command is used to remotely log in to a system over the network.
The user must provide a valid user account name and password as defined on the remote system, because the telnet command uses standard Unix login/password authentication. The hostname or IP address of the remote system is typically specified as a command-line argument. If it is not specified, the telnet command enters an interactive mode. The remote system prompts for a user account name and password. Note that telnet, like rlogin, transmits the account name, the password, and the whole session in clear text across the network, so anyone able to capture the traffic can read the credentials. The following example shows using the telnet command to log into the remote system solaris9 using the dla user account name.

$ telnet solaris9
Trying 192.168.99.9
Connected to solaris9.
Escape character is '^]'.

SunOS 5.9

login: dla
Password:
Last login: Sat Sep 3 22:34:56 from winnt40
Sun Microsystems Inc.   SunOS 5.9
$

The rlogin Command

The rlogin command can also be used to remotely log in to a system over the network. If the remote authentication database (the /etc/hosts.equiv file and the user's ~/.rhosts file on the remote system) has been set up to trust the local host, the user can log in without providing a password. If this database has not been set up, the user must, as with the telnet command, provide a valid user account name and password as defined on the remote system. If the user account name executing the rlogin command on the local system exists on the remote system, the user account name is not required (it is assumed to be the same as the user account name on the local system). If another user account is to be used on the remote system, the user account name must be specified on the rlogin command line using the -l command-line argument.

The following listing shows three examples of using the rlogin command to log into the remote system solaris9. In the first, the database has been set up to allow the local user account (dla) to log into the same user account on the remote system. In the second example, the database has not been set up. The user account name of dla is assumed and a prompt is issued for a password.
In the third example, a different user account is used (ambro) and the user account name is specified as the rlogin -l command-line argument.

$ rlogin solaris9
Last login: Sun Sep 4 21:28:44 from solaris9
Sun Microsystems Inc.   SunOS 5.9
$

$ rlogin solaris9
Password:
Last login: Sun Sep 4 21:28:44 from solaris9
Sun Microsystems Inc.   SunOS 5.9
$

$ rlogin -l ambro solaris9
Password:
Last login: Sun Sep 4 21:28:44 from solaris9
Sun Microsystems Inc.   SunOS 5.9
$

Failed Login Attempts

Failed login attempts are saved in the /var/adm/loginlog file once a login session reaches five unsuccessful attempts. This logging is enabled by creating the loginlog file and disabled by deleting it. The file should be created with read/write permissions for root only (owner root, group sys, mode 600).

Logging Out of a Solaris 9 System

In most situations, the exit(1) command can be used to log out of a system. This command is recognized by all three shells. For csh, the logout(1) command can also be used to log off a system.

User Access and Administrative Information

Two system data files (referred to as extended databases) are used to store user access and other administrative information. These files are

➤ /var/adm/utmpx—current user access (users currently logged in)
➤ /var/adm/wtmpx—history of user access (based on utmpx entries)

Both files have identical types of entries, which include

➤ User login name
➤ Device used to log in (console, terminal, and so on)
➤ Process ID (PID) of the login shell
➤ Entry timestamp
➤ Process termination/exit status

The content of these two files is used by the commands in the next section of this chapter to identify the users currently logged in and the user login/logout history.
Identifying and Monitoring Users

Several commands can be used to identify and monitor users:

➤ id(1M)—Displays the real and effective User ID (UID) and Group ID (GID)
➤ finger(1)—Displays information about local and remote users
➤ last(1)—Displays who logged into the system and when, who is still logged in, and who logged out and when
➤ who(1) and w(1)—Display the users currently logged into the system
➤ whodo(1M)—Displays who is doing what

The id Command

The id command displays the real and effective UID and GID of the invoking process or of a specified user account. With the -a option, all groups in which the user ID is a member are also listed. The following listing shows the results of executing the id command:

# id -a
uid=0(root) gid=1(other) groups=1(other),0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
#

The finger Command

The finger command displays information about the users logged into the local system or a specified remote system by examining the contents of the /var/adm/utmpx file. The -l command-line argument causes detailed information to be displayed. The user account name of a logged-in user can be specified as a command-line argument to limit the information displayed to a single user. The following listing shows the results of several finger commands using different command-line arguments.

$ finger
Login       Name               TTY         Idle    When    Where
root     Super-User            console          Thu 18:49  :0
ambro    Darrell Ambro         pts/6        4   Thu 18:55  solaris9
$
$ finger -l
Login name: root                        In real life: Super-User
Directory: /                            Shell: /sbin/sh
On since Jul 25 18:49:31 on console from :0
No unread mail
No Plan.

Login name: ambro
Directory: /export/home/ambro           Shell: /bin/sh
On since Jul 25 18:55:26 on pts/6 from solaris9
4 minutes 44 seconds Idle Time
No unread mail
No Plan.
$
$ finger ambro
Login name: ambro
Directory: /export/home/ambro           Shell: /bin/sh
On since Jul 25 18:55:26 on pts/6 from solaris9
5 minutes 7 seconds Idle Time
No unread mail
No Plan.
$

The finger command can also be used to display information about users logged into a remote system by specifying a hostname preceded with the @ character. For example, to display information about users logged into the system solaris9, use the following command:

$ finger @solaris9
[solaris9]
Login       Name               TTY         Idle    When    Where
root     Super-User            console          Thu 18:49  :0
ambro    Darrell Ambro         pts/6        7   Thu 18:55  solaris9
$

The remote form works only when the remote system runs the in.fingerd daemon from inetd(1M). Because it discloses account names, login origins, and idle times to any host on the network, the finger service is normally disabled in /etc/inetd.conf on systems that do not need it.

The last Command

The last command reads the /var/adm/wtmpx file and displays, most recent first, who logged into the system and when, who is still logged in, and who logged out and when. Only part of the listing survives in this preview; the lines that can be recovered are shown:

$ last
ambro     pts/6        solaris9         Thu Jul 25 18:55   still logged in
root      console      :0               Thu Jul 25 18:49   still logged in
...
reboot    system boot                   Sat Jul 20 14:35
ambro     pts/7        192.168.99.200   Sat Jul 13 06:52 - 06:53
ambro     ftp          192.168.99.200   Thu Jul 11 13:12 - 13:13
ambro     ftp          solaris9         Thu Jul 11 13:09 - 13:10
ambro     ftp          192.168.99.201   Thu Jul 11 13:08 - 13:09
root      console      :0               Fri Jul  5 09:22 - 14:33
reboot    system boot                   Fri Jul  5 09:02
root      console      :0               Tue Jul  2 19:38 - 22:14
reboot    system boot                   Tue Jul  2 17:36
...

wtmp begins Sat May 18 21:32
$

The who Command

The who command is used to display the users currently logged into the system, as recorded in the /var/adm/utmpx file. (The who listing itself is not recoverable from this preview.)
The w Command

The w command displays a summary line (current time, uptime, number of users, and load averages) followed by one line per logged-in user showing the terminal, login time, idle time, CPU usage, and the command currently running. Only the header of the listing survives in this preview:

$ w
 6:49pm  up 1 day(s), 6:18,  3 users,  load average: 0.00, 0.00, 0.01
User     tty           login@  idle   JCPU   PCPU  what
...

The following listing shows examples of the permission field portion of the output generated by the ls command. A t in the last position is the sticky bit; an s in the owner or group execute position is the setuid or setgid bit; an l in the group execute position means the setgid bit is on while group execute is off, which enables mandatory file and record locking; and a trailing + shows that an access control list (ACL) is set on the file. See Chapter 12, "Advanced Access Control," for a description of ACLs.

# ls -l
total 2
drwxrwxrwt   2 ambro    other        512 Jul 24 13:49 dir1
-rwsrwxr-x   1 ambro    other       1112 Jul 24 13:53 file1
lrwxrwsr-x   1 ambro    other       1112 Jul 24 13:53 file2
-rwxrwlrwx+  1 ambro    other       1112 Jul 24 13:53 file3

The whodo Command

The whodo command allows the system administrator to combine the information from who with process information to produce a list of what users are doing. The following listing shows the results of a whodo command (only the first lines are recoverable from this preview):

# whodo
Thu Jul 25 19:02:12 EDT 2002
solaris9

console  root     18:49
    ?        573   0:00 Xsession
    pts/3    617   0:00 sdt_shell
    pts/3    632   0:00 ttsession
    pts/3    620   0:00 sh
    pts/3    633   0:00 dtsession
    ?        640   0:00 sdtperfmeter
    ?        638   0:02 ...
...
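As an added example (not code from the book), the following POSIX shell script decodes the permission field shown in the ls listing above into the absolute octal mode that chmod accepts, covering the setuid, setgid, sticky, and mandatory-locking markers, and then scans an ls -l listing for the entries that carry such bits or an ACL. The function names are the editor's, and the listing it runs against is a constructed copy of the chapter's example plus one ordinary file, not output captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the book: decode the permission field that
# ls -l prints (as in the listing above) into the absolute octal mode that
# chmod accepts, and scan an ls -l listing for entries that carry special
# bits or an ACL. The listing used at the bottom is a constructed copy of the
# chapter's example plus one ordinary file, not output from a real system.

# ls_mode_to_octal PERMFIELD -> four-digit absolute mode, e.g. -rwsrwxr-x -> 4775
# Characters 2-10 of the field are the owner, group and other rwx triples:
#   s or S in an execute position   = setuid (owner) or setgid (group)
#   t or T in the last position     = sticky bit
#   l in the group execute position = setgid with group execute off
#                                     (mandatory file and record locking)
# A lowercase s or t also carries the underlying execute bit; uppercase does not.
ls_mode_to_octal() {
    awk -v p="$1" 'BEGIN {
        special = 0; bits = 0
        for (i = 2; i <= 10; i++) {
            c = substr(p, i, 1)
            pos = i - 2                 # 0..8 from owner r to other x
            val = 2 ^ (8 - pos)         # 256 for owner r down to 1 for other x
            if (c == "r" || c == "w" || c == "x") bits += val
            else if (c == "s") { bits += val; special += (pos == 2) ? 4 : 2 }
            else if (c == "S") { special += (pos == 2) ? 4 : 2 }
            else if (c == "t") { bits += val; special += 1 }
            else if (c == "T") { special += 1 }
            else if (c == "l") { special += 2 }
        }
        printf "%d%03o\n", special, bits
    }'
}

# ls_has_acl PERMFIELD -> "yes" when an eleventh character "+" marks an ACL
ls_has_acl() {
    case "$1" in
        ??????????+) echo yes ;;
        *)           echo no ;;
    esac
}

# flag_special_entries < ls-l-output
# Prints "MODE NAME" for every entry whose mode has a setuid, setgid, sticky
# or mandatory-locking bit, or that carries an ACL: the entries whose access
# rights are not fully described by the three rwx triples.
flag_special_entries() {
    while read -r perm rest; do
        case "$perm" in
            [-dl]*) ;;               # file, directory or symbolic link
            *) continue ;;           # "total N" or an empty line
        esac
        name=${rest##* }             # the name is the last field of the line
        mode=$(ls_mode_to_octal "$perm")
        if [ "$(ls_has_acl "$perm")" = yes ]; then
            echo "$mode $name"
        else
            case "$mode" in
                0*) ;;
                *)  echo "$mode $name" ;;
            esac
        fi
    done
}

# sample_listing prints a constructed ls -l listing for the demonstration.
sample_listing() {
    cat <<'EOF'
total 2
drwxrwxrwt   2 ambro    other        512 Jul 24 13:49 dir1
-rwsrwxr-x   1 ambro    other       1112 Jul 24 13:53 file1
lrwxrwsr-x   1 ambro    other       1112 Jul 24 13:53 file2
-rwxrwlrwx+  1 ambro    other       1112 Jul 24 13:53 file3
-rw-r--r--   1 ambro    other        636 Jul 24 13:55 notes
EOF
}

# Stand-alone demonstration: prints 1777 dir1, 4775 file1, 2775 file2, 2767 file3.
sample_listing | flag_special_entries
```

On a real system feed it `ls -l /usr/bin | flag_special_entries` to list the setuid and setgid programs in a directory by their absolute mode; the same four-digit mode is what `chmod 4755 file` or `chmod 0755 file` sets, so the output can be compared directly against a baseline of expected modes.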
The chown command changes the owner of a file. The following listing shows the files before the chown command is used; they are owned by the guest account and belong to the other group:

# ls -l
total 18
-rw-rw-rw-   1 guest    other        120 Jun 28 07:38 data
-rw-rw-rw-   1 guest    other       6528 Jun 28 07:38 junk
-rw-r--r--   1 guest    other        636 Jun 28 07:39 list
#

(The chown command lines and the listings that follow them are not recoverable from this preview.)

The chown command supports a recursive command-line argument, -R.

The chgrp command changes the group of a file. The following listings show the group of the junk file changed from staff to other, and then the group of all three files changed to other (the chgrp command lines between the listings are not recoverable from this preview):

# ls -l
total 18
-rw-rw-rw-   1 sys      staff        120 Jun 28 07:38 data
-rw-rw-rw-   1 sys      staff       6528 Jun 28 07:38 junk
-rw-r--r--   1 sys      staff        636 Jun 28 07:39 list
#
# ls -l
total 18
-rw-rw-rw-   1 sys      staff        120 Jun 28 07:38 data
-rw-rw-rw-   1 sys      other       6528 Jun 28 07:38 junk
-rw-r--r--   1 sys      staff        636 Jun 28 07:39 list
#
# ls -l
total 18
-rw-rw-rw-   1 sys      other        120 Jun 28 07:38 data
-rw-rw-rw-   1 sys      other       6528 Jun 28 07:38 junk
-rw-r--r--   1 sys      other        636 Jun 28 07:39 list
#

Like the chown command, the chgrp command supports a recursive command-line argument, -R.

Need to Know More?

Sun Microsystems, System Reference Manual, Section 4—File Formats. Available in printed form, on the Web at docs.sun.com, and from the online documentation provided with the Solaris 9 operating system.

Chapter 5
Controlling Processes