others-prepare for cks exam with me 1: Linux user and group management

1. Purpose

From this post, I would write a series of posts about preparing for the CKS (Certified Kubernetes Security Specialist) exam. I would write my own notes about the exam, and you can refer to these articles to prepare your own.

List of the series of posts:

-prepare for cks exam with me 1: Linux user and group management

-prepare for cks exam with me 2: Linux ssh hardening

-prepare for cks exam with me 3: Linux remove obsolete packages and services

-prepare for cks exam with me 4: Linux kernal hardening

-prepare for cks exam with me 5: Linux UFW(Uncomplicated firewall)

-prepare for cks exam with me 6: Seccomp in Linux, Docker and Kubernetes

-prepare for cks exam with me 7: Apparmor in Linux, Docker and Kubernetes

-prepare for cks exam with me 8: Security context in Kubernetes

-prepare for cks exam with me 9: Admission controllers in Kubernetes

-prepare for cks exam with me 10: Pod security policy in Kubernetes

-prepare for cks exam with me 11: Open policy agent in Kubernetes

-prepare for cks exam with me 12: Secrets in Kubernetes

-prepare for cks exam with me 13: Container runtimes(gvisor/kata containers) in Kubernetes

-prepare for cks exam with me 14: Container Image security in Docker and Kubernetes

2. Environment

3. The linux user/group management

3.1 Linux user types

There are four types of user accounts in Linux Systems.

  • Normal User Account which is normally created by root users.
  • Root super user UID=0, unlimited access
  • System Account system user, created automatically by the system when the system is installed
  • Service Account service user, created when some applications are installed, such as nginx service account

3.2 Commonly used Linux user management commands

id #look at user id/group id, etc.
who #See users who are online at the same time
last #look at recent online users

3.3 Key user management files

  • /etc/passwd #Store user’s basic information and home directory, shell and other information
  • /etc/shadow #store encrypted user password
  • /etc/group #Which users are in the user group

Let’s dig the /etc/group file:

[[email protected] boot]# cat /etc/group | head -5
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
  • Group name

  • Group password: This configuration is usually used by group administrators, and the same password is rarely stored in /etc/gshadow

  • GID: The group name corresponding to the GID used in the fourth field of /etc/passwd is the corresponding group name here

  • Other users supported by this group: If you know that a user can join multiple groups, when an account wants to join this group, fill in the account in this field.

3.4 How to disable user in linux system?

Modify user permissions to not allow login:

usermod -s /bin/nologin xxxuser

3.5 Add user to a group and remove a user from a group

Add user to a group:

usermod -a -G xxxGroup xxxUser

Remove users from a group:

deluser bob admingroup

3.6 Create user and delete user

Create user:

useradd xxx

Delete user:

userdel xxx

Set password for user:

passwd xxx

3.7 Set user id/group id/home directory etc.

$ vi /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

There are five lines of code above, there are seven or seven paragraphs in each line, separated by:, Let’s talk about the meaning of each paragraph! They are user name, password, UID, GID, user description information, home directory, and default shell. Let’s talk about the detailed meaning separately below!

  • Username: This is the account we use to log in to the system, where the username corresponds to the UID

  • Password: Needless to say, but here is an X, to prevent it from being stolen, put it in another file /etc/shadow

  • UID: Corresponds to our username, the host can identify our username through this

  • GID: As we said in the previous blog, each user corresponds to a user group. The GID here identifies the group name, in another file /etc/group

  • User description information: There is no important purpose, just to explain the meaning of this account

  • Home Directory: The user’s home directory. Take the above as an example, root’s home directory is in /root, so when root logs in, it will immediately go to the /root directory

  • Default shell: When the user logs in to the system, a Shell will be obtained to communicate with the core of the system to perform user operation tasks

You can then edit the file to change his(her) user id/group id/home directory etc.

3.8 Manage user groups

You can use the following commands to manage groups.

groupadd, groupmod, groupdel

4. The theory about Linux User/Group Management

Linux is a multi-user and multi-task operating system. In other words, the Linux system supports multiple users logging in at the same time, and different users can perform different tasks without affecting each other.

For example, there are 4 users on a Linux server, namely root, www, ftp, and mysql. At the same time, the root user may be viewing system logs, managing and maintaining the system; www users may be modifying their own web programs; ftp The user may be uploading software to the server; the mysql user may be executing his own SQL query, each user does not interfere with each other, and conducts his own work in an orderly manner. At the same time, unauthorized access is not allowed between each user. For example, the www user cannot execute SQL query operations of the mysql user, and the ftp user cannot modify the web program of the www user.

Different users have independent permissions, and each user completes different tasks within the scope of permissions. It is through this division and management of permissions that Linux realizes a multi-user and multi-task operation mechanism.

Therefore, if you want to use the resources of the Linux system, you must apply for an account from the system administrator, and then enter the system through this account (account and user are the same concept). By establishing users with different attributes, on the one hand, system resources can be reasonably used and controlled, and on the other hand, users can organize files and provide security protection for user files.

Each user has a unique user name and password. When logging in to the system, only the correct user name and password can enter the system and your home directory.

A user group is a logical collection of users with the same characteristics. Simple understanding, sometimes we need to allow multiple users to have the same permissions, such as viewing and modifying a file. One way is to authorize file access for multiple users separately. If there are 10 users, authorization is required. 10 times, what if there are 100, 1000 or more users?

Obviously, this method is not reasonable. The best way is to create a group, let this group have the permission to view and modify this file, and then put all users who need to access this file into this group. Then, all users have the same permissions as the group, which is the user group.

截屏2021-05-25 10.21.00

Grouping users is a way to manage users and control access rights in the Linux system. By defining user groups, many programs simplify the management of users. The relationship between Linux users and groups There are four types of correspondence between users and user groups:

  • One-to-one: A user can exist in a group and is the only member of the group;
  • One-to-many: A user can exist in multiple user groups, and this user has the common permissions of these multiple groups;
  • Many-to-one: Multiple users can exist in a group, and these users have the same permissions as the group;
  • Many-to-many: Multiple users can exist in multiple groups, which is an extension of the above three relationships.

5. Summary

In this post, I write some commands to to the user/group management in linux systems, especially the commands that secure the user/groups in linux.

-->