Unix for Busy People - Users, superusers, groups, su and sudo

From Public wiki of Kevin P. Inscoe

Users, superusers, groups, su and sudo

Users

In order to log in to a unix system you must have an account. Accounts are used to control access to the unix system. Normally each individual has their own login id (commonly referred to as an account). When you login to the unix system you are prompted for your login id (commonly referred to as a user id) and this username (or "login") becomes your user throughout your entire session. It is possible to become another user without logging out of your current session but we will talk about that further down.

Groups

Users in the unix system are organized by groups. The intent was to allow multiple users on the system to share resources while maintaining some security and access control. Generally members of the same group can be allowed to access other group members files or in some cases control group members processes. It is possible for a user to be a member of more than one group.

UIDs and GIDs

Each user is assigned a user and group identifier. While a user can be a member of several groups, there is only ever one user identifier (UID). Each group also has its own group identifier (GID).

User accounts and their corresponding UID are stored in the file /etc/passwd. Group identifiers (GID) are stored in the file /etc/group.

The UID and GID numbers must be stored in the octal (base-8) number system, using the digits 0-7.

Who am I

With apologies to Admiral Stockdale.

The whoami command shows you who you are logged in as.

$ whoami

kinscoe

For shell scripting the USER environment variable also shows your login account name (user id):

$ env | grep -i user

USER=kinscoe

We will talk about shell scripting in a future class.

What groups do I belong to?

You can determine what your current group membership is using the command id.

$ id 
uid=101(kinscoe) gid=10(staff)

The groups command shows all the groups you're a member of.

$ groups

staff mysql wheel class

But let's say we now want to work with a different default group because we are working on a different project whose files are accessible by group only. We can use the newgrp command to start a new shell with the default group we want. For instance, let's say I want to become a default member of the class group:

$ id
uid=101(kinscoe) gid=10(staff)
$ newgrp class
$ id
uid=101(kinscoe) gid=1020(class)

Remember to always exit out of new shells we create when we are done with them.

$ exit
exit

Who is logged in?

There are several commands to show you who is logged into the system: the w, who, users and finger commands will all do this.

The "w" command is the usual command used for this. It tells us just about everything we might possibly want to know about other users currently on the system:

$ w
 8:49am  up 62 day(s), 19:32,  3 users,  load average: 0.02, 0.01, 0.00
User     tty           login@  idle   JCPU   PCPU  what
kinscoe  pts/2         8:39am     6                -bash
kinscoe  pts/3         8:45am                      w
slindsay pts/4         8:49am                      -sh

The "who" command is similar but with less information:

$ who

kinscoe pts/2 Apr 12 08:39 (10.88.75.6)
kinscoe pts/3 Apr 12 08:45 (10.88.75.6)
slindsay pts/4 Apr 12 08:49 (10.88.75.6)

However, sometimes less is more: who prints less, but what it does print is more useful, such as the IP address each user has logged in from.

The users command is even simpler and to the point:

$ users

kinscoe kinscoe slindsay

Users is often the command used in shell scripts for this purpose because of its very simple output.

And finally we have the finger command, a very old leftover from the BSD world.

$ finger
Login       Name               TTY         Idle    When    Where
kinscoe  Kevin P. Inscoe       pts/2         12 Mon 08:39  10.88.75.6          
kinscoe  Kevin P. Inscoe       pts/3            Mon 08:45  10.88.75.6          
slindsay Shane_Lindsay         pts/4          7 Mon 08:49  10.88.75.6    

Finger, like the who command, tells you essentially the same information; however, it has one additional feature: you can finger individual accounts to see when they last logged in, whether they receive email on the unix system, and the last time they checked their email (some see this as an invasion of privacy, and it can be turned off at the finger server).

$ finger kinscoe
Login name: kinscoe                     In real life: Kevin P. Inscoe
Directory: /export/home/kinscoe         Shell: /bin/bash
On since Apr 12 08:39:31 on pts/2 from 10.88.75.6
14 minutes Idle Time
No unread mail
Plan:
Hello my name is Kevin Inscoe and work in Unix Engineering. 

Today is Monday, April 12 and I am WFH today.

My web site is at http://kinscoe.hmhpub.com

Have a nice day! :-)


Login name: kinscoe                     In real life: Kevin P. Inscoe
Directory: /export/home/kinscoe         Shell: /bin/bash
On since Apr 12 08:45:38 on pts/3 from 10.88.75.6

Finger in its day (early-80's to mid-90's) was much like the world wide web is now. I can remember updating my finger .plan file daily with witty sayings and quotes, much like web sites are now. I should note that for various reasons finger is not normally installed on Linux systems but still comes shipped on Solaris systems even today in OpenSolaris. So have fun with it.

Superusers

In order to maintain any system you must have an account which has "super powers" over all other accounts, and in unix this is known as "root". Actually any account having a UID of 0 would be like root, but it's a bad idea to have more than one account with the same UID (and it just won't work in Solaris and Linux). In that case it is possible to have an account like root, as far as file permissions go, by making it a member of GID 1.
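As an added worked example (not from the original page), the following shell script does by hand what the id and groups commands shown earlier do, reading constructed copies of /etc/passwd and /etc/group rather than a real system's files, and then checks the passwd file for a second UID 0 account, which the paragraph above warns against. The logins and numbers are the ones on this page; the "toor" entry is constructed to trigger the check.

```shell
#!/bin/sh
# Added example (not from the page): resolve a login against constructed copies
# of /etc/passwd and /etc/group the way id(1) and groups(1) do, then audit the
# passwd file for extra UID 0 accounts. All sample data below is constructed.
PASSWD=$(mktemp); GROUP=$(mktemp)
trap 'rm -f "$PASSWD" "$GROUP"' EXIT
cat >"$PASSWD" <<'EOF'
root:x:0:0:Super-User:/root:/bin/sh
kinscoe:x:101:10:Kevin P. Inscoe:/export/home/kinscoe:/bin/bash
slindsay:x:1007:1020:Shane Lindsay:/export/home/slindsay:/bin/sh
toor:x:0:1:second UID 0 account (constructed):/:/bin/sh
EOF
cat >"$GROUP" <<'EOF'
root::0:
other::1:
staff::10:
mysql::27:kinscoe
wheel::15:kinscoe
class::1020:kinscoe
EOF
# gid_name GID -> group name (field 1 of the group line whose field 3 is GID)
gid_name() {
    awk -F: -v g="$1" '$3 == g { print $1; exit }' "$GROUP"
}

# id_line LOGIN -> "uid=N(login) gid=M(group)", the same shape id prints
id_line() {
    fields=$(awk -F: -v u="$1" '$1 == u { print $3, $4; exit }' "$PASSWD")
    [ -n "$fields" ] || return 1          # unknown login
    set -- "$1" $fields                   # $2 = uid, $3 = primary gid
    printf 'uid=%s(%s) gid=%s(%s)\n' "$2" "$1" "$3" "$(gid_name "$3")"
}

# groups_of LOGIN -> primary group first, then every group whose member list
# (field 4 of /etc/group) names the login, in group-file order
groups_of() {
    pg=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$PASSWD")
    awk -F: -v u="$1" -v pg="$pg" '
        $3 == pg { primary = $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) extra = extra " " $1 }
        END { print primary extra }' "$GROUP"
}

# uid0_extras -> every login other than root that shares UID 0 with root
uid0_extras() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD"
}

id_line kinscoe; groups_of kinscoe; id_line slindsay; uid0_extras
```

Run against the real files by pointing PASSWD and GROUP at /etc/passwd and /etc/group; a non-empty result from uid0_extras is what an auditor would want to see explained.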

Becoming a superuser

The su command is the standard way of becoming the root user, although you can log in directly to the account if you know the password (don't ask haha). For security the root account is often disabled for logins from anywhere but the system console. Most installations require the use of the su command for auditing purposes. It should be noted that if you are root, or if you know the password of another account, it is possible to su to another account, not just root, from your account.

$ su -
Password: 
-----------------------------------------
Welcome to the Unix for Busy People
Solaris lab server.

Questions? You can reach Kevin Inscoe
at 407-345-2569 or email after hours
at kevin@inscoe.org
-----------------------------------------

Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008

# id
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),
8(lp),9(nuucp),12(daemon)

It should be noted that the root prompt is typically "#" and the non-privileged user's prompt is usually "$" however that is convention and often many folks customize their prompts (particularly on Linux) so that is not always true. However for the purposes of documentation I always show the prompt as "$" for users and "#" for root commands.

$ su - slindsay
Password: 
-----------------------------------------
Welcome to the Unix for Busy People
Solaris lab server.

Questions? You can reach Kevin Inscoe
at 407-345-2569 or email after hours
at kevin@inscoe.org
-----------------------------------------

Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008

$ id
uid=1007(slindsay) gid=1020(class)

Sudo

Sudo is a third party command that is not installed by default on most unix systems, except on many Linux distributions. However, it is widely used at HMH to control access to certain commands or accounts. Sudo reads a file controlled by the root account that dictates what commands, and as what accounts, a given login can execute. The command takes the form of:

$ sudo <command>

Here are some examples:

$ sudo -u root id
uid=0(root) gid=0(root)
$ sudo -u slindsay id
uid=1007(slindsay) gid=1020(class)

The sudo command assumes you wish to run the command as root by default unless you use the -u option. It will also by default (and as configured here at HMH) ask you for your own login password before executing the command, on the off chance you left your seat and someone unscrupulous is now sitting at your computer trying to use your still-logged-in account.

Some examples of legitimate and illegitimate requests:

$ sudo ls -l /                                                            
total 426
lrwxrwxrwx   1 root     root           9 Dec 17 10:29 bin -> ./usr/bin
drwxr-xr-x   6 root     sys            7 Dec 17 10:29 boot
drwxr-xr-x   2 root     root           4 Dec 17 05:04 cdrom
drwxr-xr-x 276 root     sys          276 Feb  8 12:17 dev
drwxr-xr-x  10 root     sys           10 Feb  8 12:17 devices
drwxr-xr-x  86 root     sys          235 Apr 12 09:17 etc
drwxr-xr-x   4 root     root           4 Jan 11 12:55 export
dr-xr-xr-x   1 root     root           1 Feb  8 12:18 home
drwxr-xr-x  19 root     sys           20 Dec 17 10:13 kernel
...

$ sudo rm file.x                                                          
Sorry, user slindsay is not allowed to execute '/usr/bin/rm file.x' as root on kinscoe-solaris.

$ sudo ls                                                                 

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: 
slindsay is not in the sudoers file.  This incident will be reported.
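Added example, not part of the original page: a fragment of the root-controlled file that sudo reads (/etc/sudoers, always edited with visudo) which would produce the responses shown above. The host name kinscoe-solaris and the login slindsay come from the page; the log file path and the password timeout are assumptions.

```text
# /etc/sudoers fragment (added example, assumptions noted in comments)

# Keep an audit trail of every sudo request, granted or refused.
# The path is an assumption; sudo also logs via syslog by default.
Defaults    logfile=/var/log/sudo.log

# Re-prompt for the user's own password after 5 minutes, so an unattended
# session cannot keep using a cached authentication for long (assumed value).
Defaults    timestamp_timeout=5

# slindsay may run ls as root on this host after entering his own password.
# Any other command, such as rm, is not listed, which gives:
#   Sorry, user slindsay is not allowed to execute '/usr/bin/rm file.x' as root on kinscoe-solaris.
slindsay    kinscoe-solaris = (root) /usr/bin/ls

# A login with no entry here at all gets the lecture followed by
#   <login> is not in the sudoers file.  This incident will be reported.
```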

Further reading: http://docstore.mik.ua/orelly/networking/puis/ch04_01.htm

http://oreilly.com/catalog/9780596003234