ITS 2320 - Linux II

Week 11, Chapter 7, Administering the System, part 2

Objectives:

This lesson discusses several features that all administrators should be able to manage and maintain. Objectives important to this lesson:

  1. Users and groups
  2. Email
  3. Logs and journals
  4. System time
Concepts:

We stopped last week after discussing the first two fields in the /etc/shadow file. There are up to nine fields in this file, but in most records several fields can be blank.

  1. User account name
  2. A salted, hashed password is expected.
    A ! or !! alone indicates the user has no password.
    Also, if the field holds a ! or a *, the user cannot log in.
    If there is a ! preceding the password, that means the account is locked.
  3. Date the password was last changed, expressed in Unix Epoch Time, but as the number of days instead of seconds.
  4. Number of days a password must age before it can be changed again.
  5. Number of days remaining until password expiration.
  6. The number of days before password expiration that the user is given a warning about the upcoming expiration.
  7. Number of days after password expiration that the associated account will be deactivated unless the password is changed.
  8. Date the account will expire, if set, expressed in Unix Epoch Time (days).
  9. Field reserved for future use.

The text cautions us to refer to the default settings for users before using the useradd command, which is demonstrated briefly. Several options for the command are listed in table 7.5. Table 7.6 displays several options for the passwd command, such as removing a user's password.It also demonstrates removing a user account with the userdel command. Note that the text uses the -r switch, which removes not only the user but the user's home directory as well as that folder's contents.

The text also demonstrates the use of the chage command, which can display the time related settings for a user's account in an understandable manner. Check age = chage?

use chage to see expiration data

Note that the switch used is a lower case "ell", not a one. In this case, my password on my CentOS system does not have to change, does not expire, and need not age before I can change it. A little risky, isn't it? Also, note that you need to use sudo with the command, unless you are logged in as the root user.

Note listing 7.15, which shows using the usermod command to lock out a user (-L), using passwd and getent to confirm the lock, and using the usermod -U option to unlock the account.

The text changes its topic to talk about managing group membership for a user. This is a listing of one of the text's code examples:

getent example for groups

In the listing above, the author first gets the entry for DAdams from the passwd file. It shows that the default group ID and the user ID have the same number. Not much help, since that can happen. The use of the groups command is more help, but you may not realize it. The groups command is given a username as its argument, and we see that the default group this user belongs to has his name as well. This happens when a real group is not assigned when the user is created. A group named after the user is created and the user is assigned to it. The other two commands are less revealing.

The author then creates a new group with the groupadd command, using the -g switch, a specific GID, and a specific group name. This is followed by a getent command to read the entry for the Project42 group from the group file, and a grep command which does the same thing, but it shows us that the group file is /etc/group. We are told that if groups have passwords, they will be stored in encrypted form in the /etc/gshadow file.

Along the way, we learn that the group file has four fields:

  1. group name
  2. group password placeholder (an x means there is an encrypted password in the /etc/gshadow file)
  3. GID (group ID)
  4. list of members

A lot of this is covered in the video I gave you last week from Eli the Computer Guy. Review it for some things you can do in another window while watching him.

The chapter goes on to talk about email. It begins with a primer about email in Linux. The author explains that Linux wants us to use modules for each major function of email, such that they can interact properly regardless of the choices the administrator makes in selecting each module. Figure 7.2 illustrates the major functions:

  • a Mail Transfer Agent (MTA) communicates with other MTAs (post offices) on other systems, sending email to them and receiving email from them. It also communicates with the MDA to give it incoming mail.
  • a Mail Delivery Agent (MDA) delivers mail to users by placing it in the local mail database; this is like a postal carrier taking the mail to various addresses
  • a Mail User Agent (MUA) is poorly named since there is no verb in that string. It is the agent that allows user to view their mail queues.
  • the text does not list it in the bullet points, but the diagram makes it clear that there must be a mail database, or the whole thing fails

The text discusses some commonly used products in the MTA category: Sendmail, Postfix, and Exim. It also discusses an MDA component called mail or binmail. Most of this discussion is tediously text oriented, considering the GUI capable most of us have used in email products on Windows and Linux machines.

The next major topic is system logs that an administrator needs to know about. This link will take you to an article about log files, and the associated video for the article appears below.


.


Week 11 Assignments

  • Project 3: This is due before class in week 12.