Aim

Gain knowledge and experience in how passwords are stored and permissions set in Linux.

Tasks

In a new virtnet node do the following:

1. Create at least three new users. I will refer to them as U1, U2 and U3, but you should choose other, realistic usernames. Set their passwords to different values, but don't use passwords that you actually use in other systems.
2. View the password information stored for the new users in /etc/passwd and /etc/shadow. Understand the information stored. E.g. Where is the salt stored? How many bits in the salt? What hash algorithm is used? Which file stores the hash?
3. Create at least one new group, where at least two users are in that group, and at least one user is not in that group. I will refer to the group as G1 but you should choose a realistic group name.
4. Create some directories and files inside each users home.
5. Configure access control so that:
   • No other user can access U1's files or directories
   • U2 has a directory that all members of G1 can view and create files in. Other files and directories of U2 are not accessible by other users.
   • All users can view U3's files.
   • If the above does not specify all requirements, then the default permissions (set when the users were created) can be used.
6. Test that the access control works by logging in as each user and checking they can(not) access the specified files/directories.

Submission

There are three pieces of information to be submitted: the password information (/etc/shadow), group members (/etc/group) and listing of files/directories for the users. To obtain the listing, as network user run:

network@node1:~$ sudo ls -lR /home/U1 /home/U2 /home/U3 > ~/listing.txt

Then archive and compress the files into a single file called submit-ID.tgz:

network@node1:~$ sudo tar czvf submit-ID.tgz listing.txt /etc/group /etc/shadow

Now use OpenSSL to sign the file submit-ID.tgz using SHA1 (using your key pair from Homework 1), saving the signature as sign-ID.bin.

Submit the two files submit-ID.tgz and sign-ID.bin on Moodle.

Marking

If you submit correctly and have create the files and set permissions correctly, you will get full marks for this homework. Even if there are some mistakes in your permissions on files, you can get full marks. In this homework I will not be checking all of the permissions you set in detail, nor will I be checking that you understand the password information (I will assume you do understand if you submit). However there may be questions in the exam related to these tasks.

When I receive your submissions I will verify the signature, unpack the files and then take a quick look at the three files to see the users/groups you have created and the permissions you have set.

Linux Commands

Create a new user called username:

network@node1:~$ sudo adduser username

Create a new group called groupname:

network@node1:~$ sudo addgroup groupname

Add a user called username to the group called groupname:

network@node1:~$ sudo adduser username groupname

Open a text file in an editor (e.g. /etc/passwd, /etc/shadow). You can also use this to create a new file.

network@node1:~$ nano filename

Some files/operations are restricted for the admin users (including the user called network). To access these files or perform these operations, precede the command with sudo:

network@node1:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
network@node1:~$ sudo cat /etc/shadow
root: ....

Create a new directory called dir:

network@node1:~$ mkdir dir

View the contents of directories:

network@node1:~$ ls -l

Set the mode (permissions) for a file called filename (or directory):

network@node1:~$ chmod mode filename

where mode is formatted as: SubjectOperationPermission. Subject includes: u, g, o, a. Operation includes: +, -, =. Permission includes: r, w, x. E.g.

• chmod u+r filename
• chmod go-rx filename
• chmod a+rw dirname

Change the user owner and group owner of a file (or directory) to be user username and group groupname:

network@node1:~$ chown username.groupname filename

For example:

network@node1:~$ ls -l abc.txt
-rw-rw-r-- 1 sgordon sgordon 428 Sep 20 16:37 abc.txt
network@node1:~$ chown sgordon.faculty abc.txt
network@node1:~$ ls -l abc.txt
-rw-rw-r-- 1 sgordon faculty 428 Sep 20 16:37 abc.txt

Feedback

I've written up a detailed example of one approach of solving this homework. With grading, I generally gave full marks, even if there were some mistakes in the permissions. You may have lost some marks because of either:

• signature verification failed (check that the public/key pair you are using is correct; the public key of yours that I used is listed here)
• you didn't change the ownership of a directory to be owned by a group
• you didn't create any/enough files/directories such that you could have tested the permissions
• or a few other items that you can see in your individual feedback.

A listing of all submissions, including password information from /etc/shadow, group names from /etc/group and listings.txt, as well as some of my comments (SGCOMMENT) is available here. I hope you didn't use any valuable passwords!