Aim

Gain knowledge and experience in how passwords are stored and permissions set in Linux.

Submission

There are three pieces of information to be submitted: the password information (/etc/shadow), group members (/etc/group) and listing of files/directories for the users. To obtain the listing, as network user run:

network@node1:~$ sudo ls -lR /home/ > /home/network/listing.txt

Then archive and compress the files into a single file called submit-ID.tgz:

network@node1:~$ sudo tar czvf submit-ID.tgz /home/network/listing.txt /etc/group /etc/shadow

Now use OpenSSL to sign the file submit-ID.tgz using SHA1 (using your key pair from Homework 2), saving the signature as sign-ID.bin.

Submit the two files submit-ID.tgz and sign-ID.bin on Moodle.

Marking

If you submit correctly and have create the files and set permissions correctly, you will get full marks for this homework. Even if there are some mistakes in your permissions on files, you can get full marks. In this homework I will not be checking all of the permissions you set in detail, nor will I be checking that you understand the password information (I will assume you do understand if you submit). However there may be questions in the exam related to these tasks.

When I receive your submissions I will verify the signature, unpack the files and then take a quick look at the three files to see the users/groups you have created and the permissions you have set.

Tasks

In a new virtnet node do the following:

1. Create at least five new users . I will refer to them as U1 to U5 but you should choose other, realistic usernames (e.g. using names of people in the class). Set their passwords to different values, but don't use passwords that you actually use in other systems.
2. View the password information stored for the new users in /etc/passwd and /etc/shadow. Understand the information stored. E.g. Where is the salt stored? How many bits in the salt? What hash algorithm is used? Which file stores the hash? Hint: look in the man pages for passwd and crypt.
3. Create three new groups named allstaff, prog (short for programmers) and mgmt (short for management). Four users are staff members, of those four staff members: two users are programmers only, one user is a manager only and one user is both programmer and manager. The 5th user is not in another of the three groups.
4. Inside their home directory, each programmer has a directory called code (for source code) and a directory called documents (for documentation). Inside the code directory are several source code files, as well as one application called myapp. Each manager has a directory called documents and a directory called finance (for financial information). Each user also has a file called schedule.txt in their home directory. Create the directories and create some example files in each. The user that is not a staff member has some files in their directory.
5. Configure access control so that:
   • All users can view each others schedules, but not other files in their home directory (except for as stated in the following).
   • All staff can view the documents of other staff.
   • Programmers can view and edit each others source code, create new files in any code directory, as well as run each others myapp.
   • Financial information (in the finance directory) is only viewable by the manager that owns the files; not by other staff.
   • If the above does not specify all requirements, then the default permissions (set when the users were created) can be used.
6. Use only the basic Linux permissions (see example commands below). Do NOT use advanced permissions such as with setfacl or getfacl.
7. Test that the access control works by logging in as each user and checking they can(not) access the specified files/directories.

Linux Commands

Create a new user called username:

network@node1:~$ sudo adduser username

Create a new group called groupname:

network@node1:~$ sudo addgroup groupname

Add a user called username to the group called groupname:

network@node1:~$ sudo adduser username groupname

Switch to another user called username:

network@node1:~$ su username

Read the manual (help) page for a command, e.g. for adduser:

network@node1:~$ man adduser

Open a text file in an editor (e.g. /etc/passwd, /etc/shadow). You can also use this to create a new file.

network@node1:~$ nano filename

Some files/operations are restricted for the admin users (including the user called network). To access these files or perform these operations, precede the command with sudo:

network@node1:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
network@node1:~$ sudo cat /etc/shadow
root: ....

Create a new directory called dir:

network@node1:~$ mkdir dir

View the contents of directories:

network@node1:~$ ls -l

Set the mode (permissions) for a file called filename (or directory):

network@node1:~$ chmod mode filename

where mode is formatted as: SubjectOperationPermission. Subject includes: u, g, o, a. Operation includes: +, -, =. Permission includes: r, w, x. E.g.

• chmod u+r filename
• chmod go-rx filename
• chmod a+rw dirname

Change the user owner and group owner of a file (or directory) to be user username and group groupname:

network@node1:~$ chown username.groupname filename

For example:

network@node1:~$ ls -l abc.txt
-rw-rw-r-- 1 sgordon sgordon 428 Sep 20 16:37 abc.txt
network@node1:~$ chown sgordon.faculty abc.txt
network@node1:~$ ls -l abc.txt
-rw-rw-r-- 1 sgordon faculty 428 Sep 20 16:37 abc.txt

An example from last year (which was a similar task) is described in detail here.