36 System Hardening – Introduction to Linux User and Group Management

Up to this point, learners used Linux to implement specific functions.  This lesson will focus on user, group, and password management within the Linux environment. Learners will see how a hacker can manipulate users and groups to elevate their privileges and install persistence (notional accounts).

Learning Objectives

• Manually be able to create and securely configure new user accounts
• Understand the concept of groups in Linux operating systems
• Define password policies for local systems

Prerequisites

• Chapter 11 – Create an Ubuntu Desktop

Deliverables

• Screenshot of /etc/passwd file showing new users
• Screenshot of /etc/group file showing AccountingDep group

Resources

• Ubuntu Server Documentation – User management – https://ubuntu.com/server/docs/user-management

Contributors and Testers

• Evan Paddock, Cybersecurity Student, ERAU-Prescott

1. Start an Ubuntu virtual machine and login as your primary user

   NOTE: In this chapter, my main user account is named rogue. Anytime you see this, remember to adjust as necessary with your own username.

2. Ensure that your primary user account has administrative privileges by checking if it is a part of the sudoers  group

   > groups | grep “sudo”

   

   NOTE: If the machine was downloaded through VirtualBox with untended installation, the default user typically does not have root privileges . You can test this by executing any command prefixed with sudo.

   

   The above error message shows that this user is not an administrator. If this is the case for you, continue reading; otherwise, continue to step 3.

   Login to the root system account by executing the “substitute user” (su) binary without any arguments.

   > su

   Add your primary account to Sudoers and reboot the machine.

   > adduser rogue sudo

   > reboot

   Login again to your user account and verify that the command executed successfully!

   

3. Simulate the admission of someone to the system by creating a new user account (Figure 4)

   NOTE: Replace the string johndoe with any username of your choice. In this example, we are temporarily disabling the account by not setting the password. Any other information requested, such as full name and phone numbers, can be filled in as needed or left to their defaults by pressing Enter.

   > sudo adduser johndoe –disabled-login

   1. When a new account is created, a new directory is created in /home
   2. By looking at the directory permissions, we can see that the only accounts that can view its contents are root and the new user themselves

      > ls -l /home

      

4. Open the /etc/passwd file to view basic information about all the accounts on the system

   > cat /etc/passwd

   NOTE: This file is owned by root, meaning that no other user user can edit it without sudo permissions. Entries in this file are divided into seven fields, each separated by a semicolon.

   

   Field Value	Description
   johndoe	The username string for this account.
   x	Hashed password (relocated to /etc/shadow).
   1001	User identification number (UID). This  must be unique for every account.
   1001	Group identification number (GID). Every user has their own group, which this number represents. This must be unique for every group.
   John Doe…4321	GECOS fields. This is optional information about the user such as their full name and phone number.
   /home/johndoe	Location of the user’s home directory on the system.
   /bin/bash	The default shell for the user.

5. Deleting an account is just as trivial as creating one
   1. To illustrate this, add a new user on the system: Jane Doe (Figure 7)

      > sudo adduser janedoe –gecos “Jane Doe” –uid 1234

      Switch	Description
      –gecos	Specify additional user information such as full name and phone numbers.
      –uid	Manually assign a unique UID for the user.

   2. In /etc/passwd, verify that the account was successfully created with the correct UID value that we assigned
      

      

   3. Switch to this account

      > su janedoe

      1. This user’s limited privileges makes it impossible to view the contents of John Doe’s home directory

         > cd /home/johndoe

         

      2. Now that we know our home directory is safe from intruders, create a new file in containing Jane Doe’s password so she doesn’t forget

         > cd ~

         > echo “super secret: my password is janedoe123” > do_not_touch.txt

         

      3. Exit the session

         > exit

   4. Terminate this user

      > sudo deluser janedoe

6. What happens if another user has the same UID as someone who was previously deleted?
   1. Add another user on the system – Juan Perez – with the same UID value as Jane Doe (1234)
      

      > sudo adduser juanperez –gecos “Juan Perez” –uid 1234

   2. Login as Juan and list contents of  the /home directory
      

      

      Notice anything interesting? It looks like Jane Doe’s home directory is still there despite her account having been deleted. In addition, the owner of that file is now our new user Juan Perez.

   3. Change to Jane Doe’s directory and try to open the “super secret” file created earlier
      

      

      Oops! Looks like Juan now has access to all of Jane’s files including her not-so-secure password file. Home folders are persistent, even when the owner’s account is deleted. Therefore, any new user with same UID/GID as a deleted user will have access to these files. Since this can be an obvious breach in security, system administrators should either deleted or relocated home directories of terminated users as well as change permissions to solely root.

      The following commands can remedy this situation:

      Command to delete a user including their home directory:

      > deluser username –remove-home

      Command to delete a user and purge all their files:

      > deluser username –remove-all-files

1. Switch to the root user
   1. Open /etc/shadow and search for your personal account

      > grep “rogue” /etc/shadow

   2. . Each row in this file is divided into nine sections, each separated by a colon
      

      

      Field #	Description
      1	Account username.
      2	Hashed and salted passwords.
      3	Time since the account’s password was last changed.
      4	Minimum password age.
      5	Maximum password age.
      6	Warning period before password expires.
      7	Period of inactivity since thee user last logged in.
      8	Password expiration date.
      9	Unused field.

2. Since the first account created was initialized with the disabled-login switch, no password was set, and thus it cannot be logged into
   1. Open shadow and search for John Doe’s account

      > grep “johndoe” /etc/shadow

      

      You will notice that there is a bang (!) in place of a password hash in the second field. In Linux, there are four symbols other than a password hash that a system admin may encounter: a single bang (!) represents that the account is locked; a double bang (!!) represents that no password was given during account creation; an asterisk (*) represents that password authentication has been disabled; and finally, a blank field means that no password is required to login to the account.

      NOTE: Even if an account has a disabled password, it can still be accessed via other means of authentication such as SSH keys.

   2. Enable John Doe’s account by assigning it a password

      > passwd johndoe

      

      NOTE: Notice how the bang (!) in John Doe’s Shadow entry was replaced with a hash string.

   3. Verify this was successful by logging into the account (Figure 16)

1. Still signed into root, check John Doe’s password management status

   > passwd -S johndoe

   

   The output of this command it spit into seven fields separated by spaces: username, password status, date of last password change, minimum password age, maximum password age, warning period, and inactivity period.

2. Make the following adjustments to John Doe’s account
   1. Change the minimum number of days between password resets

      > passwd –mindays 5 johndoe

      NOTE: Entering zero (0) indicates that there is no restriction as to when the user may change their password.

   2. Change the maximum password age before it must be changed again

      > passwd –maxdays 30 johndoe

   3. Change the number of days before password expiration that the user will be notified to reset their password

      > passwd –warndays 3 johndoe

   4. Manually expire John Doe’s password to force them to reset it the next time they login

      > passwd –expire johndoe

   5. If the user is inactive for a predetermined threshold of days, it is good practice to disable the account until they return

      > passwd –inactive 7 johndoe

3. Re-check the status of John Doe’s account to verify that these specifications went into effect

   > passwd -S johndoe

   

1. Login as root
2. Add two new users to the machine – Jerry Jones (jerryjones) and Mary Smith (marysmith)
3. Create a new group called AccountingDept

   > groupadd AccountingDept

   NOTE: You can also delete groups with the following command:

   > delgroup <groupname>

   However, be aware that the same problem as discussed in Phase I, Step 6 arises when two groups share the same Group ID (GID). Ensure that all files related to the group you are deleting are cleaned up.

   1. If successfully created, the group name will be added as an entry in the file /etc/group
      

      

   2. Add both newly created users to the group

      > usermod -aG AccountingDept jerryjones

      > usermod -aG AccountingDept marysmith

   3. Looking at /etc/group again, we can see that its new members are now listed
      

      

4. Navigate to the /home directory and make a new folder called Accounting_Files
   

   > mkdir /home/Accounting_Files

   1. View the default permissions of this directory to see that it is owned by the root account and group

      > ls -ld /home/Accounting_Files

      

   2. Modify the permissions so that it is owned by the AccountingDept group

      > chgrp AccountingDept /home/Accounting_Files

   3. Verify these changes went into effect
      

      

5. Switch to an account that’s a member of AccountingDept (either Jerry or Mary)
   1. Try to create a file in the Accounting_Files directory

      > touch /home/Accounting_Files/important_document.txt

      

      The group owns this directory but users in that group can’t write to the directory. This is where permission management comes in!

1. Modify the Accounting_File to grant the AccountingDept group write permissions

   > chmod g=rwx /home/Accounting_Files

   NOTE: The chmod command has two different ways to edit permissions. One is symbolic which is used above. In symbolic u represents user owner of the file, g represents group owner of the file, and o represents others. Similarly, r is read, w is write, and x is execute. A + will add the permissions, a – will take away the permissions, and a = will set the permissions to whatever you specified. The other way of editing permissions with chmod is using numbers. In the numbered mode, a 1 is execute, a 2 is write, and a 4 is read. Adding them up will signal different permissions. For example, 5 would be execute and read permission. When using chmod in numbered mode, the first number is the file owner, the second number is the group owner, and the last number is other users. So using chmod 750 would give the owner all permissions, the group read and execute permissions, and other users no permissions.

   1. Verify that the permissions were updated
      

      

2. Again, switch to an account that’s a member of AccountingDept (either Jerry or Mary)
   1. Try to create a file in the Accounting_Files directory

      > touch /home/Accounting_Files/important_document.txt

   2. Verify that it was successfully created
      

      

      Notice how, although it was successfully created, the file permissions still default to the account that created it: Jerry Jones. Because of this, other AccountingDept users will be unable to write to this file. In order to facilitate cooperation we need files in the directory to be assigned to the same group.

3. As root, set the special SGID permission on the directory

   > chmod g+s /home/Accounting_Files

   NOTE: To check if the permission was set properly, you should see an s instead of an x in the group segment of the file permissions.

4. Now login in as the other user that’s part of the group and create a new file

   > touch /home/Accounting_Files/marys_file.txt

   1. Check the owner and group of the two files
      

      

      NOTE: Notice how after we applied the SGID permission, the file created inherited the group of the directory.

End of Lab

Figures for Printed Copy