Saturday, May 16, 2015

Linux - User Account Management, Part II

In my post titled, "Linux - User Account Management, Part I," I talked about how to check a user's account for expiration.  I set a user account to expire on 5/15/2015.  It is now 5/16/2015.  The user account has expired.  When I attempt to log into this account, it shows as expired:
ron@slackbox:~$ su nor
Password:
Your login has expired.  Contact the system administrator.
To re-enable the account, I will use either of the following commands:
usermod -e yyyy-mm-dd username
chage -E yyyy-mm-dd username 
When running the chage command, there's no message or prompt after execution. I'm able to log back in without issue.

Next, we'll learn how to set the number of days until a password change is required.  We'll set the password to expire after 30 days:
ron@slackbox:~$ sudo chage -M 30 nor
ron@slackbox:~$
ron@slackbox:~$ sudo chage -l nor
Last password change                                 : May 10, 2015
Password expires                                     : Jun 09, 2015
Password inactive                                    : never
Account expires                                      : Dec 31, 2015
Minimum number of days between password change       : 0
Maximum number of days between password change       : 30
Number of days of warning before password expires    :  7  
ron@slackbox:~$
We'll check this account again after 30 days and use the 'passwd -u nor' command to re-enable the expired password at that time.



Thursday, May 14, 2015

VENOM vulnerability (CVE-2015-3456)

For those of you who have Linodes and are curious or concerned about the recent VENOM (CVE-2015-3456) vulnerability, this Linode blog entry describes the vulnerability and why Linode VPSs aren't affected.

Even if you've no Linode, it would behoove you to understand the vulnerability so that you can ask questions of your VPS provider to ensure you're not affected by this vulnerability.  And note that this vulnerability affects QEMU, which is an open-source emulator.  That means that it's free (as in source and beer) and that it'll most likely be widespread in use.  Many IT security products use virtualization, and if they're using QEMU, that's a problem; this can be as widespread an issue as Heartbleed was.

I'll be sure to post as I discover more information about this vulnerability.

Tuesday, May 12, 2015

How to configure a user to run privileged commands and how to switch user accounts...all via CLI.

How to switch users in Linux?  How to run privileged commands without having to run the command as root (or switch to the root account, which can be dangerous)?

'su' can be used to switch from a regular user to the root user.  You can check to see which user you are by using the 'whoami' command.  Or, you can tell what type of user account you're using by looking at the prompt.  The # prompt is the root account and the $ prompt is a regular user account.

You can also use sudo to run privileged commands if the system admin allows your account to run privileged commands.

One quick way to configure sudo to allow a regular user to run privileged commands is to:

Type visudo, which will open up the /etc/sudoers file using vi.  Visudo allows you to edit the file in a safe fashion. (visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors.)  You should find "# %wheel ALL=(ALL) ALL".  If you see # in front of a row, it usually means that it's been commented out.  That means the line is treated as a regular file comment/note and the rule on it is not applied.  The rule is disabled, so to enable that particular rule, remove the "#".  Save and quit the edit session by typing ":wq" which means write to file and quit the session.

Next, type 'vigr', which opens up the /etc/group file in a safe fashion for you to edit.  Find the wheel group within the file and add the account name to the group.  For example, my current wheel group within /etc/group shows the following:

wheel:x:10:root,ron,nor

I added the 'nor' user.  Type ':wq' again, which saves the edit and quits the session.

Now, when you need to run root-level commands, you don't have to use 'su -c' and enter the root password.  What happens is that you'll still be prompted for a password, but you'll type in the password associated with the regular account.  This keeps the admin from having to share out the system's root password.

Again, these are pretty basic and simple steps unless you're totally not familiar with *nix (these steps can apply to the BSDs or other Unix clones, as well).
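
The two edits above (the %wheel rule in /etc/sudoers and the member list in /etc/group) can be audited together. This is an added example, not part of the original post; the function names and the temporary sample files are constructed for illustration, and the sample member list mirrors the wheel line shown above.

```shell
#!/bin/sh
# Added example: list who gains root through an active %wheel sudoers rule.
# Limits: does not follow sudoers include directives, and misses users whose
# primary group (the gid in /etc/passwd) is wheel.

# Print uncommented %wheel rules. "# %wheel ..." has "#" as its first word.
active_wheel_rules() {
    awk '$1 == "%wheel"' "$1"
}

# Print the members in field 4 of the wheel line, one per line.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# wheel_audit SUDOERS GROUP -> one "user mode" line per non-root member.
wheel_audit() {
    rules=$(active_wheel_rules "$1")
    if [ -z "$rules" ]; then
        echo "wheel rule disabled"
        return 0
    fi
    case "$rules" in
        *NOPASSWD*) mode="sudo-without-password" ;;
        *)          mode="sudo-with-own-password" ;;
    esac
    wheel_members "$2" | while read -r user; do
        [ "$user" = root ] || echo "$user $mode"
    done
}

# Constructed copies of the two files, so nothing on the real system is read.
tmp=$(mktemp -d)
cat > "$tmp/sudoers" <<'EOF'
root ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
EOF
printf 'root:x:0:root\nwheel:x:10:root,ron,nor\n' > "$tmp/group"

wheel_audit "$tmp/sudoers" "$tmp/group"
```

On a real system, run it as root against /etc/sudoers and /etc/group and review every name it prints.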

Monday, May 11, 2015

Linux - User Account Management, Part I

I've never administered user accounts in Linux.  I know Linux but I'd be lying if I said I knew every facet of it.  I've created accounts and actually gave a fellow Linux user access to my machine once (checking the logs from time to time just to ensure he wasn't doing things he wasn't supposed to do), but I'd never made an account that had an expiration date (nor a password that had an expiration date).  So, yesterday, I created a test account that had an account expiration of May 15, 2015.  I want to be able to unexpire the account once it has expired.

I referenced some commands that would allow me to monitor a user account's status.  'chage' is one of those commands:
ron@slackbox:~$ sudo chage -l nor
Password:
Last password change                                    : May 10, 2015
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : May 15, 2015
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
I'd use the 'usermod' or 'chage' commands to change the expiration date (using sudo):
usermod -e yyyy-mm-dd username
chage -E yyyy-mm-dd username 
I'll use the above commands in a few days just to test.

To check if the password has expired, use the following:
grep 'username' /etc/shadow
The following command would re-enable an expired password:
passwd -u username
I encourage you to read the chage and passwd manual pages for further insight on how to use these two commands.

I know these are simple commands and the process itself is simple, but again, I've never done this before and wanted to share what I've learned...someone out there will learn from my experience.
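
The grep on /etc/shadow returns a colon-separated line whose aging fields hold the same values chage -l prints in both Part I and Part II. The script below reads those fields and reports the state of the entry. It is an added example, not part of the original posts; the function names, the sample entries and their hashes are constructed, and the day numbers are the dates from the chage -l listings converted to days since 1970-01-01.

```shell
#!/bin/sh
# Added example: classify one /etc/shadow entry by its aging fields.
# shadow(5) fields: 1 name, 2 hash, 3 last change, 4 min, 5 max, 6 warn,
# 7 inactive, 8 account expiry, 9 reserved. Fields 3 and 8 are day numbers.

# Today's date as a day number, the unit the shadow file uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

# shadow_status LINE [TODAY] -> prints one or more states separated by spaces.
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="${2:-$(today_days)}" '
    {
        s = ""
        # passwd -l / usermod -L lock a password by prefixing the hash with "!".
        if (substr($2, 1, 1) == "!") s = s " locked"
        # Field 8 is what chage -E / usermod -e set; empty means never.
        if ($8 != "" && today + 0 >= $8 + 0) s = s " account-expired"
        if ($3 == "0") {
            s = s " must-change"            # chage -d 0: change at next login
        } else if ($3 != "" && $5 != "" && $5 + 0 < 99999) {
            due = $3 + $5                   # the "Password expires" date in chage -l
            if (today + 0 >= due) s = s " password-expired"
            # Field 7 (chage -I): days after expiry until login is refused.
            if ($7 != "" && today + 0 >= due + $7) s = s " password-inactive"
        }
        print (s == "" ? "ok" : substr(s, 2))
    }'
}

# Constructed entries modelled on the chage -l listings above (hashes are fake).
# 16565 = May 10, 2015; 16570 = May 15, 2015; 16800 = Dec 31, 2015.
PART1='nor:$6$fake$hash:16565:0:99999:7::16570:'
PART2='nor:$6$fake$hash:16565:0:30:7::16800:'

shadow_status "$PART1" 16571    # evaluated as of May 16, 2015
shadow_status "$PART2" 16595    # evaluated as of Jun 09, 2015
```

Against a live system, pass the line from `sudo grep '^username:' /etc/shadow` as the first argument and omit the second to use today's date.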