Where is the usr bin Nologin file used?

Information

There are a number of accounts provided with Debian that are used to manage applications and are not intended to provide an interactive shell.

Rationale:

It is important to make sure that accounts that are not being used by regular users are prevented from being used to provide an interactive shell. By default, Debian sets the password field for these accounts to an invalid string, but it is also recommended that the shell field in the password file be set to /usr/sbin/nologin. Some built-in accounts use /bin/false which is also acceptable. This prevents the account from potentially being used to run any commands.

Solution

Set the shell for any accounts returned by the audit script to /usr/sbin/nologin:

# usermod -s /usr/sbin/nologin <user>

# passwd -l <user>

The following script will automatically set all user shells required to /usr/sbin/nologin and lock the sync, shutdown, and halt users:

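#!/bin/bash

# Walk every system account (UID below 1000) listed in /etc/passwd
for user in $(awk -F: '($3 < 1000) {print $1}' /etc/passwd); do
  if [ "$user" != 'root' ]; then
    # Lock the password of every non-root system account
    usermod -L "$user"
    # sync, shutdown and halt keep their special-purpose shells
    if [ "$user" != 'sync' ] && [ "$user" != 'shutdown' ] && [ "$user" != 'halt' ]; then
      usermod -s /usr/sbin/nologin "$user"
    fi
  fi
done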
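
The audit script referred to above is not reproduced on this page. The following is an added example, not the benchmark's own audit script: it lists system accounts (UID below 1000, as in the remediation loop) whose shell is not /usr/sbin/nologin, /sbin/nologin or /bin/false. The function name audit_nologin and the sample passwd lines are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the benchmark's audit script).
# Sample lines are constructed for illustration.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
svc-legacy:x:120:120::/var/lib/legacy:
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# audit_nologin [FILE]
# Reads a passwd-format file (default /etc/passwd, "-" for stdin) and prints
# "user:uid:shell" for every system account that still has an interactive shell.
# Exit status is 1 when at least one such account is found, 0 otherwise.
audit_nologin() {
    local passwd_file="${1:-/etc/passwd}"
    awk -F: -v uid_min=1000 '
        # Malformed line: a passwd entry always has seven fields
        NF != 7 { next }
        # Same exclusions as the remediation loop on this page
        $1 == "root" || $1 == "sync" || $1 == "shutdown" || $1 == "halt" { next }
        # Regular user accounts are out of scope for this check
        ($3 + 0) >= uid_min { next }
        # Shells the page treats as acceptable for service accounts
        $7 == "/usr/sbin/nologin" || $7 == "/sbin/nologin" || $7 == "/bin/false" { next }
        # An empty shell field falls back to /bin/sh, so it is reported too
        { printf "%s:%s:%s\n", $1, $3, ($7 == "" ? "(empty)" : $7); found = 1 }
        END { exit found + 0 }
    ' "$passwd_file"
}

# Run the audit over the constructed sample; findings go to stdout
printf '%s\n' "$SAMPLE_PASSWD" | audit_nologin - \
    || echo "Accounts above need: usermod -s /usr/sbin/nologin <user>"
```

On a live system, call audit_nologin with no argument to read /etc/passwd; it only reads the file, so it does not need root.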

See Also

https://workbench.cisecurity.org/files/2619

In this chapter we’ll learn about user and group management on your system, and also about basic access control.

In Linux, everything is associated with a user and a group. Based on these values, the system figures out who can access what part of the system. That includes files, directories, network ports, etc.

Finding the owner of file

We use the ls -l command to find the owner, and group of a file or directory.


In the above example, fedora is the name of both the owner and the group. The first value shows who can access this file (we will learn about this in a while).

/etc/passwd file

/etc/passwd contains all the users available in the system. This is a plain text file (this means you can view the information by using the cat command).

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-timesync:x:999:998:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
systemd-coredump:x:994:994:systemd Core Dumper:/:/sbin/nologin
fedora:x:1000:1000:Fedora:/home/fedora:/bin/bash
polkitd:x:993:993:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin

Each line has seven entries separated by :.

username:password:uid:gid:gecos:/home/dirname:shell

FIELD            MEANING
username         the username
password         the password of the user
uid              Numeric user id
gid              Numeric group id of user
gecos            arbitrary field
/home/dirname    Home directory of the user
shell            Which shell to use for the user

You’ll see accounts with /sbin/nologin as their shell. These are generally accounts for various services, which are not supposed to be used by a normal human user (which is why no shell is needed).

The actual user passwords are stored in an encrypted form in /etc/shadow file, with only the root user having access to this file.

$ ls -l /etc/shadow
----------. 1 root root 2213 Jun 22 15:20 /etc/shadow

If you want to know more about the current user, use the id command.

$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Details about groups

Group details are stored inside the /etc/group file. Each user has one primary group, and zero or more supplementary groups.

wheel group

If your user is part of the wheel group, then it has sudo access. If you remember the Fedora Installer, it actually gives you the option to mark a new user to be part of the wheel group during installation.

Becoming superuser

Have you noticed the sudo command sitting silently in front of many commands in the lab before? We use the sudo command to become the root user temporarily. The root user is also known as the superuser of the system; it has all the access power to change anything on the system. It is the administrator account of any Linux system.

Try the following command.

Now, you will find the id command worked as root instead of your regular user.

If you want to become the root user for more than one command, then use the following command, and provide the root password when prompted.

Important

To be able to use the sudo command, you must have your user mentioned in the /etc/sudoers file. The best way to edit the file is to use the visudo command as the root user.

Important

Read the man pages of the su and sudo commands.

Adding a new user

The useradd command adds a new user to the system. As you can well guess, this command has to execute as root; otherwise anyone could add random user accounts to the system. The following command adds a new user babai to the system.

In Fedora, the initial user you create gets the uid 1000.

Changing user passwords

The passwd command helps to change any user's password.

$ sudo passwd babai
Changing password for user babai.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Modifying existing user details

The usermod command can help to modify an existing user. You can use the same command to lock a user account in the system.

$ sudo usermod -L babai
$ su - babai
Password:
su: Authentication failure
$ sudo usermod -U babai

The last command in the above example unlocks the user account.

Deleting a user

We use the userdel command to delete a user from the system.

Adding a new group

The groupadd command adds a new group. You can also pass the group id as an option. In the following example we are adding a new group called firejumpers.

$ sudo groupadd -g 4001 firejumpers

Adding new group to a user

We can use the usermod command to add any extra group to any of our system users. In the following example, we are adding the firejumpers group to our vagrant user.

$ sudo usermod -aG firejumpers vagrant

Important

It is important to pass the -a flag to the usermod command. Without the -a flag, the usermod command will delete all the existing groups of the user. With usermod -a we append the user to the supplemental groups, and the -G flag specifies the new list of supplementary groups. Therefore, with usermod -aG we append the new list of supplementary groups to the user’s existing groups.

What folder contains the time zone template files in Linux?

The timezone information files used by tzset(3) are typically found under a directory with a name like /usr/share/zoneinfo. These files use the format described in Internet RFC 8536.

Which of the following are involved in bootstrapping Linux?

It is involved in six different steps:
Loading the code and initializing the kernel.
Detecting the devices and configuring them.
Creating spontaneous system processes.
Operator intervention (manual boot only).
Execution of system startup scripts.
Multiuser operation.

Which file does the Nohup command place in the script output by default?

The nohup command prevents the process from receiving this signal upon closing or exiting the terminal/shell. Once a job is started or executed using the nohup command, stdin will not be available to the user, and the nohup.out file is used as the default file for stdout and stderr.

Which of the following can override the settings in the ~/ SSH config file?

The settings in this configuration file provide system defaults. They can be overridden by the user's ssh configuration in the ~/.ssh/config file or by command-line options.