OPS245 Lab 3: Difference between revisions

From Littlesvr Wiki
Jump to navigation Jump to search
No edit summary
Line 22: Line 22:
== The password ==
== The password ==


Linux users no longer have their hashed password stored in the passwd file. At one point the available computing power increased so much that the one-way hash could be reversed by brute force, therefore any user on the system could theoretically get any other user's password. To avoid this problem: the password hashes were moved to the <code>/etc/shadow</code> file which regular users don't have access to:
Linux users no longer have their hashed password stored in the <code>/etc/passwd</code> file. At one point the available computing power increased so much that the one-way hash could be reversed by brute force, therefore any user on the system could theoretically get any other user's password. To avoid this problem: the password hashes were moved to the <code>/etc/shadow</code> file which regular users don't have access to:


[[File:shadowFile.png|800px|border|center]]
[[File:shadowFile.png|800px|border|center]]


The long string of random-looking characters is not the password, it's a password hash. The idea with a hash is that you can convert some plain text into the hash, but you cannot convert the hash back into the plain text. You might think of it as encrypting something with no key to decrypt it, but it's a different process: a hash is a fixed size, and the data can be a million times larger than the hash - so it would be nonsensical to try and reverse the hashing process.
The long string of random-looking characters is not the password, it's a hash of the password. The idea with a hash is that you can convert some plain text into the hash, but you cannot convert the hash back into the plain text. You might think of it as encrypting something with no key to decrypt it, but it's a different process: a hash is a fixed size, and the data can be a million times larger than the hash - so it would be nonsensical to try and reverse the hashing process. That's why these days most services won't let you retrieve a forgotten password: it's simply not there to be retrieved, you have to reset it.


== Home directories ==
== Home directories ==


You're probably used to the idea that your user's home directory is <code>/home/yourusername</code>. That is typical for regular users, but there are other types of user:
* '''Regular users'''' home directories are '''/home/username'''. That is typical for regular users, but there are other types of user:


* The '''root user''''s home directory is '''/root'''. This is because traditionally the /home directory was on a storage device which was mounted (i.e. connected) at a later stage of the boot process. And if something went wrong with the boot process: having access to root's files was helpful for fixing booting problems.
* The '''root user''''s home directory is '''/root'''. This is because traditionally the /home directory was on a storage device which was mounted (i.e. connected) at a later stage of the boot process. And if something went wrong with the boot process: having access to root's files was helpful for fixing booting problems.
*
*Services often have a home directory set to where they store data by default. For example the '''www-data''' user (the Apache web server runs as this user) stores web content in '''/var/www''' by default - and that's that user's home directory. For services the default home directory is mostly meaningless, they never use the $HOME environment variable.
Technically a valid user does not need to have any write access to their home directory. You could create a user with <nowiki><code>/</code></nowiki> for a home directory - and that user would work just fine, except it couldn't write any files in their home directory.

Revision as of 11:38, 27 January 2023

!!!THIS LAB IS NOT READY YET!!!

In this lab we'll look at the simplest types of user management on a Linux system.

What's a user

  • Look at the contents of the /etc/passwd file:
PasswdFile.png

Every line in that file is a user. Two of them you have used explicitly: root and your own username.

Each line is made of several fields, delimited by a colon. The same as a comma-separated value file (CSV) but separated by colons instead of commas. The fields are:

  • The username (e.g. asmith15)
  • A field that's no longer used, in the distant past it was the user's password
  • The UID (user ID) - a unique number identifying the user. The system uses these numbers to determine who owns which files and processes.
  • The GID (group ID) - the number identifying the user's primary group. Every user on a Linux system is a member of at least one group. It can be a member of other groups as well, but that membership is specified in the /etc/group file.
  • A comment - an unstructured string of text, usually used to store a user's full name.
  • The user's home directory. It's a sort of default directory for each user. You'll have noticed that it's the directory your shell is in when you log in, and it's what ~ and $HOME are set to.
  • The user's login shell. You would have only ever used Bash, but there are several other shells which some people prefer. The differences mostly matter only to advanced users.

The password

Linux users no longer have their hashed password stored in the /etc/passwd file. At one point the available computing power increased so much that the one-way hash could be reversed by brute force, therefore any user on the system could theoretically get any other user's password. To avoid this problem: the password hashes were moved to the /etc/shadow file which regular users don't have access to:

ShadowFile.png

The long string of random-looking characters is not the password, it's a hash of the password. The idea with a hash is that you can convert some plain text into the hash, but you cannot convert the hash back into the plain text. You might think of it as encrypting something with no key to decrypt it, but it's a different process: a hash is a fixed size, and the data can be a million times larger than the hash - so it would be nonsensical to try and reverse the hashing process. That's why these days most services won't let you retrieve a forgotten password: it's simply not there to be retrieved, you have to reset it.

Home directories

  • Regular users' home directories are /home/username. That is typical for regular users, but there are other types of user:
  • The root user's home directory is /root. This is because traditionally the /home directory was on a storage device which was mounted (i.e. connected) at a later stage of the boot process. And if something went wrong with the boot process: having access to root's files was helpful for fixing booting problems.
  • Services often have a home directory set to where they store data by default. For example the www-data user (the Apache web server runs as this user) stores web content in /var/www by default - and that's that user's home directory. For services the default home directory is mostly meaningless, they never use the $HOME environment variable.

Technically a valid user does not need to have any write access to their home directory. You could create a user with <code>/</code> for a home directory - and that user would work just fine, except it couldn't write any files in their home directory.