Chapter Two CS

Chapter 2 covers the AAA framework of security, which includes Authentication, Authorization, and Accounting, essential for access control. It discusses user and group concepts, configuration files for user management, and commands for creating, modifying, and deleting user accounts. Additionally, it introduces access control models like Discretionary Access Control (DAC) and Role-Based Access Control (RBAC), as well as implementing disk quotas to manage disk space effectively.


Chapter 2
Account, Security, and Access Control

Course: Network and System Admin || Prepared By: Gizachew T. || 10/9/2025
The Three A's of Security
The AAA framework is the cornerstone of access control.
• Authentication (Who are you?)
• Verifying the identity of a user or process.
• Examples: Password, Fingerprint, Security Token.
• Authorization (What are you allowed to do?)
• Determining what resources a user can access and what actions they can perform.
• Examples: Can you read this file? Can you install software?
• Accounting (What did you do?)
• Tracking user activity and resource consumption.
• Examples: Logging logins/logouts, commands entered, files accessed.

You must Authenticate before you can Authorize, and you should Account for both.

User and Group Concepts: The Foundation

• Users
• Every person who logs in has a user account, and every running process carries the identity of some user.
• Identified by a Username (e.g., alice) and a numeric User ID (UID). The kernel only sees the UID; the name is looked up from /etc/passwd.
• The superuser root has UID 0. Any account with UID 0 has unlimited privileges, whatever its name.
• Groups
• A collection of users. Used to simplify permission management.
• Identified by a Groupname (e.g., developers) and a numeric Group ID (GID).
• Users have one primary group and can be members of many supplementary groups.

• Why Groups? Instead of granting permissions to 100 users individually, grant them to a single group and add all 100 users to it. Removing a user from the group then revokes the access in one place.

The Configuration Files: /etc/passwd (World-readable user database)

• /etc/passwd is readable by everyone because many programs (ls, ps, login shells) need to map UIDs to names; that is why the password hashes were moved out of it.
• Format: username:x:UID:GID:GECOS:/home/dir:/bin/shell
• Example: alice:x:1001:1001:Alice Doe,,,:/home/alice:/bin/bash
• The x indicates the password is stored elsewhere (in /etc/shadow). A hash in this field, or an empty field, is a misconfiguration on any modern system.
• username (alice): User's login name
• x: Password placeholder - indicates the password hash is stored in /etc/shadow
• UID (1001): User ID - numeric user identifier: 0 = root (superuser), 1-999 = system accounts, 1000+ = regular users (the boundary is set by UID_MIN/UID_MAX in /etc/login.defs and differs between distributions; older Red Hat releases started regular users at 500)
• GID (1001): Primary Group ID - numeric identifier of the user's primary group
• GECOS (Alice Doe,,,): User information; often contains only the full name. The commas separate the optional room, work phone and home phone fields.
• /home/dir (/home/alice): Home directory path, the user's working directory after login
• /bin/shell (/bin/bash): Login shell executable path; /usr/sbin/nologin or /bin/false for accounts that must never log in interactively
The Configuration Files: /etc/shadow (Secure user password & aging info - root only)

• This file contains the sensitive password hashes and account aging information. It
is readable only by root (on Debian-based systems also by the shadow group, mode 0640) so that
ordinary users cannot copy the hashes for offline cracking. It stores hashed passwords and
the parameters that enforce password policies.
• Format: username:encrypted_password:last_change:min_age:max_age:warn:inactive:expire:reserved
• Example: alice:$y$j9T$F8J...Kf1:19677:0:90:7:14::
• username (alice): The user's login name. Must match a username in /etc/passwd.
• encrypted_password ($y$j9T$F8J...Kf1): The user's password hash. The field is traditionally
called "encrypted", but the value is a salted one-way hash: $y$ marks yescrypt, $6$ SHA-512.
A leading ! or * means the password is locked; an empty field means no password is required.
• last_change (19677): The date the password was last changed, as days since 1970-01-01.
A value of 0 forces the user to change the password at the next login.

Cont'd....

• min_age (0): The minimum number of days that must pass before the user can
change their password again. A value of 0 means it can be changed at any time (a non-zero
value stops a user from cycling straight back to an old password).
• max_age (90): The maximum number of days the password is valid. An empty field, or 99999,
means it effectively never expires.
• warn (7): The number of days before password expiration that the user will start
seeing a warning message at login.
• inactive (14): The number of days after the password has expired during which the user can
still log in and change it; after that the account is disabled.
• expire: The absolute date when the account will be disabled, stored as days since
1970-01-01. Empty means never.
• reserved: A field reserved for future use. It is always empty.

The Configuration Files: /etc/group

• /etc/group (Group database): This file defines the groups on the system and
which users are supplementary members of them.
• Format: group_name:x:GID:member_list
• Example: developers:x:1005:alice,bob,charlie
• group_name (developers): The name of the group.
• x: Historically this field stored the group's password. The x indicates that any
group password is kept in /etc/gshadow (group passwords are rarely used; newgrp and
sg are the only common consumers).
• GID (1005): The Group IDentification number. The system uses this number
to identify the group.
• member_list (alice,bob,charlie): A comma-separated list of usernames that
are supplementary members of this group. Users whose primary GID in /etc/passwd is
1005 are also members but are not listed here, so answering "who is in developers?"
needs both files.
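The three files above are what an auditor reads first on a Linux host. The script below is an added example (not part of the slides) that checks them for the conditions the slides describe: extra UID-0 accounts, empty password hashes, locked accounts, interactive users whose max_age is blank, and group members that no longer exist. It works on a constructed copy of /etc/passwd, /etc/shadow and /etc/group in a temporary directory so it runs as an ordinary user; the hashes are placeholders, not real yescrypt output. Point AUDIT_DIR at a directory holding the real files (as root) to audit a live system.

```shell
#!/bin/sh
# Added example, not part of the slides: read-only audit of the account files.
# AUDIT_DIR defaults to a temp directory filled with constructed sample data.

AUDIT_DIR="${AUDIT_DIR:-$(mktemp -d)}"

# Constructed sample data. Deliberate findings: "backup2" is a second UID-0
# account, "svc" has an empty password hash, "carol" has no max_age, and the
# group "developers" lists "charlie", who has no account.
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2:x:0:0:second superuser:/root:/bin/bash
alice:x:1001:1001:Alice Doe,,,:/home/alice:/bin/bash
bob:x:1002:1002:Bob,,,:/home/bob:/bin/bash
carol:x:1003:1003:Carol,,,:/home/carol:/bin/bash
svc:x:1004:1004:service account,,,:/srv/svc:/bin/sh
EOF

cat > "$AUDIT_DIR/shadow" <<'EOF'
root:$y$j9T$samplesalt$samplehash:19677:0:90:7:14::
daemon:*:19677:0:99999:7:::
backup2:$y$j9T$samplesalt$samplehash:19677:0:90:7:14::
alice:$y$j9T$samplesalt$samplehash:19677:0:90:7:14::
bob:!$y$j9T$samplesalt$samplehash:19677:0:90:7:14::
carol:$y$j9T$samplesalt$samplehash:19677:0::7:::
svc::19677:0:90:7:14::
EOF

cat > "$AUDIT_DIR/group" <<'EOF'
root:x:0:
developers:x:1005:alice,bob,charlie
alice:x:1001:
EOF

# Every UID-0 account is a full superuser, whatever it is called.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/passwd"
}

# Empty hash field: the account can be used with no password at all.
# ("*", "!" or "!!" is a locked account, which is a different, safe state.)
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1/shadow"
}

# Locked accounts: the hash field starts with "!" or "*".
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1/shadow"
}

# Interactive accounts (UID >= 1000, shell not nologin/false) whose
# max_age (shadow field 5) is empty, so the password never expires.
no_password_expiry() {
    awk -F: 'NR == FNR {
                 if ($3 >= 1000 && $7 !~ /(nologin|false)$/) human[$1] = 1
                 next
             }
             ($1 in human) && $5 == "" { print $1 }' "$1/passwd" "$1/shadow"
}

# Supplementary members in /etc/group that do not exist in /etc/passwd,
# typically left behind by userdel; a new account created with the same
# name would silently inherit the membership.
dangling_group_members() {
    awk -F: 'NR == FNR { user[$1] = 1; next }
             {
                 n = split($4, m, ",")
                 for (i = 1; i <= n; i++)
                     if (m[i] != "" && !(m[i] in user)) print $1 ":" m[i]
             }' "$1/passwd" "$1/group"
}

audit_report() {
    printf 'UID 0 accounts:         %s\n' "$(uid0_accounts "$1" | xargs)"
    printf 'Passwordless accounts:  %s\n' "$(passwordless_accounts "$1" | xargs)"
    printf 'Locked accounts:        %s\n' "$(locked_accounts "$1" | xargs)"
    printf 'No password expiry:     %s\n' "$(no_password_expiry "$1" | xargs)"
    printf 'Dangling group members: %s\n' "$(dangling_group_members "$1" | xargs)"
}

audit_report "$AUDIT_DIR"
```

Each function is a single awk pass; the two-file ones use the NR == FNR idiom to load one file into an array before scanning the other. Run it as root with AUDIT_DIR=/etc to check a real system; anything in the first two lines of the report needs an explanation.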

The User Private Group (UPG) Scheme

• What is it? The UPG scheme creates a dedicated, private group for each user with the same
name as the username and, normally, a GID equal to the UID.
• How it Works:
• When you create user alice, the system also creates a group called alice with GID 1001.
• This becomes Alice's primary group.
• Any file Alice creates is owned by user alice and group alice (unless it is created in a
setgid directory, which stamps its own group on new files).
• Why is it Awesome?
• Security: Isolates users' files from each other by default. Because nobody else is in the
group alice, a default umask of 002 (new files group-writable) is safe; without UPG, where
everyone shares a group such as users, the umask has to be 022.
• Collaboration: To let bob edit a file in Alice's directory, you only need to change the file's
group to a shared group both belong to and give that group rw permissions. Alice's primary
group remains private.
• This is the default on most modern Linux distributions (Red Hat, Debian, Ubuntu).

User Administration: Creating Accounts

User Management: useradd and groupadd

• useradd - The fundamental (low-level) command to add a user. Debian-based systems also ship
the interactive adduser wrapper around it.
• sudo useradd [options] username
• Common Options:
• -m or --create-home: Create the user's home directory (e.g., /home/username). ALWAYS USE THIS
(whether it happens without -m depends on CREATE_HOME in /etc/login.defs).
• -c "Comment": Full name or description (goes in GECOS field).
• -G supplementary_groups: Add user to additional groups, which must already exist. e.g., -G developers,audio
• -s /bin/bash: Set the user's login shell.
• Example:
sudo useradd -m -c "Alice Doe" -G developers -s /bin/bash alice
• A new account has no usable password until you run sudo passwd alice; until then its shadow
field holds ! (or !! on Red Hat), i.e. it is locked.
• groupadd - Create a new group.
• sudo groupadd groupname
• Example: sudo groupadd developers (run this before the useradd above; -G developers fails
if the group does not exist)

User Administration: Modifying and Deleting

Modifying and Removing Accounts

• usermod - Modify an existing user account.
• sudo usermod [options] username
• Common Options:
• -aG groups: Append user to supplementary groups. The -a is critical: -G alone replaces the
user's supplementary group list with exactly the groups you name, silently removing them from all others!
• -L: Lock the password (puts a ! in front of the hash in /etc/shadow). This only disables
password logins; an SSH key still works on most systems, so to really disable an account also
expire it (sudo chage -E 0 username) or set the shell to /usr/sbin/nologin.
• -U: Unlock the password.
• -s /bin/bash: Change shell.
• Example: sudo usermod -aG audio alice (Adds Alice to the audio group without affecting her other
memberships). Group changes take effect at the next login, not in sessions already open.
• userdel - Delete a user account.
• sudo userdel username: Removes the user but leaves their home directory.
• sudo userdel -r username: Removes the user AND deletes their home directory and mail spool. USE
WITH CAUTION.
• Either way, files the user owned elsewhere (e.g., under /srv or /tmp) keep the old numeric UID;
find them with sudo find / -xdev -nouser, because a later account that reuses the UID would
inherit them.
Enforcing Password Security with chage
• The chage command: Used to view and change user password aging information stored
in /etc/shadow.
• Key Policies You Can Set:
• -M days: Maximum number of days a password is valid.
• -m days: Minimum number of days between password changes.
• -W days: Number of days before password expires that a warning is shown.
• -I days: Number of inactive days after password expiration before account is locked.
• -E date: Absolute expiration date (YYYY-MM-DD, or days since 1970-01-01) when the account
will be disabled; -E -1 removes it.
• -d 0: Mark the password as expired so the user must set a new one at the next login
(useful right after creating an account).
Example:
sudo chage -M 90 -m 7 -W 7 alice
• "Alice must change her password every 90 days, can't change it again for 7 days, and gets a
warning 7 days before it expires."
View settings: sudo chage -l alice
• chage changes one existing account. The defaults applied to every new account come from
PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs, so set the policy there too.
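The useradd, usermod, userdel and chage slides above are the pieces of an account lifecycle. The script below is an added example (not part of the slides) that strings them together as idempotent onboard/offboard/purge steps; the file name account-lifecycle.sh, the 90/7/7/14 aging policy and the developers group are assumptions made for the example. With DRY_RUN=1 the privileged commands are printed instead of executed, which is also how the script can be read and checked without root.

```shell
#!/bin/sh
# Added example, not part of the slides: account lifecycle helpers built on
# useradd/usermod/chage/userdel. DRY_RUN=1 prints the commands instead of
# running them.

DRY_RUN="${DRY_RUN:-0}"

# run CMD ARGS... -> execute, or print the command line when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# user_exists NAME -> true if NAME resolves in the account database.
# id consults NSS, so LDAP/SSSD users are seen too, not only /etc/passwd.
user_exists() {
    id "$1" >/dev/null 2>&1
}

# onboard NAME "FULL NAME" GROUPS
# Creates the account if it is missing (home directory, GECOS comment,
# supplementary groups, shell); on an existing account it only appends the
# group memberships (-aG, never a bare -G). Then applies the aging policy.
onboard() {
    name=$1; fullname=$2; groups=$3
    if user_exists "$name"; then
        run usermod -aG "$groups" "$name"
    else
        run useradd -m -c "$fullname" -G "$groups" -s /bin/bash "$name"
    fi
    # max 90 days, min 7, warn 7 days ahead, 14 days of grace after expiry
    run chage -M 90 -m 7 -W 7 -I 14 "$name"
    # last_change = 0: the user must set a new password at first login
    run chage -d 0 "$name"
}

# offboard NAME
# Disables the account without deleting anything. usermod -L only
# invalidates the password hash, so the account is also expired (sshd's PAM
# account check then refuses key-based logins as well) and loses its shell.
offboard() {
    name=$1
    run usermod -L -s /usr/sbin/nologin "$name"
    run chage -E 0 "$name"
}

# purge NAME
# Removes the account, its home directory and mail spool, then lists files
# elsewhere still owned by the orphaned UID so they can be reassigned.
purge() {
    run userdel -r "$1"
    run find / -xdev -nouser -print
}

# usage: DRY_RUN=1 sh account-lifecycle.sh onboard alice "Alice Doe" developers
case "${1:-}" in
    onboard)  onboard "$2" "$3" "$4" ;;
    offboard) offboard "$2" ;;
    purge)    purge "$2" ;;
esac
```

Offboarding is deliberately separate from purging: disabling first keeps the UID, home directory and group memberships around for the investigation or hand-over period, and purge is run only once nothing owned by the account is still needed.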
The Skeleton Directory (/etc/skel)
Standardizing User Environments: /etc/skel
• What is it? The /etc/skel directory contains skeleton files and directories.
• How it works: When you create a new user with the -m flag, the contents
of /etc/skel are copied into the new user's home directory and re-owned to the new user.
• Common Contents:
• .bashrc - Default shell configuration and aliases.
• .profile / .bash_profile - Login shell configuration.
• .bash_logout - Commands to run on logout.
• Standard directories (e.g., Desktop/, Downloads/, Public/) on GUI-based systems.
• Why it matters: It allows the system administrator to define a standard, pre-configured
environment for all new users. Want all users to have a specific alias or a README file? Put it
in /etc/skel.
• Two cautions: everything in /etc/skel (including, say, a pre-seeded .ssh/authorized_keys) lands
in every new home directory, and existing users are not affected, so later changes have to be
pushed out separately.

DAC Review: Ownership & Basic Permissions

Access Control Model #1: Discretionary Access Control (DAC)

• Core Idea: The owner of a file or directory has discretion (choice) over who can access it.
• Key Commands:
• chown: Change file owner and group (only root can change the owner).
• sudo chown alice:developers file
• chgrp: Change only the group.
• chgrp developers file (The owner can do this themselves if they are a member of developers)
• chmod: Change permissions for user/group/other.
• chmod 775 shared_dir/ (Owner & group have full access, others can read and enter; on a
directory r lists the names, x traverses, and w creates or deletes entries)
• Limitation of DAC: The owner can easily grant overly permissive access (e.g., chmod 777),
creating security risks, and root is bound by none of it. Periodically search for world-writable
files (find / -xdev -perm -0002) and for world-writable directories without the sticky bit,
where any user can delete anyone else's files.
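The following is an added example (not part of the slides) for the two DAC mistakes just mentioned and for the shared-directory case from the UPG slide: it reports files that are writable by everyone and world-writable directories lacking the sticky bit, and it shows the setgid directory setup that lets a group collaborate while private groups stay private. The sample tree (public_drop, scratch, private, team) is constructed in a temporary directory so the script runs as an ordinary user; pass / to the audit function as root to check a host.

```shell
#!/bin/sh
# Added example, not part of the slides: DAC audit plus setgid shared directory.

# world_writable_unprotected ROOT
# Prints regular files writable by everyone, and directories writable by
# everyone that lack the sticky bit (any user could delete anyone's files
# there). Directories like /tmp (mode 1777) are world-writable but protected,
# so they are not reported.
world_writable_unprotected() {
    find "$1" -xdev \( -type f -perm -0002 -print \) \
        -o \( -type d -perm -0002 ! -perm -1000 -print \) 2>/dev/null | sort
}

# make_shared_dir DIR [GROUP]
# Creates a collaboration directory: owner and group get rwx, others nothing,
# and the setgid bit makes every new file inherit DIR's group instead of the
# creator's private UPG group. GROUP is optional so the function can be
# exercised without root (chgrp requires membership in the target group).
make_shared_dir() {
    mkdir -p "$1"
    [ -n "${2:-}" ] && chgrp "$2" "$1"
    chmod 2770 "$1"
}

# mode_of PATH -> the symbolic mode string from ls, e.g. drwxrws---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample tree with two bad and three acceptable objects.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_drop" "$root/scratch" "$root/private"
    : > "$root/public_drop/notes.txt"
    : > "$root/private/secret.txt"
    chmod 777 "$root/public_drop/notes.txt"   # bad: anyone can rewrite it
    chmod 777 "$root/scratch"                 # bad: no sticky bit
    chmod 1777 "$root/public_drop"            # ok: world-writable but sticky
    chmod 600 "$root/private/secret.txt"      # ok: owner only
    make_shared_dir "$root/team"              # ok: 2770, group-private
    printf '%s\n' "$root"
}

SAMPLE=$(build_sample_tree)
echo "Findings under $SAMPLE:"
world_writable_unprotected "$SAMPLE"
echo "team directory mode: $(mode_of "$SAMPLE/team")"
```

On a real host the interesting call is world_writable_unprotected / as root; the list should contain nothing outside the handful of sticky spool directories a distribution ships. For the collaboration case, make_shared_dir /srv/project developers followed by adding users with usermod -aG developers is all that is needed, since the setgid bit keeps new files in the developers group no matter who creates them.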



Introducing RBAC: A More Robust Model

• Access Control Model #2: Role-Based Access Control (RBAC)

• Core Idea: Access is granted to roles (e.g., "Web Admin", "DB Analyst"), not individual users. Users are then
assigned to roles.
• Contrast with DAC:
• DAC: User-centric. "Alice owns this file and decides the rules."
• RBAC: Administrator-centric. "The 'Backup Operator' role has these permissions. Alice is a Backup Operator."
• sudo as a Simple Form of RBAC:
• sudo allows users to run commands as another user (usually root).
• It's configured in /etc/sudoers (and drop-in files under /etc/sudoers.d). Always edit with visudo, which
syntax-checks the file before saving; a broken sudoers locks everyone out of sudo.
• You can grant a role (e.g., members of the developers group) the ability to run specific commands as root
without knowing the root password.
• Example Sudoers entry:
%developers ALL=(ALL) /usr/bin/systemctl restart nginx
• "Members of the developers group can run systemctl restart nginx as root on all hosts."
• Read the entry as WHO HOSTS=(AS_WHOM) COMMAND. Because the command is listed with its full path and
arguments, members get exactly that invocation; granting /usr/bin/systemctl alone would let them stop any
service or run systemctl edit, which opens an editor as root. (root) is tighter than (ALL) when only root is needed.
• Every sudo invocation, allowed or refused, is logged via syslog (auth.log or the journal): this is the
Accounting leg of AAA for privileged commands.



Implementing Disk Quotas - Concepts

Managing Disk Space: Implementing Quotas

• What are quotas? A system to limit the amount of disk space a user or group can consume on a given filesystem.
• Why use them? To prevent a single user from accidentally or maliciously filling up the filesystem and causing a system-wide outage (a full /home or /var is a denial of service against every other user and many daemons).
• Two Types of Limits:
• Hard Limit: Absolute maximum. The user cannot exceed this; writes fail with "Disk quota exceeded".
• Soft Limit: A grace limit. The user can exceed this for a temporary period (the grace period, 7 days by default); once it runs out the soft limit is enforced like a hard one until usage drops below it again.
• What can be limited?
• Block Limits: Disk space (reported in 1 KiB blocks).
• Inode Limits: Number of files (a guard against someone creating millions of tiny files).
• Implementation Steps (Overview, for ext4):
• Enable quota support in filesystem mount options (/etc/fstab).
• Remount the filesystem.
• Initialize quota database files (quotacheck).
• Turn on quotas (quotaon).
• Set quotas for users/groups (edquota).
• XFS differs: quotas are enabled with the uquota/gquota mount options, are always on, and are managed with xfs_quota; quotacheck and quotaon are not used.

Implementing Disk Quotas - Commands
1. Enable in /etc/fstab:
• Find the filesystem's entry and add usrquota,grpquota to the mount options.
• Example: UUID=... /home ext4 defaults,usrquota,grpquota 0 2
• Then sudo mount -o remount /home. Quotas apply per filesystem, so /home can only be limited
if it is its own filesystem, not a directory on /.
2. Initialize & Turn On:
• sudo quotacheck -cugm /home -> Scans the filesystem and creates the quota database files
aquota.user and aquota.group (-c) for users and groups (-ug) on /home; -m lets it scan without
remounting read-only.
• sudo quotaon -v /home -> Turns quotas on for the filesystem.
3. Edit a User's Quota:
• sudo edquota -u username -> Opens a temp file in your editor to set block (space) and inode (file count)
limits.
• The editor shows one line per quota-enabled filesystem: current usage followed by the soft and hard
limits for blocks (1 KiB units) and for inodes. Enter the desired limits; 0 means unlimited.
setquota does the same non-interactively and is the tool to use from scripts.
• sudo edquota -t -> Sets the grace period for soft limits.
4. Reporting:
• sudo repquota -a -> Report summary for all filesystems with quotas.
• quota -v -> Lets a user check their own usage; root can add a username to inspect someone else's.
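The four steps above as a script, added here as an example (not part of the slides). It uses setquota, the non-interactive counterpart of edquota, so the limits can be applied from a provisioning tool, and it shows the unit conversion that trips people up: the quota tools count 1 KiB blocks, so a 500 MiB limit is 512000 blocks, not 500000. The filesystem /home, the 500 MiB limit, the 90% soft limit and the file name quota-setup.sh are assumptions for the example; DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the slides: ext4 quota setup with setquota.
# DRY_RUN=1 prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-0}"
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mib_to_blocks MIB -> quota block count (the tools use 1 KiB blocks).
mib_to_blocks() {
    echo $(( $1 * 1024 ))
}

# soft_from_hard LIMIT -> soft limit at 90% of the hard limit, so the user
# gets the grace-period warning before writes start failing. Works for
# block and inode limits alike; 0 stays 0 (unlimited).
soft_from_hard() {
    echo $(( $1 * 9 / 10 ))
}

# enable_quotas FS -> remount with the quota options, build the database
# files, switch quotas on, and set a 7-day grace period (in seconds) for
# both block and inode soft limits. The fstab edit itself is left to the
# administrator; the line printed is the one to add (UUID= is a placeholder).
enable_quotas() {
    fs=$1
    echo "# add to /etc/fstab: UUID=...  $fs  ext4  defaults,usrquota,grpquota  0 2"
    run mount -o remount "$fs"
    run quotacheck -cugm "$fs"
    run quotaon -v "$fs"
    run setquota -t 604800 604800 "$fs"
}

# set_user_quota USER HARD_MIB FS [INODE_HARD]
# setquota always writes all four limits at once, so block and inode limits
# go in a single call; passing 0 0 for one pair would reset it to unlimited.
set_user_quota() {
    hard=$(mib_to_blocks "$2")
    soft=$(soft_from_hard "$hard")
    ihard=${4:-0}
    isoft=$(soft_from_hard "$ihard")
    run setquota -u "$1" "$soft" "$hard" "$isoft" "$ihard" "$3"
}

# usage: DRY_RUN=1 sh quota-setup.sh demo
if [ "${1:-}" = "demo" ]; then
    enable_quotas /home
    set_user_quota alice 500 /home 50000
    run repquota -v /home
fi
```

After the real run, sudo repquota -v /home should list alice with 460800/512000 blocks and 45000/50000 inodes, and quota -v from her own session shows the same limits with her current usage.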

THANK YOU!
