% CST8177 Assignment 09 - CentOS: sudo, Sysadmin account, User and Group Management
% Todd Kelley, Ian! D. Allen – – [www.idallen.com]
% Winter 2014 - January to April 2014 - Updated Wed Apr 2 05:32:31 EDT 2014

Due Date and Deliverables
=========================

> **Do not print this assignment on paper!**
>
> - On paper, you will miss updates, corrections, and hints added to the
>   online version.
> - On paper, you cannot follow any of the [hyperlink URLs] that lead you
>   to hints and course notes relevant to answering a question.
> - On paper, scrolling text boxes will be cut off and not print properly.

- **Due Date**: `23h59 (11:59pm) Saturday March 29, 2014 (end of Week 11)`
    - Late assignments or wrong file names may not be marked. Please be accurate and punctual.
- **Available online**
    - Version 1 – 06:00 March 20, 2014
    - Version 2 – 19:00 March 26, 2014 – clarified wording and formatting
    - Version 3 – 15:00 March 27, 2014 – clarified wording and formatting
- **Prerequisites**
    - [CST8207 GNU/Linux Operating Systems I]
    - All [Class Notes] since the beginning of term.
    - Completed [CentOS Virtual Machine] virtual machine installation (done in a previous assignment).
    - An ability to **READ ALL THE WORDS** to work effectively.
- **Deliverables**
    1. Modifications to your [CentOS Virtual Machine] as given in this assignment.
        - **Do not delete any assignment work from your [CentOS Virtual Machine] until after the term is over!**
    2. One text file uploaded to Blackboard according to the steps in the [Checking Program] section below.
    3. Directory structure and files created and left for marking on the [Course Linux Server] (**CLS**).\
       **Do not delete any assignment work from the CLS until after the term is over!**

Purpose of this Assignment
==========================

> **Do not print this assignment on paper!** On paper, you cannot follow any
> of the hyperlink URLs that lead you to hints and course notes relevant to
> answering a question.


This assignment is based on your weekly [Class Notes].

1. Review account administration commands from last term.
2. Set up a systems administration account for your [CentOS Virtual Machine]
3. Perform user management operations on your [CentOS Virtual Machine]
4. Perform group management operations on your [CentOS Virtual Machine]

Introduction and Overview
=========================

This is an overview of how you are expected to complete this assignment. Read all the words before you start working.

> Do not print this assignment on paper. On paper, you cannot follow any of
> the hyperlink URLs that lead you to hints and course notes relevant to
> answering a question.

1. Complete the readings in your weekly [Class Notes].
2. Complete the **Tasks** listed below, in order.
3. Verify your own work before running the **Checking Program**.
4. Run the **Checking Program** to help you find errors.
5. Submit the output of the **Checking Program** to Blackboard before the due date.
6. **READ ALL THE WORDS** to work effectively and not waste time.

You will create file system structure in your CLS home directory containing various directories and files. You will also make changes in your own Linux Virtual Machine running CentOS 6.5. You can use the **Checking Program** to check your work as you do the tasks. You can check your work with the checking program as often as you like before you submit your final mark. **Some task sections below require you to finish the whole section before running the checking program; you may not always be able to run the checking program successfully after every single task step.**

When you are finished the tasks, leave the files and directories in place on both the CLS and your own Linux Virtual Machine as part of your deliverables. **Do not delete any assignment work until after the term is over!** Assignments may be re-marked at any time on the CLS; you must have your term work available on the CLS right until term end.


> Since I also do manual marking of student assignments, your final mark may
> not be the same as the mark submitted using the current version of the
> [Checking Program]. I do not guarantee that any version of the [Checking
> Program] will find all the errors in your work. Complete your assignments
> according to the specifications, not according to the incomplete set of
> mistakes detected by the [Checking Program].

Searching the course notes
--------------------------

The previous term’s course notes are available on the Internet here: [CST8207 GNU/Linux Operating Systems I]. All the notes files are also on the CLS. You can learn about how to read and search these files using the command line on the CLS under the heading *Copies of the CST8207 course notes* near the bottom of the page [Course Linux Server]. The current CST8177 term notes are searchable there, too!

The CLS Source Directory
------------------------

All references to the “Source Directory” below are to the CLS directory `~idallen/cst8177/14w/assignment09/` and that name starts with a *tilde* character followed by a userid with no intervening slash. The leading tilde indicates to the shell that the pathname starts with the HOME directory of the account `idallen` (seven letters).

You do not have permission to list the names of all the files in the Source Directory, but you can access any files whose names you already know.

Review of CST8207 account management
------------------------------------

Review your work from [CST8207 GNU/Linux Operating Systems I]:

- In this assignment you will need to remember how to use:
  `passwd, useradd, userdel, groupadd, gpasswd, usermod, chown, chgrp, chmod, chsh`
- [Modes and Permissions]
- [Modes and Permissions assignment]
- [Users and Groups]
- [Users and Groups assignment]

Tasks
=====

- Do the following tasks in order, from top to bottom.
- Pay attention as to which tasks must be done in your own [CentOS Virtual Machine] and which must be done in your account on the [Course Linux Server].
- Tasks done on your own [CentOS Virtual Machine] require you to run a marking program in that Virtual Machine. That marking program will transfer marking data from the VM to the CLS for marking.
- Your instructor will mark on the due date the work transferred to your account on the CLS. Leave all your work on the CLS and do not modify it.
- **Do not delete any assignment work from the CLS until after the course is over.**
- **READ ALL THE WORDS!** and do not skip steps.

Set Up – The Base Directory on the CLS
--------------------------------------

1. Do a [Remote Login] to the [Course Linux Server] (**CLS**) from any existing computer, using the host name appropriate for whether you are on-campus or off-campus.
2. Create the CLS directory `~/CST8177-14W/Assignments/assignment09`
3. Create the `check` symbolic link needed to run the **Checking Program**, as described in the section [Part II - Check and Submit] below.

Run [Part II - Check and Submit] to verify your work so far.

CentOS: Snapshot
----------------

0. Complete your [CentOS Virtual Machine] Installation and Verification.
    - Make sure it passes the checks for disk sizes and package counts.
    - Complete the critical system administration tasks required in [Assignment #08].
1. Before you begin this assignment, create a snapshot of your [CentOS Virtual Machine].
    - Enter a comment explaining where and when you took this snapshot.
    - You can restore back to this snapshot if anything goes wrong.

CentOS: Creating a `sudoers` group
----------------------------------

> We will create a special `sudoers` group. The `sudo` command will be
> configured to permit any account in this group to become the `root` user
> and run any command with full privileges.

1. Login to your [CentOS Virtual Machine] as the `root` user (the only user).
2. Create a special group for users who will be permitted to use the `sudo` command, as follows:
    a. In the CentOS `man groupadd` manual page:
        - Read (RTFM) about the Red Hat `-r` *system group* option.
        - The `login.defs` file mentioned there is in the `/etc/` directory.
        - The variables mentioned in the `man` page are not actually defined in the file – looks like a bug in CentOS.
        - The `gid` field for a *system group* will be less than the value of `GID_MIN` found in the file. Look up the value.
    b. Create a new *system group account* called `sudoers`
        - Make sure the group is created as a **system group**: is the value of the `gid` field less than `GID_MIN`?
    c. Check your work: make sure the new group appears in the group file. If it is not there, get help.
        - Is the value of the `gid` field less than `GID_MIN`?
3. Enable `sudo` to use the new `sudoers` group, as follows:
    a. Make a backup of `/etc/sudoers` (for example, `/etc/sudoers.bak`)
        - Always preserve the mode and time of files you copy!
    b. Edit the `sudoers` file with the `visudo` command (which will use the Small `vi` editor, not `vim`).
        - Refer to the course notes on how to use an editor other than `vi` with this command: `EDITOR=vim visudo`
    c. Search for the line `# %wheel ALL=(ALL) ALL`
        - Read the line directly above it to see what this line does.
    d. Following the model of the commented-out line for the group `wheel`, create a new line (and a comment above it) that allows anyone in the `sudoers` group to run all commands. (You will yank and put two lines and edit one of the two lines you put.)
    e. Ensure there is no comment character `#` at the front of the line from the previous step. The line must start with `%` followed by the new group name (*not* `wheel`).
    f. Save the `/etc/sudoers` file and quit the editor.
4. Do a file difference between your backup file `/etc/sudoers.bak` and the new `/etc/sudoers` file. Make sure that the only changes you see are the ones you intended to make.
    If not, restore the file (or restore a previous snapshot) and make the changes again.
    - Exactly two lines should be added to `/etc/sudoers`
    - Make sure this finds exactly one line: `grep '^%sudoers' /etc/sudoers`

Run the **Fetch** and [Checking Program] to verify your work so far.

CentOS: Creating a System Administrator Account
-----------------------------------------------

In this section you will create your own system administration account on your CentOS VM. This personal account can be customized for you. All work is done on your [CentOS Virtual Machine].

> Do not add extensive customization to the `root` account on a system, since
> such customization may not suit all `root` users of the system and may
> break automated programs that need to become the `root` user.
>
> Leave the `root` account on your [CentOS Virtual Machine] alone.
>
> References to man pages below will be to **CentOS** man pages, not **CLS**
> man pages. Since **CentOS** Linux and **Ubuntu** Linux are different
> distributions, they sometimes have different documentation and programs.

Review [Users and Groups]:

- The CentOS `useradd` command creates a new account, storing information about the account in the `/etc/passwd` file and about the account groups in the `/etc/group` file. It also creates a HOME directory for the account and places standard start-up files into it.
- The `passwd` command sets a password for an account, storing the password in the *shadow* password file named `/etc/shadow`. An account cannot be used until a password has been set. Group passwords (rarely used) are stored in the *shadow* group file `/etc/gshadow`.

1. Take a VMware snapshot that you can return to if things go wrong.
    - Enter a snapshot comment explaining where and when you took this snapshot.
2. If necessary, login to your [CentOS Virtual Machine] as the `root` user (the only user).
3. Make sure you have configured the `sudoers` group in the previous section.
    - Search for the `sudoers` group name in the system group file.
4. Create a *system administrator* account as follows:
    a. In the CentOS `man useradd` manual page:
        - Read the `SYNOPSIS` and note where the **LOGIN** name must be used on the `useradd` command line.
        - Read about the `--comment` option and following argument used to define your *full name*. The (quoted) full name argument must immediately follow the option on the command line. See below.
        - Read about the Red Hat `-r` *system account* option and how using it will require you to use the `-m` option as well. Remember that.
        - Read about the `-m` option. You must use this, too.
        - You will need to use all three of these options correctly.
        - The variables mentioned in the `man` page under `-r` are not actually defined in the given file – looks like a bug in CentOS.
        - The `uid` field for a *system account* will be less than the value of `UID_MIN` found in the file. Look up the value.
    b. Following the **SYNOPSIS** syntax given in the `useradd` man page, add a new **system account** with the following settings:
        - **LOGIN**: Use your eight-character College/Blackboard/CLS username.
        - **COMMENT**: Copy and paste the exact text used for the fifth field of your own account line in `/etc/passwd` on the CLS:
            - The fifth field in `/etc/passwd` is called the **GECOS** field or **user’s name or comment** field.
            - The text you must copy and paste from the CLS and use as a comment field on CentOS is in the form: “*Firstname* *Lastname* `- CST8177-14W-4NN`” where *Firstname* and *Lastname* are *your* name and *4NN* is your own three-digit lab section number.
            - Warning: Spaces are shell meta-characters.
            - Copy and paste all this information from your GECOS entry in the CLS password file to be the (quoted) argument immediately following the `--comment` option.
        - Make sure the account is created as a **system account** with no password expiry.
        - Use the option to create the HOME directory at the same time.
    c. After creating your account with `useradd`, verify it:
        - Search for the newly created account line in the password file:
            - Make sure it has the correct **GECOS/comment/name** field that should be a copy of the same field on the CLS.
            - To be a system account, the userid number for the account must be less than `UID_MIN`.
        - Run `id abcd0001` where *abcd0001* is your new account name.
            - Verify that the `uid` and `gid` are less than `UID_MIN`, indicating a system account.
    d. Make sure the newly created account also has a HOME directory created in the file system. Note that some default hidden files have been put into the HOME directory, copied from the directory `/etc/skel/`. As system admin, you can put custom files in this directory that will be given to all accounts created using `useradd`.
    e. If you didn’t succeed in creating the account and HOME directory correctly, with the correct comment (GECOS) and correct `uid` field, you may restore your snapshot and try again, or delete the account using `userdel -r` and try again.
5. Adjust the permissions of the new account HOME directory, if necessary, as follows:
    a. Set the permissions (mode) of the new HOME directory for your new account such that:
        - The owner (that is, you) can do everything
        - The group can search but not read or write
        - Other users can do nothing (no permissions)
6. Set a password for your new sysadmin account, as follows:
    a. Review the section “Choose a hard-to-guess password” in `man passwd`.
    b. Assign your new account a strong password that you can [remember].
        - Make sure you assign the password to the **new** account; do not change your `root` account password. RTFM Warning: If you do not type the *username* argument to the password command, you are changing the password of the account that you are signed in with (i.e. the `root` account!). Do **not** change your `root` password! Change the password of your new non-root account.
7. Enable `sudo` for the new account, as follows:
    a. Review the CentOS `man gpasswd` manual page.
    b. Use a command to add your new account to the `sudoers` group. (Do not edit the group file! Use the correct system command.)
    c. Check your work: make sure your account name appears beside the new group name in the group file and in the group shadow file. If not, get help.
    d. Run `id abcd0001` where *abcd0001* is your account name.
        - Verify that the account has the `sudoers` group listed.
8. Test your new account’s ability to use `sudo`, as follows. (You can do this on the VMware console or via an SSH login.)
    a. Log out from the `root` account.
    b. Log in to your new system admin account.
    c. Look at `man sudo`, or search the course notes, for how to “gain `root` privileges” when you are a sudoer.
    d. Obtain `root` privileges using the `sudo` command to start a `root` privilege shell:
        - Use the `-i` option to set a correct `root` `PATH` that includes system administration paths such as `/sbin`.
        - Your shell prompt should change from `$` to include the `#` character that indicates `root` privileges.
    e. If the previous step was unsuccessful, check the following:
        - Did you type your **own** password (not `root`’s) when prompted by the `sudo` command? Use your own password with `sudo`.
        - Is your sysadmin (non-`root`) user in the `sudoers` group?
        - Is there a line in the `/etc/sudoers` file that allows anyone in the `sudoers` group to run all commands? (Check your work.)
    f. When `sudo` works, type `whoami` or `id` to confirm that you are the `root` user and are in the `root` group.
    g. Type `pwd`. If you are still in your sysadmin HOME directory, you didn’t use the correct `sudo` option to do a full login. Try again. Using the right option will have you change to `root` and also change to the HOME directory of `root` (that is not under `/home`).
    h. You must not proceed until you are able to obtain `root` shell privileges as your sysadmin (non-`root`) user, because you are about to disallow `root` logins.
    i. You may remove `/etc/sudoers.bak` if everything is working correctly.

Run the **Fetch** and [Checking Program] to verify your work so far.

CentOS: Prevent `root` logins
-----------------------------

> Many systems increase security by making it impossible to become the `root`
> user directly using a `root` account password, forcing people to first
> login with their own account name and only then use `sudo` to execute
> privileged commands.

1. Log in to your new system administration account, if necessary, and obtain `root` shell privileges using the `sudo` command, if necessary.
    - Your shell prompt should change from `$` to include the `#` character that indicates `root` privileges.
    - Make sure you have the full `root` `PATH` that includes `/sbin`
2. Type `whoami` or `id` to confirm that you are the `root` user.
3. Take a VMware snapshot that you can return to if things go wrong.
    - Enter a comment explaining where and when you took this snapshot.
4. Lock the `root` account password using the correct option of the `passwd` command.
5. Confirm that the password field for the `root` account in the shadow file now has an exclamation mark `!` at the beginning, locking it.
6. Exit your current shell to release `root` privileges, so that you return to your system admin account and see a regular prompt (no `#` character).
7. Verify that you cannot use `su` to become `root` any more using the locked `root` account password. You must now always log in as your sysadmin account and use `sudo` to become `root`.

Run the **Fetch** and [Checking Program] to verify your work so far.

CentOS: Copy your files from the CLS to your CentOS VM account
--------------------------------------------------------------

> Your new system admin account is missing the shell prompt, options, and
> aliases of your account on the CLS. Let’s bring some selected files from
> the CLS to your CentOS sysadmin account.

1. Log in to your new CentOS system administration account, if necessary.
    - Exit from the `root` shell, if you are running as `root`.
2. Type `whoami` or `id` to confirm that you are *not* running as `root`.
    - You should see your own userid.
3. Take a VMware snapshot that you can return to if things go wrong.
    - Enter a comment explaining where and when you took this snapshot.
4. Copy your `.bashrc` and `.bash_profile` from your account on the CLS (the remote machine) to the HOME directory of your account on your CentOS VM (the local machine) with `scp`, as follows:
    a. Read about using the `scp` command in [Unix/Linux SCP Command].
    b. Use the “preserves modification times” option to the `scp` command.
    c. Make sure you copy in the correct direction, or you will wipe out your files on the CLS!
    d. You may find it useful to create an alias in your accounts that always uses the “preserve” option when you type the `scp` command name.
        - You may already have a similar alias defined for the `cp` command.
        - Make sure you define and save the alias on both the CLS and CentOS.
5. Log out of CentOS and log back in as your sysadmin account to make your shell environment the same as it would be on the CLS. All the options and aliases should be the same on both machines now.
6. Move your `CST8177-14W` directory from the `root` HOME directory to your own account HOME directory and recursively set its owner and group to be your userid and group. Do not leave `root`-owned files in your account.

> Advanced users can use `find` to find files with the wrong owner and send
> those pathnames into `sudo` running `xargs` with `chown`. See [Find and
> Xargs].

Run the **Fetch** and [Checking Program] to verify your work so far.

CentOS: Creating a few new users “by hand”
------------------------------------------

> You will use the standard account management tools to create a few ordinary
> (non-admin) accounts, just as you did last term. You will force password
> expiry so that the users must change their passwords when they first log
> in.

1. Log in to your new system administration account, if necessary, and obtain `root` shell privileges using the `sudo` command, if necessary.
    - Your shell prompt should change from `$` to include the `#` character that indicates `root` privileges.
    - Make sure you have the full `root` `PATH` that includes `/sbin`
2. Type `whoami` or `id` to confirm that you are the `root` user.
3. Take a VMware snapshot that you can return to if things go wrong.
    - Enter a comment explaining where and when you took this snapshot.
4. Create three new users by running the appropriate command three times:
    a. **Usernames:** `user001`, `user002`, `user003`
    b. **Full Names (GECOS comment field):** `User One`, `User Two`, `User Three`
    c. Verify that the new accounts appear in the password file and that the HOME directories all exist.
    d. Note that the new accounts have been given default hidden files from the `/etc/skel/` directory.
5. Set different, good initial passwords for the three users.
6. Force these users to change their password upon first login.
    - Search the lecture slides for how to *force passwd change on login*.
7. Set their HOME directory permissions to be as follows:
    - the owner can do everything
    - group can search and read but not write
    - other users can do nothing (no permissions)

Run the **Fetch** and [Checking Program] to verify your work so far.

CentOS: Create many more users in bulk
--------------------------------------

> Few organizations create users manually. The batch `newusers` command
> (RTFM) can read a text file and create user accounts in bulk. In this
> section, you will be creating a text file suitable for input to the
> `newusers` command, then using `newusers` to quickly create almost a
> hundred new accounts.

1. Log in to your new CentOS system administration account, if necessary.
    - Exit from the `root` shell, if you are running as `root`.
2. Type `whoami` or `id` to confirm that you are *not* running as `root`.
3. Take a VMware snapshot that you can return to if things go wrong.
    - Enter a comment explaining where and when you took this snapshot.
4. On CentOS, make your own directory `~/CST8177-14W/Assignments/assignment09`, in which you will create the files and scripts resulting from the following tasks. (You already did this on the CLS; now do it here on CentOS.)
5. Copy the file `userlist.csv` from the [Source Directory] on the CLS to the above `assignment09` directory in your account on your CentOS machine.
    - Did you remember to preserve the time stamp on the file?

Imagine that the `userlist.csv` file was given to you from the Human Resources department by someone who created it with a spreadsheet. Examine this file, and notice that it is in Colon-Separated-Value format. It is 98 lines: a header line and a *username* and a real name for each of 97 new users that need an account on your system. The file contains five fields, separated by colons (`:`). Read the header line to know what the five fields are. (A real spreadsheet export would be separated by commas, but we’re making it easier for you.)

We need to create a text file suitable for batch input to the `newusers` command. Every line in the file we give to `newusers` must have the correct format: it must have the userid at the start and the seven colon-separated fields described at the top of the `newusers` man page. The file given to us only has five fields, and it has a poor password set for all the accounts. We need to fix this file before we can feed it to the `newusers` command.

> **Note:** If you read *all the words* in this section before you start
> working, you will save yourself some file copying by using one command
> pipeline (no temporary files needed) instead.

5. Create a new file called `userlist.newusers` based on `userlist.csv`, but make the following changes.
    a. Copy the `userlist.csv` file into the new file `userlist.newusers`.
    b. The first line in `userlist.csv` is a header line, not a user to be created; the first line must be deleted. Use a command to read the file, remove the first (header) line, and write a temporary output file. The temporary output file should be only 97 lines long. (**Hint:** What command shows the **last** 97 lines of a file? [Double Hint: That same command has a syntax to “print beginning with the Kth item from the start of each file” which allows you to skip the first line without knowing how many lines are in the file.])
    c. Move the temporary output file to be the `userlist.newusers` file.
        - The file should now have only 97 lines in it.
        - Make sure the header line is gone.
    d. Use `sed` to read the new file and on every line insert the two colon characters that correspond to the location of the missing `pw_uid` and `pw_gid` fields needed by `newusers`, and write a temporary output file. For example, use `sed` to change this line:

            user066:password:User 066:/home/user066:/bin/bash

        to this line with two more colon characters in the right place:

            user066:password:::User 066:/home/user066:/bin/bash

        on all 97 lines. (This is a one-expression `sed` substitution.) (**Hint:** You can’t simply change a colon to three colons. Use some fixed context around your expression, to select the correct colon to change.)
    e. Move the temporary output file to be the `userlist.newusers` file.
        - Verify that every line now has seven colon-separated fields, with three colons right after the password field.
        - There should still be exactly 97 lines in the file.
    f. All the seven fields in the file are acceptable except the `pw_passwd` field that currently contains `password`, which is not a good default password for all these accounts. *RTFM* to see how the `pw_passwd` field is used by `newusers`.
        - Use `sed` to read the new file and on every line change the `pw_passwd` field from the dummy value `password` to a single, common password that all of these new users will get.
You choose the new password. (This is not very secure, but it’s the best you can do without writing a more complex script.) - Do not choose any obvious password such as `password`. - To make this change, use an invocation of the `sed` command to read this file and change the word `password` to the password that you made up, redirecting the output of the `sed` command to a temporary output file. g. Move the temporary output file to be the `userlist.newusers` file. h. Verify that your output file is 97 lines (no header line) and the only field that has changed in each line is the new `password` field. - Every line should contain your new password in the `pw_passwd` field position. 6. Realize that the above three edits could be done as one three-command pipeline that reads the original `userlist.csv` file, and makes each of the above three changes using filters. With a pipeline, no temporary files are needed. - Write this three-command pipeline and when it is working, put it in a script named `convert_userlist.sh`. The script should read standard input and write standard output, so that you can type: $ userlist.newusers The script file will contain two or three commands (which might inclue `tail` and `sed` and maybe another `sed`) separated by pipe characters. (If you RTFM, you can combine the two `sed` commands into one `sed` command with two expressions, or perhaps even into one single expression that does both edits at the same time.) No file names are mentioned in the script, so that the script reads standard input and writes to standard output. 7. Verify that the `userlist.newusers` file contains 97 lines, seven fields per line, with good passwords. 8. Use `sudo` to run the `newusers` command with this file to create all of these 97 new users. 9. 
Make sure all the new users and HOME directories exist:

- Should have account entries and HOME directories for `user001` through
  `user100`
- Use pipelines to select and count the accounts in the password, group,
  and shadow files. Do they all exist?
- Use pipelines to select and count the account HOME directories. Do they
  all exist?
- Note that these accounts do *NOT* have hidden files copied from
  `/etc/skel/` in them. Only `useradd` copies these files.

CentOS: Management of the bulk users
------------------------------------

> This reviews the account management commands you learned above and in your
> previous term. Links to previous term notes and worksheets are given above
> under [Review of CST8207 account management]. None of the items below
> require you to text-edit any system files using a text editor. Actions can
> be performed using the correct account management commands. Most account
> management commands will require `root` permissions to run.

0.  Make sure you have correctly followed all the above steps, including
    using the `newusers` command to create 97 accounts. Verify that you
    have created all the users and HOME directories for accounts `user001`
    through `user100` before continuing.

1.  Use a system admin command to create a new group called `common`.

    - Do *NOT* edit the group file! Use the correct system admin command.
    - Do *NOT* make this a system group. It is a normal group.
    - Verify the change by looking in the group file.

2.  Use a system admin command to add users `User 004` and `User 005` to
    the `common` group.

    - Do *NOT* edit the group file! Use the correct system admin command.
    - Verify the change by looking in the group file.

3.  Create a directory called `/home/common` owned by your sysadmin user,
    and group-owned by the new `common` group.

4.  Change the permissions on `/home/common` so that your sysadmin user can
    read/write/search, members of the `common` group can
    read/write/search, and it is not accessible in any way to other users.

5.  Become `User 004` without using a password (using your sysadmin powers)
    and as that user, create a group-writeable file in the `common` group
    called `/home/common/README` containing the text
    `This common directory is for members of the common group`.

    - Note the permissions on the file when you create it.
    - Make sure you change *only* the group and group permissions of this
      file.
    - Do not remove *any existing permissions* on the file.
    - Exit from this `user004` shell to revert back to your superuser-self.

6.  Become `User 005`, and ensure that as `user005` you can edit the file
    `/home/common/README` and change the text “`for members`” to
    “`for all members`”.

    - If you can’t edit and save this file, fix the group and group
      permissions.
    - Exit from this `user005` shell to revert back to your superuser-self.

7.  Become `User 006` and ensure that as `user006` you have no access to
    the `/home/common/` directory.

    - Exit from this `user006` shell to revert back to your superuser-self.

8.  Use a sysadmin command to change the “real name” (GECOS/comment field)
    of `User 005` to: `CommonUser 005`

    - Do *NOT* edit the file! Use the correct system admin command.
    - Verify the change by looking in the password file.

9.  Lock the password for `User 006` and `User 007`.

    - Do *NOT* edit the file! Use the correct system admin command.
    - Verify the change by looking in the shadow file.

10. Change the shell for `User 008` and `User 009` to `/bin/sh`.

    - Do *NOT* edit the group file! Use the correct system admin command.
    - Verify the change by looking in the password file.

11. Use the correct command to delete the accounts for `User 010` and
    `User 011` without deleting their HOME directories.

    - Verify the change by looking in the password file.
    - Make sure their HOME directories still exist in the file system.
      (Note what `ls` tells you about the file owner now!)
    - The group entries for these accounts may also continue to exist.

12. Use the correct command to delete the `user010` and `user011` groups,
    if they are still present on your machine.

    - Do *not* edit the group file! Use the correct system command.
    - You may see an error about removing the shadow group entry, because
      the `newusers` command did not create shadow group entries. Ignore
      the error – the groups don’t exist in the group shadow file.

13. Delete the accounts for `User 012` and `User 013` using the option that
    also deletes the HOME directory at the same time.

    - Verify the change by looking in the password file.
    - Make sure their HOME directories are gone from the file system.
    - The group entries for these accounts will also be deleted.

> None of the items above require you to text-edit any system files using a
> text editor. Actions can be performed using the correct account management
> commands. Most account management commands will require `root` permissions
> to run. Do *not* text-edit the system files!

Run the **Fetch** and [Checking Program] to verify your work so far.

CentOS: Creating a `tar` archive backup and listing
---------------------------------------------------

Review the common uses of the `tar` command in [Package Management] from
last term.

1.  As your sysadmin account, in your CentOS `Assignments` directory, create
    a compressed `tar` archive of your `assignment09` directory named
    `assignment09_`*YYYYMMDD*`.tgz` (no spaces), where *YYYYMMDD* is the
    date you created the archive backup.

    - Do *NOT* try to create an archive inside the same directory that you
      are saving into the archive!
    - The pathnames in the `tar` file must not include any parent
      directories of the `assignment09` directory you were asked to save.

2.  Move the archive you just created into your `assignment09` directory.

3.  Generate a verbose listing of your `tar` archive file, showing the
    contents of the archive including all the owners and date/time stamps,
    into file `tar_tvzf.txt` under your `assignment09` directory.
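The three `tar` steps above, worked through on a constructed directory tree, as an added example that is not part of the assignment or its checking program. The function names (`make_backup`, `stray_members`, `list_verbose`) are hypothetical; the example assumes a `tar` that accepts `-z` and `-C`, as GNU `tar` on CentOS does, and uses `-C` so that member names start at `assignment09/`.

```shell
# Added example: function names are hypothetical, the tree is constructed.

# make_backup DIR: write DIR_YYYYMMDD.tgz beside DIR (not inside it, so tar
# never tries to archive its own output), then move it into DIR.
# Prints the final archive path.
make_backup() {
    src=${1%/}
    parent=$(dirname "$src")
    base=$(basename "$src")
    archive="${base}_$(date +%Y%m%d).tgz"
    # -C enters the parent directory first, so member names start at
    # "$base/" and record none of the directories above it.
    tar -czf "$parent/$archive" -C "$parent" "$base" || return 1
    mv "$parent/$archive" "$src/$archive" || return 1
    printf '%s\n' "$src/$archive"
}

# stray_members ARCHIVE BASE: print how many member names lie outside BASE/
# (absolute names included) or contain a ".." component. Zero means the
# archive unpacks only under BASE/.
stray_members() {
    tar -tzf "$1" | awk -v b="$2" '
        { ok = ($0 == b || index($0, b "/") == 1)
          k = split($0, part, "/")
          for (i = 1; i <= k; i++) if (part[i] == "..") ok = 0
          if (!ok) n++ }
        END { print n + 0 }'
}

# list_verbose ARCHIVE OUT: one line per member with mode, owner/group,
# size, date/time and name, written to OUT.
list_verbose() { tar -tvzf "$1" > "$2"; }

# Demonstration on a constructed tree in a temporary directory.
work=$(mktemp -d)
mkdir -p "$work/Assignments/assignment09/notes"
echo "sample" > "$work/Assignments/assignment09/notes/a.txt"
backup=$(make_backup "$work/Assignments/assignment09")
list_verbose "$backup" "$work/Assignments/assignment09/tar_tvzf.txt"
echo "stray members: $(stray_members "$backup" assignment09)"
cat "$work/Assignments/assignment09/tar_tvzf.txt"
rm -rf "$work"
```

An archive built from one level higher (for example with `Assignments/assignment09` as the member argument) makes `stray_members` report a non-zero count, which is the mistake the second bullet of step 1 describes.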
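For the "Management of the bulk users" tasks earlier on this page, most of which end with "verify the change by looking in the ... file": the script below is an added example, not part of the assignment or its checking program, that reads `passwd`-, `shadow`- and `group`-format files and reports where they differ from the state those tasks ask for. The function names and the sample entries are constructed for illustration; point `audit` at a directory holding copies of `/etc/passwd`, `/etc/group` and (copied as `root`) `/etc/shadow` to check a real machine.

```shell
# Added example: function names and sample entries are constructed.

# field FILE NAME N: print colon-separated field N of NAME's entry in FILE;
# fail if FILE has no such entry.
field() {
    awk -F: -v k="$2" -v n="$3" \
        '$1 == k { print $n; hit = 1 } END { exit !hit }' "$1"
}

# in_group GROUPFILE GROUP USER: USER is in GROUP's member list (field 4).
in_group() { field "$1" "$2" 4 | tr , '\n' | grep -qxF "$3"; }

# is_locked SHADOWFILE USER: per shadow(5), a password field that starts
# with "!" is locked.
is_locked() { case $(field "$1" "$2" 2) in '!'*) return 0 ;; esac; return 1; }

# audit DIR: compare DIR/passwd, DIR/shadow and DIR/group with the state
# tasks 2 and 8 to 13 ask for; print each mismatch, return their count.
audit() {
    p=$1/passwd s=$1/shadow g=$1/group bad=0
    note() { echo "MISMATCH: $*"; bad=$((bad + 1)); }
    for u in user004 user005; do
        in_group "$g" common "$u" || note "$u is not in group common"
    done
    [ "$(field "$p" user005 5)" = "CommonUser 005" ] || note "user005 GECOS"
    for u in user006 user007; do
        is_locked "$s" "$u" || note "$u password is not locked"
    done
    for u in user008 user009; do
        [ "$(field "$p" "$u" 7)" = /bin/sh ] || note "$u shell is not /bin/sh"
    done
    for u in user010 user011 user012 user013; do
        for f in "$p" "$g"; do
            if field "$f" "$u" 1 >/dev/null; then note "$u still in $f"; fi
        done
    done
    return "$bad"
}

# make_sample DIR: constructed files in the expected end state (the hash
# strings are placeholders, not real crypt(3) output).
make_sample() {
    cat > "$1/passwd" <<'EOF'
user005:x:505:505:CommonUser 005:/home/user005:/bin/bash
user006:x:506:506:User 006:/home/user006:/bin/bash
user008:x:508:508:User 008:/home/user008:/bin/sh
user009:x:509:509:User 009:/home/user009:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
user005:$6$SAMPLE$placeholder:16150:0:99999:7:::
user006:!$6$SAMPLE$placeholder:16150:0:99999:7:::
user007:!!$6$SAMPLE$placeholder:16150:0:99999:7:::
EOF
    echo 'common:x:601:user004,user005' > "$1/group"
}

d=$(mktemp -d) && make_sample "$d" && audit "$d" && echo "expected state found"
rm -rf "$d"
```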
Optional: Read the mouse-over text in this [`tar`-related comic] from the
[XKCD] webcomic.

Run the **Fetch** and [Checking Program] to verify your work so far.

When you are done
-----------------

Those are all the tasks you need to do.

Check your work a final time using the **Fetch** and [Checking Program] and
save the output as described below. Submit your mark following the
directions below.

> Optional: Keeping your base [CentOS Virtual Machine] snapshot, remove any
> intermediate snapshots you no longer require, to free up disk space.
> Be careful not to remove your current work!

Checking, Marking, and Submitting your Work
===========================================

**Summary:** Do some tasks, then run the **Fetch** and checking program to
verify your work as you go. You can run the **Fetch** and checking program
as often as you want. When you have the best mark, upload the marks file to
Blackboard.

> Since I also do manual marking of student assignments, your final mark may
> not be the same as the mark submitted using the current version of the
> [Checking Program]. I do not guarantee that any version of the [Checking
> Program] will find all the errors in your work. Complete your assignments
> according to the specifications, not according to the incomplete set of the
> mistakes detected by the [Checking Program].

The checking program resides on the [Course Linux Server], but your work is
on your [CentOS Virtual Machine]. There is a **Fetch** program that you must
download and use on your CentOS Virtual Machine to copy information from
your CentOS Virtual Machine to your account on the CLS so that the checking
program can check it on the CLS.

Once the **Fetch** program has fetched these files from your Virtual Machine
to the CLS, you can run the checking program on the CLS to check what is
saved in the files. When you make changes on your CentOS Virtual Machine,
you need to run the **Fetch** program again on CentOS to update the saved
files on the CLS. Simply running the checking program on the CLS will *not*
update the saved files on the CLS. You must run the **Fetch** program on
your CentOS VM when you make changes on your [CentOS Virtual Machine].

Part I - Fetch and Check
------------------------

Do all the following steps on your [CentOS Virtual Machine]. Read through
the whole list before you start typing anything. An example of what to type
is given below the descriptions that follow. Failure to **read all the
words** will lock your account out of the CLS.

1.  Log in to CentOS. Use your sysadmin non-`root` account (same userid as
    Blackboard) if you have created it, otherwise use the `root` account.

2.  Create a directory named `CST8177-14W/Assignments/assignment09` (use the
    same directory hierarchy as you already have in your own account on the
    CLS). If you have created your own sysadmin account already, create the
    above directory in the HOME of your sysadmin account, otherwise create
    it in the HOME directory of the `root` account. (This assignment will
    have you move it from the `root` account to your own sysadmin account
    anyway.)

3.  Change to the above `assignment09` directory (on CentOS!).

4.  As shown below, use `curl` to get a copy of the **Fetch** program from
    the given URL into a file named `do.sh`. Make sure you have a file
    named `do.sh` in your `assignment09` directory. You only need to
    download this *once* per assignment.

    **Warning:** If you printed this page on paper, you may not be able to
    scroll right to read the whole web URL that you must pass to the `curl`
    program.

        [assignment09]$ url=http://teaching.idallen.com/cst8177/14w/notes/data/assignment09do.sh
        [assignment09]$ curl -A mozilla "$url" >do.sh
        [... make sure you scroll right to read the full web URL above ...]
        [... various download statistics print here ...]
        [assignment09]$ fgrep -i 'error' do.sh     # make sure no errors (no output)
        [assignment09]$ head -n1 do.sh             # make sure it's a shell script
        #!/bin/sh -u

5.  Become the `root` user (if not already `root`) and, as shown below, use
    `sh` to run the `do.sh` script you just downloaded to CentOS as the
    `root` user with the `USER` environment variable set to your own CLS
    account userid. (Do not use *abcd0001*; use your own.) Make sure you
    run the script as the `root` user.

6.  This **Fetch** program will connect from CentOS to the CLS using your
    account name in the `USER` variable. It will copy files from CentOS to
    your `assignment09` directory on the CLS. It will then run the checking
    program on the CLS to check your work. You will need to answer one
    question about your IP address, and then wait and type in your CLS
    password, as shown below.

    Your actions will look something like the following, running as the
    `root` user, but put your own userid in the `USER` variable not
    *abcd0001*:

        [root@abcd0001 assignment09]# whoami
        root                                        # must be root
        [root@abcd0001 assignment09]# USER=abcd0001 sh do.sh   # use your *own* userid *not* abcd0001
        ---------------------------------------------------------------------------
        abcd0001: FETCH version 3. Connecting to CLS as USER='abcd0001' using ssh
        ---------------------------------------------------------------------------
        abcd0001: Use local Algonquin IP cst8177-alg.idallen.ca [y/N/?]? n
        abcd0001: Please wait; using ssh to connect to user 'abcd0001' on cst8177.idallen.ca ...
        *** COURSE LINUX SERVER ***
        abcd0001@cst8177.idallen.ca's password:     # enter your CLS password
        ---------------------------------------------------------------------------
        idallen-ubuntu assignment09fetch_server.sh version 6 run by abcd0001.
        Please wait; collecting info from abcd0001 Virtual Machine
        ---------------------------------------------------------------------------
        VM files collected into CST8177-14W/Assignments/assignment09/abcd0001.tar.bz on CLS.
        Now running checking program for abcd0001 on CLS:
        [... checking program output appears here ...]
### Notes on the Fetch program

- This **Fetch** program copies files and information from your CentOS
  virtual machine into a `tar` archive in your account under `assignment09`
  on the CLS and then runs the checking program on the CLS. If you only run
  the checking program on the CLS, it won’t update the files from your
  CentOS VM and it will just check the existing files saved under
  `assignment09` on the CLS.
- The checking program is running on the CLS, not on your CentOS VM. At the
  start, the checking program will issue messages relevant to your account
  on the CLS (e.g. errors in your CLS `.bashrc` file or world-writable files
  on the CLS). These errors are on the CLS, not on your CentOS machine.

Part II - Check and Submit
--------------------------

When you are done with your assignment, you need to run the checking program
one last time on the CLS (not from CentOS) and submit the output file, as
follows:

Do all this on the [Course Linux Server] when you are ready to submit:

1.  There is a [Checking Program] named `assignment09check` in the [Source
    Directory] on the CLS. Create a [Symbolic Link] to this program named
    `check` under your new `assignment09` directory on the CLS so that you
    can easily run the program to check your work and assign your work a
    mark on the CLS. Note: You can create a symbolic link to this executable
    program but you do not have permission to read or copy the program file.

2.  Execute the above “check” program on the CLS using its symbolic link.
    (Review the [Search Path] notes if you forget how to run a program by
    pathname from the command line.) This program will check your fetched
    CentOS work, assign you a mark, and display the output on your screen.
    (You may want to paginate the long output so you can read all of it.)

    Remember: The checking program does not fetch new files to the CLS from
    your CentOS VM. You must run the **Fetch** program on your CentOS VM to
    update the fetched files on the CLS so that the checking program can
    mark them on the CLS.

    You may run the “check” program as many times as you wish, to correct
    mistakes and get the best mark. **Some task sections require you to
    finish the whole section before running the checking program at the end;
    you may not always be able to run the checking program successfully
    after every single task step.**

3.  When you are done with checking this assignment, and you like what you
    see on your screen, **redirect** the output of the [Checking Program]
    into the text file `assignment09.txt` under your `assignment09`
    directory on the CLS. Use the *exact* name `assignment09.txt` in your
    `assignment09` directory. Case (upper/lower case letters) matters. Be
    absolutely accurate, as if your marks depended on it. Do not edit the
    file.

    - Make sure the file actually contains the output of the checking
      program!
    - The last text line of the file should begin with: `YOUR MARK for`
    - Really! **MAKE SURE THE FILE HAS YOUR MARKS IN IT!**

4.  Transfer the above `assignment09.txt` file from the CLS to your local
    computer and verify that the file still contains all the output from
    the checking program. Do not edit this file! No empty files, please!
    Edited or damaged files will not be marked. You may want to refer to
    your [File Transfer] notes.

    - Make sure the file actually contains the output of the checking
      program!
    - The last text line of the file should begin with: `YOUR MARK for`
    - Really! **MAKE SURE THE FILE HAS YOUR MARKS IN IT!**

5.  Upload the `assignment09.txt` file under the correct Assignment area on
    Blackboard (with the exact correct name) before the due date. Upload the
    file via the **assignment09** “Upload Assignment” facility in
    Blackboard: click on the underlined **assignment09** link in Blackboard.
    Use “**Attach File**” and “**Submit**” to upload your plain text file.

    No word-processor documents. Do not send email. Use only “Attach File”.
    Do not enter any text into the **Submission** or **Comments** boxes on
    Blackboard; I do not read them. Use only the “**Attach File**” section
    followed by the **Submit** button. If you need to comment on any
    assignment submission, send me [email].

    You can upload the file more than once; I only look at the most recent.
    You must upload the file with the correct name; you cannot correct the
    name as you upload it to Blackboard.

6.  **Verify that Blackboard has received your submission**: After using the
    *Submit* button, you will see a page titled *Review Submission History*
    that will show all your submissions.

    a)  Verify that your latest submission has the correct 16-character,
        lower-case file name beside the *Attached Files* heading.
    b)  The *Submission Field* and *Student Comments* headings must be
        **empty**. (I do not read them.)
    c)  **Save a screen capture** showing the uploaded file name. If there
        is an upload missing, you will need this to prove that you uploaded
        the file. (Blackboard has never lost a file.)

    You will also see the *Review Submission History* page any time you
    already have an assignment attempt uploaded and you click on the
    underlined **assignment09** link. You cannot delete an assignment
    attempt, but you can always upload a new version. I only mark the latest
    version.

7.  Your instructor may also mark files in your directory in your CLS
    account after the due date. Leave everything there on the CLS. **Do not
    delete any assignment work from the CLS until after the term is over!**

- I do not accept any assignment submissions by email. Use only the
  Blackboard *Attach File*. No word processor documents. Plain Text only.
- Use the *exact* file name given above. Upload only one single file of
  Linux-format plain text, not HTML, not RTF, not MSWord. No fonts, no
  word-processing. Linux plain text only.
- **NO EMAIL, WORD PROCESSOR, PDF, RTF, or HTML DOCUMENTS ACCEPTED.**
- No marks are awarded for submitting under the wrong assignment number or
  for using the wrong file name. Use the exact 16-character, lower-case name
  given above.
- WARNING: Some inattentive students don’t read all these words. Don’t make
  that mistake! Be exact.

**READ ALL THE WORDS. OH PLEASE, PLEASE, PLEASE READ ALL THE WORDS!**

--
| Todd Kelley and
| Ian! D. Allen - idallen@idallen.ca - Ottawa, Ontario, Canada
| Home Page: http://idallen.com/ Contact Improv: http://contactimprov.ca/
| College professor (Free/Libre GNU+Linux) at: http://teaching.idallen.com/
| Defend digital freedom: http://eff.org/ and have fun: http://fools.ca/

[Plain Text] - plain text version of this page in [Pandoc Markdown] format

[www.idallen.com]: http://www.idallen.com/
[hyperlink URLs]: indexcgi.cgi#XImportant_Notes__alphabetical_order_
[CST8207 GNU/Linux Operating Systems I]: ../../../cst8207/13f
[Class Notes]: indexcgi.cgi
[CentOS Virtual Machine]: ../../../cst8207/14w/notes/000_centos_install.html
[Checking Program]: #checking-marking-and-submitting-your-work
[Course Linux Server]: ../../../cst8207/14w/notes/070_course_linux_server.html
[Modes and Permissions]: ../../../cst8207/14w/notes/500_permissions.html
[Modes and Permissions assignment]: ../../../cst8207/14w/notes/assignment10.html
[Users and Groups]: ../../../cst8207/14w/notes/700_users_and_groups.html
[Users and Groups assignment]: ../../../cst8207/13f/notes/assignment12.html
[Remote Login]: ../../../cst8207/14w/notes/110_remote_login.html
[Part II - Check and Submit]: #part-ii---check-and-submit
[Assignment #08]: assignment08.html
[remember]: http://xkcd.com/936/
[Unix/Linux SCP Command]: ../../../cst8207/14w/notes/015_file_transfer.html#unixlinuxosx-copy-a-file-from-a-remote-machine-to-the-local-machine
[Find and Xargs]: ../../../cst8207/14w/notes/185_find_and_xargs.html
[Source Directory]: #the-cls-source-directory
[Review of CST8207 account management]: #review-of-cst8207-account-management
[Package Management]: ../../../cst8207/14w/notes/520_package_management.html
[`tar`-related comic]: http://xkcd.net/1168/
[XKCD]: http://xkcd.com/
[Symbolic Link]: ../../../cst8207/14w/notes/460_symbolic_links.html
[Search Path]: ../../../cst8207/14w/notes/400_search_path.html
[File Transfer]: ../../../cst8207/14w/notes/015_file_transfer.html
[email]: mailto:idallen@idallen.ca
[Plain Text]: assignment09.txt
[Pandoc Markdown]: http://johnmacfarlane.net/pandoc/