Friday, April 29, 2016

[Quick Tips: Root Password]: Reset Your Forgotten Root Password On RHEL 7

Reset Your Forgotten Root Password On RHEL 7


Sometimes you forget things like meetings, seminars, passwords, etc. I do. But forgetting the password to a server with no easy way to reset it while you are locked out is a different matter, and Red Hat servers are one such system. If you forget the root password to your RHEL 7 servers, it's almost impossible to reset it while you're locked out.
Here I discuss an easy way to reset the root password on RHEL 7 or CentOS 7 servers.

Interrupt the boot process in order to gain access to the system. To do this, press an arrow key while the boot menu is displayed, which stops the countdown.

At the boot menu, press e to edit the existing kernel entry. Then go to the kernel line (the line starting with linux16).
Add the statement rd.break at the end of that line, as shown below:
Then press Ctrl-x to start the boot process.
Then mount /sysroot/ in read/write mode. By default it is mounted read-only.
Then execute the chroot command on the /sysroot partition.

Now change the root password using the passwd command.
Then execute the command as shown below.
Enjoy your new password.

Note that anyone who can reach the console while the boot menu is displayed can follow the same steps, so on servers where console access is not trusted, protect the boot loader menu with a GRUB password.


[Quick Tips: Passwd]: Password Management in Linux by using passwd command

Password Management in Linux by using passwd command




A password (commonly known as passwd in Linux) is an unspaced sequence of characters used to verify that a computer user requesting access to a computer system is really that particular user. Typically, users of a multiuser or securely protected single-user system claim a unique name (called a user ID) that can be generally known. To verify that someone entering that user ID really is that person, a second identifier, the password, known only to that person and to the system itself, is entered by the user. Most networks require that end users change their passwords periodically.

passwd command

The passwd command is used to create and change the password of a user account. A normal user can run passwd to change their own password, and a system administrator (the superuser, root) can use passwd to change another user's password, or define how that account's password can be used or changed.

PASSWD SYNTAX

passwd [OPTION] [USER]
Usage: passwd [OPTION...] <accountName>
-k, --keep-tokens     keep non-expired authentication tokens
-d, --delete          delete the password for the named account (root only)
-l, --lock            lock the named account (root only)
-u, --unlock          unlock the named account (root only)
-f, --force           force operation
-x, --maximum=DAYS    maximum password lifetime (root only)
-n, --minimum=DAYS    minimum password lifetime (root only)
-w, --warning=DAYS    number of days of warning users receive before password expiration (root only)
-i, --inactive=DAYS   number of days after password expiration when an account becomes disabled (root only)
-S, --status          report password status on the named account (root only)
--stdin               read new tokens from stdin (root only)

Change the password for Normal user

When you are logged in as a non-root user (user1 in my case) and run the passwd command, it changes the password of the logged-in user.
 
[user1@localhost ~]$ passwd
Changing password for user user1.
Changing password for user1.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

When you are logged in as root and run the passwd command, it changes the root password by default; if you specify a user name after passwd, it changes the password of that particular user instead.

Display Password Status Information

To display password status information for a user, use the -S option of the passwd command:
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 0 99999 7 -1 (Password set, SHA512 crypt.)
 
In the above output, the first field is the user name and the second is the password status (PS = password set, LK = password locked, NP = no password). The third field is the date the password was last changed, and the four fields after it are the minimum age, maximum age, warning period, and inactivity period for the password.

We can display password status information for all users at once by using the -Sa option:
root@localhost:~# passwd -Sa

Removing Password of a User

We can remove the password of a particular user by using the -d option. Afterwards the account has an empty password; whether a login without a password is then accepted depends on the PAM configuration (the nullok option), so to disable an account, prefer locking it with -l instead.
[root@localhost ~]# passwd -d user1
Removing password for user user1.
passwd: Success
[root@localhost ~]#

Lock the password of System User

Use the -l option of the passwd command to lock a user's password; it adds a "!" at the start of the user's password hash in /etc/shadow, so no password can match it. A user can't change their password while it is locked. Note that this only disables password authentication: a user who logs in with an SSH key is not blocked by passwd -l, so to fully disable an account also set an account expiry date (for example with chage -E).
[root@localhost ~]# passwd -l user1
Locking password for user user1.
passwd: Success

Unlock User’s Password using -u option

Use the -u option to unlock a user account that was locked with passwd -l:
[root@localhost ~]# passwd -u user1
Unlocking password for user user1.
passwd: Success

Setting inactive days using -i option

Use the -i option of the passwd command to set the number of inactive days for a system user. This comes into play when the user's password has expired and the user has not changed it within n days (7 days in my case); after that the user will no longer be able to log in.
[root@localhost ~]# passwd -i 7 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 0 99999 7 7 (Password set, SHA512 crypt.)
[root@localhost ~]#

Setting Minimum No.of Days to Change Password using passwd -n option

Using the -n option of the passwd command we can set the minimum number of days between password changes. A value of zero means the user can change their password at any time.
[root@localhost ~]# passwd -n 90 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 90 99999 7 7 (Password set, SHA512 crypt.)
[root@localhost ~]#

Setting the  Warning days before password expire using passwd -w option

The -w option of the passwd command sets the number of warning days before the password expires.
[root@localhost ~]# passwd -w 30 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# chage -l user1
Last password change                                    : Apr 21, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 90
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 30
[root@localhost ~]#
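The status fields that passwd -S prints are easy to audit in bulk. The following POSIX sh script is an added example, not part of the original post: it reads lines in the passwd -S / passwd -Sa format and flags accounts with no password, a password that never expires (maximum age 99999) or no inactivity lock (-1). The sample lines are constructed; the account names are not real.

```shell
#!/bin/sh
# Added example (not from the original post): audit the lines printed by
# `passwd -S` / `passwd -Sa`. Fields, as in the post's output:
#   NAME STATUS LASTCHANGE MIN MAX WARN INACTIVE (description)
# STATUS: PS = password set, LK = locked, NP = no password.
set -f   # no globbing: we deliberately word-split the passwd output below

# Constructed sample in the passwd -S format (not real accounts).
SAMPLE='user1 PS 2016-04-21 0 99999 7 -1 (Password set, SHA512 crypt.)
user2 NP 2016-04-21 0 99999 7 -1 (Empty password.)
user3 LK 2016-04-21 0 99999 7 -1 (Password locked.)
user4 PS 2016-04-21 7 90 14 7 (Password set, SHA512 crypt.)'

# audit_line NAME STATUS LASTCHANGE MIN MAX WARN INACTIVE ...
# Writes one finding per weak setting to stderr; returns 0 when the
# account is fine and 1 when at least one finding was reported.
audit_line() {
    name=$1 status=$2 max=$5 inactive=$7 rc=0
    if [ "$status" = "NP" ]; then
        echo "$name: no password set; lock it (passwd -l) or set one" >&2; rc=1
    fi
    if [ "$status" = "PS" ] && [ "$max" -ge 99999 ]; then
        echo "$name: password never expires (set passwd -x DAYS)" >&2; rc=1
    fi
    if [ "$status" = "PS" ] && [ "$inactive" -lt 0 ]; then
        echo "$name: no inactivity lock after expiry (set passwd -i DAYS)" >&2; rc=1
    fi
    return $rc
}

# audit_report: reads passwd -S lines on stdin, audits each one and
# prints the number of accounts with at least one finding on stdout.
audit_report() {
    bad=0
    while read -r line; do
        [ -n "$line" ] || continue
        set -- $line                      # split the line into its fields
        audit_line "$@" || bad=$((bad + 1))
    done
    echo "$bad"
}

echo "accounts needing attention: $(printf '%s\n' "$SAMPLE" | audit_report)"
```

On a real system, replace the sample with `passwd -Sa | audit_report` run as root.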
 

Thursday, April 28, 2016

[Quick Tips: ACL & Disk Quota]: How to Set Access Control Lists (ACL’s) and Disk Quotas for Users and Groups

How to Set Access Control Lists (ACL’s) and Disk Quotas for Users and Groups

Access Control Lists (ACLs) are a feature of the Linux kernel that lets you define more fine-grained access rights for files and directories than the regular ugo/rwx permissions allow.
For example, the standard ugo/rwx permissions do not allow you to set different permissions for different individual users or groups. With ACLs this is relatively easy to do, as we will see in this article.

Checking File System Compatibility with ACLs

To ensure that your file systems currently support ACLs, check that they have been mounted with the acl option. For ext2/3/4 file systems we will use tune2fs as shown below. Replace /dev/sda1 with the device or file system you want to check:

# tune2fs -l /dev/sda1 | grep "Default mount options:"

Note: With XFS, Access Control Lists are supported out of the box.

In the following ext4 file system, we can see that ACLs have been enabled for /dev/xvda2:

# tune2fs -l /dev/xvda2 | grep "Default mount options:"
(Screenshot: Check ACL Enabled on Linux Filesystem)

If the above command does not indicate that the file system has been mounted with support for ACLs, it is most likely due to the noacl option being present in /etc/fstab.

In that case, remove it, unmount the file system, and then mount it again, or simply reboot your system after saving the changes to /etc/fstab.

Introducing ACLs in Linux

To illustrate how ACLs work, we will use a group named developers and add users walterwhite and saulgoodman (yes, I am a Breaking Bad fan!) to it:
# groupadd developers
# useradd walterwhite
# useradd saulgoodman
# usermod -a -G developers walterwhite
# usermod -a -G developers saulgoodman

Before we proceed, let’s verify that both users have been added to the developers group:
# id walterwhite
# id saulgoodman
(Screenshot: Find User ID in Linux)

Let’s now create a directory called test in /mnt, and a file named acl.txt inside (/mnt/test/acl.txt).

Then we will set the group owner to developers and change its default ugo/rwx permissions recursively to 770 (thus granting read, write, and execute permissions to both the owner and the group owner of the file):
# mkdir /mnt/test
# touch /mnt/test/acl.txt
# chgrp -R developers /mnt/test
# chmod -R 770 /mnt/test

As expected, you can write to /mnt/test/acl.txt as walterwhite or saulgoodman:
# su - walterwhite
# echo "My name is Walter White" > /mnt/test/acl.txt
# exit
# su - saulgoodman
# echo "My name is Saul Goodman" >> /mnt/test/acl.txt
# exit
(Screenshot: Verify ACL Rules on Users)

So far so good. However, we will soon see a problem when we need to grant write access to /mnt/test/acl.txt for another user that is not in the developers group.

Standard ugo/rwx permissions would require that the new user be added to the developers group, but that would give him/her the same permissions over all the objects owned by the group. That is precisely where ACLs come in handy.

Setting ACL’s in Linux

There are two types of ACLs: access ACLs (which are applied to a file or directory), and default ACLs (optional), which can only be applied to a directory.

If files inside a directory where a default ACL has been set do not have an ACL of their own, they inherit the default ACL of their parent directory.

Let’s give user gacanepa read and write access to /mnt/test/acl.txt. Before doing that, let’s take a look at the current ACL settings in that directory with:
# getfacl /mnt/test/acl.txt

Then change the ACL on the file: use u: followed by the username and :rw to indicate read/write permissions:
# setfacl -m u:gacanepa:rw /mnt/test/acl.txt

And run getfacl on the file again to compare. The following image shows the “Before” and “After”:
# getfacl /mnt/test/acl.txt
(Screenshot: Set ACL on Linux Users)

User gacanepa should now be able to write to the file. Switch to that user account and execute the following command to confirm:
# echo "My name is Gabriel Cánepa" >> /mnt/test/acl.txt

To set a default ACL on a directory (which its contents will inherit unless overridden), add d: before the rule and specify a directory instead of a file name:
# setfacl -m d:o:r /mnt/test
# getfacl /mnt/test/

The ACL above gives users who are not in the owner group read access to the future contents of the /mnt/test directory. Note the difference in the output of getfacl /mnt/test before and after the change:
(Screenshot: Set Default ACL to Linux Directory)

To remove a specific ACL, replace -m in the commands above with -x. For example,
# setfacl -x d:o /mnt/test

Alternatively, you can also use the -b option to remove ALL ACLs in one step:
# setfacl -b /mnt/test
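When you compare the getfacl output before and after setfacl -m, the entry you added is not the whole story: the rights a named user actually gets are the user entry ANDed with the mask entry, and a later chmod on the file (or a setfacl -n that skips mask recalculation) can shrink the mask so that a u:gacanepa:rw entry is effectively read-only. The following POSIX sh script is an added example, not part of the original post, and goes slightly beyond it by computing those effective rights from getfacl output; the getfacl text below is constructed for the user gacanepa from the post.

```shell
#!/bin/sh
# Added example (not from the original post): compute the effective rights
# of a named user from getfacl output, i.e. the user entry ANDed with the
# mask entry, the way the kernel applies it.

# Constructed getfacl output: the rw- entry for gacanepa from the post,
# after a chmod has reduced the mask to r-x.
ACL_SAMPLE='# file: mnt/test/acl.txt
# owner: root
# group: developers
user::rw-
user:gacanepa:rw-
group::rwx
mask::r-x
other::---'

# perm_and A B: intersect two rwx triplets position by position,
# e.g. perm_and rw- r-x -> r--
perm_and() {
    out='' i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c "$i")
        b=$(printf '%s' "$2" | cut -c "$i")
        if [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# effective_user_rights ACLTEXT USER: print the effective rwx of USER;
# prints --- and returns 1 when USER has no named entry at all.
effective_user_rights() {
    entry=$(printf '%s\n' "$1" | grep "^user:$2:" | cut -d: -f3)
    mask=$(printf '%s\n' "$1" | grep '^mask::' | cut -d: -f3)
    if [ -z "$entry" ]; then printf '%s' '---'; return 1; fi
    if [ -n "$mask" ]; then perm_and "$entry" "$mask"; else printf '%s' "$entry"; fi
}

# can_write ACLTEXT USER: succeeds when the effective rights include w.
can_write() {
    case "$(effective_user_rights "$1" "$2")" in *w*) return 0 ;; *) return 1 ;; esac
}

echo "gacanepa effective rights: $(effective_user_rights "$ACL_SAMPLE" gacanepa)"
can_write "$ACL_SAMPLE" gacanepa || echo "gacanepa cannot write: the mask restricts the rw- entry"
```

On a real file, feed it `"$(getfacl /mnt/test/acl.txt)"` instead of the sample; getfacl itself marks such entries with an #effective: comment, which this script turns into a checkable result.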

For more information and examples on the use of ACLs, please refer to chapter 10, section 2, of the openSUSE Security Guide (also available for download at no cost in PDF format).

Set Linux Disk Quotas on Users and Filesystems

Storage space is another resource that must be carefully used and monitored. To do that, quotas can be set on a file system basis, either for individual users or for groups.
Thus, a limit is placed on the disk usage allowed for a given user or a specific group, and you can rest assured that your disks will not be filled to capacity by a careless (or malicious) user.
The first thing you must do in order to enable quotas on a file system is to mount it with the usrquota or grpquota (for user and group quotas, respectively) options in /etc/fstab.

For example, let’s enable user-based quotas on /dev/vg00/vol_backups and group-based quotas on /dev/vg00/vol_projects.

Note that the UUID is used to identify each file system.
UUID=f6d1eba2-9aed-40ea-99ac-75f4be05c05a /home/projects ext4 defaults,grpquota 0 0
UUID=e1929239-5087-44b1-9396-53e09db6eb9e /home/backups ext4 defaults,usrquota 0 0

Unmount and remount both file systems:
# umount /home/projects
# umount /home/backups
# mount -o remount /home/projects
# mount -o remount /home/backups 

Then check that the usrquota and grpquota options are present in the output of mount (see highlighted below):
# mount | grep vg00
(Screenshot: Check Linux User Quota and Group Quota)

Finally, run the following commands to initialize and enable quotas:
# quotacheck -avugc
# quotaon -vu /home/backups
# quotaon -vg /home/projects

That said, let’s now assign quotas to the username and group we mentioned earlier. You can later disable quotas with quotaoff.

Setting Linux Disk Quotas

Let’s begin by setting an ACL on /home/backups for user gacanepa, which will give him read, write, and execute permissions on that directory:
# setfacl -m u:gacanepa:rwx /home/backups/

Then with,
# edquota -u gacanepa

We will set the soft limit to 900 blocks and the hard limit to 1000 blocks (1024 bytes/block * 1000 blocks = 1024000 bytes = 1 MB) of disk space usage.

We can also set soft and hard limits of 20 and 25 on the number of files this user can create.

The above command launches the text editor ($EDITOR) with a temporary file in which we can set the limits mentioned above:
(Screenshot: Linux Disk Quota For User)

These settings will cause a warning to be shown to user gacanepa when he has either reached the 900-block or 20-inode limits for a default grace period of 7 days.

If the over-quota situation has not been eliminated by then (for example, by removing files), the soft limit will become the hard limit and this user will be prevented from using more storage space or creating more files.

To test, let’s have user gacanepa try to create an empty 2 MB file named test1 inside /home/backups:
# dd if=/dev/zero of=/home/backups/test1 bs=2M count=1
# ls -lh /home/backups/test1
(Screenshot: Verify Linux User Quota on Disk)

As you can see, the write operation fails because the disk quota has been exceeded. Since only the first 1000 KB are written to disk, the result in this case will most likely be a corrupt file.

Similarly, you can create an ACL for the developers group in order to give members of that group rwx access to /home/projects:
# setfacl -m g:developers:rwx /home/projects/

And set the quota limits, just as we did for user gacanepa earlier, with:
# edquota -g developers

The grace period can be specified as any number of seconds, minutes, hours, days, weeks, or months by executing:
# edquota -t

and updating the values under Block grace period and Inode grace period.

As opposed to the block and inode usage limits (which are set per user or group), the grace period is set system-wide.

To report quotas, you can use quota -u [user] or quota -g [group] for a quick list, or repquota -v [/path/to/filesystem] for a more detailed (verbose) and nicely formatted report.

Of course, you will want to replace [user], [group], and [/path/to/filesystem] with specific user / group names and file system you want to check.

Summary

In this article we have explained how to set Access Control Lists and disk quotas for users and groups. Using both, you will be able to manage permissions and disk usage more effectively.
If you want to learn more about quotas, you can refer to the Quota Mini-HowTo in The Linux Documentation Project.