Key Terms
Exercises
4.1. Managing User Accounts
In this exercise, you use the SMC to add new users to your system, lock user accounts, and set up password aging.
Estimated time: 20 minutes
1. | After the SMC GUI appears, use the SMC to add the following list of users:
Login Password UID Pri GID Secondary GID
user3 trng 1003 10 14
user4 trng 1004 10 14
user5 trng 1005 10
locked1 (lock accnt) 1006 10
nopass1 (no password) 1008 10 | 2. | Log out.
| 3. | Try logging in as the user locked1.
|
4.2. User Initialization Files
In this exercise, you work with user initialization files.
Estimated time: 20 minutes
1. | Use the vi editor to edit the /etc/skel/local.profile file by adding the following entries and setting the following variables:
EDITOR=/usr/bin/vi; export EDITOR
PATH=$PATH:/usr/lib/lp; export EDITOR | 2. | Use the SMC to create a new user called user9 that uses the Korn shell. Log in as user9 and verify that all the variables you set in /etc/skel/local.profile are set correctly in the user's environment by typing the following:
| 3. | Create a .profile file for user9 that includes two aliases and sets the primary prompt to display the current working directory. Use the vi editor to add the following three lines to the .profile file that is located in user9's home directory:
alias del='rm -i'
alias hi='echo hello'
PS1=\$PWD' $' | 4. | Log out and log back in as the same user to verify that the .profile file works. Do you have a new shell prompt?
| 5. | Verify that your new aliases are defined by typing the following:
| 6. | Log out and log back in again as root.
| 7. | Use useradd to create a new user named user10, specify the Korn shell as the default shell, and assign the password trng:
# useradd -u 1010 -g 10 -d /export/home/user10 -m \
-s /bin/ksh -c "Solaris Student" user10
# passwd user10
New Passwd:
Re-enter new passwd: | 8. | Log out and log back in as user10. Record the list of initialization files in your home directory by issuing the ls -la command. Which of these files is the same as /etc/skel/local.profile?
| 9. | Copy /etc/skel/local.profile to .profile.
| 10. | Log out and log back in as user10. Verify that the variables set in the .profile file for user9 are also set in user10's login (PATH and EDITOR). Are they correct?
|
4.3. Monitoring Users
In this exercise, you use the various utilities to monitor users who are accessing your system.
Estimated time: 5 minutes
1. | Log in as root.
| 2. | Create a file called loginlog in the /var/adm directory and set the file permission to 600:
cd /var/adm
touch loginlog
chmod 600 loginlog | 3. | Log out and log back in. Do not log in using the CDE; log in using the command line.
| 4. | Enter root after the login prompt and supply an incorrect password. Do this five times. After the fifth attempt, log in as root using the correct password and examine the /var/adm/loginlog file:
| 5. | Use the finger command to display information about the user named user9:
finger user9
finger -m user9 | 6. | User the finger command to display information about a user on another system:
finger user9@<hostname>
finger -m user9@<hostname> | 7. | Use the last command to display user and reboot activity.
| 8. | Use the logins command to obtain information about the user9 login account:
|
4.4. File Access
In this exercise, you use Unix permissions to control file access by allowing/disallowing access to files and directories.
Estimated time: 20 minutes
1. | Log in as user9.
| 2. | Enter the umask command to determine your current umask value:
If the umask is not 002, change it by entering the following:
| 3. | Create a file called file1 in your home directory:
| 4. | Enter ls -l to see the default permission that was assigned to the file1 file.
| 5. | | 6. | Create a file named file2 and look at the default permission value:
| 7. | Create a new user called newuser:
useradd -u 3001 -g 10 -d /export/home/user20 -m \
-s /bin/ksh -c "Temporary User" user20 | 8. | Set the password for user20:
| 9. | Log out and log back in as user9. You are placed in your home directory, /export/home/user9.
| 10. | Create a new file named file10 and list the permissions:
| 11. | Use chmod to set the UID permissions on file10 and list the permissions:
| 12. | Use chmod to set the UID and GID permissions on file10, and then display the permissions:
What changes?
| 13. | Use chmod to remove all execute permissions from file10, and then display the new permissions:
| 14. | List the directory permissions on /tmp:
Note that the sticky bit is set on /tmp.
| 15. | As user9, change to the /tmp directory and create a file called file1:
cd /tmp
touch file1
ls -l
Note the permissions on the file. They should be 644 ( rw-r---r--).
| 16. | Become user20, and in the /tmp directory, remove the file named file1:
su user20
cd /tmp
rm file1
What message do you receive?
| 17. | Exit the current shell to return to being user9. Change to the user9 home directory and set the ACL on file10 so that user20 has read and write permissions on the file:
exit
cd $HOME
setfacl -m user:user20:6 file10 | 18. | List the file permissions on file10 by issuing ls -l. Note the +, which indicates that an ACL is set on the file.
| 19. | List the ACL entry on file10 as follows:
| 20. | Remove the ACL from file10 as follows :
setfacl -d u:user20 file10 |
4.5. Restricting Root Access
In this exercise, you make changes to the system to restrict root logins.
Estimated time: 10 minutes
1. | Try to log in to your system as root from a remote system. If the /etc/default/login file has not been modified from its default settings, you should not be able to log in.
| 2. | Log in to your system from the console as root.
| 3. | Use vi to edit the file /etc/default/login, adding a pound sign ( #) at the beginning of the following line:
| 4. | Try to log in to your system as root from a remote system. Does it work?
| 5. | Now try to open an FTP connection from a remote system:
| 6. | When you are prompted with a login name, try to get in as root. If the /etc/ftpusers file has not been modified from its default settings, you get a Login Incorrect message and are not able to log in.
| 7. | Remove root from the /etc/ftpusers files. Does the FTP session work now?
| 8. | Disallow all FTP connections using the inetadm command as follows:
| 9. | Try to connect from a remote system via FTP .
|
Exam Questions
| 1. | What is the maximum length of a username?
| | 2. | UID 0 is typically which of the following?
| | 3. | How many groups can a user belong to?
| | 4. | When you add a new user account via the Add User Wizard, which of the following options are not available for setting the password? (Select the two best answers.)
| The password is cleared until first login.
|
| |
| |
| Have the system generate a password.
|
| | 5. | What is the best way to delete a login but retain the user's files?
| Delete the login but deselect the Delete Home Directory check box.
|
| Change the password on the login.
|
| Change the UID of the login.
|
| Delete the login, but don't delete files by using the rm command.
|
| | 6. | Which of the following is not a default user initialization file?
| | 7. | Which directory contains the Solaris default initialization files?
| | 8. | What is the proper syntax to set the default path in the Korn shell?
| PATH=</dirname1>:</dirname2>:</dirname3>:.; export PATH
|
| setenv path =(</dirname1> </dirname2> /dirname3>.)
|
| set path =(</dirname1> </dirname2> </dirname3>.)
|
| setenv PATH </dirname1>:</dirname2>:</dirname3>
|
| | 9. | What is the proper syntax to set the default path in the C shell?
| set path = (</dirname1> </dirname2> </dirname3>.)
|
| PATH=</dirname1:/dirname2>:</dirname3>:.; export PATH
|
| setenv path =(</dirname1> </dirname2> </dirname3>.)
|
| set path=</dirname1> </dirname2> </dirname3>.
|
| | 10. | Which of the following files contains encrypted password information?
| | 11. | What is the sitewide initialization file for the Korn shell called?
| | 12. | What is the sitewide initialization file for the C shell called?
| | 13. | What is the maximum UID number in Solaris 10?
| | 14. | What can you do if CONSOLE= is included in the /etc/default/login file?
| Log in as root from the network and console.
|
| Log in as a regular user and then use su to become root.
|
| Log in as root from the console but not from the network.
|
| Log in as root from the network but not from the console.
|
| | 15. | Which of the following are functions of the /etc/group file? (Select the two best answers.)
| Assigns users to secondary groups
|
| Assigns a name to a group ID number
|
| Provides a special group for su privileges
|
| Specifies which users can access network resources, such as printers
|
| | 16. | You are a system administrator and suspect that one of your users has repeatedly tried to use su to gain root privileges. Which of the following files would you look at to see if your suspicion is correct?
| | 17. | What effect does the sticky bit have if it is set on the /tmp directory as drwxrwxrwt 2 sys sys 512 May 26 11:02 /tmp?
| It permits superuser access only.
|
| It prohibits all read-write permissions.
|
| It allows only the owner to remove and rename his or her files.
|
| It is a security risk because any user can delete another user's files.
|
| | 18. | Which of the following files controls the default policy on password aging?
| | 19. | Which of the following do not make secure passwords?
| |
| |
| Words with numbers or symbols
|
| |
| | 20. | Which of the following makes a secure password?
| A combination of six or more letters
|
| Your name forward, backward, or jumbled
|
| Keyboard patterns (such as asdfgh)
|
| Any word in the dictionary
|
| | 21. | Password aging and encryption are stored in which of the following files?
| | 22. | On file permissions, what does the w in the example -rwxr-xr-x mean?
| Write privileges for the owner
|
| Write privileges for the owner and group
|
| Write privileges for everyone
|
| Write privileges for root only
|
| | 23. | What command is used to change read, write, and execute permissions on a file?
| | 24. | When a user creates a file or directory, which of the following controls the default file permissions assigned to the file or directory?
| | 25. | To what does a umask value of 022 set the default permissions on a directory?
| | 26. | To what does a umask value of 022 set the default permissions on a file?
| | 27. | What do the permissions dr-xr--r-- on a directory mean?
| Only the owner and group member can list files in this directory.
|
| Only the owner can open files in this directory.
|
| Neither read, write, nor execute privileges have been assigned.
|
| Only the owner can remove files in this directory.
|
| | 28. | What is the difference between chmod and umask?
| A chmod value can be set by individual users, whereas umask operates on the system level.
|
| chmod uses the sticky bit, and umask doesn't.
|
| umask permissions are stored in a directory rather than in files.
|
| umask changes the default permissions for every file and directory created in the future, whereas chmod works on a specific directory or file that already exists.
|
| | 29. | What does a restricted shell not allow the user to do?
| | 30. | To what can rsh refer?
| The default system shell or the remote shell command
|
| A combination of the Bourne and C shell or a restricted shell
|
| The variable used to limit the number of login attempts or a restricted shell
|
| A restricted shell or the remote shell command
|
| | 31. | Which of the following commands displays users who don't have passwords?
| | 32. | Which of the following files contains a list of trusted hosts for a remote system?
| | 33. | Which of the following files gives a specified user permission to log in remotely from the specified host without having to supply a password?
| | 34. | You can protect the superuser account on a system by restricting access to a specific device through what file?
| | 35. | Which of the following files lists all uses of the su command?
| | 36. | Which of the following makes specific checks and adjustments to system files and permissions to ensure system security?
| |
| |
| |
| The proper entry in the /etc/default/login file
|
| | 37. | Shell scripts that run setuid or setgid can be sufficiently secure.
| | 38. | Which of the following commands is used to set ACL entries on a file?
| | 39. | What does the plus sign (+) to the right of the permission mode field indicate (-rw-r-----+)?
| |
| |
| setuid permission has been set on the file.
|
| It sets group ID on execution.
|
| | 40. | Which of the following commands is used to delete an ACL?
| setfacl -d <acl-entry-list>
|
| |
| |
| |
| | 41. | Which of the following commands displays each user logged in and the active processes owned by each user?
| | 42. | Which of the following commands displays the time and date of the last reboot?
|
Answers to Exam Questions
| 1. | B. A user login name can contain two to eight uppercase characters (AZ) or lowercase characters (az) or digits (09), but no underscores or spaces. The first character must be a letter, and at least one character must be a lowercase letter. For more information, see the section "Adding User Accounts with the SMC." | | 2. | A. The UID for the root login is always 0. For more information, see the section "Securing Superuser Access." | | 3. | D. A user can belong to as many as 15 secondary groups. Added to the primary group, a user can belong to 16 total groups. For more information, see the section "Where User Account Information Is Stored." | | 4. | A, B, D. The password is cleared until first login is no longer an option in Solaris 10. You cannot lock an account via the Add User Wizard in the SMC. The SMC cannot automatically generate a password for a user account. For more information, see the section "Adding User Accounts with the SMC." | | 5. | A. When you delete a user account in the SMC, you deselect the Delete Home Directory check box to retain all the user's files. For more information, see the section "Deleting User Accounts with the SMC." | | 6. | D. The following are default user initialization files that are put into a user's home directory when the user's account is created: .cshrc, .login, and .profile. For more information, see the section "Customizing User Initialization Files." | | 7. | B. The /etc/skel directory contains the Solaris default initialization files. For more information, see the section "Customizing User Initialization Files." | | 8. | A. To set the default path in the Korn shell, you issue the following command: PATH=</dirname1>:</dirname2>:</dirname3>:.; export PATH. For more information, see the section "Setting Up Shell Initialization Files." | | 9. | A. To set the default path in the C shell, you issue the following command: set path = (</dirname1> </dirname2> </dirname3>.). For more information, see the section "Setting Up Shell Initialization Files." | | 10. | A. The /etc/shadow file contains the encrypted password information for each user account. For more information, see the section "Where User Account Information Is Stored." | | 11. | A. The sitewide initialization file for the Korn shell is /etc/profile. For more information, see the section "Setting Up Shell Initialization Files." | | 12. | A. The sitewide initialization file for the C shell is /etc/.login. For more information, see the section "Setting Up Shell Initialization Files." | | 13. | A. UID numbers for regular users should range from 100 to 60,000, but they can be as high as 2,147,483,647. For more information, see the section "Adding User Accounts with the SMC." | | 14. | B. In the /etc/default/login file, with no value defined for the variable CONSOLE, root cannot log in from anywherenot even the console. The only way to get in to the system as root is to first log in as a regular user and become root by issuing the su command. For more information, see the section "Restricting Root Access." | | 15. | A, B. The /etc/group file assigns users to secondary groups and assigns a name to a group ID number. For more information, see the section "Where User Account Information Is Stored." | | 16. | D. Whenever someone issues the su command to switch from a user and become root, this activity is logged in a file called /var/adm/sulog. The sulog file lists all uses of the su command, not only those used to switch from a user to superuser. The entries in this file show the date and time the command was entered, whether it was successful, the port from which the command was issued, and the name of the user and the switched identity. For more information, see the section "Monitoring Superuser Access." | | 17. | C. If the sticky bit is set on the /tmp directory as rwxrwxrwx, only the owner can remove and rename his or her files. For more information, see the section "Sticky Bits." | | 18. | B. The /etc/default/passwd file controls the default policy on password aging. For more information, see the section "Controlling System Access." | | 19. | D. Employee numbers are not secure passwords. For more information, see the section "Controlling System Access." | | 20. | A. You should ensure that passwords contain a combination of 68 letters, numbers, or special characters. For more information, see the section "Controlling System Access." | | 21. | B. Password encryption and password aging details are stored in the /etc/shadow file. For more information, see the section "Where User Account Information Is Stored." | | 22. | A. On files, the w in the first field of the permissions list designates write privileges for the owner. For more information, see the section "Controlling File Access." | | 23. | C. The chmod command changes access permissions on a file. You can use either symbolic mode (letters and symbols) or absolute mode (octal numbers) to change permissions on a file. For more information, see the section "Controlling File Access." | | 24. | C. When a user creates a file or directory, the umask value controls the default file permissions assigned to the file or directory. For more information, see the section "Controlling File Access." | | 25. | B. A umask value of 022 sets the default permission on a directory to 755 (rwxr-xr-x). For more information, see the section "Controlling File Access." | | 26. | A. A umask value of 022 sets the default permission on a file to 644 (rw-r--r--). For more information, see the section "Controlling File Access." | | 27. | B. The permissions r-xr--r-- on a directory allow only the owner to open files in that directory. For more information, see the section "Controlling File Access." | | 28. | D. umask changes the default permissions for every file and directory created in the future, whereas chmod works on a specific directory or file that already exists. For more information, see the section "Controlling File Access." | | 29. | A, B. A restricted shell does not allow the user to change directories or redirect output. For more information, see the section "Restricted Shells." | | 30. | D. rsh refers to either a restricted shell or the remote shell command. You should not confuse the restricted shell /usr/lib/rsh with the remote shell /usr/bin/rsh. When you specify a restricted shell, you should not include the following directories in the user's path/bin, /sbin, or /usr/bin. If you do include the m in the user's path, you will allow the user to start another shell (a nonrestricted shell). For more information, see the section "Restricted Shells." | | 31. | B. You use the logins -p command to display usernames that do not have passwords associated with them. For more information, see the section "Monitoring Users and System Usage." | | 32. | B. The /etc/hosts.equiv file contains a list of trusted hosts for a remote system, one per line. For more information, see the section "Trusted Hosts." | | 33. | A. The .rhosts file is the user equivalent of the /etc/hosts.equiv file. It contains a list of trusted hosts for a remote system, as well as a list of users. If a host/user combination is listed in this file, the specified user is granted permission to log in remotely from the specified host without having to supply a password. For more information, see the section "The .rhosts File." | | 34. | B. You can protect the superuser account on a system by restricting access to a specific device through the CONSOLE variable located in the /etc/default/login file. For more information, see the section "Restricting Root Access." | | 35. | D. The sulog file lists all uses of the su command, not only those that are used to switch a user to superuser. The entries in the sulog file show the date and time the command was entered, whether it was successful, the port from which the command was issued, and the name of the user and the switched identity. For more information, see the section "Monitoring Superuser Access." | | 36. | B. The Solaris 10 system software includes ASET, which helps you monitor and control system security by automatically performing tasks you would otherwise do manually. ASET performs seven tasks, making specific checks and adjustments to system files and permissions to ensure system security. For more information, see the section "ASET." | | 37. | B. Except for the executables that are shipped with the setuid bit set to root, you should disallow the use of setuid programs. For more information, see the section "The setuid and setgid Programs." | | 38. | A. You use the setfacl command to set ACL entries on a file or directory. For more information, see the section "Setting ACL Entries." | | 39. | A. The plus sign (+) to the right of the permission mode field (-rw-r-----+) indicates that the file has an ACL. For more information, see the section "Setting ACL Entries." | | 40. | A. You use the setacl -d command to delete an ACL on a file or directory. For more information, see the section "Setting ACL Entries." | | 41. | A. Use the whodo command to display each user logged in and the active processes owned by that user. For more information, see the section "The whodo Command." | | 42. | A. The who -b command displays the time and date of the last reboot. For more information, see the section "Checking Who Is Logged In." |
 |
