Configuring default expiry data for useradd for Red Hat or CentOS only
The /etc/default/useradd file has the rest of the default settings. In this case, we'll look at the one from the CentOS machine:
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
The EXPIRE= line sets the default expiration date for new user accounts. By default, no expiration date is set. INACTIVE=-1 means that user accounts won't be automatically locked out after the users' passwords expire. If we set this to a positive number, then any new users will have that many days to change an expired password before the account gets locked.
To change the defaults in the useradd file, you can either hand-edit the file or use useradd -D with the appropriate option switch for the item that you want to change. For example, to set a default expiration date of December 31, 2023, the command would be as follows:
sudo useradd -D -e 2023-12-31
To see the new configuration, you can either open the useradd file or just do sudo useradd -D:
[donnie@localhost ~]$ sudo useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=2023-12-31
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[donnie@localhost ~]$
You've now set it so that any new user accounts that get created will have the same expiration date. You can do the same thing with either the INACTIVE setting or the SHELL setting:
sudo useradd -D -f 5
sudo useradd -D -s /bin/zsh
[donnie@localhost ~]$ sudo useradd -D
GROUP=100
HOME=/home
INACTIVE=5
EXPIRE=2023-12-31
SHELL=/bin/zsh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[donnie@localhost ~]$
Now, any new user accounts that get created will have Zsh set as the default shell, and users will have to change an expired password within five days to prevent the account from being automatically locked out.
So, just how useful is this useradd configuration feature in real life? Probably not that much, unless you need to create a whole bunch of user accounts at once with the same settings. Even so, a savvy admin would just automate the process with a shell script, rather than messing around with this configuration file.
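As an added example (not from the original text), the following shell function audits a useradd defaults file, or saved useradd -D output, for the INACTIVE and EXPIRE settings discussed above. MAX_INACTIVE and the function names are assumptions made for illustration, and the sample input is constructed from the listings on this page.

```shell
#!/bin/sh
# Added example: audit useradd defaults (the format of /etc/default/useradd).
# MAX_INACTIVE is a hypothetical local policy value, not taken from the page.
MAX_INACTIVE=${MAX_INACTIVE:-30}

# Print the value assigned to key $1 in defaults file $2 (last assignment wins).
get_default() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# audit_useradd_defaults FILE [TODAY as YYYYMMDD]
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_useradd_defaults() {
    file=$1
    today=${2:-$(date +%Y%m%d)}
    rc=0
    inactive=$(get_default INACTIVE "$file")
    expire=$(get_default EXPIRE "$file")

    case $inactive in
        ''|-1) echo "INACTIVE: expired passwords never lock the account"; rc=1 ;;
        *[!0-9]*) echo "INACTIVE: not a day count: $inactive"; rc=1 ;;
        *) if [ "$inactive" -gt "$MAX_INACTIVE" ]; then
               echo "INACTIVE: $inactive days exceeds policy of $MAX_INACTIVE"; rc=1
           fi ;;
    esac

    case $expire in
        '') ;;  # no default expiration date: the stock setting
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            # A date already in the past means new accounts are created expired.
            if [ "$(echo "$expire" | tr -d '-')" -lt "$today" ]; then
                echo "EXPIRE: $expire has passed; new accounts start expired"; rc=1
            fi ;;
        *) echo "EXPIRE: not in YYYY-MM-DD form: $expire"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the defaults as they stand after the commands above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
HOME=/home
INACTIVE=5
EXPIRE=2023-12-31
SHELL=/bin/zsh
EOF
audit_useradd_defaults "$sample" 20240115 || true
rm -f "$sample"
```

A fixed default expiration date keeps applying after it has passed, so a check like this is worth running before creating accounts in bulk.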