Skip to content
  • linux
  • users and security
  • local security

Understanding Linux Security

User Accounts

Section titled “User Accounts”
  • The Linux kernel allows properly authenticated users to access files and applications.
  • While each user is identified by a unique integer (the user id or UID), a separate database associates a username with each UID.
  • Upon account creation, new user information is added to the user database and the user’s home directory must be created and populated with some essential files.
  • Command line programs such as useradd and userdel as well as GUI tools are used for creating and removing accounts.

For each user, the following seven fields are maintained in the /etc/passwd file:

Field NameDetailsRemarks
UsernameUser login nameShould be between 1 and 32 characters long
PasswordUser password (or the character x if the password is stored in the /etc/shadow file) in encrypted formatIs never shown in Linux when it is being typed; this stops prying eyes
User ID (UID)Every user must have a user id (UID)UID 0 is reserved for root user. UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are reserved for system accounts and groups. Normal users have UIDs of 1000 or greater
Group ID (GID)The primary Group ID (GID); Group Identification Number stored in the /etc/group fileIs covered in detail in the chapter on Processes
User InfoThis field is optional and allows insertion of extra information about the user such as their nameFor example: Rufus T. Firefly
Home DirectoryThe absolute path location of user’s home directoryFor example: /home/rtfirefly
ShellThe absolute location of a user’s default shellFor example: /bin/bash

Types of Accounts

Section titled “Types of Accounts”

By default, Linux distinguishes between several account types in order to isolate processes and workloads. Linux has four types of accounts:

  • root

  • System

  • Normal

  • Network

  • For a safe working environment, it is advised to grant the minimum privileges possible and necessary to accounts, and remove inactive accounts.

  • The last utility, which shows the last time each user logged into the system, can be used to help identify potentially inactive accounts which are candidates for system removal.

Understanding the root Account

Section titled “Understanding the root Account”
  • root is the most privileged account on a Linux/UNIX system. This account has the ability to carry out all facets of system administration, including adding accounts, changing user passwords, examining log files, installing software, etc. It has no security restrictions imposed upon it.
  • When you are signed in as, or acting as root, the shell prompt displays #

When Are root Privileges Required?

Section titled “When Are root Privileges Required?”

Operations Requiring root Privileges

Section titled “Operations Requiring root Privileges”

Root privileges are required to perform operations such as:

  • Creating, removing and managing user accounts
  • Managing software packages
  • Removing or modifying system files
  • Restarting system services.

Operations Not Requiring root Privileges

Section titled “Operations Not Requiring root Privileges”
  • A regular account user can perform some operations requiring special permissions; however, the system configuration must allow such abilities to be exercised.
  • SUID (Set owner User ID upon execution - similar to the Windows “run as” feature) is a special kind of file permission given to a file.
  • Use of SUID provides temporary permissions to a user to run a program with the permissions of the file owner (which may be root) instead of the permissions held by the user.
Operations that do not require root privilegeExamples
Running a network clientSharing a file over the network
Using devices such as printersPrinting over the network
Operations on files that the user has proper permissions to accessAccessing files that you have access to or sharing data over the network
Running SUID-root applicationsExecuting programs such as passwd

sudo, Process Isolation, Limiting Hardware Access and Keeping System Current

Section titled “sudo, Process Isolation, Limiting Hardware Access and Keeping System Current”

Comparing sudo and su

Section titled “Comparing sudo and su”

  • In Linux you can use either su or sudo to temporarily grant root access to a normal user. However, these methods are actually quite different.

    susudo
    When elevating privilege, you need to enter the root password. Giving the root password to a normal user should never, ever be done.When elevating privilege, you need to enter the user’s password and not the root password.
    Once a user elevates to the root account using su, the user can do anything that the root user can do for as long as the user wants, without being asked again for a password.Offers more features and is considered more secure and more configurable. Exactly what the user is allowed to do can be precisely controlled and limited. By default the user will either always have to keep giving their password to do further operations with sudo, or can avoid doing so for a configurable time interval.
    The command has limited logging features.The command has detailed logging features.

sudo Features

Section titled “sudo Features”

  • sudo has the ability to keep track of unsuccessful attempts at gaining root access.

  • Users’ authorization for using sudo is based on configuration information stored in the /etc/sudoers file and in the /etc/sudoers.d directory.

  • A message such as the following would appear in a system log file (usually /var/log/secure) when trying to execute sudo for badperson without successfully authenticating the user:

    badperson : user NOT in sudoers ; TTY=pts/4 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/tail secure

The sudoers File

Section titled “The sudoers File”

  • Whenever sudo is invoked, a trigger will look at /etc/sudoers and the files in /etc/sudoers.d to determine if the user has the right to use sudo and what the scope of their privilege is. Unknown user requests and requests to do operations not allowed to the user even with sudo are reported. The basic structure of entries in these files is:

    who where = (as_whom) what

  • /etc/sudoers contains a lot of documentation in it about how to customize. Most Linux distributions now prefer you add a file in the directory /etc/sudoers.d with a name the same as the user. This file contains the individual user’s sudo configuration, and one should leave the master configuration file untouched except for changes that affect all users.

  • You should edit any of these configuration files by using visudo, which ensures that only one person is editing the file at a time, has the proper permissions, and refuses to write out the file and exit if there are syntax errors in the changes made. The editing can be accomplished by doing a command such as the following ones:

    # visudo /etc/sudoers

    # visudo -f /etc/sudoers.d/student

  • The actual specific editor invoked will depend on the setting of your EDITOR environment variable.

Command Logging

Section titled “Command Logging”

By default, sudo commands and any failures are logged in /var/log/auth.log under the Debian distribution family, and in /var/log/messages and/or /var/log/secure on other systems.

This is an important safeguard to allow for tracking and accountability of sudo use. A typical entry of the message contains:

  • Calling username
  • Terminal info
  • Working directory
  • User account invoked
  • Command with arguments.

Process Isolation

Section titled “Process Isolation”
  • Linux is considered to be more secure than many other operating systems because processes are naturally isolated from each other.
  • One process normally cannot access the resources of another process, even when that process is running with the same user privileges. Linux thus makes it difficult (though certainly not impossible) for viruses and security exploits to access and attack random resources on a system.
  • More recent additional security mechanisms that limit risks even further include:
    • Control Groups (cgroups): Allows system administrators to group processes and associate finite resources to each cgroup.
    • Containers: Makes it possible to run multiple isolated Linux systems (containers) on a single system by relying on cgroups.
    • Virtualization: Hardware is emulated in such a way that not only processes can be isolated, but entire systems are run simultaneously as isolated and insulated guests (virtual machines) on one physical host.

Hardware Device Access

Section titled “Hardware Device Access”
  • Linux limits user access to non-networking hardware devices in a manner that is extremely similar to regular file access.
  • Applications interact by engaging the filesystem layer (which is independent of the actual device or hardware the file resides on). This layer will then open a device special file (often called a device node) under the /dev directory that corresponds to the device being accessed. Each device special file has standard owner, group and world permission fields. Security is naturally enforced just as it is when standard files are accessed.

Working with Passwords

Section titled “Working with Passwords”

How Passwords Are Stored

Section titled “How Passwords Are Stored”
  • Originally, encrypted passwords were stored in the /etc/passwd file, which was readable by everyone. This made it rather easy for passwords to be cracked.
  • On modern systems, passwords are actually stored in an encrypted format in a secondary file named /etc/shadow. Only those with root access can read or modify this file.

Password Algorithm

Section titled “Password Algorithm”
  • Protecting passwords has become a crucial element of security.
  • Most Linux distributions rely on a modern password encryption algorithm called SHA-512 (Secure Hashing Algorithm 512 bits), developed by the U.S. National Security Agency (NSA) to encrypt passwords.
  • The SHA-512 algorithm is widely used for security applications and protocols.
  • These security applications and protocols include TLS, SSL, PHP, SSH, S/MIME and IPSec. SHA-512 is one of the most tested hashing algorithms.

Good Password Practices

Section titled “Good Password Practices”

IT professionals follow several good practices for securing the data and the password of every user.

  • Password aging is a method to ensure that users get prompts that remind them to create a new password after a specific period. This can ensure that passwords, if cracked, will only be usable for a limited amount of time. This feature is implemented using chage, which configures the password expiry information for a user.
  • Another method is to force users to set strong passwords using Pluggable Authentication Modules (PAM). PAM can be configured to automatically verify that a password created or modified using the passwd utility is sufficiently strong. PAM configuration is implemented using a library called pam_cracklib.so, which can also be replaced by pam_passwdqc.so to take advantage of more options.
  • One can also install password cracking programs, such as John The Ripper, to secure the password file and detect weak password entries. It is recommended that written authorization be obtained before installing such tools on any system that you do not own.

Securing the Boot Process and Hardware Resources

Section titled “Securing the Boot Process and Hardware Resources”

Requiring Boot Loader Passwords

Section titled “Requiring Boot Loader Passwords”
  • You can secure the boot process with a secure password to prevent someone from bypassing the user authentication step. This can work in conjunction with password protection for the BIOS.
  • Note that while using a bootloader password alone will stop a user from editing the bootloader configuration during the boot process, it will not prevent a user from booting from an alternative boot media such as optical disks or pen drives. Thus, it should be used with a BIOS password for full protection.
  • For the older GRUB 1 boot method, it was relatively easy to set a password for grub. However, for the GRUB 2 version, things became more complicated. However, you have more flexibility, and can take advantage of more advanced features, such as user-specific passwords (which can be their normal login ones).
  • Furthermore, you never edit grub.cfg directly; instead, you can modify the configuration files in /etc/grub.d and /etc/defaults/grub, and then run update-grub, or grub2-mkconfig and save the new configuration file.

Hardware Vulnerability

Section titled “Hardware Vulnerability”

When hardware is physically accessible, security can be compromised by:

  • Key logging: Recording the real time activity of a computer user including the keys they press. The captured data can either be stored locally or transmitted to remote machines.
  • Network sniffing: Capturing and viewing the network packet level data on your network.
  • Booting with a live or rescue disk
  • Remounting and modifying disk content.

The guidelines of security are:

  • Lock down workstations and servers.
  • Protect your network links such that it cannot be accessed by people you do not trust.
  • Protect your keyboards where passwords are entered to ensure the keyboards cannot be tampered with.
  • Ensure a password protects the BIOS in such a way that the system cannot be booted with a live or rescue DVD or USB key.