Linux Security Fundamentals

This article will cover the basic principals behind Linux security. As with any secure system, fundamental Linux security is achieved with user authentication and file permissions. This article will discuss the basics of user and group management, as well as file permissions.

Creating User Accounts

User accounts are created by making entries in the /etc/passwd file. In early versions of Unix, administrators would manually add lines to this file whenever a new user account was required. Since that time, many utilities to ease this process have been developed, with the most common being the [useradd] command. Recent distributions of Linux include the linuxconf utility, a GUI tool that mimics the functionality of Windows’ User Manager. Most distributions also include the text version of linuxconf.

Here are some common parameters for the [useradd] command:

-u: User ID number to use, similar to a SID. Any user with a user ID number of 0 is considered root. Generally system users have this number set greater than 500. If you do not provide this value, it will default to an incrementing number greater than 500.

-g: Group the user belongs to. Linux recognizes a primary group membership. Although you can belong to many groups, when you create a file, your primary group is set as the group owner of the file. If you omit this value, Linux will automatically create a group with the same name as the user and set that group as the primary group.

-G: Additional group memberships, comma separated

-s: Preferred logon shell. Provide this value as a path to the shell. For example, a C programmer might have a shell value of /bin/csh

-d: Path to users’ home directory, if other than /home. The home directory is created as a copy of /etc/skel, if it exists. Any files or scripts in this directory are automatically copied to the new users’ home.

-e: Expiration date on account, if any

All of these parameters are optional. The general syntax is as follows:

useradd -s value username

Each parameter is separated by a space, and the last value is the name of the user. Parameters take the default value when they are not provided. Default values for the [useradd] command are stored in the /etc/default/useradd file. Any modifications to this file affect future executions of the [useradd] command. You can directly modify this file with a tool such as vi, or you can run the [useradd] command with the –D option. This switch will interpret any information you provide as default values, and will write those values to the useradd file.

Before a user can log on a password value must be set. To do this use the [passwd] command. When a regular user runs this command they must adhere to strict security rules governing passwords. In order for Linux to accept the password, it must be at least 6 characters long, not be based on any variation of a dictionary word, and contain multi-case characters, with at least one special character or number.

The modern passwd utility works though the Linux-PAM API.