Linux Security Fundamentals

This article will cover the basic principles behind Linux security. As with any secure system, fundamental Linux security is achieved with user authentication and file permissions. This article will discuss the basics of user and group management, as well as file permissions.

Creating User Accounts

User accounts are created by making entries in the /etc/passwd file. In early versions of Unix, administrators would manually add lines to this file whenever a new user account was required. Since that time, many utilities to ease this process have been developed, with the most common being the [useradd] command. Recent distributions of Linux include the linuxconf utility, a GUI tool that mimics the functionality of Windows’ User Manager. Most distributions also include the text version of linuxconf.

Here are some common parameters for the [useradd] command:

-u: User ID number to use, similar to a SID. Any user with a user ID number of 0 is considered root. Generally system users have this number set greater than 500. If you do not provide this value, it will default to an incrementing number greater than 500.

-g: Group the user belongs to. Linux recognizes a primary group membership. Although you can belong to many groups, when you create a file, your primary group is set as the group owner of the file. If you omit this value, Linux will automatically create a group with the same name as the user and set that group as the primary group.

-G: Additional group memberships, comma separated

-s: Preferred logon shell. Provide this value as a path to the shell. For example, a C programmer might have a shell value of /bin/csh

-d: Path to the user’s home directory, if other than /home. The home directory is created as a copy of /etc/skel, if it exists. Any files or scripts in this directory are automatically copied to the new user’s home.

-e: Expiration date on account, if any

All of these parameters are optional. The general syntax is as follows:

useradd -s value username

Each parameter is separated by a space, and the last value is the name of the user. Parameters take the default value when they are not provided. Default values for the [useradd] command are stored in the /etc/default/useradd file. Any modifications to this file affect future executions of the [useradd] command. You can directly modify this file with a tool such as vi, or you can run the [useradd] command with the -D option. This switch will interpret any information you provide as default values, and will write those values to the useradd file.

Before a user can log on, a password value must be set. To do this, use the [passwd] command. When a regular user runs this command, they must adhere to strict security rules governing passwords. In order for Linux to accept the password, it must be at least 6 characters long, not be based on any variation of a dictionary word, and contain multi-case characters, with at least one special character or number.

The modern passwd utility works through the Linux-PAM API.
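
Because any entry with a user ID of 0 is treated as root, reviewing /etc/passwd for extra UID 0 entries and reused IDs is a useful check after accounts have been created. The script below is an added example, not part of the original article; the function names and the sample entries (toor, ann, broken) are constructed for illustration.

```shell
#!/bin/sh
# Review a passwd-format file for entries that share root's user ID.
# Field layout: name:password:UID:GID:comment:home:shell

# Constructed sample data (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
joe:x:501:501::/home/joe:/bin/bash
toor:x:0:0::/root:/bin/csh
ann:x:501:502::/home/ann:/bin/bash
broken:x:503
EOF
}

# audit_passwd FILE   (use "-" to read standard input; default /etc/passwd)
audit_passwd() {
    awk -F: '
        # Skip comments and blank lines.
        /^#/ || $0 == "" { next }
        # A valid entry has exactly seven colon-separated fields.
        NF != 7 { printf "MALFORMED line %d\n", NR; next }
        # Any name other than root that carries UID 0 has full root access.
        $3 == 0 && $1 != "root" { printf "UID0 %s shell=%s\n", $1, $7 }
        # Two names on one UID are the same account as far as permissions go.
        seen[$3]++ { printf "DUPUID %s uid=%s (also %s)\n", $1, $3, first[$3] }
        !($3 in first) { first[$3] = $1 }
    ' "${1:-/etc/passwd}"
}

# Run the review over the constructed sample.
sample_passwd | audit_passwd -
```

Run with no argument, audit_passwd reads /etc/passwd; no output means no findings.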

Exploring Your Linux System

This article focuses on becoming familiar with a standard Linux installation, and covers tasks such as logging on, exploring the file system, and accessing system resources, such as your CD-ROM drive. It also discusses basic console commands and the use of vi.

Logging on

Linux requires that every user be identified by a username and password. During most installation programs, you have the option of creating user accounts, which can be used to log onto the system. You can also log on as root, using the password you specified during setup. If you log on as root, be very careful, as root has unlimited, unrestricted access to the system. A mistyped command can cause serious damage; for that reason, it is recommended that you log on as a regular user whenever possible.

Once you have logged on, you can end your session by typing [exit]. This will log you off the system.

Linux differentiates between root users and regular users by changing the console prompt. If you are logged on as a regular user the console prompt will display the [$] symbol. When logged on as root, the [#] symbol is presented.

If you are logging on using Telnet, you may notice that Linux will not allow you to directly log on as root. This is a security measure, and can be bypassed by logging on as a regular user and switching to root. Once you have logged on, enter [su -] at the console. You will be prompted for the root password, and then authenticated as root. Note the following regarding the Switch User command:

  • If you do not include the dash (-), you will only inherit the context of root, not the environment.
  • To switch back to your own account, type [exit], not su again. Using su to switch back to your own account would mean you have logged on as yourself, switched to root, and then switched to yourself again, essentially 3 consoles.
  • You can switch to any user on the system.

Tip – If you did not create any users when you installed Linux, you can quickly create a user named joe, with default settings, by typing [useradd joe] at any console prompt. You will not be able to log on as joe until you set a password on the account. Do this by typing [passwd joe] and entering a password.

Linux Fundamentals

In this article I will cover some general technical concepts that relate to Linux. You will need this information to understand and perform an installation, which I will cover in the next article. This article covers some of the major terms used in Linux, as well as the fundamentals of how the system operates. Finally I discuss partitioning and formatting of file systems.

Linux is different from Windows, and therefore a lot of the terminology changes as well. Listed below are some terms that you must know to effectively learn Linux, along with a general definition of each.

Unix: Refers to a classification of operating system, not a specific version or vendor’s operating system. Sun Solaris, SCO Unix, FreeBSD, and Linux are all types of Unix.

Linux: A specific implementation of Unix, written using open source code and protected under the GPL.

Distribution: A specific vendor’s implementation of Linux. Consists of the core Linux kernel and a collection of utilities and applications provided by the vendor. Many distributions also contain an implementation of XWindows.

XWindows: The common name for XFree86.

XFree86: A series of programming models and libraries that are used to provide a GUI desktop that runs on Linux. Gnome and KDE are both built on the XFree86 model. A desktop consists of two things – the window manager, which provides for the operation of the GUI, and the desktop environment, which is a collection of GUI-based tools and provides a look and feel. Gnome and several others use SawFish as the window manager; KDE provides its own, called KWM.

Kernel: The core of Linux. The Kernel controls access to the processor and controls the execution of processes on the computer. The kernel is a single file, usually stored in the /boot folder and can be upgraded independently of the Operating System. All distributions of Linux use the same Kernel.

Root: The “super-user” account. All Linux systems have a root user account that has unlimited access to the system’s resources. It can also refer to the root of the file system, denoted by “/”.

Daemon: A service that runs on a Unix computer. Daemons typically listen to a TCP/IP port for network requests and then respond. Servers are collections of daemons. Some examples of daemons include named (Name Daemon or DNS), telnetd (Telnet Daemon), inetd (Internet Daemon), and httpd (Web Server Daemon).

Process: An instance of an application that runs on a Unix computer. A server that provides HTTP services and Telnet services has a process for both httpd and telnetd.

Shell: A command interpreter, commonly accessible through a text terminal (command prompt). Different shells have different capabilities and limitations. Some examples include the Bourne Shell (sh), the Bourne Again Shell (bash), the Korn Shell (ksh) and the C Shell (tcsh). Most Linux distributions install multiple shells, with bash being the shell activated by default. You can activate another shell by typing its name, assuming it’s installed.

Shell Script: A series of shell commands saved in a file. Similar to a Batch file in DOS, but with more functionality. Commands available in Shell Scripts are dependent on the shell they are written in. The C Shell allows C language code to be written in Shell Scripts, while bash is limited to basic conditional logic and file manipulation. Many of the core functions on a Linux system are nothing more than complex shell scripts.

Open Source: Applications that are open source make the source code freely available for modification and redistribution by anyone. Open source code is protected by the GPL.

GPL: General Protection License – mandates that open source code may be freely modified and redistributed provided that all modifications to code are distributed as well. This means that if an organization used open source code in an application, although they may resell the application for profit, they must also provide the source code of the application at no charge.