Scribd
Upload
27 views32 pages

Linux Security Basics: Users, Permissions, Authentication

The document outlines the basics of Linux security, covering user and group management, permissions and access control, running commands with privileges, and authentication methods. It details how to manage users and groups, the traditional permission model, access control lists (ACLs), and various mechanisms for executing commands with elevated privileges. Additionally, it discusses authentication processes, the storage of user information in /etc/passwd and /etc/shadow, and the importance of account locking and password security.

Uploaded by

umniatthamer0
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
27 views32 pages

Linux Security Basics: Users, Permissions, Authentication

The document outlines the basics of Linux security, covering user and group management, permissions and access control, running commands with privileges, and authentication methods. It details how to manage users and groups, the traditional permission model, access control lists (ACLs), and various mechanisms for executing commands with elevated privileges. Additionally, it discusses authentication processes, the storage of user information in /etc/passwd and /etc/shadow, and the importance of account locking and password security.

Uploaded by

umniatthamer0
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

LINUX SECURITY

BASICS
Module 2
First Term 2025/2026
Faculty of Information Technology
Al Al-Bayt university
Outline

 Users and groups

 Permissions and access control


 Running commands with privilege

 Authentication
USER AND GROUP
Users

 In Linux, each user is assigned a unique user ID


 User ID is stored in /etc/password

 Find user ID
Add Users & Switch to Other Users

 Add users
 Directly add to /etc/password
 Use “adduser” command

 Switch to another user


Group

 Represent a group of users


 Assigning permissions based on group
 A user can belong to multiple groups
 A user’s primary group is in /etc/password
Which Group Does a User Belong To?
Group Management

How to add users


PERMISSIONS AND ACCESS CONTROL
Traditional Permission Model

 Types of access on files


 read (r): user can view the contents of the file
 write (w): user can change the contents of the file
 execute (x): user can execute or run the file if it is a program or script
 Types of access on directories
 read (r): user can list the contents of the directory (e.g., using ls)
 write (w): user can create files and sub-directories inside the directory
 execute (x): user can enter that directory (e.g., using cd)
File Permissions
Default File Permissions

 umask value: decides the default permissions for new files


 Example
Examples (umask)

When a file is created, the operating system starts


with default permissions and then applies the
umask to remove certain bits.

Formula:
Final permissions = Initial permissions AND
NOT(umask)

For ordinary files:


Initial = 0666 (read + write for everyone)
For directories:
Initial = 0777 (read + write + execute for everyone)
Access Control List

• An Access Control List (ACL) is an extension of the


traditional file permission system in Linux.
• It allows fine-grained control — you can assign specific
permissions to individual users or groups, not just the
owner, group, and others.
• ACLs coexist with the traditional rwx permission model

Field Meaning
# file: example The file for which ACLs are displayed.
# owner: seed The file owner.
# group: seed The file’s primary group.
user::rw- Owner has read and write permission.
group::rw- Group members have read and write permission.
other::r-- Everyone else has read-only permission.
ACL Commands

• ACLs (Access Control Lists) allow


you to grant permissions to specific
users or groups on top of the
standard owner / group /
other model.
• They provide fine-grained control
without changing file ownership.
• Use setfacl to assign or modify
access for specific users/groups.
• mask:: defines the upper limit of
all effective permissions.
• getfacl verifies existing entries.
• The “+” after the mode field signals
that extended ACLs exist.
RUNNING COMMAND WITH PRIVILEGE
Why
Three command mechanisms
 sudo
• Most common and recommended method.
• Controlled by /etc/sudoers and logs all actions.
• Temporary; privileges vanish after the command.
 Set-UID Programs
• Used for specific tasks needing persistent root rights.
• Example: /usr/bin/passwd edits /etc/shadow safely.
• Dangerous if misused — must validate all inputs and paths.
 POSIX Capabilities
• Introduced in modern Linux to divide root powers into smaller privileges.
• Example capabilities:
• CAP_NET_ADMIN – manage network interfaces
• CAP_SYS_TIME – change system clock
• CAP_CHOWN – change file ownership
Using sudo

 sudo: Super-user Do
 Run commands as a superuser
 A user must be authorized (/etc/sudoers)
 Here is how the seed user is allowed to run sudo
Getting Root Shell

 In Ubuntu 20.04, the root user account is locked


 Cannot log into the root account
 There are many ways to get a root shell
 sudo –s
 sudo bash
 sudo su
 It is not recommended to run commands using a root shell. Instead, use sudo to run
individual commands.
Running Command Using Another User

 Run command using another user (instead of root, default)


POSIX Capabilities

 Divide the root privilege into smaller privilege units


 Known as capabilities
 Use “man capabilities” to find all the capabilities
 Examples
Setting File Capabilities (1)

 Before

 Setting the capabilities


Setting File Capabilities (2)

 After
Case Study 1: Wireshark

 Wireshark
 Sniffing tool, needs privilege
 The graphic part is not privileged
 The sniffing part is done by dumpcap, privileged
 Instead of saying ‘sniffing needs root, so run the whole tool as root,’ they separated
the critical capture part (dumpcap) and gave it just two specific capabilities.
Case Study 2: ping

The ping program


 Uses raw socket
 Has the CAP_NET_RAW capability
AUTHENTICATION
Authentication Methods

 A process to verify a user’s identity


 Typical authentication methods
 based on something the user knows: password
 based on something the user has: ID card
 based on something the user is or does: fingerprint
 Multi-factor authentication
The Password File

• The file /etc/passwd stores basic user account information.


• Every user on a Linux system has an entry here — including system and
service accounts.
• Despite its name, passwords are no longer stored in this file (for
security reasons).
• Historically, passwords were kept here in hashed form, but that exposed them to
all users.
• Now, passwords are stored securely in /etc/shadow, which is readable only by
root.
First Command After Login

The last field of each entry


The Shadow File

 Store password, why not use /etc/password anymore?


 Structure for each entry
The Purpose of Salt

 Defeat brute-force attacks


 dictionary attack, rainbow table attack
 These 3 accounts have the same password
 What is a Salt?
 A salt is a short, randomly generated string that is unique for each user.
When you create a password, the system hashes:
 hash = H(password + salt)
Locking Account

 Sometimes system administrators need to temporarily disable or permanently block


a user account — without deleting it.
This is done by locking the account in /etc/shadow.
 When a Linux account is locked, the password field in /etc/shadow is replaced with
an invalid value (for example, ! or *).

You might also like