Lecture_02

The document provides an overview of Linux security, focusing on user management, the root account, and the sudo command. It explains commands for user identification, management, and permissions, as well as the importance of using sudo for administrative tasks to enhance security. Additionally, it covers user account settings, password management, and the structure of configuration files like /etc/passwd and /etc/sudoers.

Uploaded by

michael

Linux security

ASSOC. PROF. DR. MARY AGOYI


Introduction to user

⚫ The whoami command tells you your username.

⚫ The who command will give you information about who is logged on the system.

⚫ With who am i the who command will display only the line pointing to your current session.

⚫ The w command shows you who is logged on and what they are doing.

⚫ The id command will give you your user id, primary group id, and a list of the groups that you belong to.

⚫ The su command allows a user to run a shell as another user.


Introduction to su command

⚫ The su command allows you to become root, when you know the root password.
⚫ When no username is provided to su or su -, the command will assume root is the target.
⚫ The su command allows a user to run a shell as another user.
− You need to know the password of the user you want to substitute to, unless you are logged in as root. The root user can become any existing user without knowing that user's password.
− To become another user and also get the target user's environment, issue the su - command followed by the target username.

Introduction to ROOT account

⚫ The all-powerful administrator account on a Unix or Linux system is the root account. If you're logged in as the root user, you can do anything you want to do to that system.
⚫ However, always logging in as the root user can present a whole load of security problems. For example:
− Make it easier for you to accidentally perform an action that causes damage to the system
− Make it easier for someone else to perform an action that causes damage to the system

Case Study

⚫ Imagine if you were the head Linux administrator at ABC Organization, and the only way to allow users to perform admin tasks was to give them all the root password. What would happen if one of those users were to leave the company?

⚫ You wouldn't want that person to still have the ability to log in to the systems, so you'd have to change the password and distribute the new one to all of the other users. And what if you just want users to have admin privileges only for certain tasks, instead of having full root privileges?

⚫ What we need is a mechanism that allows users to perform administrative tasks without incurring the risk of having them always log on as the root user, and that would also allow users to have only the admin privileges they really need to perform a certain job.

⚫ In Linux and Unix, this mechanism comes in the form of the sudo utility.


Introduction to sudo

⚫ The sudo program allows a user to start a program with the credentials of another user.
⚫ Before this works, the system administrator has to set up the /etc/sudoers file. This can be useful to delegate administrative tasks to another user (without giving the root password).

⚫ A huge advantage that Unix and Linux operating systems have over Windows is that Unix and Linux do a much better job of keeping privileged administrative accounts separated from normal user accounts.

The advantages of using sudo

⚫ Assign certain users full administrative privileges, while assigning other users only the privileges they need to perform tasks that are directly related to their respective jobs.

⚫ Allow users to perform administrative tasks by entering their own normal user passwords so that you don't have to distribute the root password to everybody and his brother.

⚫ Make it harder for intruders to break into your systems. If you implement sudo and disable the root user account, would-be intruders won't know which account to attack because they won't know which one has admin privileges.

⚫ Create sudo policies that you can deploy across an entire enterprise network, even if that network has a mix of Unix, BSD, and Linux machines.

⚫ Improve your auditing capabilities because you'll be able to see what users are doing with their admin privileges.

User Management

⚫ User management on Linux can be done in 3 complementary ways:

1. Graphical tools – good for novice Linux users

2. Command line tools – server administrators – for this course
⚫ useradd, usermod, gpasswd, passwd

3. Edit the local configuration files directly – do not attempt this as a novice on production systems

useradd

− sudo useradd -m -d /home/mary -c "mary agoyi" -s /bin/bash Mary

− -m creates the home directory.
− -d specifies the home directory.
− -c creates the description.
− -s specifies Mary's default shell. (Without the -s, Debian/Ubuntu would assign to Mary the /bin/sh shell.)

Userdel and usermod

⚫ You can delete a user with the userdel command.
▪ userdel -r Mary
⚫ The -r option of userdel will also remove the home directory.
⚫ You can modify the properties of a user with the usermod command.
▪ usermod -c 'wizard' harry
⚫ This example uses usermod to change the description of the user harry.

/etc/passwd

⚫ The local user database on Linux (and on most Unixes) is /etc/passwd.
⚫ The /etc/passwd file specifies the login shell for the user.
⚫ Type the following in the terminal:
− head -1 /etc/passwd
− tail -1 /etc/passwd
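The lines that head and tail print each have seven colon-separated fields, and two of them matter most for security: the UID and the login shell. The script below is an added example, not part of the lecture; the function names, the sample entries and the backup2 account are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lecture): audit passwd(5)-format lines.
# Each line has 7 colon-separated fields:
#   name:password:UID:GID:comment:home:shell

# Constructed sample data; the last three lines are deliberately unusual.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Mary:x:1001:1001:mary agoyi:/home/mary:/bin/bash
Harry:x:1002:1002:books:/home/books:
backup2:x:0:1003:constructed second UID 0 entry:/home/backup2:/bin/bash
broken:x:1004
EOF
}

# Reads passwd-format text from the named files, or stdin if none given.
# Prints one finding per line:
#   MALFORMED <name>       wrong number of fields
#   UID0 <name>            non-root account with UID 0 (root-equivalent)
#   LOGIN <name> <shell>   account whose shell allows interactive login
audit_passwd() {
    awk -F: '
        NF != 7 { print "MALFORMED " $1; next }
        {
            # An empty shell field means the system default, /bin/sh.
            shell = ($7 == "") ? "/bin/sh" : $7
        }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        shell !~ /(nologin|false)$/ { print "LOGIN " $1 " " shell }
    ' "$@"
}

# Demonstration on the constructed sample.
# On a real system: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```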

Exercise

1. sudo su

2. head -2 /etc/passwd

3. tail -2 /etc/passwd

4. sudo useradd -m -d /home/harry -c "Harry Porter" -s /bin/bash Harry

5. tail -2 /etc/passwd

6. sudo usermod -c 'books' Harry

7. tail -2 /etc/passwd

Exercise (continued)

1. sudo usermod -d /home/books Harry

2. tail -2 /etc/passwd

3. sudo userdel -r Harry

4. tail -2 /etc/passwd

5. Can you write your observations?


Home Directories

⚫ The easiest way to create a home directory is to supply the -m option with useradd.
⚫ A less easy way is to create a home directory manually with mkdir, which also requires setting the owner and the permissions on the directory with chmod and chown.
▪ mkdir /home/brown
▪ chown brown:brown /home/brown
▪ chmod 700 /home/brown
▪ ls -ld /home/brown/
⚫ To delete the home directory:
▪ userdel -r brown

Chmod command

⚫ Permissions
▪ read (r) – 4
▪ write (w) – 2
▪ execute (x) – 1
⚫ Access class
▪ Owner / user
▪ Group
▪ Others
For example
chmod 744 filename -

/etc/skel/

⚫ The /etc/skel/ directory contains some (usually hidden) files that contain profile settings and default values for applications.
⚫ /etc/skel/ serves as a default home directory and as a default user profile.
⚫ When using useradd with the -m option, the /etc/skel/ directory is copied to the newly created home directory.
⚫ Create a file named welcome.txt and make sure every new user will see this file in their home directory.
▪ echo Hello > /etc/skel/welcome.txt
⚫ Run as root user
▪ ls -la /etc/skel/

/etc/shadow

⚫ User passwords are encrypted and kept in /etc/shadow.
⚫ The /etc/shadow file is read-only and can only be read by root.
▪ tail -4 /etc/shadow

Passwd command

⚫ Passwords of users can be set with the passwd command.
▪ passwd Mary
⚫ Users will have to provide their old password before twice entering the new one.
⚫ The passwd tool will do some basic verification to prevent users from using too simple passwords.
⚫ The root user does not have to follow these rules (there will be a warning though).
⚫ The root user also does not have to provide the old password before entering the new password twice.

Passwd command (cont.)

⚫ Passwords are stored in an encrypted format. This encryption is done by the crypt function.
⚫ The easiest and recommended way to add a user with a password to the system is to add the user with the useradd -m user command, and then set the user's password with passwd. For example
▪ useradd -m Mary
▪ passwd Mary

Passwd encryption with openssl

⚫ An encrypted password can be generated with the openssl passwd command.
⚫ For example
▪ useradd -m Mary
▪ openssl passwd Mary
⚫ To create users with a password, you need to use the -p option of useradd, but that option requires an encrypted password. For example
▪ useradd -m -p $(openssl passwd basket) Mary

chage

The chage command can be used

⚫ to set an expiration date for a user account (-E),
⚫ to set a minimum (-m) and maximum (-M) password age,
⚫ to set a password expiration date,
⚫ to set the number of warning days before the password expiration date.
⚫ The -l option of chage will list these settings for a user.
▪ chage -l Mary
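The /etc/shadow, openssl passwd and chage slides all describe fields of one shadow line: the second field carries the hash and its scheme prefix, the fifth the maximum password age that chage -M sets. The script below is an added example, not part of the lecture; the function names are hypothetical and every hash string in the sample is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the lecture): classify shadow(5)-format lines.
# Fields used: 1 = user, 2 = password hash, 5 = maximum password age (chage -M).
# Every hash string below is a constructed placeholder, not a real hash.
sample_shadow() {
cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
Mary:$1$CONSTRUCT$CONSTRUCTEDHASH:19700:0:90:7:::
Harry:abCONSTRUCTED:19700:0:99999:7:::
brown:!:19700:0:99999:7:::
vicky::19700:0:99999:7:::
EOF
}

# Prints "<user> <scheme> <verdict> <max-age>" for each line read from the
# named files (or stdin). Reading the real /etc/shadow requires root.
classify_shadow() {
    awk -F: '
        function scheme(h) {
            if (h == "")           return "none NO-PASSWORD"
            if (h ~ /^[!*]/)       return "locked OK"
            if (h ~ /^\$6\$/)      return "sha512crypt OK"
            if (h ~ /^\$5\$/)      return "sha256crypt OK"
            if (h ~ /^\$y\$/)      return "yescrypt OK"
            if (h ~ /^\$2[aby]\$/) return "bcrypt OK"
            if (h ~ /^\$1\$/)      return "md5crypt WEAK"
            # Traditional DES crypt: 13 characters, no "$" prefix.
            if (length(h) == 13 && h !~ /\$/) return "descrypt WEAK"
            return "unknown REVIEW"
        }
        {
            age = ($5 == "" || $5 >= 99999) ? "no-max-age" : "max-age=" $5
            print $1, scheme($2), age
        }
    ' "$@"
}

# Demonstration on the constructed sample.
sample_shadow | classify_shadow
```

The lecture's `openssl passwd basket` names no algorithm, so the scheme is whatever legacy default the installed OpenSSL uses; `openssl passwd -6` requests SHA-512 crypt explicitly. Setting the password afterwards with passwd, as the earlier slide recommends, also keeps it off the command line.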

/etc/sudoers

⚫ The sudo policy file is /etc/sudoers.
⚫ Always edit sudoers with the command sudo visudo.
⚫ To add users to an admin group:
▪ User_Alias ADMINS = jsmith, mmike
⚫ To give members of the user alias full sudo power:
▪ ADMINS ALL=(ALL) ALL
⚫ To add a visudo entry for just a single user:
▪ mary ALL=(ALL) ALL
⚫ For ease of management, it's best to go with either a user group or a user alias.

User Aliases

⚫ You can create user aliases for several purposes:
▪ BACKUPADMINS user alias for backup administrators
▪ WEBADMINS user alias for web server administrators
⚫ For example
▪ User_Alias SOFTWAREADMINS = vicky, Cleopatra
⚫ Note that vicky and Cleopatra cannot perform any task until you assign some duties to the User_Alias.


Command Aliases

⚫ You can create command aliases for several purposes.
⚫ One of these examples just happens to be SOFTWARE, which contains the commands that an admin would need to either install or remove software or to update the system.
⚫ For example
▪ Cmnd_Alias SOFTWARE = /bin/dpkg, /usr/bin/update, /usr/bin/apt

⚫ The SOFTWARE command alias can be assigned to the SOFTWAREADMINS user alias:
▪ SOFTWAREADMINS ALL=(ALL) SOFTWARE
⚫ Vicky and Cleopatra, as members of the SOFTWAREADMINS user alias, can now run the dpkg, update, and apt commands with root privileges.
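Once a policy uses aliases, the effective grant for a given user is no longer visible on a single line. The script below is an added example, not part of the lecture: it expands the alias entries from these slides into one line per user, and it assumes only the simple one-line forms shown here, written with spaces around the "=" of an alias definition. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the lecture): expand the User_Alias and Cmnd_Alias
# definitions in a sudoers fragment into one "<user> <commands>" line per user.
# Assumption: only the simple one-line forms shown in the lecture are handled
# (no line continuations, Host_Alias/Runas_Alias, or tags such as NOPASSWD:).

# Constructed fragment built from the lecture entries.
sample_sudoers() {
cat <<'EOF'
# sample policy
User_Alias ADMINS = jsmith, mmike
User_Alias SOFTWAREADMINS = vicky, Cleopatra
Cmnd_Alias SOFTWARE = /bin/dpkg, /usr/bin/update, /usr/bin/apt
ADMINS ALL=(ALL) ALL
SOFTWAREADMINS ALL=(ALL) SOFTWARE
mary ALL=(ALL) ALL
EOF
}

expand_sudoers() {
    awk '
        # Text after the first "=", with list separators normalised to ",".
        function rhs(s) {
            sub(/^[^=]*=[ \t]*/, "", s)
            sub(/[ \t]+$/, "", s)
            gsub(/[ \t]*,[ \t]*/, ",", s)
            return s
        }
        /^[ \t]*#/ || /^[ \t]*$/ || $1 == "Defaults" { next }
        $1 == "User_Alias" { users[$2] = rhs($0); next }
        $1 == "Cmnd_Alias" { cmds[$2] = rhs($0); next }
        {
            spec = rhs($0)
            sub(/^\([^)]*\)[ \t]*/, "", spec)      # drop the "(runas)" part
            if (spec in cmds) spec = cmds[spec]
            n = split(($1 in users) ? users[$1] : $1, who, ",")
            for (i = 1; i <= n; i++) print who[i], spec
        }
    ' "$@"
}

# Demonstration on the constructed sample.
sample_sudoers | expand_sudoers
```

Before installing a fragment, check its syntax with `visudo -cf <file>`. In the expanded output, a user mapped to ALL, or to package managers that run package scripts as root, holds what amounts to full root, so those lines are the ones to review first.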
