Linuxsec3e PPT ch04
User Privileges and Permissions
Copyright © 2024 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective:
  Explain user account management, configure file permissions and filesystem settings, enforce encryption, and secure Linux services.
Key Concepts:
  The shadow password suite
  User and group privileges and permissions
  Pluggable authentication modules (PAMs) and the polkit package
  Network user verification tools
  Best practices for user privileges and permissions
The Shadow Password Suite (1 of 2)
Essential system functionality relies on the shadow password suite files, including the pluggable authentication modules (PAM) system and all interactive logins.
Other critical files for granting permissions include the passwd and group files.
The Shadow Password Suite (2 of 2)
/etc/passwd
  Contains basic information for each user account.
  Defines users configured on the local system.
/etc/shadow
  Adds detailed password information to users defined in the /etc/passwd file.
  The password is stored as a salted hash, normally using the MD5 algorithm.
/etc/group
  Contains basic information for each group account.
  Defines groups configured on the local system.
/etc/gshadow
  Is analogous to the /etc/shadow file, except for groups.
/etc/login.defs Security-Related Directives for New Users and Groups (1 of 2)
DIRECTIVE        DESCRIPTION
FAILLOG_ENAB     Failed login attempts are collected in the binary /var/log/faillog file.
LOG_OK_LOGINS    Successful logins are collected in a log file defined by /etc/syslog.conf.
SYSLOG_SU_ENAB   Uses of the su command are logged.
/etc/login.defs Security-Related Directives for New Users and Groups (2 of 2)
DIRECTIVE        DESCRIPTION
PASS_MAX_DAYS    Maximum number of days a password can be used.
COMMAND     DESCRIPTION
useradd     Adds users to the shadow password suite based on defaults in /etc/login.defs, except when modified by useradd command options.
usermod     Modifies user settings in the shadow password suite.
userdel     Deletes users. By itself, the command retains the user's home directory.
groupadd    Creates a new group.
groupmod    Modifies group information.
groupdel    Deletes an existing group.
groups      Lists group membership of the current user.
chage       Revises aging information for a user's password.
Available User Privileges
Permissions in question support access to hardware such as:
Modems
Sound cards
Printers
Scanners
Ubuntu user privileges to special hardware are implemented through group memberships.
Ubuntu groups are listed in /etc/group.
Ubuntu groups are described in the Users Settings tool, accessible with the users-admin command.
Group Listing in the Ubuntu Users Settings Tool
Adding Users to Groups
Groups with Special Permissions for Users (1 of 2)
plugdev Access external storage devices automatically
admin Administer the system
lpadmin Configure printers
dip Connect to the Internet using a modem
netdev Connect to wireless and Ethernet networks
adm Monitor system logs
fuse Mount user-space filesystems (FUSE)*
* FUSE is an acronym for Filesystems in USErspace.
Groups with Special Permissions for Users (2 of 2)
fax Send and receive faxes
sambashare Share files with the local network
audio Use audio devices
cdrom Use CD-ROM drives
floppy Use floppy drives
dialout Use modems
tape Use tape drives
video Use video devices
Securing Groups of Users: User Private Group Scheme
Every username has a primary group.
To identify the primary group, review the third and fourth fields in the
/etc/passwd file.
To verify group names, check the /etc/group file.
Linux distributions that don’t implement the user private group scheme may
assign all users to the same group.
Securing Groups of Users: Create a Special Group
1. Run the mkdir /home/special command to create the directory.
2. Create the group named project. For example, to create a group named project with a GID of 100000, run:
   # groupadd -g 100000 project
3. Assign users to the project group.
4. Set up appropriate ownership on the newly created directory.
5. Set special octal permissions on the directory:
   # chmod 2770 /home/special
The su and sg Commands (1 of 2)
You can use the su command by itself to log in from a regular account into the
root administrative account. You will be prompted for the root password.
You can use the su command to log into a different account. For example, if
you have the password of the user named adelle, you can log into his or her
account with the following command:
$ su - adelle
You assume the identity of the adelle user or group until you log out.
The su and sg Commands (2 of 2)
For example, if you have a regular account named adelle and have the group password for a group named project, you can use the sg command to access that group's directory. The following command would copy the noted file from user adelle's home directory to the project directory:
$ sg project -c 'cp /home/adelle/mycontribution.doc /home/project'
Because the root administrative password is all-powerful for a system, it should
be shared with as few people as possible.
That’s one reason for the sudo command, covered next.
The sudo Command
With sudo, an authorized user need only enter their own regular password to
run configured administrative commands.
Ubuntu distributions don’t have a root administrative password; Ubuntu disables
logins to the root account.
The first user on an Ubuntu system is given membership in the admin group.
A regular user who is a member of the admin group can run administrative
commands with full privileges (if that group is appropriately configured in
/etc/sudoers).
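What "appropriately configured" can look like, as an added example that is not from the slides; the printops group and its command list are assumed. Edit /etc/sudoers only with visudo, which checks the syntax before saving.

```sudoers
# Ubuntu's default model: every member of admin may run any command as any user.
%admin    ALL=(ALL) ALL

# Least-privilege alternative (assumed group name and command paths): printops
# may run only the printer tools, and only as root, so a compromised member
# account gains nothing else through sudo.
%printops ALL=(root) /usr/sbin/lpadmin, /usr/bin/cancel
```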
Using the sudo Command
Example: If your account is a member of the admin group, you could open the second SATA drive on the local system for editing with the following command:
$ sudo /sbin/fdisk /dev/sdb
The first time such a trusted user prefaces an administrative command with the
sudo command, he or she will see the following response:
We trust you have received the usual lecture from the
local System Administrator. It usually boils down to these
three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Regular and Special Permissions (1 of 2)
Permissions apply to three classes of user:
  User: The user who owns the file
  Group: Users in the group that owns the file
  Other users: All other users
Regular permissions:
  Read
  Write
  Execute
Special permissions:
  Extend executable permissions
Regular and Special Permissions (2 of 2)
Set user ID (SUID) bit
  Runs the executable with the rights of the user owner of the file
Set group ID (SGID) bit
  A special permission commonly applied to shared directories
  Changes the group ownership of files added to a shared directory
  Is frequently found on executable files intended to be run by groups
Sticky bit
  Normally applied to shared directories
  Allows any user to add files to and delete files from a shared directory
  Does not change the ownership of files added to that directory
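An added example, not from the slides: a POSIX shell function that turns a numeric mode such as 2770 into the symbolic form ls -l shows, so the three special bits can be read off the last character of each triplet, plus a helper that names the bits and their effect on a directory.

```shell
#!/bin/sh
# Added example (not from the slides): decode a numeric mode into the
# symbolic form shown by ls -l, including the special bits.
#   4000 = SUID,   shown as "s" in the user triplet
#   2000 = SGID,   shown as "s" in the group triplet
#   1000 = sticky, shown as "t" in the other triplet
# Uppercase S/T means the special bit is set but the matching execute bit is
# not; ls uses that to flag a bit that cannot take effect on an executable.
mode_to_symbolic() {
    n=$(( 0$1 ))          # leading 0 makes the shell parse the digits as octal
    out="-"               # file-type column; a directory would show "d" here
    for who in u g o; do
        case $who in
            u) pos=6; sbit=$(( n & 04000 )); sch=s ;;
            g) pos=3; sbit=$(( n & 02000 )); sch=s ;;
            o) pos=0; sbit=$(( n & 01000 )); sch=t ;;
        esac
        bits=$(( (n >> pos) & 7 ))
        r=-; w=-; x=-
        if [ $(( bits & 4 )) -ne 0 ]; then r=r; fi
        if [ $(( bits & 2 )) -ne 0 ]; then w=w; fi
        if [ $(( bits & 1 )) -ne 0 ]; then x=x; fi
        if [ "$sbit" -ne 0 ]; then
            if [ "$x" = x ]; then x=$sch; else case $sch in s) x=S ;; t) x=T ;; esac; fi
        fi
        out="$out$r$w$x"
    done
    echo "$out"
}

# special_bits names the special bits set in a mode, one per line, with the
# effect each has on a directory (the case the slides discuss).
special_bits() {
    n=$(( 0$1 ))
    if [ $(( n & 04000 )) -ne 0 ]; then echo "SUID (ignored on directories by Linux)"; fi
    if [ $(( n & 02000 )) -ne 0 ]; then echo "SGID (new files inherit the directory's group)"; fi
    if [ $(( n & 01000 )) -ne 0 ]; then echo "sticky (only a file's owner, the directory owner or root may delete it)"; fi
}
```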
Tracking Access Through Logs (1 of 2)
Service daemons: syslogd, klogd, rsyslogd or sysklogd
Log messages are classified as auth or authpriv, known as facilities.
Both transmit the same messages; the authpriv facility is normally associated with a more secure file.
Tracking Access Through Logs (2 of 2)
ng as the syslog implementation
rsyslog is default for Ubuntu and Red Hat
Authorization log files
cron script rotates logs weekly per /etc/logrotate.conf file
Linux systems configured in this way typically include several weeks of logs
The size of log files may be important; a big jump in the size of any log file indicates increased activity.
This may be the result of user-based cron jobs that run more frequently; it may also reflect a large number of external login attempts.
Failed Remote Login Attempts
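An added example, not from the slides: a constructed sample of auth.log lines and two shell functions that count failed sshd password attempts per source host, the kind of check behind the "big jump in log size" observation above. The sample lines, host name and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the slides). Constructed /var/log/auth.log-style
# lines; the host, addresses, PIDs and times are made up for the demonstration.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar  3 10:01:19 host sshd[2104]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 10:02:03 host sshd[2110]: Accepted publickey for adelle from 192.0.2.10 port 40022 ssh2
Mar  3 10:02:40 host sshd[2115]: Failed password for adelle from 192.0.2.10 port 40030 ssh2
Mar  3 10:03:01 host sudo:   adelle : TTY=pts/0 ; PWD=/home/adelle ; USER=root ; COMMAND=/sbin/fdisk /dev/sdb'

# failed_ssh_by_source reads the given log file(s) and prints "count source"
# for every host with a failed sshd password attempt, busiest first. Only
# sshd "Failed password" lines count; accepted logins and sudo entries do not.
failed_ssh_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++
        }
        END { for (s in src) print src[s], s }' "$@" | sort -rn
}

# sources_over_threshold prints only the sources with at least $1 failures,
# a simple trigger for the "many external login attempts" case.
# Usage: sources_over_threshold 3 /var/log/auth.log
sources_over_threshold() {
    limit=$1; shift
    failed_ssh_by_source "$@" | awk -v lim="$limit" '$1 >= lim { print $2 }'
}
```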
Pluggable Authentication Modules (PAMs)
Works as an additional layer of security for users.
Many services and systems are PAM-aware.
PAM configuration files are found in the /etc/pam.d/ directory.
To search applicable archives and review available PAM modules for a distribution:
  Red Hat–based system: yum search
  Ubuntu system: apt-cache search libpam
PAM-Related Packages on Ubuntu
The Structure of a PAM Configuration File (1 of 2)
module_type control_flag module_file (arguments)
PAM module types:
auth: Authenticates users by verifying passwords, group memberships, and even
Kerberos tickets. Also known as authentication management.
account: Checks the validity of the account based on expiration dates, time limits,
or configuration files with restricted users. Also known as account management.
password: Controls changes to user passwords. It may also control the number of
login attempts. Also known as password management.
session: Makes the connection work. It may mount appropriate directories and
send information to system logs. Also known as session management.
An implicit fifth module type, include, incorporates the configuration directives
from another file.
The Structure of a PAM Configuration File (2 of 2)
PAM control flags:
required: Indicates that the module in the current line must work before PAM proceeds to the next line in the file. If the module doesn't work, the authentication attempt fails. However, PAM proceeds to test the lines that follow.
requisite: Indicates that the module in the current line must work before
PAM proceeds to the next line in the file. If the module doesn’t work, the
authentication attempt fails, and PAM does not proceed to the lines that follow.
sufficient: Assuming no previous required or requisite control flag has
failed, success in the sufficient flag means the request for access is approved.
optional: Is normally ignored unless no other control flags have returned
success or failure.
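An added example, not from the slides: a small shell evaluator for the four control flags exactly as they are defined above. Each argument stands for one line of a PAM stack written as "flag result", where result is the constructed outcome (ok or fail) of that line's module; the function applies the flag rules and prints allow or deny.

```shell
#!/bin/sh
# Added example (not from the slides): a small evaluator for the four PAM
# control flags as defined above. Each argument is one stack line written as
# "flag result", where result is the constructed outcome (ok or fail) of the
# module on that line. Prints allow or deny and returns 0 or 1 accordingly.
pam_stack() {
    failed=0        # set once a required or requisite module has failed
    verdict=""      # set when a flag ends processing before the last line
    others=0        # 1 if the stack holds any non-optional module
    opt_fail=0      # 1 if any optional module failed
    for entry in "$@"; do
        flag=${entry%% *}
        result=${entry#* }
        case $flag in
            required)           # failure is fatal, but later lines still run
                others=1
                if [ "$result" = fail ]; then failed=1; fi ;;
            requisite)          # failure is fatal and stops the stack at once
                others=1
                if [ "$result" = fail ]; then verdict=deny; break; fi ;;
            sufficient)         # success approves access, unless something
                others=1        # required or requisite has already failed
                if [ "$result" = ok ] && [ "$failed" -eq 0 ]; then
                    verdict=allow; break
                fi ;;
            optional)           # counts only when no other flag type is present
                if [ "$result" = fail ]; then opt_fail=1; fi ;;
            *)
                echo "unknown control flag: $flag" >&2; return 2 ;;
        esac
    done
    if [ -z "$verdict" ]; then
        if [ "$failed" -eq 1 ]; then verdict=deny
        elif [ "$others" -eq 0 ] && [ "$opt_fail" -eq 1 ]; then verdict=deny
        else verdict=allow
        fi
    fi
    echo "$verdict"
    [ "$verdict" = allow ]
}
```

Note the order dependence: a sufficient line placed before a required one can approve access before the required check ever runs, which is why stack order matters as much as the flags themselves.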
Authorizing Access with Polkit
Is a way of solving the administrative permission problem in Linux
Is a framework that provides the higher-level function without the whole program having to gain administrative access
Is written with authentication agents and applications that use the authentication agents
Uses an application programming interface (API) so applications can be written to use polkit
The sudo and su commands work well for escalation of privileges on the command line
Polkit allows for escalation of privileges to run graphical programs without running the entire program as root
Network User Verification Tools (1 of 3)
Network Information Service (NIS)
LDAP and NIS are directory services that use authentication databases.
Linux systems can also be configured to use Microsoft-based authentication systems.
Their usernames and passwords can be translated to Linux usernames and passwords with the right plug-in.
Linux can be configured, using PAM, to authenticate users against a Microsoft Active Directory server.
Network User Verification Tools (2 of 3)
LDAP can also be used to authenticate users on Microsoft and Apple operating
systems.
LDAP supports encryption using Transport Layer Security (TLS).
Encryption requires a digital certificate. Without an encryption certificate, LDAP
would transmit passwords over a network in cleartext.
You can purchase a digital certificate from an official authority such as VeriSign,
Comodo, or GoDaddy.
Alternatively, you can create an unofficial digital certificate with the openssl
command. This is sometimes known as a self-signed certificate.
Network User Verification Tools (3 of 3)
NIS allows you to use the standard shadow password suite files as the authentication database for the local network.
NIS transmits data, including password hashes, over the network without encryption.
Any unauthorized user who gets hold of these password hashes can eventually crack such passwords. It's recommended that you avoid NIS.
Best Practices: User Privileges and Permissions (1 of 2)
/etc/shadow and /etc/gshadow should be readable only by the root
administrative user.
Linux administrators need to know how to create, delete, and otherwise
manage user accounts from the command line.
The SUID, SGID, and sticky bits are special permissions that support different
kinds of access by regular users.
Linux provides a hierarchy of administrative privileges. Some administrative
privileges are tied to membership in certain Linux groups.
Linux system and kernel logs are stored in the /var/log/ directory.
Best Practices: User Privileges and Permissions (2 of 2)
The success or failure of the PAM module depends on the control flag that
applies.
The polkit regulates:
Access between the dbus system and components that you may want to
control in the graphical user interface (GUI)
Access to a variety of tools by user
Access by whether the user is local or remote
The two Linux-based authentication databases are NIS and LDAP.
Summary
User and group privileges and permissions
Pluggable authentication modules (PAMs) and the polkit package
Network user verification tools
Best practices for user privileges and permissions