Linuxsec3e PPT ch04


CHAPTER 4
User Privileges and Permissions

Copyright © 2024 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts

Learning Objective(s)
• Explain user account management, configure file permissions and filesystem settings, enforce encryption, and secure Linux services.

Key Concepts
• The shadow password suite
• User and group privileges and permissions
• Pluggable authentication modules (PAMs) and the polkit package
• Network user verification tools
• Best practices for user privileges and permissions
The Shadow Password Suite (1 of 2)

• The files of the shadow password suite are fundamental to Linux.
• Essential system functionality relies on them, including the pluggable authentication modules (PAMs) system and all interactive logins.
• Other critical files for granting permission include the passwd and group files.
The Shadow Password Suite (2 of 2)

• /etc/passwd
  • Contains basic information for each user account
  • Defines users configured on the local system
• /etc/shadow
  • Adds detailed password information for the users defined in the /etc/passwd file
  • Stores each password as a salted hash, normally using the MD5 algorithm
• /etc/group
  • Contains basic information for each group account
  • Defines groups configured on the local system
• /etc/gshadow
  • Is analogous to the /etc/shadow file, except for groups
/etc/login.defs Security-Related Directives for New Users and Groups (1 of 2)

DIRECTIVE        DESCRIPTION
FAILLOG_ENAB     Failed login attempts are collected in the binary /var/log/faillog file.
LOG_OK_LOGINS    Successful logins are collected in a log file defined by /etc/syslog.conf.
SYSLOG_SU_ENAB   Uses of the su command are logged.
SYSLOG_SG_ENAB   Uses of the sg command are logged.
FTMP_FILE        Login failures are collected in an associated file.

/etc/login.defs Security-Related Directives for New Users and Groups (2 of 2)

DIRECTIVE        DESCRIPTION
PASS_MAX_DAYS    Maximum number of days a password can be used.
PASS_MIN_DAYS    Minimum number of days a password must be retained.
PASS_MIN_LEN     Minimum password length.
LOGIN_TIMEOUT    Maximum time for a console login.
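As an added example (not from the slides), the Python audit below parses constructed /etc/passwd and /etc/shadow records and applies the points on the preceding slides: UID 0 should belong only to root, each shadow hash carries a prefix naming its algorithm ($1$ is MD5-crypt, $6$ SHA-512, $y$ yescrypt), and a password's age should not exceed PASS_MAX_DAYS. The records, the hash values and PASS_MAX_DAYS = 90 are assumed.

```python
# Added example (not from the slides): audit constructed /etc/passwd and
# /etc/shadow records against the rules above. Records and PASS_MAX_DAYS are assumed.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
adelle:x:1000:1000:Adelle:/home/adelle:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
svc:x:1001:1001:service:/srv/svc:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$fakehashvalue:19000:0:99999:7:::
adelle:$1$abcdefgh$fakehashvalue:19700:0:99999:7:::
backup:*:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""
PASS_MAX_DAYS = 90  # assumed value of the /etc/login.defs directive

# crypt(3) prefixes that identify the hash algorithm stored in the shadow file.
HASH_IDS = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512", "$y$": "yescrypt"}


def parse_colon_file(text):
    """Map the first field (the name) to the full field list of each record."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit(passwd_text, shadow_text, today_days, max_days=PASS_MAX_DAYS):
    """Return sorted (user, finding) tuples. today_days is days since 1970-01-01,
    the same unit the shadow file uses in its last-change field (field 3)."""
    findings = []
    for user, f in parse_colon_file(passwd_text).items():
        if f[2] == "0" and user != "root":
            findings.append((user, "uid 0 account other than root"))
        if f[1] != "x":
            findings.append((user, "password hash kept in /etc/passwd, not shadowed"))
    for user, f in parse_colon_file(shadow_text).items():
        pw = f[1]
        if pw == "":
            findings.append((user, "empty password field: login needs no password"))
        elif pw.startswith(("*", "!")):
            continue  # locked account; nothing to check
        else:
            if HASH_IDS.get(pw[:3], "unknown") == "MD5":
                findings.append((user, "legacy MD5 hash; rehash with SHA-512 or yescrypt"))
            if today_days - int(f[2]) > max_days:
                findings.append((user, f"password older than PASS_MAX_DAYS ({max_days})"))
    return sorted(findings)
```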


Shadow Password Suite Commands

COMMAND    DESCRIPTION
useradd    Adds users to the shadow password suite based on defaults in /etc/login.defs, except where modified by useradd command options.
usermod    Modifies user settings in the shadow password suite.
userdel    Deletes users. By itself, the command retains the user's home directory.
groupadd   Creates a new group.
groupmod   Modifies group information.
groupdel   Deletes an existing group.
groups     Lists group membership of the current user.
chage      Revises aging information for a user's password.
Available User Privileges

• Privileges that users may want on regular workstations
• The permissions in question support access to hardware such as:
  • Modems
  • Sound cards
  • Printers
  • Scanners
• Ubuntu user privileges to special hardware are implemented through group memberships
  • Ubuntu groups are listed in /etc/group
  • Ubuntu groups are described in the Users Settings tool, accessible with the users-admin command
(Figure slide: Group Listing in the Ubuntu Users Settings Tool)

(Figure slide: Adding Users to Groups)
Groups with Special Permissions for Users (1 of 2)

GROUP NAME   DESCRIPTION
plugdev      Access external storage devices automatically
admin        Administer the system
lpadmin      Configure printers
dip          Connect to the Internet using a modem
netdev       Connect to wireless and Ethernet networks
adm          Monitor system logs
fuse         Mount user-space filesystems (FUSE)*
* FUSE is an acronym for Filesystems in USErspace.
Groups with Special Permissions for Users (2 of 2)

GROUP NAME   DESCRIPTION
fax          Send and receive faxes
sambashare   Share files with the local network
audio        Use audio devices
cdrom        Use CD-ROM drives
floppy       Use floppy drives
dialout      Use modems
tape         Use tape drives
video        Use video devices
Securing Groups of Users: User Private Group Scheme

• Linux users are assigned to at least one group.
• Every username has a primary group.
• To identify the primary group, review the third and fourth fields in the /etc/passwd file.
• To verify group names, check the /etc/group file.
• Linux distributions that don't implement the user private group scheme may assign all users to the same group.
Securing Groups of Users: Create a Special Group

How to set up a /home/special directory for a series of users in a group named project:

1. Run the mkdir /home/special command to create the directory.
2. Create the group named project. For example, to create a group named project with a GID of 100000, run the # groupadd -g 100000 project command.
3. Assign users to the project group.
4. Set up appropriate ownership in the newly created directory.
5. Use the following command to set up special octal permissions on the directory: # chmod 2770 /home/special
The su and sg Commands (1 of 2)

• The su and sg commands allow users to assume the identity of others.
• You can use the su command by itself to log in from a regular account into the root administrative account. You will be prompted for the root password.
• You can use the su command to log into a different account. For example, if you have the password of the user named adelle, you can log into his or her account with the following command:
  $ su - adelle
• You assume the identity of the adelle user or group until you log out.
The su and sg Commands (2 of 2)

• The sg command allows a user to join a group on a temporary basis. It works only if there's a group password in the /etc/gshadow file.
• For example, if you have a regular account named adelle and have the group password for a group named project, you can use the sg command to access that directory. The following command would copy the noted file from user adelle's home directory to the project directory:
  $ sg project -c 'cp /home/adelle/mycontribution.doc /home/project'
• Because the root administrative password is all-powerful for a system, it should be shared with as few people as possible.
• That's one reason for the sudo command, covered next.
The sudo Command

• The Linux way to configure limited administrative permissions is based on the sudo command, configured in the /etc/sudoers configuration file.
• With sudo, an authorized user need only enter their own regular password to run configured administrative commands.
• Ubuntu distributions don't have a root administrative password; Ubuntu disables logins to the root account.
• The first user on an Ubuntu system is given membership in the admin group.
• A regular user who is a member of the admin group can run administrative commands with full privileges (if that group is appropriately configured in /etc/sudoers).
Using the sudo Command

• Example: If your account is a member of the admin group, you could open the second SATA drive on the local system for editing with the following command:
  $ sudo /sbin/fdisk /dev/sdb
• The first time such a trusted user prefaces an administrative command with the sudo command, he or she will see the following response:

  We trust you have received the usual lecture from the
  local System Administrator. It usually boils down to these
  three things:
      #1) Respect the privacy of others.
      #2) Think before you type.
      #3) With great power comes great responsibility.
Regular and Special Permissions (1 of 2)

• Permissions
  • User: User who owns the file
  • Group: Users in the group that owns the file
  • Other users: All other users
• Regular permissions
  • Read
  • Write
  • Execute
• Special permission
  • Extends executable permissions

Regular and Special Permissions (2 of 2)

• Set user ID (SUID) bit
  • A special permission that allows others to execute the given file with the rights of the user owner of the file
• Set group ID (SGID) bit
  • A special permission commonly applied to shared directories
  • Changes the group ownership of files added to a shared directory
  • Is frequently found on executable files intended to be run by groups
• Sticky bit
  • Normally applied to shared directories
  • Allows any user to add files to and delete files from a shared directory
  • Does not change the ownership of files added to that directory
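The following decoder is an added example, not from the slides: it turns an octal mode such as the 2770 used for /home/special above into the string ls -l shows, lists the SUID, SGID and sticky bit meanings, and adds two combinations a reviewer would flag. It uses only the Python standard library; the temporary directory in the demo stands in for /home/special.

```python
# Added example (not from the slides): decode an octal mode into the string
# ls -l prints and explain its special bits. Covers the 2770 mode from the
# /home/special procedure and the SUID, SGID and sticky bit slides.
import os
import stat
import tempfile

SPECIAL_BITS = {
    stat.S_ISUID: "SUID: the file runs with the rights of its user owner",
    stat.S_ISGID: "SGID: an executable runs with its group's rights; a directory passes its group to new files",
    stat.S_ISVTX: "sticky: only a file's owner (or root) can delete it here",
}


def describe(octal_text, is_dir=False):
    """Return (symbolic mode, notes) for a mode string such as '2770'."""
    mode = int(octal_text, 8)
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    notes = [text for bit, text in SPECIAL_BITS.items() if mode & bit]
    # Defender's checks, beyond the slides: combinations worth reviewing.
    if mode & stat.S_ISUID and mode & stat.S_IWOTH:
        notes.append("RISK: SUID file writable by others")
    if is_dir and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        notes.append("RISK: world-writable directory without sticky bit")
    return stat.filemode(mode | kind), notes


def check_path(path):
    """Apply describe() to a real path, e.g. /home/special after chmod 2770."""
    st = os.stat(path)
    return describe(oct(stat.S_IMODE(st.st_mode))[2:], stat.S_ISDIR(st.st_mode))


if __name__ == "__main__":
    # Stand-in for /home/special: a temporary directory given mode 2770.
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o2770)
    print(check_path(shared))
    for text, d in (("4755", False), ("1777", True), ("777", True)):
        print(text, *describe(text, d))
    os.rmdir(shared)
```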
Tracking Access Through Logs (1 of 2)

• Service daemons
  • syslogd
  • klogd
  • rsyslogd or sysklogd
• Log messages are classified as auth or authpriv, known as facilities
  • Both transmit the same messages; the authpriv facility is normally associated with a more secure file

Tracking Access Through Logs (2 of 2)

• Authorization log options
  • Depending on preference and the distribution default, either rsyslog or syslog-ng serves as the syslog implementation
  • rsyslog is the default for Ubuntu and Red Hat
• Authorization log files
  • A cron script rotates logs weekly per the /etc/logrotate.conf file
  • Linux systems configured in this way typically include several weeks of logs
  • The size of log files may be important; a big jump in the size of any log file indicates increased activity
  • This may be a result of user-based cron jobs that run more frequently; it may also reflect a large number of external login attempts
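As an added example (not from the slides) of the external login attempts just mentioned, this Python snippet counts failed sshd logins per source address over constructed auth log lines in rsyslog's text format; host names and addresses are placeholders from the RFC 5737 documentation ranges.

```python
# Added example (not from the slides): count failed remote login attempts per
# source address in constructed auth log lines. The lines are not from a real
# system; the addresses are RFC 5737 documentation addresses.
import re
from collections import defaultdict

AUTH_LOG = """\
Mar  3 09:12:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:03 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 09:12:05 host1 sshd[2104]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:14:40 host1 sshd[2110]: Accepted publickey for adelle from 192.0.2.10 port 40122 ssh2
Mar  3 09:15:02 host1 sshd[2120]: Failed password for adelle from 192.0.2.10 port 40130 ssh2
Mar  3 09:20:00 host1 CRON[2130]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# sshd sends these through the authpriv facility; the pattern keeps the user
# name (whether or not the account exists) and the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_by_source(log_text):
    """Return {source: {"attempts": int, "users": set, "invalid_users": int}}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid_users": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, source = m.groups()
        entry = stats[source]
        entry["attempts"] += 1
        entry["users"].add(user)
        if "invalid user" in line:
            entry["invalid_users"] += 1  # guessing names, not just passwords
    return dict(stats)


def flag_sources(log_text, min_attempts=3):
    """Sources at or above min_attempts, busiest first: the spike in external
    login attempts shows up here before it shows up as log file growth."""
    stats = failed_by_source(log_text)
    hits = [(s, d["attempts"]) for s, d in stats.items() if d["attempts"] >= min_attempts]
    return [s for s, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]
```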
(Figure slide: Failed Remote Login Attempts)
Pluggable Authentication Modules (PAMs)

• Used primarily to regulate access to administrative tools and commands
• Works as an additional layer of security for users
• Many services and systems are PAM-aware
• PAM configuration files are found in the /etc/pam.d/ directory
• To search applicable archives and review available PAM modules for a distribution:
  • Red Hat–based system: yum search
  • Ubuntu system: apt-cache search libpam
(Figure slide: PAM-Related Packages on Ubuntu)
The Structure of a PAM Configuration File (1 of 2)

• Each line in a PAM configuration file is set up in the following format:
  module_type control_flag module_file (arguments)
• PAM module types:
  • auth: Authenticates users by verifying passwords, group memberships, and even Kerberos tickets. Also known as authentication management.
  • account: Checks the validity of the account based on expiration dates, time limits, or configuration files with restricted users. Also known as account management.
  • password: Controls changes to user passwords. It may also control the number of login attempts. Also known as password management.
  • session: Makes the connection work. It may mount appropriate directories and send information to system logs. Also known as session management.
• An implicit fifth module type, include, incorporates the configuration directives from another file.
The Structure of a PAM Configuration File (2 of 2)

• PAM control flags
  • required: Indicates that the module in the current line must succeed before PAM proceeds to the next line in the file. If the module fails, the authentication attempt fails. However, PAM proceeds to test the lines that follow.
  • requisite: Indicates that the module in the current line must succeed before PAM proceeds to the next line in the file. If the module fails, the authentication attempt fails, and PAM does not proceed to the lines that follow.
  • sufficient: Assuming no previous required or requisite control flag has failed, success of a sufficient module means the request for access is approved.
  • optional: Is normally ignored unless no other control flags have returned success or failure.
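As an added example (not from the slides), the Python code below parses lines in the module_type control_flag module_file format and evaluates an auth stack under the four control flags just defined; the stack and the per-module outcomes are constructed, and the real module file names serve only as labels (nothing is executed).

```python
# Added example (not from the slides): parse a PAM stack and evaluate it
# under the four control flags. Stack text and module outcomes are constructed.
PAM_LOGIN = """\
# constructed stack, modelled on an /etc/pam.d/login auth section
auth     requisite   pam_securetty.so
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so nullok_secure
auth     optional    pam_warn.so
account  required    pam_unix.so
"""


def parse_pam(text):
    """Return (module_type, control_flag, module_file, arguments) per line;
    include lines are not expanded here."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            mtype, flag, module, *args = line.split()
            stack.append((mtype, flag, module, args))
    return stack


def evaluate(stack, outcomes, mtype="auth"):
    """Return (granted, modules_consulted) for one module type.
    outcomes maps module file -> True/False; a missing module counts as failing.
      required   failure denies, but later lines still run
      requisite  failure denies and stops the stack
      sufficient success grants at once unless required/requisite failed earlier
      optional   counts only when no other flag produced a result
    """
    failed, decisive, optional_ok, consulted = False, False, [], []
    for t, flag, module, _args in stack:
        if t != mtype:
            continue
        ok = outcomes.get(module, False)
        consulted.append(module)
        if flag == "required":
            decisive, failed = True, failed or not ok
        elif flag == "requisite":
            decisive = True
            if not ok:
                return False, consulted
        elif flag == "sufficient":
            decisive = decisive or ok  # a failed sufficient line is just skipped
            if ok and not failed:
                return True, consulted
        elif flag == "optional":
            optional_ok.append(ok)
    if not decisive:
        return bool(optional_ok) and all(optional_ok), consulted
    return not failed, consulted
```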
Authorizing Access with Polkit

• The polkit package:
  • Is a way of solving the administrative permission problem in Linux
  • Is a framework that provides the higher-level function without the whole program having to gain administrative access
  • Is written with authentication agents and applications that use the authentication agents
  • Uses an application programming interface (API) so applications can be written to use polkit
• The sudo and su commands work well for escalation of privileges on the command line
• Polkit allows for escalation of privileges to run graphical programs, to avoid running the entire program as root
Network User Verification Tools (1 of 3)

• Linux includes two basic options for network-based authentication:
  • Lightweight Directory Access Protocol (LDAP)
  • Network Information Service (NIS)
• LDAP and NIS are directory services that use authentication databases.
• Linux systems can also be configured to use Microsoft-based authentication systems.
  • Their usernames and passwords can be translated to Linux usernames and passwords with the right plug-in.
• Linux can be configured, using PAM, to authenticate users against a Microsoft Active Directory server.
Network User Verification Tools (2 of 3)

• If you're configuring authentication on a network, LDAP may be the more secure choice.
• LDAP can also be used to authenticate users on Microsoft and Apple operating systems.
• LDAP supports encryption using Transport Layer Security (TLS).
  • Encryption requires a digital certificate. Without an encryption certificate, LDAP would transmit passwords over a network in cleartext.
  • You can purchase a digital certificate from an official authority such as VeriSign, Comodo, or GoDaddy.
  • Alternatively, you can create an unofficial digital certificate with the openssl command. This is sometimes known as a self-signed certificate.
Network User Verification Tools (3 of 3)

• NIS allows you to use the standard shadow password suite files as the authentication database for the local network.
• NIS transmits data, including password hashes, over the network without encryption.
• Any unauthorized user who gets hold of these password hashes can eventually crack such passwords. It's recommended that you avoid NIS.
Best Practices: User Privileges and Permissions (1 of 2)

• Protect the files of the shadow password suite.
  • /etc/shadow and /etc/gshadow should be readable only by the root administrative user.
• Linux administrators need to know how to create, delete, and otherwise manage user accounts from the command line.
• The SUID, SGID, and sticky bits are special permissions that support different kinds of access by regular users.
• Linux provides a hierarchy of administrative privileges. Some administrative privileges are tied to membership in certain Linux groups.
• Linux system and kernel logs are stored in the /var/log/ directory.
Best Practices: User Privileges and Permissions (2 of 2)

• PAM modules are used to regulate access to administrative commands.
  • The success or failure of the PAM module depends on the control flag that applies.
• The polkit regulates:
  • Access between the dbus system and components that you may want to control in the graphical user interface (GUI)
  • Access to a variety of tools by user
  • Access by whether the user is local or remote
• The two Linux-based authentication databases are NIS and LDAP.
Summary

• The shadow password suite
• User and group privileges and permissions
• Pluggable authentication modules (PAMs) and the polkit package
• Network user verification tools
• Best practices for user privileges and permissions
