Linux for Newbie (Part 4.2)
2 Users, passwords, file permissions, and security
2.1 Home directories, root, adding users
The (almost) only place on the hard drive that normal users (non-root) can write to is their home directory, which is /home/user_login_name. This "home" directory is for all user files: settings, program configuration files, documents, data, netscape cache, mail, etc. As a user, you can create subdirectories under your home directory to keep yourself organized. Other users cannot read your files or write to your home directory unless you give them permission to do so.
Normal users can also see, read and execute many other files on the system (besides their home directory), but they normally cannot modify or remove them.
The "root" (also called "super user") is a special administrative account that has the power to modify any file on the system. It is not a good idea to habitually work on your system as root--your mistakes can cost you dearly. Set up and use a normal user account for everyday work for yourself, another user account for your son, and yet another for your wife. The root account is the only account that exists on Linux after the initial installation.
A user account can be created by root using, for example:
adduser joe
passwd joe
[type the password for the user joe]
Root can change any user’s password, although s/he cannot read it. [Passwords are encrypted using a one-way encryption algorithm and only this encrypted version is stored on the system, in the file /etc/passwd; the "open" version is never stored. When you log in, the password you type is encrypted again using the same one-way algorithm and compared with the already encrypted version stored in the file /etc/passwd (older systems) or /etc/shadow (newer systems).]
The separation of the administrator and user makes Linux systems secure and robust--it even makes viruses under Linux difficult (the programs that a user runs can write only to his/her own directories, and therefore cannot affect the vital parts of the operating system).
It is customary that the user changes his/her password immediately after the first login, for example:
passwd
(current) UNIX password: pass_OLD
New UNIX password: pass_NEW
Retype New UNIX password: pass_NEW
In reality, the password will not appear on the screen as you type it (for security reasons).
2.2 About password security
Weak passwords are probably the most common source of security problems. Even at home, you may expose yourself to trouble if somebody is able to hack your computer when you browse the Internet and read your files. Here are some examples of hazardous passwords:
- no password (possible!);
- the word "password" (wow, this one is really weak!);
- your first or last name or your user login name;
- name of your wife (husband), daughter, girlfriend, dog, etc.;
- name of your company, department, workgroup, etc.;
- date of your birth;
- password written in the calendar on your desk or on the side of your computer;
- any word which is in the dictionary (the dictionary does not contain as many words as it might seem; a skillful hacker can set up a program to try them all);
- a password which you also use in an insecure public place, for example an Internet store or a mailing list.
A good password is relatively long (minimum 6 letters), contains a mixture of letters (upper and lower case, if possible) and numbers, and is changed quite regularly (8 weeks?).
The system administrator can set the password policy through the utility included in this configuration program (run as root):
linuxconf
under the menu "user account"-"policies"-"password & account policies".
Also make sure that any file that contains a password (e.g., /root/.kde/share/config/kppprc) has proper secure permissions so that it cannot be read by anybody. Most likely you want:
chmod 600 kppprc
2.3a I forgot the root password
Even if I never forget any passwords, I would still study this issue in detail because it can give me a hint on how my mother might be reading my ICQ chat history :-)
First method. The easiest way to solve your "forgotten root password" problem is to boot your Linux in the single-user mode, namely at the "lilo" prompt (during bootup) type:
linux single
This will make you "root" without asking for password. Now, being root, you may change the root password using this command (no knowledge of the old password required):
passwd
If it strikes you as insecure, that’s because no computer system is secure if other people have physical access to your hardware. Nevertheless, I did not like the "linux single" hole on my home computer and plugged it by adding the following lines to my /etc/lilo.conf file (at the end of the "image=" section):
password="my_password"
restricted
[This "lilo" password is required when, at the LILO prompt during bootup, somebody enters the word "linux" with any parameter (normal bootup without any parameters will still be possible without a password).] For the changes to /etc/lilo.conf to take effect, I must re-run the command lilo. Since my lilo password is not encrypted, I must make /etc/lilo.conf readable only for root:
chmod 600 /etc/lilo.conf
Second Method. Another way to solve the "lost-root-password" problem is to boot your computer from the Linux boot diskette, find your Linux root partition on the hard drive, mount it, and edit the file /etc/passwd. (I can do it because after booting from the floppy, I become root without being asked for a password.) In the password file, I erase the encrypted password for root, so it is empty. For example, the /etc/passwd entry for root may look like this:
root:abcdefghijklm:0:0:root:/root:/bin/bash
The "abcdefghijklm" is a 13-character encrypted password (actually, it is a 2-character "salt" used for encryption and an 11-character encrypted password). I would change this line to:
root::0:0:root:/root:/bin/bash
Now, the root account has no password, so I can reboot the computer and, at the login prompt, type "root" and for password just press ENTER (empty, no password). After a successful login, I immediately set the password for root using the command:
passwd
The above applies to traditional UNIX and RH5.2 password files. In newer systems (e.g., RH6.0 and RH6.1), a more secure setup is used which utilizes a shadow password file. In this case, the file /etc/passwd contains just an "x" in the field where the encrypted password used to be traditionally stored. The encrypted password is stored in the file /etc/shadow. [This increases the security because of the different permissions on the files: the file /etc/passwd can be read by anybody but /etc/shadow cannot. Additionally, the shadow password system allows passwords longer than 8 characters, and adds extra goodies like password expiry policy, etc.] As root, you can manipulate the file /etc/shadow as you would /etc/passwd.
To make the "floppy access" to my system a little bit more difficult, I considered running a computer without a floppy drive :-) Unfortunately, Linux CDs are bootable these days. I set up my boot sequence (in the BIOS setup) so that the system boots from the hard drive before floppy and CDROM are tried, and added an "administrative" password on changes to the BIOS settings. Still, I worry that these BIOS passwords are so easily crackable and also one could remove my hard drive and connect it to another computer for reading :-) . I am considering an "encrypted file system" which is now available on Linux, but considering all the trouble associated with it, perhaps I will settle on locking my room :-) . If all this sounds paranoid to you, it probably is--it just illustrates the point that there is little computer security, even under Linux, if the potential cracker has physical access to your hardware.
2.3b I forgot my user password.
If a regular (non-root) user forgets his/her password, this is not a problem since root can change any password. For example (as root):
passwd barbara
will prompt for a new password for the user "barbara" (no knowledge of old password required). If a user (non-root) wants to change his/her password, s/he will be asked for the old password first. (This is a security feature so nobody changes your password if you left your terminal unattended.)
If you need to temporarily disable any user account, there is no need to change his/her password. Just put an asterisk "*" at the beginning of the password field (before the encrypted password) in the file /etc/passwd or /etc/shadow. The "*" means that no login is permitted for this account. When you want to restore the account, you just erase the star and the user account is back in operation, with its old password.
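The password-field states described in sections 2.3a and 2.3b (empty, "x", a leading "*", or a hash kept in /etc/passwd itself) can be checked mechanically. The script below is an added example, not part of the original guide; the function names and the sample entries are constructed for illustration, and it reads a copy of the file rather than changing anything.

```shell
#!/bin/sh
# Added example (not from the original guide): classify the password field
# of passwd-format entries. Function names and sample data are constructed.

audit_passwd_fields() {
    # $1 = passwd-format file. Prints "login STATUS" for every entry.
    #   EMPTY-PASSWORD  field is empty: pressing ENTER logs in
    #   SHADOWED        field is "x": the hash is kept in /etc/shadow
    #   LOGIN-DISABLED  field starts with "*" (as in the text) or with
    #                   the "!" prefix that passwd -l writes
    #   HASH-IN-PASSWD  hash sits in the world-readable file itself
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }
        {
            if (NF != 7)            s = "MALFORMED"
            else if ($2 == "")      s = "EMPTY-PASSWORD"
            else if ($2 == "x")     s = "SHADOWED"
            else if ($2 ~ /^[*!]/)  s = "LOGIN-DISABLED"
            else                    s = "HASH-IN-PASSWD"
            print $1, s
        }' "$1"
}

needs_attention() {
    # Only the entries an administrator should act on.
    audit_passwd_fields "$1" |
        awk '$2 == "EMPTY-PASSWORD" || $2 == "HASH-IN-PASSWD" || $2 == "MALFORMED"'
}

write_sample_passwd() {
    # Constructed entries; "abcdefghijklm" is the placeholder hash from the text.
    cat > "$1" <<'EOF'
root::0:0:root:/root:/bin/bash
yogin:x:500:500::/home/yogin:/bin/bash
peter:abcdefghijklm:501:501::/home/peter:/bin/bash
barbara:*abcdefghijklm:502:502::/home/barbara:/bin/bash
EOF
}

demo=$(mktemp) || exit 1
write_sample_passwd "$demo"
audit_passwd_fields "$demo"
rm -f "$demo"
```

On a real system, run audit_passwd_fields against /etc/passwd; an EMPTY-PASSWORD result for root is exactly the state left behind by the second recovery method until passwd is run again.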
2.4 I have file permission problems. How do file ownership and permissions work?
Linux (the same as UNIX) is a secure, multiuser operating system, and this creates a level of complexity with "file permissions". Trouble with file permissions can lead to unexpected and nasty problems. Understanding file permissions is of utmost importance to be able to administer any multiuser operating system (be it UNIX, WinNT, or Linux). My advice would be: learn the system of Linux (or any UNIX) file permission conventions, you will not regret it.
The permission conventions are the same for normal files and directories, so whatever is said about files below, applies also to directories. It is also important to remember that lower level directories (and the files the directories contain) inherit the permissions of their parents. Therefore don’t expect to have any permissions to the subdirectory (or a file residing in it) if you don’t have any to the parent.
File owners. Each file belongs to an owner (typically a login name) and to a group. The owner is typically the person who created (or copied) the file. The group often consists of one person--the owner, and has the name identical to that of the owner, but it does not need to be so. A file can be removed (erased) only by the owner of the file, or a member of the group that owns the file, or the root. Yet other users may be able to modify or erase the content of the file if they are given the permission to do so--read on. The owner and group that owns the file will be shown in the output from the ls -l command (="list in the long format"). For example, the command:
ls -l junk
produced this output on my screen:
-rwx------ 1 yogin inca 27 Apr 24 14:12 junk
This shows the file "junk", belonging to the owner "yogin" and to the group "inca".
The ownership of a file can be changed using the commands chown (change owner) and chgrp (change group), which are normally executed by root:
chown peter junk
chgrp peter junk
ls -l junk
After executing the above 3 lines, the command ls -l junk produces this output on my screen:
-rwx------ 1 peter peter 27 Apr 25 20:27 junk
Changing the file ownership comes in handy if you move/copy files around as root for use by other users. At the end of your housekeeping you typically want to hand over the file ownership to the proper user.
File permissions. Now, an owner of a file can make the file accessible in three modes: read (r), write (w) and execute (x) to three classes of users: owner (u), members of the group (g), others on the system (o). You can check the current access permissions using:
ls -l filename
If the file is accessible to all users (owner, group, others) in all three modes (read, write, execute) it will show:
-rwxrwxrwx
Skip the first "-" (it shows "d" for directories, "-" for normal files, "l" for links, "c" for character devices, "b" for block devices). After this initial character, the first triplet shows the file permission for the owner of the file, the second triplet shows the permissions for the group that owns the file, the third triplet shows the permissions for other users. A "no" permission is shown as "-". Here is an output from the ls -l command on a file that is owned by root, for which the owner (root) has all permissions, but the group and other can only read and execute:
drwxr-xr-x 2 root root 21504 Apr 24 19:27 dev
The first letter "d" shows that the file is actually a directory.
You can change the permissions on the file which you own using the command chmod (="change mode"). For example, this command will add the permission to read the file "junk" to all (=user+group+others):
chmod a+r junk
In the command above, instead of "a" (="all"), I could have used "u", "g" or "o" (="user", "group" or "others"). Instead of "+" (="add the permission"), I could have used "-" or "=" ("remove the permission" or "set the permission"). Instead of "r" (="read permission"), I could have used "w" or "x" ("write permission" or "execute permission").
For example, this command will remove the permission to execute the file "junk" from others:
chmod o-x junk
Instead of letters, one can also use numbers to specify the permissions. To understand how it works look at this:
read=4
write=2
execute=1
The total permission for a class of users is the sum of the three. Thus:
1 = execute only (seems unusual)
2 = write only (seems unusual)
3 = write and execute (seems unusual)
4 = read only (common)
5 = read and execute (common)
6 = read and write (common)
7 = read, write and execute (common).
The permission for all the three classes of users (owner, group, others) is obtained by gluing the three digits together one by one. For example, the command
chmod 770 junk
will give the owner and his/her group the complete set of permissions, but no permissions to others. The command:
chmod 666 junk
gives all three classes of users (owner, group, others) the permissions to read and write (but not execute) the example file named "junk". Please note the "666". It is quite often used and, at least for one person I know, it is a proof that Linux (any UNIX for that matter) is a work of the devil >:-0. This command:
chmod 411 junk
would give the owner the permission to read only, and the group and others to execute only. This one does not seem useful, but might be funny, at least for those North American Linux users who dial 411 (telephone number) for directory assistance. Mail me if you can think of any other funny permissions (maybe 007?).
The numerical way of representing file permissions is called "octal" because the numbers have base 8 (the decimal system’s base is 10). The highest digit in the octal system is 7 (octal system has eight digits: 0 to 7, analogous to decimal system having ten digits: 0 to 9). The octal representation is really a convenient notation for the binary representation of file permissions, where each permission is flagged as "set" or "denied" with a one or zero and the total is represented as a string of zeroes and ones, as in this diagram:
user class:                                 owner  group  others
example permissions:                        rwx    rw-    r--
absent permissions:                         ---    --x    -wx
binary representation of the permissions:   111    110    100
octal representation of the binary:         7      6      4
Default file permissions with umask. When a new file is created, it is given default permissions. On my system, these are:
-rw-r--r--
This means that files created by a user can be read and written to by the user, but only read by his/her group and others. Still, on my default RH5.2 system, users cannot read the files in the other users’ home directories because the permissions on the home directories are:
drwx------
I can check the default file permissions given to my newly created files using:
umask -S
(The option "-S" stands for "symbolic" and tells umask to display the permissions in an easy-to-read form.)
I can change the default file permissions for newly created files using a command like:
umask u=rwx,g=,o=
which will give the owner all the permissions on newly created files, and no permission to the group and others.
Using numbers to set default permissions with umask is trickier. The number shows the permissions that you take away for users (opposite to chmod). Thus:
umask 000
will give full permissions to everybody on newly created files. The next example gives full permissions to the owner, none for everybody else (perhaps that’s what one may want):
umask 077
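The octal arithmetic from the diagram above and the "take away" behaviour of a numeric umask can be verified together. The script below is an added example, not part of the original guide, with constructed function names: it converts an ls -l mode string to octal using read=4, write=2, execute=1, then creates a file and a directory under several umask values and reports the modes they actually receive. Regular files start from 666 and directories from 777 before the mask is removed, so a new file never gets execute permission by default.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are constructed.

mode_to_octal() {
    # $1 = mode string as printed by ls -l, e.g. "-rw-r--r--".
    # Each triplet is summed with read=4, write=2, execute=1.
    perms=${1#?}                      # drop the file-type character
    octal=""
    for start in 1 4 7; do
        triplet=$(printf '%s' "$perms" | cut -c"$start-$((start + 2))")
        digit=0
        case $triplet in r??)     digit=$((digit + 4)) ;; esac
        case $triplet in ?w?)     digit=$((digit + 2)) ;; esac
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac  # s/t imply x
        octal="$octal$digit"
    done
    printf '%s\n' "$octal"
}

mode_under_umask() {
    # $1 = umask value, $2 = "file" or "dir".
    # Creates the object in a scratch directory under that umask and
    # prints the octal mode it actually received.
    (
        scratch=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$scratch/new"
        else
            : > "$scratch/new"
        fi
        mode_to_octal "$(ls -ld "$scratch/new" | cut -d' ' -f1)"
        rm -rf "$scratch"
    )
}

for mask in 000 022 077; do
    printf 'umask %s -> file %s, directory %s\n' "$mask" \
        "$(mode_under_umask "$mask" file)" "$(mode_under_umask "$mask" dir)"
done
```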
2.5 My mp3 player chokes. The sound is kind of interrupted (how to set suid).
The MP3 player might not be given enough processor power (it requires a lot of it). It could be that your system is lousy. Or you might be running too many cpu-intensive programs at the same time. Or, most likely, you may need to run the player with a higher priority. (The priority of a program can be set with the command nice -- see man nice or info nice). Try to run the player as root--programs run by root are given higher priority than those run by normal users. If this solves the problem, set the "suid" on the executable so all users are given the "effective user id" of root when running it, for example:
chmod a+s x11amp
will do the trick for the xamplifier program. The output from
ls -l x11amp
on my computer is now:
-rwsr-sr-x 1 root root 319172 Mar 13 1998 x11amp
The first "s" indicates that the substitute-user-id (suid) bit is set. The second "s" indicates that the substitute-group-id (sgid) is also set. Thus anybody who executes x11amp is given the effective user id of the program owner and effective group id of the owner group, which in the example above is the user "root" and the group "root".
Setting the suid for a program could possibly become a security hole in your system. This is unlikely to be the case on a closed home network and when setting suid for a program whose origin is well traceable. However, even at home, I wouldn’t suid a piece of code whose origin is uncertain, even if the setup instructions urged me to do so.
Some programs do, however, require suid for proper functioning, for example kppp (the popular modem "ppp" connection utility under the KDE graphical-user-interface desktop).
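Because every suid program is a possible security hole, it helps to keep a list of the ones you have approved and to check periodically that nothing else carries the bit. The script below is an added example, not part of the original guide; the function names, the allowlist file and the scratch files standing in for x11amp and kppp are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): list suid/sgid files under a
# directory and report those that are not on an approved list.

list_suid_sgid() {
    # $1 = directory to scan. -xdev stays on one filesystem;
    # -perm -4000 matches the suid bit, -perm -2000 the sgid bit.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

unexpected_suid() {
    # $1 = directory, $2 = allowlist file with one approved path per line.
    # Prints suid/sgid files that are not on the allowlist.
    # grep exits 1 when nothing is left over; that is not an error here.
    list_suid_sgid "$1" | grep -v -x -F -f "$2" || true
}

demo_suid_audit() {
    scratch=$(mktemp -d) || return 1
    # Constructed empty files standing in for real programs.
    for f in x11amp kppp notes.txt; do
        : > "$scratch/$f"
    done
    chmod 755 "$scratch/x11amp" "$scratch/kppp"
    chmod a+s "$scratch/x11amp" "$scratch/kppp"    # as in the text above
    # Only kppp has been approved in this constructed allowlist.
    printf '%s\n' "$scratch/kppp" > "$scratch/allow.list"
    unexpected_suid "$scratch" "$scratch/allow.list"
    rm -rf "$scratch"
}

demo_suid_audit
```

On a real system, point list_suid_sgid at / as root, save the reviewed output as the allowlist, and rerun unexpected_suid after installing software.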