
AmigaOne - Linux - About Linux - Security

This section introduces Linux Security and why you have to be aware of how it works.

Security is Mandatory
Most Amiga users have been used to an operating system where there is no apparent security, while MS Windows users know they have to log on but seldom invoke file security, leaving it to default to "allow all". Under Linux, security is not an option. Linux provides basic user security, as explained below. This can be augmented by samba, an additional security package that is often installed as well and that you will see referenced often, but the following discussion assumes that samba is NOT running at this time.

Logging onto the system
When you log on to the system, either using the KDE login or through a Shell, you must enter a user id and a password. These are verified against encrypted files stored on the system, and if they match you are allowed to log on. These files also contain other information about your user-id, including which Shell you should use and where your 'HOME' directory is located, which in turn contains files that store your configuration for the KDE desktop, and your operating profile. The profile contains things like your pathing information, i.e. which directories to look in for the various commands and programs, and miscellaneous environment variables pertaining to that user-id.

To see the results of this activity, open a shell (in Sarge this is referred to as Terminal Command Line at the top of the KDE window) and type env as shown below:

It is not the intent of this session to explain the meaning of these values, but if you scan through the output, you will probably be able to understand quite a bit without any explanation. Particularly important is the 'PATH=' statement, because it determines which directories you can run commands and programs from. If you attempt to run a command that is not in one of your 'pathed' directories you will be told "command not found". Changing the 'PATH=' statement will not necessarily solve the issue unless you also have security rights as explained later.

'root' user
When you installed the system, it was under the auspices of the "root" user. This user is GOD on a Linux system and can do anything, so its powers are best used sparingly and only when absolutely necessary. During the install process you were given the option of creating another user for yourself. If you accepted that option, the installation process would create a user and a group for the user name specified, but if you decided not to at the time, you should do so as soon as possible. KDE under Debian Sarge will not permit you to log on as root user for security reasons. You must log on as another user and then switch to root, and there are several ways that you can do this, as follows:

  1. Open a shell and type su root
    - you will then be asked to enter the root password, and if entered correctly you have switched user to 'root'. The current directory will remain the same, as will all of the pathing information, so even though you now have the same execute privileges as root, you still can't execute 'root-only' commands because they do not exist in any of the directories you are pathed to.

  2. Open a shell and type su -
    - you will then be asked to enter the root password, and if entered correctly you have switched user to 'root'. However, the current directory will now have changed to root's home directory, as will all of the pathing information, so now it is the same as logging on as the root user. If you want to work in a particular directory, you will need to use cd to get back to that directory.

  3. KDE=Applications: System Tools > Root Terminal
    - you will then be asked to enter the root password, and if entered correctly a new Shell will open where you will be at your own home directory but with all of root's pathing information, and the same execute privileges as root.

It is a good idea to only use the root logon for administration purposes and not for routine activity.

Groups
It is important to understand that all users must be part of a group, so before you create a user you should know what group it is going to belong to. If you open a Shell window and type man group followed by <Enter>, you will see the instructions for using the "group" command, as follows:

Within the description (highlighted in orange), it tells you that groups are defined in a file called "/etc/group" along with a very brief explanation of the values you will find there.

Our next step is to display the contents of this file, and we can do this by typing cat /etc/group followed by <Enter>, as follows:

As explained above, this file contains one entry for each group defined to the system, where the defined values for each group are separated by colons (:) as follows:

  - group name
  - encrypted password
  - numerical group id
  - users within that group

Note that while the maximum length of a group name can be more than 8 alpha-numeric characters, only the first 8 characters are significant, so it is a good idea to keep names at 8 characters or less. The first character must be alphabetic (not numeric), and all characters must be lower case.

It should also be noted that the numerical group id must be unique. Values between 0 and 99 are typically reserved for system accounts, and by default user accounts either start at 100 or 1000.

The list shown to the left is the basic list of groups that are defined when Linux is installed. From the prompt you can see that it was executed by a user-id of "demo" and we have highlighted that user's group in orange.

To add a new group, you can use the groupadd command while logged on as 'root', e.g.

  groupadd groupname

If you wish you can specify the numerical group id, or you can let it default to the next available number.

(If you want to know more about groupadd, type man groupadd followed by <Enter>)

Users
The next topic we need to look at is about users. These are a little more complex than groups, and we can't get any clues using "man" like we did for groups. However, we can start by looking at the definitions within a file called "/etc/passwd" by typing cat /etc/passwd as follows:

Like the groups file, this file contains one entry for each user defined to the system, where the defined values for each user are separated by colons (:) as follows:

  - username - note that while the maximum length of a user name can be more than 8 alpha-numeric characters, only the first 8 characters are significant, so it is a good idea to keep names at 8 characters or less. The first character must be alphabetic (not numeric), and all characters must be lower case.
  - encrypted password - exactly what it says, although the file always shows "x" instead.
  - numerical user id - a unique number for each user. Values between 0 and 99 are typically reserved for system accounts, and by default user accounts either start at 100 or 1000.
  - default numerical group id - while a user can belong to many groups, this is the numerical group id for the default group for the user.
  - comments - any comment can go in this value, but it would generally be the full user name or some other descriptive information.
  - home directory - the absolute path of the default directory that will be used to store files for this user.
  - command - the absolute path of a command to be executed when the user logs in, and typically this is a shell.

If we look at the entry highlighted in orange above, we can see that username "demo" has a numeric user id of "1000", a default numerical group id of "1000" (which if we go back to the previous example corresponds to the group name of "demo"), a comment of "Debian User", a home directory of "/home/demo" and a command of "/bin/bash" which means this user will execute the bash shell when they log in. You may like to look at some of the other definitions as well.
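An added example (not part of the original page): a shell function that reads files in the /etc/group and /etc/passwd layouts described above and reports entries that break the rules stated in the text, plus any uid 0 account other than root. The function name audit_accounts and the sample entries are constructed for illustration, and the name check applies this page's own naming guideline.

```shell
#!/bin/sh
# audit_accounts PASSWD GROUP: print one finding per line for entries that
# break the rules described in the text (hypothetical helper, added example).
audit_accounts() {
    LC_ALL=C awk -F: '
        # First file read is the group file: name:password:gid:members
        FILENAME == ARGV[1] {
            if (NF != 4) { print "group line " FNR ": expected 4 fields"; next }
            if ($3 in gname) print "duplicate gid " $3 ": " gname[$3] " and " $1
            gname[$3] = $1
            next
        }
        # Second file is passwd: name:password:uid:gid:comment:home:command
        NF != 7 { print "passwd line " FNR ": expected 7 fields"; next }
        {
            if ($2 != "x") print $1 ": password field is not x"
            if ($3 == 0 && $1 != "root") print $1 ": uid 0 but not root"
            if ($3 in uname) print "duplicate uid " $3 ": " uname[$3] " and " $1
            uname[$3] = $1
            if (!($4 in gname)) print $1 ": default gid " $4 " not in group file"
            # Naming guideline as stated on this page (8 chars, lower case)
            if ($1 !~ /^[a-z][a-z0-9]*$/ || length($1) > 8)
                print $1 ": name breaks the naming guideline"
        }
    ' "$2" "$1"
}

# Constructed sample files (not taken from a real system).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/group" <<'EOF'
root:x:0:
cdrom:x:24:demo
audio:x:29:demo
users:x:100:
demo:x:1000:
EOF
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
demo:x:1000:1000:Debian User:/home/demo:/bin/bash
wally:x:1001:100::/home/wally:/bin/bash
toor::0:0:constructed bad entry:/root:/bin/bash
Operator1:x:1001:555:constructed bad entry:/home/op:/bin/bash
EOF

audit_accounts "$SAMPLE/passwd" "$SAMPLE/group"
```

On a real system, run it as audit_accounts /etc/passwd /etc/group; system account names containing a hyphen will be reported by the naming check.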

To add a new user, you can use the useradd command while logged on as 'root', for example:

  useradd wally

If this command was used, then a user called wally would be created with a default group of users. It would also define his home directory as '/home/wally', but it would not create the directory. You have to do that manually, and make sure that it has the correct user and group access rights. For that we need to introduce several new commands, for example:

  cd /home             change directory to /home
  mkdir wally          create a new directory for wally
  chown wally wally    give wally ownership rights to the wally directory
  chgrp users wally    give users group rights to the wally directory

The next step is to set the user's password using the passwd command, for example:

passwd wally
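An added example (not part of the original page): a check for the situation described above, where an account exists in the passwd file but its home directory was never created or was left with the wrong owner or group. The function name check_homes is hypothetical, and the sample accounts and directories are constructed in a temporary directory so the check runs without root.

```shell
#!/bin/sh
# check_homes PASSWD [MIN_UID]: for each account with uid >= MIN_UID, report a
# home directory that is missing or not owned by the account's uid and gid.
check_homes() {
    min_uid=${2:-1000}
    while IFS=: read -r name pw uid gid comment home shell; do
        # Skip system accounts and lines whose uid is not a number
        [ "$uid" -ge "$min_uid" ] 2>/dev/null || continue
        if [ ! -d "$home" ]; then
            echo "$name: home directory $home does not exist"
            continue
        fi
        # ls -n prints numeric ids; fields 3 and 4 are owner uid and group gid
        owner=$(ls -ldn "$home" | awk '{print $3 ":" $4}')
        [ "$owner" = "$uid:$gid" ] ||
            echo "$name: $home is owned by $owner, expected $uid:$gid"
    done < "$1"
}

# Constructed sample: three accounts whose homes live under a temp directory.
HOMES=$(mktemp -d)
trap 'rm -rf "$HOMES"' EXIT
mkdir "$HOMES/demo" "$HOMES/sam"
me=$(id -u)
grp=$(ls -ldn "$HOMES/demo" | awk '{print $4}')
cat > "$HOMES/passwd" <<EOF
demo:x:$me:$grp:home made and owned correctly:$HOMES/demo:/bin/bash
wally:x:$me:$grp:useradd ran but mkdir was skipped:$HOMES/wally:/bin/bash
sam:x:$((me + 1)):$grp:mkdir ran but chown was skipped:$HOMES/sam:/bin/bash
EOF

# MIN_UID is 0 here so the sample works whatever uid runs it
check_homes "$HOMES/passwd" 0
```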

Alternatively you could specify a different default group in the useradd command, for example:

  useradd -g demo wally

If this command was used, then a user called wally would be created with default group of demo.

The important thing to remember though, is that in addition to the default group, wally can belong to any number of groups, for example:

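  usermod -G audio,cdrom wally

If this command was used, wally would retain the access rights of the default group of demo, plus he would acquire the access rights for the audio and cdrom groups as well. Note that -G sets wally's complete list of additional groups, so any additional group not named in the command is removed from his membership.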

(If you want to know more about useradd or usermod, type man useradd or man usermod followed by <Enter>)

Working with Groups and Users
While the groupadd, useradd and related commands (groupmod, usermod, groupdel, userdel, etc) can be used from a shell when logged on as 'root' user, it's much easier to work with groups and users using the KDE User Manager, but the way the program is invoked is very important. Assuming you have logged on to KDE with a 'non-root userid', let's look at three options:

  1. KDE=Applications: Debian Menu > Apps > System > KDE User Manager
    - this will open User Manager with 'non-root userid' rights, so the first thing you will see is 'Error opening /etc/shadow for reading'. Click on 'OK'. The program will open with magenta text and orange select bar, indicating that you are in read-only mode, and even though all of the update commands still appear to be usable, no updates will occur.

  2. Open a shell and type su -, enter the root password, and then type kuser
    - the program will open with purple text and dark-blue select bar, indicating that you are in update mode. There are two tabs - Users and Groups. Double-click on the highlighted user/group to view or edit the details. Clicking on Help or pressing F1 will give you access to the KUser Handbook.

  3. KDE=Applications: System Tools > Run as different user
    - this will open a 'Run program' requester with provision to specify a program name and the user name under which you want that program to run. In this case type kuser in the 'Run:' box and root in the 'As user:' box and click on 'OK'. It will then ask you to enter root's password and click on 'OK'. You now have the same functionality as the previous example.

If you make changes, you must save them before you exit, although you will be prompted if you don't.

The next aspect we need to understand is the Linux Filesystem.

Disclaimer: Amiga Auckland have prepared the above information for the use of its members based on our experiences, and as such it is subject to revision at any time. Amiga Auckland cannot guarantee any of the information and cannot be held accountable for any issues that may result from using it.


Copyright 2005 Amiga Auckland Inc. All rights reserved.
Revised: September 25, 2005.