10 User Environment & Local Computer security in GNU/Linux

Mr. Hardik Joshi

epgp books

Introduction

Linux is a multiuser system: more than one user can work on it concurrently. Linux provides the facility to create multiple users and classify them into groups. A group is a collection of accounts among which certain permissions can be shared. The list of groups and their members is stored in the file /etc/group. By default, every user has its own primary (default) group. When a user logs into the system, the user gets all permissions assigned to their primary group and to every other group to which the user belongs. A user can belong to one or more groups.

All Linux users are assigned a unique user ID (uid). Groups likewise have unique IDs (gid). These IDs are integers and start from zero (0). Ordinary user IDs usually start either from 500 (Fedora family) or from 1000 (other distributions). The uid and gid can be seen in the files /etc/passwd and /etc/group.

who command

The command “who” lists online users, i.e. those users who are currently logged on to the system. A few options of the “who” command are listed in the following table.

As shown in figure 1, the who command lists users who are online. Each line indicates the terminal from which the user has logged in, so if a user logs in from multiple terminals, the output of who will contain multiple records. In addition to the username, who lists the login time and the IP address from which the user has logged in.

Now let us study the format of the /etc/passwd file, in which the details of the users created within the system are stored. The fields in this file are separated by the ‘:’ sign, and each line represents one user. The file stores details like the username, uid, gid, alias of the username (the comment field), the default login directory and the default shell. When a user logs onto the system, he is placed in his default directory (say /home/user) and uses his default shell. The /etc/passwd file contains the list of all users created within the system, and each user has a single entry in it.

Figure 2: Snapshot of /etc/passwd file

Let us understand the line containing “Demo” in figure 2. The username is Demo, with UID=502 and GID=502. When the user “Demo” logs onto the system, he is placed in the /home/Demo directory and gets the bash shell to interact with the system. Let us take another case, the user “hardik”, whose UID and GID are different. Since the user “hardik” belongs to more than one group, we can see that the UID and GID need not be equal. If we want to know the groups to which the user “hardik” belongs, we can view the content of the /etc/group file.

Figure 3 illustrates the content of the /etc/group file, which lists the groups created within the system. It shows that the Demo group has GID 502 and that no user other than Demo belongs to it, while the group “faculty” has another user, “hardik”, as a member. If we supply a username as an argument to the id command, it shows the details of that user. The syntax of the id command can be:

User Management

In this section, we will learn how to create users, how to modify or delete users existing in the system and how to set a password for a user. In Linux, users can be classified into the following categories:

  • Normal users
  • Root user (super user)
  • System user
  • Network user

A super user has the maximum privileges on the system. Generally, administrative tasks are performed by the super user. It is always advisable not to use the super user account for normal use of the system. The super user has the privilege to create groups and to create other users. A normal user deals with tasks like sharing files over the network, printing files, etc. Depending on the services offered by Linux, a user can further be classified as a system user or a network user. In this module, our focus will be to understand how a normal user can perform the tasks of a super user with proper authentication. Root privileges are required to perform the following tasks:

  • Create/manage users
  • Install or remove software packages
  • Remove or modify system files (config files in the /etc directory)
  • Start/Stop/Restart system services (httpd, vsftp, etc.)

When we log on to the system, we are working as a normal user. A normal user gets the ‘$’ prompt, while the super user gets the ‘#’ prompt. When a super user logs in, we call it root access. Below is the command to switch from a normal user to the super user:

We can modify the groups of a user, i.e. add a user to a particular group or remove the user from a group, using the usermod command; we can also lock and unlock users with usermod.

The following are a few commands to manage groups: we use groupadd to create a group, groupmod to modify a group and groupdel to delete a group.

The following screenshots show how a user is created and how a user is assigned to a particular group.

Figure 4: User creation

Figure 5: Modifying a user

As shown in figure 5, the user student1 is added to the students group. Note that the group “students” already existed before the usermod command was typed.

Operations with root account

As discussed earlier, the root account is used to perform administrator-level tasks. Linux provides two different ways to access the root account:

  • Using su command
  • Using sudo command

It is advisable to use the sudo command rather than su, since fewer risks are associated with sudo. In fact, sudo is generally used to perform a single task, while su is used only when we wish to perform a sequence of tasks that require root-level access. The following table lists the differences between the su and sudo commands.

Let us take an example to understand the difference between su and sudo. Suppose there is a requirement to create 100 users on a system; the system administrator can assign the task of user creation to an operator. Now, if he gives the password used by su to the operator, the operator gains access to the entire system and can modify config files or delete user accounts. The solution is that the administrator grants root privileges only for creating users: he configures the sudoers file and adds the operator's details so that the operator can run the useradd command as the super user but cannot run any other command that requires the su password. So the operator will type the following command to create users:

The above notation signifies that who (username) will be allowed, from where (network id), to run the specific command that requires su privileges. It further says as whom (which group) the user will be identified and what kind of command can be performed.

Whenever a user runs the sudo command, the activity is logged. So whenever a normal user uses sudo to acquire root privileges temporarily, the action is saved in a log file. In case of misuse, we can check who tried which commands by looking at the log file.

Uses of the sudo command, and failed attempts, are logged into files like

  • /var/log/auth.log (Debian systems)
  • /var/log/messages
  • /var/log/secure

A typical message entry will contain:

  • Date, time and host name
  • Calling username
  • Terminal info
  • Working directory
  • User account invoked
  • Command with arguments

Figure 6: Entry into a log file

The entry in figure 6 shows that the user “Demo” issued the sudo command to run useradd. Since the sudoers file is very important, it should be edited by issuing the “visudo” command under root privileges.
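As an added example (not part of the original module), this script splits sudo entries of the kind shown in figure 6 into their fields and picks out the attempts that did not run (a command not permitted by the sudoers file, or a wrong password). The log lines, the host name "lab1" and the user names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original module: break sudo log entries into
# their fields and report the ones that failed. All log lines are constructed.
SUDO_LOG='Mar  3 10:15:02 lab1 sudo:     demo : TTY=pts/0 ; PWD=/home/demo ; USER=root ; COMMAND=/usr/sbin/useradd student1
Mar  3 10:16:40 lab1 sudo:     demo : command not allowed ; TTY=pts/0 ; PWD=/home/demo ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:01 lab1 sudo:     demo : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/demo ; USER=root ; COMMAND=/usr/sbin/useradd student2
Mar  3 10:20:11 lab1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd'

# sudo_fields LINE -> "caller|tty|working-dir|target-user|command|status"
sudo_fields() {
    printf '%s\n' "$1" | awk '{
        # the calling user is the word right after "sudo:"
        for (i = 1; i <= NF; i++) if ($i == "sudo:") { caller = $(i + 1); break }
        status = "ok"   # a refused attempt carries its reason between the caller and TTY=
        if ($0 ~ / : command not allowed ;/)            status = "denied"
        else if ($0 ~ / incorrect password attempts ;/) status = "badpass"
        match($0, /TTY=[^ ]*/);  tty = substr($0, RSTART + 4, RLENGTH - 4)
        match($0, /PWD=[^ ]*/);  dir = substr($0, RSTART + 4, RLENGTH - 4)
        match($0, /USER=[^ ]*/); target = substr($0, RSTART + 5, RLENGTH - 5)
        match($0, /COMMAND=.*/); cmd = substr($0, RSTART + 8)
        printf "%s|%s|%s|%s|%s|%s\n", caller, tty, dir, target, cmd, status
    }'
}

# sudo_failures -> one "caller:status:command" line per entry that did not run
sudo_failures() {
    printf '%s\n' "$SUDO_LOG" | while IFS= read -r line; do
        f=$(sudo_fields "$line")
        [ "${f##*|}" = ok ] || printf '%s\n' "$f" | awk -F'|' '{ printf "%s:%s:%s\n", $1, $6, $5 }'
    done
}

sudo_failures   # demo:denied:/bin/bash and demo:badpass:/usr/sbin/useradd student2
```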

Environment Variables

An environment variable is a named quantity that holds a character string. It contains information that can be accessed by the shell (such as bash) and used by one or more applications. Some environment variables are defined by the user and some are pre-set (built-in) by the system. The values of environment variables can be displayed by typing the set, env or export commands. The set command may behave differently depending on the state of the system. The content of these variables is as follows:

Few Environment Variables

Let us study the environment variables that are useful for system administration. HOME is an environment variable that represents the home directory of the user. When we issue the following command, it displays the home (default) directory of the user.

$ echo $HOME

PATH is another environment variable that stores the directories containing executable programs. It is an ordered list of directories that is scanned, left to right, to locate a program or command when the user runs it. The directories in PATH are separated by the colon sign (:). The following command displays the value stored in the PATH variable:

$ echo $PATH

We can append our home directory to the PATH variable by issuing the following commands. Because PATH is searched in order, the appended home directory is consulted only after the system directories:

$ PATH=$PATH:/home/<user>

$ echo $PATH
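As an added example (not part of the original module), the following audit checks a PATH value for entries a practitioner would not want before exporting it: an empty entry or "." (the current directory gets searched), a relative directory, and a directory writable by group or others, where another account could plant a program that the shell finds first. The directories used in the demonstration are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original module: audit a PATH value. The shell
# tries PATH entries in order and runs the first matching program, so an entry
# that someone else controls lets their file run under your account.

# path_audit PATHVALUE -> one "reason:entry" line per risky entry, nothing if clean
path_audit() {
    rest=$1:                       # sentinel colon so the last entry is handled like the others
    while [ -n "$rest" ]; do
        d=${rest%%:*}; rest=${rest#*:}
        if [ -z "$d" ] || [ "$d" = . ]; then
            echo "current-directory:${d:-<empty>}"
        elif [ "${d#/}" = "$d" ]; then
            echo "relative:$d"
        elif [ -d "$d" ]; then
            # ls mode string such as drwxrwxr-x: char 6 is group write, char 9 is other write
            case "$(ls -ld "$d" | cut -c1-10)" in
                d????w????|d???????w?) echo "writable-by-others:$d" ;;
            esac
        fi
    done
}

# demonstration with constructed directories (assumption: mktemp -d is available)
demo=$(mktemp -d)
mkdir -m 755 "$demo/bin"; mkdir -m 777 "$demo/shared"
path_audit "/usr/local/bin:/usr/bin::$demo/bin:$demo/shared:tools"
rm -rf "$demo"
```

The demonstration reports the empty entry, the world-writable "shared" directory and the relative "tools" entry; the 755 directory passes.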

The PS1 variable (an abbreviation of Prompt Statement) is used to customize the prompt string. PS1 is the primary prompt variable and controls how the command prompt looks. The following special characters can be included in PS1:

  • \u – User name
  • \h – Host name
  • \w – Current working directory
  • \! – History number of this command
  • \d – Date

The environment variable SHELL points to the user’s default command shell (the program that handles whatever you type in a command window, usually bash) and contains the full pathname of the shell:

$ echo $SHELL

/bin/bash

$

Startup Files

When a user logs onto the system and reaches the shell prompt, the startup files of the login shell (generally bash) execute automatically. The startup files are used to customize the user's environment. They can be used to perform the following tasks:

  • Define command line shortcuts or aliases
  • Set up the prompt
  • Set up the default text editor
  • Set up the PATH variable to execute custom commands

Order of the Startup Files

When we first log in to Linux, /etc/profile is read and evaluated, after which the following files are searched for (if they exist) in the listed order:

  1. ~/.bash_profile
  2. ~/.bash_login
  3. ~/.profile

If the login shell finds the first of these files, it ignores the rest: if it finds ~/.bash_profile, it ignores ~/.bash_login and ~/.profile. Different distributions may use different startup files.
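As an added example (not part of the original module), this script reproduces the search order above for a given home directory and reports whether the chosen startup file is writable by anyone other than its owner, since a startup file another account can edit runs that account's commands at the user's next login. The home directory used in the demonstration is a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original module: which per-user startup file
# a bash login shell would read, and whether others can write to it.

# login_startup_file HOMEDIR -> prints the file bash would read, or "none"
login_startup_file() {
    for f in .bash_profile .bash_login .profile; do
        if [ -f "$1/$f" ]; then
            echo "$1/$f"        # first match wins; the remaining files are ignored
            return 0
        fi
    done
    echo none
    return 1
}

# startup_file_writable_by_others FILE -> exit 0 if group or others can write it
startup_file_writable_by_others() {
    # ls mode string such as -rw-rw-r--: char 6 is group write, char 9 is other write
    case "$(ls -l "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# demonstration with a constructed home directory (assumption: mktemp -d is available)
demo=$(mktemp -d)
touch "$demo/.bash_login" "$demo/.profile"
chmod 664 "$demo/.bash_login"
chosen=$(login_startup_file "$demo")    # .bash_login is found before .profile
echo "bash would read: $chosen"
startup_file_writable_by_others "$chosen" && echo "WARNING: $chosen is writable by others"
rm -rf "$demo"
```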

Let us summarize the key concepts covered in this module:

  • Concept of users and groups.
  • User management and related commands.
  • User environment and environment variables.
  • Commands for root access like su and sudo.