Linux and Security



 

 


User Accounts

Now that you have logged in to the computer you are ready to work. Before you actually get to work, however, there are a few things that you should know about your user account. Some knowledge of user accounts and file permissions will make it much less frustrating for you as you do your work.

Access and Security

User accounts are used in the Linux world to provide you access to the computer. But even more importantly, they are used to keep out people who should not have access to the computer and the network, and to keep valid users from interfering with each others usage of the computer. You would not want someone else to be able to delete or modify your files, for example, and the security features provided by logging in to different accounts prevents other users from doing anything to damage your files.

Protecting the network and the data stored on the network is based on the user accounts created by the Linux system administrator. A user cannot access any resources on a Linux system without logging on with an account ID and password. The administrator creates an account for each authorized user and assigns an initial password.

File Permissions and Ownership

File permissions and file ownership are another aspect of security provided by Linux, and they are related to your user account. Each file and directory on a Linux system has an owner and a set of access permissions. Unless the ownership and permissions are set correctly, users cannot access their files.

Although a detailed explanation of access permissions is beyond the scope of this book it is important to understand a bit about them in the context of your own account and your ability to work with files.

File Permissions

Figure 1: The file browser showing file permissions and ownership.

You can use the Konquerer file browser to view file permissions and ownership. I will cover much more about using Konqueror as a file browser in another chapter. Figure 1 shows some of the files in my home directory. I have used the Details view which shows a lot of information about the file including its permissions and ownership.

You can see that the files in Figure 1 are owned by dboth, and have a group ownership of dboth. There are three categories of permissions, each category providing (r)ead, (w)rite, and e(x)ecute access to the file. The permission categories are (u)ser, (g)roup, and (o)ther.

User

Group

Other

rwx

rwx

rwx

Table 1 File permissions by category of user.

In Figure 1, the (u)ser dboth owns the file Davids.SIG which is an email signature file. The permissions for the (u)ser are rw- which means that dboth can read and write this file.

The group access permissions are r– which means that members of the group dboth can read this file but not modify – write – it. The details of the reason for this group ownership scheme which was introduced by Red Hat Linux for security purposes are beyond the scope of this book. Suffice it to say that, in general, group ownership of files means that you can share files with other users in the same group. If a file has a group ownership of author, for example, and Fred and David are both members of the authors group, both David and Fred can read and write (modify) the file.

The “other” category access permissions are r– which allows other users – those that are not you and that are not members of the group that owns the file – can read but not write the file. This allows other users to look at the file’s contents but not to change it.

This is a data file rather than an executable program so there is no x permission set. An executable file might have the permissions rwxrwxr– so that the user and group can read, write and execute the file, but others can only view its contents.

If you are unable to read or to modify a file it is most likely due to the fact that the file’s permissions are restricting you from doing so. Check the file’s permissions, and if you think you should have access to the file, contact your system administrator to change them for you or to add your account to a group that does have the correct permissions for you to access the file.

Your Account

By virtue of logging in using your account ID and password, you are granted access to read and write files that are located in your home directory because you are the owner of those files. You can create new files and directories in your home directory and modify them as you see fit.

Your account does not provide you enough rights to access other user’s home directories let alone view or modify the files located there. Your account does not have sufficient rights to alter any important system files, although you may be able to see them and view the contents of some of them.

There is a common practice to create account IDs using the first letter of your first name and your last name. Thus the person Jo User would have an ID of juser. Notice that it is also common practice for the ID to be all lower case. Case is important in Linux, so the ID JUser is not the same as juser.

Your Home Directory

Your home directory is where files that belong to you are stored. Another word for directory is folder.

When you create files in your home directory or in any of the subdirectories in your home directory, they are created with the appropriate ownership and permissions to allow you to read and write them. This should allow you to create new documents and spreadsheets and so on, and then to be able to modify them as needed and store them beck to the disk after they have been modified.

You can also use the file browser to change the permissions of the files in your home directory, but we recommend that you do not do so unless you have a very good reason to do so and know exactly why you are doing it.

For more information, see Chapter 5 which discusses files and directories in much more detail. For now, this is all we need to get started.

Special Accounts – root

Your Linux computer has many accounts even if no other human actually uses your computer on a regular basis. Most of those accounts are used by Linux when it performs particular functions. One of those accounts is that of root. The root account is present on all Linux computers and it allows the person logged in as root to read, change and delete any file on the computer regardless of who owns the files. The root account is restricted by file permissions, but root can change the permission of any file on the computer.

The root account can do anything and everything on a Linux computer. The only person who normally has the root password to a Linux computer is the system administrator.