Linux System Administration: A User's Guide

 in
An excerpt from our French chef's recently published book.

By the time you get this issue of Linux Journal, my new book, Linux System Administration: A User's Guide, will have hit the shelves. Because they are just so darn cool, the folks at Linux Journal have given me some space in this month's issue to give you a teaser from the book.

Being the kind of guy that I am, I ached over what to present while trying to keep it short. After all, there's so much to choose from. Setting up a scanner? A CD writer? Blocking unwanted access to your network? Printing? Backups? Sendmail tweaks? What? In the end, I decided to talk about something that doesn't get enough press in today's internet world, and that's good old-fashioned user security. What you are about to read is an excerpt from Chapter Seven of the book, “Users and Groups”. It is not the complete chapter, nor are all the pieces in order. “The chef has been sipping too much of his own wine”, you say? Not at all. In fact, like my alter ego, I wanted to use this space to give you a sample, a taste if you will, of what you might find in the pages of my new book. Think of it as nibbling from a buffet table. As Chef Marcel would say, Bon appétit!

Living in a Multiuser World

Linux is a multiuser operating system, meaning that one or more users can work on it at the same time. Every user is referenced by their user name. Each user name has a user ID (UID) associated with it and one or more groups. Like user names, group names are also represented by a numeric identifier, this time called a group ID (GID). A user's UID is unique as is a group's GID.

When it comes to your files and directories, security on a Linux system is defined by means of permissions, which directly relate to the user ID. Users are either administrative users or regular users. The chief administrative user is called root. A user's ID is used to decide what commands can be executed and what files can be read from or written to.

Each user ID also has a password associated with it. That password can and should be changed on a regular basis.

When Not to Use the Root User

The short answer here is that you should never use the root user unless you absolutely have to. The danger lies in the fact that the root user is virtually omnipotent on the system. A mistake can have serious implications that can wipe out your entire system. Unless you absolutely have to, it is best to work as a nonadministrative user. There are other reasons as well.

The first is security. Because the root user has access to everything, it makes sense that only those who really need to have access are given the root password. The fewer people who have access to root, the better. Let me give you a few good reasons for jealously guarding root access: it makes it easier to maintain security, it decreases the risk of dangerous code and errors do not (usually) have global implications. Yes, it is still possible for a nonroot user to do great damage to a system, but the risk is much, much smaller.

Checking the Password File

As if you didn't already have enough things to do, here's yet another job. On a regular basis, you should run a report to identify accounts or logins that have gone dormant. This is a nice way of saying “people who are gone and who are not coming back anytime soon”.

An earlier chapter of the book explains the finger command, which displays information relating to the last time an account was used. Try typing this command to list each user ID and to check the last login time. Note that the single quotes (just before the sort command and just before the pipe symbol) are actually back quotes (or back ticks). The back quote is usually found with the tilde (~) just under the Esc key on most keyboards.

finger 'sort /etc/passwd | cut -f1 -d":"' | grep -i log | more

The output of this command looks something like this:

Login: aeinstein                Name: A. Einstein
Never logged in.
Login: guitux                   Name: Tux the Penguin
Last login Mon Jan  8 14:54 (EST) on tty2
Login: halt                     Name: halt
Never logged in.
Login: lp                       Name: lp
Never logged in.
Login: mail                     Name: mail
Never logged in.
Login: mgag                     Name: Marcel Gagné
Last login Wed Mar  7 17:29 (EST) on 1 from website
Login: named                    Name: Named
Never logged in.
Login: natika                   Name: Natika the Cat
Warning: you must use your good judgment (an absolute requirement for system administration) on this one. Some of these accounts—sync and lp, for instance—are system accounts. It only makes sense that no one will have ever logged in through them. On the other hand, Mr. Einstein (at the top of the list) has never logged in either and his is certainly not an administrative login. It could be that this is a new account (and it is) or that you created an account for a user that never was used. In the latter case, you should probably get rid of that account.

Now, I used that example to give you a feel for your command-line prowess. However, I should tell you that there is a cleaner way to do this. Your Linux system comes with a handy little command called lastlog that does just this sort of thing:

[root@scigate /root]# lastlog | more
Username  Port  From              Latest
root      tty1                    Wed Mar  7 17:18:40
                                           -0500 2001
bin                               **Never logged in**
daemon                            **Never logged in**
adm                               **Never logged in**
lp                                **Never logged in**
sync                              **Never logged in**
shutdown                          **Never logged in**
mgagne    1     scigate           Wed Mar  7 17:29:55
                                           -0500 2001
postgres                          **Never logged in**
www                               **Never logged in**
natika    8     localhost.locald  Thu Dec  7 14:30:15
                                           -0500 2000
guitux    tty2                    Mon Jan  8 14:54:55
                                           -0500 2001

Geek trivia: you can't edit or modify this file, but the lastlog command information comes from the file /var/log/lastlog.

Here is another thing you should do. Every once in a while, run the command pwck. By default, it walks through your /etc/passwd and /etc/shadow files and does some basic integrity checks, such as making sure that the right number of fields are present and that each name is uniquely identified. For the group file, there is a companion command called grpck.

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix