
Ubuntu Server Succinctly®
by José Roberto Olivas Mendoza

CHAPTER 5

Security


Overview

Security should always be considered when installing, deploying, and using any type of computer system. Although a fresh installation of Ubuntu is relatively safe for immediate use, it is important to have a balanced understanding of system security posture based on how it will be used after deployment.

This chapter provides a general view of security-related topics as they pertain to Ubuntu Server, and outlines simple measures the user may employ to protect the server and network from any number of potential security threats.

User management

This is a critical part of maintaining a secure system. Ineffective user and privilege management often leads to systems being compromised. Therefore, it’s important that the user understands how to protect the server through simple and effective user account management techniques.

Where is the root user?

Ubuntu developers made a deliberate decision to disable the administrative root account by default in all Ubuntu installations. This doesn’t mean that the root account has been deleted or that it may not be accessed. It merely has been given a password that matches no possible encrypted value, and therefore may not log in directly by itself.

Instead, users are encouraged to make use of the sudo command discussed in the third chapter of this book to carry out system administrative duties. This simple yet effective methodology provides accountability for all user actions, and gives the administrator granular control over which actions a user can perform with said privileges.

By default, the initial user provided during the Ubuntu Server installation process is a member of the group sudo, which is added to the file /etc/sudoers (also discussed in the third chapter of this book) as an authorized sudo user. If the user wishes to give any other account full root access through sudo, this account simply needs to be added to the sudo group.

Managing users and groups

Adding and deleting users

Local users are managed with the adduser and deluser commands. The useradd and userdel commands are also available for this process. The following command allows you to add a user named student01 in the system.

Code Listing 53

$ sudo adduser student01 --quiet

When the previous command is used, Ubuntu asks for the password that will be assigned to the user. This password must be typed twice for Ubuntu Server to confirm it.

Adding the student01 User Account

The previous figure shows the output generated by the adduser command. After the user password is confirmed, Ubuntu asks for some values to update information for student01. For the purposes of this book, these data entries aren’t important, so each item is intentionally left blank. At the end, adduser asks about the accuracy of the data previously entered. The user must press Y to save the user account information.

The --quiet flag included in the adduser command tells Ubuntu that no info about the account creation process must be displayed when the account is created. After the student01 account is created, a directory named student01 is created within the /home directory, and all access permissions for the student01 user are automatically granted.

To delete a user account, the deluser or userdel commands can be used. The following command deletes the student01 account created previously with adduser.

Code Listing 54

$ sudo deluser student01

Deleting an account in the previous way doesn’t remove its respective home folder. In this case, the user must do it manually.

To erase a user account and its respective home folder at the same time, the --remove-home flag must be included in the deluser command.

Code Listing 55

$ sudo deluser --remove-home student01

The previous command deletes the student01 account along with its respective home folder.

Adding and deleting groups

The addgroup and delgroup commands control the process of creating and deleting local groups. As with user management, there is also a set of commands named groupadd and groupdel. The user can type the following command to add a group named syncfusion.

Code Listing 56

$ sudo addgroup syncfusion

Likewise, the delgroup command can be used to remove a group. The following command removes the syncfusion group previously created.

Code Listing 57

$ sudo delgroup syncfusion

Adding a user to a group and removing a user from it

To assign a user to a local group, the adduser command can be used in the form adduser <username> <groupname>. The following example adds the user student01 to the local group syncfusion.

Code Listing 58

$ sudo adduser student01 syncfusion

To remove a user from a local group, the deluser command can be used in the form deluser <username> <groupname>. The following command removes the user student01 from the local group syncfusion.

Code Listing 59

$ sudo deluser student01 syncfusion

Displaying all user accounts

The command compgen with the -u flag is used to display all user accounts that exist in the server, like the following sample.

Code Listing 60

$ compgen -u

Displaying all local groups

To display all local groups in the server, the -g flag for the compgen command is used. The following sample lists all local groups belonging to the server.

Code Listing 61

$ compgen -g

Listing the users belonging to a group

The command members can be used to display a list of the users who belong to a given group. In order to use members, the user needs to install the members package by issuing the following command.

Code Listing 62

$ sudo apt-get install members

After the package is installed, the following command can be used to display a list with all the users who belong to the syncfusion group.

Code Listing 63

$ members syncfusion

User profile security

As mentioned in the previous section, when a new user is created, the adduser command creates a brand new home directory named /home/username, where username corresponds to the name of the user that’s just been created. The default profile is modeled after the contents found in the /etc/skel directory, which includes all profile basics.

If the server will be home to multiple users, the server administrator should pay close attention to the user home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read and execute permissions. This means that all users can browse and access the contents of the home directories belonging to other users. This may not be suitable for a secure environment.

The following command verifies the user’s home directory permissions, assuming ubuntu-user is the user logged in.

Code Listing 64

$ ls -ld /home/ubuntu-user

The output generated by the command looks like the following sample.

Code Listing 65

drwxr-xr-x 2 ubuntu-user ubuntu-user 4096 2007-10-02 20:03 ubuntu-user

The first 10 characters of the output shown previously correspond to the permissions granted to the user’s home directory. As mentioned in Chapter 4, the three characters at the end show the permissions for “other” users in the system, or in other words, the world permissions. In this case, the r and x characters mean that read (r) and run (x) permissions are given to the world. The following command must be used to remove these permissions.

Code Listing 66

$ sudo chmod 750 /home/ubuntu-user

Now, “other” users have no access to the user’s home directory at all.

A more efficient approach is to instruct the adduser command never to give permissions to the world when it creates user home folders. This can be accomplished by editing the /etc/adduser.conf file and modifying the DIR_MODE variable, assigning it a value of 750. The nano editor can be used to modify this file.

Now, every time a user account is created, the home directory doesn’t give access permissions to the world (“other” users).
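The following script is an added example, not one of the book's listings. It audits the directories under a home base for any permission granted to "other" users and reads the DIR_MODE value that will apply to new accounts. The scratch directory tree and the sample adduser.conf contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit home directories for access granted to "other" users.

# world_accessible_homes BASE
# Print "MODE PATH" for each directory directly under BASE whose last octal
# digit (the permissions for "other") is not 0.
world_accessible_homes() (
    for dir in "$1"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue   # skip non-directories and symlinks
        mode=$(stat -c '%a' "$dir")                     # GNU stat, as shipped with Ubuntu
        case $mode in
            *0) ;;                                      # nothing granted to "other"
            *)  printf '%s %s\n' "$mode" "$dir" ;;
        esac
    done
)

# configured_dir_mode FILE
# Print the DIR_MODE value from a file in /etc/adduser.conf format
# (commented-out lines are ignored, the last assignment wins).
configured_dir_mode() {
    sed -n 's/^[[:space:]]*DIR_MODE[[:space:]]*=[[:space:]]*\([0-7]\{3,4\}\).*$/\1/p' "$1" | tail -n 1
}

# demo_home_audit: build a constructed /home tree in a scratch directory,
# audit it, tighten what the audit finds, and audit again.
demo_home_audit() (
    scratch=$(mktemp -d) || exit 1
    mkdir -p "$scratch/home/student01" "$scratch/home/ubuntu-user"
    chmod 755 "$scratch/home/student01"      # world read and execute, as described above
    chmod 750 "$scratch/home/ubuntu-user"    # already tightened
    printf '# constructed sample\nDIR_MODE=0755\n' > "$scratch/adduser.conf"

    echo "DIR_MODE for new accounts: $(configured_dir_mode "$scratch/adduser.conf")"
    echo "Before:"
    world_accessible_homes "$scratch/home"
    world_accessible_homes "$scratch/home" | while read -r _mode path; do
        chmod 750 "$path"
    done
    echo "After: $(world_accessible_homes "$scratch/home" | wc -l) directories still open"
    rm -rf "$scratch"
)

demo_home_audit
```

On a server, `world_accessible_homes /home` and `configured_dir_mode /etc/adduser.conf` run the same checks against the real locations without changing anything.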

Password policies

Setting a strong password policy is one of the most important aspects for a secure environment to avoid security breaches. If any form of remote access is going to be offered to the system, it must adequately address minimum password complexity requirements, maximum password lifetimes, and frequent audits of the authentication systems.

Minimum password length

By default, Ubuntu requires a minimum password length of six characters. This value is controlled in the file /etc/pam.d/common-password, which is outlined in the following snippet.

Code Listing 67

password [success=1 default=ignore] pam_unix.so obscure sha512

Assuming that an eight-character minimum length is required for all user passwords, the variable minlen must be changed. This change is shown in the following sample.

Code Listing 68

password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8

Note: Basic password checks and minimum length rules do not apply to the administrator using sudo-level commands to set up a new user.

Password expiration

It’s very important to have a policy that gives a minimum and a maximum age to user passwords, forcing users to change them when they expire.

The following command shows the current status of a user account, where username corresponds to the name of the user account to be queried.

Code Listing 69

$ sudo chage -l username

The following snippet is used to view the current status for the ubuntu-user account.

Code Listing 70

$ sudo chage -l ubuntu-user

The output should look like the following:

Code Listing 71

Last password change : Feb 02, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

In this case, there are no policies applied to the ubuntu-user account. The following is an example for setting an expiration date (-E) of 03/31/2016, a minimum password age (-m) of five days, a maximum password age (-M) of 90 days, and a warning time period (-W) of 14 days before password expiration.

Code Listing 72

$ sudo chage -E 03/31/2016 -m 5 -M 90 -W 14 ubuntu-user

By editing /etc/login.defs, the password expiration policy can be set for all users in the system.

Code Listing 73

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

Changing the PASS_MAX_DAYS value forces all users to change their password when the number of days specified has been reached.
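The values in /etc/login.defs are applied when an account is created, so accounts that already exist keep the aging fields stored for them in /etc/shadow, which is what chage reads and edits. The following added example (not one of the book's listings) compares those per-account fields with a policy; the shadow-format sample lines and their hashes are constructed.

```sh
#!/bin/sh
# Added example: compare per-account password-aging fields with a policy.
# Input is shadow(5) format: name:hash:lastchg:min:max:warn:inactive:expire

# audit_password_aging MAX MIN WARN   (reads shadow-format lines on stdin)
# Prints one "user: finding" line per violation. Accounts whose hash field
# starts with "!" or "*" cannot log in with a password, so they are skipped.
audit_password_aging() {
    awk -F: -v max="$1" -v min="$2" -v warn="$3" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > max + 0 {
            printf "%s: maximum age %s is above %d days\n", $1, ($5 == "" ? "unset" : $5), max
        }
        $4 == "" || $4 + 0 < min + 0 {
            printf "%s: minimum age %s is below %d days\n", $1, ($4 == "" ? "unset" : $4), min
        }
        $6 == "" || $6 + 0 < warn + 0 {
            printf "%s: warning period %s is below %d days\n", $1, ($6 == "" ? "unset" : $6), warn
        }'
}

# Constructed sample. ubuntu-user carries the values shown in Code Listing 71;
# student01 has had the chage options from Code Listing 72 applied.
# 16833 is Feb 02, 2016 and 16891 is Mar 31, 2016, in days since 1970-01-01.
SAMPLE_SHADOW='root:!:16833:0:99999:7:::
daemon:*:16833:0:99999:7:::
ubuntu-user:$6$constructed$notarealhash:16833:0:99999:7:::
student01:$6$constructed$notarealhash:16833:5:90:14::16891:'

# Policy used in the chage example: maximum 90, minimum 5, warning 14 days.
printf '%s\n' "$SAMPLE_SHADOW" | audit_password_aging 90 5 14
```

On a server, `sudo getent shadow | audit_password_aging 90 5 14` runs the same check against the real accounts.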

Managing file and directory permissions

Changing ownership

The chown command allows the user to change ownership for a file or directory. The syntax for this command is:

Code Listing 74

$ sudo chown <owneruser>[:<ownergroup>] <filename/directoryname>

Where:

<owneruser> is the username which will take the ownership for the file or folder

<ownergroup> corresponds to the group name which will take the ownership (optional)

<filename/directoryname> corresponds to the name of the file or directory whose ownership is being changed

The following sample changes the ownership for the tested directory, assigning it to the student01 user.

Code Listing 75

$ sudo chown student01 tested

To make sure that the sudo group and ubuntu-user account take ownership of the tested directory, the following command must be issued.

Code Listing 76

$ sudo chown ubuntu-user:sudo tested

To check ownership and permissions for files and directories, the ls -l command (previously explained in Chapter 4, “Managing files and directories”) must be used.

Changing permissions

The chmod command is used to change file or folder permissions. The syntax for this command follows:

Code Listing 77

$ sudo chmod {options} <filename/directoryname>

Where:

{options} corresponds to the kind of permissions that will be granted to the file or directory and to whom they will be granted.

<filename/directoryname> corresponds to the name of the file or directory whose permissions are being changed

I described the kinds of permissions for a file or folder in Chapter 4. These kinds of permissions are read (r), write (w), and execute or run (x). I also explained that a dash (-) represents the absence of that kind of permission.

The previous way in which permissions are identified is known as alphabetic notation. This notation requires that all permissions be represented in that order, that is, read (r), write (w), and execute (x). If access for one or more of these permissions will be restricted, a dash (-) must be specified instead.

The permissions for a file or directory are given for the owner of the file or directory first, then the group owner, and finally other users (the world). This results in three groups of three values, as in the following example.

Code Listing 78

-rw-r--r-- 1 root root    2981 Apr 26  2012 adduser.conf

Disregarding the dash at the beginning of the entry in the previous example, the file adduser.conf has read (r) and write (w) permissions for the owner (rw-), read (r) permissions for the group owner (r--), and read (r) permissions for other users (r--). This entry was obtained using the ls -l command, which uses alphabetic notation.

There is another way to identify file or directory permissions, called octal notation. This method represents each permission category (owner, group owner, and others) by a number between 0 and 7. The following table matches the values for alphabetic notation with the octal notation.

Alphabetic and Octal Notation Equivalences

Alphabetic Notation    Octal Notation Value
r (read)               4
w (write)              2
x (execute)            1
- (restricted)         0

In accordance with the previous table, 0 represents no permissions at all, and 7 (the sum of 4 + 2 + 1) represents full read, write, and execute permissions for a category. So, three digits will be used to represent file or directory permissions granted to the owner, the group owner, and other users, in that order.

For the adduser.conf file entry shown previously, the permissions in octal notation are 644. That is, read and write permissions (r + w = 4 + 2 = 6) for the owner, read permissions (r + - + - = 4 + 0 + 0 = 4) for the group owner, and read permissions (r + - + - = 4 + 0 + 0 = 4) for other users.

The chmod command uses octal notation to change permissions. If the user wants to change permissions for the adduser.conf file, they need to represent these permissions in octal notation first. The following sample grants the adduser.conf file full permissions for the owner, read permissions for the group owner, and restricts the access for other users.

Code Listing 79

$ sudo chmod 740 adduser.conf

Tip: When changing permissions, it must be considered that certain areas of the filesystem and certain processes require specific permissions to run properly. Inadequate permissions can lead to non-functioning applications or errors. On the other hand, overly permissive settings can be a security risk.

The chmod command can also use symbolic mode to change permissions. In this case, a plus (+) sign is used to add a permission, and a minus (-) sign is used to remove a permission. Also, an equal (=) sign can be used to set an exact combination for permissions.

The following sample sets read-only permissions on the adduser.conf file for user, group, and others, which removes write and execute permissions from all three.

Code Listing 80

$ sudo chmod =r adduser.conf

Permissions can be added or removed for a specific owner. In this case, the letters u, g, and o are used to specify user, group, and others, in that order. If the user wants to remove execution (x) permission from the file adduser.conf for others, the following sample can be used.

Code Listing 81

$ sudo chmod o-x adduser.conf

The following sample can be used to add write (w) permission to the file adduser.conf for the group owner.

Code Listing 82

$ sudo chmod g+w adduser.conf
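The following added example (not one of the book's listings) converts an ls -l permission string to octal notation and applies the chmod arguments from Code Listings 79 to 82 to a scratch file, printing the mode each one produces. It goes one step beyond the listings by showing that =r without a u, g, o, or a letter is filtered by the umask in GNU chmod; the helper names perm_to_octal and mode_after are hypothetical.

```sh
#!/bin/sh
# Added example: check permission notation and chmod arguments on a scratch file.

# perm_to_octal PERMSTRING
# Convert the first column of `ls -l` (type character plus nine permission
# characters, e.g. -rw-r--r--) to three octal digits. Special bits shown as
# s or t are not handled.
perm_to_octal() {
    printf '%s\n' "$1" | awk '{
        perms = substr($1, 2, 9)
        out = ""
        for (i = 0; i < 3; i++) {              # owner, group owner, other
            d = 0
            if (substr(perms, i * 3 + 1, 1) == "r") d += 4
            if (substr(perms, i * 3 + 2, 1) == "w") d += 2
            if (substr(perms, i * 3 + 3, 1) == "x") d += 1
            out = out d
        }
        print out
    }'
}

# mode_after INITIAL CHMOD_ARG [UMASK]
# Give a scratch file mode INITIAL, apply CHMOD_ARG under UMASK (default 022),
# and print the resulting octal mode. Only the scratch file is touched.
mode_after() (
    umask "${3:-022}"
    f=$(mktemp) || exit 1
    chmod "$1" "$f" && chmod "$2" "$f" && stat -c '%a' "$f"
    rm -f "$f"
)

perm_to_octal "-rw-r--r--"      # adduser.conf entry from Code Listing 78
mode_after 644 740              # Code Listing 79
mode_after 740 =r               # Code Listing 80
mode_after 755 o-x              # Code Listing 81
mode_after 644 g+w              # Code Listing 82
# With no u/g/o/a letter, GNU chmod leaves out the bits set in the umask:
mode_after 777 =r 027           # "other" gets nothing under umask 027
mode_after 777 a=r 027          # an explicit "a" is not filtered by the umask
```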

Chapter summary

Security issues are very important when a computer system is being deployed. Ubuntu Server takes this into account and disables the root administrative account by default. This action helps users avoid accidents and possible system malfunction. Instead, Ubuntu Server encourages users to employ the sudo command, which grants elevated privileges to perform administrative duties, but at the same time provides accountability for all user actions.

Adding and deleting users or groups is another important task for keeping a system safe. To perform these actions, the commands adduser, deluser, addgroup, and delgroup are available. Along with these, it’s highly recommended to protect each user’s home directory from being accessed by other users. This can be accomplished using the chmod command to assign the value 750 to each directory’s permissions. Also, changing the value of the DIR_MODE variable located in the /etc/adduser.conf file to 750 will protect the home directory for each new user added to the system from other users’ access.

Password policies help keep security breaches to a minimum once a system is deployed. The minimum password length is controlled in the /etc/pam.d/common-password file by changing the value of the minlen variable. Also, the administrator can force each user to change passwords at regular intervals. This can be done by editing the /etc/login.defs file to change the value of the PASS_MAX_DAYS variable.

Finally, granting ownership and permissions to files and directories makes system security complete. The chown and chmod commands perform ownership and permissions-changing operations, in that order. Permissions can be identified with alphabetic notation, which uses the letters r, w, and x for read, write, and execute permissions. Also, octal notation can be used. This notation uses a series of values between 0 and 7 to represent the read (r = 4), write (w = 2), and execute (x = 1) permissions. A value of 0 means access is restricted.
