Root User security management policies and practices in Linux, Part 1: Permission overview and Security Access

Source: Internet
Author: User
Tags root access least privilege

Linux Root User (Root) Permission Overview
Root is the super administrator account on Linux and Unix systems. It has supreme power over the entire system and can operate on all objects. For this reason, an attacker who intrudes into a system generally has to elevate privileges to root. The Windows equivalent is adding an unauthorized account to the Administrators user group. By comparison, Administrator is the super administrator account on systems with the Windows NT kernel and has high-level permissions. The SYSTEM user group can be understood as the permissions of the computer system itself: it can operate on all objects and perform operations on all processes.
Therefore, if root permission is not effectively controlled, system security is seriously threatened as soon as a user abuses the permission or obtains it illegally. This article describes in detail, with specific commands, how to use and manage this permission securely.
Analysis of Root Privilege Acquisition
Overview
Generally, you obtain root privileges either by logging on with the root user name or by running the su command and supplying the root password. More recently, sudo has taken over from these classic techniques for granting root privileges. With sudo, you log on under your own username, run a sudo command, and provide your own password (not the root password) to obtain root privileges.
When an ordinary user executes a privileged command in a graphical environment, the system prompts for either the root password or the user's password, depending on how the system is set up. Some distributions lock the root account by not assigning a root password. On these systems, root privileges cannot be obtained by providing the root password. Fedora/RHEL assigns a root password when the system is installed, so these techniques can be used from the very beginning.
During installation, some systems (not Fedora/RHEL) lock the root account by not providing a root password. This setting prevents anyone from logging on with the root account (unless the system is in single-user mode). However, the root user name on the first line of the /etc/passwd file shows that a root account still exists. This account owns files (run ls -l /bin) and runs processes (run ps -ef and look at the leftmost output column). The root account is essential to the operation of Linux.
When set up correctly, the sudo utility allows you to run commands as if you were the root user. The phrase "use root privileges" in this article emphasizes that, although the user is not logged on as root, the user has special privileges when using sudo.
The following list describes ways to obtain or grant root privileges. Some of these techniques require the root account password; if the root account is locked, you cannot use them unless you unlock the root account (set a root password). Other techniques rely on the sudoers file being set up to grant root privileges; you cannot use them unless the sudoers file is set up that way.

  • When the system enters single-user/rescue mode, you are logged on as root.
  • When you are logged on under your own username, you can use the su (substitute user) command. After you provide the root password, you are running with root privileges.
  • The sudo utility allows specified users to run selected commands with root privileges while logged on as themselves. You can set up sudo to allow specific users to perform specific tasks that require root privileges without granting those users root privileges over the entire system.
  • Once the system is up and running in multi-user mode, you can log on as the root user. After you provide the root password, you are running with root privileges.
  • Some programs ask for a password (your password or the root password, depending on the command and the system configuration) when they start. When you provide the password, the program runs with root privileges. When you exit the program, you stop running as a privileged user. This setup keeps you from remaining logged on with root privileges.
  • Any user can create a setuid (Set User ID) file. A setuid program runs on behalf of the owner of the file and has all the access privileges of the owner. Working with root privileges, you can change the permissions of a file owned by root to setuid. When an ordinary user executes a file that is owned by root and has setuid permission, the program has effective root privileges. In other words, the program can do anything that root privileges allow and that an ordinary program cannot. The user's own privileges do not change, so after the program finishes, the user's privileges are the same as before the program started. Setuid programs owned by root are very powerful and extremely dangerous to system security, which is why a system contains very few of them. Examples of setuid programs owned by root include passwd, at, and crontab.
Because a setuid program owned by root allows someone who does not know the root password to gain root privileges without using sudo, such programs are attractive targets for malicious users. In addition, a programming error that would merely crash an ordinary program can become a root vulnerability in a setuid program. A system should have as few of these programs as possible. By mounting a file system with the nosuid option, you can disable setuid programs at the file system level. You can also use SELinux to disable setuid programs.
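The following script is an added example, not part of the original article. It lists setuid files that are not on an allowlist and shows which mounts carry nosuid; the allowlist paths for passwd, at and crontab are assumptions to adjust per distribution.

```shell
#!/bin/sh
# Added example: keep the set of setuid programs small and known.

# unexpected_setuid DIR ALLOWLIST_FILE
#   Prints setuid files under DIR that are not listed in ALLOWLIST_FILE
#   (one absolute path per line).
#   -xdev        stay on DIR's own file system
#   -perm -4000  the setuid bit is set
#   Add "-user root" to the find expression to report root-owned files only.
unexpected_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
        sort |
        { grep -Fxv -f "$2" || true; }
}

# nosuid_mounts MOUNTS_FILE
#   Prints the mount points that carry the nosuid option. MOUNTS_FILE uses the
#   /proc/mounts layout: device mountpoint fstype options dump pass.
nosuid_mounts() {
    awk '{
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") print $2
    }' "$1"
}

# Demo. The article names passwd, at and crontab as expected setuid programs;
# the paths below are assumptions, not taken from the article.
allow=$(mktemp)
cat > "$allow" <<'EOF'
/usr/bin/passwd
/usr/bin/at
/usr/bin/crontab
EOF
echo "setuid files in /usr/bin that are not on the allowlist:"
unexpected_setuid /usr/bin "$allow"
if [ -r /proc/mounts ]; then
    echo "file systems mounted with nosuid:"
    nosuid_mounts /proc/mounts
fi
rm -f "$allow"
```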
Do not allow root access over the Internet. The default Fedora/RHEL policy prohibits users from logging on as root over the network. The /etc/securetty file must contain the names of all devices from which users are to be allowed to log on as root. However, you can still use ssh to log on as root over the network, because the ssh installed with Fedora/RHEL does not follow the instructions in securetty or access.conf. In addition, in /etc/ssh/sshd_config, Fedora/RHEL sets PermitRootLogin to yes (the default), which allows root to log on via ssh. To make the system more secure, change PermitRootLogin to no.
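The following check is an added example, not part of the original article. It reports the PermitRootLogin value that applies globally in an sshd_config-style file, and uses a constructed sample to show that a "no" appended below an earlier "yes" has no effect, because sshd uses the first value it reads for a keyword.

```shell
#!/bin/sh
# Added example: which PermitRootLogin value actually applies?
# Simplifications: Include files are not followed, and everything after the
# first Match line is treated as conditional and ignored.

# root_login_setting FILE -> prints the value in lower case, or "unset"
root_login_setting() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        { key = tolower($1) }              # keywords are case-insensitive
        key == "match" { exit }            # end of the global section
        key == "permitrootlogin" { value = tolower($2); exit }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# root_login_ok FILE -> exit status 0 only when root login is explicitly "no"
root_login_ok() {
    [ "$(root_login_setting "$1")" = "no" ]
}

# Demo on a constructed configuration (not taken from a real host).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
printf 'effective PermitRootLogin: %s\n' "$(root_login_setting "$cfg")"
if root_login_ok "$cfg"; then
    echo "OK: root login over ssh is disabled"
else
    echo "FINDING: set PermitRootLogin no at its first occurrence"
fi
rm -f "$cfg"
```

On a live host, running sshd -T with root privileges prints the configuration sshd actually resolves, including compiled-in defaults.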
Using su to Obtain Root Privileges
When Fedora/RHEL is installed, the user assigns a password to the root account. Therefore, you can use su to obtain root privileges without any further setup.
The su utility can spawn a shell or execute a program with the identity and privileges of a specified user (including root):
  • Follow su on the command line with a user name. If you are working with root privileges or you know that user's password, you take on the identity of that user.
  • When you run su without arguments, su by default spawns a shell with root privileges (you must provide the root password).
When you run su to gain root privileges, su spawns a new shell, which displays the # prompt. You can terminate this shell by pressing Control-D or running the exit command, which returns you to the normal state (the previous shell and prompt). The su command without arguments changes the user and group IDs but makes minimal changes to the environment. For example, the value of PATH does not change after su is executed. The id utility displays the user ID, group ID, and associated groups. In the following example, the information starting with context pertains to SELinux:
$ pwd
/home/sam
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/sbin:/home/sam/bin
$ id
uid=500(sam) gid=500(sam) groups=500(sam) context=unconfined_u:...
$ su
Password:
# pwd
/home/sam
# echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/sbin:/home/sam/bin
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)...
# exit
exit
$
 
When you run the su - command (you can replace the hyphen with -l or --login), su provides a root login shell, as if you had logged on as root. Not only do the shell's user and group IDs match those of root, but the environment is also the same as when you log on as root. The login shell runs the corresponding startup files before it displays a prompt. The working directory is set to the one root has after logging on, and PATH is set as if you had logged on as root. PATH usually contains the /sbin and /usr/sbin directories before /bin and /usr/bin.
$ su -
Password:
# pwd
/root
# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
 
You can use su with the -c option to run a single command with root privileges; after the command runs, you are returned to the original shell. In the following example, Sam tries to set the system clock as himself (a non-privileged user). After Sam enters the date command, the date utility displays an error message followed by an expanded version of the date Sam entered. When he uses su to run date to set the system clock, su prompts him for a password, he enters the root password, and the command succeeds. The quotation marks are necessary because su -c takes the command as a single argument.
$ date 12281448
date: cannot set date: Operation not permitted
Tue Dec 28 14:48:00 PST 2010
 
$ su -c "date 12281448"
Password:
Tue Dec 28 14:48:00 PST 2010
 
 
The following example first shows that Sam is not allowed to terminate a process. However, by using su -c and the root password, Sam can terminate the process with root privileges.
$ kill -15 4982
-bash: kill: (4982) - Operation not permitted
$ su -c "kill -15 4982"
Password:
$
 
 
The last example combines the - and -c options to show how to run a command with root privileges in the root environment:
$ su -c pwd
Password:
/home/sam
$ su - -c pwd
Password:
/root
 
When you are working with root privileges, the fewer directories you keep in PATH, the less likely you are to execute an untrusted program with root privileges. If possible, keep only the default directories, such as /sbin and /usr/sbin, in root's PATH. Never include the working directory in PATH (that is, as . or :: anywhere in PATH, or as : as the last element of PATH).
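The following audit is an added example, not part of the original article. It checks a PATH value for the cases named above (".", "::", a trailing ":") and goes slightly further by also flagging a leading ":", other relative elements and world-writable directories.

```shell
#!/bin/sh
# Added example: audit a PATH value intended for root.
# Findings, one per line:
#   empty-element         leading ':', trailing ':' or '::' (the working directory)
#   relative:<elem>       '.' or any element that does not start with '/'
#   world-writable:<dir>  existing directory that any user can write to

# audit_path PATH_VALUE
#   The body runs in a subshell so that IFS and 'set -f' do not leak.
audit_path() (
    p=$1
    case $p in
        '' | :* | *: | *::*) echo "empty-element" ;;
    esac
    set -f                      # no globbing while the value is split
    IFS=:
    for d in $p; do
        [ -n "$d" ] || continue
        case $d in
            /*) ;;
            *) printf 'relative:%s\n' "$d"; continue ;;
        esac
        [ -d "$d" ] || continue
        # ls -ldL: mode of the directory itself, following symlinks
        mode=$(ls -ldL "$d" | cut -c1-10)
        case $mode in
            ????????w*) printf 'world-writable:%s\n' "$d" ;;
        esac
    done
    exit 0                      # leaves only the subshell
)

# Demo: the two PATH values shown in the article, plus a constructed bad one.
for candidate in \
    "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" \
    "/usr/local/bin:/usr/local/sbin:/usr/sbin:/home/sam/bin" \
    "/sbin:/usr/sbin:.:/tmp:"
do
    printf 'PATH=%s\n' "$candidate"
    audit_path "$candidate" | sed 's/^/    /'
done
```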
Using sudo to Obtain Root Privileges
Using sudo instead of the root account for system administration has many advantages:
  • When you run sudo, you need to remember only one password, your own, and not the root password as well.
  • The sudo utility logs all the commands it executes. If something goes wrong, this log can be used for system auditing to trace what was done.
  • The sudo utility logs which user ran each command. On a system with multiple administrators, this log shows which user executed a given sudo command. Without sudo, you cannot know which user ran a command with root privileges.
  • The sudo utility implements a more fine-grained security policy than su and the root account. With sudo you can allow specific users to execute specific commands, which the classic root account setup cannot do.
  • Using sudo makes it more difficult for a malicious user to gain access to the system. When there is an unlocked root account, a malicious user already knows the name of the account she wants to crack. When the root account is locked, she has to determine both a user name and a password before getting into the system.
  • Managing root passwords across many systems is challenging. Unless you write them down (and store them in a safe place), it is difficult to remember each system's password, and retrieving one takes a lot of time. Using sudo, even for full root shell access, makes it easier both to obtain root privileges on a large number of systems and to track which users have root privileges on each system.
Some users question whether sudo is as secure as su. Because both rely on passwords, they share the same strengths and weaknesses: if the password is cracked, the system is compromised. However, if the cracked password belongs to a user whom sudo allows to perform only one task, the system as a whole will not be at risk. Therefore, if used properly, the more fine-grained permission structure of sudo makes it safer than su.
Depending on how a system is set up, sudo may not always be the best and most secure choice. On a system used by a single user, there is no big difference between using sudo and carefully using su with the root password. In contrast, on systems with multiple users, and especially on networks of centrally managed systems, sudo can be set up to be more secure than su.
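The following parser is an added example, not part of the original article. It turns sudo's log records into a "who ran what as whom" report, as the logging advantages listed above describe. It assumes the classic one-line sudo syslog format, and every log line in it is constructed.

```shell
#!/bin/sh
# Added example: attribute privileged commands to users from sudo's log.

# sample_log -> constructed log lines (host, users and times are made up)
sample_log() {
    cat <<'EOF'
Jan 12 15:00:03 host1 sudo:      sam : TTY=pts/1 ; PWD=/home/sam ; USER=root ; COMMAND=/bin/date 01121500
Jan 12 15:02:10 host1 sudo:      sam : TTY=pts/1 ; PWD=/home/sam ; USER=root ; COMMAND=/bin/umount /music
Jan 12 15:05:41 host1 sudo:      max : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/max ; USER=root ; COMMAND=/usr/sbin/usermod -a -G wheel max
Jan 12 15:09:00 host1 sudo:      sam : TTY=pts/1 ; PWD=/home/sam ; USER=root ; COMMAND=/bin/bash
Jan 12 15:09:30 host1 sshd[812]: Accepted publickey for sam from 192.0.2.10 port 50022 ssh2
EOF
}

# sudo_report [LOGFILE] -> lines of: user<TAB>kind<TAB>run-as<TAB>command
#   kind is "ok", "denied" (sudo refused the request) or "root-shell"
#   (an interactive shell; commands typed inside it are not logged by sudo).
#   Reads standard input when no file is given.
sudo_report() {
    awk '
        / sudo(\[[0-9]+\])?: / {
            rec = $0
            sub(/^.* sudo(\[[0-9]+\])?: */, "", rec)    # strip syslog prefix
            sep = index(rec, " : ")
            if (sep == 0) next
            user = substr(rec, 1, sep - 1)
            rest = substr(rec, sep + 3)
            c = index(rest, "COMMAND=")
            if (c == 0) next                             # not a command record
            cmd  = substr(rest, c + 8)
            head = substr(rest, 1, c - 1)
            runas = "?"
            n = split(head, f, " ; ")
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
            # An accepted command starts with TTY=; a refusal starts with a message.
            kind = (head ~ /^TTY=/) ? "ok" : "denied"
            if (kind == "ok" && cmd ~ /\/(sh|bash|dash|ksh|zsh)$/) kind = "root-shell"
            printf "%s\t%s\t%s\t%s\n", user, kind, runas, cmd
        }
    ' "$@"
}

# sudo_findings [LOGFILE] -> only the records an auditor should look at
sudo_findings() {
    sudo_report "$@" | awk -F '\t' '$2 != "ok"'
}

echo "all sudo activity:";  sample_log | sudo_report
echo "needs review:";       sample_log | sudo_findings
```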
In the /etc/sudoers file, the following line allows members of the wheel group to use sudo to gain root privileges:
%wheel ALL=(ALL) ALL
 
If this line is commented out (as in RHEL and in Fedora 15 and earlier versions), work with root privileges and use visudo to remove the leading hash mark (#) so that members of the wheel group can obtain root privileges.
Next, working with root privileges, run usermod with the -a and -G wheel options to add the user who is to be granted root privileges to the wheel group. In the following example, substitute the user's name for sam.
# usermod -a -G wheel sam
# grep wheel /etc/group
wheel:x:10:root,sam
 
 
By default, sudo requires your password (not the root password) the first time you run it, and it sets a timestamp at that point. After you provide the password, sudo uses the timestamp and does not prompt for the password again for five minutes.
In the following example, Sam tries to set the system clock as himself (a non-privileged user). The date utility displays an error message followed by an expanded version of the date Sam entered. When he uses sudo to run date to set the system clock, sudo prompts him for his password, and the command succeeds.
$ date 01121500
date: cannot set date: Operation not permitted
Wed Jan 12 15:00:00 PST 2011
 
$ sudo date 01121500
[sudo] password for sam:
Wed Jan 12 15:00:00 PST 2011
 
 
Next, Sam uses sudo to unmount a file system. Because the command is run within five minutes of the previous sudo command, no password is required:
$ sudo umount /music
$
 
 
Sam now uses the -l option to check which commands sudo allows him to run. Because the sudoers file is set up as described in the earlier "quick setup" explanation, he is allowed to run any command as any user.
$ sudo -l
 
User sam may run the following command on this host:
    (ALL) ALL
 
You can grant root privileges for editing a file. Note the following:
  • When called with the -e option, or when called as sudoedit, sudo edits with root privileges the file named by its argument. By default, sudo uses the vi editor.
  • Any user who can run commands with root privileges can use the -e option. To give other users root privileges for editing any file, you must specify in the sudoers file that the user can execute the sudoedit command.
  • Calling an editor this way runs the editor in the user's environment with the least privilege. The sudo utility first copies the file to be edited to a temporary file owned by the user. If the file does not exist, sudo creates a new file owned by the user. Once the user has finished editing, sudo copies the file back to its original location (and restores its original permissions).
When several commands need to run with root privileges, it may be easier to spawn a root shell. You then run the commands without typing sudo before each one, and exit from the shell when you are done. This technique defeats some of the protections built into sudo, so use it carefully and remember to return to a non-root shell as soon as possible. Use sudo -i to spawn a root shell:
$ pwd
/home/sam
$ sudo -i
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys)...
# pwd
/root
# exit
logout
$
 
 
In this example, sudo spawns a root shell, which displays a # prompt to remind Sam that he is running with root privileges. The id utility shows the identity of the user running the shell. The exit command (you can also press Control-D) terminates the root shell and returns Sam to his normal state, with his previous shell and prompt.
In the previous example, the pwd builtin shows the modified environment created by the -i option. This option spawns a root login shell (with the same environment as a user logging on as root) and executes root's startup files. Before Sam runs sudo -i, the pwd builtin shows /home/sam as his working directory; afterward it shows /root (root's home directory). Use the -s option to spawn a root shell without modifying the environment. When sudo is called without options, it runs the specified command in an unmodified environment. To demonstrate this, the following example calls sudo without options to run pwd. When run this way, the command's working directory does not change.
$ pwd
/home/sam
$ sudo pwd
/home/sam
 
 
Although sudo runs ls with root privileges, it is the user's non-privileged shell that redirects the output, and that shell has no permission to write to /root. Therefore, the following command fails.
$ sudo ls > /root/ls.sam
-bash: /root/ls.sam: Permission denied
 
 
There are several ways to solve this problem. The simplest is to pass the entire command line to a shell running under sudo:
$ sudo bash -c "ls > /root/ls.sam"
 
The bash -c option spawns a shell that executes the string following the option and then terminates. The sudo utility runs that shell with root privileges. The string must be quoted to prevent the non-privileged shell from interpreting special characters. You can also use sudo -i to spawn a root shell, run the command there, and then exit from the privileged shell.
You can use command-line options to control how sudo runs a command. The following is the syntax of the sudo command line:
sudo [options] [command]
 
Here options is one or more options and command is the command to be executed. If the -u option is not given, sudo runs the command with root privileges. The following are some common options. For a complete list, see the sudo man page.
  • -b: (background) Runs command in the background.
  • -e: (edit) With this option, command is a file name, not a command. This option causes sudo to edit the file named command with root privileges, using the editor named by the SUDO_EDITOR, VISUAL, or EDITOR environment variable. The vi editor is used by default. You can also use the sudoedit utility without any options. With this technique, the editor does not run with root privileges.
  • -i: (initial login environment) Spawns the shell specified for root (or for another user specified by -u) in /etc/passwd and runs the startup files of root (or of the other user), with some exceptions (for example, TERM is not changed). Do not include command.
  • -k: (kill) Resets the timestamp of the user running the command, which means the user must enter his or her password the next time he or she runs sudo.
  • -L: (list defaults) Lists the parameters that a Defaults line in the sudoers file can set. Do not include command.
  • -l: (list commands) Lists the commands that the user running sudo is allowed to run on the local system. Do not include command.
  • -s: (shell) Spawns a new root (or another user specified by -u) shell as specified in the /etc/passwd file. Similar to -i, but does not change the environment. Do not include command.
  • -u user: Runs command with the privileges of user. Without this option, sudo runs command with root privileges.
Summary
The next article in this topic will discuss permission security and password management.
 