User authorization in Linux

Authentication and Authorization on Linux OS

Apache Ranger

Created on 02-21-2018 11:32 PM

The two most important aspects of security are

1. Authentication
2. Authorization

Authentication: the process of ascertaining that somebody really is who they claim to be (who are you?).
Authorization: the process of verifying that you are permitted to access something (are you allowed to access the resource?).

Let's take the example of a user logging into a Linux machine (ssh or terminal login). The user must authenticate with a username and password, thereby verifying that they are who they claim to be. The same user might still not be authorized to access a particular file, because they lack the permissions to read or write it.

The idea extends to other services as well: one can log in (authenticate) to booking.com if one has a profile, but is not authorized to change the prices of flights; only admins are allowed to do that. Hence authentication and authorization play a key role in determining the security properties of a service.

Let's see how authentication and authorization are implemented in the Linux OS.

The three most important files from a security perspective are
1. /etc/passwd
2. /etc/group
3. /etc/shadow

Each line of /etc/passwd has the format

username : x : uid : gid : user info : home dir : shell to use

Things to know:
1. The x means that the encrypted password is stored in the /etc/shadow file rather than here.
2. The gid here is the primary group id of the user. A user can be a member of multiple groups, but the one recorded in /etc/passwd is the primary group.


An excerpt from /etc/group

group name : password : gid : group list

Things to know
1. The password is generally not used, but a group can have a password too.
2. The group list is a list of user names. For these users, this group is a secondary group.

Let's look at the various relationships that exist:
1. Every group has a group id.
2. Every user has a user id.
3. In Linux it is not possible to have a user without a group id (by default, when a user is created, a group with the same name is created for it).
4. A user can have one primary group and multiple secondary groups.
5. A group can have multiple users.
6. Authentication is done based on username and password.
7. Authorization is done based on groups, since Unix follows the POSIX permission model of user : group : others.

1. sudo adduser user: adds a user together with a group of the same name. In Linux a user cannot exist without a group.

2. id username: prints uid=1001(foobar) gid=1001(foobar) groups=1001(foobar),4201(security), i.e. the groups of the user (/etc/passwd holds the primary gid). For user foobar, group foobar (gid 1001) is the primary group and security (gid 4201) is a secondary group.

3. groups username: lists all the groups this user belongs to (secondary membership is recorded in /etc/group).

4. To change the primary group of a user use: sudo usermod -g groupname username

5. getent passwd and getent group can also be used to look up this information; they query every configured source (local files as well as remote directory services), not just the local files.
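To make the file formats and the user/group relationships above concrete, here is an added example (not code from the original article) that parses constructed /etc/passwd- and /etc/group-style text, rebuilds the line that `id username` prints and the member list of a group, and runs a few consistency checks a defender would want (primary gid present in the group file, password field set to x, no second uid 0 account). All sample entries, names and ids are constructed for the example.

```python
"""Parse /etc/passwd- and /etc/group-style data and reproduce the view
that `id` and `groups` print, plus a few sanity checks.  The sample data
below is constructed for this example; it is not from any real host."""

from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")
GroupEntry = namedtuple("GroupEntry", "name passwd gid members")

# Constructed sample in the 7-field /etc/passwd layout.
# The 'legacy' entry has an empty password field on purpose (see audit()).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
foobar:x:1001:1001:Foo Bar:/home/foobar:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
legacy::1003:1003:Legacy Account:/home/legacy:/bin/sh
"""

# Constructed sample in the 4-field /etc/group layout (name:password:gid:members).
SAMPLE_GROUP = """\
root:x:0:
foobar:x:1001:
alice:x:1002:
legacy:x:1003:
security:x:4201:foobar,alice
"""


def parse_passwd(text):
    """Return {username: PasswdEntry}; uid and gid become ints."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, passwd, uid, gid, gecos, home, shell = line.split(":")
            users[name] = PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)
    return users


def parse_group(text):
    """Return {groupname: GroupEntry}; the member list becomes a Python list."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, passwd, gid, members = line.split(":")
            groups[name] = GroupEntry(name, passwd, int(gid),
                                      [m for m in members.split(",") if m])
    return groups


def groups_of(username, users, groups):
    """Primary group first (the gid stored in passwd), then every group whose
    member list names the user (secondary groups), in the order `id` uses.
    An unknown username raises KeyError, much as chown refuses unknown owners."""
    user = users[username]
    by_gid = {g.gid: g for g in groups.values()}
    result = [by_gid[user.gid]]
    for g in groups.values():
        if username in g.members and g.gid != user.gid:
            result.append(g)
    return result


def members_of(groupname, users, groups):
    """All users of a group: those whose primary gid is this group plus
    those listed as secondary members in the group file."""
    group = groups[groupname]
    primary = [u.name for u in users.values() if u.gid == group.gid]
    return sorted(set(primary) | set(group.members))


def id_line(username, users, groups):
    """Format the string that `id username` prints."""
    user = users[username]
    gl = groups_of(username, users, groups)
    listed = ",".join("%d(%s)" % (g.gid, g.name) for g in gl)
    return "uid=%d(%s) gid=%d(%s) groups=%s" % (
        user.uid, user.name, gl[0].gid, gl[0].name, listed)


def audit(users, groups):
    """Defender's consistency checks: every primary gid must exist in the
    group file, the password field should be 'x' (the hash lives in
    /etc/shadow), and no account other than root should have uid 0."""
    findings = []
    known_gids = {g.gid for g in groups.values()}
    for u in users.values():
        if u.gid not in known_gids:
            findings.append("%s: primary gid %d missing from group file" % (u.name, u.gid))
        if u.passwd != "x":
            findings.append("%s: password field is %r, not 'x'" % (u.name, u.passwd))
        if u.uid == 0 and u.name != "root":
            findings.append("%s: extra uid 0 account" % u.name)
    return findings


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    print(id_line("foobar", users, groups))
    print("members of security:", members_of("security", users, groups))
    for f in audit(users, groups):
        print("audit:", f)
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/group directly, but keep in mind the getent point above: accounts served by a remote directory will not appear in the local files.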

The Linux OS security architecture is very restrictive. The various aspects are
1. A user cannot exist without a group.
2. A group can exist without a user.
3. A file can only be owned by usernames and groups that are known to the Linux OS (from a local or remote service).
4. File ownership can never be changed to a non-existent user (create a file and try chown XXXXXX fileName).
5. Linux applies the authorization policy not only when reading a file but also when creating it.
6. On a Linux system there can be no resource handled by a random user that the OS is not aware of.


Authorization in Linux

Linux is a clone of UNIX, the multi-user operating system that can be accessed by many users simultaneously. Linux can also be used on mainframes and servers without any modification. But this raises security concerns, as an unsolicited or malicious user can corrupt, change or remove crucial data. For effective security, Linux divides authorization into 2 levels: ownership and permissions.

Ownership of Linux files

Every file and directory on your Unix/Linux system is assigned the 3 types of owner given below.

User

A user is the owner of the file. By default, the person who created a file becomes its owner. Hence, a user is also sometimes called an owner.

Group

A user group can contain multiple users. All users belonging to a group get the same group permissions on the file. Suppose you have a project where a number of people require access to a file. Instead of manually assigning permissions to each user, you could add all of them to a group and assign group permission to the file, so that only members of this group, and no one else, can read or modify the files.

Other

Any other user who has access to the file. This person has neither created the file nor belongs to a user group that owns the file. Practically, it means everybody else. Hence, when you set the permissions for others, it is also referred to as setting permissions for the world.

Now the big question arises: how does Linux distinguish between these three user types, so that a user 'A' cannot affect a file containing some other user 'B's' vital information? It is like not wanting your colleague, who works on your Linux computer, to view your images. This is where permissions come in, and they define what each user may do.


Permissions

Every file and directory in your UNIX/Linux system has the following 3 permissions defined for each of the 3 owners discussed above.

  • Read: This permission gives you the authority to open and read a file. Read permission on a directory gives you the ability to list its contents.
  • Write: The write permission gives you the authority to modify the contents of a file. The write permission on a directory gives you the authority to add, remove and rename files stored in the directory. Consider a scenario where you have write permission on a file but do not have write permission on the directory where the file is stored. You will be able to modify the file contents, but you will not be able to rename, move or remove the file from the directory.
  • Execute: In Windows, an executable program usually has the extension ".exe" and can simply be run. In Unix/Linux, you cannot run a program unless the execute permission is set. If the execute permission is not set, you might still be able to view/modify the program code (provided read and write permissions are set), but not run it.
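The three owner classes and the three permission bits combine into a small, fixed decision procedure, and the "write on the file but not on its directory" scenario above is the classic place where people get it wrong. The following added example (not code from the original article) implements that check: it selects exactly one class for the requester (user, then group, then other, with no fall-through), evaluates the read/write/execute bits against it, and models the file-versus-directory distinction for modifying versus removing an entry. The entries, uids and modes are constructed for the example; the root special case reflects the kernel's owner-override behaviour and is noted as such in the code.

```python
"""POSIX permission check for the three owner classes and the three bits,
including the file-vs-directory distinction from the Write paragraph.
Added example with constructed entries; not code from the original article."""

from collections import namedtuple

# mode is the 9-bit rwxrwxrwx permission field as an int, e.g. 0o664
Entry = namedtuple("Entry", "name mode uid gid is_dir")

R, W, X = 4, 2, 1


def permission_class(entry, uid, gids):
    """Return the 3-bit rwx triple that applies to the requester.
    Exactly one class is chosen, in order user > group > other; the kernel
    never falls through, so an owner denied by the user bits is denied even
    when the group or other bits would allow the access."""
    if uid == entry.uid:
        return (entry.mode >> 6) & 7
    if entry.gid in gids:
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def allowed(entry, uid, gids, want):
    """True if every bit in `want` (a combination of R, W, X) is granted."""
    if uid == 0:
        # root bypasses read/write checks (CAP_DAC_OVERRIDE); execute still
        # requires at least one x bit to be set somewhere on the entry.
        return want & X == 0 or (entry.mode & 0o111) != 0
    return permission_class(entry, uid, gids) & want == want


# The operations from the article, each checked against the right object:
def can_read(entry, uid, gids):          # open/read a file, or list a directory
    return allowed(entry, uid, gids, R)


def can_modify(entry, uid, gids):        # change the contents of a file
    return allowed(entry, uid, gids, W)


def can_run(entry, uid, gids):           # execute a program
    return not entry.is_dir and allowed(entry, uid, gids, X)


def can_remove_from(directory, uid, gids):
    """Add, remove or rename an entry: needs write on the *directory*, plus
    search (x) on it to reach the entry; the file's own bits do not matter."""
    return directory.is_dir and allowed(directory, uid, gids, W | X)


def mode_string(mode):
    """Render a 9-bit mode the way `ls -l` does, e.g. 0o664 -> 'rw-rw-r--'."""
    out = ""
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out += ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")
    return out


if __name__ == "__main__":
    # Constructed scenario: alice (uid 1002) owns notes.txt inside a
    # root-owned directory she cannot write to.
    shared = Entry("shared", 0o755, 0, 0, True)
    notes = Entry("notes.txt", 0o664, 1002, 1002, False)
    print(mode_string(notes.mode), "modify:", can_modify(notes, 1002, {1002}),
          "remove:", can_remove_from(shared, 1002, {1002}))
```

The no-fall-through rule is the detail worth remembering when auditing a mode: a file with mode 0o070 is unreadable by its own owner even though every member of its group can read it, so an owner who is "locked out" of a file is a mode problem, not a group-membership one.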

Updated: May 29, 2021
