Advanced Linux User Management: Privileges, Resource Limits, and More
If you are looking to better manage Linux environments, this guide explains essential concepts and security practices for advanced user management.
Linux serves as the foundation for various critical technologies used by enterprises and other users. That means it is essential for system administrators and professionals to understand advanced user management. This Linux knowledge is vital for maintaining security, optimizing resources, and ensuring operational efficiency.
In this article, I will delve into the intricacies of advanced Linux user management and outline the steps for managing well-orchestrated Linux environments.
The Linux Environment: Considerations
A major difference between Linux and Windows is the sheer number of Linux variants available. Within a company, one may even encounter multiple flavors or distributions of Linux in use based on what different teams prefer. Each Linux server has a local database of users and groups, and the replication of files across these servers can complicate user management.
With security in mind, organizations must have strict control over the root user and root access. In practice, this usually means using the sudo (Substitute User Do) command. Consequently, system administrations are responsible for building and maintaining sudoers files. In contrast, in Windows environments, user authentication is often handled by Active Directory, using Kerberos.
In Linux, the proper use of sudo is critical, especially when dealing with file replication across many systems. When managing multiple servers and configuring them across a cloud environment, it’s common to use Infrastructure as Code (IaC).
Introduction to Linux User Management
I will introduce several key concepts here under their respective subheadings.
User privileges and permissions
Let’s begin with the fundamentals of user privilege and permissions – an essential security concept in Linux. Managing the privileges and permissions of user accounts is typically one of the first tasks for an administrator to do. A basic principle in user security is to always follow the “Least Privilege Rule.”
By exercising control over user accounts, you ensure that each user is assigned only one username, ID, password, home directory, and so forth.
Privileged access management
Privileged access management (PAM) is a security practice related to what actions a user can take once they are logged into an account with privileged access. PAM is a key piece of advanced user management. In the cybersecurity industry, many vendors offer PAM offerings tailored to the needs of businesses.
PAM usually falls under the umbrella of identity and access management (IAM). The core objective of implementing IAM, and by extension, user management, is to ensure that once a digital identity is established, it is consistently monitored, maintained, and modified as necessary.
There are two primary categories of IT accounts (depending on the system, there may be a third): standard accounts and privileged accounts. Standard accounts are used for performing day-to-day tasks and operations, while privileged accounts are meant for root or privileged access. Privileged accounts should be distinctly separate from standard accounts.
Privileged access workstations
The security practice of privileged access workstations (PAW) categorizes workstations into three types:
Power Workstations (administration with root or escalated privileges);
Data Workstations (servers); and
User Workstations (for standard users).
The idea behind PAW is to have a separate machine exclusively used for performing privileged tasks, often referred to as the “administration/root machine.” This approach works well with Active Directory, especially in Windows environments where Kerberos is the authentication system.
The root account
All Linux operating systems have a common vulnerability: the root account. The root account grants the highest level of control, making it extremely important to protect root access. Unlike other accounts, there is no safety net with the root account. Even superusers can accidentally delete critical system files.
When an application is executed under the root account, it inherits full root privileges. If the executed application has any security vulnerability, it can potentially open the door for attackers to gain access to the system.
Resource limits and quotas
Resource management using quotas is a technique for preventing resource starvation and ensuring resource availability. To set limits on user processes, you can use the ulimit command, which gives you control over the memory, CPU usage, and the number of open file descriptors.
For control over system-wide resource limits and quotas, you can use a text or code editor like Nano to edit the /etc/security/limits.conf file. In Figure 1, you can see an example where I have used the cat command to view the contents of the /etc/security/limits.conf file.
image001_14
Figure 1. The output of the sudo cat /etc/security/limits.conf file. You can use a text or code editor to open this file for configuration.
image002_10
Figure 2. Here is the /etc/security/limits.conf file opened in Nano, ready for editing. In Nano, use Ctrl + O to save your changes and Ctrl + X to close the file after making changes.
User Roles and Responsibilities
In any organization, understanding user roles and their associated responsibilities is a must for systems management. As an organization scales up, this understanding becomes even more important.
Role-Based Access Control (RBAC) is widely accepted as an excellent method for granting permissions and resource access. RBAC classifies users into roles based on their specific job functions. Using RBAC ensures that users are granted access to only resources relevant to their roles, thereby reducing security risks while also simplifying user management.
Additionally, it’s important to understand the security principle of Separation of Duties. When practiced, Separation of Duties prevents any single user from having excessive control over the system. This principle is particularly valuable in Linux environments, which often involve users with diverse responsibilities – e.g., regular users, system administrators, and application managers.
Centralized Authentication With LDAP
LDAP, which stands for Lightweight Directory Access Protocol, is the most widely used method for centralized administration and management of organizations. Organizations that use LDAP are of all sizes, spanning the globe.
LDAP simplifies user administration by centralizing and replicating user information across the entire system and network. It communicates over DNS port 53, making it a powerful tool for centralizing user management and authentication. LDAP directories store information in a hierarchical structure, facilitating user management and reducing redundancy.
While the intricacies and implementation details of LDAP are beyond the scope of this article, it’s important to note that there is an open-source implementation called Open-LDAP available for Linux systems.
Implementing Single Sign-On
Single Sign-On (SSO) simplifies authentication by allowing users to access multiple applications and systems with a single set of credentials. SSO can be implemented using various protocols, including Security Assertion Markup Language (or SAML) and OpenID Connect. SSO can also be integrated into centralized management systems, such as Microsoft Azure.
Securing User Accounts With Two-Factor Authentication
As part of a defense-in-depth strategy, the addition of an extra layer of security can impede potential attackers. This is where two-factor authentication (2FA) comes in.
There are several methods of implementing 2FA, with varying levels of security.
The least secure type of 2FA is using simple message service (SMS) over a cellular network. The SMS method is vulnerable to “SIM-jacking,” a technique commonly used by attackers due to the inherent vulnerabilities of cellular communication protocols.
A safer approach is application-based 2FA authentication, although determined attackers with the right tools can still create phishing pages to steal 2FA codes and compromise your defenses.
The most secure form of 2FA uses FIDO (Fast Identity Online) certified physical security keys. These keys are relatively cheap and easy to implement, offering strong protection when combined with solid password policies.
Auditing and Monitoring User Activities
Routine auditing of user activities should form part of standard operations. This practice provides valuable insights for threat hunting hypothesis and contributes to overall system security and compliance efforts.
In Linux systems, the auditd daemon (or service) logs events such as user logins, privilege escalations, and file access. These logs are typically stored in the /var/log directory. Additionally, you will find logs like syslog, which records system activity, and kernlog, which documents kernel events with elevated privileges.
Understand the /etc/passwd File
The /etc/passwd file stores critical login information about user accounts. It’s a plain text file that contains a list of the system’s accounts. Each entry within the /etc/passwd file has useful information, such as username, user ID, group ID, home directory, and shell. There is a field for the password associated with each account in the file, represented by an x character, indicating that an encrypted password exists in the /etc/shadow file.
Write access to the /etc/passwd file must be restricted to root users.
Within the /etc/passwd file, each user has an entry, as can be seen in Figure 1 and Figure 2. These entries are organized line by line, with each field separated by a colon (:). There are a total of seven fields:
Username: This field is between 1 and 32 characters long and is used for user logins.
Password: An x character indicates that the encrypted password is stored in the /etc/shadow file.
User ID (UID): Each user is assigned a unique user ID. User ID 0 (zero) is reserved for the root account, while UIDs 1 to 99 are reserved for other predefined accounts. UIDs 100 to 999, meanwhile, are reserved by the system for administrative and system accounts and groups.
Group ID (GID): This corresponds to the group ID stored in the /etc/group file.
User ID Information (GECOS): This command field allows administrators to add extra information about the user, such as the user’s full name, email address, etc.
Home Directory: This specifies the absolute path to the directory the user will be located when they log in.
Command/shell: This specifies the absolute path of the user’s default command or shell, such as /bin/bash.
Make sure to take advantage of /etc/shadow passwords.
Understand the /etc/sudoers File and sudo Privileges
The /etc/sudoers file is where information about users with sudo privileges is configured. To make changes to the file, you can use your favorite text or code editor (mine is Nano).
I have covered modification of the /etc/sudoers file in depth in a few other articles, but here are the steps for using Nano:
Open the file using Nano (sudo nano /etc/sudoers)
Make your modifications.
Use Ctrl + O to save changes.
To exit Nano, press Ctrl + X.
You may have to restart the system after certain changes have been made.
Final Thoughts
Advanced Linux user management can be made easier when you understand configuration files and have a solid grasp of Linux fundamentals, including basic commands. Building on this foundation, you can implement the best practices for authentication, as we’ve explored here, with a focus on prioritizing security.
To develop your understanding of Linux, you can refer to the Additional Resources and Links section at the end of this article.
Frequently Asked Questions (FAQ)
Q: What are privileges in Linux?
A: In Linux, privileges govern what system resources a user or group can access. There are three basic privileges in Linux: read (r), write (w), and execute (x).
Additionally, there are two key aspects related to Linux privileges: the root account, which has access to all resources, and sudo users, which have limited administrative access.
Q: What are resource limits in Linux?
A: Resource limits, also known as quotas in Linux, are restrictions placed on the resources (e.g., disk space) that a user or group has access to. The purpose of managing resource limits is to prevent resource starvation, ensure consistent performance, and maintain system reliability. You can use the ulimit command to manage resource limits in Linux.
Q: What are user roles in Linux?
A: In Linux, user roles refer to owner (the user who owns the file or folder), group (the group who owns the file or directory), and all other users (neither owner nor part of the group associated with the file or directory). These three categories are referred to using the letters u, g, and o, respectively.
Permissions for these roles are typically denoted using letters: r (read), w (write), and x (execute). You can use commands like chmod command to assign and modify these permissions. For a more detailed explanation of permissions, read this article: Mastering File Permissions in Linux.
Additional Resources and Links
Microsoft Documentation on PAW: https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices
Stanford University PAW: https://uit.stanford.edu/service/paw
FIDO Alliance: https://fidoalliance.org/
ITPro Today Linux resources
Visit my ITPro Today author page for a library of my Linux-related articles: https://www.itprotoday.com/author/Grant-Knoetze
About the Author
You May Also Like