Linux User and Group Management Security Best Practices

This guide explores how to manage Linux users and groups for better system security.

Grant Knoetze, Contributor

September 22, 2023


Managing users and groups is an important aspect of the overall security of your Linux systems.

This guide will provide you with everything to know about handling user and group permissions, setting password policies, and managing file system quotas. Additionally, we will cover security best practices, such as enforcing a strong password policy, implementing two-factor authentication, and adhering to the principle of least privilege.

Key Aspects of Linux User and Group Management Security

The secure management of Linux users and groups has several important concepts at its core. Let’s go through some of these concepts here.

Group accounts

In Linux, groups are essentially collections of user accounts that share the same permissions and access to certain information. Using groups can be an effective way of implementing Role-Based Access Control (RBAC).

The proper management of group accounts is key to user and group security. As such, it’s critical to monitor and oversee group accounts. In large-scale environments, automation can assist with managing group accounts, but continuous monitoring remains crucial.

Passwords

Your password policy should enforce the use of complex passwords, aligning with best practices for user account security within your organization. If you have a Privileged Access Workstation or Privileged Access Management solution in place, then all key concepts, including password management, should be integrated into the workflow.

Group password permissions

Group password permissions pose an inherent security problem in Linux since they allow more than one person to know a password. However, group password permissions can also serve as a useful tool to permit cooperation among users. To administer group password permissions, you can use the gpasswd command.

Directory and file permissions

Managing access to files and folders on the system is a fundamental aspect of Linux administration security. For a thorough overview of this topic, you can read a previous article of mine: Mastering File Permissions in Linux.

Sudo access

Sudo access grants limited administrative access to users. The rules that grant sudo access live in the /etc/sudoers file; on most distributions that file also pulls in drop-in files from /etc/sudoers.d, and a %sudo or %wheel rule grants access to every member of that group, so the users named in /etc/sudoers alone are not always the complete list. The sudoers file itself is protected and requires sudo permissions to be accessed. In Figure 1, you can see how I used the cat command to display the contents of the /etc/sudoers file.


Figure 1. The output of the sudo cat /etc/sudoers command. The /etc/sudoers file can be modified using your favorite Linux text or code editor (mine is Nano), but open it through visudo, which checks the syntax before saving; a malformed sudoers file can lock every administrator out of sudo.
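A small audit that answers "who can actually run sudo here?" by reading sudoers, its drop-in directory and the group file together. This is an added example, not from the article; the three files it reads are constructed stand-ins created in a temporary directory, and the script does not account for users whose primary group (from /etc/passwd) is the sudo group.

```shell
# Constructed stand-ins for /etc/sudoers, /etc/sudoers.d/ and /etc/group
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/sudoers.d"
cat > "$SANDBOX/sudoers" <<'EOF'
# constructed sudoers: comments, Defaults and aliases are skipped by the audit
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
@includedir /etc/sudoers.d
EOF
cat > "$SANDBOX/sudoers.d/90-backup" <<'EOF'
backup  ALL=(root) /usr/bin/rsync
EOF
cat > "$SANDBOX/group" <<'EOF'
root:x:0:
sudo:x:27:bob,carol
backup:x:34:
EOF

# sudo_principals SUDOERS DROPIN_DIR GROUP_FILE
# Prints "user<TAB>source" for every account that has a sudo rule.
# %group rules are expanded through GROUP_FILE so that members who never
# appear in sudoers by name are still listed.
sudo_principals() {
    cat "$1" "$2"/* 2>/dev/null | awk -v groups="$3" '
        BEGIN {
            # build group -> members map from the group file
            while ((getline line < groups) > 0) {
                split(line, f, ":")
                members[f[1]] = f[4]
            }
        }
        NF == 0 || /^[ \t]*#/ { next }      # blank lines and comments
        /^[ \t]*(Defaults|@include|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        $1 ~ /^%/ {                         # %group rule: list each member
            g = substr($1, 2)
            n = split(members[g], m, ",")
            for (i = 1; i <= n; i++) print m[i] "\tgroup " g
            next
        }
        { print $1 "\tdirect" }             # user named directly in a rule
    ' | sort -u
}

sudo_principals "$SANDBOX/sudoers" "$SANDBOX/sudoers.d" "$SANDBOX/group"
```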

File system quotas

File system quotas are an important feature, built into the Linux kernel. You can manage quotas locally or remotely using the quota command.

If the quota command is not already installed, you can install it using sudo apt install quota for Debian-based distributions or sudo yum install quota for Red Hat-based distributions.

Quotas determine the storage space required to support user activities and operations. They are also used to establish limitations on both the number of files a user can create on a system and the amount of disk space that a user or group can access within a file system. Failing to set quotas can lead to users consuming excessive disk space, potentially creating problems for the organization and other users.
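To act on quotas you need to read the report the quota tools produce. The following added example (not from the article) parses a constructed sample in the layout that repquota -u prints and flags users who are over a soft limit or at a hard limit. It assumes, as repquota does, that the grace column is only printed for a user who is over the corresponding soft limit, which is why the flag pair in column two is used to locate the file-limit fields.

```shell
# Constructed sample in the layout that `repquota -u /home` prints; the grace
# column only appears for a user who is over the corresponding soft limit.
REPORT=$(mktemp)
cat > "$REPORT" <<'EOF'
*** Report for user quotas on device /dev/sda2
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  204800       0       0              10     0     0
alice     +-  563200  512000  614400  5days     4100  5000  6000
bob       --  102400  512000  614400              300  5000  6000
carol     -+   40960  512000  614400             5200  5000  6000  6days
EOF

# quota_findings REPORT_FILE
# Prints "user<TAB>finding" for accounts over a soft limit or at a hard limit.
# Only lines whose second column is a two-character +/- flag pair are quota
# rows; the first flag says whether a block grace value shifts the file fields.
quota_findings() {
    awk '$2 ~ /^[-+][-+]$/ {
        user = $1
        bused = $3; bsoft = $4; bhard = $5
        i = (substr($2, 1, 1) == "+") ? 7 : 6   # skip block grace if present
        iused = $i; isoft = $(i + 1); ihard = $(i + 2)
        if (bsoft > 0 && bused > bsoft)
            printf "%s\tblocks over soft limit (%d%% of soft)\n", user, 100 * bused / bsoft
        if (bhard > 0 && bused >= bhard)
            printf "%s\tblocks at hard limit\n", user
        if (isoft > 0 && iused > isoft)
            printf "%s\tfiles over soft limit (%d%% of soft)\n", user, 100 * iused / isoft
        if (ihard > 0 && iused >= ihard)
            printf "%s\tfiles at hard limit\n", user
    }' "$1"
}

quota_findings "$REPORT"
```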

Understand the /etc/passwd File and the /etc/shadow File

The /etc/passwd file is where user information is stored in Linux. When you examine this file, an x character in the password field indicates that the encrypted password is stored in the /etc/shadow file, which, unlike /etc/passwd, is readable only by root. It's highly recommended to use shadow passwords in Linux environments.

The /etc/passwd file contains many fields. I have previously run through these in another article, which you can find here: Advanced Linux User Management: Privileges, Resource Limits, and More.

Enforcing Strong Password Policies

Enforcing strong password policies is an essential security practice, so let’s run through the basics.

Password validity period

One key aspect of enforcing password policies is the password validity period, which requires users to periodically change their passwords according to established procedures and guidelines.

You can modify the configuration file for password attributes and policies using any text or code editor you like. To do this, simply open the /etc/login.defs file, and follow the steps shown in Figure 2, Figure 3, and Figure 4. In Figure 4, you can see the PASS_MAX_DAYS attribute.


Figure 2. This is the output of the /etc/login.defs file to the terminal.


Figure 3. Use a code or text editor (e.g., Nano) from the command line to modify the file.


Figure 4. Modify the /etc/login.defs file to change the password validity period or another attribute.
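PASS_MAX_DAYS in /etc/login.defs is only a default for newly created accounts; each /etc/shadow entry carries its own maximum age in field 5, so an audit has to read both. The added example below (not from the article) does that over constructed excerpts of both files and reports passwords that are past their maximum age as well as accounts with an empty password field; the "today" value is passed in as days since the epoch, which is how shadow stores the last-change date.

```shell
# Constructed excerpts; lastchange in /etc/shadow is days since 1970-01-01
SANDBOX=$(mktemp -d)
cat > "$SANDBOX/login.defs" <<'EOF'
# constructed /etc/login.defs excerpt
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
EOF
# fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
cat > "$SANDBOX/shadow" <<'EOF'
root:$6$saltsalt$constructedhash:19600::::::
alice:$6$saltsalt$constructedhash:19500:1:90:7:::
bob:$6$saltsalt$constructedhash:19400:1:365:7:::
svc-backup:*:19000::::::
guest::19640::::::
EOF

# password_age_report SHADOW LOGIN_DEFS TODAY_DAYS
# Prints "user<TAB>finding":
#   EMPTY    no password hash at all (the account can log in without a password)
#   EXPIRED  password older than its max age: shadow field 5 if set, else PASS_MAX_DAYS
# Locked accounts (hash starting with * or !) are skipped.
password_age_report() {
    default_max=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$2")
    awk -F: -v today="$3" -v def_max="${default_max:-99999}" '
        $2 == "" { print $1 "\tEMPTY"; next }
        $2 ~ /^[*!]/ { next }
        {
            max = ($5 == "") ? def_max : $5
            if (today - $3 > max) print $1 "\tEXPIRED"
        }
    ' "$1"
}

# 19650 days after the epoch is 2023-10-20 (constructed "today")
password_age_report "$SANDBOX/shadow" "$SANDBOX/login.defs" 19650
```

On a live system the same function can be pointed at the real files with `date +%s` divided by 86400 as the third argument.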

Password complexity

Passwords should be complex, consisting of a combination of uppercase and lowercase letters, numbers, special characters, etc., arranged randomly. It’s recommended that users create passwords that are between 12 and 15 characters in length.

The use of Pluggable Authentication Modules (PAM) in Linux is a good way to achieve password complexity. In Figure 5, I demonstrate the installation of a PAM library package on my Ubuntu distro using the sudo apt install libpam-pwquality command. It’s important to note that there are many paid and open-source PAM options available in Linux. I am just demonstrating one.


Figure 5. Importing the PAM library package.

Once installed, navigate to the /etc/pam.d/common-password file, as can be seen in Figure 6. In this file, you can modify a few fields on the pam_pwquality.so line to help enforce password requirements such as minimum length and complexity.


Figure 6. The /etc/pam.d/common-password file is ready for configuration in Nano.
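Editing the pam_pwquality.so line by hand is fine once; doing it repeatably across machines calls for something idempotent. The added example below (not from the article) updates that line in a constructed copy of /etc/pam.d/common-password, replacing options that are already present and appending the rest, and then shows the resulting options. The option names (minlen, dcredit, ucredit, lcredit, ocredit, enforce_for_root) are real pam_pwquality options; the values chosen are an assumption matching the 12-character guidance above.

```shell
# Constructed excerpt of /etc/pam.d/common-password as Ubuntu lays it out
PAMFILE=$(mktemp)
cat > "$PAMFILE" <<'EOF'
# constructed excerpt; only the pwquality module line is touched
password        requisite                       pam_pwquality.so retry=3
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF

# set_pwquality_opts FILE opt[=value]...
# Updates the pam_pwquality.so line in place: an option already present is
# replaced, a missing one is appended. Running it twice gives the same result.
# Note that assigning a field makes awk re-join the line with single spaces.
set_pwquality_opts() {
    file=$1; shift
    awk -v opts="$*" '
        /pam_pwquality\.so/ {
            n = split(opts, o, " ")
            for (i = 1; i <= n; i++) {
                eq = index(o[i], "=")
                key = eq ? substr(o[i], 1, eq) : o[i]   # "minlen=" or "enforce_for_root"
                found = 0
                for (j = 4; j <= NF; j++)
                    if ((eq && index($j, key) == 1) || $j == key) { $j = o[i]; found = 1 }
                if (!found) $0 = $0 " " o[i]
            }
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pwquality_opts FILE: prints the options currently on the pam_pwquality line
pwquality_opts() {
    awk '/pam_pwquality\.so/ { s = ""; for (i = 4; i <= NF; i++) s = s (i > 4 ? " " : "") $i; print s }' "$1"
}

# 12+ characters with at least one digit, upper, lower and symbol; without
# enforce_for_root, root is only warned when it sets a weak password
set_pwquality_opts "$PAMFILE" minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 enforce_for_root
pwquality_opts "$PAMFILE"
```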

Implementing Two-Factor Authentication

The implementation of two-factor authentication (2FA) can take various forms, with varying levels of security. The least secure method involves using cellular communication to send a Short Message Service (SMS) message as the second stage of authentication.

A more secure option is to use an application like Google Authenticator or Microsoft Authenticator. However, even this method can be vulnerable to determined attackers who use phishing pages to trick victims.

The most secure form of 2FA is to use a FIDO physical security key. In IT, there is a saying, “Two is one and one is none,” when it comes to backups, and the same principle applies here. It’s recommended to have at least two physical keys because if you lose your key, you will lose access to your accounts. Personally, I have three physical FIDO security keys at all times.

Implementing the Principle of Least Privilege

Simply put, it's a best practice for users to initially log in with the lowest level of privileges. They should only switch to elevated privileges when they need to perform an administrative task and then immediately switch back to a regular user account.

This approach has evolved into the Privileged Access Workstation concept, which divides an organization's computer systems into three groups: Power (administrator), Data (servers), and Workstations (users). The idea behind this is to have a dedicated machine specifically for administrative tasks that a system administrator can log into, perform an administrative task, and then log out. Servers are meant for data- and server-related tasks. Standard user workstations should never be used for administrative purposes. Standard users should not have any administrative access.

In the Linux environment, we use the sudo tool/command, which provides greater flexibility in assigning limited administrative tasks to specific users while maintaining security.

Final Thoughts

User and group management should be part of a comprehensive defense-in-depth strategy. Administrators must stay up to date with the latest best practices for securing users and groups both locally and remotely. Luckily, the flexibility and power of Linux offer a wide range of options, tools, and commands to assist with managing user and group security effectively.

Frequently Asked Questions (FAQ)

Q: What is user security?

A: User security is a practice that involves the management of user passwords, privilege levels, access to resources, and other aspects. Typically, user authorization is established through Role-Based Access Control, which grants users access to certain resources based on their designated role. Users are expected to comply with password policies, which can include having to periodically change passwords and using suitably complex passwords. Additionally, the implementation of two-factor authentication further strengthens user security.

Q: What is group security?

A: In Linux, groups are sets of user accounts that share access to the same resources. Groups can also have group passwords. Groups are a great way of granting access to resources based on a user’s role or function. However, it’s important to be aware that having multiple users with access to group passwords can increase the risk of passwords being lost or stolen. As such, groups need to be managed.

Fortunately, Linux offers plenty of options in the open-source market for applications and tools that support group management. Additionally, the Linux operating system itself includes built-in commands and tools that can sufficiently manage users and groups without the need for extra downloads. In cases where a command or tool needs to be downloaded, it can be done easily through the terminal.


About the Author

Grant Knoetze

Contributor

Grant Knoetze is a cybersecurity analyst with a special interest in DFIR, programming languages, incident response, red-teaming, and malware analysis. His full-time job includes teaching and instructing in various topics from basic Linux all the way through to malware incident response, and other advanced topics. He is also a speaker at various conferences worldwide.

www.grantknoetze.com

https://github.com/Grant-Knoetze

https://www.linkedin.com/in/grant-knoetze-563b0b1b6/
