Linux Identity and Access Control

In Linux systems, Identity and Access Control (IAC) is at the core of security management. It decides who may touch which resources through users, groups, file permissions, and mandatory access control mechanisms such as SELinux and AppArmor, and so prevents unauthorized operations and data breaches. The OWASP Top 10 (2021) ranks Broken Access Control as the number one web application risk, and the same class of mistake, an account or process holding more rights than its job needs, is just as common on Linux servers. Properly configuring identity and access control significantly improves system security, stability, and compliance.

1. Overview of Linux Identity and Access Control

1.1 What is Identity and Access Control?

Identity and Access Control (IAC) refers to the mechanisms by which a system establishes who a user is and controls what that user may do with resources. In Linux it covers authentication (verifying identity) and authorization (deciding access). A user authenticates with a username and a credential (a password, an SSH key, or a token handled through PAM); from then on every operation is decided by the permissions attached to the resulting UID and group memberships, not by the name.

Core Components:

  • User: System accounts, such as root or ordinary users.
  • Group: A collection of users that simplifies permission management.
  • Permission: Read (r), write (w), execute (x).
  • Advanced Mechanisms: SELinux, AppArmor, PAM.

Linux IAC combines two models: DAC (Discretionary Access Control), the classic owner/group/other permissions that the owner of a resource can change at will, and MAC (Mandatory Access Control), a system-wide policy enforced by SELinux or AppArmor that a file's owner cannot relax and that still confines a service after it has been compromised.

1.2 Importance of Identity and Access Control

IAC is the cornerstone of Linux security:

  • Security: Prevents intrusions and data breaches.
  • Compliance: Meets regulations such as GDPR, HIPAA, etc.
  • Resource Management: Limits user resource usage.
  • Auditing: Records access behavior.
  • Stability: Prevents crashes due to misoperations.

Misconfigured file and account permissions are a recurring root cause of data breaches, and the cost of a single such incident routinely runs into millions of dollars once investigation, notification and regulatory penalties are counted.

1.3 Typical Application Scenarios

  • Server Management: Restrict user access to /etc.
  • Web Applications: Apache runs as an unprivileged account (www-data on Debian/Ubuntu, apache on RHEL/Fedora) that can read content but should not own it.
  • Databases: MySQL user permission control.
  • Cloud Environments: IAM role management.
  • Development: Git repository permissions.

1.4 Challenges in Configuration

  • Complexity: Multi-user and multi-group configurations are prone to errors.
  • Permission Creep: Over-authorization leads to risks.
  • Advanced Mechanisms: SELinux has a steep learning curve, and the temptation is to disable it rather than fix the label.
  • Auditing: Log analysis is time-consuming.
  • Compatibility: Differences between distributions (e.g., Ubuntu vs CentOS).

1.5 Goals of Configuration

  • Least Privilege: Grant only necessary permissions.
  • Isolation: Resource isolation between users.
  • Automation: Scripted configuration.
  • Auditable: Record all access.
  • Efficiency: Optimize performance impact.

2. Linux User and Group Management

2.1 Principles of User Management

Linux users are defined in /etc/passwd and /etc/shadow. passwd is world-readable and stores the username, UID, primary GID, GECOS field, home directory and login shell (the "x" in its password field means "look in shadow"); shadow is readable only by root and stores the password hash and the password-aging fields.

User Types:

  • root: UID 0, the superuser. Any account with UID 0 is root, whatever its name.
  • System Users: UID 1-999 by convention (SYS_UID_MIN/SYS_UID_MAX in /etc/login.defs), used for services and normally given /usr/sbin/nologin as their shell.
  • Ordinary Users: UID 1000+ (UID_MIN in /etc/login.defs).

Management Commands:

  • useradd: Create a user.
  • usermod: Modify a user.
  • userdel: Delete a user.
  • passwd: Set a password.

2.2 User Management Practices

2.2.1 Creating a User

sudo useradd -m -s /bin/bash -G sudo user1
sudo passwd user1
  • -m: Create a home directory.
  • -s: Specify the login shell.
  • -G: Supplementary group(s) for the user. Note that sudo (Debian/Ubuntu) and wheel (RHEL/Fedora) grant full root through sudo, so only add a user there if that is intended; for a service account use -r (system account) with a non-login shell such as /usr/sbin/nologin instead.

2.2.2 Modifying a User

sudo usermod -aG docker user1
sudo usermod -L user1  # Lock: prefixes the password hash with "!"
sudo usermod -U user1  # Unlock

-a is essential: without it, -G replaces the user's whole supplementary group list. Weigh what a group grants before adding to it; docker, for instance, lets the member mount the host filesystem into a container and is root-equivalent. Note also that -L only disables password authentication: SSH keys keep working unless the account is also expired (chage -E 0) or its shell set to nologin.

2.2.3 Deleting a User

sudo userdel -r user1  # Delete home directory

2.2.4 Viewing a User

id user1
getent passwd user1  # exact match, and also covers LDAP/SSSD users, unlike grepping /etc/passwd

Best Practices:

  • Run each service under its own least-privilege account with no login shell.

  • Regularly audit user accounts, both login history and the account list itself (unexpected UID 0 entries, duplicate UIDs, accounts with an empty password field, system accounts with an interactive shell):

    sudo lastlog
    sudo last
    

2.3 Group Management

Groups are managed through /etc/group, simplifying permission assignments.

Group Types:

  • Primary Group: The GID recorded in /etc/passwd; files the user creates belong to this group (unless the directory carries the SGID bit).
  • Supplementary Groups: A user can belong to many, listed in /etc/group; a new membership takes effect at the user's next login.

Management Commands:

  • groupadd: Create a group.
  • groupmod: Modify a group.
  • groupdel: Delete a group.

Practice:

sudo groupadd devgroup
sudo usermod -aG devgroup user1
id user1  # the new membership appears in the user's next session
sudo groupdel devgroup

Best Practices:

  • Use groups to manage shared resources, such as the /shared directory.
  • Limit membership of privileged groups (root, wheel/sudo, docker, disk, adm): each is a path to root or to sensitive data, and membership is reviewed far less often than sudoers.

3. Linux File Permission Management

3.1 Permission Principles

Linux file permissions are based on user (u), group (g), and others (o), with permissions including read (r), write (w), and execute (x).

Permission Representation:

  • rwxr-xr-x: Owner rwx, group r-x, others r-x.

Special Permissions:

  • SUID (s in the owner's execute position): The program runs with the file owner's UID rather than the caller's. On a root-owned binary this is a privilege boundary, which is why SUID binaries are audited.
  • SGID (s in the group's execute position): On an executable, it runs with the file's group; on a directory, new files inherit the directory's group instead of the creator's primary group, which is what makes shared directories work.
  • Sticky (t in the others' execute position): In a directory, a file can be deleted or renamed only by its owner, the directory owner, or root (as in /tmp).

umask: The bits removed from the default creation mode (666 for files, 777 for directories). umask 022 yields files 644 and directories 755; umask 027 yields 640/750 and is the usual hardened baseline.

3.2 Permission Management Practices

3.2.1 chmod

chmod 755 /file  # rwxr-xr-x
chmod u+x /file  # Add execute for owner
chmod -R 755 /dir  # Recursive: note this also marks every regular file executable

For a recursive change that keeps files non-executable, use the symbolic X flag (for example u+rwX,go+rX), which adds execute only to directories and to files that already have it.

3.2.2 chown/chgrp

sudo chown user1:group1 /file
sudo chgrp group1 /file
sudo chown -R user1:group1 /dir

3.3 umask Configuration

umask 022
echo "umask 022" >> ~/.bashrc

This only covers that user's interactive shells. The system-wide default lives in /etc/login.defs (UMASK), /etc/profile or pam_umask, and daemons usually set their own umask at startup. For a hardened baseline prefer 027 (no access for others) or 077 (owner only).

Best Practices:

  • Principle of least privilege: 644 for files and 755 for directories is the usual default for public content; use 640/750 (or 600/700) for anything sensitive.

  • Regular audits. List SUID/SGID binaries and compare against a known-good baseline; an unexpected one is a classic persistence mechanism. Also look for world-writable files and directories without the sticky bit:

    sudo find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
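The following shell script is an added example, not code from the original article. It shows the two things the umask and permission-audit paragraphs above describe: what a given umask does to new files and directories, and a tree scan for SUID, SGID and world-writable entries (sticky directories like /tmp are world-writable by design and are excluded). The sample tree, the file names and the function names are constructed; audit_tree / run as root scans a real host. It relies on GNU find's -printf and GNU stat's -c.

```shell
#!/bin/sh
# Added example: demonstrate umask and audit a tree for risky modes.
# The tree under $SAMPLE_TREE is constructed for the demonstration.

WORK=$(mktemp -d)
SAMPLE_TREE=$WORK/tree

# new_file_mode UMASK -> octal mode of a file created under that umask
new_file_mode() {
    rm -f "$WORK/probe"
    ( umask "$1" && : > "$WORK/probe" )
    stat -c '%a' "$WORK/probe"
}

# new_dir_mode UMASK -> octal mode of a directory created under that umask
new_dir_mode() {
    rm -rf "$WORK/probe_dir"
    ( umask "$1" && mkdir "$WORK/probe_dir" )
    stat -c '%a' "$WORK/probe_dir"
}

# audit_tree DIR -> "kind mode path" per finding, sorted
audit_tree() {
    {
        find "$1" -xdev -type f -perm -4000 -printf 'suid %m %p\n'
        find "$1" -xdev -type f -perm -2000 -printf 'sgid %m %p\n'
        # world-writable, ignoring symlinks and sticky directories such as /tmp
        find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) \
            -printf 'world-writable %m %p\n'
    } 2>/dev/null | sort
}

# --- constructed sample tree ---
umask 022
mkdir -p "$SAMPLE_TREE/bin" "$SAMPLE_TREE/data" "$SAMPLE_TREE/scratch" "$SAMPLE_TREE/dropbox"
: > "$SAMPLE_TREE/bin/helper";     chmod 4755 "$SAMPLE_TREE/bin/helper"      # SUID binary
: > "$SAMPLE_TREE/bin/shared";     chmod 2755 "$SAMPLE_TREE/bin/shared"      # SGID binary
: > "$SAMPLE_TREE/data/notes.txt"; chmod 666  "$SAMPLE_TREE/data/notes.txt"  # anyone can edit
: > "$SAMPLE_TREE/data/ok.txt";    chmod 644  "$SAMPLE_TREE/data/ok.txt"     # fine
chmod 1777 "$SAMPLE_TREE/scratch"   # sticky: world-writable by design, not reported
chmod 777  "$SAMPLE_TREE/dropbox"   # no sticky bit: anyone can delete anyone's files

echo "umask 022 -> file $(new_file_mode 022), dir $(new_dir_mode 022)"
echo "umask 027 -> file $(new_file_mode 027), dir $(new_dir_mode 027)"
audit_tree "$SAMPLE_TREE"
```

The scan reports bin/helper, bin/shared, data/notes.txt and the dropbox directory, and nothing for ok.txt or the sticky scratch directory. On a real host, diff the SUID/SGID list against the one recorded at build time rather than reading it by eye.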
    

4. Linux ACL (Access Control Lists)

4.1 ACL Principles

ACLs extend the owner/group/other model with per-user and per-group entries on a single file or directory, so one extra user can be granted access without widening the group or changing ownership.

Enabling ACL:

  • ext4, XFS and Btrfs enable ACLs by default on current distributions; the acl mount option (and a remount) is only needed on older setups or where it was explicitly disabled. The setfacl and getfacl tools come from the acl package.

    sudo mount -o remount,acl /
    

4.2 ACL Management

  • setfacl: Set ACL.

    setfacl -m u:user1:rwx /file
    setfacl -x u:user1 /file  # Remove this entry
    setfacl -R -m u:user1:rwx /dir  # Recursive
    
  • getfacl: View ACL.

    getfacl /file
    

A file with an ACL shows a "+" after its mode in ls -l. Once named entries exist, the group bits in ls -l no longer show the owning group's rights but the ACL mask, which caps every named user, named group and the owning group. A later chmod on the file rewrites that mask and can silently reduce what was granted; getfacl flags such entries with "#effective:".

Default ACL:

setfacl -d -m u:user1:rwx /dir

A default ACL applies only to directories and is copied onto files and subdirectories created inside it afterwards; existing content is untouched, so combine it with a recursive -m for the current tree. setfacl -b strips every ACL entry from a path.

Best Practices: Use ACLs for shared directories where a single group does not fit, keep them few (they are easy to overlook in audits), and include getfacl -R in permission reviews.
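The mask interaction described above is easy to get wrong, so here is an added example (not from the original article) that computes effective ACL rights from getfacl output, reproducing the "#effective:" annotation getfacl prints, and works out the mask needed to honour every entry. The getfacl text is constructed: it is what you would see after granting user2 rwx and the auditors group r-x and then running chmod 644 on the file, because chmod rewrites the group bits, which on an ACL'd file are the mask. Function names are hypothetical.

```shell
#!/bin/sh
# Added example: compute effective ACL permissions from getfacl output.
# SAMPLE_ACL is constructed (the state after setfacl followed by chmod 644).

SAMPLE_ACL=$(cat <<'EOF'
# file: shared/report.txt
# owner: user1
# group: devgroup
user::rw-
user:user2:rwx
group::r--
group:auditors:r-x
mask::r--
other::r--
EOF
)

# effective_acl (getfacl text on stdin) -> the same entries, annotated with
# "#effective:" wherever the mask clips what the entry says
effective_acl() {
    awk -F: '
        /^#/ || NF == 0 { next }
        { entry[++n] = $0; if ($1 == "mask") mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                split(entry[i], f, ":")
                # the mask bounds named users, named groups and the owning
                # group; the owner and "other" are never masked
                if (mask != "" && ((f[1] == "user" && f[2] != "") || f[1] == "group")) {
                    eff = ""
                    for (j = 1; j <= 3; j++) {
                        c = substr(f[3], j, 1)
                        eff = eff ((c != "-" && substr(mask, j, 1) != "-") ? c : "-")
                    }
                    if (eff != f[3]) { print entry[i] "\t#effective:" eff; continue }
                }
                print entry[i]
            }
        }'
}

# required_mask (getfacl text on stdin) -> the smallest mask under which every
# masked entry keeps its full rights, i.e. the value for "setfacl -m m::..."
required_mask() {
    awk -F: '
        /^#/ || NF == 0 { next }
        ($1 == "user" && $2 != "") || $1 == "group" {
            for (j = 1; j <= 3; j++) if (substr($3, j, 1) != "-") bit[j] = substr($3, j, 1)
        }
        END {
            printf "%s%s%s\n", ((1 in bit) ? bit[1] : "-"), ((2 in bit) ? bit[2] : "-"), ((3 in bit) ? bit[3] : "-")
        }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
printf 'mask needed: %s\n' "$(printf '%s\n' "$SAMPLE_ACL" | required_mask)"
```

Against the sample, user2's rwx and the auditors' r-x both collapse to r--, and the mask would have to be rwx for the entries to mean what they say. Re-running setfacl -m without -n recalculates the mask automatically; a bare chmod does not.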

5. Linux Sudo and Su

5.1 Sudo Principles

Sudo lets an ordinary user run specific commands as root (or as another user) under a policy in /etc/sudoers and drop-in files in /etc/sudoers.d/. The caller authenticates with their own password, and every invocation is logged (journal, /var/log/auth.log or /var/log/secure).

Configuration:

sudo visudo

visudo checks the syntax before saving; a malformed sudoers file can lock everyone out of sudo, so never edit it with a plain editor. Add:

user1 ALL=(ALL) NOPASSWD: /bin/ls

Read the fields as user host=(runas) [tags:] command: user1 may run only /bin/ls, as any user, from any host, without a password prompt. Two cautions apply to rules like this. Restricting the command is only a restriction if that command cannot spawn a shell or write arbitrary files; editors, pagers, find, interpreters and anything with an output-file option are all root-equivalent. And NOPASSWD: ALL is simply a passwordless root account. Check what a user actually has with sudo -l -U user1.

Usage:

sudo ls /root

5.2 Su Principles

Su switches user identities.

Usage:

su - user1
su - root

Sudo vs Su:

  • Sudo: Per-command privilege, the caller's own password, a per-command audit log, and no need to share the root password (root's password can be locked altogether).
  • Su: Switches to the target user's full session and requires that user's password; su - loads the target's environment, su without the dash keeps yours.

Best Practices: Use sudo for administration, disable direct root login (PermitRootLogin no in sshd_config, and consider locking root's password), and review sudoers rules as carefully as group membership.
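As an added example (not from the original article), the script below lints a sudoers drop-in for the patterns the previous paragraphs warn about: NOPASSWD on ALL, a "!" exclusion from ALL (which the sudoers manual itself describes as ineffective, since the user can copy the binary), a glob in command arguments (which lets the caller append further arguments), and commands with a known shell escape. The drop-in content is constructed and includes one well-formed rule (a Cmnd_Alias with exact paths) beside the bad ones; the function name and the list of escape-capable commands are the example's own choices, not an exhaustive list. Validate real edits with visudo -cf FILE, and use this only as a first pass.

```shell
#!/bin/sh
# Added example: flag sudoers rules that are quietly root-equivalent.
# The sample drop-in is constructed; run
#   audit_sudoers /etc/sudoers.d/ops
# against a real file (after "visudo -cf" has accepted it).

WORK=$(mktemp -d)
SAMPLE_SUDOERS=$WORK/ops

cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample of /etc/sudoers.d/ops
Defaults    use_pty, log_output
# Good: an exact command list behind an alias, password still required
Cmnd_Alias  NGINX_CTL = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
%ops        ALL=(root) NGINX_CTL
user1       ALL=(ALL) NOPASSWD: /bin/ls
# Bad: each of these hands out root
dev         ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) /usr/bin/vim /etc/backup.conf
webadm      ALL=(root) /usr/bin/cat /var/log/nginx/*
junior      ALL=(ALL) ALL, !/bin/su
EOF

# audit_sudoers FILE -> "finding<TAB>offending line" for every match
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ { next }
        {
            # passwordless root for everything
            if ($0 ~ "NOPASSWD:[ \t]*ALL([ \t,]|$)") print "nopasswd-all\t" $0
            # "ALL, !/bin/su": the excluded binary can simply be copied elsewhere
            if ($0 ~ "![ \t]*/") print "negation\t" $0
            # a glob in the arguments also matches extra words, e.g. a second file
            if ($0 ~ "[*]") print "wildcard\t" $0
            # editors, pagers, find and interpreters can all start a root shell
            if ($0 ~ "(^|[ \t/,=:])(vim?|nano|less|more|man|find|awk|perl|python[0-9.]*|bash|sh|zsh|env|su)([ \t,]|$)")
                print "shell-escape\t" $0
        }' "$1"
}

audit_sudoers "$SAMPLE_SUDOERS"
```

On the sample the %ops and user1 rules pass; dev, backup, webadm and junior are each reported (junior twice, for the negation and for su). The point of the alias rule is that it names complete command lines, so there is nothing for the caller to add.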

6. Linux PAM (Pluggable Authentication Modules)

6.1 PAM Principles

PAM is the framework through which login, sshd, su, sudo and other services authenticate users, so a policy (password quality, lockout, a second factor) is configured once and applies to all of them. Each service has a stack of modules for four management types: auth (who are you), account (are you allowed in right now), password (changing credentials) and session (setup and teardown, such as resource limits). The control flag (required, requisite, sufficient, optional, or an explicit [value=action] list) decides how each module's result affects the rest of the stack.

Configuration Files:

  • /etc/pam.d/<service>: The per-service stack, e.g. /etc/pam.d/sshd for SSH.
  • /etc/pam.d/common-* (Debian/Ubuntu) or /etc/pam.d/system-auth and password-auth (RHEL/Fedora): Shared stacks that the per-service files include, and the right place for a system-wide policy.

Modules:

  • pam_unix: Authentication against /etc/shadow.
  • pam_limits: Resource limits from /etc/security/limits.conf.
  • pam_nologin: Refuse non-root logins while /etc/nologin exists.
  • pam_faillock (pam_tally2 on older systems): Lock an account after repeated failures.
  • pam_pwquality: Password strength rules.

Configuration Example (a minimal stack):

auth required pam_unix.so
account required pam_unix.so
session required pam_limits.so

Order matters: a sufficient module that succeeds ends the evaluation of its type. Edit PAM files with a second root session already open, because a mistake here can lock everyone out.

Advanced: Custom PAM modules.

Best Practices: Use PAM to enforce lockout, password quality and a second factor (for example pam_u2f or pam_google_authenticator), and apply the policy through the shared common-*/system-auth stacks rather than service by service.

7. Linux SELinux and AppArmor

7.1 SELinux Principles

SELinux is a MAC system originally developed by the NSA and now maintained in the mainline kernel as a Linux Security Module. Every process and object carries a label of the form user:role:type:level (for example system_u:system_r:httpd_t:s0), and the loaded policy decides which types may do what; with the default targeted policy only daemons are confined, while ordinary users run unconfined.

Modes:

  • Enforcing: Denials are blocked and logged.
  • Permissive: Denials are logged but allowed, which is how you find the rules a new service needs.
  • Disabled: No labels are maintained; going back to enforcing later requires a full relabel (touch /.autorelabel, then reboot).

Configuration:

The persistent state lives in /etc/selinux/config:

sudo nano /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

setenforce changes the running mode immediately but does not survive a reboot, and cannot turn SELinux on if it was disabled at boot:

sudo setenforce 1

Context Management (semanage comes from the policycoreutils-python-utils package):

ls -Z /var/www
sudo chcon -t httpd_sys_content_t /var/www/file  # immediate but temporary: lost on the next restorecon or relabel
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www(/.*)?"  # persistent rule stored in the policy
sudo restorecon -R /var/www  # apply the stored rules to the existing files

Boolean Values:

getsebool -a | grep httpd
sudo setsebool -P httpd_can_network_connect on

Auditing:

sudo ausearch -m avc -ts recent
sudo sealert -a /var/log/audit/audit.log  # from setroubleshoot-server; explains each denial and proposes a fix

Read the AVC record before changing anything: scontext is the process, tcontext the object, tclass the object type, and the braces hold the denied permission. When the access is legitimate, prefer fixing the label or flipping an existing boolean over writing a custom module; audit2allow -w explains a denial and says whether a boolean already covers it.

Best Practices: Use the targeted policy, run a new service in permissive mode first and read its denials, then switch to enforcing; never disable SELinux to make a single denial go away.

7.2 AppArmor Principles

AppArmor is a path-based MAC system (the default on Ubuntu, Debian and SUSE): a profile lists which paths a program may read, write, map or execute and which capabilities it may use. Each profile runs in complain mode (violations are logged but allowed) or enforce mode; start new profiles in complain mode with aa-complain, watch the apparmor="DENIED" entries in the kernel log or journal, let aa-logprof turn them into rules, and only then enforce.

Configuration:

sudo apt install apparmor apparmor-profiles  # Debian/Ubuntu
sudo aa-enforce /etc/apparmor.d/usr.sbin.mysqld
sudo aa-status

Custom Configuration Files:

sudo nano /etc/apparmor.d/myapp

Content:

#include <tunables/global>
/usr/bin/myapp {
    #include <abstractions/base>
    /usr/bin/myapp mr,        # the program must be allowed to map itself
    /var/myapp/** rw,         # its data tree; ** also matches subdirectories
}
sudo apparmor_parser -r /etc/apparmor.d/myapp  # load (or reload) the profile into the kernel

Best Practices: Enable profiles for every network-facing service, keep them in enforce mode, and treat a sudden switch to complain mode or an unloaded profile as a finding.

8. Case Studies

8.1 Case 1: Web Server Permission Configuration

Scenario: Nginx returns 403 for a file under /var/www. Diagnosis: the file is mode 600 and owned by a user other than the one the worker processes run as (nginx or www-data; check the user directive in nginx.conf). Solution:

sudo chown nginx:nginx /var/www/file
sudo chmod 644 /var/www/file

Result: Nginx reads the file. A tighter fix is to keep content owned by root (or a deploy user) and merely readable by the server (644, or 640 with group nginx), so that a compromised worker cannot rewrite the site; give the server write access only to the directories that need it, such as uploads and cache. Also confirm that every directory on the path has the x bit for the server user, the other common cause of this symptom.

8.2 Case 2: Database User Permission Issue

Scenario: A MySQL user gets "SELECT command denied". Diagnosis:

SHOW GRANTS FOR 'user'@'localhost';

Solution:

GRANT SELECT ON db.* TO 'user'@'localhost';
FLUSH PRIVILEGES;

Result: Query successful. GRANT reloads the in-memory grant tables by itself, so FLUSH PRIVILEGES is only required after editing the mysql.* tables directly; it is harmless here. Grant the narrowest object (a database or table, never *.*) and the narrowest host pattern, and keep application accounts separate from the ones used for schema changes.

8.3 Case 3: SELinux Denied Access

Scenario: Apache cannot write to a file under /var/www although the DAC permissions allow it. Diagnosis:

sudo ausearch -m avc -ts recent

The AVC record shows scontext httpd_t, tcontext httpd_sys_content_t and the denied permission { write }: httpd is only allowed to read files with that label. Solution:

sudo chcon -t httpd_sys_rw_content_t /var/www/file
sudo setsebool -P httpd_can_network_connect on

Result: Access normal. Two caveats: chcon is lost at the next relabel, so the permanent fix is a semanage fcontext rule followed by restorecon as shown in 7.1; and the boolean only belongs in the fix if the log also shows a name_connect denial on a tcp_socket (httpd_can_network_connect_db is the narrower choice for database ports). Do not turn on booleans that the denial does not call for.
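The auditing step in 7.1 and this case both start from raw AVC records, so here is one added example (not from the original article) that serves both: it turns the type=AVC lines that ausearch -m avc prints, or that sit in /var/log/audit/audit.log, into a per-(process, source type, permission, class, target type) summary, and then maps the common httpd_t cases to the remediation described above. The audit lines are constructed, the function names are hypothetical, and the suggestions are heuristics for the httpd_t domain, not a replacement for sealert or audit2allow -w.

```shell
#!/bin/sh
# Added example: summarise AVC denials and suggest the usual fix for httpd_t.
# The audit records below are constructed for the demonstration.

WORK=$(mktemp -d)
SAMPLE_AUDIT=$WORK/audit.log

cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.txt" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.txt" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.103:203): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.104:204): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="sda1" ino=11111 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF

# parse_avc FILE -> "count<TAB>comm<TAB>source type<TAB>perms<TAB>class<TAB>target type"
parse_avc() {
    awk '
        /avc: *denied/ {
            perm = ""
            if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            sc = tc = cls = comm = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") sc = kv[2]
                else if (kv[1] == "tcontext") tc = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
            }
            # only the type (third field of user:role:type:level) matters for the fix
            split(sc, s, ":"); split(tc, t, ":"); gsub(/"/, "", comm)
            count[comm "\t" s[3] "\t" perm "\t" cls "\t" t[3]]++
        }
        END { for (k in count) print count[k] "\t" k }' "$1" | sort
}

# suggest_fix (parse_avc output on stdin) -> one remediation line per denial
suggest_fix() {
    awk -F '\t' '{
        perm = $4; cls = $5; tgt = $6
        if (cls == "file" && perm ~ /write|append|create|unlink/ && tgt == "httpd_sys_content_t")
            fix = "label the path httpd_sys_rw_content_t (semanage fcontext -a, then restorecon -R)"
        else if (cls == "tcp_socket" && perm == "name_connect" && tgt == "mysqld_port_t")
            fix = "setsebool -P httpd_can_network_connect_db on"
        else if (cls == "tcp_socket" && perm == "name_connect")
            fix = "setsebool -P httpd_can_network_connect on"
        else if (cls == "file" && tgt == "user_home_t")
            fix = "content carries a home-directory label: move it under /var/www and restorecon, or use httpd_enable_homedirs with httpd_user_content_t"
        else
            fix = "no canned rule: run sealert -a /var/log/audit/audit.log or audit2allow -w"
        print $3 " -> " tgt " (" perm " " cls ", seen " $1 "x): " fix
    }'
}

parse_avc "$SAMPLE_AUDIT" | suggest_fix
```

The two identical write denials collapse into one line with a count of 2, the port denial gets the narrower database boolean rather than httpd_can_network_connect, and the read of a user_home_t file is reported as a labeling problem rather than something to allow. Feed the real file through parse_avc first; the grouped view usually shows that dozens of records are two or three distinct problems.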

9. Future Trends in Configuration Management

  • AI Assistance: Automatic detection of permission vulnerabilities.
  • Cloud IAM: AWS IAM roles.
  • Zero Trust: Dynamic access control.

10. Conclusion

Linux identity and access control is the cornerstone of security management. Through users, groups, permissions, ACLs, sudo, PAM, SELinux, and AppArmor, a robust defense system can be built.
