3.6. Security and Users

SUSE LINUX Documentation Chapter 3. System Configuration with YaST / 3.6. Security and Users
	3.5. Network Services		3.7. System

A basic aspect of Linux is its multiuser capability. Consequently, several users can work independently on the same Linux system. Each user has a user account identified by a login name and a personal password for logging in to the system. All users have their own home directories where personal files and configurations are stored.

3.6.1. User Management

Create and edit users with ‘User Management’. It provides an overview of users in the system, including NIS and LDAP users if requested. If you are part of an extensive network, click ‘Set Filter’ to list all users categorically (for example, root or NIS users). You can also customize filter settings by clicking ‘Customize Filter’.

To add new users, click ‘Add’ and enter the appropriate data. Complete the addition by clicking ‘Accept’. The new user can immediately log in using the newly created login name and password.

Disable user login with the corresponding option. Fine-tune user profiles in ‘Details’. Here, manually set the user ID, home directory, default login shell, and assign the new user to specific groups. Configure the validity of the password in ‘Password Settings’. Click ‘Accept’ to save all changes.

To delete a user, select the user from the list and click ‘Delete’. Then mark whether to delete the home directory and click ‘Yes’ to confirm.

For advanced user administration, use ‘Expert Options’ to define the default settings for the creation of new users. Select the user authentication method (such as NIS, LDAP, Kerberos, or Samba), login settings (only with KDM or GDM), and the algorithm for password encryption. ‘Default for New Users’ and ‘Password Encryption’ apply only to local users. ‘Authentication and User Sources’ provides a configuration overview and the option to configure the client. Advanced client configuration is also possible using this module. After accepting the configuration, return to the initial configuration overview. Click ‘Write Changes Now’ if you want to save all changes without exiting the configuration module.

Figure 3.6. User Management

3.6.2. Group Management

To create and edit groups, select ‘Group Management’ or click ‘Groups’ in the user administration module. Both dialogs have the same functionality, allowing you to create, edit, or delete groups.

The module gives an overview of all groups. As in the user management dialog, change filter settings by clicking ‘Set Filter’.

To add a group, click ‘Add’ and fill in the appropriate data. Select group members from the list by checking the corresponding box. Clicking ‘Accept’ to create the group. To edit a group, select the group to edit from the list and click ‘Edit’. Make all necessary changes then save them with ‘Accept’. To delete a group, simply select it from the list and click ‘Delete’.

Click ‘Expert Options’ for advanced group management. Find more about these options in Section 3.6.1, “User Management”.

3.6.3. Local Security

To apply a set of security settings to your entire system, use ‘Local Security’. These settings include security for booting, login, passwords, user creating, and file permissions. SUSE Linux offers three preconfigured security sets: ‘Home Workstation’, ‘Networked Workstation’, and ‘Networked Server’. Modify the defaults with ‘Details’. To create your own scheme, use ‘Custom Settings’.

The detailed or custom settings include:

‘Password Settings’

To have new passwords checked by the system for security before they are accepted, click ‘Check New Passwords’ and ‘Test for Complicated Passwords’. Set the minimum password length for newly created users. Define the period for which the password should be valid and how many days in advance an expiration alert should be issued when the user logs in to the text console.

‘Boot Settings’

Set how the key combination Ctrl-Alt-Del should be interpreted by selecting the desired action. Normally, this combination, when entered in the text console, causes the system to reboot. Do not modify this setting unless your machine or server is publicly accessible and you are afraid someone could carry out this action without authorization. If you select ‘Stop’, this key combination causes the system to shut down. With ‘Ignore’, this key combination is ignored.

If you use the KDE login manager (KDM), set permissions for shutting down the system in ‘Shutdown Behavior of KDM’. Give permission to ‘Only root’ (the system administrator), ‘All Users’, ‘Nobody’, or ‘Local Users’. If ‘Nobody’ is selected, the system can only be shut down from the text console.

‘Login Settings’

Typically, following a failed login attempt, there is a waiting period lasting a few seconds before another login is possible. This makes it more difficult for password sniffers to log in. Optionally activate ‘Record Successful Login Attempts’ and ‘Allow Remote Graphical Login’. If you suspect someone is trying to discover your password, check the entries in the system log files in /var/log. To grant other users access to your graphical login screen over the network, enable ‘Allow Remote Graphical Login’. Because this access possibility represents a potential security risk, it is inactive by default.

‘User Addition’

Every user has a numerical and an alphabetical user ID. The correlation between these is established using the file /etc/passwd and should be as unique as possible. Using the data in this screen, define the range of numbers assigned to the numerical part of the user ID when a new user is added. A minimum of 500 is suitable for users. Automatically generated system users start with 1000. Proceed in the same way with the group ID settings.

‘Miscellaneous Settings’

To use predefined file permission settings, select ‘Easy’, ‘Secure’, or ‘Paranoid’. ‘Easy’ should be sufficient for most users. The setting ‘Paranoid’ is extremely restrictive and can serve as the basic level of operation for custom settings. If you select ‘Paranoid’, remember that some programs might not work correctly or even at all, because users no longer have permission to access certain files.

Also set which user should launch the updatedb program, if installed. This program, which automatically runs on a daily basis or after booting, generates a database (locatedb) in which the location of each file on your computer is stored. If you select ‘Nobody’, any user can find only the paths in the database that can be seen by any other (unprivileged) user. If root is selected, all local files are indexed, because the user root, as superuser, may access all directories. Make sure that the options ‘Current Directory in root's Path’ and ‘Current Directory in Path of Regular Users’ are deactivated. Only advanced users should consider using these options because these settings may pose a significant security risk if used incorrectly. To have some control over the system even if it crashes, click ‘Enable Magic SysRq Keys’.

Click ‘Finish’ to complete your security configuration.

3.6.4. Firewall

SuSEfirewall2 can protect your machine against attacks from the Internet. Configure it with ‘Firewall’. Find detailed information about SuSEfirewall2 in Section 23.1, “Masquerading and Firewalls” (↑Reference).

	Automatic Activation of the Firewall
YaST automatically starts a firewall with suitable settings on every configured network interface. Start this module only if you want to reconfigure the firewall with custom settings or deactivate it.