2.9. Security and Users

2.9. Security and Users
	Chapter 2. System Configuration with YaST

A basic aspect of Linux is its multiuser capability. Consequently, several users can work independently on the same Linux system. Each user has a user account identified by a login name and a personal password for logging in to the system. All users have their own home directories where personal files and configurations are stored.

2.9.1. User Management

Create and edit users with Security and Users+User Management. It provides an overview of users in the system, including NIS, LDAP, Samba, and Kerberos users if requested. If you are part of an extensive network, click Set Filter to list all users categorically (for example, root or NIS users). You can also customize filter settings by clicking Customize Filter.

To add new users, click Add and enter the appropriate data. Complete the addition by clicking Accept. The new user can immediately log in using the newly created login name and password.

	Autologin
If you are the only user of your system, you can configure autologin. Autologin automatically logs a user into the system after it starts. To activate autologin, select the user from the list of users and click Login Settings. Then choose Autologin and click OK.

Disable user login with the corresponding option. Fine-tune user profiles in Details. Here, manually set the user ID, home directory, default login shell, and assign the new user to specific groups. Configure the validity of the password in Password Settings. Click Accept to save all changes.

To delete a user, select the user from the list and click Delete. Then mark whether to delete the home directory and click Yes to confirm.

For advanced user administration, use Expert Options to define the default settings for the creation of new users. Select the user authentication method (such as NIS, LDAP, Kerberos, or Samba), login settings (only with KDM or GDM), and the algorithm for password encryption. Default for New Users and Password Encryption apply only to local users. Authentication and User Sources provides a configuration overview and the option to configure the client. Advanced client configuration is also possible using this module. After accepting the configuration, return to the initial configuration overview. Click Write Changes Now to save all changes without exiting the configuration module.

2.9.2. Group Management

To create and edit groups, select Security and Users+Group Management or click Groups in the user administration module. Both dialogs have the same functionality, allowing you to create, edit, or delete groups.

The module gives an overview of all groups. As in the user management dialog, change filter settings by clicking Set Filter.

To add a group, click Add and fill in the appropriate data. Select group members from the list by checking the corresponding box. Click Accept to create the group. To edit a group, select the group to edit from the list and click Edit. Make all necessary changes then save them with Accept. To delete a group, simply select it from the list and click Delete.

Click Expert Options for advanced group management. Find more about these options in Section 2.9.1, “User Management”.

2.9.3. Local Security

To apply a set of security settings to your entire system, use Security and Users+Local Security. These settings include security for booting, login, passwords, user creation, and file permissions. SUSE Linux offers three preconfigured security sets: Home Workstation, Networked Workstation, and Networked Server. Modify the defaults with Details. To create your own scheme, use Custom Settings.

The detailed or custom settings include:

Password Settings

To have new passwords checked by the system for security before they are accepted, click Check New Passwords and Test for Complicated Passwords. Set the minimum password length for newly created users. Define the period for which the password should be valid and how many days in advance an expiration alert should be issued when the user logs in to the text console.

Boot Settings

Set how the key combination Ctrl-Alt-Del should be interpreted by selecting the desired action. Normally, this combination, when entered in the text console, causes the system to reboot. Do not modify this setting unless your machine or server is publicly accessible and you are afraid someone could carry out this action without authorization. If you select Stop, this key combination causes the system to shut down. With Ignore, this key combination is ignored.

If you use the KDE login manager (KDM), set permissions for shutting down the system in Shutdown Behavior of KDM. Give permission to Only root (the system administrator), All Users, Nobody, or Local Users. If Nobody is selected, the system can only be shut down from the text console.

Login Settings

Typically, following a failed login attempt, there is a waiting period lasting a few seconds before another login is possible. This makes it more difficult for password sniffers to log in. Optionally activate Record Successful Login Attempts and Allow Remote Graphical Login. If you suspect someone is trying to discover your password, check the entries in the system log files in /var/log. To grant other users access to your graphical login screen over the network, enable Allow Remote Graphical Login. Because this access possibility represents a potential security risk, it is inactive by default.

User Addition

Every user has a numerical and an alphabetical user ID. The correlation between these is established using the file /etc/passwd and should be as unique as possible. Using the data in this screen, define the range of numbers assigned to the numerical part of the user ID when a new user is added. A minimum of 500 is suitable for users. Automatically generated system users start with 1000. Proceed in the same way with the group ID settings.

Miscellaneous Settings

To use predefined file permission settings, select Easy, Secure, or Paranoid. Easy should be sufficient for most users. The setting Paranoid is extremely restrictive and can serve as the basic level of operation for custom settings. If you select Paranoid, remember that some programs might not work correctly or even at all, because users no longer have permission to access certain files.

Also set which user should launch the updatedb program, if installed. This program, which automatically runs on a daily basis or after booting, generates a database (locatedb) in which the location of each file on your computer is stored. If you select Nobody, any user can find only the paths in the database that can be seen by any other (unprivileged) user. If root is selected, all local files are indexed, because the user root, as superuser, may access all directories. Make sure that the options Current Directory in root's Path and Current Directory in Path of Regular Users are deactivated. Only advanced users should consider using these options because these settings may pose a significant security risk if used incorrectly. To have some control over the system even if it crashes, click Enable Magic SysRq Keys.

Click Finish to complete your security configuration.

2.9.4. Firewall

SuSEfirewall2 can protect your machine against attacks from the Internet. Configure it with Security and Users+Firewall.

	Automatic Activation of the Firewall
YaST automatically starts a firewall with suitable settings on every configured network interface. Start this module only if you want to reconfigure the firewall with custom settings or deactivate it.


2.8. AppArmor		2.10. Miscellaneous