Understanding Linux Security

Understanding Linux Security : /etc/passwd & /etc/shadow file

Security cycle

No system is complete without some form of security. There must be a mechanism available to protect files from unauthorized viewing or modification. The Linux system follows the Unix method of file permissions, allowing individual users and groups access to files based on a set of security settings for each file and directory.

Linux Security


The core of the Linux security system is the user account. Each individual who accesses a Linux system should have a unique user account assigned. The permissions users have to objects on the system depend on the user account they log in with. User permissions are tracked using a user ID (often called a UID), which is assigned to an account when it’s created. The UID is a numerical value, unique for each user. However, you don’t log in to a Linux system using your UID. Instead, you use a login name. The login name is an alphanumeric text string of eight characters or fewer that the user uses to log in to the system (along with an associated password).

The Linux system uses special files and utilities to track and manage user accounts on the system.

The /etc/passwd File

The Linux system uses a special file to match the login name to a corresponding UID value. This file is the /etc/passwd file. The /etc/passwd file contains several pieces of information about the user. Here’s what a typical /etc/passwd file looks like on a Linux system:

 # cat /etc/passwd


The root user account is the administrator for the Linux system and is always assigned UID 0. As you can see, the Linux system creates lots of user accounts for various functions that aren’t actual users.

These are called system accounts. A system account is a special account that services running on the system use to gain access to resources on the system. All services that run in background mode need to be logged in to the Linux system under a system user account.

Before security became a big issue, these services often just logged in using the root user account. Unfortunately, if an unauthorized person broke into one of these services, he instantly gained access to the system as the root user. To prevent this, now just about every service that runs in background on a Linux server has its own user account to log in with. This way, if a troublemaker does compromise a service, he still can’t necessarily get access to the whole system.

Linux reserves UIDs below 500 for system accounts. Some services even require specific UIDs to work properly. When you create accounts for normal users, most Linux systems assign the first available UID starting at 500 (although this is not necessarily true for all Linux distributions). You’ve probably noticed that the /etc/passwd file contains lots more than just the login name and UID for the user.

The fields of the /etc/passwd file contain the following information:

  • The login username
  • The password for the user
  • The numerical UID of the user account
  • The numerical group ID (GID) of the user account
  • A text description of the user account (called the comment field)
  • The location of the HOME directory for the user
  • The default shell for the user
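The following is an added example (not part of the original text) that splits /etc/passwd-style records into the seven fields listed above and reports the anomalies an administrator would want to see: a second UID 0 account, an empty password field, a password hash kept in /etc/passwd instead of /etc/shadow, and a system account (UID below the 500 boundary the text describes) that has an interactive shell. The records in SAMPLE_PASSWD are constructed for illustration; to audit a real host, pass `open("/etc/passwd").read().splitlines()` instead.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample records (not a real /etc/passwd). The last two lines
# are the kind of anomaly an audit is meant to surface.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mark:x:500:500:Mark Example:/home/mark:/bin/bash
backdoor:x:0:0:second UID 0 account:/home/backdoor:/bin/bash
guest::501:501:no password set:/home/guest:/bin/bash
"""

# Upper bound of the system-account UID range as described in the text
# (assumption: many current distributions reserve 0..999 instead).
SYSTEM_UID_MAX = 500

INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "ksh", "csh", "tcsh", "dash"}


@dataclass
class PasswdEntry:
    login: str
    password: str  # 'x' means the hash is kept in /etc/shadow
    uid: int
    gid: int
    comment: str   # the "comment" (GECOS) field
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one colon-separated record into the seven fields listed above."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    login, password, uid, gid, comment, home, shell = fields
    return PasswdEntry(login, password, int(uid), int(gid), comment, home, shell)


def entries(lines: List[str]) -> Iterator[PasswdEntry]:
    """Yield parsed entries, skipping blank lines."""
    for line in lines:
        if line.strip():
            yield parse_passwd_line(line)


def is_interactive_shell(shell: str) -> bool:
    return shell.rsplit("/", 1)[-1] in INTERACTIVE_SHELLS


def split_by_uid(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (system account logins, regular user logins) by UID range."""
    system = [e.login for e in entries(lines) if e.uid < SYSTEM_UID_MAX]
    regular = [e.login for e in entries(lines) if e.uid >= SYSTEM_UID_MAX]
    return system, regular


def audit_passwd(lines: List[str]) -> List[str]:
    """Return one finding string per record that deserves a second look."""
    findings: List[str] = []
    for e in entries(lines):
        if e.uid == 0 and e.login != "root":
            findings.append(f"{e.login}: UID 0 (root privileges) under a non-root login name")
        if e.password == "":
            findings.append(f"{e.login}: empty password field, no password needed to log in")
        elif e.password not in ("x", "*") and not e.password.startswith("!"):
            findings.append(f"{e.login}: password hash stored in world-readable /etc/passwd")
        if 0 < e.uid < SYSTEM_UID_MAX and is_interactive_shell(e.shell):
            findings.append(f"{e.login}: system account with interactive shell {e.shell}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD.splitlines()):
        print("FINDING:", finding)
```

The checks are deliberately conservative: `*` and a leading `!` in the password field are the usual markers of a locked account and are not reported, and root itself is exempt from the interactive-shell check.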


sudo command – Linux



The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.

The basic format of the sudo command is as follows:

 sudo <command>

In the above example, <command> would be replaced by a command normally reserved for the root user, such as mount.

The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command, and the command is executed in the user’s shell, not a root shell. This means the root shell can be completely disabled in Red Hat Enterprise Linux, CentOS, Fedora and Ubuntu.

Each successful authentication using sudo is logged to the file /var/log/messages, and the command issued along with the issuer’s username is logged to the file /var/log/secure. Should you require additional logging, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:

 session required pam_tty_audit.so disable=<pattern> enable=<pattern>


where <pattern> represents a comma-separated list of users, optionally using globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users:

 session required pam_tty_audit.so disable=* enable=root


Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs. Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command.

To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:

mark ALL=(ALL) ALL

The above example states that the user mark can use sudo from any host and execute any command. The example below illustrates the granularity possible when configuring sudo:

 %users localhost=/sbin/shutdown -h now

This example states that any user can issue the command /sbin/shutdown -h now as long as it is issued from the console.
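As an added example (not part of the original text), the small parser below reads user privilege specifications in the form shown above, `who host=(runas) command`, and lists which users or groups have been granted every command (`ALL`). SAMPLE_SUDOERS is a constructed file for illustration, not a real /etc/sudoers; the regular expression and the `Grant` class are this example’s own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the user privilege specification format
# (not a real /etc/sudoers).
SAMPLE_SUDOERS = """\
# constructed example
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
mark    ALL=(ALL)       ALL
%users  localhost=/sbin/shutdown -h now
Defaults    timestamp_timeout=5
"""

# user_or_%group  host=(runas) command
# The (runas) part is optional; when omitted sudo runs the command as root.
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmd>.+)$"
)


@dataclass
class Grant:
    who: str         # user name, or group name without the leading %
    is_group: bool
    host: str
    runas: str
    command: str

    @property
    def unrestricted(self) -> bool:
        """True when the specification allows every command."""
        return self.command == "ALL"

    @property
    def label(self) -> str:
        return ("%" if self.is_group else "") + self.who


def parse_sudoers(lines: List[str]) -> List[Grant]:
    """Parse user privilege specifications; Defaults, aliases and includes are skipped."""
    grants: List[Grant] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue  # alias definitions etc. are outside this minimal parser
        who = m.group("who")
        grants.append(Grant(
            who=who.lstrip("%"),
            is_group=who.startswith("%"),
            host=m.group("host"),
            runas=m.group("runas") or "root",
            command=m.group("cmd").strip(),
        ))
    return grants


def unrestricted_grants(lines: List[str]) -> List[str]:
    """Names of users (%groups) that may run any command via sudo."""
    return [g.label for g in parse_sudoers(lines) if g.unrestricted]


if __name__ == "__main__":
    for g in parse_sudoers(SAMPLE_SUDOERS.splitlines()):
        scope = "group" if g.is_group else "user"
        print(f"{scope} {g.who}: from {g.host} as {g.runas} -> {g.command}"
              + ("  [UNRESTRICTED]" if g.unrestricted else ""))
```

This only reports what the file grants; it is not a syntax checker. For a real file, `visudo -c` validates the syntax, and alias definitions, `Defaults` lines and included files are not interpreted by this example.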


Important Points:

There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the wheel group unlimited root access.

By default, sudo stores the sudoer’s password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:

 Defaults    timestamp_timeout=<value>

where <value> is the desired timeout length in minutes. Setting the <value> to 0 causes sudo to require a password every time. If a sudoer’s account is compromised, an attacker can use sudo to open a new shell with administrative privileges:

 sudo /bin/bash

Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed.
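Because the command issued and the issuer’s username are logged to /var/log/secure, the shell-opening case above can be detected after the fact. The following added example (not from the original text) parses lines in sudo’s syslog record format, `user : TTY=… ; PWD=… ; USER=… ; COMMAND=…`, and reports successful invocations whose command is an interactive shell, keeping failed attempts separate. SAMPLE_LOG is constructed for illustration; the host name, users and timestamps are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed log lines in sudo's syslog record format (not from a real host).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sudo:     mark : TTY=pts/0 ; PWD=/home/mark ; USER=root ; COMMAND=/sbin/shutdown -h now
Mar  3 10:16:12 web01 sudo:     mark : TTY=pts/0 ; PWD=/home/mark ; USER=root ; COMMAND=/bin/bash
Mar  3 10:17:40 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:18:03 web01 sshd[2231]: Accepted publickey for mark from 10.0.0.5 port 51234 ssh2
"""

# Programs that give the caller an interactive session as the target user.
SHELL_PROGRAMS = {"bash", "sh", "zsh", "ksh", "dash", "su"}

HEADER_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")


@dataclass
class SudoEvent:
    user: str                # the account that invoked sudo
    status: Optional[str]    # None on success, else sudo's free-text reason
    tty: str
    runas: str               # USER= field: who the command ran as
    command: str


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo record, or None for any other log line."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {}
    status = None
    # The record is a " ; "-separated list; key=value parts are fields and
    # anything else (e.g. "3 incorrect password attempts") is a status message.
    for part in m.group("rest").split(" ; "):
        key, sep, value = part.partition("=")
        if sep and key in ("TTY", "PWD", "USER", "COMMAND"):
            fields[key] = value
        else:
            status = part
    if "COMMAND" not in fields:
        return None
    return SudoEvent(m.group("user"), status, fields.get("TTY", "?"),
                     fields.get("USER", "root"), fields["COMMAND"])


def opens_shell(event: SudoEvent) -> bool:
    parts = event.command.split()
    if not parts:
        return False
    return parts[0].rsplit("/", 1)[-1] in SHELL_PROGRAMS


def find_shell_sessions(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(user, runas, command) for successful sudo calls that started a shell."""
    hits = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev and ev.status is None and opens_shell(ev):
            hits.append((ev.user, ev.runas, ev.command))
    return hits


def failed_attempts(lines: List[str]) -> List[Tuple[str, str]]:
    """(user, reason) for sudo records that carry a failure message."""
    return [(ev.user, ev.status)
            for ev in map(parse_sudo_line, lines) if ev and ev.status]


if __name__ == "__main__":
    for user, runas, cmd in find_shell_sessions(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {user} opened a shell as {runas}: {cmd}")
    for user, reason in failed_attempts(SAMPLE_LOG.splitlines()):
        print(f"failed: {user}: {reason}")
```

A hit from this detector marks the start of a session in which no further sudo records will appear, so the TTY auditing described earlier (pam_tty_audit) is the complementary control for seeing what happened inside that shell.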

Data Manipulation Language (DML)



Data Manipulation Language (DML) statements are used for managing data within tables. Some commands of DML are:

  • SELECT – retrieve data from a database
  • INSERT – insert data into a table
  • UPDATE – update existing data within a table
  • DELETE – delete all records from a table; the space allocated for the records remains
  • MERGE – UPSERT operation (insert or update)
  • CALL – call a PL/SQL or Java subprogram
  • LOCK TABLE – control concurrency


SELECT: The SELECT statement is used to form queries for extracting information out of the database.

SELECT <attribute 1>, …, <attribute n> FROM <table name>;




INSERT: The insert statement is used to add a new row to a table.

INSERT INTO <table name> VALUES (<value 1>, … <value n>);



The inserted values must match the table structure exactly in the number of attributes and the data type of each attribute. Character type values are always enclosed in single quotes; number values are never in quotes; date values are often (but not always) in the format ‘yyyy-mm-dd’ (for example, ‘2006-11-30’).


UPDATE: The update statement is used to change values that are already in a table.

UPDATE <table name> SET <attribute> = <expression> WHERE <condition>;



The update expression can be a constant, any computed value, or even the result of a SELECT statement that returns a single row and a single column.


DELETE: The delete statement deletes row(s) from a table.

DELETE FROM <table name> WHERE <condition>;



If the WHERE clause is omitted, every row of the table is deleted; otherwise only the rows matching the specified condition are deleted.

Apart from these statements, some statements are also used to control the transactions made by DML statements. The commands used for this purpose are called Transaction Control (TCL) statements. They allow statements to be grouped together into logical transactions. Some commands of TCL are:
  • COMMIT – save the work done.
  • SAVEPOINT – identify a point in a transaction to which you can later roll back.
  • ROLLBACK – restore the database to its state as of the last COMMIT.
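To tie the DML statements and the TCL commands above together, here is an added example (not from the original text) that runs them against an in-memory SQLite database through Python’s built-in sqlite3 module. The employees table and its rows are constructed for illustration. It shows INSERT with bound parameters (so the quoting rules for strings, numbers and dates are applied by the driver rather than by string concatenation), an UPDATE whose expression is a single-row, single-column SELECT, DELETE with and without a WHERE clause, and a SAVEPOINT that lets part of a transaction be rolled back while the rest is committed. SQLite’s dialect has no MERGE, CALL or LOCK TABLE, so those are not shown.

```python
import sqlite3
from typing import List, Optional, Tuple


def open_db() -> sqlite3.Connection:
    """Create a constructed employees table and load sample rows with INSERT."""
    conn = sqlite3.connect(":memory:")
    # Autocommit: each statement is its own transaction unless wrapped in BEGIN ... COMMIT.
    conn.isolation_level = None
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "dept TEXT, salary INTEGER, hired TEXT)"
    )
    sample = [  # constructed data
        (1, "Mark", "ops", 5000, "2006-11-30"),
        (2, "Alice", "dev", 6000, "2007-01-15"),
        (3, "Bob", "dev", 5500, "2008-03-02"),
    ]
    # INSERT INTO <table> VALUES (...) with '?' placeholders: the driver quotes the
    # character and date values and leaves the numbers unquoted, and a value taken
    # from user input can never be interpreted as part of the statement.
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", sample)
    return conn


def names_in_dept(conn: sqlite3.Connection, dept: str) -> List[str]:
    """SELECT <attribute> FROM <table> WHERE <condition>."""
    rows = conn.execute(
        "SELECT name FROM employees WHERE dept = ? ORDER BY id", (dept,)
    )
    return [name for (name,) in rows]


def raise_dept_to_max(conn: sqlite3.Connection, dept: str) -> List[int]:
    """UPDATE whose SET expression is the result of a single-row, single-column SELECT."""
    conn.execute(
        "UPDATE employees SET salary = (SELECT MAX(salary) FROM employees) "
        "WHERE dept = ?",
        (dept,),
    )
    rows = conn.execute(
        "SELECT salary FROM employees WHERE dept = ? ORDER BY id", (dept,)
    )
    return [salary for (salary,) in rows]


def delete_rows(conn: sqlite3.Connection, employee_id: Optional[int] = None) -> int:
    """DELETE with a WHERE clause removes the matching rows; without one it
    empties the whole table. Returns the number of rows left afterwards."""
    if employee_id is None:
        conn.execute("DELETE FROM employees")
    else:
        conn.execute("DELETE FROM employees WHERE id = ?", (employee_id,))
    return conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]


def savepoint_demo(conn: sqlite3.Connection) -> Tuple[int, int]:
    """COMMIT / SAVEPOINT / ROLLBACK: undo one step of a transaction, keep the rest.
    Returns (row count, highest salary) after the transaction."""
    conn.execute("BEGIN")
    conn.execute("INSERT INTO employees VALUES (4, 'Carol', 'ops', 5200, '2009-06-01')")
    conn.execute("SAVEPOINT before_raise")
    conn.execute("UPDATE employees SET salary = salary * 2")  # no WHERE: touches every row
    conn.execute("ROLLBACK TO SAVEPOINT before_raise")        # discards only the UPDATE
    conn.execute("COMMIT")                                     # the INSERT is kept
    return conn.execute("SELECT COUNT(*), MAX(salary) FROM employees").fetchone()


if __name__ == "__main__":
    db = open_db()
    print("dev:", names_in_dept(db, "dev"))
    print("ops after raise:", raise_dept_to_max(db, "ops"))
    print("after savepoint demo (rows, max salary):", savepoint_demo(db))
    print("rows left after deleting id 2:", delete_rows(db, 2))
    print("rows left after DELETE without WHERE:", delete_rows(db))
```

The `ROLLBACK TO SAVEPOINT` line is the point of the last function: the doubled salaries disappear, but Carol’s row, inserted before the savepoint, survives the COMMIT.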


