Chapter 5. Authorization Controls

Authorization means deciding what a user may or may not do on a computer: for example, reading particular files, running particular programs, or connecting to particular network ports. Typically, permission is granted based on a credential such as a password or cryptographic key.

The superuser root, with uid 0, has full control over every file, directory, port, and dust particle on the computer. Therefore, your big, security-related authorization questions are:

  • Who has root privileges on my computer?

  • How are these privileges bestowed?

Most commonly, anyone knowing your root password has superuser powers, which are granted with the su command:

$ su
Password: *******
#

This technique is probably fine for a single person with one computer. But if you’re a superuser on multiple machines, or if you have several superusers, things get more complicated. What if you want to give temporary or limited root privileges to a user? What if one of your superusers goes berserk: can you revoke his root privileges without impacting other superusers? If these tasks seem inconvenient or difficult, your system might benefit from additional infrastructure for authorization.
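One way to start answering the first question above (who has root privileges?) is to list every account with uid 0, plus the members of any group your site uses to grant administrative access. This is an added example, not code from the book; the function names and the wheel and sudo group names are assumptions, and whether those groups confer any privilege depends on local configuration.

```shell
#!/bin/sh
# Added example (not from the book): enumerate who can act as superuser.
# Works on passwd(5) and group(5) format files, so it can run on copies.

# Names of all accounts whose uid is 0; each one is a full superuser,
# whatever the account happens to be called.
uid0_accounts() {
    awk -F: '!/^#/ && NF >= 3 && $3 ~ /^0+$/ { print $1 }' "$1"
}

# Members of group $3: supplementary members listed in the group file ($2)
# plus accounts in the passwd file ($1) whose primary gid is that group.
group_members() {
    awk -F: -v grp="$3" '
        pass == 1 && $1 == grp {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
        }
        pass == 2 && gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' pass=1 "$2" pass=2 "$1" | sort
}

# Print a short report. Defaults to the live system files.
audit_root() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    echo "uid 0 accounts:"
    uid0_accounts "$passwd_file" | sed 's/^/  /'
    # Assumption: wheel and sudo are the conventional admin group names;
    # substitute whatever groups your su or sudo setup actually consults.
    for g in wheel sudo; do
        echo "members of $g:"
        group_members "$passwd_file" "$group_file" "$g" | sed 's/^/  /'
    done
}
```

Call `audit_root` with no arguments to read /etc/passwd and /etc/group; any uid 0 name other than root deserves an explanation.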

Here are some common infrastructures and our opinions of them:

Sharing the root password

This is conceptually the simplest, but giving every superuser full access to everything is risky. Also, to revoke a rogue superuser’s access you must change the root password, which affects all other superusers. ...
