Introduction
This chapter covers system security and file permissions. System security
addresses controlling access to the system by use of passwords and
restricting/monitoring the use of the administrative user accounts. The file
permissions section addresses controlling the access to the data in files by
using both basic and extended access controls.
System Security
Unix system security is based on controlling access to files (programs and
data). Access is controlled by defining user and group accounts and granting
these accounts different levels of file access. The user accounts are protected
by passwords.
Administrative accounts are given access to system data and tools that allow
them to perform system maintenance. These include accounts such as root,
sys, bin, and adm.
Several account administration files are used to store the information
associated with user and group accounts, such as account name and password.
The Superuser (Root) Account
The root, or superuser, account is a special administrative account that
provides the ultimate in terms of access to data and services, as it can
override any file permissions on the system. To enforce good system security,
access to the superuser account must be restricted and monitored as closely
as possible. Solaris 9 provides several capabilities that support this
activity, such as restricting where root can log in and recording root usage.
Restricting and Monitoring the Superuser Account
Logging into the system as root can be restricted to the console. That is,
root cannot log in remotely; root logins are allowed only from the system
console. This restriction can be enforced by the following entry in the
/etc/default/login file:
CONSOLE=/dev/console
By default, the root account is restricted. To disable this feature, edit the
/etc/default/login file and put the shell comment character (#) at the
beginning of the entry.
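An added example, not part of the original text: a shell function that audits whether the CONSOLE entry described above is active or commented out. The function name check_console_restriction and the sample file contents are assumptions for illustration; it also assumes an active entry begins with CONSOLE= at the start of a line.

```shell
#!/bin/sh
# Added example: report the state of the CONSOLE entry in a login defaults file.
# check_console_restriction is a hypothetical helper, not a Solaris utility.
# Prints one of:
#   restricted:<device>  an active CONSOLE=<device> entry is present
#   unrestricted         the entry is commented out or absent
#   empty-value          CONSOLE= is active but has no device (review manually)
#   ambiguous            more than one active CONSOLE= entry (review manually)
#   unreadable           the file cannot be read

check_console_restriction() {
    file=$1
    [ -r "$file" ] || { echo "unreadable"; return 0; }

    # Assumption: an active entry starts at column 0. A leading '#' makes the
    # line a comment, so it does not match here.
    count=$(grep -c '^CONSOLE=' "$file" || true)
    case $count in
        0) echo "unrestricted"; return 0 ;;
        1) ;;
        *) echo "ambiguous"; return 0 ;;
    esac

    # Extract the device, dropping carriage returns and trailing whitespace.
    value=$(sed -n 's/^CONSOLE=//p' "$file" | tr -d '\r' | sed 's/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo "empty-value"
    else
        echo "restricted:$value"
    fi
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' '# root login device' 'CONSOLE=/dev/console' > "$demo_dir/enabled"
printf '%s\n' '# root login device' '#CONSOLE=/dev/console' > "$demo_dir/disabled"

check_console_restriction "$demo_dir/enabled"    # restricted:/dev/console
check_console_restriction "$demo_dir/disabled"   # unrestricted
rm -rf "$demo_dir"
```

On a live system, pass /etc/default/login as the argument; any result other than restricted:/dev/console means the file differs from the restricted default described above.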