Protecting the Root Account


The root account is the most sensitive account on a Linux or Unix system because it is all-powerful: root can create, read, modify, and delete any file on the system and can enable or disable any resource or service. Because the account is so powerful, its default protection, a single password, should be considered inadequate in most cases.

Fortunately, a relatively simple change to the security surrounding the root account can greatly increase the overall security of your Linux system. The change in question is the use of the wheel group to protect the su command. The wheel group is a special group whose members, by convention, are the only users permitted to run su on many traditional Unix systems; on a stock Linux installation, every user can run su until you make the change described here.

Enabling the wheel Group

You already learned that the su command can be called from the command line by a normal user to take on the root identity for system administration tasks. This capability is convenient, but it is also dangerous: any local user, or an attacker who has taken over an ordinary account, can call su repeatedly and try to guess the root password, gaining unrestricted access to the entire system if a guess succeeds. Restricting who can run su at all removes that avenue.

SUID and SGID Illustrated

The su command provides an excellent illustration of the power and danger of SUID and SGID permissions.

The su command works because, by default, it is owned by the root user and has the SUID (set-user-ID) bit set. When any user runs it, the kernel starts the process with the effective user ID of the file's owner, root, thereby giving the program access to protected resources such as those needed to change identities. The lowercase s in the owner's execute position of a long listing marks the SUID bit:

 [root@workstation20 you]# ls -l /bin/su
 -rwsr-xr-x  1 root   root    19092 Jul 31 07:34 /bin/su
 [root@workstation20 you]#


By convention and tradition, secured Unix systems use a special group called wheel to identify an elite group of system administrators who have access to the su command. All other users are prevented from calling it. To give the wheel group teeth, you must do two things:

  1. Add at least one user who should have administration privileges to the wheel group, because membership in wheel is what will allow a user to call su.

  2. Change the group ownership and permissions of the su program to restrict access to members of the wheel group.

Adding Users to wheel

To add a user to the wheel group at the command line, use the gpasswd command with the -a option, passing the name of the user to add and the group to add the user to (in this case, wheel) as arguments:

 [root@workstation20 you]# gpasswd -a you wheel
 [root@workstation20 you]#


You can also use the Fedora Core 4 User Manager tool discussed in "Managing Accounts" in Chapter 29, "Desktop System Administration," to add users to the wheel group if you are uncomfortable with command-line tools.


If you want to give other users administration privileges, add them to the wheel group now as well. Only members of the wheel group will be able to call su when you are done with the following sections.

Changing Ownership and Permissions of su

After you add members to the wheel group as desired, change the group ownership of the su command from root:root (user root, group root) to root:wheel (user root, group wheel) using the chown command. (The older root.wheel spelling still works with GNU chown, but the colon form is the documented one.) Once the file belongs to the wheel group, you can restrict execute permission to members of that group and remove public execute permission entirely:

 [root@workstation20 you]# chown root:wheel /bin/su
 [root@workstation20 you]#

Now that you have added administrators to the wheel group as desired and changed the ownership of su to root.wheel, assign the following permissions to su:

  • Owner (root) read, write, and SUID execute

  • Group (wheel) read and execute

  • No permissions for nonowner, nongroup members

Using the numeric mode of the chmod command, you can assign these permissions with the code 4750: the leading 4 sets the SUID bit, 7 gives the owner read, write, and execute, 5 gives the group read and execute, and 0 gives everyone else nothing. Pass the code to chmod, followed by the file whose permissions you want to change, /bin/su:

 [root@workstation20 you]# chmod 4750 /bin/su
 [root@workstation20 you]# ls -l /bin/su
 -rwsr-x---  1 root   wheel    19092 Jul 31 07:34 /bin/su
 [root@workstation20 you]#

The su command is now protected from all normal users. When a user who is not a member of the administrative wheel group tries to run su, the kernel refuses to execute the file and the shell reports permission denied:

 [jane@workstation20 jane]$ su
 bash: /bin/su: Permission denied
 [jane@workstation20 jane]$

Two caveats apply. First, the change is made to the file itself, so a later upgrade of the package that provides su can silently restore root:root and mode 4755; re-check the long listing after package updates. Second, on PAM-based systems such as Fedora, the same restriction can be enforced by enabling the pam_wheel.so module in /etc/pam.d/su, which survives package upgrades.
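The whole procedure above, collected into a small POSIX shell script, as an added example that is not from the book: it adds an administrator to wheel, applies root:wheel and mode 4750 to su, and then verifies the result with stat so that the check can be re-run later (for example after a package update restores the stock mode). The function names, the SU variable, and the use of GNU `stat -c` are this example's own assumptions.

```shell
#!/bin/sh
# Added example: restrict su to the wheel group and verify the result.
# Assumes GNU coreutils (stat -c) and shadow-utils (gpasswd); run as root.
# SU is this script's own assumption; override it if su lives elsewhere.
SU=${SU:-/bin/su}

# check_su_attrs OWNER GROUP MODE
# Pure check on already-gathered attributes, so it can be exercised without
# root: succeeds only for owner root, group wheel, octal mode 4750 (rwsr-x---).
check_su_attrs() {
    [ "$1" = root ]  || { echo "owner is '$1', expected root" >&2; return 1; }
    [ "$2" = wheel ] || { echo "group is '$2', expected wheel" >&2; return 1; }
    [ "$3" = 4750 ]  || { echo "mode is $3, expected 4750" >&2; return 1; }
    return 0
}

# verify_su [PATH]
# Read owner, group and octal mode from the filesystem and check them.
# Fails if the binary is missing or has been reset to root:root 4755.
verify_su() {
    su_bin=${1:-$SU}
    attrs=$(stat -c '%U %G %a' "$su_bin" 2>/dev/null) || {
        echo "$su_bin: cannot stat" >&2; return 1; }
    set -- $attrs
    check_su_attrs "$1" "$2" "$3" || { echo "$su_bin: not locked down" >&2; return 1; }
}

# harden_su ADMIN_USER [PATH]
# The steps from the text: add the admin to wheel, chown root:wheel,
# chmod 4750, then verify. Ordering matters: a wheel member must exist
# before the public execute bit is dropped, or nobody can become root
# through su anymore.
harden_su() {
    admin=$1
    su_bin=${2:-$SU}
    gpasswd -a "$admin" wheel  || return 1
    chown root:wheel "$su_bin" || return 1
    chmod 4750 "$su_bin"       || return 1
    verify_su "$su_bin"
}

# When run directly with a user name, lock su down for that administrator;
# when sourced without arguments, only the functions are defined.
if [ -n "${1:-}" ]; then
    harden_su "$1"
fi
```

Run it as root with the administrator's login name (`sh harden_su.sh you`); afterwards `verify_su` alone, for example from a cron job, reports whether su still has the expected owner, group and mode.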



    SAMS Teach Yourself Red Hat(r) Fedora(tm) 4 Linux(r) All in One