7.9 Security and Users
A basic aspect of Linux is its multiuser capability. Consequently,
several users can work independently on the same Linux system. Each user
has a user account identified by a login name and a personal password for
logging in to the system. All users have their own home directories where
personal files and configurations are stored.
7.9.1 User Management
Create and edit users with . It
provides an overview of users in the system, including NIS, LDAP,
Samba, and Kerberos users if requested.
If you are part of an extensive network, click
to list all users categorically (for example,
root or NIS users). You can also customize
filter settings by clicking .
To add new users, click
and enter the appropriate data. Complete the
addition by clicking
. The new user
can immediately log in using the newly created login name and password.
HINT: Autologin
If you are the only user of your system, you can configure autologin.
Autologin automatically logs a user into the system after it starts.
To activate autologin, select the user from the list of users and click
. Then choose
and
click .
Disable user login with the corresponding option.
Fine-tune user profiles in . Here, manually set
the user ID, home directory, default
login shell, and assign the new user to specific groups.
Configure the validity of the password in .
Click to save all changes.
To delete a user, select the user from the list and click
.
Then mark whether to delete the home directory and click
to confirm.
For advanced user administration, use to define the default settings for the creation of new
users. Select the user authentication method (such as NIS, LDAP, Kerberos, or
Samba), login settings (only with KDM or GDM),
and the algorithm for password encryption. and
apply only to local users.
provides a configuration
overview and the option to configure the client. Advanced
client configuration is also possible using this module. After accepting
the
configuration, return to the initial configuration overview.
Click to save all changes
without exiting
the configuration module.
7.9.2 Group Management
To create and edit groups, select or
click in the user administration module. Both
dialogs
have the same functionality, allowing you to create, edit, or delete
groups.
The module gives an overview of all groups. As in the user management
dialog, change filter settings by clicking .
To add a group,
click and fill in the appropriate data. Select group
members from the list by checking the corresponding
box. Click to create the group. To edit a group,
select the group to edit from the list and click
. Make
all necessary changes then save them with .
To delete a group, simply select it from the list and click
.
Click
for advanced group management. Find more
about these options in Section 7.9.1,
User Management.
7.9.3 Local Security
To apply a set of security settings to your entire system, use
. These settings include security for
booting, login, passwords, user creation, and file permissions.
SUSE Linux Enterprise offers three preconfigured security sets: , , and
. Modify the defaults with
. To create your own scheme, use
.
The detailed or custom settings include:
-
-
To have new passwords checked by the system for security before they are
accepted, click and
. Set the minimum
password length for newly created users. Define the
period for which the password should be valid and how many days in
advance an expiration alert should be issued when the user logs in to
the text console.
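The validity period and advance warning set in this dialog end up as the "max" and "warn" fields of each /etc/shadow entry. The following shell script, an added example that is not part of the SUSE manual, audits a shadow-format file against such a policy; the sample accounts, placeholder hashes, temporary file and function name are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: check a shadow-format file against
# a password-aging policy. /etc/shadow fields are
# name:hash:lastchange:min:max:warn:inactive:expire:reserved, where field 5
# (max) is the validity period in days and field 6 (warn) the advance warning.

# Constructed sample in /etc/shadow format; the hashes are placeholders.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$hash:19000:0:99999:7:::
tux:$6$placeholder$hash:19000:0:90:14:::
wilber:$6$placeholder$hash:19000:0:365:7:::
geeko:$6$placeholder$hash:19000:0::::
daemon:*:19000:0:99999:7:::
EOF

# shadow_policy_violations FILE MAX_DAYS WARN_DAYS
# Prints "name:max=<days>:warn=<days>" for each account whose password never
# expires (empty max), stays valid longer than MAX_DAYS, or warns fewer than
# WARN_DAYS in advance. Locked accounts (hash starting with "!" or "*") cannot
# log in with a password at all and are skipped.
shadow_policy_violations() {
    awk -F: -v max="$2" -v warn="$3" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > max + 0 || $6 == "" || $6 + 0 < warn + 0 {
            print $1 ":max=" $5 ":warn=" $6
        }' "$1" | sort
}

# Policy for the demo: passwords valid at most 90 days, warn 14 days ahead.
echo "Accounts outside the 90/14 policy:"
shadow_policy_violations "$SAMPLE_SHADOW" 90 14
```

Run it against the real /etc/shadow as root to find accounts that were created before the policy was tightened and still carry the old values.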
-
-
Set how the key combination Ctrl+Alt+Del should be
interpreted by selecting the desired action. Normally, this
combination, when entered in the text console, causes the system to
reboot. Do not modify this setting unless
your machine or server is publicly accessible and you are afraid
someone could carry out this action without authorization. If you
select , this key combination causes the
system to shut down. With , this key
combination is ignored.
If you use the KDE login manager (KDM), set permissions for shutting
down the system in . Give
permission to (the system administrator), , , or . If is selected, the system
can only be shut down from the text console.
-
-
Typically, following a failed login attempt, there is a waiting
period lasting a few seconds before another login is possible. This
makes it more difficult for password sniffers to log in. Optionally
activate and
. If you suspect
someone is trying to discover your password, check the entries in the
system log files in /var/log. To grant other users
access to your graphical login screen over the network, enable
.
Because this access possibility represents a potential security risk,
it is inactive by default.
-
-
Every user has a numerical and an alphabetical user ID. The
correlation between these is established using the file
/etc/passwd and should be as unique as possible.
Using the data in this screen, define the range of numbers assigned
to the numerical part of the user ID when a new user is added. A
minimum of 500 is suitable for users. Automatically generated
system users start with 1000. Proceed in the same way with the
group ID settings.
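The two properties this item asks for, numeric UIDs that are unique and regular users placed above the chosen minimum, can be checked directly in /etc/passwd. The script below is an added shell example, not code from the SUSE manual; the sample accounts, the temporary file, the function names and the minimum of 500 taken from the text are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: audit a passwd-format file for
# shared numeric UIDs and for interactive accounts below the configured
# minimum UID. The sample accounts are constructed.

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
tux:x:500:100:Tux Penguin:/home/tux:/bin/bash
wilber:x:500:100:Wilber Gimp:/home/wilber:/bin/bash
lowuid:x:42:100:Too Low:/home/lowuid:/bin/bash
geeko:x:501:100:Geeko:/home/geeko:/bin/bash
EOF

# duplicate_uids FILE
# Prints "uid:name1,name2" for every numeric UID shared by more than one
# login name. Two names on one UID are the same identity to the kernel:
# file ownership and process credentials cannot tell them apart.
duplicate_uids() {
    awk -F: '
        { count[$3]++; names[$3] = names[$3] "," $1 }
        END { for (u in count) if (count[u] > 1) print u ":" substr(names[u], 2) }
    ' "$1" | sort -n
}

# below_min_uids FILE MIN
# Prints "name:uid" for accounts with a real login shell (other than root)
# whose UID lies below MIN, i.e. outside the range meant for new users.
below_min_uids() {
    awk -F: -v min="$2" '
        $3 != 0 && $3 + 0 < min + 0 && $7 !~ /(nologin|false)$/ { print $1 ":" $3 }
    ' "$1" | sort
}

echo "Shared UIDs:";     duplicate_uids "$SAMPLE_PASSWD"
echo "Users below 500:"; below_min_uids "$SAMPLE_PASSWD" 500
```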
-
-
To use predefined file permission settings, select
,
, or .
should be sufficient for most users.
The setting
is extremely restrictive and can serve as the basic level of
operation for custom settings. If you select
, remember that some programs might
not work correctly or even at all, because users no longer have
permission to access certain files.
Also set which user should launch the
updatedb program, if installed.
This program, which automatically runs on a daily basis or after
booting, generates a database (locatedb) in which the location of
each file on your computer is stored. If you select
, any user can find only the paths in the
database that can be seen by any other (unprivileged) user. If
root is selected, all local
files are indexed, because the user
root, as superuser, may
access all directories. Make sure that the options
and
are
deactivated. Only advanced users should consider using these options
because
these settings may pose a significant security risk if used incorrectly.
To have some control over the system even if it crashes, click
.
Click to complete your security configuration.
7.9.4 Firewall
SuSEfirewall2 can
protect your machine against attacks from the Internet. Configure it with
. Find detailed
information about SuSEfirewall2 in Section 38.0,
Masquerading and Firewalls.
HINT: Automatic Activation of the Firewall
YaST automatically starts a firewall with suitable settings on every
configured network interface. Start this module only if you
want to reconfigure the firewall with custom settings or deactivate it.