Two classes of login accounts are found under Trusted IRIX/CMW: user accounts and administrative accounts. The administrative accounts are root (the system administrator) and auditor (the auditor). All other accounts are ordinary user accounts. Administrative accounts are discussed in the section “Planning Your System Administration” in Chapter 2. This chapter discusses the appropriate use and management of user accounts.
User accounts are both the first line of defense of a trusted system and potentially the weakest link in that system. Every user account can break system security if it is not managed well, and every user account can be used to enforce system security. The way your user accounts are managed is crucial to a successful secure system.
Users must have ready access to the files and resources they need to perform their work. If this access is not available or is inconvenient, users circumvent the security policies and create threats to system security. However, users should also not be allowed access to unnecessary files and resources, because this is a security threat in itself.
Guidelines for effective secure management of user accounts are explained in this chapter. Procedures for administering user accounts and user groups are also presented.
This chapter includes the following sections:
The following sections give guidelines and instructions for creating user accounts:
Guidelines for User Accounts
Creating User Accounts
Removing a User
Changing Clearance Information
Guidelines for user accounts are listed below:
Always use a different account name and user ID number for each user on your system. Each account should represent only one person, for accountability.
Never assign a login name that begins with a number. Some networks do not interpret these login names correctly.
Always choose unique user identification names for your users. For example, the login name steveb is a better choice than user001. A login name and the other information associated with an account should always be readily associated with the person who owns that account. It is generally possible to find distinguishing personal characteristics to differentiate between two or more users with similar names.
Include the user's full name and some personal identification, such as job title and phone number, in the comment field of the /etc/passwd file. Be careful, however, not to include classified information in the /etc/passwd file.
When you create user accounts, be certain that the user's environment is properly initialized for security. For example, in the .profile or .cshrc files, set the user's umask to 077. This initializes the default DAC permissions to allow the user to access only those files he or she creates.
In the .profile or .cshrc files, set the PATH environment variable to include only those directories that the user is allowed to access. Also, in the PATH variable, make certain that the user's home directory is searched last, after the system directories, for commands. This guards against some forms of Trojan Horse attack. Do not include any temporary or public directories in the PATH, such as /tmp.
If possible, place a copy of the security policy in each account.
When you remove a user account, first make a backup tape of all files in the home directory belonging to that account.
When you remove a user account, assign new owners to any files on the system still owned by the removed user.
This section gives directions on creating user accounts . Before beginning the process, choose the user's login name, user ID number, allowable security labels (or label ranges), and any administrative roles.
On a trusted system, shadow passwords (/etc/shadow) are always used; see the pwconv(1) man page. When MAC is installed, every user must have an entry in /etc/clearance. All of these databases, except /etc/passwd, are protected from perusal by nonprivileged users.
It is important to follow the procedures exactly as they are specified in this guide. These procedures often involve manipulating sensitive system access files. Failure to follow the exact procedures listed here could leave your system without the designed security protections.
The Trusted IRIX/CMW system has an administrative account (root) and auditor account (auditor). Do not change these accounts.
New user accounts must be created by the system administrator (running at dblow). Adding a user requires these steps:
Create a passwd file entry and a home directory for the user.
Create entries in the /etc/shadow, /etc/clearance, and /etc/capability files for the user and use chlabel to set the MAC label on the user's home directory.
To create the /etc/passwd file entry, perform these steps:
Enter the command:
vi /etc/passwd |
Add a line with the new user's information of this form:
username:*:UID:GID:Comments:home-dir:default-shell |
Here is an example line:
jeffz:*:1998:50:Sample User:/usr/people/jeffz:/bin/csh |
To create the user's home directory, perform these steps:
Use the cd command to change to the /usr/people directory.
Use the mkdir command to make a home directory for your new user. Give the directory the same name as the new user.
Use the chown and chgrp commands to change the ownership of the new directory to the new user.
If your new user is using the C shell (/bin/csh), copy the files /etc/stdcshrc and /etc/stdlogin to the new directory, naming them .cshrc and .login.
To edit the /etc/clearance, /etc/capability, and /etc/shadow files, perform these steps:
Add an entry to the /etc/clearance file according to the format described below. The example shows /etc/clearance entries for an auditor (audry), two system administrators (andy and amy), and an operator (oswald). Andy is also allowed to be an operator. All of these users do “real” work on the system except for andy, who is a full-time system administrator. Everyone but andy is cleared for userlow, which is their default label:
audry:userlow:dbadmin userlow amy:userlow:dblow userlow andy:dblow:dblow msenhigh/mintlow userlow oswald:userlow:msenhigh/mintlow userlow |
Add an entry to the /etc/capability file according to the format described below. The following are /etc/capability entries for a number of users. Note that the dbadmin account has a master capability that includes all defined capabilities:
auditor:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip dbadmin:all=:all= ernie:all=:CAP_FOWNER,CAP_SETFCAP+eip bert:CAP_FOWNER |
An /etc/capability file entry includes the account name and the capabilities associated with that account in a comma-separated list.
Add an entry to the /etc/shadow file according to the format described below. The following are /etc/shadow entries for two users:
root:kEXFeXFTPoxE bill:6k/7KCFRPNVXg,z/ |
An /etc/shadow file entry includes the user's account name and encrypted password, separated by a colon (:). When you add an entry, you need only add the account name and a colon; the passwd utility encrypts and enters the password.
When changing the labels for the new user, follow these steps:
Use the chlabel command to change the label of the files in the directory to the lowest allowable label of the new user. You must use the lowest allowable label so the user can access those files without regard to his or her login label.
Use the chlabel command to change the label of the new directory to the lowest allowable label of the new user. You must use the lowest label or the user cannot find his or her home directory when logging in at the lowest label.
Additionally, the system administrator should set a password for the new user, using the following commands:
passwd jeffz |
and
passwd -f jeffz |
The first command creates a password for jeffz. This password must be selected by the system administrator and told to the new user. The second command forces the new user to change the password at the first login.
When a user has finished all use of a secure system, that user's account should be closed quickly. It is the system administrator's concern that unauthorized users not be allowed on the system, and he or she needs to be informed at once when a user leaves or ceases to use the system. The system administrator should replace each of the following with the string "*INVALID*": the former user's encrypted password field (in /etc/shadow), both capability lists in /etc/capability, and both clearance fields in /etc/clearance. The entries in the files should not be removed. The system administrator should also check for crontabs, at jobs, or print jobs the former user may have queued.
Once the user is removed, check all system files and change ownership of any files on the system that are owned by the defunct user account. If the user had access to other accounts, change the passwords on those accounts immediately. Also, remove the user's name from all groups on the system.
The security clearance information assigned to a user may be changed by the system administrator by updating the appropriate entry in the /etc/clearance file.
If the user's new security clearance includes all of his or her old labels, that user may remain logged on to the system and active while the clearance is updated.
On a trusted system, you typically have one or more confidential projects at any given time. Also typically, the users working on those projects need to share files and resources. To accommodate this need, you can create user groups . DAC provides a set of permissions for a file owner's group, as well as for the owner of the file and the whole user community.
Trusted IRIX/CMW provides for multiple concurrent groups. That is, a particular user can be a member of any number of groups, or even of all groups on your system. When you log in, your group ID is set to the group ID in your entry in the passwd file. To change to a different group, use the newgroup command.
Group your users based on their common needs. Put all the users on a given project in the same group. All members of a group acquire the group ID in addition to their user ID when they log in. Using the DAC permissions and appropriately defined Mandatory Access Control (MAC) permissions, it is possible to give each member of a project team complete access to necessary files and exclude other users from confidential files.
Guidelines for user groups are as follows:
Place users working on the same project or who have similar needs in a group. Consider, for example, a group of data entry clerks. Users with similar needs may work on different projects, but they all need similar tools and resources.
Add a group at the same time you add each new project to your system.
Assign each group a unique and readily identifiable group name. For example, motordev is a better name than group001.
Never begin a group name with a number, because this can be misinterpreted by the system.
The file /etc/group maintains a list of the valid groups and their members. It is possible to edit the /etc/passwd file and change the ID number of a given group. No checking is done between these two files, and the system administrator must make certain that all user IDs and group IDs given in these files are correct.
Run the pwck program frequently to check your system for potential problems in the /etc/password file.
It is sometimes desirable to create a group containing only a single user who is performing specialized work.
To add a group , the system administrator logs in at the label dblow and performs the following steps:
Enter the command:
su dbadmin |
Enter the command:
vi group |
Add a line for the new group in this form:
groupname:*:username,username,username |
Exit vi and the dbadmin account.
When a group has no more users, or a project group has finished all work, the group should be nullified. You should not, however, remove a group entirely, because the possibility exists that the same group name or ID number might be reused, creating a security hazard. To remove a group , edit the group file in the same way as to add a group, and remove all usernames from the entry for the defunct group. This way, the group is effectively removed, but the entry remains and so cannot be reused.
At your convenience, search through the system and find files that are owned by the defunct group and change their ownership to another group or remove them.