The find command is quite helpful and can be used for many purposes, such as before or during backup operations. See the section 'Using Backup Software' in Chapter 13, 'Backing Up.'
Note that the programs do not necessarily have to be removed from your system. If your users really do not need to use the program, you can remove execute permission of the program for anyone. You have to decide, as the root operator, whether your users are allowed to, for example, mount and unmount CD-ROMs or other media on your system. Although Linux-based operating systems can be set up to accommodate ease of use and convenience, allowing programs such as mount to be suid might not be the best security policy. Other candidates for suid permission change could include the chsh, at, and chage commands.
Managing Passwords
Passwords are an integral part of Linux security, and they are the most visible part to the user. In this section, you learn how to establish a minimal password policy for your system, where the passwords are stored, and how to manage passwords for your users.
An effective password policy is a fundamental part of a good system administration plan. The policy should cover the following:
> Allowed and forbidden passwords
> Frequency of mandated password changes
> Retrieval or replacement of lost or forgotten passwords
> Password handling by users
The Password File
The password file is /etc/passwd, and it is the database file for all users on the system. The format of each line is as follows:
The fields are self-explanatory except for the finger and mail. For that reason, it is commonly referred to as the gecos field can be changed with the cgfn (change finger) command.
Note that a colon separates all fields in the /etc/passwd file. If no information is available for a field, that field is empty, but all the colons remain.
If an asterisk appears in the password field, that user is not permitted to log on. Why does this feature exist? So that a user can be easily disabled and (possibly) reinstated later without having to be created all over again. The system administrator manually edits this field, which is the traditional UNIX way of accomplishing this task. Fedora provides improved functionality with the passwd -l command mentioned earlier.
Several services run as pseudo-users, usually with root permissions. These are the system, or logical, users mentioned previously. You would not want these accounts available for general login for security reasons, so they are assigned /sbin/nologin as their shell, which prohibits any logins from those 'users.'
A list of /etc/passwd reveals the following:
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
...
gdm:x:42:42::/var/gdm:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
andrew:x:500:500:Andrew Hudson:/home/andrew:/bin/bash
Note that the password fields do not show a password, but contain an x because they are shadow passwords, a useful security enhancement to Linux, discussed in the following section.
Shadow Passwords
It is considered a security risk to keep any password in /etc/passwd because anyone with read access can run a cracking program on the file and obtain the passwords with little trouble. To avoid this risk, shadow passwords are used so that only an x appears in the password field of /etc/passwd; the real passwords are kept in /etc/shadow, a file that can be read by only the sysadmin (and PAM, the Pluggable Authentication Modules authentication manager; see the 'PAM Explained' sidebar for an explanation of PAM).
Special versions of the traditional password and login programs must be used to enable shadow passwords. Shadow passwords are automatically enabled during the installation phase of the operating system on Fedora systems.
Let's examine a listing of the shadow companion to /etc/passwd, the /etc/shadow file:
# cat /etc/shadow
root:*:13121:0:99999:7:::
daemon:*:13121:0:99999:7:::
bin:*:13121:0:99999:7:::
sys:*:13121:0:99999:7:::
sync:*:13121:0:99999:7:::
games:*:13121:0:99999:7:::
man:*:13121:0:99999:7:::
...
andrew:$1$z/9LTBHL$omt7QdYk.KJL7rwBiM0511:13121:0:99999:7:::
The fields are separated by colons and are, in order, the following:
> The user's login name.
> The encrypted password for the user.
> When the password was last changed, measured in the number of days since January 1, 1970. This date
