Differences between revisions 21 and 22
Revision 21 as of 2015-05-06 11:25:58
Size: 13135
Editor: MarioBar
Comment:
Revision 22 as of 2017-10-01 19:54:44
Size: 13130
Editor: ?umlaeute
Comment: fixed syntax error
Line 171: Line 171:
 * '''sync''': The shell of user sync is /bin/sync. Thus, if its password is set to something easy to guess (such as ""), anyone can sync the system at the console even if they have don't have an account.  * '''sync''': The shell of user sync is /bin/sync. Thus, if its password is set to something easy to guess (such as ""), anyone can sync the system at the console even if they don't have an account.
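Review bot: the change is a correct one-word fix, dropping the duplicated "have" from "even if they have don't have an account"; the revision comment "fixed syntax error" undersells it slightly, since this is a grammatical duplicate word in prose rather than wiki syntax, but no content changes and the rest of the sync entry is left intact.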

Introduction

This page lists the system groups used on a Debian system. System groups are special-purpose groups used for system operations such as backup and maintenance, or for granting access to hardware. They occupy the low GIDs of the system group database.

Description

fuse

Description

Filesystem in Userspace (FUSE) is a filesystem that allows non-privileged users to create their own file systems without editing the kernel code. This is achieved by running the file system code in user space, while the FUSE module only provides a "bridge" to the actual kernel interfaces.

FUSE can be used to write virtual filesystems, for instance a wiki-based filesystem.

Users are allowed to use FUSE if they can read and write /dev/fuse, i.e. if they are in group fuse on a Debian system. Starting with Debian 8 (Jessie) this group is not required anymore.

Permissions

/dev/fuse crw-rw---- root fuse 

Security implications

FUSE can be used for a local denial of service, for instance by presenting a file that, like /dev/null, returns endless random content. There have also been past problems in the FUSE kernel code that led to denial of service.

Filesystems created with FUSE are not visible to other users, including root, in order to avoid denial of service; for instance, a user could create a filesystem of infinite depth to trap updatedb.

More Information

  • Wikipedia

  • FUSE web site

rdma

Description

From Roland Dreier

RDMA stands for "remote direct memory access," and it is a type of high performance networking implemented by InfiniBand and some 10 GbE adapters. Part of RDMA is "kernel bypass," which allows a userspace process direct access to hardware registers to reduce latency and CPU overhead in performing RDMA operations. Wikipedia has a more complete overview.

Permissions

/dev/infiniband/rdma_cm crw-rw---- root rdma

Security implications

Users that are running high-performance jobs would need access to these device nodes; it makes sense to me that administrators would not necessarily want to allow all users to have direct access to do things that might interfere with other jobs on a high-performance network, even though in theory it is safe for anyone to use RDMA thanks to kernel protection.

Also, RDMA often requires increasing the amount of locked memory allowed in /etc/security/limits.conf, and doing that by group "rdma" is convenient as well.

More information

  • Wikipedia

  • Roland Dreier's answer on Ubuntu

Other System Groups

Groups without an associated user

The following groups grant privileges to their members.

  • lp (LP): Members of this group can enable and use printers. (The user lp is not used anymore.)

  • lpadmin (LPADMIN): Allows members to manage printers and pending jobs sent by other users.

  • scanner: Members of this group can enable and use scanners.

  • adm: Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.

  • systemd-journal: Since Debian 8 (Jessie), members of this group can use the command journalctl and read log files of systemd (in /var/log/journal).

  • plugdev: Allows members to mount (only with the options nodev and nosuid, for security reasons) and umount removable devices through pmount.

  • netdev: Members of this group can manage network interfaces through the network manager and wicd.

  • cdrom: This group can be used locally to give a set of users access to a CDROM drive and other optical drives.

  • floppy: This group can be used locally to give a set of users access to a floppy drive and other removable (non-optical) drives (like USB flash drives). Starting with Debian 8 (Jessie) it is not used anymore for USB and flash memories.

  • tape: This group can be used locally to give a set of users access to a tape drive.

  • audio: This group can be used locally to give a set of users access to an audio device (the soundcard or a microphone).

  • video: This group can be used locally to give a set of users access to a video device (like the framebuffer, the videocard or a webcam).

  • sudo: Members of this group can execute any command with sudo or pkexec. (See the default configuration in /etc/sudoers)

  • tty: TTY devices are owned by this group. This is used by write and wall to enable them to write to other people's TTYs, but it is not intended to be used directly.

  • staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may "override" the executables in /bin and /usr/bin with the same name). Compare with group "adm", which is more related to monitoring/security.

  • shadow: /etc/shadow is readable by this group. Some programs that need to be able to access the file are SETGID shadow.

  • utmp: This group can write to /var/run/utmp and similar files. Programs that need to be able to write to it are SETGID utmp.

  • disk: Raw access to disks. Mostly equivalent to root access.

  • kmem: /dev/mem and /dev/port are readable by this group. This is mostly a BSD relic, but any program that needs direct read access to the system's memory can thus be made SETGID kmem. /dev/kmem, which gave this group its name, was also readable by this group, but is currently disabled by default for security reasons.

  • dialout: Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc.

  • dip: The group's name stands for "Dial-up IP", and membership in dip allows you to use tools like ppp, dip, wvdial, etc. to dial up a connection. The users in this group cannot configure the modem, but may run the programs that make use of it.

  • fax: Allows members to use fax software to send / receive faxes.

  • voice: Voicemail, useful for systems that use modems as answering machines.

  • users: While Debian systems use the private user group system by default (each user has their own group), some prefer to use a more traditional group system, in which each user is a member of this group.

  • wheel: This group can be created to alter the behaviour of the module pam_wheel in /etc/pam.d/su, which restricts the execution of su. If this group does not exist, only members of group root (usually root itself) are affected. By default this group does not exist and all the pam_wheel lines in /etc/pam.d/su are commented out. See the page about the pam_wheel module for more information.

  • src: This group was used to manage the source code of the system, including files in /usr/src. It is not used anymore.

Add a user to a group

With root privileges:

# adduser user group

It will take effect on the next login. To print the groups the user is in (without root privileges):

$ groups

Security implications

The group disk can be very dangerous, since hard drives in /dev/sd* and /dev/hd* can be read and written bypassing any file system and any partition, allowing a normal user to disclose, alter and destroy both the partitions and the data of such drives without root privileges. Users should never belong to this group.

To manage removable drives without root privileges, use the group cdrom for optical drives. Optical drives can usually be mounted according to the rules in /etc/fstab, but for other removable drives the group plugdev may be more practical. Starting with Debian 8 (Jessie) you need root privileges to format USB and flash memories, because their devices in /dev/ do not belong to the group floppy anymore.

The group kmem is able to read the content of the system memory, potentially disclosing data belonging to other processes.

Members of the group shadow can read the content of /etc/shadow and /etc/gshadow, which contain the password hashes of other users and groups.

Only admins should belong to the group sudo, because its members can execute any command with sudo/pkexec using their own password. Custom rules can be written in /etc/sudoers (through visudo) for any group and any user, in order to allow only a more restricted set of commands to be executed with root privileges. polkit can be customized as well.

Members of the group staff can install executables in /usr/local/bin and /usr/local/sbin without root privileges. By default /usr/local/bin is in the PATH variable of every user, so that binaries in /usr/local/bin can be executed without writing their full paths. In addition, if an executable is created in /usr/local/bin with the same name as one in /usr/bin (or /bin), the former will be executed whenever the command is invoked without a path.
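As an added example (not part of this wiki page), a POSIX shell audit that lists every account belonging to the groups this section flags as sensitive, and checks that nobody is in group disk; it works on a constructed copy of /etc/group embedded in the script so it runs offline, and the group list, file path and function names are my own choices.

```shell
#!/bin/sh
# Audit membership of the sensitive system groups described on this page.
# Added example, not from the Debian wiki; run against a real system with
#   audit_groups /etc/group

# Groups whose membership this page flags as dangerous or privileged.
RISKY_GROUPS="disk kmem shadow sudo staff dialout adm"

# Constructed sample of /etc/group (not from a real system), so the
# script is self-contained.
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
daemon:x:1:
adm:x:4:syslog,bob
disk:x:6:alice
kmem:x:15:
dialout:x:20:
sudo:x:27:bob
shadow:x:42:
staff:x:50:carol
users:x:100:alice,bob,carol
EOF

# Print one "group:member" line per account in a risky group.
# Field 4 of /etc/group is the comma-separated supplementary member list;
# a group with no listed members produces no output.
audit_groups() {
    awk -F: -v risky="$RISKY_GROUPS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) print $1 ":" members[i]
        }' "$1"
}

# Succeed (exit 0) only if group disk has no members at all, since the
# page states that users should never belong to it.
check_disk_empty() {
    ! audit_groups "$1" | grep -q '^disk:'
}

audit_groups "$SAMPLE_GROUP"
check_disk_empty "$SAMPLE_GROUP" || echo "WARNING: group disk has members"
```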

Groups with an associated user

The following groups are not intended to be used directly by other users.

  • root: Root is (typically) the superuser.

  • daemon: Some unprivileged daemons that need to write to files on disk run as daemon.daemon (e.g., portmap, atd, probably others). Daemons that don't need to own any files can run as nobody.nogroup instead, and more complex or security conscious daemons run as dedicated users. The daemon user is also handy for locally installed daemons.

  • games: Many games are SETGID to games so they can write their high score files. This is explained in policy.

  • man: The man program (sometimes) runs as user man, so it can write cat pages to /var/cache/man.

  • mail: Mailboxes in /var/mail are owned by group mail, as explained in policy. The user and group are used for other purposes by various MTAs as well.

  • news: Various news servers and other associated programs (such as suck) use user and group news in various ways. Files in the news spool are often owned by user and group news. Programs such as inews that can be used to post news are typically SETGID news.

  • proxy: Like daemon, this user and group is used by some daemons (specifically, proxy daemons) that don't have dedicated user IDs and that need to own files. For example, group proxy is used by pdnsd, and squid runs as user proxy.

  • postgres: PostgreSQL databases are owned by this user and group. All files in /var/lib/postgresql are owned by this user to enforce proper security.

  • www-data: Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers, including log files, will be owned by www-data.

  • backup: So backup/restore responsibilities can be locally delegated to someone without full root permissions.

  • list: Mailing list archives and data are owned by this user and group. Some mailing list programs may run as this user as well.

  • irc: Used by irc daemons. A statically allocated user is needed only because of a bug in ircd, which SETUID()s itself to a given UID on startup.

  • sync: The shell of user sync is /bin/sync. Thus, if its password is set to something easy to guess (such as ""), anyone can sync the system at the console even if they don't have an account.

  • uucp: The uucp user and group is used by the UUCP subsystem. It owns spool and configuration files. Users in the uucp group may run uucico.

  • operator: Operator was (historically) the only 'user' account that could log in remotely.

  • bin: Maintained for historical reasons.

  • sys: Same as bin.

  • nogroup (user: nobody): Daemons that need not own any files run as user nobody and group nogroup. Thus, no files on a system should be owned by this user or group.

More information

Securing Debian HowTo - FAQ n. 12.1.12.1


Page Copyright

License

GPLv2 or later at your option

Authors

Bastien Roucaries , Mario Bar

see DebianWiki/LicencingTerms for info about wiki content copyright.



CategorySystemSecurity