If you want to further secure your Linux machines, there's no place like home. Here's how to manage permissions and encrypt each user's home directory.
Linux. That's right, the platform of reliability, flexibility, and security. Even though you do gain significant amounts of security with the open source operating system, no computer is one hundred percent safe. Period. End of story. However, there are things you can do, even with Linux, to make your experience considerably more secure.
One often-forgotten area of Linux security is the home directory--otherwise known as ~/. Something to keep in mind, is that particular directory houses user data. In other words, this is the default directory where documents are stored. If this machine is used in a business environment, there could be sensitive information stored within.
Let's see what we can do to that home directory to make it more secure. We'll start with the easy tip first. I'll be demonstrating on a freshly installed Ubuntu 17.10 desktop.
One thing you must know is that, out of the box, users can read each other's files in their home directory. That's right, if you have a Linux machine with multiple users, those users can read one another's files (so long as they are housed within their home directory or child folders within the home directory). So if user jack has a file /home/jack/jacksfile, user olivia could read the contents of that file (although not write to it).
How do we prevent this? Actually it is quite simple. What we must do is change the permission of each user's home directory. For each user directory, execute the following command:
sudo chmod -R 700 /home/USER
Where USER is the actual username.
When a user attempts to either list the contents of a directory in that user's account (or read a file in that same directory), they will receive a permission denied error.
That's the easy way. Now let's take a look at a more complicated method of better security your user's home directory.
SEE: Securing Linux policy (Tech Pro Research)
During the installation of the platform, you will be asked if you want to encrypt each user's home directory. If you skip that during installation, worry not, you can do it post-install. Here's how.
The first thing you must do is install a couple of extra tools. Back at the terminal window, issue the following command:
sudo apt-get install ecryptfs-utils cryptsetup
The next step is to create a temporary account with admin privileges. To do this, open up the Settings app and search for Users. In the new window (Figure A), click the Unlock button and type your sudo password.
Next, click the Add User button and fill out the information for the new user (Figure B). Remember, this will be a temporary user, used only for the encryption of another user's home directory.
Once you've created the new user, close out the Settings window and log out of your current user. You'll then log into the temporary user account. From that new user, open up a terminal window and issue the following command to encrypt the user's home directory:
sudo ecryptfs-migrate-home -u USER
Where USER is the username whose home directory you want to encrypt. You will first be prompted for the temporary user's sudo password, followed by the password for the user whose home directory is being encrypted. The above command will not only encrypt the user's directory, it will also create a backup of the contents of that directory (in case of a problem).
This next step is vital. Before you reboot the system, you must do the following:
- Login as the user whose directory was just encrypted.
- Issue the command ecryptfs-unwrap-passphrase and record the randomly generated passphrase (you will be prompted for your user login password, in order for this to work).
- If swap space is being used on the system, you should also encrypt it with the command sudo ecryptfs-setup-swap
The backup, created by the ecryptfs-migrate-home command is found in /home and will be in the form of USER.XXX (where USER is the username and XXX is a random string of characters). Leave that in place, until you've rebooted a couple of time and verified the user can access all of their files. Once you've taken care of the above, reboot the system and then attempt to log in as the user whose home directory was just encrypted
SEE: 20 quick tips to make Linux networking easier (free PDF) (TechRepublic)
And that's it. Your home directory is encrypted. Repeat this process for all users who require encrypted home directories. Once you're finished, and have verified everyone can access their files and folders, you can delete the backups as well as the temporary user. Your encrypted home folders are good to go.
- How to install and use Uncomplicated Firewall in Ubuntu (TechRepublic)
- How to setup two-factor authentication for iCloud (TechRepublic)
- How to check SSD health in Linux (TechRepublic)
- How to find and use the Linux home directory (TechRepublic Video)
- Linus Torvalds says targeted fuzzing is improving Linux security (ZDNet)