Chapter 12. Controlling Access and Privileges

System security relies heavily on users and groups not being able to do more than the site's security policy allows. Most of the day-to-day changes concerned with controlling access and privileges revolve around properly using users and groups. (See Chapter 2 for more information on properly creating and configuring users and groups.)

However, many organizations using Red Hat Linux have particular guidelines or work environments that require tighter security or special configurations for enhanced or restricted access to applications or system devices. This section discusses a few ways you can tweak your system to provide an appropriate level of access and privileges for your users based on your situation.

Shadow Utilities

If you are in a multiuser environment and not using PAM or Kerberos, you should consider using the shadow utilities (the shadow-utils package, which implements shadow passwords) for the enhanced protection they offer your system's authentication files. During the installation of Red Hat Linux, shadow password protection is enabled by default, as are MD5 passwords (an alternative and arguably more secure method of hashing passwords for storage on your system).

Shadow passwords offer a few distinct advantages over the previous UNIX and Linux standard of keeping password hashes directly in the world-readable /etc/passwd file, including:

The shadow-utils package contains a number of utilities that support:


There are some additional points of interest concerning these utilities:

  • The utilities will work properly whether shadowing is enabled or not.

  • The utilities have been slightly modified to support Red Hat's user private group scheme. For a description of the modifications, see the useradd man page. For more information on user private groups, turn to the section called User Private Groups in Chapter 2.

  • The adduser script has been replaced with a symbolic link to /usr/sbin/useradd.

  • The tools in the shadow-utils package are not Kerberos or LDAP enabled. New users will be local only. For more information on Kerberos and LDAP, see Chapter 9 and Chapter 4.
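The checks an administrator would want after reading the above, as an added example that is not from the Red Hat manual: a POSIX shell script that audits a passwd/shadow pair for accounts whose hash was never moved out of /etc/passwd, for shadow entries that still use the old 13-character DES crypt format (or carry no password at all), and for a shadow file that is readable by users other than its owner. The sample files, user names and hash strings are constructed for the example and are not real credentials; the functions can be pointed at the real /etc/passwd and /etc/shadow when run as root.

```shell
#!/bin/sh
# Added example, not part of the Red Hat manual: audit a passwd/shadow pair
# for accounts whose hash never moved to the shadow file, for shadow entries
# that are DES crypt or empty, and for a shadow file readable by others.
# Sample files are constructed below so the script runs offline; as root,
# point the functions at the real files instead.

# Print accounts whose passwd entry still carries something other than the
# "x" placeholder in field 2, i.e. accounts that were never shadowed.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Classify each shadow hash and print name:type for the ones an admin should
# act on: 13-character DES crypt (pre-MD5) and empty (no password at all).
# "$1$" is MD5 crypt, the Red Hat default described above; "!" or "*" marks
# a locked account; anything else (for example $5$ or $6$) is left alone.
weak_hash_accounts() {
    awk -F: '{
        h = $2
        if (h == "")              t = "empty"
        else if (h ~ /^[!*]/)     t = "locked"
        else if (h ~ /^\$1\$/)    t = "md5"
        else if (length(h) == 13) t = "des"
        else                      t = "other"
        if (t == "des" || t == "empty") print $1 ":" t
    }' "$1"
}

# Succeed only if the file is readable by its owner alone (mode 0400 or 0600).
# On a real system also confirm the owner is root (ls -l /etc/shadow).
shadow_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run all three checks, print a short report, and return 1 if anything failed.
audit_report() {
    passwd_file=$1; shadow_file=$2; rc=0
    for u in $(unshadowed_accounts "$passwd_file"); do
        echo "NOT SHADOWED: $u (hash still in $passwd_file)"; rc=1
    done
    for e in $(weak_hash_accounts "$shadow_file"); do
        echo "WEAK HASH:    $e"; rc=1
    done
    if ! shadow_perms_ok "$shadow_file"; then
        echo "BAD PERMS:    $shadow_file is readable by others"; rc=1
    fi
    return $rc
}

# --- Constructed sample data (hash strings are made up, not real credentials) ---
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/shadow-audit.XXXXXX")
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
legacy:ab3kL9xQ2mZp1:501:501:Not converted:/home/legacy:/bin/bash
bob:x:502:502:Bob:/home/bob:/bin/bash
EOF

cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$saltsalt$k7wv0LsOc2xZq8mYf1PdU1:11000:0:99999:7:::
alice:$1$Q9zXp2aB$uN3rT5vW7yZ1bD4fG6hJ9k:11000:0:99999:7:::
carol:ab3kL9xQ2mZp1:11000:0:99999:7:::
guest::11000:0:99999:7:::
bob:!!:11000:0:99999:7:::
EOF
chmod 600 "$SAMPLE_SHADOW"
chmod 644 "$SAMPLE_PASSWD"

# Remove the sample files once finished.
audit_cleanup() { rm -rf "$SAMPLE_DIR"; }

# Stand-alone run against the samples. On a live system use
# audit_report /etc/passwd /etc/shadow as root.
audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "audit found problems"
```

Where unshadowed accounts turn up, pwconv (from shadow-utils) moves the hashes into /etc/shadow and replaces them with x in /etc/passwd, and pwunconv reverses the change. The classifier above only recognises 13-character DES and $1$ MD5 hashes; entries in any other format are neither reported nor endorsed, so extend weak_hash_accounts if your site policy requires a particular algorithm.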