Authentication : the process of ascertaining that somebody really is who he claims to be. (who are you) Authorization : the process of verifying that you can access to something. (Are you allowed to access the resource)
Lets take example of a user logging into a Linux machine (ssh / terminal login). One needs to authenticate himself username and password thus verifying he is the person who he claims to be . The same user might not be authorized to access a file as he dosent have enough permissions to read/write on the file.
The idea can be extended to even other services like, one can login (authenticate ) into booking.com if he has a profile, but is not authroized to change the prices of the flights, only admins are allowed to do that. Hence authentication and authorization play a key role in determining the security aspects of a service.
Lets see How authentication and authorization are implemented in Linux OS.
The three main important file from security perspective are 1. /etc/passwd 2. /etc/groups 3. /etc/shadow
username : x : uid : gid : user info : home dir : shell to use.
Things to know : 1. x denotes the encrypted password is saved into /etc/shadow file. 2. gid present here is the primary group id of the user. A user can be part of multiple groups, but the one present in the /etc/passwd is his primary group
An excerpt from /etc/groups
group name : password : gid : group List
Things to know 1. password is generally not used , but we can have password for a group too. 2. The group list refers to the list of user names. These user have these groups as the secondary group.
lets Look at the various relationship that exists
1. Every group has a group id.
2. Every user has a user id
3. In linux its not possible to have user without a group id.(by default when a user is created , it has a group with same name)
4. A user can have one primary group and multiple secondary groups.
5. A group can have multiple users.
6. Authentication is done based on username and password.
7. Authorization is done based on groups as unix follow POSIX permission for user : group : others
1. sudo adduser user: adds a user with the groupname as user name. In Linux a user cannot exist without a group.
2. id username : uid=1001(foobar) gid=1001(foobar) groups=1001(foobar), 4201(security) to get groups of a user (/etc/passwd has this info). For uid foobar, group foobar (gid 1001) is the primary group, security(4201) is the secondary group
3. groups username: gets all the user than belong to this group (/etc/groups has this info)
4. To change primary group of a user use : sudo usermod -g Username groupname
5. getent passwd and getent groups can also be used to lookup the info, it also provides the source from where the info is looked from.
The Linux OS security architecture is very restrictive. The various aspects are 1. A user cannot exist without a group. 2. A group can exist without a user. 3. A file can only have usernames and groups which are part of the Linux OS (Local or Remote service) 4. A file ownership can never be changed to a non existent user ( Create a file and try chown XXXXXX fileName ). 5. Linux is applying authorization policy not only during reading the file but also while creating the file. 7. In linux system there can be no resource which is being handled by a random user which the OS is not aware of.