Some security mechanisms of Linux

Linux is a Unix-like operating system that is free to use and freely distributed. Based on POSIX and UNIX, Linux is a multi-user, multi-tasking, multi-threading and multi-CPU operating system. Linux supports 32-bit and 64-bit hardware and runs the major UNIX tools, applications and network protocols. Linux inherits the network-centred design philosophy of UNIX, so it is a multi-user network operating system with stable performance. First released on October 5, 1991, Linux exists in many different versions, all of which use the Linux kernel. Strictly speaking, the word Linux stands only for the Linux kernel, but in practice it is used to describe the whole operating system built on the Linux kernel together with the tools and libraries of the GNU project. Thanks to its high compatibility, Linux can be installed on a wide range of computer hardware, including mobile phones, tablet computers, routers, video game consoles, desktop computers, mainframes and supercomputers.

Security mechanisms of Linux and their specific functions
After years of development, the functions of Linux have been continuously enhanced and its security mechanisms gradually improved as well. According to the TCSEC evaluation criteria, the security level of Linux has already reached C2. Let's take a look at the existing security mechanisms of Linux and their specific functions.

  • PAM mechanism: PAM (Pluggable Authentication Modules) is a set of shared libraries that provides a framework and a set of programming interfaces, shifting the authentication work from the programmer to the administrator. PAM allows administrators to choose a suitable authentication method from a variety of them, so the local authentication method can be changed without recompiling or re-authenticating the related applications.
  • Specific functions of the PAM mechanism:
    Password encryption (with any algorithm other than DES).
    Limiting users' resources in order to prevent DoS attacks.
    Optional shadow passwords.
    Restricting specific users to log in only from a designated location and at a specified time.
    Introducing the concept of "client plug-in agents" so as to support machines in client/server applications, making machine authentication possible.
    PAM makes it convenient to develop more effective authentication methods. On this basis, new authentication methods such as smart cards and fingerprint recognition can easily be developed to replace the conventional username-plus-password authentication method.
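As an added illustration (not from the original article), the following constructed fragments show how an administrator uses the PAM stack to enforce two of the functions listed above, login time/location restrictions and per-user resource limits, by editing configuration rather than recompiling the login program. The user names and groups (alice, bob, students) are hypothetical; the file formats are those documented for pam_time and pam_limits.

```text
# /etc/pam.d/login (excerpt) -- constructed illustration, not a distribution's shipped file.
# Each line names a module; the order of lines is the "stack" the login program calls into.
auth     required   pam_unix.so      # username + (shadow) password check
account  required   pam_unix.so
account  required   pam_time.so      # consult /etc/security/time.conf
session  required   pam_limits.so    # apply /etc/security/limits.conf

# /etc/security/time.conf -- format: services;ttys;users;times
# alice and bob may use the login service on physical consoles (tty*, but not
# pseudo-ttys ttyp*) only on weekdays (Wk) between 08:00 and 18:00.
# A rule whose time field does not match denies access; '!' negates a term.
login;tty*&!ttyp*;alice|bob;Wk0800-1800
# A never-matching time (!Al0000-2400 = "not at any time, any day") blocks the
# listed user from that service entirely.
login;*;guest;!Al0000-2400

# /etc/security/limits.conf -- format: <domain> <type> <item> <value>
# Hard process and login caps per group, so one runaway account (a fork bomb,
# for instance) cannot exhaust the process table for everyone else.
@students   hard   nproc       50
@students   hard   maxlogins   4
*           hard   core        0
```

Changing any of these lines alters who may authenticate, where, when, and with what resources, while the login binary itself is untouched; that separation is the point of the pluggable design.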

  • TCFS: an encrypting file system, TCFS (Transparent Cryptographic File System) is one of the most useful security mechanisms of Linux. There are several encrypting file systems for Linux, such as CFS, TCFS and CRYPTFS. TCFS tightly integrates the encryption service with the file system, so that users do not perceive the encryption process at all. TCFS does not modify the data structures of the file system or the semantics of user access to confidential files, and backup and restoration remain unchanged.

  • Specific functions of TCFS:
    TCFS makes confidential files unreadable for the following parties:
    Users other than the legitimate owner.
    Eavesdroppers on the communication line between the user and the remote file system.
    Superusers of the file system server.
    For legitimate users, there is almost no difference between accessing confidential files and accessing ordinary files.