Chapter 12. Security Issues

As Linux is a multi user system, you may get some trouble if you decide to install Wine and applications for system wide use.

Example: You gave a friend an account on your Linux system. Now you install Wine and mount your Windows partition to use some applications on it. As you have a Windows game, your friend wants to play too, you mount the partition globally readable, to give him access to that game, too. But did you want your friend and everyone else with access to your linux machine to start your banking software?

I will not tell you anything here about firewalling and other stuff. Please read the HOWTOs about that if your system has access to any other computer or to the Internet. And there are some very good books about security issues on Linux and Unix systems. But I want to give you some hints about things you should be aware of.

If you are the only human user on your system, you may mount your Windows partition accessible only for you. If you do not have your own group, you may create it (Debian Linux has a default to create a unique group for each user). If you have such a group on your own, you may mount dos partition with this entry in your fstab:

Example 12-1. Fstab Entry for Dos Drive

/dev/hda2 /dos msdos defaults,user,noexec,gid=1001,uid=1001,umask=027 0 2

Please change gid (group id) and uid (user id) according too your system!!!

If you want to add other users to your group, and you do not want them to have access to that drive, change the umask to "077".

For additional information read "man fstab" and "man mount".

If you do not have a drive with Windows applications and you want to install some on your Linux system, you may install your personal applications in your home directory as described above and make the directory available only for you (see "man chmod"). It may be a good idea to make the win directory rwx owner and no one else and set the sticky bit on it ("chmod +s ~/win").

In spite of all that, be aware that everyone with root access is able to read, delete, execute and change any file in your home directory!

I should say something about the "device" entries in the configuration files. Adding any "device"-entry means to give raw device access to the drive or directory. It may be useful for formatting floppy disks with dos format or a cd writer, but if you give raw device access to ext2fs formatted drives, they may get damaged.