The Clueless Computer User's Guide
Basics #1: Identities and Permissions

"Multi-user system." What does that sound like to you? Obviously, it implies that the computer in question was designed for more than one user. If you think about it a moment longer, it implies having to log in, and having an "account" on the machine. It implies making sure the machine recognizes you as someone who has a right to be there.

But most of my readers know that I am aiming at the desktop user of a computer not shared with others. That misses the point. There is a special power in the multi-user system -- the power to protect.

We've all heard countless times of someone "hacking" -- or more accurately, "cracking" -- into a commercial computer system and taking over control of it. We get the impression of secret knowledge of how to make the system obey. They go on the Internet and send secret messages to these commercial systems until they find a way to take control. If they have physical access to the system, or some part of it, it's even easier. Most folks who have used ordinary home PCs might think, "Hey, that's easy. Just turn it on and start clicking the mouse and typing stuff."

On a commercial system, it's not that simple. Those systems are designed for multiple users, and many people will have accounts, and have to log on and so forth. The various users will have differing levels of power over the system. Some can read mail and not much else. Others can use powerful software to play with information databases and such. One, or perhaps two, will have special permission to do anything they want. These last are usually the "Systems Admin," the "IT worker," or something similar.

On your home PC, chances are if you bought it with the system installed and working, you have that special power. You can install what you want, uninstall, change settings, and so forth. That is, if you know how. If not, you are at the mercy of any program that knows how to install itself. That's how people get viruses and other bad things on their computers.

As the only user, you have the power to run any program you like. You are your own Systems Admin. And any program you run has your power, your permission, to make drastic changes in your system, whether you understand them or not. Even if you have a modern home PC with the latest Windows XP operating system, you still normally run as the "Super User" -- the one with all the power. You might give your kids an account, and log out so that they have to log in, and use it with less power. You will if you are smart. That way, they can't download something that appeals to them and ruin your system, because it happens to have a virus in it, or something equally bad.

What if you, as the Super User, download and open your mail? If you open an attachment, it has your power to run, if it's a program. By now, I hope you've heard enough times not to open attachments to your email. Well, there are plenty of viruses that don't wait for you to open them. As soon as they are on your system, they take control. This is especially true if you use the bundled email client.

Or if you are surfing the Net, and stop at some new website you've never heard of, you can pick up viruses that way, too. Some programs are written to assume you have said "OK" and do their thing. So if you are the Super User, they have your power to completely change the system, to wipe your hard drive, and so forth. Again, this is especially true if you use the bundled web browser.

Maybe it's not such a good idea to run as Super User. So you give yourself an account, and use it for the most part, so that all you can mess up is your personal stuff, not the whole machine. Good for you!

The problem is, you are probably running a system that is still wide open to viruses and crackers. That's because the whole thing is built in such a way that it's convenient. Convenient is not bothering to lock your doors when you leave the house, or it's driving through a high-crime neighborhood because it's shorter, or it's leaving the keys in your car so you'll always know where to find them. Your store-bought home PC is just that wide open, by design. You don't have to know any special tricks; you just turn it on and use it. So any program you, as your less-powerful user, run on that system still accesses the very heart of your computer system, in a way that is terribly insecure. Even partially fixing this is a tangle of obscure settings, normally left insecure by default.

So any user that your computer recognizes can still destroy it. That's because the files all have permissions built into them. Those permissions allow just about any user with a proper identity to run with almost as much power as the Super User, and sometimes equal power. So why did they bother to make it seem like a genuine multi-user system? Convenience. And maybe -- just maybe -- to deceive you and give a false sense of security. That way, you won't worry about it; you'll just use the system and all the stuff they sell extra to go with it.

What a tough job it would be trying to go through your entire system changing permissions so that it was more secure! And then the system might not work, because the whole thing was designed to be convenient, not secure. That is, even if you knew what you were doing changing permissions.

The more you learn about computer security and protecting from viruses and crackers, the more you realize that what comes installed on most computers -- Windows -- is wide open to attack, and always will be. Open Source computer systems are designed from the start with security in mind. If you give yourself a user account, you know that you can get all your normal work done, but you cannot destroy the system. The permissions on files are far more complex, yes, but that's because complexity is what works. Convenience is an invitation to disaster in today's world.

PERMISSIONS

On Open Source systems, everything is a file. Memorize that. Even your mouse and keyboard are treated as files. That way, the system can control who does what. Initially, the whole system is owned by the Super User, called "root" -- get used to that term. Root can do anything with anything on the system. Somebody has to have the final say, and root is it.

There are other users on the system that are actually part of the system itself. We give them various nicknames based on what they do. Finally, there are ordinary users. You will be required to give yourself a user account so that you protect the system from dumb mistakes. A simple typo can destroy the whole thing.

There are also groups on the system. A part of every user's identity is the list of groups to which they belong. It allows for a complex and powerful structure for controlling who gets to do what. Since complicated permission schemes are not really a concern for the stand-alone home system, it's more important to note that you will have to make sure your user account has membership in all the right groups. On some Open Source systems, that's pretty much automatic when you install the system. On others, you have to do it manually.

If you create a file, you own that file. You are the owner. You can decide who gets to see that file, and who gets to write in that file. If your file can do work (a program or a script) you can decide who gets to make it work. Some files are nobody else's business, and you should lock them up. Only root can still read, write and use everything on the computer, no matter who owns a file or what permissions they set on it.

These permissions really work. Consider this: while you are online surfing the Net, it's possible for someone on another computer to try and talk directly to your machine without you knowing it. It's very difficult on a true multi-user system, because they don't have an account, and the computer knows they are working from outside. You may have set things up to prevent that, like a firewall, but let's say they discover a way to do it. At first, they have only your power, as a regular user, because you own the connection. What can they destroy? Your personal files in your personal part of the system. None of the rest of the computer is disturbed. They have whatever permissions you have, and no more.
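As an added example, not part of Ed Hurst's guide, the shell script below puts the two passages above into practice: it creates a throw-away file, walks it through the settings described (locked to the owner, shared read-only, runnable only by the owner, frozen for everyone), asks the system what the current account may do with the file after each change, and lists the group memberships that are part of that account's identity. The file name and its text are constructed for the demo; only POSIX tools (chmod, ls, test, id) are used.

```shell
#!/bin/sh
# Added example, not part of the original guide: shows the owner/group/other
# permission bits on a throw-away file using only POSIX tools (chmod, ls,
# test, id). File names and contents below are constructed for the demo.
set -e

WORK=$(mktemp -d)              # scratch directory for the demo
trap 'rm -rf "$WORK"' EXIT     # clean it up when the script exits
SAMPLE="$WORK/notes.txt"       # constructed sample file
printf 'constructed sample text\n' > "$SAMPLE"

# mode_of FILE: the ten-character mode column of "ls -l", e.g. -rw-------
# (file type, then rwx for the owner, the group, and everyone else).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# lock_private FILE: owner may read and write; group and others get nothing.
# This is the "nobody else's business" setting from the guide.
lock_private() {
    chmod 600 "$1"
    mode_of "$1"
}

# share_readonly FILE: everyone may read, only the owner may write.
share_readonly() {
    chmod 644 "$1"
    mode_of "$1"
}

# make_private_script FILE: the owner may read, write and run it;
# nobody else may even look at it.
make_private_script() {
    chmod 700 "$1"
    mode_of "$1"
}

# freeze FILE: read-only for everyone, including the owner.
freeze() {
    chmod 444 "$1"
    mode_of "$1"
}

# can_read / can_write / can_run FILE: what the current account may do.
# The system checks the bits against the identity that asks; root passes
# every check no matter what the bits say, which is why the guide says
# not to do everyday work as root.
can_read()  { if [ -r "$1" ]; then echo yes; else echo no; fi; }
can_write() { if [ -w "$1" ]; then echo yes; else echo no; fi; }
can_run()   { if [ -x "$1" ]; then echo yes; else echo no; fi; }

# my_groups: the group memberships that are part of this account's identity.
my_groups() {
    id -Gn
}

# Walk through the settings and report what the current user may do.
for setting in lock_private share_readonly make_private_script freeze; do
    mode=$("$setting" "$SAMPLE")
    printf '%-20s %s  read=%s write=%s run=%s\n' "$setting" "$mode" \
        "$(can_read "$SAMPLE")" "$(can_write "$SAMPLE")" "$(can_run "$SAMPLE")"
done
printf 'account %s belongs to groups: %s\n' "$(id -un)" "$(my_groups)"
```

Run it from an ordinary account. After `freeze`, the write check reports `no` even though you own the file: the bits decide, not the owner's wishes, and anyone who gets in with only your identity is bound by the same bits. Run as root, every check reports `yes`, which is the whole point of the guide's advice to keep root for administration only.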

It's just vaguely possible they could crack the root account, and get root's power, but that has become extremely difficult these days. Open Source systems are designed from the start to be very difficult to break into, because the permissions really work. Without getting the password for root, they are unlikely to do much. Trashing your personal files might be a hassle, or even ruin your job if you have no backups, but it can't ruin your system. Most crackers and virus writers aren't interested in personal files, anyway.

It's very difficult to write viruses that really work in Linux, and even more difficult if you are running some kind of Unix. If you use a dialup connection, and run a firewall, your system is almost impossible to crack from the outside. You will lose the convenience of being able to do all the nifty things with regular home PCs, especially on the Internet. In exchange for a little inconvenience, and at the cost of learning more about your computer, you gain security that is as good as it gets.

Ed Hurst
17 October 2003; updated 02 March 2004

COPYRIGHT NOTICE: People of honor need no copyright laws; they are only too happy to give credit where credit is due. Others will ignore copyright laws whenever they please. If you are of the latter, please note what Moses said about dishonorable behavior -- "be sure your sin will find you out" (Numbers 32:23)