Table of Contents
SliTaz and System Security
Security Policy
SliTaz has given a lot of consideration to system security. Applications are tested for many months before being included in the distribution. At boot time, a minimum of services are launched by the rc scripts. For a complete lists of daemons enabled, you can look at the RUN_DAEMONS variable in the /etc/rcS.conf configuration file:
$ cat /etc/rcS.conf | grep RUN_DAEMONS
To view the actual processes, their PID and memory usage, you can use the 'ps' command or the 'htop' utility:
$ ps $ htop
Root - The system administrator
In a GNU/Linux system, the root user is the system administrator. root has all the rights to the system files and that of the users. It is advisable never to log in as root by using the command su followed by the password to obtain absolute rights over the system. Never log in as root and surf the internet for example. This allows you to create a double barrier in the case of an attack or intrusion after a download and makes it harder for a cracker to take control of your machine - first he must crack your password and then crack the root password of the system administrator.
A GNU/Linux system has secured at least two users, one to work and another to administer, configure or update the system (root). It's also advisable to entrust the administration of the system to a person.
Passwords
By default the SliTaz user tux doesn't have a password and the system administrator root comes with the password (root). You can easily change these by using the passwd command:
$ passwd # passwd
Busybox
The file busybox.conf configures the applets and their respective rights. On the SliTaz LiveCD the commands: su, passwd, loadkmap, mount, reboot and halt can be initiated by all users - the owner and group of these commands is root (* = ssx root.root). The busybox.conf file is readable by root, using the rights 600. Note that the passwd command will not allow users to change their own password if it is not ssx.
LightTPD web server
On SliTaz the LightTPD web server is enabled by default at system startup, if you don't intend to use SliTaz in a server environment, you can safely disable it by removing it from the RUN_DAEMONS variable in the /etc/rcS.conf configuration file or to stop it manually:
# /etc/init.d/lighttpd stop
SSH Server
This small section is a compliment to the Secure SHell (SSH) page. On SliTaz the Dropbear SSH server is not run by default, we must add it to the variable RUN_DAEMONS in the configuration file /etc/rcS.conf for it to be enabled at system boot. Or to start the server manually:
# /etc/init.d/dropbear start
By default, Dropbear is launched with the following options:
-w Disallow root logins. -g Disallow logins for root password.
You can add new options by editing the daemons configuration file: /etc/daemons.conf. For all options, you can type: dropbear -h.
Pscan - Ports scanner
Pscan is a small utility of the Busybox project that scans the ports of your machine. You can use pscan to scan the localhost or a remote host using the name or IP address of the machine. Pscan will test all the ports from 1 - 1024 by default and list those that are open, their protocol and associated service (ssh, www, etc):
$ pscan localhost