
This section highlights various security items from Fedora.
== Security Enhancements ==
Fedora continues to improve its many proactive security features.
[[Category:Docs Project]]
[[Category:Draft documentation]]
[[Category:Documentation beats]]
=== Support for SHA-256 and SHA-512 passwords ===
The <code>glibc</code> package in Fedora 8 had support for passwords using SHA-256 and SHA-512 hashing.  Previously, only DES and MD5 were available.  The related password-handling tools have been extended in Fedora 9, so password hashing using the SHA-256 and SHA-512 hash functions is now supported throughout.
To switch to SHA-256 or SHA-512 on an installed system, use <code>authconfig --passalgo=sha256 --update</code> or <code>authconfig --passalgo=sha512 --update</code>.  Alternatively, use the <code>authconfig-gtk</code> GUI tool to configure the hashing method.  Existing user accounts will not be affected until their passwords are changed.
SHA-512 is used by default on newly installed systems.  Other algorithms can be configured only for kickstart installations, by using the <code>--passalgo</code> or <code>--enablemd5</code> options for the kickstart <code>auth</code> command. If your installation does not use kickstart, use <code>authconfig</code> as described above, and then change the root user password, and passwords for other users created after installation.
New options now appear in <code>libuser</code>, <code>pam</code>, and <code>shadow-utils</code> to support these password hashing algorithms.  Running <code>authconfig</code> configures all these options automatically, so it is not necessary to modify them manually.
* New values for the <code>crypt_style</code> option, and the new options <code>hash_rounds_min</code> and <code>hash_rounds_max</code>, are now supported in the <code>[defaults]</code> section of <code>/etc/libuser.conf</code>. Refer to the <code>libuser.conf(5)</code> man page for details.
* New options, <code>sha256</code>, <code>sha512</code>, and <code>rounds</code>, are now supported by the <code>pam_unix</code> PAM module. Refer to the <code>pam_unix(8)</code> man page for details.
* New options, <code>ENCRYPT_METHOD</code>, <code>SHA_CRYPT_MIN_ROUNDS</code>, and <code>SHA_CRYPT_MAX_ROUNDS</code>, are now supported in <code>/etc/login.defs</code>. Refer to the <code>login.defs(5)</code> man page for details. Corresponding options were added to <code>chpasswd(8)</code> and <code>newusers(8)</code>.
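Because existing accounts keep their old hash until the next password change, an administrator who has run <code>authconfig --passalgo=sha512 --update</code> usually wants to know which accounts are still on DES or MD5, and whether any SHA-crypt hash uses fewer rounds than <code>SHA_CRYPT_MIN_ROUNDS</code> in <code>/etc/login.defs</code>. The following Python script is an added example, not code from the Fedora project; it parses constructed shadow-style records and a constructed <code>login.defs</code> excerpt, and it assumes the standard <code>crypt(3)</code> prefixes (<code>$1$</code> MD5, <code>$5$</code> SHA-256, <code>$6$</code> SHA-512, no <code>$</code> for DES) and glibc's default of 5000 rounds when no <code>rounds=</code> field is present.

```python
import re

# glibc's default work factor for $5$/$6$ hashes when no rounds= field is
# present (assumption from crypt(5)); SHA_CRYPT_MIN_ROUNDS overrides it below.
DEFAULT_ROUNDS = 5000

_ROUNDS_RE = re.compile(r"^rounds=(\d+)$")
_SCHEME_BY_ID = {"1": "md5", "5": "sha256", "6": "sha512"}


def classify_hash(field):
    """Return (scheme, rounds) for one password field of a shadow record.

    scheme is 'sha512', 'sha256', 'md5', 'des', 'locked', 'empty' or
    'unknown'; rounds is None for schemes that carry no work factor.
    """
    if field == "":
        return "empty", None
    if field.startswith(("!", "*")):
        return "locked", None
    if not field.startswith("$"):
        # Traditional DES crypt: 2-character salt + 11 hash characters, no '$'.
        return "des", None
    # '$6$rounds=N$salt$hash' -> ['', '6', 'rounds=N', 'salt', 'hash']
    parts = field.split("$")
    scheme = _SCHEME_BY_ID.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
    if scheme in ("sha256", "sha512"):
        match = _ROUNDS_RE.match(parts[2])
        return scheme, (int(match.group(1)) if match else DEFAULT_ROUNDS)
    return scheme, None


def parse_login_defs(text):
    """Extract the password-hashing keys from login.defs-style text."""
    wanted = {"ENCRYPT_METHOD", "SHA_CRYPT_MIN_ROUNDS", "SHA_CRYPT_MAX_ROUNDS"}
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        pieces = line.split(None, 1)
        if len(pieces) == 2 and pieces[0] in wanted:
            settings[pieces[0]] = pieces[1]
    return settings


def audit_shadow(lines, defs=None):
    """Return [(user, scheme, rounds, reason)] for accounts whose stored hash
    does not yet match the configured algorithm or minimum work factor."""
    defs = defs or {}
    min_rounds = int(defs.get("SHA_CRYPT_MIN_ROUNDS", DEFAULT_ROUNDS))
    target = defs.get("ENCRYPT_METHOD", "SHA512").lower()
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw = line.split(":", 2)[:2]
        scheme, rounds = classify_hash(pw)
        if scheme in ("des", "md5"):
            findings.append((user, scheme, rounds,
                             "legacy %s hash; migrates only on next password change" % scheme.upper()))
        elif scheme == "empty":
            findings.append((user, scheme, rounds, "empty password field"))
        elif scheme == "unknown":
            findings.append((user, scheme, rounds, "unrecognised hash format"))
        elif scheme == "locked":
            continue                                # nothing to migrate
        elif scheme != target:
            findings.append((user, scheme, rounds,
                             "hash is %s but ENCRYPT_METHOD is %s" % (scheme, target.upper())))
        elif rounds < min_rounds:
            findings.append((user, scheme, rounds,
                             "rounds below SHA_CRYPT_MIN_ROUNDS=%d" % min_rounds))
    return findings


# Constructed sample records; the hash bodies are synthetic placeholders.
SAMPLE_SHADOW = [
    "root:$6$rounds=10000$Ab3dEfGh$" + "Q" * 86 + ":17000:0:99999:7:::",
    "alice:$6$Zy9XwV8u$" + "a" * 86 + ":17000:0:99999:7:::",      # implicit 5000 rounds
    "bob:$1$c0ffee$" + "b" * 22 + ":14000:0:99999:7:::",          # MD5, set before the switch
    "carol:abJnggxhB/yWI:13000:0:99999:7:::",                      # DES
    "daemon:*:17000:0:99999:7:::",
    "dave:!!:17000:0:99999:7:::",                                  # locked
    "eve::17000:0:99999:7:::",                                     # empty field
    "frank:$5$rounds=1000$s4lt$" + "c" * 43 + ":17000:0:99999:7:::",
]

# Constructed excerpt of /etc/login.defs as authconfig would leave it.
SAMPLE_LOGIN_DEFS = """\
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 5000   # default work factor
SHA_CRYPT_MAX_ROUNDS 5000
"""

if __name__ == "__main__":
    for user, scheme, rounds, reason in audit_shadow(SAMPLE_SHADOW, parse_login_defs(SAMPLE_LOGIN_DEFS)):
        print("%-8s %-7s %-6s %s" % (user, scheme, rounds, reason))
```

On a real system the same functions can be fed the lines of <code>/etc/shadow</code> (readable by root only) and the contents of <code>/etc/login.defs</code>; raising <code>SHA_CRYPT_MIN_ROUNDS</code> in the sample makes accounts hashed with the default 5000 rounds show up too, which is the check to run after tightening that setting.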
=== FORTIFY_SOURCE extended to cover more functions ===
[[Security/Features#FORTIFY_SOURCE| FORTIFY_SOURCE]] protection now covers <code>asprintf</code>, <code>dprintf</code>, <code>vasprintf</code>, <code>vdprintf</code>, <code>obstack_printf</code> and <code>obstack_vprintf</code>. This improvement is particularly useful for applications that use the <code>glib2</code> library, as several of its functions use <code>vasprintf</code>.
=== SELinux Enhancements ===
Different roles are now available, to allow finer-grained access control:
* <code>guest_t</code> does not allow running setuid binaries, making network connections, or using a GUI.
* <code>xguest_t</code> disallows network access except for HTTP via a Web browser, and does not allow running setuid binaries.
* <code>user_t</code> is ideal for office users: it prevents becoming root via setuid applications.
* <code>staff_t</code> is the same as <code>user_t</code>, except that root access via <code>sudo</code> is allowed.
* <code>unconfined_t</code> provides full access, the same as when not using SELinux.
In addition, browser plug-ins wrapped with <code>nspluginwrapper</code>, which is the default, now run confined.
=== Default Firewall Behavior ===
In Fedora 9, the default firewall behavior has changed. There are no default ports open, except for SSH (22), which is opened by '''Anaconda'''.
=== General Information ===
A general introduction to the many proactive security features in Fedora, current status, and policies is available at

Latest revision as of 01:33, 20 September 2016


Beat Closed on Wiki
Work on beats has now moved to git at If you have changes or additions, please contact the docs team via #fedora-docs, or with the release-notes BZ component.