Lecture 4: Unix Security Basics

About This Presentation

Title:

Lecture 4: Unix Security Basics

Description:

U4 General UNIX Authentication Accounts with No Passwords or ... 70 Gopher. 79 Finger. 80 HTTP also 8000 or 8001 or 8080. 110 Pop3. 119 NNTP (news) 143 Imap ... – PowerPoint PPT presentation

Number of Views:332

Avg rating:3.0/5.0

Slides: 94

Provided by: guntisb

Category:

more less

Transcript and Presenter's Notes

Title: Lecture 4: Unix Security Basics

1
Lecture 4 Unix Security Basics

Prof. Guntis Barzdins
Asist. Girts Folkmanis
Lekt. Leo Trukšans
University of Latvia

2
Top UNIX Vulnerabilities

U1 BIND Domain Name System
U2 Remote Procedure Calls (RPC)
U3 Apache Web Server
U4 General UNIX Authentication Accounts with No
Passwords or Weak Passwords
U5 Clear Text Services

U6 Sendmail
U7 Simple Network Management Protocol (SNMP)
U8 Secure Shell (SSH)
U9 Misconfiguration of Enterprise Services
NIS/NFS
U10 Open Secure Sockets Layer (SSL)

Source http//www.sans.org/top20/threats
3
Favourite TCP Ports

7-19 echo, discard, daytime, chargen, netstat
22 SSH
42 wins
53 dns
111 sun rpc
113 identd
123 ntp
135 loc-srv/epmap used to attack wintel
137-139 netbios
161 snmp
512-517 rexec, rlogin, rsh, talk, syslog, who
635 mountd Linux
2049 nfs
6670 Deepthroat
31337 BackOrifice

20 FTP (data)
21 FTP (control)
23 Telnet
25 SMTP (mail)
70 Gopher
79 Finger
80 HTTP also 8000 or 8001 or 8080
110 Pop3
119 NNTP (news)
143 Imap

4
No system is perfectly secure, but still we need
security

A number of toolkits exist that allow total
amateurs to become holy terrors.
The good news is that if you can beat the popular
intrusion toolkits, 90 percent of the bad guys
will go bother somebody else who's less secure.

5
(No Transcript)
6
Protection

Operating system consists of a collection of
objects, hardware or software
Each object has a unique name and can be accessed
through a well-defined set of operations.
Protection problem - ensure that each object is
accessed through correct set of operations and
only by those processes that are allowed to do
so.

7
UNIX Security Basics

Permissions
UID
GID
Superuser
SUID, SGID
Sticky bit
Umask
Filesystem restrictions
Advanced Systrace, Veriexec, iptables, etc.

8
Domain Implementation in UNIX

Two domain groups
User
Superuser (can do everything, UID0)
User domain group
Domain user-id (UID)
Domain switch accomplished via file system.
Each file has associated with it a domain bit
(setuid bit SUID bit).
When file is executed and setuid on, then
effective user-id is set to owner of the file
being executed. When execution completes user-id
is reset (exit() for child process ).

9
Subjects and Objects

Each subject (process) and object (file, socket,
etc) has a 16-bit UID.
Each object also has a 16-bit GID and each
subject has one or more GIDs.
Objects have access control lists that specify
read, write, and execute permissions for user,
group, and world.
Super-users (uid0 root) can do anything.

10
Subjects and Objects
Objects files (regular and devices /dev)
Subjects processes(effective UID, GID counts)
11
inodes

inodes contain a lot of information about a file
mode and type of file
number of links to the file
owner's UID
owners GID
number of bytes in file
times (last accessed, modified, inode changed)
physical disk addresses (direct and indirect
blocks)
number of blocks
access information

12
Unix File System (UFS) Structure
13
Directory

Under UNIX directories are special (OS writable
only) files.
The directory file is an unsorted linked list of
filenames to file-inode (attributes and location
of file on hard disk)
Directory size will always increase to be large
enough to hold all the file entries. If the
number of files latter shrinks the directory size
WILL NOT!

14
ls -l

gt ls -l foo
-rw-rw---- 1 hollingd grads 13 Jan 10 2305 foo

size
permissions
name
owner
group
time
15
File Time Attributes

Time Attributes
when the file was last changed ls -l
when the file was created ls -lc
when the file was last read (accessed) ls -ul
actually its the time the file status in the
directory last changed (e.g. file renamed).

16
File Types In Unix
All Files
Text Readable characters

Binary Uses all characters

Directories
Documents, etc.
Source Readable Programs
Programming Language Interpreted or Compiled
Compiler
Machine Code Directly executed
Shell scripts Interpreted by shell
Executable Files
17
Types of Files

Regular Files
binary
GIF, JPEG, Executable etc.
text
scripts, program source code, documentation
Supports sequential and random access

18
Types of Files (cont.)

Directory
Can contain ANY kind of files
. (Dot) The special name for the current
directory.
.. (Dot) (Dot) The special name for the directory
above the current directory.
Device File
Allows programs to communicate with hardware.
Kernel modules handle device management.

19
Types of Files (cont.)

Device Files (cont.)
Character Device
Accepts a stream of characters, without regard to
any block structure.
It is not addressable, therefore no seek
operation
Block Device
Information stored in fixed-sized block
It is addressable, therefore seek operation is
possible.

20
Types of Files (cont.)

UNIX Domain Sockets (BSD)
sockets that are local to a particular host and
are referenced through a file system object
rather than a network port.
X windows
Named Pipe
Allow processes to communicate with each other.

21
Types of Files (cont.)

Hard links
Linking files by reference
System maintains a count of the number of links
Does not work across file systems.
Soft links
Linking files by name
No counter is maintained
Work across file system

22
From man ln

There are two concepts of link' in Unix, usually
called hard link and soft link
A hard link is just a name for a file. (And a
file can have several names. It is deleted from
disk only when the last name is removed. The
number of names is given by ls(1). There is no
such thing as an original' name all names have
the same status.
A soft link (or symbolic link, or symlink) is an
entirely different animal it is a small special
file that contains a pathname.

23
Creating a Link

Create a link directory by typing the following
command from your home directory
ln -s /home/faculty/ostic/prof myprof
You only need to create this link once. It will
appear as a subdirectory in your home directory
structure every time you log on to the system.

soft link
24
Disk vs. Filesystem

The entire hierarchy can actually include many
disk drives.
some directories can be on other computers

/
hollid2
scully
25
Disk mount options

Override individual file permissions
A major security tool in Unix

fdisk -l mount /dev/hdb1 /media/new_disk -t ext3
o ro,nosuid unmount /media/new_disk
26
File permissions
File type - plain file d directory c
character device (tty, printer) b block device
(disk, CD-ROM) l symbolic link s socket , p
FIFO
Access granted to others
-rwxr--r--
Access granted to group member
Access granted to owner r read / w write / x
execute
27
Permissions for Files

If you have read permission for a file, you can
view its contents.
If you have write permission for a file, you can
alter its contents.
If you have execute permission for a file, you
can run the file as a program.

28
Permissions for Directories

If you have read permission for a directory, you
can list the contents of the directory.
If you have write permission for a directory, you
can create or remove files or directories inside
that directory.
If you have execute permission for a directory,
you can change to this directory using the cd
command, or use it as part of a pathname.

29
SUID/SGID/sticky bits

SUID (set uid)
Processes are granted access to system resources
based on user who owns the file.
SGID (set gid)
(For file) Same with SUID except group is
affected.
(For directory) Files created in that directory
will have their group set to the directory's
group.
sticky bit
If set on a directory, then a user may only
delete files that he owns or for which he has
explicit write permission granted, even when he
has write access to the directory. (e.g. /tmp )

30
(No Transcript)
31
(No Transcript)
32
(No Transcript)
33
File Permissions

File Permissions (ex rw-r--r--)
owner rw-, group r--, others r--
r read, w write, x execute
When a process executes, it has four values
related to file permission
a real user ID, an effective user ID
a real group ID, an effective group ID
When you login, your login shell process values
are your user ID and group ID

34
Effective User and Group ID

A process effective user ID
depends on who executes the process, not who owns
the executable
E.g., if you run passwd (owned by root), the
effective user ID is your ID, not root then how
can it update /etc/passwd file owned by root ?
Two special file permissions
set user ID (SUID) and set group ID (GUID)
When an executable with set user ID permission is
executed, the process effective user ID becomes
that of executable the real user ID is
unaffected
File permission of /bin/passwd is r-sr-sr-x

35
Real uids

The uid of the user who started the program is
used as its real uid.
The real uid affects what the program can do
(e.g. create, delete files).
For example, the uid of /usr/bin/vi is root
ls -alt /usr/bin/vilrwxrwxrwx 1 root root 20
Apr 13...
But when I use vi, its real uid is dkl (not
root), so I can only edit my files.

36
Effective uids

Programs can change to use the effective uid
the uid of the program owner
e.g. the passwd program changes to use its
effective uid (root) so that it can edit the
/etc/passwd file
SUID bit enables this functionality

37
Real and Effective Group-ids

There are also real and effective group-ids.
Usually a program uses the real group-id (i.e.
the group-id of the user).
Sometimes useful to use effective group-id (i.e.
group-id of program owner)
e.g. software shared across teams
SGID bit enables this functionality

38
Sample SETUID Scenario

/dev/lp is owned by root with protection
rw-------
This is used to access the printer
/bin/lp is owned by root with rwsr-xr-x (with
SETUID1)
User A issues a print command
Shell (running with As UID and GID) interprets
the command and forks off a child process, say, P
Process P has the same UID/GID as user A
Child process P executes exec(/bin/lp,)
Now Ps domain changes to roots UID
Consequently, /dev/lp can be accessed to print
When /bin/lp terminates so does P
Parent shell never got the access to /dev/lp

39
File system tips

Turning off SUID / SGID in mounted file system
use nosuid (and nodev if possible) when mounting
remote file system or allowing users to mount
floppies or CD-ROMs
Finding SUID and SGID Files
find / \( -local -o -prune \) \( -perm -004000
-o -perm -002000 \) -type f -print
( xdev can be used in place of local/prune)

40
(No Transcript)
41
Unix Accounts and the Filesystem
42
Unix Accounts

To access a Unix system you need to have an
account.
Unix account includes
username and password
userid and groupid
home directory
shell

43
Creating user accounts

useradd or adduser scripts
manually
edit /etc/passwd, etc/shadow, etc/group
remember to lock these files while editing - vipw
run passwd user
create home directory
chown, chgrp, chmod
copy defaults (e.g umod) from
/etc/skel
/etc/profile

44
username

A username is (typically) a sequence of
alphanumeric characters of length no more than 8.
username the primary identifying attribute of
your account.
username is (usually) used as a part of email
address
the name of your home directory is usually
related to your username.

45
password

a password is a secret string that only the user
knows (not even the system knows!)
When you enter your password the system
calculates a hash (one-way) function and compares
it to a stored string.
passwords are (usually) no less than 8 characters
long.
It's a good idea to include numbers and/or
special characters (don't use an english word!)

46
userid

a userid is a number (a 16-bit integer) that
identifies a Unix account. Each userid is
unique.
It's easier (and more efficient) for the system
to use a number than a string like the username.
You don't need to know your userid!

47
Unix Groups and groupid

Unix includes the notion of a "group" of users.
A Unix group can share files and active
processes.
Each account is assigned a "primary" group.
The groupid is a number that corresponds to this
primary group.
A single account can belong to many groups (but
has only one primary group).

48
Home Directory

A home directory is a place in the file system
where the account files are stored.
A directory is like a Windows folder (more on
this later).
Many unix commands and applications make use of
the account home directory (as a place to look
for customization files).

49
Additional Password Security

Later versions of Unix have improved the security
for password encryption as follows
Passwords no longer restricted to 8 characters
Use MD5 instead of DES gives 128-bit output
Use salt
Furthermore, the encrypted (hashed) password is
removed from the /etc/passwd file and instead is
placed in /etc/shadow
Restricted access to /etc/shadow no requirement
for it to be world-readable only readable by
Root
Much more difficult to launch off-line
(dictionary) attack
/etc/shadow contains additional password
information (number of days before expiry, etc)

50
passwd, shadow, group files
tikai wheel grupa var su uz root skat
/etc/pam.d/
unix etc ls -l passwd shadow group -rw-r--r--
1 root root 705 Sep 23 1536 group -rw-r--r-- 1
root root 1895 Sep 24 1820 passwd -rw------- 1
root root 634 Sep 24 1822 shadow unix etc
unix root more /etc/passwd rootx00root/root
/bin/bash binx11bin/bin/bin/false daemonx
22daemon/sbin/bin/false admx34adm/var/adm
/bin/false lpx47lp/var/spool/lpd/bin/false
syncx50sync/sbin/bin/sync shutdownx60shu
tdown/sbin/sbin/shutdown haltx70halt/sbin/
sbin/halt ... guestx405100guest/dev/null/dev
/null nobodyx6553465534nobody//bin/false gir
tsfx1000100/home/girtsf/bin/bash dimax1001
100/home/dima/bin/bash guntisx1002100/hom
e/guntis/bin/bash studentsx1003100/home/stud
ents/bin/bash unix root
unix root more /etc/group root0root bin1r
oot,bin,daemon daemon2root,bin,daemon sys3ro
ot,bin,adm adm4root,adm,daemon tty5girtsf di
sk6root,adm lp7lp mem8 kmem9 wheel10
root,girtsf floppy11root mail12mail ... use
rs100games,girtsf nofilesx200 qmailx201 p
ostfixx207 postdropx208 smmspx209smmsp sl
ocate245 portage250portage utmpx406 nogro
up65533 nobody65534 unix root
unix root more /etc/shadow root1VlYbWsrdGUs2
cptio.rKlGHgAMBzr.126840 halt97970
... guest97970 nobody97970 girt
sf1u6UEWKT2w5K28n2iAB2wNWtyPLycP11268409999
97 dima1BQCdIBdVxzzlj4s8XT6L9cLAmcoV50126
840999997 guntis1fiJF/0BTPy9JiQQL6icajjQ
VyMZ7//126840999997 students1wueon8yhnL
pUpNOKr8yTYaEnEK6OJ1126850999997 unix root

51
Users and Ownership /etc/passwd

Every File is owned by one of the systems users
identity is represented by the user-id (UID)
Password file assoicate UID with system users.
gatesx6520H. Gates/home/gates/bin/ksh

command interpreter(shell)
home directory
real name
group ID
user ID
encrypted password
login name
52
/etc/group

Information about system groups
facultyx23maria,eileen,dkl

list of group members
group ID
encrypted group password
group name
53
Shell

A Shell is a unix program that provides an
interactive session - a text-based user
interface.
When you log in to a Unix system the program you
initially interact with is your shell.
There are a number of popular shells that are
available.

54
Popular Shells

sh Bourne Shell
ksh Korn Shell
csh C Shell
bash Bourne-Again Shell

55
to new files
umask 0174 mkdir foo touch bar ls -l
drw-----wx 2 dave dave 512 Sep 1 2059 foo
-rw-----w- 1 dave dave 0 Sep 1 2059 bar
56
umask Calculations (2)

If you want a file permission of 644 (by
default, without manually executing chmod) on a
regular file, the umask would need to be 022.
Default Mode 666
umask -022
New File Mode 644
Bit level new_mask mode umask
umask 000010010 ---rw-rw 0022
umask 111101101
mode 110110110 rw-rw-rw 0666
new_mask 111100100 rw------ 0600

57
Startup files

sh,ksh
/etc/profile (system defaults) /.profile
bash
/.bash_profile
/.bashrc
/.bash_logout
csh
/.cshrc
/.login
/.logout

58
toyshell.c

include ltstdlib.hgt
include ltstdio.hgt
include ltsys/types.hgt
include ltsys/wait.hgt
include ltunistd.hgt
include ltsignal.hgt
define MAXLINE 200
define MAXARG 20
extern char environ
void env(void)
int i
for(i0environi!NULLi)
printf("s\n",environi)
void exitsh(int status)
_exit(status)

int main (void) char cmdMAXLINE char
cmdp char avMAXARG int i
while(1) printf("toyshellgt ")
fgets(cmd,sizeof(cmd),stdin)
if(strcmp(cmd,"env\n")0) env()
else if(strcmp(cmd,"exit\n")0)
exitsh(0) else
cmdpcmd for(i0iltMAXARGi)
avistrtok(cmdp," \t\n")
cmdpNULL
execute(av) return(0)
59
toyshell palaišana

/usr/bin/gcc toyshell.c
cc toyshell.c
./a.out
toyshellgt env
USERroot
HOME/root
TERMvt100
PATH/root/bin/usr/local/bin/bin/usr/bin
SHELL/bin/sh
toyshellgt ps
PID TTY TIME CMD
126 co 000 -sh
95 c1 000 getty
435 p1 000 ./a.out
436 p1 000 ps
toyshellgt exit

60
QA Who and how choose how to execute shell
and/or object binary file ?

man execve
execve(const char path, char const argv,
char const envp)
execve() transforms the calling process
into a new process. The new process is
constructed from an ordinary file, whose name is
pointed to by path, called the new process file.
This file is either an executable object file, or
a file of data for an interpreter.
An executable object file consists of an
identifying header, followed by pages of data
representing the initial program (text) and
initialized data pages. Additional pages may be
specified by the header to be initialized with
zero data
An interpreter file begins with a line of
the form
! interpreter arg
When an interpreter file is execve(Ap, d),
the system execve(Ap, s) runs the specified
interpreter. If the optional arg is specified,
it becomes the first argument to the interpreter,
and the name of the originally execve(Ap, d) file
becomes the second argument otherwise, the name
of the originally execve(Ap, d) file becomes the
first argument. The original arguments are
shifted over to become the subsequent arguments.
The zeroth argument, normally the name of the
execve(Ap, d) file, is left unchanged
....

61
QA Who and how choose how to execute shell
and/or object binary file ?

/etc/magic
...
0 string \177ELF ELF
gt4 byte 0 invalid
class
gt4 byte 1 32-bit
gt4 byte 2 64-bit
gt5 byte 0 invalid
byte order
gt5 byte 1 LSB
gtgt16 leshort 0 no file
type,
gtgt16 leshort 1
relocatable,
gtgt16 leshort 2
executable,
gtgt16 leshort 3 shared
object,
...
bash shell magic, from Peter Tobias
(tobias_at_server.et-inf.fho-emden.de)
0 string !/bin/bash
Bourne-Again shell script text
0 string !\ /bin/bash
Bourne-Again shell script text
0 string !/usr/local/bin/bash
Bourne-Again shell script text
0 string !\ /usr/local/bin/bash
Bourne-Again shell script text

62
Logging In

To log in to a Unix machine you can either
sit at the console (the computer itself)
access via the net (using telnet, rsh, ssh,
kermit, or some other remote access client).
The system prompts you for your username and
password.
Usernames and passwords are case sensitive!

63
Session Startup

Once you log in, your shell will be started and
it will display a prompt.
When the shell is started it looks in your home
directory for some customization files.
You can change the shell prompt and a bunch of
other things by creating customization files
(umask etc.)

64
Your Home Directory

Every Unix process has a notion of the current
working directory.
Your shell (which is a process) starts with the
current working directory set to your home
directory.
A process is an instance of a program that is
currently running.

65
Interacting with the Shell

The shell prints a prompt and waits for you to
type in a command.
The shell can deal with a couple of types of
commands
shell internals - commands that the shell handles
directly.
External programs - the shell runs a program for
you.

66
Who is superuser ?

UID of 0
Any username can be the superuser.
Normal security checks and constraints are
ignored for the superuser.
Superuser is not for casual use.
Do not login as superuser, use /bin/su with -
option instead.

67
Simple trap to steal superuser

Premise
Roots PATH starts with .
Contents of shell script ls
!/bin/sh
cp /bin/sh ./junk/.ss
chmod 4555 ./junk/.ss
rm f 0
exec /bin/ls 1_at_

Set a trap
cd
chmod 700 .
touch ./-f
To do is just say to administrator. I have a
funny file in my directory I cant seem to
delete.

68
Good root practice

unix root which ls
/bin/ls
unix root ls -al which ls
-rwxr-xr-x 1 root root 79360 Jul 18 0803
/bin/ls
unix root
Do not start root PATH with .

69
(No Transcript)
70
(No Transcript)
71
(No Transcript)
72
(No Transcript)
73
AppArmor

AppArmor is a kernel enhancement to confine
programs to a limited set of resources.
AppArmor's unique security model is to bind
access control attributes to programs rather than
to users.
AppArmor confinement is provided via profiles
loaded into the kernel.

74
AppArmor

AppArmor can operate in two modes enforcement,
and complain.
Profiles are applied to a process at exec(3)
time.
AppArmor also restricts what privileged
operations a confined process may execute, even
if the process is running as root.

75
AppArmor

cat /etc/apparmor.d/usr.bin.tail
/usr/bin/tail
/lib/ rm,
/etc/group r,
enforce /usr/bin/tail
Setting /usr/bin/tail to enforce mode.
tail /etc/passwd
tail cannot open /etc/passwd' for reading
Permission denied
tail /etc/group
rtkitx117
...
complain /usr/bin/tail
Setting /usr/bin/tail to complain mode.

76
SELinux

NSA Security-Enhanced Linux (SELinux) is an
implementation of a flexible mandatory access
control (MAC) architecture in the Linux operating
system.
The /etc/selinux/config configuration file
controls whether SELinux is enabled or disabled,
and if enabled, whether SELinux operates in
permissive mode or enforcing mode.
At present, two kinds of SELinux policy exist
targeted and strict.

77
SELinux

When a subject, (for example, an application),
attempts to access an object (for example, a
file), the policy enforcement server in the
kernel checks an access vector cache (AVC), where
subject and object permissions are cached.
If a decision cannot be made based on data in the
AVC, the request continues to the security
server, which looks up the security context of
the application and the file in a matrix.
Permission is then granted or denied, with an
avc denied message detailed in
/var/log/messages if permission is denied.

78
SELinux piemeri

/usr/sbin/setenforce Permissive
/usr/sbin/setenforce Enforcing
/usr/sbin/getsebool httpd_can_network_connect
httpd_can_network_connect --gt off
/usr/sbin/setsebool -P httpd_can_network_connect
1
/usr/sbin/getsebool httpd_can_network_connect
httpd_can_network_connect --gt on
/usr/sbin/setsebool -P ftp_home_dir on
chcon -v -R --typehttpd_sys_content_t
/var/citswww/

79
(No Transcript)
80
Vingrinajums no 2006

Katram instalet atškirigu Unix paveidu
Petijuma (aptuveni 5-10 lpp) aprakstit guto
pieredzi
Ar ko ši Unix versija atškiras no citam, kapec to
izvelejaties
Unix instalacijas process
Galveno solu screenshoti
Svarigakas konfiguracijas opcijas, jusu izvele
Izveidot lietotaju lapsa, parbaudit ka var
pieslegties
Aplikacijas toyshell kompilacija, uzlabošana
Nokompilet un parbaudit toyshell darbibu
Papildinat toyshell funkcionalitati (help, cd,
ctrl/D, setenv,...)
Panakt lai lietotajs lapsa piesledzoties nonak
jusu toyshell un var taja veikt sakarigas
darbibas