System Security C HAPTER 20 401 20 SYSTEM SECURITY Most of the time, though, data is not just destroyed. A more common problem is that the data is captured. This could be actual company secrets or system configuration files. It is very im- portant to keep an eye on the system files. It is also a good idea to occasionally search for pro- grams that have suid or sgid capability. It might be wise to search for suid and sgid files when the system is first installed. Then, later searches can be compared to this initial list. suid and sgid Many people talk about suid (set user ID) and sgid (set group ID) without really understand- ing them. The concept behind these powerful, yet dangerous, tools is that a program (not a script) is set so that it is run as the owner or group set for the program, not the person running the program. For example, say you have a program with suid set, and its owner is root. Anyone running the program runs that program with the permissions of the owner instead of his or her own permissions. The passwd command is a good example of this. The file /etc/passwd is writable by root, and readable by everyone. The passwd program has suid turned on. Therefore, anyone can run the passwd program and change their password. Because the program is running as the user root, not the actual user, the /etc/passwd file can be written to. The same concept holds true for sgid. Instead of the program running with the permissions and authority of the group associated with the person calling the program, the program is run with the permissions and authority of the group that is associated with the program. How to Find suid and sgid Files The find command once again comes in handy. With the following command, you can search the entire system looking for programs with their suid or sgid turned on: find / -perm -200 -o -perm -400 -print It is probably best to run the preceding find command when you first load a system, saving its output to a file readable only by root. Future searches can be performed and compared to this “clean” list of suid and sgid files. This will ensure that only the files that are supposed to have these permissions really do. Setting suid and sgid The set user ID and set group ID can be powerful tools for giving users the ability to perform tasks without the other problems that could arise with the user having the actual permissions of that group or user. However, these can be dangerous tools as well. When considering changing the permissions on a file to be either suid or sgid, keep in mind these two things: ■ Use the lowest permissions needed to accomplish the task. ■ Watch for back doors. Using the lowest permissions means not giving a file an suid of root if at all possible. Often, a less privileged person can be configured to do the task. The same goes for sgid. Many times setting the group to the appropriate non-sys group will accomplish the same task while limit- ing other potential problems. Dealing with Others P ART V 402 Back doors come in many forms. A program that allows a shell is a back door. A program that has multiple entrances and exits are back doors. Keep in mind that if a user can run an suid program set to root and the program contains a back door (the user can get out of the program to a prompt without actually exiting the program), then the system keeps the effective user ID as what the program is set to (root), and the user now has root permissions. With that said, how do you set a file to have the effective user be the owner of the file, or the effective group be the group of the file, instead of running as the user ID or the user’s group ID of the person invoking the file? The permissions are added with the chmod command, as follows: chmod u+s file(s) chmod g+s file(s) The first example sets suid for the file(s) listed. The second example sets sgid to the file(s) listed. Remember, suid sets the effective ID of the process to the owner associated with the file, and sgid sets the effective group’s ID of the process to the group associated with the file. These cannot be set on nonexecutables. File and Directory Permissions As stated in the introduction to this chapter, file and directory permissions are the basics for providing security on a system. These, along with the authentication system, provide the basis for all security. Unfortunately, many people do not know what permissions on directories mean, or they assume they mean the same thing they do on files. The following section describes the permissions on files; after that, the permissions on directories are described. Files The permissions for files are split into three different sections: the owner of the file, the group associated with the file, and everyone else (the world). Each section has its own set of file per- missions. These permissions provide the ability to read, write, and execute (or, of course, to deny the same). These permissions are called a file’s filemode. Filemodes are set with the chmod command. There are two ways to specify the permissions of the object. You can use the numeric coding system or the letter coding system. Using the letter coding system, the three sections are re- ferred to as u for user, g for group, and o for other or a for all three. There are three basic types of permissions: r for read, w for write, and x for execute. Combinations of r, w, and x with the three groups provide the permissions for files. In the following example, the owner of the file has read, write, and execute permissions, while everyone else has read access only: shell:/home/dpitts$ ls -l test -rwxr r 1 dpitts users 22 Sep 15 00:49 test The command ls -l tells the computer to give you a long (-l) listing (ls) of the file (test). The resulting line is shown in the second code line, and it tells you a number of things about System Security C HAPTER 20 403 20 SYSTEM SECURITY the file. First, it tells you the permissions. Next, it tells you how many links the file has. It then tells you who owns the file ( dpitts) and what group is associated with the file (users). Follow- ing the ownership section, the date and timestamp for the last time the file was modified is given. Finally, the name of the file is listed ( test). The permissions are actually made up of four sections. The first section is a single character that identifies the type of object that is listed out. Check Table 20.1 to determine what the different options are for this field. Table 20.1. Object type identifier. Character Description - Plain file b Block special file c Character special file d Directory l Symbolic link p Named pipe s Socket Following the file type identifier are the three sets of permissions: rwx (owner), r (group), and r (other). NOTE A small explanation needs to be made as to what read, write, and execute actually mean. For files, a user who has read capability can see the contents of the file, a user who has write capability can write to it, and a user who has execute permission can execute the file. If the file to be executed is a script, then the user must have read and execute permissions to execute the file. If the file is a binary, then just the execute permission is required to execute the file. Directories The permissions on a directory are the same as those used by files: read, write, and execute. The actual permissions, though, mean different things. For a directory, read access pro- vides the ability to list the names of the files in the directory. It does not allow the other at- tributes to be seen (owner, group, size, and so on). Write access provides the ability to alter the directory contents. This means that the user could create and delete files in the directory. Finally, execute access lets the user make the directory the current directory. Dealing with Others P ART V 404 Table 20.2 summarizes the differences between the permissions for a file and those for a direc- tory. Table 20.2. File permissions versus directory permissions. Permission File Directory r View the contents Search the contents w Alter file contents Alter directory contents x Run executable file Make it the current directory Combinations of these permissions also allow certain tasks. For example, I already mentioned that it takes both read and execute permission to execute a script. This is because the shell must first read the file to see what to do with it. (Remember that #! /local/bin/perl tells it to ex- ecute the /local/bin/perl executable, passing the rest of the file to the executable.) There are other combinations that allow certain functionality. Table 20.3 describes the different combi- nations of permissions and what they mean, both for a file and for a directory. Table 20.3. Comparison of file and directory permission combinations. Permission File Directory Cannot do anything with it. Cannot access it or any of its subdirectories. r Can see the contents. Can see the contents. rw- Can see and alter the contents. Can see and alter the contents. rwx Can see and change the contents, Can list the contents, add or as well as execute the file. remove files, and make the direc- tory the current directory ( cd to it). r-x If a script, can execute it. Provides ability to change to Otherwise, provides read and directory and list contents, but execute permission. cannot delete or add files to directory. x Can execute if a binary. User can execute a binary that he or she already knows about. As stated, the permissions can also be manipulated with a numeric coding system. The basic concept is the same as the letter coding system. As a matter of fact, the permissions look exactly alike. The difference is the way the permissions are identified. The numeric system uses binary System Security C HAPTER 20 405 20 SYSTEM SECURITY counting to determine a value for each permission and sets them. Also, the find command can accept the permissions as an argument using the -perm option. In that case, the permissions must be given in their numeric form. With binary, you count from the right to the left. Therefore, if you look at a file, you can easily come up with its numeric coding system value. The following file has full permissions for the owner and read permissions for the group and the world: shell:/home/dpitts$ ls -la test -rwxr r 1 dpitts users 22 Sep 15 00:49 test This would be coded as 744. Table 20.4 explains how this number was achieved. Table 20.4. Numeric permissions. Permission Value Read 4 Write 2 Execute 1 Permissions use an additive process. Therefore, a person with read, write, and execute permis- sions to a file would have a 7 (4+2+1). Read and execute would have a value of 5. Remember, there are three sets of values, so each section would have its own value. Table 20.5 shows both the numeric system and the character system for the permissions. Table 20.5. Comparison of numeric and character permissions. Permission Numeric Character Read-only 4 r Write-only 2 -w- Execute-only 1 x Read and write 6 rw- Read and execute 5 r-x Read, write, and execute 7 rwx Permissions can be changed using the chmod command. With the numeric system, the chmod command must be given the value for all three fields. Therefore, to change a file to read, write, and execute by everyone, the following command would be issued: $ chmod 777 <filename> Dealing with Others P ART V 406 To perform the same task with the character system, the following command would be issued: $ chmod a+rwx <filename> Of course, more than one type of permission can be specified at one time. The following com- mand adds write access for the owner of the file, and adds read and execute access to the group and everyone else: $ chmod u+w,og+rx <filename> The advantage that the character system provides is that you do not have to know what the previous permissions are. You can selectively add or remove permissions without worrying about the rest. With the numeric system, each section of users must always be specified. The down- side of the character system is when complex changes are being made. Looking at the preced- ing example ( chmod u+w,og+rx <filename>), it might have been easier to use the numeric system and replace all those letters with three numbers: 755. How suid and sgid Fit into This Picture The special-purpose access modes suid and sgid add an extra character to the picture. Before looking at what a file looks like with the different special access modes, check Table 20.6 for the identifying characters for each of the modes and a reminder as to what they mean. Table 20.6. Special-purpose access modes. Code Name Meaning s suid Sets process user ID on execution s sgid Sets process group ID on execution suid and sgid are used on executables. Therefore, the code is placed where the code for the executable would normally go. The following file has suid set: $ ls -la test -rwsr r 1 dpitts users 22 Sep 15 00:49 test The difference between the suid being set and the sgid being set is the placement of the code. The same file with sgid active would look like this: $ ls -la test -rwxr-sr 1 dpitts users 22 Sep 15 00:49 test To set the suid with the character system, the following command would be executed: $ chmod u+s <filename> To set the sgid with the character system, the following command would be executed: $ chmod g+s <filename> System Security C HAPTER 20 407 20 SYSTEM SECURITY To set the suid and the sgid using the numeric system, use these two commands: $ chmod 2### <filename> $ chmod 4### <filename> In both instances, the ### is replaced with the rest of the values for the permissions. The addi- tive process is used to combine permissions; therefore, the following command would add suid and sgid to a file: $ chmod 6### <filename> NOTE A sticky bit is set using chmod 1### <filename>. If a sticky bit is set, the executable is kept in memory after it has finished executing. The display for a sticky bit is a t, placed in the last field of the permissions. Therefore, a file that has been set to 7777 would have the following permissions: -rwsrwsrwt. The Default Mode for a File or Directory The default mode for a file or directory is set with the umask. The umask uses the numeric system to define its value. To set the umask, you must first determine the value that you want the files to have. For example, a common file permission set is 644. The owner has read and write per- mission, and the rest of the world has read permission. After the value is determined, then it is subtracted from 777. Keeping the same example of 644, the value would be 133. This value is the umask value. Typically, this value is placed in a system file that is read when a user first logs on. After the value is set, all files created will set their permissions automatically using this value. Passwords—A Second Look The system stores the user’s encrypted password in the /etc/passwd file. If the system is using a shadow password system, the value placed in this field will be x. A value of * blocks login access to the account, as * is not a valid character for an encrypted field. This field should never be edited (after it is set up) by hand, but a program such as passwd should be used so that proper encryption takes place. If this field is changed by hand, the old password is no longer valid and, more than likely, will have to be changed by root. NOTE If the system is using a shadow password system, a separate file exists called /etc/shadow that contains passwords (encrypted, of course). Dealing with Others P ART V 408 A password is a secret set of characters set up by the user that is known only by the user. The system asks for the password, compares what is inputted to the known password, and, if there is a match, confirms that the user is who she says she is and lets her access the system. It cannot be said enough—do not write down your password! A person who has a user’s name and pass- word is, from the system’s perspective, that user, with all the rights and privileges thereof. Related WWW Sites Table 20.7 shows the more standard locations to find some of the tools discussed in this chap- ter. Other Web sites have these tools as well, but these were chosen because they will probably still be around when this book is published and you are looking for the information. Table 20.7. WWW sites for tools. Tool Address cops ftp://ftp.cert.org/pub/tools/cops crack ftp://ftp.cert.org/pub/tools/crack deslogin ftp://ftp.uu.net/pub/security/des findsuid.tar.Z ftp://isgate.is/pub/unix/sec8/findsuid.tar.Z finger daemon http://www.prz.tu-berlin.de/~leitner/fingerd.html freestone ftp.soscorp.com/pub/sos/freestone freestone ftp://ftp.cs.columbia.edu/pub/sos/freestone gabriel ftp://ftp.best.com/pub/lat ipfilter http://cheops.anu.edu.au/~avalon/ip-filter.html ipfirewall ftp://ftp.nebulus.net/pub/bsdi/security kerberos http://www.contrib.andrew.cmu.edu/usr/db74/kerberos.html merlin http://ciac.llnl.gov/ npasswd ftp://wuarchive.wustl.edu/usenet/comp.sources.unix/ volume25/npasswd obvious-pw.tar.Z ftp://isgate.is/pub/unix/sec7/obvious-pw.tar.Z opie ftp://ftp.nrl.navy.mil/pub/security/nrl-opie/ pcheck.tar.Z ftp://isgate.is/pub/unix/sec8/pcheck.tar.Z Plugslot Ltd http://www.var.org/~greg/PCPPSP.html rsaeuro ftp://ftp.ox.ac.uk/pub/crypto/misc/ rscan http://www.umbc.edu/rscan/ satan http://www.fish.com/satan Secure Telnet ftp://idea.sec.dsi.unimi.it/cert-it/stel.tar.gz System Security C HAPTER 20 409 20 SYSTEM SECURITY ssh http://www.cs.hut.fi/ssh/ tcp wrappers ftp://ftp.win.tue.nl/pub/security/ telnet (encrypted) ftp.tu-chemnitz.de/pub/Local/informatik/sec_tel_ftp/ tiger ftp://wuarchive.wustl.edu/packages/security/TAMU/ tis firewall toolkit ftp://ftp.tis.com/pub/firewalls/toolkit/ tripwire ftp://wuarchive.wustl.edu/packages/security/tripwire/ xp-beta ftp://ftp.mri.co.jp/pub/Xp-BETA/ xroute ftp://ftp.x.org/contrib/utilities/ Summary Security is only as good as the users’ willingness to follow the policies. This is, on many systems and in many companies, where the contention comes in. The users just want to get their job done. The administrators want to keep the undesirables out of the system. The corporate management wants to keep the corporate secrets secret. Security is, in many ways, the hardest area to get users to cooperate, but is, in fact, the most important. Users who write down or share passwords, poorly written software, and maliciousness are the biggest security problems. For the administrator in charge of the system, the only advice that can be offered is this: The best user will only follow the policies that you follow. If you have poor security habits, they will be passed along. On the other hand, people generally rise to the minimum level they see exhibited or see as expected. It is the job of the administrator to go beyond the call of duty and gently point out improvements while at the same time fighting the dragons at the back gate trying to get into the system. Tool Address [...]... program by Linux as positional parameters The positional parameters have special names provided by the system The first parameter is stored in a variable called 1 (number 1) and can be accessed by using $1 within the program The second parameter is stored in a variable called 2 and can be accessed by using $2 within the program, and so on It is possible to omit one or more of the higher numbered positional... so with a shell program or shell script A shell program is a series of Linux commands and utilities that have been put into a file using a text editor When you execute a shell program, each command is interpreted and executed by Linux, one after the other You can write shell programs and execute them like any other command under Linux You can also execute other shell programs from within a shell program... Output redirection operator Input redirection operator Command substitution (the backquote or backtick—the key above the Tab key) Output redirection operator (to append to a file) Lists a range of characters Means all characters a through z Means characters a or z Executes the file filename Delimiter between two words < ` >> [ ] [a-z] [a,z] filename Space There are a few special characters that deserve... 06 | 6) echo “Month is June”;; 07 | 7) echo “Month is July”;; 08 | 8) echo “Month is August”;; 09 | 9) echo “Month is September”;; 10) echo “Month is October”;; 11) echo “Month is November”;; 12) echo “Month is December”;; *) echo “Invalid parameter”;; esac It is important that you end the statements under each condition with a double semicolon (;;) If you do not do that, then the statements under the... such as vi, and then execute the file Here is a list of what is contained in a sample file created for this purpose, myenv: alias ll ‘ls –l’ alias dir ‘ls’ alias copy ‘cp’ myenv can be executed in a variety of ways under Linux You can make myenv executable by using the chmod command as follows, and then execute it as you would any other native Linux command: chmod +x myenv This turns on the executable... shell program SHELL PROGRAMMING You must ensure that the first line in your shell program starts with a pound sign (#) The pound sign tells the shell that the line is a comment Following the pound sign, you must have an exclamation point (!), which tells the shell to run the command following the exclamation point and to use the rest of the file as input for that command This is common practice for all... SHELL PROGRAMMING If two strings are not equal in size, the system will pad the shorter string with trailing spaces for comparison That is, if string1 has value of abc and that of string2 is ab, then for comparison purposes, string2 will be padded with trailing spaces—that is, it will have a value of ab 421 422 Dealing with Others PART V else echo “number1 is not less than number2” fi if [ number1... the variable name by a $ (dollar sign) That is, if the variable name is var, you can access the variable by using $var Shell Programming CHAPTER 21 If you want to assign the value of var to the variable lcount, you can do that as follows: Environment lcount=$var pdksh set lcount = $var tcsh and bash Positional Parameters It is possible to write a shell script that takes a number of parameters at the... An example is a function that displays the name of the month or an error message if you pass a month number Here is the example, in pdksh and bash: Displaymonth() { case $1 in 01 | 1) echo “Month is January”;; 02 | 2) echo “Month is February”;; 03 | 3) echo “Month is March”;; 04 | 4) echo “Month is April”;; 05 | 5) echo “Month is May”;; 06 | 6) echo “Month is June”;; 07 | 7) echo “Month is July”;;... learned how to write a shell program Shell programs can be used to write programs that can be used to do simple things such as setting a number of aliases when you log on as well as complicated things such as customizing your shell environment IN THIS PART s Automating Tasks 4 37 s C and C++ Programming s Perl Programming 455 4 87 s tcl and tk Programming s Motif Programming 529 s gawk Programming 499 545 . a sticky bit is a t, placed in the last field of the permissions. Therefore, a file that has been set to 77 77 would have the following permissions: -rwsrwsrwt. The Default Mode for a File or Directory The. it is subtracted from 77 7. Keeping the same example of 644, the value would be 133. This value is the umask value. Typically, this value is placed in a system file that is read when a user. of four sections. The first section is a single character that identifies the type of object that is listed out. Check Table 20.1 to determine what the different options are for this field. Table 20.1.