UNIX Security Basics - sigmanetguntis/unix/unixpermissions.pdf · 2020. 10. 14.

UNIX Security Basics. Operating System UNIX (DatZ6007). Lecturers: prof. Guntis Bārzdiņš, doc. Normunds Grūzītis. Co-authors: Ģirts Folkmanis, Juris Krūmiņš, Kristaps Džonsons, Leo Trukšāns, Artūrs Lavrenovs. University of Latvia


  • UNIX Security Basics

    Operating System UNIX (DatZ6007). Lecturers: prof. Guntis Bārzdiņš, doc. Normunds Grūzītis

    Co-authors: Ģirts Folkmanis, Juris Krūmiņš, Kristaps Džonsons, Leo Trukšāns, Artūrs Lavrenovs

    University of Latvia

  • Protection

    - A mechanism for controlling the access of processes to the resources defined by the computer system
    - A computer system is a collection of:
      - Processes
      - Objects
        - Hardware objects: CPU, memory, disks, printers, etc.
        - Software objects: files, incl. programs, sockets, I/O devices, etc.
    - A process operates within a protection domain
      - The domain specifies resources that the process may access

    http://www.cs.jhu.edu/~yairamir/cs418/os9/sld001.htm

  • Protection

    - Domain is a set of access rights
    - Access rights: the ability to execute an operation on an object

    [Figure: three protection domains D1, D2, D3, each a set of access rights]

    http://www.cs.jhu.edu/~yairamir/cs418/os9/sld001.htm

  • UNIX Security Basics

    - Permissions
    - UID, GID
    - Superuser
    - SUID, SGID
    - Sticky bit
    - Umask
    - Filesystem restrictions
    - Advanced: Systrace, Veriexec, iptables, etc.

  • Domain implementation in UNIX

    - Two domain groups:
      - A user, identified by a user ID (UID)
      - The superuser (can do everything, UID=0, root)
    - Processes are executed in the domain of their users:
      - Domain = UID
      - Domain switch possible – accomplished via the file system
        - Each file has permission bits for the owner, group and world
        - Each file has a domain bit (the SETUID or SUID bit)
    - When a program is executed and SUID=on, the effective UID is set to the owner of the file being executed
    - When execution completes, the effective UID is reset

  • Subjects and Objects in UNIX

    - Each subject (process) and object (file) has a 16-bit UID
      - Each object also has one 16-bit GID
      - Each subject has one or more GIDs
    - Objects have access control lists that specify read (r), write (w) and execute (x) permissions for owner (u), group (g) and world (o)
    - Access control lists are not checked for the superuser

  • Access Matrix in UNIX

    Subjects = processes (effective UID, GID); Objects = files (regular, devices, sockets)

    - if the process's effective UID = the file's owner UID: owner permissions apply
    - else if the process's GID (default or other group) = the file's GID: group permissions apply
    - else: world permissions apply
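The matrix above as a decision function, added here as an example for these slides (it is not code from the course). It takes the mode and ownership values as stored in the i-node, and adds the one refinement the superuser row leaves out: root still needs at least one execute bit to run a file.

```python
OPS = {"r": 4, "w": 2, "x": 1}

def unix_access(mode, file_uid, file_gid, euid, egids, want):
    """Decide whether a process may perform `want` (any subset of "rwx") on a file.

    Exactly one permission triplet is consulted, chosen by the first row of the
    access matrix that matches; the other two triplets are ignored even if they
    would grant more.

    mode     - permission bits from the i-node, e.g. 0o640
    file_uid - owner UID of the file
    file_gid - group GID of the file
    euid     - effective UID of the process
    egids    - effective GID plus supplementary GIDs of the process
    want     - requested operations, e.g. "r", "rw" or "x"
    """
    need = 0
    for op in want:
        need |= OPS[op]
    if euid == 0:
        # Superuser: the permission bits are not checked, with one refinement
        # the slides leave out: executing still requires at least one x bit.
        if need & OPS["x"] and not mode & 0o111:
            return False
        return True
    if euid == file_uid:
        bits = (mode >> 6) & 0o7      # owner triplet (u)
    elif file_gid in egids:
        bits = (mode >> 3) & 0o7      # group triplet (g)
    else:
        bits = mode & 0o7             # world triplet (o)
    return bits & need == need

def allowed_ops(mode, file_uid, file_gid, euid, egids):
    """Convenience view: which of r, w, x the process gets on this file."""
    return "".join(op for op in "rwx"
                   if unix_access(mode, file_uid, file_gid, euid, egids, op))
```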

  • I-nodes

    - Contain a lot of information about a file
      - file type
      - file mode
      - number of hard links
      - owner's UID
      - owner's GID
      - number of bytes in the file
      - timestamps (last accessed, modified; i-node changed)
      - physical disk addresses (direct and indirect blocks)
      - number of blocks
      - no path or filename

  • File permissions

    -rwxr--r--

    - File type (first character): - regular file; d directory; c character device (tty, printer); b block device (disk, CD-ROM); l symbolic link; s socket; = or p FIFO
    - Access granted to owner (characters 2-4): r read / w write / x execute
    - Access granted to group members (characters 5-7)
    - Access granted to others (characters 8-10)

  • Example file protection modes

  • Permissions: regular files

    - If you have the read permission for a file, you can view its content
    - If you have the write permission for a file, you can alter its content
    - If you have the execute permission for a file, you can run the file as a program

  • Permissions: directories

    - If you have the read permission, you can list the files in the directory
    - If you have the write permission, you can add or remove files inside the directory
    - If you have the execute permission, you can change to this [working] directory with the cd command, and you can use it as part of a pathname

  • File Permissions

    - When a process executes, it has 4 values related to file permissions
      - The real UID / The effective UID
      - The real GID / The effective GID
    - After login, your login shell process UID/GID is your real UID/GID
      - All processes that the shell forks off inherit the shell's UID & GID
      - All files they create also get these values

  • Real UIDs

    - The UID of the user who executed the program affects what the program can do
    - For example, the UID of /usr/bin/vi is root:

      $ ls -l /usr/bin/vi
      lrwxrwxrwx 1 root root 20 Apr 13 ...

    - Running vi, the user can edit only those files that she has access to

  • Effective UID and GID

    - The real UID depends on who executes the process, not who owns the executable
      - However, a user can run e.g. passwd (owned by root) and update the /etc/passwd file (owned by root) – how?
    - Two special file permissions
      - “set user ID” (SUID) and “set group ID” (SGID)
      - When an executable with the SUID permission is executed, the process' effective UID becomes that of the executable
        - The real UID is unaffected and is checked by the program

  • SUID / SGID / Sticky bits

    - SUID bit
      - Processes are granted access to system resources based on the user who owns the file
    - SGID bit
      - (For file) Analogous to SUID except the owner's group is considered
      - (For directory) Files created in that directory will have their group set to the directory's group
    - Sticky bit
      - If set on a directory, a user may only remove files that she owns or for which she has explicit write permission granted
        - Even if she has write access to the directory (e.g. /tmp)

  • The login process revisited

    - The login program (which is SETUID root) asks for a login name and a password
    - It hashes the password and looks in /etc/passwd (i.e., in /etc/shadow) to see if the hashes match
    - Login then calls setuid() and setgid() to give itself the user's UID and GID
    - Then it opens the keyboard for stdin (fd 0), screen for stdout (fd 1), and stderr (fd 2)
    - Finally, it forks a shell
    - The subsequent processes inherit the shell's UID and GID

  • Another SETUID scenario

    - /dev/lp is owned by root with protection rw-------
    - /bin/lp is owned by root with rwsr-xr-x (SUID=1)
    - A user issues the lp command
    - The shell (running with the user's UID and GID) forks a child process P
    - Process P has the same UID and GID as the user
    - Process P calls exec(“/bin/lp”, …)
    - Domain of P changes to root's UID
    - Consequently, /dev/lp can be accessed to print
    - When /bin/lp terminates, so does P
    - Parent (shell) never got access to /dev/lp

  • ls -l

    > ls -l foo
    -rw-rw---- 1 collin grads 13 Jan 10 23:05 foo

    Fields: permissions, owner, group, size, date/time, name

    Variants: ls -la, ls -li, ls -lh

  • File Time Attributes

    - Time Attributes:
      - when the file was last changed: ls -l
      - when the file was created*: ls -lc
      - when the file was last read (accessed): ls -lu

    * Actually, the time when the file status in the directory last changed (e.g. the file was renamed)

  • Types of Files

    [Diagram: All Files split into Directories, Binary files (Machine code, Images, etc.) and Text files (Documents, [Shell] scripts, Source code); further labels in the figure: Executable files, Compiler]

  • Types of Files

    - Regular files
      - Binary
        - GIF, JPEG, many executables, etc.
      - Text
        - Scripts, other source code, documentation, etc.
      - Supports sequential and random access

  • Types of Files (cont.)

    - Directories
      - Can contain any kinds of files
      - . (dot): the special name for the current directory
      - .. (dot dot): the special name for the directory above the current directory
    - Device files
      - Allow programs to communicate with hardware
      - Kernel modules handle device management

  • Types of Files (cont.)

    - Device files (cont.)
      - Character devices
        - Accept a stream of characters, without regard to any block structure
        - Not addressable, therefore no seek operation
      - Block devices
        - Information stored in fixed-sized blocks
        - Addressable, therefore a seek operation is possible

  • Types of Files (cont.)

    - UNIX domain sockets (BSD)
      - Sockets that are local to a particular host and are referenced through a file system object instead of a network port
      - IPC (e.g. within X windows)
    - Named pipes (FIFO)
      - Another means for IPC

  • Types of Links

    - Hard links
      - Linking files by reference
      - File system maintains the count of the links
      - Do not work across file systems
    - Soft links
      - Linking files by name
      - No counter is maintained
      - Work across file systems

  • stat

    /home$ stat normundsg/

    File: ‘normundsg/’

    Size: 4096 Blocks: 8 IO Block: 4096 directory

    Device: fd01h/64769d Inode: 131086 Links: 6

    Access: (0755/drwxr-xr-x) Uid: (1001/normundsg) Gid: (1001/normundsg)

    Access: 2018-10-04 17:23:59.429654928 +0000

    Modify: 2018-09-24 12:20:02.494255000 +0000

    Change: 2018-09-24 12:20:02.494255000 +0000

  • From “man ln”

    - A hard link is just a name for a file
      - A file can have several names
      - It is deleted from disk only when the last name is removed
      - The number of names is given by ls
      - There is no such thing as “original” name: all names have the same status
    - A soft link (or symbolic link / symlink) is an entirely different animal: it is a small special file that contains a pathname
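An added example (not the course's code) that creates both kinds of link in a scratch directory and reads back from the i-node data what the man page above states: the hard link shares the i-node and raises the link count, the symlink is its own small file whose size is the length of the stored pathname, and removing the original name leaves the hard link intact while the symlink dangles.

```python
import os
import tempfile

def link_demo():
    """Create a file plus a hard link and a symlink to it in a scratch
    directory, then read back what the i-nodes say about each name."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "notes.txt")
    hard = os.path.join(base, "notes-hard")
    soft = os.path.join(base, "notes-soft")
    with open(target, "w") as fh:
        fh.write("hello\n")
    os.link(target, hard)            # ln notes.txt notes-hard
    os.symlink("notes.txt", soft)    # ln -s notes.txt notes-soft (stores this pathname)
    st_t, st_h = os.stat(target), os.stat(hard)
    st_s = os.lstat(soft)            # lstat: the link file itself, not its target
    result = {
        "same_inode": st_t.st_ino == st_h.st_ino,     # two names, one i-node
        "link_count": st_t.st_nlink,                  # what `ls -l` shows as 2
        "symlink_own_inode": st_s.st_ino != st_t.st_ino,
        "symlink_content": os.readlink(soft),         # the stored pathname
        "symlink_size": st_s.st_size,                 # = len(pathname), cf. bzless -> bzmore (6)
    }
    # Removing the "original" name does not delete the data: the other hard
    # link still opens it, while the symlink now points at a name that is gone.
    os.unlink(target)
    with open(hard) as fh:
        result["hard_readable_after_unlink"] = fh.read() == "hello\n"
    result["soft_dangling_after_unlink"] = os.path.lexists(soft) and not os.path.exists(soft)
    result["link_count_after_unlink"] = os.stat(hard).st_nlink
    return result
```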

  • macOS 10.14.3

    $ ls -li /bin/{cp,mv,ln}
    12886337649 -rwxr-xr-x 1 root wheel 29024 Nov 30 2018 /bin/cp
    12886337675 -rwxr-xr-x 1 root wheel 19024 Nov 30 2018 /bin/ln
    12886337681 -rwxr-xr-x 1 root wheel 24240 Nov 30 2018 /bin/mv

    $ ls -li /usr/bin/{*more,*less}
    12885598408 lrwxr-xr-x 1 root wheel 6 Dec 25 2018 /usr/bin/bzless -> bzmore
    12885598409 -rwxr-xr-x 1 root wheel 1259 Aug 18 2018 /usr/bin/bzmore
    12886338349 -rwxr-xr-x 1 root wheel 133856 Nov 30 2018 /usr/bin/less
    12886338461 -rwxr-xr-x 1 root wheel 133856 Nov 30 2018 /usr/bin/more
    12885599991 -rwxr-xr-x 2 root wheel 2080 Aug 18 2018 /usr/bin/zless
    12885599991 -rwxr-xr-x 2 root wheel 2080 Aug 18 2018 /usr/bin/zmore

    Ubuntu 14.04

    $ ls -li /bin/{gunzip,uncompress,less}
    28 -rwxr-xr-x 2 root root 2303 Jan 10 2014 /bin/gunzip
    64 -rwxr-xr-x 1 root root 153664 Jun 10 2013 /bin/less
    28 -rwxr-xr-x 2 root root 2303 Jan 10 2014 /bin/uncompress

    $ ls -li /usr/bin/{*more,*less}
    3746 lrwxrwxrwx 1 root root 9 Jun 10 2013 /usr/bin/less -> /bin/less
    3990 -rwxr-xr-x 1 root root 1825 Feb 12 2014 /usr/bin/xzless
    4144 -rwxr-xr-x 1 root root 2168 Feb 12 2014 /usr/bin/xzmore

  • Creating a Link

    - Create a link directory by typing the following command from your home directory:

      % ln -s /home/faculty/ostic/prof myprof

    - You only need to create this link once
      - It will appear as a subdirectory in your home directory structure every time you log on to the system

    (soft link)

  • Directories

    - UNIX directories are special files
    - The directory file is an unsorted linked list of filenames to inodes
      - Filenames are stored in directory inodes, instead of file inodes
    - Directory size will always increase to store all the file entries
      - If the number of files later shrinks, the directory size will not (b-trees)

    $ ls -i
    5 apples
    4 oranges
    5 aboli
    2 .
    7 ..

  • Directories

    [Diagram: directory entries; the figure's labels are 333, 333, 333]

  • Disk vs. Filesystem

    - The entire hierarchy can actually include many partitions and disk drives
      - Some directories can be on other computers

    [Diagram: / containing bin, etc, users, tmp, usr; users containing hollid2 and scully]

  • I-nodes are unique per partition

    /$ sudo find . -inum 28
    /sys/bus/platform/drivers
    /sys/kernel/debug/usb
    /bin/uncompress
    /bin/gunzip

    /$ df -a
    Filesystem 1K-blocks Used Available Use% Mounted on
    sysfs 0 0 0 - /sys
    proc 0 0 0 - /proc
    udev 16469516 12 16469504 1% /dev
    devpts 0 0 0 - /dev/pts
    tmpfs 3294944 364 3294580 1% /run
    /dev/vda1 51572348 11013180 38431348 23% /
    none 4 0 4 0% /sys/fs/cgroup
    none 0 0 0 - /sys/fs/fuse/connections
    none 0 0 0 - /sys/kernel/debug
    none 0 0 0 - /sys/kernel/security

  • Disk mount options

    - Override specific file permissions
    - A major security tool in Unix

    mount /dev/hdb1 /media/new_disk -t ext3 -o ro,nosuid

    Options: nosuid, noexec, noowners, rdonly, etc.

  • File system security tips

    - Turning off SUID / SGID in a mounted file system
      - Use nosuid when mounting a remote file system or allowing users to mount floppies or CD-ROMs
    - Finding SUID and SGID files
      - sudo find / -perm /4000
      - sudo find / -perm /2000
      - sudo find / -perm /1000
      - sudo find / -perm /7000
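A scanner that does what the four find commands above do, added here as an example for these slides (not the course's code). It builds a small constructed tree in a scratch directory so it runs without touching the real system; on a real host you would call scan_special("/") and compare the result against the previous inventory.

```python
import os
import stat
import tempfile

SPECIAL = ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid"), (stat.S_ISVTX, "sticky"))

def special_bits(mode):
    """Names of the special bits set in a mode, e.g. ("suid",) for 0o4755.
    Same semantics as `find -perm /7000`: any one of the bits is a match."""
    return tuple(name for bit, name in SPECIAL if mode & bit)

def scan_special(root):
    """Walk `root` without following symlinks and list every entry that has
    SUID, SGID or the sticky bit set, with its owner UID and the bits found.
    Equivalent to `find root -perm /7000` combined with `ls -l` on each hit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: judge the entry itself, never its target
            except OSError:
                continue              # unreadable or vanished while walking: keep going
            flags = special_bits(st.st_mode)
            if flags:
                hits.append((path, st.st_uid, flags))
    return sorted(hits)

def demo():
    """Constructed tree: a SUID script (as /usr/bin/passwd would be), a sticky
    shared directory (as /tmp is) and a plain file; returns the scan as
    paths relative to the scratch directory."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    for name, mode in (("tool", 0o4755), ("plain", 0o644)):
        with open(os.path.join(base, name), "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(os.path.join(base, name), mode)
    return [(os.path.relpath(p, base), flags) for p, _uid, flags in scan_special(base)]
```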

  • System calls related to security

    - chmod() – the most heavily used
    - chown(), setuid(), setgid() – allowed only for the root

  • Changing File Mode

    - Symbolic mode syntax vs. absolute mode syntax
    - chmod +x file
      chmod -x file
      chmod u+x file
      chmod o-w file
      chmod ug+x file
      chmod ug+rwx file
    - chmod 444 file / chmod =r file
      chmod 555 file / chmod =rx file
    - Option -R for changing permissions recursively

  • to new files

    $ umask 0174

    $ mkdir foo

    $ touch bar

    $ ls -l

    drw-----wx 2 dave dave 512 Sep 1 20:59 foo

    -rw-----w- 1 dave dave 0 Sep 1 20:59 bar

  • umask: Calculations

    - If you want a file permission of 644 (by default, without manually executing chmod) on a regular file, the umask would need to be 022:

      Default mode    666
      umask          -022
      New file mode   644
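An added example (not from the course slides) that renders an i-node mode the way the permission-string slide describes, including the s/t symbols for SUID, SGID and the sticky bit, and then applies a umask as this slide does; for umask 0174 it reproduces the drw-----wx and -rw-----w- lines of the earlier ls -l session.

```python
import stat

KINDS = {stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFCHR: "c", stat.S_IFBLK: "b",
         stat.S_IFLNK: "l", stat.S_IFSOCK: "s", stat.S_IFIFO: "p"}
# (shift of the triplet, special bit shown in its x position, letter used for it)
TRIPLETS = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))

def mode_string(mode):
    """Render a full st_mode the way `ls -l` prints it, e.g. "-rwsr-xr-x".
    A special bit replaces the x of its triplet: lower case when execute
    is also set, upper case (S/T) when the bit is set without execute."""
    out = KINDS.get(stat.S_IFMT(mode), "?")
    for shift, special, letter in TRIPLETS:
        bits = (mode >> shift) & 0o7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if mode & special:
            out += letter if bits & 1 else letter.upper()
        else:
            out += "x" if bits & 1 else "-"
    return out

def apply_umask(requested, umask):
    """Permission bits a new object actually receives: the bits the creating
    call asked for (0o666 for open/touch, 0o777 for mkdir) minus the umask."""
    return requested & ~umask & 0o777

def new_file_modes(umask):
    """ls -l strings for a directory (mkdir) and a regular file (touch)
    created under the given umask, as in the session on the slide."""
    return (mode_string(stat.S_IFDIR | apply_umask(0o777, umask)),
            mode_string(stat.S_IFREG | apply_umask(0o666, umask)))
```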

  • Unix user accounts

    - To access a Unix system you need to have a user account
    - A Unix account includes:
      - username and password
      - UID and GID
      - home directory
      - shell

  • Creating user accounts

    - useradd or adduser command / script
    - Manually
      - Edit /etc/passwd, /etc/shadow, /etc/group
        - Remember to lock these files while editing - vipw
      - Run “passwd [user]”
      - Create a home directory
        - chown, chgrp, chmod
        - Copy defaults from
          - /etc/skel
          - /etc/profile

  • Startup files

    - sh, ksh: /etc/profile (system defaults), ~/.profile
    - bash: ~/.bash_profile, ~/.bashrc, ~/.bash_logout
    - csh: ~/.cshrc, ~/.login, ~/.logout

  • UID

    - A unique number that identifies a UNIX account
    - It is easier (and more efficient) for the kernel to use a number than a string like the username
    - You do not need to know your UID

  • GID

    - Unix includes the notion of a group of users
    - A group can share files and active processes
    - Each account is assigned to one primary group
      - A single account can belong to many groups
    - The GID is a number that corresponds to the primary group

  • Home Directory

    - A home directory is a place in the file system where the user account files are stored
      - Owned by the user
    - Many UNIX commands and applications make use of the home directory
      - Configuration files, etc.

  • Passwords

    - More “recent” versions of Unix have improved the security for password encryption as follows:
      - Passwords no longer restricted to 8 characters
      - Use MD5 instead of DES; gives 128-bit output
      - Use “salt”
    - Furthermore, the encrypted (hashed) password is removed from the /etc/passwd file and instead is placed in /etc/shadow
      - Restricted access to /etc/shadow – readable only by root
      - Much more difficult to launch an off-line / dictionary attack
      - /etc/shadow contains additional password information (number of days before expiry, etc.)

  • passwd, shadow, group

    # more /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/bin/false
    daemon:x:2:2:daemon:/sbin:/bin/false
    adm:x:3:4:adm:/var/adm:/bin/false
    lp:x:4:7:lp:/var/spool/lpd:/bin/false
    halt:x:7:0:halt:/sbin:/sbin/halt
    ...
    guest:x:405:100:guest:/dev/null:/dev/null
    nobody:x:65534:65534:nobody:/:/bin/false
    guntis:x:1002:100::/home/guntis:/bin/bash
    students:x:1003:100::/home/students:/bin/bash

    # more /etc/shadow
    root:$1$VlYbWsrd$GUs2cptio.rKlGHgAMBzr.:12684:0:::::
    ...
    guest:*:9797:0:::::
    nobody:*:9797:0:::::
    guntis:$1$fiJF/0BT$Py9JiQQL6icajjQVyMZ7//:12684:0:99999:7:::
    students:$1$wueon8yh$nLpUpNOKr8yTYaEnEK6OJ1:12685:0:99999:7:::

    # ls -l passwd shadow group
    -rw-r--r-- 1 root root 705 Sep 23 15:36 group
    -rw-r--r-- 1 root root 1895 Sep 24 18:20 passwd
    -rw------- 1 root root 634 Sep 24 18:22 shadow

    # more /etc/group
    root::0:root
    bin::1:root,bin,daemon
    daemon::2:root,bin,daemon
    sys::3:root,bin,adm
    adm::4:root,adm,daemon
    disk::6:root,adm
    lp::7:lp
    mem::8:
    wheel::10:root,girtsf
    mail::12:mail
    ...
    users::100:games,girtsf
    postfix:x:207:
    smmsp:x:209:smmsp
    slocate::245:
    utmp:x:406:
    nogroup::65533:
    nobody::65534:

    Only the wheel group can su to root

  • Users: /etc/passwd

    - The password file associates a UID with each system user:

      gates:x:65:20:H.Gates:/home/gates:/bin/bash

    Fields: login name, [encrypted password], user ID, group ID, “real” name, home directory, command interpreter (shell)

  • Groups: /etc/group

    - Information about system groups:

      faculty:x:23:maria,eileen,dkl

    Fields: group name, [encrypted group password], group ID, list of group members
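An added example (not from the course) that parses the three files in the layout shown on these slides and flags what a defender checks first: extra UID-0 accounts, a hash left in the world-readable /etc/passwd, an empty shadow hash, and who is in wheel. The samples are constructed: root, guest, guntis and the group lines copy the listing above, while admin2, legacy and the placeholder hash are invented for the audit.

```python
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")
GROUP_FIELDS = ("name", "passwd", "gid", "members")

# Constructed samples (see lead-in): admin2, legacy and PLACEHOLDER are invented.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
guntis:x:1002:100::/home/guntis:/bin/bash
admin2:x:0:0::/root:/bin/bash
legacy:$1$PLACEHOLDER$notarealhash:1010:100::/home/legacy:/bin/bash
"""
SHADOW = """\
root:$1$VlYbWsrd$GUs2cptio.rKlGHgAMBzr.:12684:0:::::
guest:*:9797:0:::::
guntis:$1$fiJF/0BT$Py9JiQQL6icajjQVyMZ7//:12684:0:99999:7:::
admin2::12684:0:99999:7:::
"""
GROUP = """\
root::0:root
wheel::10:root,girtsf
users::100:games,girtsf
"""

def parse_colon_file(text, fields):
    """One dict per non-empty line; missing trailing fields become ""."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            values = line.split(":")
            values += [""] * (len(fields) - len(values))
            rows.append(dict(zip(fields, values)))
    return rows

def audit(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP):
    """Findings a defender checks first in these three files."""
    findings = []
    for u in parse_colon_file(passwd_text, PASSWD_FIELDS):
        if u["uid"] == "0" and u["name"] != "root":
            findings.append("uid 0 account besides root: " + u["name"])
        if u["passwd"] == "":
            findings.append("empty password field in passwd: " + u["name"])
        elif u["passwd"] not in ("x", "*", "!"):   # a real hash belongs in shadow
            findings.append("hash kept in world-readable passwd: " + u["name"])
    for s in parse_colon_file(shadow_text, SHADOW_FIELDS):
        if s["hash"] == "":
            findings.append("empty shadow hash (no password needed): " + s["name"])
    for g in parse_colon_file(group_text, GROUP_FIELDS):
        if g["name"] == "wheel":                     # only wheel members can su to root
            findings.append("wheel members: " + g["members"])
    return findings
```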

  • Appendix