Unix Security. Cunsheng Ding, HKUST, Hong Kong, CHINA, cding@cs.ust.hk (lecture slides, COMP4631 L19)


  1. Unix Security Cunsheng Ding HKUST, Hong Kong, CHINA cding@cs.ust.hk C. Ding - COMP4631 - L19 1

  2. Agenda
  • A short history of Unix
  • Login and user accounts
  • Access control
  • Instances of general security principles
  • Audit configuration and management

  3. A Brief History
  • Originated in 1969 and the early 70s as a prototype at Bell Labs (part of AT&T).
  • In 1973 Unix was rewritten in C and successfully ported to other hardware.
  • AT&T gave Unix away in source form to many universities, most notably UC Berkeley (the origin of BSD).
  • 1991: first release of Linux, a Unix-like kernel written independently of the AT&T code.

  4. What is Unix
  • Multi-user, multi-process operating system.
  • Hierarchical file system.
  • Consistent byte-oriented access to files and devices.

  5. Login and User Account

  6. Login
  • Identification + authentication := (username, password)
  • Password length: only the first 8 characters are significant to the traditional crypt(3) algorithm.
  • Password protection: the cleartext password is not stored; a salted one-way hash computed by crypt(3) is stored in /etc/passwd. The slides call this "encryption", but the value cannot be decrypted: an attacker can only hash candidate passwords and compare.

  7. Format of the Password File
  • Format: username:encrypted password:user ID:group ID:ID string:home directory:login shell
  • ID string (the GECOS field) = the user's full name and other descriptive text
  • User ID and group ID = explained later.
  • Login shell: the program started for the user after successful login.

  8. Format of the Password File ctd.
  • Displaying the password file: cat /etc/passwd
    dieter:RT.QsZEEsxT92:100026:53:Dieter Gollman:/home/staff/dieter:/usr/local/bin/bash
  • When the password field is empty, the user needs no password to log in; such entries should be searched for in any audit.
  • If the password field starts with an asterisk, the user cannot log in: crypt(3) only ever emits the characters [a-zA-Z0-9./], so no cleartext password can hash to such a value. This is how an account is disabled.

  9. Other Issues
  • passwd(1): change a password by supplying the old one, then the new one twice.
  • Shadow password file: in security-conscious versions of Unix the hashes are moved out of the world-readable /etc/passwd into a file readable only by root, e.g. /.secure/etc/passwd (HP-UX) or /etc/shadow (Linux, Solaris); /etc/passwd then carries only a placeholder such as "x".
  • Password ageing: expiry dates and restrictions on reusing old passwords can be set.
  • Root login: can be restricted to the terminals nominated in /etc/ttys (BSD; /etc/securetty on Linux).

  10. Users and Superusers
  • Users are known by user name, traditionally up to 8 characters.
  • Internally users are identified by user ID (UID), historically a 16-bit number (32-bit on current systems).
  • UIDs are linked to user names in /etc/passwd.
  • Unix does not distinguish between users having the same UID: two passwd entries with UID 0 are both root, whatever their names.

  11. Special User IDs
  • The superuser has UID 0 and the name root.
  • Reserved IDs (exact values vary between Unix variants):
    -2  nobody
     0  root
     1  daemon
     2  uucp
     3  bin
     4  games
     9  audit
  • The root account is used by the operating system for essential tasks like login, recording the audit log, or access to I/O devices.
  • The nobody account is for NFS (network file system) anonymous connections and for configuring anonymous FTP.
  • A daemon is a long-running background process that answers requests for services. The expansion "Disk And Execution MONitor" is a backronym; the term comes from Maxwell's demon.

  12. Special User IDs
  • Almost all security checks are turned off for the superuser.
  • The root account also performs certain administrative tasks.
  • The system manager should not use root as a personal account.
  • When necessary, a change to root can be requested by typing /bin/su without specifying a user name (su then asks for the root password).

  13. Superuser and Protections
  • Remark: the superuser can do almost everything.
  • Remark: every precaution has to be taken to control access to superuser status.
  • Question: how?

  14. Control of Access to Superuser Status
  • The files /etc/passwd and /etc/group must be write-protected; otherwise a user could set the UID field of their own entry to 0 and become root.
  • Record all su attempts in the audit log together with the user (account) who issued the command.
  • Separate the duties of the system manager, e.g. by having special users like uucp or daemon handle networking. If one of these special users is compromised, not all is lost.
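The checks from slides 8, 10 and 14 (empty password fields, locked accounts, duplicate UIDs, extra UID-0 entries) can be run mechanically over a passwd(5)-format file. The following is an added example written for this page, not code from the lecture; the sample file is constructed for the demonstration and its hash strings are dummies of the right shape rather than real crypt(3) output.

```python
"""Audit a passwd(5)-format file for the weaknesses discussed on slides 8, 10 and 14.
Added example for this page; SAMPLE_PASSWD below is constructed, not a real system file."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# The only characters traditional crypt(3) can emit. A non-empty hash field that
# contains anything else (e.g. '*' or '!') can never match a password: the account is locked.
CRYPT_ALPHABET = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")

SAMPLE_PASSWD = """\
root:Kx9fQ2mZpL.aB:0:0:Superuser:/:/bin/sh
daemon:*:1:1:System daemon:/:/sbin/nologin
dieter:RT.QsZEEsxT92:100026:53:Dieter Gollman:/home/staff/dieter:/usr/local/bin/bash
guest::1001:100:Guest account:/home/guest:/bin/sh
backdoor:Kx9fQ2mZpL.aB:0:0:Looks harmless:/tmp:/bin/sh
alice:x:1002:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
"""


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Split each non-empty, non-comment line into the seven colon-separated fields of slide 7."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def classify_hash_field(pw: str) -> str:
    """empty / shadowed / locked / hash: how the password field behaves at login."""
    if pw == "":
        return "empty"          # login without any password
    if pw == "x":
        return "shadowed"       # real hash lives in the shadow file
    if pw.startswith("$"):
        return "hash"           # modular-crypt format (md5/sha/...) on newer systems
    if set(pw) <= CRYPT_ALPHABET:
        return "hash"           # traditional 13-character crypt(3) output
    return "locked"             # '*', '!' etc. can never be a crypt(3) result


def audit_passwd(entries: list[PasswdEntry]) -> list[str]:
    """One finding per weakness, in file order, then shared-UID findings by UID."""
    findings = []
    by_uid: dict[int, list[str]] = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e.name)
        if classify_hash_field(e.password) == "empty":
            findings.append(f"{e.name}: empty password field, login needs no password")
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: has UID 0 and is therefore another root account")
    for uid in sorted(by_uid):
        names = by_uid[uid]
        if len(names) > 1:
            # Slide 10: the kernel cannot tell these users apart.
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

On a real host the same functions run over the contents of /etc/passwd; locked accounts (daemon above) are deliberately not reported, since a hash field that crypt(3) cannot produce is exactly the disabling mechanism of slide 8.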

  15. Groups
  • Fact: users belong to one or more groups.
  • Why? Collecting users in groups is a convenient basis for access control decisions.
  • Example: put all users allowed to access email in a group called mail.
  • Every user has a primary group; its group ID (GID) is stored in /etc/passwd. Membership of further groups is recorded in /etc/group.

  16. Set UserID and Set GroupID
  • Question: if /etc/passwd is writable only by root, how can an ordinary user change their password?
  • Answer: controlled invocation through a Set UserID (SUID) program. The passwd binary is owned by root and has the setuid bit set.
  • Remark: while it runs, the process temporarily takes on the effective UID of the file's owner (root), so it can write the password file, but only in the way its code allows. Any bug in a SUID program is therefore a potential privilege escalation, which is why such programs must be kept few and audited.

  17. Access Control

  18. Tree Structure for Files and Directories
  Example from the slide's figure: the root directory / contains homes, which contains the home directory cding; under it are papers, comp364, comp271, dingcv.txt and Public_html.

  19. Access Control: Unix File Structure
  • Each directory contains ("ls -a" lists them):
    – a pointer to itself, the entry '.'
    – a pointer to its parent directory, the entry '..'
  • Each file
    – has an owner, usually the user who created the file;
    – belongs to a group.
  • A newly created file belongs either to its creator's primary group or to its directory's group, depending on the Unix variant and on whether the directory has the setgid bit set.

  20. Access Control: Unix File Structure
  • Each file entry in a directory is a pointer to a data structure, the inode. Use "ls -l" to display the inode fields that are relevant to access control.
  • Fields in the inode relevant to security:
    – mode: type of file and access rights
    – uid: user who owns the file
    – gid: group which owns the file
    – mtime: modification time
    – block count: size of file

  21. Fields in inode (part 1)
  Inspect a directory with the command ls -l:
    -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 d.tex
    drwx------ 2 dieter staff  512 Oct 25 17:44 ads/
  • The 1st character gives the type of file: '-' a regular file, 'd' a directory.
  • The next nine characters give the file permissions (to be discussed later).

  22. Fields in inode (part 2)
    -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 d.tex
    drwx------ 2 dieter staff  512 Oct 25 17:44 ads/
  • The following numerical field is the link counter, counting the number of links (names) pointing to the file.
  • The next two fields are the name of the owner and the group of the file.

  23. Fields in inode (part 3)
    -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 d.tex
    drwx------ 2 dieter staff  512 Oct 25 17:44 ads/
  • The next integer is the size of the file in bytes.
  • The date and time is mtime, the time of the last modification.
  • The last entry is the name of the file. The '/' after ads indicates a directory.

  24. Fields in inode: File Permissions
    -rw-r--r-- 1 dieter staff 1617 Oct 28 11:01 d.tex
    drwx------ 2 dieter staff  512 Oct 25 17:44 ads/
  • The permission bits are grouped in three triples that define read, write and execute access for owner, group, and other (everyone else).
  • '-' indicates that the right is not granted.
  • The uid and gid of the inode tell who owns the file, and hence which triple applies to a given process.

  25. Changing Permissions with chmod (by owner or superuser only)
  • Absolute mode: chmod [-R] absolute file, which specifies the value for all permission bits at once.
  • Symbolic mode: will not be introduced here. For details, see Dieter Gollmann, Computer Security, Wiley, 1999, page 91.

  26. Changing Permissions with chmod in Absolute Mode
  • The file permissions are specified directly by an octal number, one digit per triple: 4 = 100 (r--), 6 = 110 (rw-), 7 = 111 (rwx).
  • Examples:
    – chmod 644 = 110 100 100 = rw-r--r--
    – chmod 777 = 111 111 111 = rwxrwxrwx
    – chmod 755 = 111 101 101 = rwxr-xr-x
  • The option -R applies the change recursively to the named directory and everything beneath it.

  27. Default Permissions (1)
  • Unix utilities request these permissions when creating files:
    – 666 for a new data file (e.g. from an editor)
    – 777 for a new program (e.g. compiler output)
  • The rights actually granted are adjusted by the umask, which specifies the rights that should be withheld:
    – umask 777 denies every access
    – umask 000 does not add any further restriction

  28. Default Permissions (2): Sensible Default Settings
  • 022: all rights for the owner, r (and x for programs) for group and other.
  • 077: all rights for the owner, nothing for group and other.
  • The umask value is typically set in /etc/profile or in the user's shell start-up file.
  • The actual default permission is computed as default AND NOT umask, e.g. 666 AND NOT 077 = 600. (The slide writes this as default ^ umask, but the operation is A AND NOT B, not exclusive-or.)
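The arithmetic of slides 24 to 28, together with the setuid and setgid bits of slide 16, is small enough to write out in full. The block below is an added example for this page, not code from the lecture: it converts between octal modes and the nine-character ls -l string (rendering the setuid, setgid and sticky bits as s/S and t/T the way ls does), applies a umask with AND NOT rather than XOR, and flags the combinations an auditor cares about.

```python
"""Permission bits (slides 24-28) and setuid/setgid bits (slide 16). Added example for this page."""
from __future__ import annotations
import stat

# (shift of the rwx triple, special bit that shares its x column, letter ls uses for it)
_TRIPLES = ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t"))


def mode_to_string(mode: int) -> str:
    """Render a mode as ls -l does: 0o644 -> 'rw-r--r--', 0o4755 -> 'rwsr-xr-x', 0o1777 -> 'rwxrwxrwt'."""
    out = []
    for shift, special, letter in _TRIPLES:
        triple = (mode >> shift) & 0o7
        r = "r" if triple & 4 else "-"
        w = "w" if triple & 2 else "-"
        if mode & special:
            # lower case: special bit and execute bit; upper case: special bit without execute
            x = letter if triple & 1 else letter.upper()
        else:
            x = "x" if triple & 1 else "-"
        out.append(r + w + x)
    return "".join(out)


def string_to_mode(perms: str) -> int:
    """Inverse of mode_to_string: parse the nine characters back into an octal mode."""
    if len(perms) != 9:
        raise ValueError("expected exactly nine permission characters")
    mode = 0
    for i, (shift, special, _) in enumerate(_TRIPLES):
        r, w, x = perms[3 * i : 3 * i + 3]
        triple = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "xst":
            triple |= 1
        if x in "sStT":
            mode |= special
        mode |= triple << shift
    return mode


def apply_umask(default: int, umask: int) -> int:
    """Rights a new file gets: the program's requested default with the umask bits withheld.
    This is default AND NOT umask (slide 28), not exclusive-or: 0o666 & ~0o077 == 0o600."""
    return default & ~umask & 0o777


def permission_warnings(mode: int) -> list[str]:
    """The combinations worth flagging in an audit of ls -l output."""
    warnings = []
    world_writable = bool(mode & stat.S_IWOTH)
    if world_writable:
        warnings.append("world-writable")
    if mode & stat.S_ISUID:
        warnings.append("setuid")
    if mode & stat.S_ISGID:
        warnings.append("setgid")
    if world_writable and mode & (stat.S_ISUID | stat.S_ISGID):
        # Anyone can overwrite the program and then run it with the owner's privileges.
        warnings.append("setuid/setgid program that anyone can replace")
    return warnings


if __name__ == "__main__":
    for m in (0o644, 0o755, 0o4755, 0o1777, apply_umask(0o666, 0o077)):
        print(oct(m), mode_to_string(m), permission_warnings(m))
```

The sticky bit rendering ('t') is included because it appears on every shared /tmp and is easy to mistake for a setuid marker when reading ls -l output quickly.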

  29. Instances of General Security Principles

  30. Deleting Files (1)
  • Question: if we remove (delete) a file from the file system, does it still exist in some form?
  • Remark: to answer this we have to look at how a file is constructed.

  31. Deleting Files (2)
  • Two ways of "copying": cp versus link/ln.
  • cp: creates an identical but independent file (its own inode and data blocks), owned by the user running cp.
  • link, ln: only create a new name (a hard link) that points to the original file's inode, and increase the link counter of that inode. rm removes one name and decrements the counter; the data blocks are released only when the counter reaches zero and no process still holds the file open.
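The difference between cp and ln, and what rm actually removes, can be observed directly through the link counter of slide 22. The following is an added example for this page, not the lecture's code; it works in a temporary directory and assumes a POSIX file system that supports hard links (it will not run on FAT-style file systems).

```python
"""Hard links versus copies, and what survives rm (slides 30-31). Added example for this page."""
from __future__ import annotations
import os
import shutil
import tempfile


def link_vs_copy_demo() -> dict:
    """Create a file, hard-link it (what ln does), copy it (what cp does), then delete names
    and report which observations hold. Assumes a POSIX file system with hard-link support."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "secret.txt")
        linked = os.path.join(d, "secret.ln")
        copied = os.path.join(d, "secret.cp")
        with open(original, "w") as f:
            f.write("payroll data\n")  # constructed sample content

        os.link(original, linked)      # ln: new name, same inode, link count 1 -> 2
        shutil.copy(original, copied)  # cp: new inode with its own copy of the data

        st_orig, st_link, st_copy = os.stat(original), os.stat(linked), os.stat(copied)
        result = {
            "link_shares_inode": st_orig.st_ino == st_link.st_ino,
            "copy_shares_inode": st_orig.st_ino == st_copy.st_ino,
            "nlink_before_rm": st_orig.st_nlink,
        }

        os.unlink(original)  # rm secret.txt: removes one name, not the data
        result["original_name_exists"] = os.path.exists(original)
        result["nlink_after_rm"] = os.stat(linked).st_nlink
        with open(linked) as f:
            result["data_via_link"] = f.read()

        # Even the last name can go while a process keeps the file open: the inode is
        # released only when the link count is zero AND no descriptor refers to it.
        fh = open(linked)
        os.unlink(linked)
        result["last_name_exists"] = os.path.exists(linked)
        result["data_via_open_handle"] = fh.read()
        fh.close()

        # The cp result is unaffected by any of this: it was always a separate file.
        with open(copied) as f:
            result["data_via_copy"] = f.read()
        return result


if __name__ == "__main__":
    for k, v in link_vs_copy_demo().items():
        print(f"{k}: {v!r}")
```

The open-handle case is the one that matters operationally: deleting a sensitive file, or a malicious binary, with rm does not reclaim its contents while any process still has it open, which is why incident responders look for deleted-but-open files before they look at the directory listing.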
