
84-01-17
UNIX Security: Part 1
Douglas G. Conorich

Payoff

The most important issue facing the UNIX system security administrator is understanding the key security issues surrounding the file system. The UNIX file system has built-in security features and utilities that can either enhance file security or create areas of exposure, depending on how they are set. The file permissions are the final line of defense, allowing the user to control the type of access (e.g., read, write, and execute) users can have to files and directories. This article, the first in a two-part series, examines how file permissions are set and their impact on security; specific controls and monitoring techniques are discussed. The second article in this series will address how to mitigate the risks associated with startup files; it will also discuss the appropriate controls for such special files as device and link files and describe how to use a checklist file to monitor changes to files.

Introduction

All information pertaining to a UNIX file, with the exception of the file name, is listed in the information node (i-node). The i-node contains the file's permissions, link count, ownership, size, and the a-time, m-time, and c-time of the file. (The a-time is the last time the file was read; the m-time is the last time the file was written or modified; and the c-time is the last time the i-node was written or modified.) Each i-node is distinguished by a unique number called the i-node number. The i-node numbers range from 2 (the root i-node) to 65535. The i-node acts as a pointer to the actual file data. A directory is a special type of file that contains a listing of i-node numbers and their related file names. Directories have their own set of permission bits and their own i-node number. The directory provides the link between the file name and the i-node number.

File Permissions

Each file and directory has two bytes allocated to it that are associated with the file's permissions and identity. These two bytes are divided into octals (i.e., sets of three bits whose additive value ranges from 0 to 7). The octals are arranged as shown in Exhibit 1. The extra bit and the high-order (fifth) octal determine the file type (e.g., file, directory, special, character device, block device, or link). The next octal (the fourth) grants increased permissions to the file (set-user-id, set-group-id, or sticky bits). The last three octals determine the permissions for the file. The third, second, and first octals set the permissions for the user (i.e., the owner), the group, and all others (i.e., the world), respectively.

Exhibit 1. File Permission Bit Structure

There are three permissions for each of the three user areas (user, group, and world) on each file and directory:

• r (read). This permission bit allows the file to be accessed or copied. In the case of a directory, this permission bit allows the names of the files in the directory to be listed.

• w (write). This permission bit allows the file contents to be modified. In order for a file to be created, deleted, or renamed, the write permission must be set on the parent directory.

• x (execute). This permission bit allows the file or directory to be executed. Programs contained in the file can be run. Binary files (e.g., compiled programs) require only the execute bit to be set. Other programs, such as shell scripts, must also have the read permission bit set to run, because the shell under which the program is running must read the program in order to run it. The execute permission allows directories to be accessed (e.g., to search the directory). Without this permission set, the user cannot change directory into it. (It should be noted that for directories, the read permission bit makes the files visible and the execute bit makes them accessible.)

Special features may be given to a file or directory by setting the bits in the fourth octal:

• suid (set-user-id). With this permission bit set, the user executing the file gains the permissions of the owner of the file, allowing users to execute programs they would not normally have the privilege to run. While running the program, the user's effective ID is that of the owner of the file. For this reason, it is extremely important that the program cannot execute a shell (i.e., a shell escape). If a person performs a shell escape, the new shell retains the effective ID of the suid program. If the owner of the program is root, shell escapes could lead to a devastating breach of the integrity of the system and data. Examples of suid programs are passwd, mail, and ps. The suid bit has no meaning for files and directories that are not executable.

• sgid (set-group-id). As with the suid bit, the user executing the file gains the permissions of the owner's group associated with the file. The sgid bit has no meaning for files that are not executable. SunOS gives special meaning to the sgid bit when it is set on directories. Under the System V rules, a file created in a directory is assigned the group ID of the creating user as defined in the /etc/passwd file. The UNIX Berkeley Software Distribution (BSD) method assigns the group ID of the directory in which the file is created. Without the sgid bit set on the directory, the group is assigned in accordance with the UNIX System V mechanism; with the sgid bit set, the BSD mechanism is used.

• sticky bit. With the sticky bit set, the text image of a program remains in memory. The sticky bit was designed to increase the performance of commonly called binaries. With the text image already in memory, the program starts up more quickly in subsequent executions. Problems can be encountered if too many files are sticky; memory or swap space could be filled with overuse. Since directories are not executable (they are only read into memory when listed or searched), retaining them in memory has no purpose. SunOS and System V versions of UNIX have therefore given the sticky bit a different meaning on directories. If the sticky bit is set on a directory that is group- or world-writable, only files owned by the user may be moved or removed by that user. This can give more security to directories that must be writable by all.

The fifth octal and the extra bit determine the file type. A dash (-) is used to designate an ordinary file. The d designator shows that a file is a directory. The b, c, s, and p designators are used with special device files. They represent block devices, character devices, sockets, and ports, respectively.

Listing Directories

The ls command is used to list the contents of directories. The ls command can be executed with several options to produce various outputs.
Typing ls without arguments creates a listing of only the file names, as shown in this example:

$ ls /usr/doug
BART         chicken      lock.c       thirty_days
FILES        craker_pgm   policy       tmp
appendix_d   holes        pwage
check_files  lock         pwage.c

The -i argument lists the files and their i-node numbers, as shown here:

ls -i /usr/doug
23564 BART         23577 craker_pgm   23593 pwage
23591 FILES        23574 holes        23589 pwage.c
23587 appendix_d   23586 lock         23595 thirty_days
23575 check_files  23576 lock.c
23579 chicken      23598 policy

To produce a long listing of the directory, add the -l argument. The -a argument can be used to print all the files, including those that would normally be hidden (dot files, so named because of the leading dot). Some systems include the group name in the long listing; other versions of UNIX require the use of a -g argument.

ls -lag /usr/doug
total 256
drwx--x--x  5 doug  201    1024 Mar 28 06:39 .
drwxr-sr-x 20 root  201    1536 Mar 19 17:01 ..
-rw-------  1 doug  doug    148 Mar 28 06:39 .Xauthority
-rw-r--r--  1 doug  doug    217 Jun 30  1992 .cshrc
-rw-r--r--  1 doug  doug    294 Nov 18 21:49 .login
-rw-r--r--  1 doug  201     900 Oct 22 16:22 .mailrc
-rw-r--r--  1 doug  doug    186 May 18  1992 .profile
-rw-r--r--  1 doug  201      12 Sep  3  1992 .rhosts
drwxr-xr-x 11 doug  201     512 Feb 25 16:45 .wastebasket
-r--------  1 doug  kmem     44 Mar 28 06:39 .xnews.tiger:0
-rw-r--r--  1 doug  doug    790 May 22  1992 BART
-rw-r--r--  1 doug  201    5527 Mar 28 02:58 FILES
-rw-r--r--  1 doug  201    3007 Oct 13 12:34 appendix_d
-rw-r--r--  1 doug  201    2363 Aug 25  1992 check_files
-rw-r--r--  1 doug  201    1253 Sep  4  1992 chicken
-rw-r--r--  1 doug  201    4446 Aug 25  1992 craker_pgm
-rwsr-xr-x  1 root  201    1420 Aug 25  1992 holes
-rwxr-xr-x  1 doug  201   24576 Sep 21  1992 lock
-rw-r--r--  1 doug  201     818 Sep 21  1992 lock.c
-rw-r--r--  1 doug  201   54757 Aug 12  1992 policy
-rwxr-xr-x  1 doug  201   24576 Sep 29 15:36 pwage
-rw-r--r--  1 doug  201     941 Oct 22 16:16 pwage.c
-rwxr-xr-x  1 root  201     244 Dec 18 15:59 thirty_days

The file type and permissions are displayed in the first field, followed by the number of links to the file, the file owner, the file's group, the size, the date and time of the last modification, and the file name. (It should be noted that the -R argument recurses the listing through the various subdirectories.)

File Types and Permissions

The file type and permission bits are listed as the file type followed by the user's, group's, and world's permissions, as shown in Exhibit 2. (In the exhibit, the letter r signifies read, w signifies write, and * signifies execute.) If the suid bit is set, the * in the user's permissions is replaced by an s to indicate that the suid bit is turned on. Likewise, if the sgid bit is set, the * in the group permissions is replaced by an s. A t replaces the * in the world area to denote that the sticky bit is set. When the underlying execute bit is set, the s and t appear as lowercase letters. The letters are capitalized when the execute bit is not set.

Exhibit 2. Permissions

The chmod Command

The permission bits, or mode, of a file may be altered with the chmod command. The chmod command takes two required arguments, the first indicating the permissions to change and the second indicating the file or directory to be changed. The mode of the file may be represented as either absolute or symbolic. The absolute mode uses the actual value of each bit in the octal and is represented by a single number for each octal. Therefore, the values of the permissions in the octal (read, write, and execute) are added together to produce the octal value. To use the absolute mode, at least the octals of the user, group, and world must be present.

• Permissions for the user:

  r - 400
  w - 200
  x - 100

• Permissions for the group:

  r - 40
  w - 20
  x - 10

• Permissions for the world:

  r - 4
  w - 2
  x - 1

Using the absolute mode, the permissions shown in Exhibit 2 are expressed as follows:

  user    r - 400   w - 200   x - 100
  group   r - 040   w - 020   - - 000
  world   - - 000   - - 000   x - 001
                                  761

Therefore, the command line to set a file's permissions to those of the example above is:

  chmod 761 filename

(If one or more of the permission octals is missing, UNIX assumes that it has a value of zero and deletes all permissions in that octal. The command chmod 1 filename is the same as chmod 001 filename.)

The symbolic mode uses the symbolic representations of the permissions (r, w, and x). As opposed to the absolute mode, the symbolic mode allows the user to change a specific permission bit without specifying the others. The plus (+) and minus (-) signs are used to add or remove a permission. The first argument, referred to as the who argument, specifies whose permissions will be changed. This can be done one class at a time or in combination. If the who argument is omitted, UNIX assumes the all option by default. The who argument symbols include:
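As an added example (not from the article), the following shell functions turn an ls -l mode string into the four-octal absolute mode described above, applying the s/S and t/T rules from the previous section, and pick the suid, sgid, and sticky entries out of a constructed listing; the function names and the sample listing are my own.

```shell
#!/bin/sh
# Added example, not from the article.  Converts an ls -l mode string such
# as "-rwsr-xr-x" into the absolute (four-octal) mode that chmod accepts,
# e.g. 4755: an "s" or "t" in an execute position means the special bit is
# set, and lowercase means the execute bit is set as well.  Function names
# (triplet_value, mode_to_octal, special_files) are my own.

# Value of one rwx triplet: r=4, w=2, x (or lowercase s/t, which implies x)=1.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# Full mode: special octal (suid=4, sgid=2, sticky=1) then user, group, world.
mode_to_octal() {
    m=$1
    u=$(printf '%s' "$m" | cut -c2-4)
    g=$(printf '%s' "$m" | cut -c5-7)
    o=$(printf '%s' "$m" | cut -c8-10)
    sp=0
    case "$u" in ??[sS]) sp=$((sp + 4)) ;; esac
    case "$g" in ??[sS]) sp=$((sp + 2)) ;; esac
    case "$o" in ??[tT]) sp=$((sp + 1)) ;; esac
    printf '%d%d%d%d\n' "$sp" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# Read ls -l lines on stdin and print "octal owner name" for every entry
# whose mode carries a suid, sgid or sticky bit.  Capital S/T (special bit
# without execute) are included, since those are the odd ones in a review.
special_files() {
    while read -r mode links owner rest; do
        case "$mode" in
            ???[sS]*|??????[sS]*|?????????[tT])
                set -- $rest            # group size month day time name
                printf '%s %s %s\n' "$(mode_to_octal "$mode")" "$owner" "$6" ;;
        esac
    done
}

# Constructed listing in the format of the ls -lag output shown earlier.
SAMPLE_LISTING='-rwsr-xr-x  1 root  201    1420 Aug 25  1992 holes
-rwxr-xr-x  1 doug  201   24576 Sep 21  1992 lock
-rwxr-sr-x  1 doug  kmem   4096 Mar 28  1993 meminfo
drwxrwxrwt  5 root  201    1024 Mar 28 06:39 tmp
-rwSr--r--  1 doug  201     100 Mar 28 06:40 odd'

printf '%s\n' "$SAMPLE_LISTING" | special_files
```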

  u   The user's (owner's) permissions.
  g   The group permissions.
  o   Other (the world) permissions.
  a   All of the above; can also be written ugo.

The second argument is the operation argument; it includes:

  +   Adds the specified permission.
  -   Removes the specified permission.
  =   Explicitly assigns the permission, removing any not specified.

Only one operation argument may be used. The third argument is the permissions argument; it includes:

  r   Read.
  w   Write.
  x   Execute.
  X   Gives execute permission if the target is a directory or the file is already executable (the execute bit is on in one of the other classes).
  s   Turns on the set-user-id bit when used with u, or the set-group-id bit when used with g.
  t   Sets the sticky bit.

To add the write permission to the group and the world, the following command is entered:

  chmod go+w filename

To remove the write permission from all classes, one of these commands is used:

  chmod ugo-w filename
  chmod a-w filename
  chmod -w filename

On most newer versions of UNIX, the -R option can be used to add or remove permissions recursively through a directory tree. To remove the write permission from the world on all directories and files under a certain directory, use:

  chmod -R o-w directory

The find Command

One of the most useful commands for finding security holes in the file system is the find command. The syntax for the find command is:

  find directory(s) ... expression

The find command recursively descends the directory hierarchy of each directory specified, generating a list of all pathnames for which the Boolean expression returns true. The expression is made up of primaries and operators. Some of the primaries that can be used with the find command are as follows:

• -name pattern. Returns true if the last component of the pathname matches the listed pattern. The * may be used for file name expansion (*.c matches all files ending in .c).

• -perm mode. Returns true if the mode (permissions) of a file matches the listed mode.

• -type type. Returns true if the type of a file matches the listed type: d (directory), f (file), b (block special file), c (character special file), l (symbolic link), p (port), or s (socket).

• -print. Always true. Displays the pathname of each match; without this primary, the file is found but not displayed.

• -exec command [argument]. Returns true if the executed command exits with a status of zero. The {} argument is replaced by the current pathname when the command is executed.

• -user username. Returns true if the owner of a file matches the listed user.

• -nouser. Returns true if the owner of a file does not match a user on the system.

• -size n. Returns true if the size of a file matches n.

• -mtime n. Returns true if the file was modified in the last n days.

A plus (+) sign in front of a number n finds all files greater than n. A minus (-) sign in front of a number n finds all files less than n. A number n without a plus or minus sign means exactly n. Logical operators may be used in conjunction with the primaries to form complex Boolean expressions. These operators are:

  !          Unary negation operator.
  -a         Binary and operator.
  -o         Binary or operator (-a has a higher precedence than -o).
  \( ... \)  A parenthesized group of primaries and operators (parentheses are special to the shell and must be escaped).

To create a listing of all directories under the root (/) directory that are world-writable, the following command is used:

  find / -type d -perm -2 -print

The minus (-) sign on the mode tells the find command that it only cares whether the write (2) bit is on in the last permission octal, whatever the other bits are. This could also have been written -000002. If the security administrator is looking for the group-writable permission bit, he or she should substitute either -20 or -000020. To find all the files, directories, and special device files that are group- and world-writable in the group user (excluding symbolic links, ports, and sockets), this command is used:

  find / \( -perm -20 -o -perm -2 \) -group user \! \( -type l -o -type p -o -type s \) -print

The find command can not only find files but also execute a command on each file found. To find all the files, directories, and special device files that are group- and world-writable in the group user and at the same time remove the write permission, this command is entered:

  find / \( -perm -20 -o -perm -2 \) -group user \! \( -type l -o -type p -o -type s \) -exec chmod go-w {} \;

To write all the files under the /usr/doug directory to tape, this command sequence is used:

  find /usr/doug -mount -print -cpio /dev/rmt?h
  cpio -iBvt < /dev/rmt?h

The suid and sgid Files

It is unrealistic to require the system administrator to execute all the programs that require root privileges. On the other hand, it is equally unsafe to give everyone root privileges. To solve this problem, UNIX provides suid (set-user-id) and sgid (set-group-id) programs. These programs enable unprivileged users to accomplish tasks that would normally be impossible or that would require special support from the kernel. During the execution of the program, the user receives the effective user ID (uid) of the owner of the program. suid and sgid files allow the average user to do such things as write to the /etc/passwd file to change his or her password, access file system devices using the df command, send mail, and create new directories.

Every process running on a UNIX system has four labels for the identity of the user invoking that process: the real uid, the effective uid, the real gid, and the effective gid. When a user logs in, the suid root program /bin/login assigns the user a real user ID according to the /etc/passwd file entry for that user. Normally any process started by that user inherits the ID of the user. If the user starts an suid program, the child process spawned has the effective ID of the program's owner. In the case of the /bin/passwd program (an suid root program), any request made by the process is effectively made by root. While the process is running, the user has his or her log-in ID as the real ID and a user ID of 0 (i.e., root) as the effective ID. When the process completes, both the real and effective user ID are again his or her log-in ID. The real and effective user ID normally remain the same; the child process receives the ID of the parent process spawning it. With suid programs, the child process takes on the user ID of the owner of the suid program. The following ls command illustrates this:

  ls -lg /bin/passwd
  -rwsr-xr-x  5 root  staff  32768 Apr 23  1993 /bin/passwd

                  parent     child process
                  /bin/sh    /bin/date
  real uid        doug       doug
  real gid        prog       prog
  effective uid   doug       root
  effective gid   prog       prog

There may be as many as 50 suid files on a given system, depending on how many third-party applications are running. The danger to the system from suid files arises from their design. System suid files allow the user to perform privileged operations, but in a very restricted way. For example, the /bin/passwd program, suid 0, allows the user to change only one field in a single entry of the /etc/passwd file. A problem arises when users working as root create an suid program, such as a shell script. Anyone who can run this program will have access to root privileges through the program. If the program was not constructed correctly, the user may be able to invoke a shell escape. A shell escape allows the user to invoke a new child shell without leaving the program. The new shell inherits the uid of the parent program (i.e., the suid program) and runs as a privileged user. Suid and sgid shell scripts are very dangerous. Several UNIX features, including interrupts, job control, and symbolic links, can be used to gain uncontrolled access to protected files. In essence, shell scripts cannot be made secure. Therefore, suid and sgid shell scripts should never be allowed on the system. If an suid or sgid program is needed, the user should write a C program. The security administrator can identify suid and sgid programs by entering:

  find / \( -perm -4000 -o -perm -2000 \) -print > /etc/suidfiles

A sample listing is shown in Exhibit 3.

Exhibit 3. Sample suid Program Listing

  cat /etc/suidfiles
  /usr/bin/newgrp
  /usr/bin/login
  /usr/bin/mail
  /usr/bin/passwd
  /usr/bin/at
  /usr/bin/chsh
  /usr/bin/chfn
  /usr/bin/ypchsh
  /usr/bin/ypchfn
  /usr/bin/crontab
  /usr/bin/atq
  /usr/bin/atrm
  /usr/bin/cu
  /usr/bin/tip
  /usr/bin/su
  /usr/bin/cancel
  /usr/bin/lpstat
  /usr/bin/yppasswd
  /usr/bin/uucp
  /usr/bin/uuname
  /usr/bin/uustat
  /usr/bin/uux
  /usr/ucb/lpr
  /usr/ucb/opq
  /usr/ucb/lprm
  /usr/ucb/quota
  /usr/ucb/rcp
  /usr/ucb/rdist

The security administrator should then review /etc/suidfiles, identify any suid and sgid shell scripts, and examine and remove any questionable files. This process establishes a baseline of the authorized suid and sgid files on the system. By using the following sequence of commands, the security administrator can identify any changes to the list:

  find / \( -perm -4000 -o -perm -2000 \) -print > /etc/current-suid-files
  diff /etc/suidfiles /etc/current-suid-files
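As an added example (not from the article), the baseline-and-diff procedure above and the world-writable directory search from the find section are run here against a constructed directory tree under a temporary directory, so the checks can be exercised without root and without touching the real file system; make_tree, list_special, world_writable_dirs, check_drift, and demo are my own names.

```shell
#!/bin/sh
# Added example, not from the article.  Runs the article's suid/sgid
# baseline and world-writable checks against a constructed directory tree
# under a temporary directory.  Function names are my own.

# Build the tree: two "system" binaries with suid/sgid set, a user home
# directory left world-writable, and a sticky world-writable tmp.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/home/doug" "$root/tmp"
    printf 'echo holes\n' > "$root/bin/holes"; chmod 4755 "$root/bin/holes"
    printf 'echo lpr\n'   > "$root/bin/lpr";   chmod 2755 "$root/bin/lpr"
    printf 'policy\n'     > "$root/home/doug/policy"
    chmod 644  "$root/home/doug/policy"
    chmod 1777 "$root/tmp"        # world-writable but sticky: only the owner may remove
    chmod 777  "$root/home/doug"  # world-writable with no sticky bit
    printf '%s\n' "$root"
}

# The article's baseline expression, limited to regular files and printed
# relative to the tree root so results are comparable between runs.
list_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed "s|^$1||" | sort
}

# World-writable directories without the sticky bit (the article's
# find / -type d -perm -2, narrowed to those where anyone can remove files).
world_writable_dirs() {
    find "$1" -type d -perm -2 ! -perm -1000 -print | sed "s|^$1||" | sort
}

# Compare a saved baseline with the current list, as the article does with diff.
check_drift() {   # $1 = baseline file, $2 = tree root
    list_special "$2" > "$2.current"
    if diff "$1" "$2.current"; then
        echo "suid/sgid set unchanged"
    else
        echo "suid/sgid set has changed: review the lines above"
    fi
}

demo() {
    root=$(make_tree) || return 1
    list_special "$root" > "$root.baseline"
    echo "world-writable, non-sticky directories:"; world_writable_dirs "$root"
    # Reproduce the change the article warns about (a program copy made suid
    # in a home directory) and confirm the baseline comparison reports it.
    cp "$root/bin/holes" "$root/home/doug/sh"; chmod 4755 "$root/home/doug/sh"
    check_drift "$root.baseline" "$root"
    rm -rf "$root" "$root.baseline" "$root.current"
}

demo
```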

Monitoring Techniques

It is important to keep constant vigilance. Intruders will try to add suid and sgid files to the system so they can gain uncontrolled access to files. One method is to hide a wolf among the chickens, giving the suid or sgid file the same name as a legitimate program but a different location. Because only the owner and the superuser can add the suid and sgid bits to a file's mode, hackers also attempt to get a legitimate user to create the suid or sgid file, either by means of a Trojan horse or by accessing an unattended terminal. Either way, the command sequence is:

  cp /bin/sh /usr/doug/sh
  chmod 4755 /usr/doug/sh

In this example, the Bourne shell (/bin/sh) is copied to the file /usr/doug/sh. The owner of /usr/doug/sh is the user of the terminal (whoever is logged in). The permissions of /usr/doug/sh are then changed such that the suid bit is set and the file is world-executable; /usr/doug/sh can now be executed by anyone, and it invokes a new shell with the effective uid of the original user. If that user is root, the hacker now has an suid file giving him or her unlimited access to the system. Anyone is susceptible to this ploy. Senior executives may know to lock their desk, files, and office door, but they often don't give a second thought to the dangers of remaining logged in. A check for unattended terminals can be run using the w command, as shown in this example:

  w
   10:59am  up 34 mins,  7 users,  load average: 0.72, 0.58, 0.61
  User   tty        login at  idle  JCPU  PCPU  what
  carl   console    10:29am   32                /usr/stk/.hppa/bin/stkjobd
  carl   pty/ttysd  10:30am   11    1     1     emacs
  stk    pty/ttyse  10:30am   2                 -bash
  carl   ttyp2      10:30am                     -bash
  dougp  ttys0      10:59am                     w
  carl   pty/ttysc  10:36am   20                rlogin salty
  rootb  ttyp3      10:50am   7     2     2     -bash

In this example, the first line reports the time the w command was executed, the total elapsed time since the last bootup, the number of users logged in, and the load average over the last one, five, and fifteen minutes. The next lines identify the users, when they logged in, and how long they have been idle. A program that logs users out after fifteen minutes of inactivity can easily be written for UNIX System V Release 3.2 or 4.0, as follows:

  cat /etc/timeout
  kill -1 `who -u | sed -e 's/://' -e 's/://' | awk '$6 > 15 {print $7}'`

The program should be run by the superuser; it does not work on hosts running BSD. The program can be placed in the crontab file (a chronological table that associates programs with times; it is used for scheduling) and executed every fifteen minutes. The crontab entry looks like:

  5,20,35,50 * * * * /etc/timeout
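As an added example (not from the article), here is the idle-time selection behind the /etc/timeout script, applied to constructed System V who -u output so it can be checked without real sessions; WHO_SAMPLE, idle_pids, and timeout_dry_run are my own names, and the who -u column layout is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not from the article.  The idle-time test at the heart of
# /etc/timeout, applied to constructed "who -u" output.  Assumed column
# layout (one session per line):
#   name  line  month day time  idle  pid  [comment]
# where idle is h:mm, "." for a session active within the last minute, or
# "old" for one idle more than 24 hours.  Names below are my own.

WHO_SAMPLE='doug     ttyp1     Mar 28 06:39    .     1234
carl     ttys0     Mar 28 05:10   0:32   2211
stk      ttys1     Mar 28 05:20   0:02   2345
rootb    ttyp3     Mar 27 10:50   old    3101
dougp    ttys2     Mar 28 06:41   1:05   3321'

# Read who -u lines on stdin; print the pid of every session idle longer
# than $1 minutes (default 15).  The article's one-liner strips the colons
# and compares the remaining digits as a number; this converts h:mm to
# minutes instead, so limits of an hour or more also work.
idle_pids() {
    awk -v limit="${1:-15}" '
        $6 == "."   { next }                      # active now
        $6 == "old" { print $7; next }            # idle more than a day
        {
            split($6, t, ":")
            if (t[1] * 60 + t[2] > limit) print $7
        }'
}

# What the cron job would do, shown as a dry run instead of kill -1.
timeout_dry_run() {
    printf '%s\n' "$WHO_SAMPLE" | idle_pids 15 |
        while read -r pid; do printf 'would run: kill -1 %s\n' "$pid"; done
}

timeout_dry_run
```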

Conclusion

The UNIX file system is a complex and ever-changing entity. The security administrator must understand how file permissions are established and maintained, and must monitor the system to identify changes and understand their implications. Although this can require a substantial commitment of time and effort, it is essential to ensure the security and integrity of data residing on these systems.

Author Biographies

Douglas G. Conorich is the UNIX product manager with Raxco, Inc., in Orem, Utah. Conorich served for 20 years in the US Air Force as a computer systems engineer specializing in information security. In the last 10 years, he has focused on UNIX and VAX platforms. He has also taught classes in information security management.