Intrusion Detection: Network Security Beyond the Firewall:The Role of Access Control in Your Environment
function GetCookie (name)
{
var arg = name + "=";
var alen = arg.length;
var clen = document.cookie.length;
var i = 0;
while (i < clen)
{
var j = i + alen;
if (document.cookie.substring(i, j) == arg) {
var end = document.cookie.indexOf (";", j);
if (end == -1)
end = document.cookie.length;
return unescape(document.cookie.substring(j, end));
}
i = document.cookie.indexOf(" ", i) + 1;
if (i == 0) break;
}
return null;
}
var m1='';
var gifstr=GetCookie("UsrType");
if((gifstr!=0 ) && (gifstr!=null)) { m2=gifstr; }
document.write(m1+m2+m3);
Keyword
Title
Author
ISBN
Publisher
Imprint
Brief
Full
Advanced Search
Search Tips
Please Select
-----------
Components
Content Mgt
Certification
Databases
Enterprise Mgt
Fun/Games
Groupware
Hardware
IBM Redbooks
Intranet Dev
Middleware
Multimedia
Networks
OS
Prod Apps
Programming
Security
UI
Web Services
Webmaster
Y2K
-----------
New Titles
-----------
Free Archive
To access the contents, click the chapter and section titles.
Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98
function isIE4()
{
return( navigator.appName.indexOf("Microsoft") != -1 && (navigator.appVersion.charAt(0)=='4') );
}
function bookMarkit()
{
var url="http://www.itknowledge.com/PSUser/EWBookMarks.html?url="+window.location+"&isbn=0";
parent.location.href=url;
//var win = window.open(url,"myitk");
//if(!isIE4())
// win.focus();
}
Search this book:
Previous
Table of Contents
Next
IDs associated with a process can change during the course of program execution. The importance of this capability in UNIX and similar security models cannot be overemphasized. The ability to increase your security privileges by changing your EUID, EGID, RUID, or RGID is one of the basic notions in the UNIX security model. This privilege escalation mechanism is at the root (pun intended) of many UNIX hacks. The chief goal of most hacking attempts is to gain root privileges to exercise total control over the system. If you do not know or cannot guess the root password, the quickest path to becoming root is to log in as another user and find a way to change one of the UIDs to zerothe UID of the root user. Related hacks involve changing one of the IDs to any user or group on the system other than the current user. Even incrementally increasing your privileges to those of nonroot users might lead to eventually compromising the root account.
You can change who a UNIX system thinks you are in two ways:
You can explicitly change the IDs associated with a process by invoking library or kernel routines.
You also can let the system automatically change your identity based on access permissions that are set for program files on the system.
This latter technique is the one you will explore first as you investigate access control rules for UNIX files and directories.
UNIX File and Directory Permissions
The UNIX operating system provides a hierarchical virtual file system that might consist of multiple physical storage devices. Each entry in the file system represents a file or directory. The file abstraction is used in the normal sense as a container for data, but in UNIX, the file abstraction also encompasses other concepts such as sockets, character and block devices, and even system memory. Many major UNIX entities are implemented in the file system in one way or another.
The basic storage identifier is an inode that contains information about a file-system object. Each inode is associated with an owner UID and GID. These values are assigned when the file is created but can be changed later using the chown or chgrp command or with a corresponding library routine if invoked from a program. An inode can have only a single owner and a single group ID associated with it.
Traditional UNIX systems support DAC through the use of permission bits. Stored with each inode is a 16-bit mode word that controls access to the files represented by the inode. The least significant nine bits are the most important. Access control in UNIX can be specified for either the files owner, the files group, or all others. The three primary access modes are read (R), write (W), and execute (X). The interpretation for these modes varies for files and directories as shown in Table 3.1.
Table 3.1 Standard UNIX File Permissions
Permission
Allowed Action If Object Is a File
Allowed Action If Object Is a Directory
R (read)
Read contents of file
List contents of the directory
X (execute)
Execute file as a program
Search the directory
W (write)
Change file contents
Add, rename, create files and subdirectories
Notice that these interpretations lead to some interesting conditions. If you have execute permission for a directory but not read permission, you can run programs but only if you know the name of the program. You cannot search the directory or list its contents to find the name of the program. In addition, if the file or program you want to access is nested deep within several subdirectories, you must have execute permissions to traverse the directory path.
The ls command displays the permission bit settings for a file or directory. Additional arguments for ls cause it to reveal other inode attributes including file create date, last access time, and last change of any value in the inode (such as the files length). See Figure 3.1 for an example of a directory listing.
Figure 3.1 Sample UNIX directory listing.
In this example, the file entry for the file gunzip divulges important security information, such as the following:
The user who owns the file, the one whose name is bin.
The group owner of the file is also group bin (although it could have been a different group).
The file is composed of 110 512K blocks.
The last modification time of the file was Mar 09 at 17:28.
The files inode has a link count of 1, meaning that no other files on the system reference this inode (such as through a hard link).
The permissions are read, write, and execute for the owner; read and write for anyone in group bin; and only execute for any other user.
Another value that can be set in the inodes 16-bit mode field is the sticky bit. The original design of UNIX required that some directories be writeable by all users on the system. In general, this feature is not desirable in a software product. Nonetheless, the /tmp directory has always been writeable by anyone. To prevent users from deleting files that they do not own, the directorys sticky bit can be set. A command for setting the typical permissions for the /tmp directory would be as follows:
chmod 7777 /tmp
The first 7 sets the sticky bit and the remaining 7s respectively enabled read, write, and execute permissions for owner, group, and world (or user, group, and other). World-writeable directories are not recommended. If you must use them, at least set the sticky bit to prevent the malicious deleting of files.
Other mode bits that can be set include the set user ID and set group ID bits, SUID and SGID respectively. When a files SUID bit is enabled, program execution can result in increased privileges for the requesting user. Recall that as a normal user on the system, you do not have sufficient privileges to perform all tasks on a system. For example, normal users are not allowed to write a new password directly into the shadow password file. Instead, to change your password, you must execute a privileged program that changes the password on your behalf. Hopefully, the program is well behaved. If not, the flaw can be exploited by you or any interested hacker.
Previous
Table of Contents
Next
Products | Contact Us | About Us | Privacy | Ad Info | Home
Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.
Wyszukiwarka
Podobne podstrony:
088 092088 092092 Sanders Glenda Doktor Hunk092 93085 088088 COURT085 088086 0882 4 Układy hybrydoweid 088v 03 088087 092 zzhjfir6ptmapevkxbqtgyde3cqjmuka5gvkrua083 092088 089085 088088 89więcej podobnych podstron