File System Security
THE UNIX FILE SYSTEM
In the UNIX operating system there is no notion of separate disk drives. After the boot process, all directories and files are mounted and form one unified file system that starts at the root '/'.
SUN OS File System
Sun Microsystems Inc.   SunOS 5.6   Generic August 1997
$ df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0t0d0s0     192799  131990   41530    77%    /
/dev/dsk/c0t0d0s6     962983  477544  427661    53%    /usr
/proc                      0       0       0     0%    /proc
fd                         0       0       0     0%    /dev/fd
/dev/dsk/c0t0d0s3     289207  115445  144842    45%    /var
/dev/dsk/c0t0d0s5     465775   28807  390391     7%    /opt
/dev/dsk/c0t0d0s7    1290127  233611 1004911    19%    /other
/dev/dsk/c0t0d0s1     311983  203961   76824    73%    /usr/openwin
swap                  418136     120  418016     1%    /tmp
/dev/dsk/c0t1d0s2    4124422 2359571 1723607    58%    /squid
$
Linux File System
[citd@server citd]$ df -k
Filesystem         1024-blocks     Used Available Capacity Mounted on
/dev/sda1               447044    45006    378948      11% /
/dev/sda6               496627   119068    351909      25% /export
/dev/sda5               496627   405042     65935      86% /usr
/dev/sda7               492657   329963    137249      71% /var
[citd@server citd]$
/-------+
        !-------/bin
        !-------/sbin
        !-------/usr-------/usr/bin
        !           !------/usr/sbin
        !           !------/usr/local
        !           !------/usr/doc
        !-------/etc
        !-------/lib
        !-------/var-------/var/adm
                    !------/var/log
                    !------/var/spool
CORRESPONDENCE BETWEEN DISK PARTITIONS AND THE FILE SYSTEM STRUCTURE
[Figure: disk partitions mapped onto the directory tree. Separate partitions hold /, /usr, /usr/home and /squid, each mounted at the directory of the same name; the CD is mounted at /mnt/cdrom under /mnt.]
INTRODUCTION TO THE IMPORTANT UNIX DIRECTORIES
/ (ROOT DIRECTORY)
/bin
/sbin
/usr/bin
/usr/sbin
/var
/var/log
/var/adm
/home
/export/home (SUNOS)
Unix file and directory permissions and ownership
(directory and file permission and ownership)
Output of the ls -l command
-rw-r--r-- 1 fido users 163 Dec 7 14:31 myfile
When a file or directory is created, it carries the owner and group of the user who created it. The permissions granted to user, group and other depend on the value of umask.
Umask and file access permissions
Example:
[tnminh@pasteur tnminh]$ umask
002
[tnminh@pasteur tnminh]$ echo "tao mot file" > tmp
[tnminh@pasteur tnminh]$ ls -l
total 5472
-rw-rw-r-- 1 tnminh tnminh 13 Oct 3 21:55 tmp
[tnminh@pasteur /etc]$ umask 022
[tnminh@pasteur tnminh]$ echo "tao mot file khac" > tmp1
[tnminh@pasteur tnminh]$ ls -l
-rw-rw-r-- 1 tnminh tnminh 13 Oct 3 21:55 tmp
-rw-r--r-- 1 tnminh tnminh 18 Oct 3 21:59 tmp1
Numeric form of file and directory access permissions
File access permissions are split into three numeric groups: one for the owner (user), one for the group, and one for everyone else (others).
read permission      4
write permission     2
execute permission   1
Thus:
0 or ---: No permissions at all
4 or r--: read-only
2 or -w-: write-only (rare)
1 or --x: execute
6 or rw-: read and write
5 or r-x: read and execute
3 or -wx: write and execute (rare)
7 or rwx: read, write, and execute
Changing file and directory attributes
Relative (symbolic) changes:
chmod g+w myfile    adds write permission for the group of myfile
chmod o-x myfile    removes execute permission for others on myfile
Absolute (numeric) changes:
chmod 644 myfile => myfile will have permissions rw-r--r--. Admins should prefer the absolute form because it is safer: the resulting mode does not depend on what was there before.
For directories, the operations are exactly the same.
chown changes the owner of a file,
chgrp changes the group of a file.
setuid and setgid bits
Set-user-id: set-user-id means that when the program runs, it has the privileges of the file's owner, no matter who invoked the program.
Example:
$ ls -l /usr/sbin/sendmail
rwsr-xr-x root root sendmail
Similarly, set-group-id gives the running program the privileges of the program file's group.
The fourth (leading) octal digit encodes these bits: 4 = setuid; 2 = setgid.
If /bin/sh had its setuid bit set, everyone would be root, because /bin/sh is owned by root and every user runs /bin/sh at login.
setgid on a directory = files created in this directory get the same group as the directory's group
setuid on a directory = no effect
Sticky bit = a user may delete only the files they own. Example: /tmp
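The umask example above and the setuid/setgid/sticky passage both come down to the same 12 mode bits. The following decoder is an added example (not code from the original slides): it computes the mode a new file or directory receives for a given umask, and renders any mode the way ls -l shows it, including the s/S and t/T forms of the special bits.

```python
import stat

# Added example, not from the original slides. The default creation modes
# are the classic Unix values (0666 for files, 0777 for directories) that
# the umask is masked out of.
DEFAULT_FILE_MODE = 0o666
DEFAULT_DIR_MODE = 0o777


def create_mode(umask, is_dir=False):
    """Permission bits a newly created file/directory gets under `umask`."""
    base = DEFAULT_DIR_MODE if is_dir else DEFAULT_FILE_MODE
    return base & ~umask & 0o777


def mode_to_string(mode):
    """Render the low 12 mode bits like `ls -l` does (rwsr-xr-x, rwxrwxrwt, ...)."""
    out = []
    for shift, special, special_char in ((6, stat.S_ISUID, "s"),
                                         (3, stat.S_ISGID, "s"),
                                         (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            # lower-case when execute is also set, upper-case when it is not
            out.append(special_char if bits & 1 else special_char.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def describe_octal(digit):
    """Meaning of one octal permission digit, as in the slide's 0..7 table."""
    names = []
    if digit & 4:
        names.append("read")
    if digit & 2:
        names.append("write")
    if digit & 1:
        names.append("execute")
    return ", ".join(names) or "no permissions"


if __name__ == "__main__":
    for um in (0o002, 0o022):
        print(f"umask {um:03o} -> new file {mode_to_string(create_mode(um))}")
    for m in (0o4755, 0o4511, 0o6755, 0o1777):   # sendmail, passwd, procmail, /tmp
        print(f"{m:05o} -> {mode_to_string(m)}")
```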
Securing the system by checking the setuid and setgid bits
•Find files with the setuid bit set
•find / -perm -4000 -exec ls -l {} \;
•Similarly for setgid:
•Find files with no user
•find / -nouser -exec ls -l {} \;
•Find world-writable files
•find / -perm -2 -print
•Find files with no owner
•find / -nouser -print
-r-s--x--x   1 root     root        10704 Apr 15  1999 /usr/bin/passwd
-rws--x--x   2 root     root       517916 Apr  7  1999 /usr/bin/suidperl
-rws--x--x   2 root     root       517916 Apr  7  1999 /usr/bin/sperl5.00503
-rwsr-sr-x   1 root     mail        64468 Apr  7  1999 /usr/bin/procmail
-rwsr-xr-x   1 root     root        14036 Apr 16  1999 /usr/bin/rcp
-rwsr-xr-x   1 root     root        10516 Apr 16  1999 /usr/bin/rlogin
•Note: never give shell scripts setuid or setgid. If setuid or setgid is really needed, write the program in C or an equivalent compiled language.
Some "dangerous" files. Trusted hosts
•/etc/hosts.equiv: a user coming from a host whose IP is listed in this file, and who has the same account name, can use rlogin and rsh on this machine without entering a password. Fortunately, root is an exception.
•.rhosts: like /etc/hosts.equiv, but checked per host-user pair. In particular, a user can create .rhosts without going through the admin. Therefore the creation of .rhosts files in home directories should be completely forbidden.
Checksum and checklist
•The sum command lets us check whether a file's content has changed. This helps detect viruses, because a virus generally has to change the content of a file.
•Run sum on directories whose content should never change in principle, such as /sbin and /bin. Record the results in a file and use it later to find the files whose checksum has changed.
•A checklist (produced with the ls command) lets us find changes to the system files. As with the checksums, we should create a checklist file right from the start. This way we will notice newly created files that are not legitimate.
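A small baseline tool in the spirit of the sum checksum file and the ls checklist described above, as an added example (not from the slides): it records a SHA-256 digest plus the ls-visible metadata for every regular file under a directory, and a later comparison reports changed, added and removed files in one run. The file names and the baseline path are placeholders chosen for the example.

```python
import hashlib
import json
import os
import stat

# Added example, not part of the original slides: checksum + checklist
# baseline for a directory such as /bin or /sbin.


def scan(root):
    """Return {relative path: record} for every regular file under root."""
    records = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, devices, sockets
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            records[os.path.relpath(path, root)] = {
                "sha256": digest,             # content, what `sum` would catch
                "mode": st.st_mode & 0o7777,  # permissions incl. setuid/setgid
                "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            }
    return records


def save_baseline(root, baseline_file):
    """Write the checklist/checksum record; keep this file off the host."""
    with open(baseline_file, "w") as f:
        json.dump(scan(root), f, indent=1, sort_keys=True)


def compare(root, baseline_file):
    """Return (changed, added, removed) relative paths versus the baseline."""
    with open(baseline_file) as f:
        old = json.load(f)
    new = scan(root)
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    return changed, added, removed


if __name__ == "__main__":
    save_baseline("/bin", "bin-baseline.json")   # placeholder output path
    print(compare("/bin", "bin-baseline.json"))
```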
Access Control List (ACL)
•This is a newer Unix standard that allows access rights on the file system to be assigned in finer detail than traditional Unix permissions. For example, it allows the whole group ggg to have read access while user uuu, a member of that group ggg, has read and write access.
•The two basic ACL commands are getfacl and setfacl.
•To add ACL entries to a file, use the command
•setfacl -m acl_entry_list filename
•To tell whether a file carries an ACL, ls -l shows
•-rw-r-----+ ...etc. The + sign indicates that the file uses an ACL
•ACLs can be used on SUN OS 5.6
Network File System (NFS)
NFS, the Network File System has three important characteristics:
It makes sharing of files over a network possible.
It mostly works well enough.
It opens a can of security risks that are well understood by
crackers, and easily exploited to get access (read, write and delete)
to all your files.
In principle, the NFS server trusts the NFS client and vice versa. Therefore, if either the NFS server or a client is compromised, this easily leads to the compromise of the whole NFS network.
NFS model
Server: eris. /etc/exports
/mn/eris/local apollon(rw)
Client: apollon
mount -o rsize=1024,wsize=1024 eris:/mn/eris/local /mnt
cd /mnt
ls -l
Or in /etc/fstab
# device              mountpoint  fs-type  options                dump  fsckorder
eris:/mn/eris/local   /mnt        nfs      rsize=1024,wsize=1024  0     0
NFS Client Security
nosuid option : the server's root user cannot make a suid-root
program on the file system, log in to the client as a normal user and
then use the suid-root program to become root on the client.
Remote Procedure Call (RPC)-based services
- for the TCP and UDP protocols, the port number is 2 bytes (65536 max.)
- each RPC-based service has a unique 4-byte RPC service number (about 4294 M possible)
- the portmapper listens on port 111 (TCP and UDP)
- when an RPC-based server starts, it takes a TCP or UDP port and then tells the portmapper the mapping between its unique RPC number and the TCP/UDP port it has just obtained.
- when an RPC client wants to connect to an RPC-based server, it "asks" the portmapper and learns the TCP port on which the RPC-based server is listening.
- client and server then "forget" the portmapper and talk to each other directly.
- an intruder can bypass the portmapper
- See also -