Linux and UNIX Overview

Linux and UNIX Linux and UNIX OSs are… So we need to understand basics Often targets for attacks Often used for launching attacks So we need to understand basics Linux and UNIX Overview 2

UNIX A “beautiful but strange beast” Developed as research project by AT&T More than 35 years old Internet was built on UNIX Recently, popular for desktops, etc. Linux and UNIX Overview 3

UNIX It’s beautiful because… It’s powerful Millions of people have worked on it Huge numbers of useful tools “Been around the block” more than once Closely associated with open source Admins can find lots of useful tools Linux and UNIX Overview 4

UNIX Strange because so many UNIX OSs Popular variants include Solaris by Sun MacOS by Apple HP-UX by HP IRIX by sgi AIX by IBM FreeBSD, free open source OpenBSD, “the #1 most secure” OS Linux and UNIX Overview 5

UNIX Differences between UNIX variants Two main “lines” of UNIX File systems organization System calls, commands, command options, etc. Two main “lines” of UNIX AT&T and BSD But some UNIXs are combinations Linux and UNIX Overview 6

Linux Developed by Linus Torvalds Technically, not a variant of UNIX Created without using any of the underlying UNIX code A “UNIX-like environment” Strictly speaking, “Linux” is just the kernel Many Linux “distros”: Debian, Gentoo, Mandrake, Red Hat, Slackware, SuSE, etc. Linux and UNIX Overview 7

UNIX Here, generic UNIX/Linux concepts UNIX also strange because Things that apply to most UNIX/Linux UNIX also strange because Not designed for ease of use Think command line, not GUI Ironically, much simpler than Windows… If you think Windows is easier, you don’t know Linux… …and you don’t know Windows Linux and UNIX Overview 8

UNIX Here, we focus on generic “UNIX” Things that apply to most variants Book use “UNIX”, “Linux” interchangeably Here, we only scratch the surface For more info Linux Administration Handbook, by Nemeth Man pages Linux and UNIX Overview 9

Architecture File system Many things treated as files Like traveling thru a city… Directories are like signs leading you to “buildings” (files) Many things treated as files Devices, elements of processes, files Linux and UNIX Overview 10

File System Top is root directory: / == “slash” “cd /” takes you to root For example: /home/fred/hack.txt File hack.txt in directory /home/fred Linux and UNIX Overview 11

Important Directories / == root (top level), called “slash” /bin, /sbin == critical system exe’s /dev == devices, terminal, CD, etc. /etc == system config files Accounts, pwds, network addresses, etc. /home == user directories Linux and UNIX Overview 12

Important Directories /lib == shared libraries for programs /mnt == exported file systems temporarily mounted, removable devices (e.g., USB) /proc == images/data of current processes Not on hard drive---can see what kernel is doing /tmp == temporary files /usr == critical system files (utilities, man pages, …) /var == stores various types of files, often for administration (log files) Linux and UNIX Overview 13

Important Directories “.” is current directory “..” is parent directory One level up “ls” lists all files in directory “ls -a” lists “.” and “..” too Linux and UNIX Overview 14

Kernel UNIX and Linux are modular The core is the kernel Heart and brains of OS Deals with critical system functions E.g., hardware interactions, resource allocation, … Programs call on kernel for these things Linux and UNIX Overview 15

Processes For program, kernel starts a process Process is like a “bubble that contains the guts of a running program” Kernel creates bubble, inflates it and tries to keep bubbles from popping each other User programs, admin tools, services (e.g., Web, email) are processes May be 100s to 1000s of active processes Kernel juggles these into CPU, manages memory Linux and UNIX Overview 16

Processes High level view of architecture Linux and UNIX Overview 17

Processes Many processes run in background Perform system-critical functions Printing, network activity, etc. Known as “daemons” Pronounced “day-muns” or “dee-muns” Named based on their function E.g., SSH daemon is sshd Linux and UNIX Overview 18

Automatic Processes Booting: kernel starts init daemon Finishes boot process Init starts many network processes Httpd --- Web server, for http/https Sshd --- SSH service Sendmail --- common UNIX email server NFS --- Network File System for sharing files between UNIX systems Linux and UNIX Overview 19

Network Services Network service listens to network Web server listens on TCP port 80 Email server listens on TCP port 25 Wait for incoming traffic Lots of email/Web traffic, so they listen constantly What about, say, FTP? Linux and UNIX Overview 20

Network Services To improve efficiency… “Internet daemon” listens for uncommon services inetd (“I-Net-D”) or xinetd When traffic arrives, inetd activates appropriate service Uncommon services: echo, chargen, ftpd, telnetd, rsh, rlogin, TFTP, … Linux and UNIX Overview 21

inetd File /etc/inetd.conf tells inted what services to listen for: must specify Service name --- e.g., telnet (defined in /etc/services) Socket type --- type of connection? Protocol --- usually tcp or udp Wait status --- process handles multiple connection or not User Name --- name services should run as Server program and arguments inetd.conf is target of attacks Linux and UNIX Overview 22

inetd Relationship between inetd and other daemons Linux and UNIX Overview 23

cron Cron daemon Attackers also like cron Schedule programs to run at predetermined times For example, backup files at 3am Attackers also like cron E.g., shut down critical service at a particular time as part of back door Linux and UNIX Overview 24

Processes Can also start processes manually “path” is searched for command To see path: echo $path Dangerous to have “.” in path Why? Linux and UNIX Overview 25

Interacting with Processes Each process has process ID (PID) To get info on current processes “ps -aux” (all running processes) “lsof” (list of open files) Can send a signal to a process TERM to terminate, HUP to “hang up” (often rereads config), kill, killall, etc. Linux and UNIX Overview 26

Accounts Need an account to log in A process runs with permissions of a given account /etc/passwd file One line for every account, e.g., sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false Linux and UNIX Overview 27

Passwd File Each line contains Login name Hashed/encrypted password UID number --- number assigned to account, used to determine permissions of processes Default GID --- default group number GECOS info --- not used by system, names, etc. Home directory --- directory after login Login shell --- sh, bash, csh, ksh, or another program Linux and UNIX Overview 28

Passwd File Passwd file is world readable Attackers like to know hashed passwords Used for password guessing Most modern UNIX systems do not include hashed passwords in passwd file Instead, in “shadow” passwd file, /etc/shadow Requires super-user privilege to access So passwd file contains no passwords… Linux and UNIX Overview 29

Password File After much searching… Found my OS X hashed password is 0x3BBC2A94D59EB1D5D3452EA6FA47399B2A25664C Where SHA1 hash is used, with salt 0x8429A223 Extra credit: Find my password! Linux and UNIX Overview 30

Groups Group users together Assign permission to the group Stored in file /etc/group, format is Group name Hashed group password --- never used GID number --- used by the system instead of group name Group members --- by login names Linux and UNIX Overview 31

Root Root account is all-powerful user Maximum privilege --- can read, write any file Root == superuser or “God” UID == 0 “root” could be called anything, provided UID is 0 Can be multiple root accounts Linux and UNIX Overview 32

Permissions Every file has an owner and group Owner (or root) sets permissions Permissions: owner, group, everybody For each of the 3, read, write, execute Use “ls -l” to see permissions -rw-r--r-- 1 markstam markstam 767 Feb 6 19:31 cs286.txt drwxr-xr-x 40 markstam markstam 1360 Jan 25 17:33 docs Linux and UNIX Overview 33

Permissions Linux and UNIX Overview 34

Permissions Change permissions using chmod “change modes” Give new permissions in octal For example: chmod 745 foo This corresponds to: rwxr--r-x Linux and UNIX Overview 35

SetUID Sometimes user needs to access file and they do not have permissions Example: to change password (assuming hashes stored in shadow file) SetUID == Set User ID Use this so program will execute with permission of it’s owner As opposed to permission of user executing it Password changing program: SetUID root Linux and UNIX Overview 36

SetUID Gives “common” users lots of power OK if used in controlled way for specific tasks SetUID permissions appear before 9 standard permission bits In fact, 3 additional bits SetUID, SetGID, “sticky bit” For example: chmod 4745 foo Shows up in “ls -l” as an s: -r-sr-xr-x 1 root wheel 75636 Jan 11 2007 /usr/bin/passwd Linux and UNIX Overview 37

SetUID Attackers like SetUID programs May be possible to exploit flaws in code (buffer overflow) to elevate privilege New/modified SetUID programs may be evidence of attack Linux and UNIX Overview 38

Trust Relationships That is, trust between machines Can specify which machines to trust Bob trusts Alice Linux and UNIX Overview 39

Trust Relationships Unauthenticated access by users from trusted machine Since trusted machine (presumably) already authenticated the user If trusted, the r-commands (rlogin, rsh, rcp) require no password Also, r-commands do not encrypt How does Bob know trusted Alice is Alice? Linux and UNIX Overview 40

Logs and Audit Created by syslog daemon (syslogd) Typical log files Secure --- logins, successful and failed Message --- catch-all system log Individual app logs --- for specific apps Linux and UNIX Overview 41

Logs and Audit Forensic info also logged Attackers like to cover their tracks To do so, may need to manipulate… utmp --- who is logged in wtmp --- record of all logins and logouts lastlog --- time and location of each user’s most recent login Linux and UNIX Overview 42

Common Network Services Telnet --- command line remote access No encryption, session can be hijacked, … FTP --- file transfer Insecure, like telnet SSH --- encrypted “tunnel” Then safe to use unsafe services SSH version 1 insecure, version 2 is good Linux and UNIX Overview 43

Common Network Services HTTP --- Web Source of many attacks Email --- sendmail, several security issues r-commands --- rlogin, rsh, rcp Considered very insecure DNS --- domain names to IP addresses Critical service, good one for attackers… Linux and UNIX Overview 44

Common Network Services NFS --- transparently access files across network NFS server “exports” directory info Local machine can “mount” these, so files appear to be locally accessible Like FTP without all of the trouble of FTP-ing Of course, exporting too much may be bad X-Window System --- X11 (or just “X”) The underlying GUI service in UNIX X server controls screen, provides service Must limit who can display/access your screen Linux and UNIX Overview 45

Conclusion UNIX/Linux Popular OSs More than 30 years old Fundamental part of Internet Widely used OSs Platform of choice for many attackers Linux and UNIX Overview 46

Summary Linux and UNIX Overview 47