Session (4) Secure Unix Administration.


Mounting and Unmounting Filesystems

The file tree is assembled from smaller pieces, each of which is itself a filesystem: one directory together with its subdirectories and files. The overall layout is called the file tree. Most filesystems are attached to the tree with the mount command. mount maps a directory within the existing file tree, called the mount point, to the root of the newly attached filesystem. The previous contents of the mount point become inaccessible while another filesystem is mounted there; they reappear when it is unmounted.

Mounting a filesystem

An example:

% mount /dev/sd1c /users

This mounts the filesystem stored on the disk partition /dev/sd1c under the pathname /users. Depending on the OS, a file called /etc/fstab, /etc/vfstab or /etc/checklist lists the filesystems that are customarily mounted. The filesystems listed there are checked with fsck -p (which reads the file to find them) and mounted all at once with mount -a; this is what the boot scripts do.

Sample fstab file

# device                  mount point           type    options                   dump pass
root_domain#root          /                     advfs   rw,userquota,groupquota   0 1
/proc                     /proc                 procfs  rw,userquota,groupquota   0 0
usr_domain#var            /var                  advfs   rw,userquota,groupquota   0 2
tmp_domain#tmp            /tmp                  advfs   rw,userquota,groupquota   0 2
users_domain#u            /u                    advfs   rw,userquota,groupquota   0 2
student_dmn#csgs          /u/csgs               advfs   rw,userquota,groupquota   0 2
student_dmn#css           /u/css                advfs   rw,userquota,groupquota   0 2
archive_dmn#accts         /u/expired            advfs   rw,userquota,groupquota   0 2
usr_domain#usr            /usr                  advfs   rw,userquota,groupquota   0 2
local_dmn#local           /usr/local            advfs   rw,userquota,groupquota   0 2
src_dmn#src               /usr/local/src        advfs   rw,userquota,groupquota   0 2
/usr/local/etc/httpd@sc   /usr/local/etc/httpd  nfs     rw

Sample fstab file (a second system, with NFS mounts)

/dev/root           /          xfs   rw,raw=/dev/rroot       0 0
/dev/dsk/dks0d2s7   /home      xfs   rw,quota                0 0
suphys:/d3          /d3        nfs2  rw,hard,intr,bg,quota   0 0
suphys:/d2          /d2        nfs2  rw,hard,intr,bg,quota   0 0
planck:/physics2    /physics2  nfs2  rw,hard,intr,bg,quota   0 0
mandela:/physics7   /physics7  nfs2  rw,hard,intr,bg,quota   0 0
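The fstab samples above mount several filesystems that hold user-controlled data (/home, /u, the NFS imports) with only rw, quota or rw,hard,intr,bg. The following is an added example and not part of the lecture: a small sh/awk audit that reads fstab-format text and reports network and user-writable filesystems mounted without nosuid and nodev, the two options that stop a user from planting a setuid binary or a device node on a filesystem they can write to. The USER_MOUNTS list and the sample fstab it is run on are assumptions made for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the lecture): audit fstab entries for missing
# nosuid/nodev on filesystems that users can write to or that come over NFS.
# Reads fstab-format text on stdin, prints one finding per line and returns
# the number of findings as its exit status (0 = nothing to report).

# Assumption: these mount points hold user-writable data on the systems we manage.
USER_MOUNTS="/home /tmp /var/tmp /u"

fstab_audit() {
    awk -v user_mounts="$USER_MOUNTS" '
    BEGIN {
        n = split(user_mounts, um, " ")
        for (i = 1; i <= n; i++) uw[um[i]] = 1
    }
    /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
    NF < 4                { next }          # need device, mount point, type, options
    {
        dev = $1; mp = $2; type = $3
        opts = "," $4 ","                   # pad so ",opt," matches at both ends
        net = (type ~ /^nfs/)               # nfs, nfs2, nfs3, nfs4
        if (!net && !(mp in uw)) next       # /, /usr, ... are out of scope here
        missing = ""
        if (opts !~ /,nosuid,/) missing = missing " nosuid"
        if (opts !~ /,nodev,/)  missing = missing " nodev"
        if (missing != "") {
            printf "%s on %s (%s): missing%s\n", dev, mp, type, missing
            findings++
        }
    }
    END { exit findings + 0 }'
}

# Constructed sample: three lines taken from the slide, one hardened by hand.
SAMPLE_FSTAB='# device            mount      type  options                              dump pass
/dev/root           /          xfs   rw,raw=/dev/rroot                    0 0
/dev/dsk/dks0d2s7   /home      xfs   rw,quota                             0 0
suphys:/d3          /d3        nfs2  rw,hard,intr,bg,quota                0 0
planck:/physics2    /physics2  nfs2  rw,hard,intr,bg,nosuid,nodev,quota   0 0'

# Run the audit on the sample when executed directly.
printf '%s\n' "$SAMPLE_FSTAB" | fstab_audit
echo "findings: $?"
```

On a real host run it as `fstab_audit < /etc/fstab`; the exit status makes it usable from a configuration check that fails when the count is non-zero.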

Unmounting a filesystem

To detach a filesystem, use umount. An example:

% umount /users

This detaches the filesystem mounted at /users (the /dev/sd1c partition we mounted above). umount -f forces the detachment of a filesystem that is busy (in use); processes that have files open on it lose them, so find and stop those processes first whenever you can. When you attempt to detach a filesystem that is in use, umount complains that the device is busy. You can find out who is using a mount point with:

fuser -c mountpoint

Example: fuser -c /users

Unmounting a filesystem (cont.)

fuser -c mountpoint returns a list of process IDs, each followed by a code:

% fuser -c /usr
/usr: 157tm 315ctom ...

The letter codes vary from system to system; typical ones are:

c   the process has its current directory on the filesystem
t   the process is running a program (text) stored on the filesystem
m   the process has a file on the filesystem mapped (for example a shared library)
r   the process has its root directory on the filesystem

Use ps -fp "process IDs" to find out what those processes are. fuser -f filename reports on the use of a specific file, and fuser -k filename kills the processes that are using the file; check what they are before you do that.
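The procedure just described (try umount, see who holds the mount, inspect with ps, then decide) is easy to script. The following is an added example, not code from the lecture: fuser_pids pulls the numeric PIDs out of a fuser -c line in the layout the slide shows (each PID immediately followed by its code letters), and safe_umount uses it to report the holders instead of reaching for umount -f. The fuser output layout is an assumption taken from the slide; some implementations print the mount point on stderr, which is why stderr is merged before parsing.

```shell
#!/bin/sh
# Added example (not from the lecture): unmount only after identifying the
# processes that keep the filesystem busy. Assumes fuser -c prints tokens of
# the form <pid><code letters>, e.g. "/usr 157tm 315ctom" as on the slide.

# Extract the PIDs from one fuser line as a comma-separated list (for ps -fp).
fuser_pids() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^[0-9]/) continue        # skip the mount point and other noise
            pid = $i
            sub(/[^0-9].*$/, "", pid)           # strip the trailing code letters
            printf "%s%s", (n++ ? "," : ""), pid
        }
        print ""
    }'
}

# Try a normal unmount; if the filesystem is busy, show who is using it and
# refuse to force it. The operator can then stop the processes (or fuser -k)
# and call again.
safe_umount() {
    mp=$1
    if umount "$mp" 2>/dev/null; then
        echo "unmounted $mp"
        return 0
    fi
    holders=$(fuser -c "$mp" 2>&1)              # merge stderr: some fusers print the path there
    pids=$(fuser_pids "$holders")
    echo "$mp is busy: $holders" >&2
    if [ -n "$pids" ]; then
        ps -fp "$pids" >&2                      # what are those processes?
    fi
    echo "not forcing umount of $mp; stop the processes above and retry" >&2
    return 1
}

# Demonstration on the slide's sample line (no real filesystem is touched).
echo "PIDs in slide output: $(fuser_pids '/usr 157tm 315ctom')"
```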

The organization of a file tree

File Types

Regular files
Directories (created with mkdir, removed with rmdir or rm -r); every directory contains the entries "." (itself) and ".." (its parent)
Character device files: device files allow Unix programs to communicate with the system's hardware and peripherals
Block device files
Unix domain sockets
Named pipes (FIFOs)
Symbolic links

The Network File System

The Network File System, commonly known as NFS, allows filesystems to be shared among computers on a network. Shared files appear to users as if they were stored on the local machine. NFS consists of a number of components: a mounting protocol and mount server, daemons that coordinate basic file service, and several diagnostic utilities. Part of both the server-side and the client-side software resides in the kernel. NFS has been stable since Sun Microsystems released it in 1985; the first widely deployed protocol version was 2. Version 3 brought several improvements, among them a faster write path: the server may acknowledge a write before the data reaches stable storage, and the client later asks it to commit the buffered data, instead of every write being synchronous as in version 2.

The Network File System (cont.)

NFS runs on top of the Remote Procedure Call (RPC) protocol, which defines a system-independent way for processes to communicate over a network. Either UDP or TCP can be used as the transport. The original NFS used UDP: since NFS does its own packet sequencing, reassembly and error checking, it did not need those services from the transport. Neither UDP nor NFS, however, has a congestion control algorithm, so NFS over UDP behaves badly on congested or lossy links. Most systems today allow NFS over TCP, which fixes that problem; with modern CPUs there is little difference in throughput between the two, so either can be used. An addition to NFS called WebNFS, introduced by Sun in 1996, allows NFS operations over the Internet.

The Network File System (cont.)

Consistent UIDs and GIDs are an important issue when NFS is used. If a file is shared between two machines, a given UID and GID must mean the same user and group on both; otherwise users gain access to each other's files. Root access over NFS is handled specially. By default any request arriving with UID 0 is intercepted by the NFS server and remapped so that it appears to come from an unprivileged user (root squashing). On most systems the "nobody" account exists for this purpose.

Security tip: root on the client machine can su to any other user and then read that user's files over NFS, so the files are not really protected; UID remapping only limits what root can do directly.

Security tip: system logins such as "sys" and "bin" are not UID-mapped, so files they own can be attacked from any client on which those UIDs are under an intruder's control.

The Network File System (cont.)

Data transferred via NFS is not encrypted, so a packet sniffer on the network path can read it. Kerberos was introduced as an effort to extend strong authentication to RPC.

Security tip: if you run a firewall, block access to TCP and UDP port 2049, the port NFS uses for transport. Block the portmapper (port 111) and the mount daemon as well, since clients reach the mount server through them.

An NFS server is the side that "exports" a directory to be used by other machines; Solaris uses the word "share" instead. The client uses mount to access an exported (shared) directory.

Sample /etc/exports file

#
# NFS exported filesystem database (see exports(4) for more information).
# Entries in this file consist of lines containing the following fields:
#   filesystem [ options ] [ netgroup ] [ hostname ] ...
# Filesystem must be left-justified and may name any directory within a
# local filesystem. A backslash (\) at the end of a line permits splitting
# long lines into shorter ones. Netgroup(4) and hostname refer
# to machines or collections of machines to which filesystem is exported.
#/var/spool/pcnfs
/home -nohide,rw,access=gills.phys.subr.edu:tashakkori.phys.subr.edu:ali.phys.subr.edu:hermity.phys.subr.edu:suphys.phys.subr.edu:lamb.phys.subr.edu:planck.phys.subr.edu:gauss.phys.subr.edu:mandela.phys.subr.edu:feynman.phys.subr.edu

The access= list restricts the export to the named hosts. An entry with neither an access= list nor host names can be mounted by any host that can reach the server.
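The dangerous mistakes in an exports file are an entry with no access list (the whole Internet can mount it if port 2049 is reachable) and an entry that hands remote root back its privileges. The following is an added example, not part of the lecture: a sh/awk audit for files written in the "filesystem -options [hosts]" syntax shown on the slide (Linux uses "dir host(options)" and would need a different parser). The option names root= and anon=0 are the ones used by this family of NFS servers; the sample exports file it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the lecture): audit an /etc/exports written in the
# "filesystem -opt,opt[,access=h1:h2] [host ...]" syntax shown on the slide.
# Findings:
#   - no access= list and no host list -> mountable by every host reaching port 2049
#   - root=host                        -> remote root is not squashed for that host
#   - anon=0                           -> anonymous (remapped) users become root
# Reads exports text on stdin, prints findings, exit status = number of findings.
exports_audit() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }     # join backslash-continued lines
    { $0 = buf $0; buf = "" }                        # re-split fields of the joined line
    /^[ \t]*#/ || NF == 0 { next }                   # comments and blank lines
    {
        fs = $1; opts = ","; hosts = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) opts = opts substr($i, 2) ","   # strip the leading -, pad with ,
            else hosts++                                   # bare netgroup or hostname
        }
        mode = (opts ~ /,rw,/) ? "read-write" : "read-only"
        if (opts !~ /,access=/ && hosts == 0) {
            print fs ": exported " mode " to every host (no access= or host list)"; n++
        }
        if (opts ~ /,root=/)   { print fs ": root= grants remote root access"; n++ }
        if (opts ~ /,anon=0,/) { print fs ": anon=0 maps anonymous users to root"; n++ }
    }
    END { exit n + 0 }'
}

# Constructed sample: the slide entry for /home (shortened) plus three made-up lines.
SAMPLE_EXPORTS='# NFS exported filesystem database
/home -nohide,rw,access=gills.phys.subr.edu:\
suphys.phys.subr.edu:planck.phys.subr.edu
/usr/local/src -ro
/scratch -rw,root=planck.phys.subr.edu,access=planck.phys.subr.edu
/export/pub -ro gauss.phys.subr.edu feynman.phys.subr.edu'

printf '%s\n' "$SAMPLE_EXPORTS" | exports_audit
echo "findings: $?"
```

Only /usr/local/src (no access list) and /scratch (root=) are reported; the continued /home line is joined before it is checked, and /export/pub is restricted by its host list.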

Character and Block Device Files

Device files allow UNIX programs to communicate with the system's hardware and peripherals. When the kernel is configured, modules that know how to talk to each of the system's devices are linked in. The module for a particular device, its device driver, takes care of the messy details of managing the device. Device drivers present a standard communication interface that looks like a regular file. Device files and device drivers are distinct things: the files are merely the rendezvous points through which programs reach the drivers. Character device files are used by drivers that do their own input and output buffering; block device files are used by drivers that handle I/O in large chunks and want the kernel to perform the buffering for them.

Character and Block Device Files (cont.)

Some hardware, such as hard disks and tape drives, can be represented by both block and character device files. Which one do we use? There is no rule of thumb: either memorize the convention or look it up. Device files are characterized by two numbers:

major device number: tells the kernel which driver the file refers to
minor device number: tells the driver which physical unit to address

Example: on a Linux machine, major number 6 denotes the parallel port driver; the first parallel port, /dev/lp0, has major number 6 and minor number 0. Some device drivers use the minor number in a nonstandard way. Tape drivers often use it to select the density at which to write and to decide whether the tape should be rewound when the device file is closed.

Character and Block Device Files (cont.)

Device files are created with mknod and removed with rm. Most systems provide a shell script called MAKEDEV (in /dev) that creates the appropriate sets of device files for common devices.

Warning: be extra careful with mknod and the MAKEDEV script. A device file is nothing more than a name bound to a major/minor pair, so one created with the wrong numbers, with loose permissions, or outside /dev gives its users raw access to the underlying device.

Unix domain sockets

Sockets are connections between processes that allow them to communicate in a hygienic manner. Unix provides several different kinds of sockets; most of them involve the network. Unix domain sockets are local to a particular host and are referenced through a filesystem object rather than a network port. Socket files are visible to other processes as directory entries, but they cannot be read from or written to by processes not involved in the connection. The printing system, the X Window System and syslog are examples of services that use Unix domain sockets. Unix domain sockets are created with the socket() system call (and given their name in the filesystem with bind()); they can be removed with rm or the unlink() system call once no process is using them.

Named Pipes

Named pipes (FIFOs) allow communication between two unrelated processes running on the same host. They can be created with mknod (or mkfifo) and removed with rm.

Symbolic Links

A symbolic link points to a file by name. When the kernel comes across a symbolic link while resolving a pathname, it redirects its attention to the path the link points to and continues from there. Symbolic links are created with ln -s and removed with rm. Example:

% ln -s ../../ufs /usr/include/bsd/sys/ufs

This links /usr/include/bsd/sys/ufs to /usr/include/ufs using a relative path.

NOTE: because the target is relative, the entire /usr/include directory can be moved without the symbolic link ceasing to work.

Question: what does /usr/include/bsd/sys/ufs/../param.h refer to?
a. /usr/include/bsd/sys/param.h
b. /usr/include/ufs/param.h
c. /usr/include/param.h
d. /usr/include/bsd/sys/ufs/param.h
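The quiz turns on who resolves the "..": the kernel follows the link first and only then steps up one directory, so the result is not what a textual reading of the path suggests. This added example, not part of the lecture, rebuilds the slide's layout under a scratch directory, creates the same relative link, and lets the kernel (via cat) resolve both the quiz path and the path after the whole include tree has been renamed. The file contents are made up; only the directory structure and the ln -s command follow the slide.

```shell
#!/bin/sh
# Added example (not from the lecture): reproduce the slide's layout in a
# scratch directory and let the kernel, not the shell, resolve "ufs/../param.h".
# File contents are constructed; only the structure and the link follow the slide.
symlink_dotdot_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/include/bsd/sys" "$root/usr/include/ufs"
    echo "include-level param.h" > "$root/usr/include/param.h"
    echo "sys-level param.h"     > "$root/usr/include/bsd/sys/param.h"
    echo "ufs-level param.h"     > "$root/usr/include/ufs/param.h"

    # The slide's link: a relative target, two levels up and then into ufs.
    ln -s ../../ufs "$root/usr/include/bsd/sys/ufs"

    # The link is followed first, so ".." is taken from /usr/include/ufs and
    # lands in /usr/include: the answer is /usr/include/param.h, not bsd/sys.
    # (cat is used deliberately: a shell's cd tracks ".." textually by default.)
    cat "$root/usr/include/bsd/sys/ufs/../param.h"

    # Because the link target is relative, renaming the whole include tree
    # leaves the link working.
    mv "$root/usr/include" "$root/usr/include.new"
    cat "$root/usr/include.new/bsd/sys/ufs/param.h"

    rm -rf "$root"
}

symlink_dotdot_demo
```

The same rule is what makes ".." after a symlink a classic path-traversal surprise: a link inside a directory you thought was confined can lead "up" somewhere else entirely.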

File Attributes

Every file has a set of 9 permission bits that control who can read, write and execute its contents, plus 3 other bits that affect the operation of executable programs (and, on directories, how their contents may be used). These 12 bits are referred to as the mode bits. They are stored together with 4 bits of file-type information in a 16-bit word. The 4 file-type bits are set when the file is created and cannot be changed, not even by root; the 12 mode bits can be changed with chmod.

The setuid and setgid bits

The bits with octal values 4000 and 2000 are the setuid and setgid bits. When set on an executable, they make the program run with the privileges of the file's owner or group rather than those of the user who runs it, so the program can access files and processes that would otherwise be off-limits to that user. (The remaining bit, octal 1000, is the sticky bit.) On most Unix systems, when the setgid bit is set on a directory, files created within the directory get the group of the directory rather than the creator's default group, which makes it easy to share a directory of files within a group.

Permission encoding: each 3-bit group (owner, group, other) is written as one octal digit

Octal   Binary   Permission
0       000      ---
1       001      --x
2       010      -w-
3       011      -wx
4       100      r--
5       101      r-x
6       110      rw-
7       111      rwx

r = read, w = write, x = execute
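The table covers the 9 permission bits; the 3 special bits change how ls -l displays the execute position (s or S for setuid/setgid, t or T for the sticky bit, upper case when the underlying x bit is off). The following is an added example, not from the lecture: mode_to_string renders any 12-bit octal mode the way ls -l shows it, and find_setuid applies the same bits with find -perm to list the setuid and setgid programs under a directory, which is the inventory an administrator should keep and diff over time. The directory layout used for the test is created in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the lecture): render the 12 mode bits the way ls -l
# does, including the setuid/setgid/sticky bits, and use find -perm to locate
# setuid/setgid files, the ones those bits make security-relevant.

# mode_to_string 4755  ->  rwsr-xr-x
mode_to_string() {
    m=$((0$1))                      # a leading 0 makes the shell parse the argument as octal
    out=""
    for pos in 6 3 0; do            # owner, group, other triplets
        bits=$(( (m >> pos) & 7 ))
        case $pos in                # which special bit and display letters belong here
            6) sp=$(( (m >> 11) & 1 )); lc=s; uc=S ;;   # 4000 setuid
            3) sp=$(( (m >> 10) & 1 )); lc=s; uc=S ;;   # 2000 setgid
            0) sp=$(( (m >> 9)  & 1 )); lc=t; uc=T ;;   # 1000 sticky
        esac
        r=-; w=-; x=-
        if [ $((bits & 4)) -ne 0 ]; then r=r; fi
        if [ $((bits & 2)) -ne 0 ]; then w=w; fi
        if [ $((bits & 1)) -ne 0 ]; then x=x; fi
        if [ "$sp" -eq 1 ]; then    # ls shows s/t when x is set, S/T when it is not
            if [ "$x" = x ]; then x=$lc; else x=$uc; fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# List regular files with the setuid or setgid bit set under a directory,
# staying on one filesystem. Run it against / and diff against a known baseline.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

for mode in 644 755 4755 2775 1777 4644; do
    printf '%s  %s\n' "$mode" "$(mode_to_string "$mode")"
done
```

4644 renders as rwSr--r--: a setuid bit on a file that is not executable, which is exactly the kind of oddity a baseline diff should surface.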

User Management

The /etc/passwd file contains, for each user:

Login name
Encrypted password (when a shadow file is not used)
UID
Default GID
"GECOS" information: full name, office, extension, home phone (changed with chfn; passwd -g on Solaris)
Home directory
Login shell

The contents of the passwd file may be shared with other systems through NIS or NIS+. Login names should be meaningful while remaining of a reasonable length. If a name would be too long, use a short form as the login and add an alias in /etc/mail/aliases so that the long name reaches it. For instance, Rahman Tashakkori is rt on cs; the aliases file would contain:

rtashakkori: rt

Security tip: avoid giving the same login name to different people, or different login names to the same person, on systems on the same network. At some point you may decide to share resources, and the mismatch causes problems; it is particularly troublesome for e-mail.

The /etc/master.passwd file

On FreeBSD, the real password file is /etc/master.passwd. /etc/passwd exists for backward compatibility; it is generated from master.passwd and is never edited directly. master.passwd plays the role of the shadow file: it is readable by root only. It contains three additional fields:

Login class: determines the user's resource limits and controls other login settings; it names an entry in /etc/login.conf.
Password change time ("password aging"): the time after which the user will be forced to change his or her password.
Expiration time: the date and time at which the account expires. After that the user cannot log in unless the account is reset.

FreeBSD /etc/login.conf file

This file sets account-related parameters for users and classes of users. It uses the same format as termcap and printcap. Entries in this file control:

Resource limits (maximum process size, number of open files, etc.)
Session accounting limits (when login is allowed and for how long)
Default environment variables
Default paths (PATH, MANPATH, etc.)
Location of the message of the day
Host- and TTY-based access control
Default umask
Account control (minimum password length, password aging)

Example:

sysadmin:\
        :ignorenologin:\
        :requirehome@:\
        :maxproc=unlimited:\
        :openfiles=unlimited:\
        :tc=default:

ignorenologin lets members of the class log in even when /etc/nologin exists; requirehome@ turns off the requirement for a home directory, so a failed NFS mount of /home does not lock the administrator out; maxproc and openfiles are unlimited; tc=default takes every other setting from the default entry.

The shadow file

The shadow file is part of the added security on Solaris and Red Hat Linux: it holds the password hashes and aging information and is readable only by root. It is not a superset of the passwd file; the two must be kept consistent, so edit them with the vendor's tools (or vipw) rather than by hand. It contains 9 fields for each user:

Login name
Encrypted password
Date of the last password change (days since 1 January 1970)
Minimum number of days between password changes
Maximum number of days between password changes
Number of days of advance notice before the password expires
Number of days after password expiry before the account is disabled
Account expiration date (days since 1 January 1970)
Flags, reserved for future use

Example:

rt:inNO.VAsc1Wn.:11031::180:14::18627:

Here rt last changed the password on day 11031, must change it at least every 180 days, gets 14 days' warning, and the account expires on day 18627.

The /etc/group file

This file contains the names of the Unix groups and a list of each group's members. Each line contains:

Group name
Encrypted password (rarely used); may be blank or *
GID number
List of members, separated by commas. NOTE: no spaces

Security tip: do not use a system group as the default group for any user, not even the system administrator.
Security tip: assign new GIDs after the vendor-provided groups, or starting from 100, whichever is larger.
Security tip: to edit the password file, use vipw where it is available; it locks the file while you edit.
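The passwd, shadow and group files described in the last three sections are small enough to check on every change, and most of the security tips above are mechanical rules. The following is an added example, not from the lecture: three sh/awk audits that read the file layouts given above and print one finding per line. Extra UID 0 accounts, empty password fields, duplicate UIDs and GIDs, a default group of GID 0, missing password aging, expired passwords or accounts, group passwords, members that do not exist and spaces in member lists are all reported. The sample files written by demo() are constructed for this example; only the rt shadow line comes from the slide.

```shell
#!/bin/sh
# Added example (not from the lecture): consistency and hygiene checks over
# passwd, shadow and group files in the layouts described above. Each function
# prints one finding per line. The sample files in demo() are constructed for
# this example (the rt shadow line is the one on the slide).

# passwd_audit FILE: extra UID-0 accounts, empty password fields, duplicates,
# and users whose default group is GID 0 (a system group).
passwd_audit() {
    awk -F: '
    NF < 7                    { print "line " NR ": malformed (expected 7 fields)"; next }
    $3 == 0 && $1 != "root"   { print $1 ": UID 0 but not root" }
    $4 == 0 && $1 != "root"   { print $1 ": default group is GID 0 (system group)" }
    $2 == ""                  { print $1 ": empty password field (no password needed)" }
    seen_uid[$3]++ == 1       { print "UID " $3 " is used by more than one login" }
    seen_login[$1]++ == 1     { print "login " $1 " appears more than once" }
    ' "$1"
}

# shadow_audit FILE TODAY: TODAY is days since 1970-01-01 (the unit shadow uses),
# e.g. $(( $(date +%s) / 86400 )); passing it explicitly keeps runs reproducible.
shadow_audit() {
    awk -F: -v today="$2" '
    NF < 8            { print "line " NR ": malformed (expected 9 fields)"; next }
    $2 == ""          { print $1 ": empty password (logs in without one)" }
    $2 ~ /^[!*]/      { next }                       # locked or no-login account
    $5 == ""          { print $1 ": no maximum password age" }
    $5 != "" && $3 != "" && $3 + $5 < today { print $1 ": password expired on day " $3 + $5 }
    $8 != "" && $8 < today                  { print $1 ": account expired on day " $8 }
    ' "$1"
}

# group_audit GROUPFILE PASSWDFILE: group passwords, duplicate GIDs, members
# that do not exist, spaces in member lists, default GIDs with no group entry.
group_audit() {
    awk -F: '
    NR == FNR { users[$1] = 1; primary[$4] = 1; next }      # first file: passwd
    NF < 4    { print "line " FNR ": malformed group entry"; next }
    $2 != "" && $2 != "*" && $2 != "x" && $2 !~ /^!/ { print $1 ": group password set (shared secret)" }
    seen_gid[$3]++ == 1 { print "GID " $3 " is used by more than one group" }
    {
        gids[$3] = 1
        if ($4 ~ / /) print $1 ": member list contains a space"
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] != "" && !(m[i] in users)) print $1 ": member \"" m[i] "\" not in passwd"
    }
    END { for (g in primary) if (!(g in gids)) print "GID " g " is a default group but has no group entry" }
    ' "$2" "$1"
}

# Constructed sample data; "today" is fixed at day 11300 for a reproducible run.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'rt:x:1001:100:Rahman Tashakkori:/u/rt:/bin/sh' \
                  'toor:x:0:0::/:/bin/sh' \
                  'guest::1002:0::/tmp:/bin/sh' > "$d/passwd"
    printf '%s\n' 'rt:inNO.VAsc1Wn.:11031::180:14::18627:' \
                  'guest::11031::::::' \
                  'bin:*:11000:::::::' > "$d/shadow"
    printf '%s\n' 'wheel:*:0:root' 'users:*:100:rt, guest' 'staff:*:100:nobody' > "$d/group"
    echo "== passwd"; passwd_audit "$d/passwd"
    echo "== shadow"; shadow_audit "$d/shadow" 11300
    echo "== group";  group_audit "$d/group" "$d/passwd"
    rm -rf "$d"
}

demo
```

On a live system run passwd_audit /etc/passwd, shadow_audit /etc/shadow "$(( $(date +%s) / 86400 ))" (as root) and group_audit /etc/group /etc/passwd; "rt, guest" in the sample is the no-spaces rule being broken, and it shows up both as the space finding and as a member " guest" that does not exist.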

Security tip: be aware that a dot file (a file whose name begins with ".", which a plain ls does not show) may have been placed in your directory; check with ls -a.

Disk Quotas

Disk quotas let you limit the disk space (and the number of files) a user may consume on a filesystem, and it is highly recommended that you use them. Quotas are set with edquota, which can be used in several ways:

edquota username: opens the user's quota entry in an editor, where you set the soft limit (exceeding it only produces a warning) and the hard limit (which cannot be exceeded).
edquota -p proto-user newuser: duplicates the quota settings of an existing user for a new user. This must be run manually for each new account, or from your adduser procedure.