Chapter 3 Rootly Powers.

Slides:

Advertisements

Similar presentations

CIS 193A – Lesson2CIS 193A - Lesson2 Authorization & Authentication Sudo and PAM.

Advertisements

Linux Users and Groups Management

Basic Unix system administration

2000 Copyrights, Danielle S. Lahmani UNIX Tools G , Fall 2000 Danielle S. Lahmani Lecture 12.

Homework 5b: Samba. Computer Center, CS, NCTU 2 Network-based File Sharing (1)  NFS (UNIX-based) mountd is responsible for mount request nfsd and nfsiod.

Chapter 3 Rootly Powers. Computer Center, CS, NCTU 2 The Root  Root Root is God, also called super-user. UID is 0  UNIX permits the superuser to perform.

User Account Management WeeSan Lee. Roadmap Add An Account Delete An Account /etc/{passwd,shadow} /etc/group How To Disable An Account? Root Account Q&A.

Sudo Access with Beowulf Clusters Chris Feehan CS Senior Capstone 12/18/06.

Unix Systems Administration 1Y. K. Chang root: the super user 4 The UNIX semigod who can perform privileged tasks: controlling processes, adding devices,

Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.

Unix System Administration Rootly Powers Chapter 3.

CIS 191 – Lesson 2 System Administration. CIS 191 – Lesson 2 System Architecture Component Architecture –The OS provides the simple components from which.

1 Advanced Unix Administrative Tools. 2 VMWare Image Setup We all need to check out the VMWare FC6 image that you’ll be using We all need to check out.

Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.

ITN Wake Tech1 ITN270 Advanced Internet Databases Lecture 15. General MySQL Administration Topics: –Securing a New MySQL Installation –MySQL Server.

Linux Services Muhammad Amer. 2 xinetd Programs  In computer networking, xinetd, the eXtended InterNET Daemon, is an open-source super-server daemon.

An Intro to Concurrent Versions System (CVS) ECE 417/617: Elements of Software Engineering Stan Birchfield Clemson University.

Linux Security. See who's logged in 1) w (more information) 2) who (less information)

Managing Users  Each system has two kinds of users:  Superuser (root)  Regular user  Each user has his own username, password, and permissions that.

Chapter 3 & 6 Root Status and users File Ownership Every file has a owner and group –These give read,write, and execute priv’s to the owner, group, and.

A Practical Guide to Fedora and Red Hat Enterprise Linux Unit 9: Basic Linux Administration Chapter 11: System Administration: Core Concepts Chapter 16:

Introduction to System Admin Sirak Kaewjamnong. 2 The system administration’s job  Adding a new user  Doing backup and restoring files from backups.

SSH Tricks for CSF Slide 1 NEbraskaCERT SSH Tricks Matthew G. Marsh 05/21/03.

User Management. Adding New Users Computer Center, CS, NCTU 3 ID  User ID, Group ID % id liuyh  uid=10047(liuyh) gid=200(dcs) groups=200(dcs),0(wheel),700(ta),800(security),888(wwwadm)

Manually Creating a New User Account Presented by Carl South.

SCSC 455 Computer Security Chapter 3 User Security.

VIRTUAL HOSTING WITH PureFTPd And MYSQL (Quota And Bandwidth Management) BY Odoh Kenneth Emeka Sun Yu Patrick Appiah.

CSC414 “Introduction to UNIX/ Linux” Lecture 6. Schedule 1. Introduction to Unix/ Linux 2. Kernel Structure and Device Drivers. 3. System and Storage.

Unit – 5 FTP Server. FTP Introduction One of the oldest and most commonly used protocols The original specification for the File Transfer Protocol was.

 Last lesson, the Windows Operating System was discussed along with the Windows command shell  Unix is a computer operating system, that similarly manages.

Basic UNIX system administration CS 2204 Class meeting 14 *Notes by Doug Bowman and other members of the CS faculty at Virginia Tech. Copyright

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

UNIX Command RTFM: sudo(8)

Security Risk Assessment Determine how important your computer is to your group ● Mission critical? ● Sensitive information? ● Expensive hardware? ● Service.

System Administration II

ITIS 3110 System Hardening.

User Management Lctseng, arr. by pschiu.

Overview – SOE Sudo SEP 2014.

User Management.

Sudoers Meryll Larkin - that's me Why you are here:

Overview – SOE Sudo Dec 2013.

Rootly Powers and Controlling Processes

Chapter 11: Managing Users

User Management.

Exercise 7 Samba.

Overview – SOE Sudo September 2016.

LINUX ADMINISTRATION 1

Overview – SOE Sudo November 2015.

Chapter 2 User Management

Users and Accounts Lab 0.1. Users and Accounts Lab 0.1.

Overview of Unix Jagdish S. Gangolly School of Business

Linux Users and Groups Management

COP 4343 Unix System Administration

Shells, Help, and Paths.

The Linux Command Line Chapter 9

User Management lctseng.

User Management.

Chapter Introduction 3.2 The UNIX Model of Ownership

The Attack and Defense of Computers

Module 13 System and User Security

數位芝麻網路公司蔡志展 2001/8/18 CVS Setup 數位芝麻網路公司蔡志展 2001/8/18.

Linux Filesystem Management

Rootly Powers Chapter 3.

Adding New Users.

Tools and Explanations for Mac Beginners

Access Control and Audit

Presentation transcript:

Chapter 3 Rootly Powers

Charlie Root /usr/share/calendar/calendar.freebsd (src/usr.bin/calendar/calendars/calendar.freebsd) 06/19 Charlie Root <root@FreeBSD.org> born in Portland, Oregon, United States, 1993 Who’s Charlie Root? http://lists.freebsd.org/pipermail/freebsd-questions/ 2005-September/098410.html Charlie & http://lists.freebsd.org/pipermail/freebsd-advocacy/ 2007-June/003253.html 年紀最小的 calendar.freebsd -> ijliao -> 610 /usr/ports/astro/xearth/files/freebsd.committers.markers

The Root Root Root is God, also called super-user. UID is 0 UNIX permits the superuser to perform any valid operation on any file or process, such as (but not limited to): Changing the root directory of a process with chroot Creating device files (mknod) Setting the system clock Raising anyone’s resource usage limits and process priorities (renice, edquota) Setting the system’s hostname (hostname command) Configuring network interfaces (ifconfig command) Shutting down the system (shutdown command)

Becoming root (1) Login as root Console login Allow root login on console but not cross network. If you don’t want to permit root login in the console /etc/ttys: ttyv1 "/usr/libexec/getty Pc" cons25 on secure → ttyv1 "/usr/libexec/getty Pc" cons25 on insecure Remote login (login cross network) sshd: /etc/ssh/sshd_config #PermitRootLogin yes Not recommended!

Becoming root (2) su : substitute user identity su, su -, su username ※ Environment is unmodified with the exception of $USER, $HOME, $SHELL which will be changed to target user. ※ “su -” will simulate as a full login. Sudo (/usr/ports/security/sudo): a limited su Subdivide superuser’s power Who can execute what command on which host as whom Each command executed through sudo will be logged Edit /usr/local/etc/sudoers using visudo command visudo can check mutual exclusive access of sudoers file Log bad users: Oct 7 16:09:20 csduty sudo: lwhsu : TTY=ttys0 ; PWD=/usr/src ; USER=root ; COMMAND=/usr/bin/make update > sudo -s Password: wayne is not in the sudoers file. This incident will be reported. *** SECURITY information for knight.lwhsu.ckefgisc.org ***

Becoming root (3) sudoers format Who can execute what command on which host as whom The user to whom the line applies The hosts on which the line should be noted The commands that the specified users may run The users as whom they may be executed Use absolute path Host_Alias BSD=bsd1,bsd2,alumni Host_Alias LINUX=linux1,linux2 Cmnd_Alias DUMP=/usr/sbin/dump, /usr/sbin/restore Cmnd_Alias PRINT=/usr/bin/lpc, /usr/bin/lprm Cmnd_Alias SHELLS=/bin/sh, /bin/tcsh, /bin/csh

Becoming root (4) Host_Alias BSD=bsd1,bsd2,alumni Host_Alias LINUX=linux1,linux2 Cmnd_Alias DUMP=/usr/sbin/dump, /usr/sbin/restore Cmnd_Alias PRINT=/usr/bin/lpc, /usr/bin/lprm Cmnd_Alias SHELLS=/bin/sh, /bin/tcsh, /bin/csh Cmnd_Alias SU=/usr/bin/su User_Alias wwwTA=chenpc, silin User_Alias printTA=yzlin, yzlin lwhsu ALL=ALL chwong ALL=(ALL)ALL,!SHELL,!SU printTA csduty=PRINT wwwTA BSD=(nobody)/usr/bin/more %wheel ALL=NOPASSWD:/sbin/shutdown

Becoming root (5) $ sudo -u nobody more \ /usr/local/etc/apache/httpd.conf $ cp -p /bin/csh /tmp/csh; sudo /tmp/csh

Advantage of sudo Accountability is much improved because of command logging Operators can do chores without unlimited root privileges The real root password can be known to only one or two people It’s faster to use sudo than to run su or login as root Privileges can be revoked without the need to change the root password A canonical list of all users with root privileges is maintained There is less chance of a root shell being left unattended A single file can be used to control access for an entire network

Why not su nor sudo? Becoming other users /etc/inetd.conf A pseudo-user for service, sometimes shared by multiple users sudo -u notftpadm –s (?) /etc/inetd.conf login stream tcp nowait root /usr/libexec/rlogind logind ~notftpadm/.rhosts localhost manic login -l notftpadm localhost User_Alias NOTFTP_ADMINS=manic Runas_Alias NOTFTP=notftp,notftpadm ICANFTP_ADMINS ALL=(NOTFTP) ALL Too dirty!