Linux Security. Authors:- Advanced Linux Programming by Mark Mitchell, Jeffrey Oldham, and Alex Samuel, of CodeSourcery LLC published by New Riders Publishing.


Linux Security

Authors:- Advanced Linux Programming by Mark Mitchell, Jeffrey Oldham, and Alex Samuel, of CodeSourcery LLC published by New Riders Publishing First Edition, June 2001

Abstract Much of the power of a Linux system comes from its support for multiple users and for networking. Many people can use the system at once, and they can connect to the system from remote locations. Unfortunately, with this power comes risk, especially for systems connected to the Internet. The Linux kernel provides a variety of facilities to ensure that these events do not take place.

Users and Groups Each Linux user is assigned a unique number, called a user ID, or UID. – We can control access to a file or other resource by associating it with a particular user ID. Then only the user corresponding to that user ID can access the resource. Each group is assigned a unique number, called a group ID, or GID. – Every group contains one or more user IDs. – A single user ID can be a member of lots of groups, but groups can’t contain other groups, they can contain only users.

Example:
$ id
uid=501(jigi) gid=501(jigi) groups=501(jigi),503(tycs)
(uid is the User ID, gid is the Group ID)

Super User One user account is very special. This user has user ID 0 and usually has the username root. It is also sometimes referred to as the superuser account.

Process User IDs and Process Group IDs Every process has an associated user ID and group ID. The process user ID and group ID are always represented as integer values.

File System Permission Current file systems have methods of assigning permissions or access rights to specific users and groups of users. These systems control the ability of the users to view or make changes to the contents of the file systems.

Basic ideas for file system permission The three tasks that are most commonly performed are:
– Reading
– Writing
– Executing
These tasks can be performed by USERS, GROUP, OTHERS.

Structure: - rwx rw- r--
– File type: “-” indicates a regular file and “d” indicates a directory
– rwx: read, write and execute permission for the owner of the file
– rw-: read and write permission for the owning group, but not the execute permission
– r--: only read permission for the others

Security Hole: Programs Without Execute Permissions A user who executes a program without permission is a malicious user. The malicious user makes a copy of the program, changes the permissions on the copy and then executes the copy. Method to overcome this: – Restrict the copying of the program

Sticky Bits This bit is applicable only to directories. A directory that has the sticky bit set allows you to delete a file only if you are the owner of the file. Hence it is also known as the Magic bit.

Real and Effective IDs There are two user IDs and two group IDs: – real user ID – real group ID – effective user ID – effective group ID (everything that’s true about user IDs is also true about group IDs)

Effective User IDs The effective ID is the ID most commonly used by the kernel. The kernel always checks the effective user ID. For example, if a process tries to open a file, the kernel checks the effective user ID when deciding whether to let the process access the file.

Real User IDs The real user ID is required for changing the effective user ID of an already running process; here the kernel checks both the real user ID and the effective user ID.

Rules for exchanging the IDs The function used to change the user IDs for a process is setreuid. The kernel will let a process running with an effective user ID of 0 (root) change its user IDs as it sees fit. A process whose effective user ID is 0 can do absolutely anything it pleases. Any other process, however, can do only one of the following things:
– Set its effective user ID to be the same as its real user ID
– Set its real user ID to be the same as its effective user ID
– Swap the two user IDs
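An added example, not taken from the slides or the book: a program that started with elevated effective IDs gives them up by setting the effective ID to the real ID (the first rule above), checks every return value, and confirms the old effective user ID cannot be regained. The function name drop_privileges_permanently is an assumption of this example; supplementary groups are not handled.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Set effective IDs to the real IDs and verify the result.
   Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();    /* the user who ran the program        */
    uid_t euid = geteuid();   /* the ID the kernel checks for access */
    gid_t rgid = getgid();

    /* Groups first: once the user ID is dropped the process may no
       longer be allowed to change its group IDs. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Never assume the calls worked; read the IDs back. */
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    if (getuid() != ruid || geteuid() != ruid)
        return -1;

    /* If the program really held a different effective user ID, trying
       to take it back must now fail. Root is skipped because a process
       with effective user ID 0 may change its IDs as it sees fit. */
    if (ruid != 0 && euid != ruid && setreuid((uid_t)-1, euid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    printf("before: real=%ld effective=%ld\n", (long)getuid(), (long)geteuid());
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("after:  real=%ld effective=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```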

Setuid Programs How to become a root user if you are a non-root user?
– $ whoami
Mitchell
– $ su
Password…..
– $ whoami
Root

Authenticating Users Authentication is any process by which a system verifies the identity of a user who wishes to access it. Since access control is normally based on the identity of the user who requests access to a resource, authentication is essential to effective security. Linux provides a way for programs to handle this: the Pluggable Authentication Module (PAM).

More Security Holes A security hole is a defect in a computer program that allows unauthorized users to gain access to a system or network and to interfere with its operation.

Buffer Overruns A buffer, in terms of a program in execution, can be thought of as a region of computer’s main memory that has certain boundaries in context with the program variable that references this memory.

Types of daemon: Sendmail, Finger, Talk

Race Condition An execution ordering of concurrent flows that results in undesired behavior is called a race condition (a software defect and frequent source of vulnerability).

Race Condition Properties There are three properties that are necessary for a race condition to exist: 1. Concurrency Property: There must be at least two control flows executing concurrently. 2. Shared Object Property: A shared race object must be accessed by both of the concurrent flows. 3. Change State Property: At least one of the control flows must alter the state of the race object.
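An added example, not taken from the slides or the book: the three properties applied to a file name in a shared directory, with a check-then-create routine beside a form where the kernel does the check and the creation as one step. The function names and the /tmp/race-demo-* scratch directory are constructed for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: the existence check and the open are two separate steps. A second
   control flow can create `path` (for example as a symbolic link) between
   them, and open() without O_EXCL will then follow it. */
int create_racy(const char *path)
{
    struct stat st;

    if (lstat(path, &st) == 0)                    /* check */
        return -1;
    return open(path, O_WRONLY | O_CREAT, 0600);  /* use   */
}

/* Hardened: with O_CREAT|O_EXCL the kernel tests for the name and creates
   the file atomically. It fails with EEXIST if the name already exists,
   including when the name is a symbolic link. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory: a symbolic
   link already occupies the name the program wants. Returns the errno of
   the hardened call, 0 if it wrongly succeeded, -1 if setup failed. */
int exclusive_errno_on_planted_link(void)
{
    char dir[] = "/tmp/race-demo-XXXXXX";
    char path[64], target[64];
    int fd, err;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/out", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    if (symlink(target, path) != 0)
        return -1;
    fd = create_exclusive(path);
    err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    unlink(path); unlink(target); rmdir(dir);
    return err;
}
```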

Conclusion Designing and implementing a truly secure program is actually a difficult task on Unix-like systems such as Linux and Unix. Here are some of the key guidelines: Avoid buffer overflow: Make sure that long inputs (and long intermediate data values) can't be used to take over your program. This is the primary programmatic error at this time.

Structure program internals: Secure the interface, minimize privileges, make the initial configuration and defaults safe, and fail safe. Avoid race conditions (e.g., by safely opening any files in a shared directory like /tmp). Trust only trustworthy channels (e.g., most servers must not trust their clients for security checks or other sensitive data such as an item's price in a purchase). Carefully call out to other resources: Limit their values to valid values and check all system call return values.

References: ch10-security.pdf, HOWTO/conclusion.html

Thank You

Presented By: Jigisha Baria (4), Shruti Chaudhari (7), Heena Choudhary (9), Renu Patel (19)