User-level security
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
9.0
Unit objectives
After completing this unit, you should be able to:
  Describe the concepts of Pluggable Authentication Modules (PAMs)
  Define ways of controlling root access to the system
  Define the use of the SUID, SGID, and sticky permission bits
  Configure access control lists
  Identify the data files associated with users
User-level security overview
Authentication: Verifying that you are who you say you are. Can be based on:
  Something only you know (for example: password, PIN)
  Something only you have (for example: smartcard, token, key)
  Something only you are (for example: fingerprints, retina scan)
Authorization: Determining your level of access
  File permissions, ACLs
  Account restrictions (login times, login tty, and so forth)
Pluggable Authentication Modules
  The authentication system of Linux
  Implemented as a suite of shared libraries
  Enables the system administrator to choose how applications authenticate users
  Provides flexibility to applications that need authentication
  Initially developed by Sun Microsystems; adapted for Linux
Authentication before PAM (diagram): every program (login, ftp, httpd, other programs, a "very secure program") carries its own authentication code and talks directly to its own back end: /etc/passwd, httpd authentication, other authentication, retina scan, voice recognition.
Authentication with PAM (diagram): the same programs (login, ftp, httpd, other programs, a "very secure program") all call PAM, which is configured by the files in /etc/pam.d and dispatches to the back ends on their behalf: /etc/passwd, httpd authentication, other authentication, retina scan, voice recognition.
PAM configuration file example
# cat /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_unix.so likeauth
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_env.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   required     /lib/security/pam_unix.so nullok
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_console.so
Note: PAM configuration differs from distribution to distribution.
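Added here as an illustration (it is not from the course materials): a small Python model of how PAM walks the stack above under the control flags required, requisite, sufficient and optional. SAMPLE_LOGIN_CONFIG is a constructed copy of the listing, and each module's outcome is supplied by the caller as a dictionary.

```python
# Added example, not course code: a small model of how PAM evaluates one
# management group (auth/account/password/session) under its control flags.
from typing import Dict, List

SAMPLE_LOGIN_CONFIG = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_unix.so likeauth
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_env.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   required     /lib/security/pam_unix.so nullok
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_console.so
"""  # constructed copy of the /etc/pam.d/login listing above

def parse_pam_config(text: str) -> list:
    """Return (type, control, module, args) tuples; comments and blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mtype, control, module, *args = line.split()
        entries.append((mtype, control, module.rsplit("/", 1)[-1], args))
    return entries

def evaluate_stack(entries: list, mtype: str, results: Dict[str, bool]) -> bool:
    """Overall verdict for one type; results maps module name -> True/False
    (unlisted modules succeed).
      required   - failure is remembered, but later modules still run
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack unless a required module failed
      optional   - only counts when it is the sole module of this type"""
    stack = [e for e in entries if e[0] == mtype]
    required_failed = False
    for _, control, module, _ in stack:
        ok = results.get(module, True)
        if control in ("required", "requisite") and not ok:
            if control == "requisite":
                return False
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True
        elif control == "optional" and len(stack) == 1:
            return ok
    return not required_failed
```

Because every auth module in this file is required, a failing pam_securetty (root on an insecure tty) or pam_nologin (/etc/nologin present) still lets the remaining modules run, but the final verdict is a denial.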
Common Pluggable Authentication Modules
Some commonly used PAMs are:
  pam_unix.so: Regular UNIX authentication (passwords)
  pam_env.so: Set environment variables
  pam_cracklib.so: Check passwords for strength
  pam_pwdb.so: Enforce password aging rules
  pam_pwcheck.so: Check passwords (SLES only)
  pam_nologin.so: Deny login if /etc/nologin exists
  pam_listfile.so: Allow/deny login if the user is listed in a file
  pam_securetty.so: Allow login for root only from secure ttys
  pam_time.so: Allow/deny login based on time of day
  pam_stack.so: Include another PAM config file (RHEL/FC only)
  pam_limits.so: Set limits on CPU and memory usage
  pam_console.so: Set permissions for console users
  pam_deny.so: Always gives an error
  pam_selinux.so: Sets up the default security context for the next exec'd shell
Several PAMs have additional configuration files in /etc/security.
Advanced authentication options
Network Information Service (NIS/NIS+)
  Provides a means to distribute password files, group files, and configuration information across a set of managed machines
  Server-client model
  Must be securely deployed
Secure Remote Password (SRP)
  Provides secure remote authorization of passwords using one-way hashing of the login
Kerberos
  Modern network authentication protocol
  Provides strong authentication security using secret-key cryptography
  Server-client model
Lightweight Directory Access Protocol (LDAP)
  Powerful protocol that can be used to access information from an object-orientated database
  Allows centralization of user information (including passwords, home dirs, and so on) and encryption of data, all in a single place on the network
Principles of authorization
Authorization in Linux is based on file permissions. Exception: root is allowed to do everything.
Once logged in, users cannot change their identity except through a SUID program, which allows them to run a command as someone else (most often root). Examples of SUID programs:
  passwd: Allows users to update the /etc/shadow file
  mount: Allows users to mount a floppy or CD
  su: Runs a shell as another user, after supplying the password
  sudo: Runs a particular command as another user
  Various games (to track high scores)
All SUID programs should be known to the administrator and checked/updated for security problems.
File permissions
Permission   File                                             Directory
r            User can see contents of file                    User can list the contents of the directory
w            User can change contents of file                 User can change the contents of the directory
x            User can execute file as a command               User can cd to the directory and can use it in PATH
SUID         Program runs with effective user ID of owner     No effect
SGID         Program runs with effective group ID of owner    Files created in the directory inherit the same group ID as the directory
Sticky bit   No effect                                        Only the owner of the file and the owner of the directory can delete files in this directory
Changing permissions
Setting file permissions is done with the chmod command.
# chmod 1755 (or o+t) commondir
# ls -ld commondir
drwxr-xr-t 2 root proj1 4096 May 19 09:00 commondir/
# chmod 2755 (or g+s) myprog
# ls -l myprog
-rwxr-sr-x 1 root root 729402 May 19 09:02 myprog
# chmod 4755 (or u+s) passwd
# ls -l /etc/passwd
-rwsr-xr-x 1 root root 2721 Mar 15 10:58 /etc/passwd
Changing file owner and group:
# chown john finance
# chgrp staff finance
# chown john.staff finance
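The principle above is that every SUID program should be known to the administrator. As an added example (not course code), this Python inventory walks a tree and reports everything carrying a SUID, SGID or sticky bit, so the output can be diffed against a known-good list; the demo() function builds a constructed temporary tree with the modes used on this slide.

```python
# Added example, not course code: inventory files and directories carrying the
# SUID, SGID or sticky bit under a tree, so the result can be compared with the
# administrator's known-good list. Demonstrated on a constructed temporary tree.
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

SPECIAL_BITS = {"SUID": stat.S_ISUID, "SGID": stat.S_ISGID, "sticky": stat.S_ISVTX}

def special_bits(mode: int) -> List[str]:
    """Names of the special bits set in a st_mode value (e.g. 0o4755 -> ['SUID'])."""
    return [name for name, bit in SPECIAL_BITS.items() if mode & bit]

def find_special(root: str) -> List[Tuple[str, str, List[str]]]:
    """Walk root without following symlinks and return (path, octal mode, bits)
    for everything that carries at least one special bit."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is meaningless; its target is audited where it lives
            bits = special_bits(st.st_mode)
            if bits:
                found.append((path, oct(stat.S_IMODE(st.st_mode)), bits))
    return sorted(found)

def demo() -> Dict[str, List[str]]:
    """Build a constructed tree mirroring the slide (a 4755 program, a 2770 team
    directory, a 1777 shared directory, a plain 644 file) and audit it."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(base, "groups", "penguins"))
        os.mkdir(os.path.join(base, "shared"))
        for name in ("mypasswd", "plain"):
            open(os.path.join(base, name), "w").close()
        # SGID may be silently cleared if the process is not in the directory's group
        for rel, mode in (("mypasswd", 0o4755), ("groups/penguins", 0o2770),
                          ("shared", 0o1777), ("plain", 0o644)):
            os.chmod(os.path.join(base, rel), mode)
        return {os.path.relpath(p, base): bits for p, _, bits in find_special(base)}
    finally:
        shutil.rmtree(base)
```

Run find_special("/") as root on a real system and keep the sorted output under version control; any new entry in a later run is a change worth explaining.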
Access control lists (1 of 2)
Access control lists (ACLs) provide additional user access controls:
  More flexibility and fine-grained control over files
  Enabled at the file system level, in /etc/fstab
The ACL for a file is displayed using the getfacl command:
# getfacl myfile.txt
# file: myfile.txt
# owner: tux1
# group: tux1
user::rw-
group::r--
other::r--
Access control lists (2 of 2)
ACLs for a file are set using the setfacl command. The ls -l command marks files that carry ACLs with a +.
# setfacl -m u:tux2:rw- myfile.txt
# getfacl myfile.txt
# file: myfile.txt
# owner: tux1
# group: tux1
user::rw-
user:tux2:rw-
group::r--
mask::rw-
other::r--
# ls -l myfile.txt
-rw-rw-r--+ 1 tux1 tux1 1 Jan 1 16:59 myfile.txt
The mask entry indicates the effective rights mask. The mask takes precedence if it is more restrictive than the ACL permissions.
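To make the mask rule concrete, here is an added Python example (not from the course materials) that parses getfacl output and computes the rights each entry actually grants; SAMPLE_GETFACL is a constructed copy of the listing above, and with_mask() shows what a tighter mask does to tux2.

```python
# Added example, not course code: parse getfacl output and work out the rights
# each ACL entry actually grants once the mask is applied.
from typing import Dict, List, Tuple

SAMPLE_GETFACL = """\
# file: myfile.txt
# owner: tux1
# group: tux1
user::rw-
user:tux2:rw-
group::r--
mask::rw-
other::r--
"""  # constructed copy of the listing above

Entry = Tuple[str, str, str]  # (tag, qualifier, perms)

def parse_getfacl(text: str) -> List[Entry]:
    """Read 'tag:qualifier:perms' lines; '# file:/owner:/group:' headers and
    any trailing '#effective:' annotations are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms.split()[0]))
    return entries

def mask_perms(perms: str, mask: str) -> str:
    """Intersect two rwx strings: a bit survives only if set in both."""
    return "".join(p if p != "-" and p == m else "-" for p, m in zip(perms, mask))

def effective_rights(entries: List[Entry]) -> Dict[str, str]:
    """Rights per principal after the mask. The mask caps named users, named
    groups and the owning group; it never touches the owner (user::) or other::."""
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    rights: Dict[str, str] = {}
    for tag, qualifier, perms in entries:
        if tag == "mask":
            continue
        key = tag if qualifier == "" else f"{tag}:{qualifier}"
        exempt = tag == "other" or (tag == "user" and qualifier == "")
        rights[key] = perms if exempt else mask_perms(perms, mask)
    return rights

def with_mask(entries: List[Entry], mask: str) -> List[Entry]:
    """Return a copy of the ACL as it would look after `setfacl -m m::<mask>`."""
    return [(t, q, mask if t == "mask" else p) for t, q, p in entries]
```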
umask
  Sets the default permissions on new files
  System-wide umask for all users in /etc/profile
  Individual umask in $HOME/.bash_profile or $HOME/.profile
Default value of umask:
  For root: 022
  For users: 002 (if user private groups are used) or 022 (otherwise)
Example: Creating a team directory
Create a group:
# groupadd penguins
Add users to the group:
# usermod -G penguins tux1
or:
# gpasswd -a tux1 penguins
Create a directory and set group permissions:
# mkdir /groups/penguins
# chgrp penguins /groups/penguins
# chmod 2770 /groups/penguins
Root access
  Dangerous
  Root's password should be changed on an unannounced schedule by the system administrator.
  Assign different root passwords to different machines.
  Always log in as yourself, not as root.
  Remote login as root is disabled by default.
  Some Linux distributions (such as Ubuntu) disable local login as root altogether, forcing users down the more secure path of using sudo for admin commands.
su command
Switch to another user ID:
$ whoami
tux1
$ su
Password:
# whoami
root
Using su - <user> changes to the environment of that user.
Execute a command as another user:
$ su - root -c /sbin/poweroff
Password:
$
Broadcast message from root (tty1):
The system is going down for system halt NOW!
sudo command
Allows users to execute specific commands as another user without requiring that user's password.
Do not use sudo for interactive commands!
The /etc/sudoers file lists which users are allowed to execute which commands on which host as which user. Edit this file with visudo only.
Macros (aliases) can be defined to reduce complexity.
Syntax: user host = [(newuser)] command
# cat /etc/sudoers
User_Alias OPERATORS = tux1, tux2, tux3
Host_Alias WEBSERVERS = www, www-1, www-2
Cmnd_Alias PRINTCMDS = /usr/bin/printtool, /usr/bin/klpq
tux1 WEBSERVERS = (root) /sbin/service httpd restart
OPERATORS printsvr = (root) PRINTCMDS
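As an added example (not course code), the following Python evaluator answers "may this user run this command on this host as that user?" for the subset of sudoers syntax shown above, using a constructed copy of the listing as input. It resolves the three alias kinds recursively; real sudoers also has Runas_Alias, tags, wildcards, negation and includes, which it does not model.

```python
# Added example, not course code: evaluate "may USER run CMD on HOST as RUNAS?"
# for the sudoers subset shown above (three alias kinds and simple rules).
from typing import Dict, List, Set

SAMPLE_SUDOERS = """\
User_Alias OPERATORS = tux1, tux2, tux3
Host_Alias WEBSERVERS = www, www-1, www-2
Cmnd_Alias PRINTCMDS = /usr/bin/printtool, /usr/bin/klpq
tux1 WEBSERVERS = (root) /sbin/service httpd restart
OPERATORS printsvr = (root) PRINTCMDS
"""  # constructed copy of the /etc/sudoers listing above

def parse_sudoers(text: str) -> tuple:
    """Return (aliases, rules); a rule is (user, host, runas, [commands])."""
    aliases: Dict[str, List[str]] = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0] in ("User_Alias", "Host_Alias", "Cmnd_Alias"):
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        lhs, rhs = line.split("=", 1)
        user, host = lhs.split()
        rhs, runas = rhs.strip(), "root"  # sudo's default runas user
        if rhs.startswith("("):
            runas, rhs = rhs[1:].split(")", 1)
        rules.append((user, host, runas.strip(), [c.strip() for c in rhs.split(",")]))
    return aliases, rules

def expand(name: str, aliases: Dict[str, List[str]]) -> Set[str]:
    """Resolve an alias (recursively) to its members; a non-alias is itself."""
    if name not in aliases:
        return {name}
    members: Set[str] = set()
    for member in aliases[name]:
        members |= expand(member, aliases)
    return members

def may_run(user: str, host: str, runas: str, command: str, sudoers: tuple) -> bool:
    """True if some rule grants exactly this command (or ALL) to user@host as runas."""
    aliases, rules = sudoers
    for r_user, r_host, r_runas, r_cmds in rules:
        if (user not in expand(r_user, aliases) or host not in expand(r_host, aliases)
                or runas not in expand(r_runas, aliases)):
            continue
        allowed: Set[str] = set().union(*(expand(c, aliases) for c in r_cmds))
        if "ALL" in allowed or command in allowed:
            return True
    return False
```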
Security logs
/var/log/lastlog  - Last successful login
/var/log/messages - General log file
/var/log/secure   - Failed logins
/var/log/wtmp     - Successful logins
/var/run/utmp     - Currently logged in users
Useful commands
w: Who is logged in and doing what?
who: Who is logged in? Examines the contents of /var/log/wtmp and /var/log/utmp.
# w
 09:43:46 up 17 days, 20:50,  6 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE    JCPU   PCPU  WHAT
root     pts/3    sig-9-49-140-187  09:40    2:09    0.03s  0.01s ssh 10.0.02
root     pts/4    sig-9-49-140-187  09:40    2:13    0.02s  0.01s ssh 10.0.0.3
root     pts/5    sig-9-49-140-187  09:41    49.00s  0.02s  0.01s ssh 10.0.0.4
root     pts/6    sig-9-49-140-187  09:43    0.00s   0.01s  0.00s w
# who
root     pts/3        May 19 09:40 (sig-9-49-140-187.mts.ibm.com)
root     pts/2        May 8 07:43 (:1.0)
root     pts/1        May 8 10:22 (:1.0)
root     pts/4        May 19 09:40 (sig-9-49-140-187.mts.ibm.com)
root     pts/5        May 19 09:41 (sig-9-49-140-187.mts.ibm.com)
root     pts/6        May 19 09:43 (sig-9-49-140-187.mts.ibm.com)
Additional commands (1 of 2)
Show information about a user:
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t
Show the last time a user logged in or the last time a tty was used to log in:
# last
root     pts/6        sig-9-49-140-187 Fri May 19 09:43   still logged in
...
reboot   system boot  2.6.9-27.ELsmp   Mon May  1 12:53          (17+20:53)
root     pts/1        sig-9-65-56-32.m Mon May  1 11:40 - down   (00:03)
wtmp begins Mon May  1 11:40:45 2006
Additional commands (2 of 2)
Show the last login time of all users:
# lastlog
Username   Port   From              Latest
root       pts/6  sig-9-49-140-187  Fri May 19 09:43:15 -0700 2006
bin                                 **Never logged in**
...
guest      pts/7  sig-9-48-37-17.m  Mon Apr 24 10:52:59 -0700 2006
Checkpoint
1. What is the difference between authentication and authorization?
2. True or false: The user root can log in anywhere, anytime.
3. True or false: PAM is the subsystem responsible for user authentication.
Checkpoint solutions
1. What is the difference between authentication and authorization?
   The answer is: authentication is how you identify yourself to the system, and authorization specifies what you can do once logged in.
2. True or false: The user root can log in anywhere, anytime.
   The answer is false.
3. True or false: PAM is the subsystem responsible for user authentication.
   The answer is true.
Exercise: User-level security
What you will do in this exercise:
  Perform various activities related to user-level security
Unit summary
Having completed this unit, you should be able to:
  Describe the concepts of Pluggable Authentication Modules (PAMs)
  Define ways of controlling root access to the system
  Define the use of the SUID, SGID, and sticky permission bits
  Configure access control lists
  Identify the data files associated with users