INLS 187

1
INLS 187

• September 23, 2004
• Network and System Security

2
UNIX System Security

• In the early days, UNIX and security were a
  contradiction in terms
• Original system had plaintext passwords only, no
  concept of separate users, groups, etc.
• NIX security has come a long way to arrive at
  what you see today
• Along the way, companies often shipped systems
  wide open and you were supposed to lock them down
  as you saw fitcontrast with today

3
Basic concepts

• Two basic ways of preventing security problems in
  UNIX
• Passwordsdesigned to prevent unauthorized access
• File permissionsallow access control over users
  on the system
• Root, or superuser account has complete access

4
More basic concepts

• /etc/passwd is the UNIX password fileworld
  readable
• /etc/shadow holds shadow passwordsonly
  readable by root
• The concept of groups was soon added to solve
  workgroup-related access control problems
• /etc/group

5
System logins

• In a big enough environment, logins may be
  handles centrally using NIS (yellowpages), AFS,
  Kerberos, or another system

6
File and directory permissions

• Symbolic file access modes
• ls l command reveals file access information
• Three operationsreading, writing, executing
• Three tiers of privilegeowner, group, and other
• Nine slots 1 (called the mode)

7
Useful features of ls

• Not only can ls show you the access rights, it
  can also show you
• Owner
• Group
• Creation timestampactually, denotes last
  change to inode (ctime)
• Last modification timestamp (mtime)
• Last access timestamp (atime)

8
Setting permissions

• ls command also reveals owner group
• chmod or change mode command allows you to set
  or change file/directory permissions
• -rwxrxwrxw
• drwxrwxrwx
• srwxrwxrwx

9
Setting permissions

• Two ways to do this
• Use the alpha charactes
• Octal notation

10
Changing owner or group

• Other commands allow you to change the owner,
  group, or both
• chown
• chgrp
• chown usergroup

11
File mode

• Denotes a directory
• Denotes special files such as block special or
  character special files (not really
  security-related, so read about these offline)
• Also can denote suid root filesfiles that if
  run, run as root
• Suid is sometimes necessary, but can create
  gaping security holes (remember, root can do
  anything and by setting the sticky bit, you are
  handing over the keys to the castle in a sense)

12
Sticky bit

• If a user has file write permission on a
  directory, they can rename or remove any files
  underneath
• This can be prevented by setting the sticky bit
  on the directory
• Chmod 1777 test

13
Other useful tools

• ps command view running processes
• who
• last
• uptime
• netstat
• setting the umask

14
Okay, now Windows

• Windows security is now very similar to that of
  UNIX
• Concept of users and groups exists
• All GUI based, however
• Windows password file is very cryptic and
  obscure, but not really any more secure

15
Windows Logins

• Using active directory or netbios, users can
  login to multiple different workstations
• Can also substitute AFS or Kerberos to achieve
  the same things
• UNC GINA
• Novell Netware

16
File access in Windows

• Demonstrate