A vast array of threats is posed to our computer systems today, everything from simple file permissions to password security to social engineering and computer viruses. In this chapter, we look at some of the immediate threats to our computer systems and the valuable data held within them. Here's a brief list of the topics we discuss:
User-level security settings
HP-UX Trusted Systems
The /etc/default/security
configuration file
Common security administration tasks
Common first-level security concerns
In addition, we look at ways to address these issues.
We start with the basics: file and directory permissions. Commonly, I find in the UNIX arena that administrators often have misconceived ideas about what file and directory permissions actually mean. Let's put those misconceptions to rest once and for all.
I am not going to spend lots of time going through what read permissions give you in respect of files or directories. What I am going to do is pose some questions. If you can't answer these questions, then I would suggest that you study your CSA materials a little closer:
I don't think it unreasonable for a CSA to know the answers to these questions. If you feel the need, the answers are at the end of this chapter, but no peeking.
A topic we discuss here is Access Control Lists (ACL). ACLs are supported on both HFS and VxFS (recently) filesystems. They allow a system that is converted to an HP-UX Trusted System to conform to the Orange Book classification of C2 mandatory access controls (see later). With ACLs we can give individual users their own individual permissions for files and directories. In this way, we can customize user access to individual user's requirements, whereas with traditional UNIX permissions, we are stuck with the three-tier structure of user, group, and other.
As of VxFS version 3.3 (layout version 4) we can apply ACLs to VxFS files and directories. To check your layout version, use the fstyp -v
command:
root@hpeos004[] fstyp -v /dev/vg00/lvol3 vxfs version: 4 f_bsize: 8192 f_frsize: 1024 f_blocks: 1302528 f_bfree: 313226 f_bavail: 313226 f_files: 9216 f_ffree: 2139030336 f_favail: 2139030336 f_fsid: 1073741827 f_basetype: vxfs f_namemax: 254 f_magic: a501fcf5 f_featurebits: 0 f_flag: 0 f_fsindex: 7 f_size: 1302528 root@hpeos004[]
If you have an earlier version of VxFS, then you can download VxFS 3.3 free of charge from http://software.hp.com. It is available for HP-UX 10.20, 11.0, and 11i. To upgrade a VxFS filesystem to support ACLs, we can use the vxupgrade
command. The default ACL is known as the base ACL. We can apply up to 13 additional ACL entries per file and directory because VxFS ACLs are stored in the 44-byte attribute area of a VXFS inode. The commands to list and modify VxFS ACLs are getacl
and setacl
. Here, we can see a list of ACL entries for the /etc/passwd
file:
root@hpeos004[] getacl /etc/passwd
# file: /etc/passwd
# owner: root
# group: sys
user::r--
group::r--
class:r--
other:r--
root@hpeos004[]
I am going to add additional ACLs for this file. I know this is not the best file to choose, but it's only for demonstration purposes. Here, I am allowing a user fred
to write to this file, and barney
read and write access:
root@hpeos004[] setacl -m 'user:fred:w,user:barney:rw' /etc/passwd root@hpeos004[] getacl /etc/passwd # file: /etc/passwd # owner: root # group: sys user::r-- user:barney:rw- user:fred:-w- group::r-- class:rw- other:r-- root@hpeos004[]
I can also add group level ACLs. Here the group quarry
is given read and execute permission:
root@hpeos004[] setacl -m 'group:quarry:rx' /etc/passwd root@hpeos004[] getacl /etc/passwd # file: /etc/passwd # owner: root # group: sys user::r-- user:fred:-w- user:barney:rw- group::r-- group:quarry:r-x class:rwx other:r-- root@hpeos004[]
You might have noticed the class
group entry. This is a catchall entry that signifies the maximum permissions allowed for the file or directory, depending on individual user/group level access. Whenever we add, delete, or modify an ACL entry, the class
entry is recalculated to reflect the new maximum permissible combination of permissions. It can be used to great effect when we want to temporarily deny access to all additional ACL entries. In this example, I am using the –n
option, which means that we do not want to recalculate the group class
; this makes sense because we are modifying the class
directly:
root@hpeos004[] setacl -nm 'class:---' /etc/passwd root@hpeos004[] getacl /etc/passwd # file: /etc/passwd # owner: root # group: sys user::r-- user:fred:-w- #effective:--- user:barney:rw- #effective:--- group::r-- #effective:--- group:quarry:r-x #effective:--- class:--- other:r-- root@hpeos004[]
We can set this back to its previous value to reactivate the additional ACL entries:
root@hpeos004[] setacl -m 'class:rwx' /etc/passwd root@hpeos004[] getacl /etc/passwd # file: /etc/passwd # owner: root # group: sys user::r-- user:fred:-w- user:barney:rw- group::r-- group:quarry:r-x class:rwx other:r-- root@hpeos004[]
One thing to remember about ACLs is that they are an additional security attribute on a per-file and per-directory basis. As such, some traditional UNIX utilities will exhibit slightly strange behavior when interacting with ACLs; look at the output from a long listing:
root@hpeos004[] ll /etc/passwd
-r--rwxr--+ 1 root sys 862 Oct 4 15:07 /etc/passwd
root@hpeos004[]
Notice the plus (+) symbol after the permission bits? As long as you remember that you have applied ACLs, this kind of output will simply remind you that ACLs have been applied. Look at the permissions displayed by a long listing; by adding additional ACL entries, a long listing will display an amalgamation of the permissions for all additional ACL entries. Another command with slightly different behavior is chmod
. If we change the mode permissions on a file with ACLs applied, chmod
will affect the group class setting.
root@hpeos004[] chmod 444 /etc/passwd root@hpeos004[] ll /etc/passwd -r--r--r--+ 1 root sys 862 Oct 4 15:07 /etc/passwd root@hpeos004[] getacl /etc/passwd # file: /etc/passwd # owner: root # group: sys user::r-- user:fred:-w- #effective:--- user:barney:rw- #effective:r-- group::r-- group:quarry:r-x #effective:r-- class:r-- other:r-- root@hpeos004[]
We would need to reapply the setacl
command(s) afterward to reset the group class back to its former setting.
Another aspect of ACLs is their relationship with standard UNIX backup utilities. tar
, cpio
, and pax
do not know what an ACL is and will print out a warning message to the effect that the ACL for the file is not backed up.
root@hpeos004[] pax -w -f /tmp/pax.out /etc
pax: /etc/passwd : Optional ACL entries are not backed up.
root@hpeos004[]
This can have an effect on your disaster recovery procedures such as make_net_recovery
, which use pax/tar
as a backup interface. You may have to create an ACL-apply file where all ACL entries are listed in a file that can be applied with the setacl –m –f <filename>
command once a machine has been Ignite-UX recovered.
root@hpeos003[] getacl /etc/passwd # file: /etc/passwd # owner: root # group: sys user::r-- user:barney:rw- user:fred:-w- group::r-- group:quarry:r-x class:rwx other:r-- root@hpeos003[] root@hpeos003[] mkdir ~root/ACL root@hpeos003[] getacl /etc/passwd > ~root/ACL/passwd.acl root@hpeos003[] cat ~root/ACL/passwd.acl # file: /etc/passwd # owner: root # group: sys user::r-- user:barney:rw- user:fred:-w- group::r-- group:quarry:r-x class:rwx other:r-- root@hpeos003[] root@hpeos003[] setacl -d 'user:fred,user:barney,group:quarry' /etc/passwd root@hpeos003[] getacl /etc/passwd # file: /etc/passwd # owner: root # group: sys user::r-- group::r-- class:r-- other:r-- root@hpeos003[] root@hpeos003[] setacl -f ~root/ACL/passwd.acl /etc/passwd root@hpeos003[] getacl /etc/passwd # file: /etc/passwd # owner: root # group: sys user::r-- user:barney:rw- user:fred:-w- group::r-- group:quarry:r-x class:rwx other:r-- root@hpeos003[]
If the ACL-apply file was part of the Recovery Archive, you could implement the routine as a post_configure_cmd
!
HFS Access Control Lists give us the same benefits as VxFS ACLs. They are implemented slightly differently in the filesystem; they use an additional inode called the continuation inode to store the ACL entries. Like VxFS ACLs, we can have up to 13 additional ACL entries per file or directory. If you are tuning your HFS filesystem such that you are restricting the number of inodes created, if you have additional ACL entries for every file, you will effectively have half as many inodes available. HFS ACLs also cause problems to backup commands like tar
, cpio
, and pax
and hence similar problems surrounding Ignite-UX recoveries. We also see similar behavior from a long listing. One difference is the commands we use to list and set ACL entries, lsacl
and chacl
in this case:
root@hpeos004[] lsacl -l /stand/vmunix
/stand/vmunix:
rwx root.%
r-x %.sys
r-x %.%
root@hpeos004[]
In this case, the percent (%
) symbol indicates a wildcard. So an entry of the form fred.%
would mean the user fred in any group. Here, I am giving fred
write access, barney
read and write access, and the group quarry
read and execute access to the /stand/vmunix
file (no, it's not a good file to choose, but it's only a demonstration):
root@hpeos004[] chacl 'fred.%=w,barney.%=rw,%.quarry=rx' /stand/vmunix root@hpeos004[] lsacl -l /stand/vmunix /stand/vmunix: rwx root.% -w- fred.% rw- barney.% r-x %.sys r-x %.quarry r-x %.% root@hpeos004[]
An interesting feature of HFS ACLs is their behavior in relation to the chmod
command. With VxFS ACLs, we saw that chmod
affected only the class
specification. With HFS ACLs, using chmod
will delete the additional ACL entries:
root@hpeos004[] ll /stand/vmunix -rwxr-xr-x+ 1 root sys 25932192 Sep 20 10:32 /stand/vmunix root@hpeos004[] chmod 755 /stand/vmunix root@hpeos004[] ll /stand/vmunix -rwxr-xr-x 1 root sys 25932192 Sep 20 10:32 /stand/vmunix root@hpeos004[] lsacl -l /stand/vmunix /stand/vmunix: rwx root.% r-x %.sys r-x %.% root@hpeos004[]
There is the –A
option to chmod
that preserves additional ACL entries:
root@hpeos004[] chacl 'fred.%=w,barney.%=rw,%.quarry=rx' /stand/vmunix root@hpeos004[] lsacl -l /stand/vmunix /stand/vmunix: rwx root.% -w- fred.% rw- barney.% r-x %.sys r-x %.quarry r-x %.% root@hpeos004[] chmod -A 755 /stand/vmunix root@hpeos004[] ll /stand/vmunix -rwxr-xr-x+ 1 root sys 25932192 Sep 20 10:32 /stand/vmunix root@hpeos004[] lsacl -l /stand/vmunix /stand/vmunix: rwx root.% -w- fred.% rw- barney.% r-x %.sys r-x %.quarry r-x %.% root@hpeos004[]
You might want to think about setting up a system-wide alias for chmod
to alias to chmod –A
if you use HFS ACLs extensively.
One of the primary motivations for moving to HP-UX Trusted Systems can be easily demonstrated with a standard HP-UX /etc/passwd
file. By default, everyone needs read access to the /etc/passwd
file so we can equate UIDs with usernames; humans are never very good at remembering that UID=106 is a user called fred
. Every time we want to communicate with fred
, we use programs like mail
that look up fred
's UID from the /etc/passwd
file. Without this feature, using the system on a day-to-day basis would be virtually impossible. But therein lies the problem: If everyone can read an entry from the /etc/passwd
file, then they can read someone's password. The fact is that when we log in, the login/passwd
program takes what we type as a password, encrypts it, and then compares it with what is stored in the /etc/passwd
file. If the comparison finds a match, we have typed the correct password and we are logged in. The clever part is trying to emulate the comparison technique employed by the login/passwd
commands. In fact, it's relatively simple. Figure 29-1 shows basically how the UNIX login/passwd
process works; we take a plain-text password and encrypt it with an encryption algorithm and an associated secret key.
This is at the heart of the login/passwd
process. These commands encrypt the password you type in and compare the result with the encrypted password in the /etc/passwd
file. If the comparison finds a match then you are allowed to login/change
your password. At no time does UNIX decrypt the passwords stored in the /etc/passwd
file. The fact that UNIX does not decrypt passwords is a very good thing for security. If we take a look again at Figure 29-1, we can see a random element to the encryption process. This random component is known as a salt or a seed. It is random(ish) in that it is based on the time of day and your current PID. This is used along with the encryption algorithm to generate the cyphertext from the plaintext password you type in. All looks fine up until now. The problem is that the login/passwd
process must EXACTLY match the encryption process when you login at some time in the future. If the salt/seed are truly random how can login/passwd
process recreate the random component? The answer is simple; the salt/seed are stored IN PLAIN VIEW in the /etc/passwd
file. Some people get a little upset that I am telling the world the secrets of the UNIX password algorithm. The rest of the world has known this for years. In fact, it's documented in the manual pages to the command /usr/lbin/makekey
. The 13-character password stored in /etc/passwd
contains the two-character salt, and the remaining 11 characters constitute the remainder of the cyphertext of your encrypted password. Let's boil this down a bit by looking at an example. Here's the password entry for the root
user on one of my systems:
root@hpeos004[] pwget -n root
root:sM.XPxuSW7HSQ:0:3::/:/sbin/sh
root@hpeos004[]
The first two characters, sM
, is the salt. Somehow I must generate matching cyphertext using a plain-text password, the salt, and the encryption algorithm. For my first attempt, I will use a password of root
. Here goes:
root@hpeos004[] echo "root sM" | /usr/lbin/makekey sMnn9T.kL2Nucroot@hpeos004[] root@hpeos004[] root@hpeos004[]
I hope you can read the output = sMnn9T.kL2Nu
. There's no match. The reason I have used four