\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{Process Ownership}

\begin{itemize}
\item access control in Unix is very coarse
\end{itemize}\bigskip\bigskip\bigskip

\begin{center}
\begin{tabular}{c}
root\\
\hline

user$_1$ user$_2$ \ldots www, mail, lp
\end{tabular}
\end{center}\bigskip\bigskip\bigskip


\textcolor{gray}{\small root has UID $=$ 0}\\\pause
\textcolor{gray}{\small you also have groups that can share access to a file}\\
\textcolor{gray}{\small but it is difficult to exclude access selectively (e.g.~keep one user out but let everyone else in)}\\
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
219 |
|
220 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
221 \mode<presentation>{ |
|
222 \begin{frame}[c] |
|
223 \frametitle{Access Control in Unix (2)} |
|
224 |
|
225 |
|
226 \begin{itemize} |
|
227 \item privileges are specified by file access permissions (``everything is a file'') |
|
228 \item there are 9 (plus 2) bits that specify the permissions of a file |
|
229 |
|
230 \begin{center} |
|
231 \begin{tabular}{l} |
|
232 \texttt{\$ ls - la}\\ |
|
233 \texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt} |
|
234 \end{tabular} |
|
235 \end{center} |
|
236 \end{itemize} |
|
237 |
|
238 \end{frame}} |
|
239 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
240 |
|
241 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
242 \mode<presentation>{ |
|
243 \begin{frame}[c] |
|
244 \frametitle{Login Process} |
|
245 |
|
246 |
|
247 \begin{itemize} |
|
248 \item login processes run under UID $=$ 0\medskip |
|
249 \begin{center} |
|
250 \texttt{ps -axl | grep login} |
|
251 \end{center}\medskip |
|
252 |
|
253 \item after login, shells run under UID $=$ user (e.g.~501)\medskip |
|
254 \begin{center} |
|
255 \texttt{id cu} |
|
256 \end{center}\medskip\pause |
|
257 |
|
258 \item non-root users are not allowed to change the UID --- would break |
|
259 access control |
|
260 \item but needed for example for \texttt{passwd} |
|
261 \end{itemize} |
|
262 |
|
263 \end{frame}} |
|
264 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
265 |
|
266 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
267 \mode<presentation>{ |
|
268 \begin{frame}[c] |
|
269 \frametitle{Setuid and Setgid} |
|
270 |
|
271 The solution is that unix file permissions are 9 + \underline{2 Bits}: |
|
272 \alert{Setuid} and \alert{Setgid} Bits |
|
273 |
|
274 \begin{itemize} |
|
275 \item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. |
|
276 \item This enables users to create processes as root (or another user).\bigskip |
|
277 |
|
278 \item Essential for changing passwords, for example. |
|
279 \end{itemize} |
|
280 |
|
281 \begin{center} |
|
282 \texttt{chmod 4755 fobar\_file} |
|
283 \end{center} |
|
284 |
|
285 \end{frame}} |
|
286 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
287 |
|
288 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
289 \mode<presentation>{ |
|
290 \begin{frame}[c] |
|
291 \frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}} |
|
292 |
|
293 \begin{center} |
|
294 \begin{tikzpicture}[scale=1] |
|
295 |
|
296 \draw[line width=1mm] (0, 1.1) rectangle (1.2,2); |
|
297 \draw (4.7,1) node {Internet}; |
|
298 \draw (0.6,1.7) node {\footnotesize Slave}; |
|
299 \draw[line width=1mm] (0, 0) rectangle (1.2,0.9); |
|
300 \draw (0.6,1.7) node {\footnotesize Slave}; |
|
301 \draw (0.6,0.6) node {\footnotesize Slave}; |
|
302 \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}}; |
|
303 \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; |
|
304 |
|
305 \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); |
|
306 \draw (-2.9,1.7) node {\footnotesize Monitor}; |
|
307 |
|
308 \draw[white] (1.7,1) node (X) {}; |
|
309 \draw[white] (3.7,1) node (Y) {}; |
|
310 \draw[red, <->, line width = 2mm] (X) -- (Y); |
|
311 |
|
312 \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1); |
|
313 \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9); |
|
314 |
|
315 \end{tikzpicture} |
|
316 \end{center} |
|
317 |
|
318 \begin{itemize} |
|
319 \item pre-authorisation slave |
|
320 \item post-authorisation\bigskip |
|
321 \item 25\% codebase is privileged, 75\% is unprivileged |
|
322 \end{itemize} |
|
323 \end{frame}} |
|
324 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
325 |
|
326 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
327 \mode<presentation>{ |
|
328 \begin{frame}[c] |
|
329 \frametitle{Network Applications} |
|
330 |
|
331 ideally network application in Unix should be designed as follows: |
|
332 |
|
333 \begin{itemize} |
|
334 \item need two distinct processes |
|
335 \begin{itemize} |
|
336 \item one that listens to the network; has no privilege |
|
337 \item one that is privileged and listens to the latter only (but does not trust it) |
|
338 |
|
339 \end{itemize} |
|
340 |
|
341 \item to implement this you need a parent process, which forks a child process |
|
342 \item this child process drops privileges and listens to hostile data\medskip |
|
343 |
|
344 \item after authentication the parent forks again and the new child becomes the user |
|
345 \end{itemize} |
|
346 |
|
347 |
|
348 \end{frame}} |
|
349 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
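The three steps above (fork a child that drops privilege and handles the hostile input, have the privileged parent validate what that child sends back without trusting it, fork again after authentication so the new child becomes the user) as one added runnable example in C. It is not OpenSSH's code and not from the slides. The message layout \texttt{struct auth\_req}, the \texttt{login <user> <pass>} line format, the account table with \texttt{alice} and \texttt{bob}, and \texttt{UNPRIV\_ID} 65534 are all assumptions made for the example. The table maps every account to the caller's own uid and gid so that the final switch also succeeds when the program is not run as root; run as root, the first child drops to 65534 instead. The child's own check that \texttt{setuid(0)} fails after the drop is the point of the Login Process and Setuid slides seen from the other side: a process without privilege cannot take a UID back.

```c
#define _GNU_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define AUTH_MAGIC 0x41555448u
#define UNPRIV_ID 65534 /* assumption: an unprivileged uid/gid ("nobody" on many systems); used only when run as root */

/* Fixed-size message from the unprivileged child to the monitor: the monitor never sees free-form
   network bytes, only this, and still re-checks every field, since the child may already be an attacker's. */
struct auth_req {
    unsigned magic;          /* must be AUTH_MAGIC */
    char user[16], pass[16]; /* NUL-terminated; user is [a-z0-9_] only */
    unsigned regained_root;  /* child's self-check: 1 if setuid(0) still worked after the drop */
};
struct session { int request_ok, authenticated, regained_root, became_user; };

/* Permanent drop in the only safe order: groups, gid, then uid (uid last: nothing else is permitted once it is gone). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Monitor-side check of a message: nothing in it is trusted, whoever built it. */
int monitor_validate(const struct auth_req *r)
{
    if (r->magic != AUTH_MAGIC || !memchr(r->user, '\0', sizeof r->user) ||
        !memchr(r->pass, '\0', sizeof r->pass) || r->user[0] == '\0') return -1;
    for (const char *p = r->user; *p; p++)
        if (!((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') || *p == '_')) return -1;
    return 0;
}

/* Child side: turn a hostile line "login <user> <pass>" into the fixed struct; on any failure it stays zeroed. */
int parse_login_line(const char *line, struct auth_req *out)
{
    char user[64], pass[64];
    memset(out, 0, sizeof *out);
    if (sscanf(line, "login %63s %63s", user, pass) != 2 ||
        strlen(user) >= sizeof out->user || strlen(pass) >= sizeof out->pass) return -1;
    strcpy(out->user, user); strcpy(out->pass, pass);
    out->magic = AUTH_MAGIC;
    if (monitor_validate(out) == -1) { memset(out, 0, sizeof *out); return -1; }
    return 0;
}

/* The slide's procedure end to end: a child drops privilege and parses the hostile input, the monitor
   re-validates the message and authenticates, then forks again so the new child becomes the user
   (a real server would exec the session there). */
int privsep_session(const char *hostile_input, struct session *s)
{
    /* constructed account table (assumption, not a real password file; a server would compare hashes);
       every entry maps to the caller's own uid/gid so the final switch also works unprivileged */
    static const struct { const char *user, *pass; } db[] = {{"alice", "correct-horse"}, {"bob", "hunter2"}};
    int sv[2], status; pid_t pid; struct auth_req req;
    memset(s, 0, sizeof *s);
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == -1) return -1; /* datagrams: one read, one whole struct */
    if ((pid = fork()) == -1) return -1;
    if (pid == 0) {                                       /* pre-auth child: no privilege */
        close(sv[0]);
        if (drop_privileges(geteuid() ? getuid() : UNPRIV_ID, geteuid() ? getgid() : UNPRIV_ID) == -1) _exit(2);
        parse_login_line(hostile_input, &req);
        req.regained_root = (setuid(0) == 0);             /* must be 0: the drop is permanent */
        _exit(write(sv[1], &req, sizeof req) == (ssize_t)sizeof req ? 0 : 3);
    }
    close(sv[1]);
    ssize_t n = read(sv[0], &req, sizeof req);
    close(sv[0]);
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof req) return -1;              /* child died: no request at all */
    s->regained_root = (int)req.regained_root;
    if (monitor_validate(&req) == -1) return 0;
    s->request_ok = 1;
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (!strcmp(db[i].user, req.user) && !strcmp(db[i].pass, req.pass)) s->authenticated = 1;
    if (!s->authenticated) return 0;
    if ((pid = fork()) == -1) return -1;                  /* post-auth child: becomes the user */
    if (pid == 0) _exit(drop_privileges(getuid(), getgid()) == 0 ? 0 : 1);
    waitpid(pid, &status, 0);
    s->became_user = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return 0;
}

int main(void)
{
    const char *inputs[] = {"login alice correct-horse", "login alice wrong", "login ../etc/passwd x"};
    for (int i = 0; i < 3; i++) {
        struct session s;
        int rc = privsep_session(inputs[i], &s);
        printf("%-26s rc=%d ok=%d auth=%d regained_root=%d became_user=%d\n", inputs[i], rc,
               s.request_ok, s.authenticated, s.regained_root, s.became_user);
    }
    return 0;
}
```

Two design points carry the slide's "does not trust it": the channel carries a fixed-size record rather than text, so the monitor never runs a parser on attacker-controlled bytes, and \texttt{monitor\_validate} is applied again on the monitor side even though the child already applied it, so a compromised child gains nothing by sending a malformed record.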
|
350 |
|
351 |
|
352 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
353 \mode<presentation>{ |
|
354 \begin{frame}[c] |
|
355 \frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws\\[-1mm] in Unix\end{tabular}} |
|
356 |
|
357 |
|
358 \begin{itemize} |
|
359 \item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause |
|
360 \item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause |
|
361 \item \texttt{mkdir foo} is owned by root\medskip |
|
362 \begin{center} |
|
363 \texttt{-rwxr-xr-x 1 root wheel /bin/mkdir} |
|
364 \end{center}\medskip |
|
365 it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)} |
|
366 \end{itemize} |
|
367 |
|
368 \only<5->{ |
|
369 \begin{textblock}{1}(3,7) |
|
370 \begin{tikzpicture} |
|
371 \draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] |
|
372 {\begin{minipage}{8cm} |
|
373 Only failure makes us experts. |
|
374 -- Theo de Raadt (OpenBSD, OpenSSH) |
|
375 \end{minipage}}; |
|
376 \end{tikzpicture} |
|
377 \end{textblock}} |
|
378 |
|
379 |
|
380 |
|
381 \end{frame}} |
|
382 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
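The core-dump flaw above (a privileged process writing to a predictable path and following whatever link an attacker planted there) and its standard fix, as an added example in C that is not from the slides or from any BSD source. The scratch directory under \texttt{/tmp}, the file names \texttt{victim} and \texttt{core}, and the content written are constructed for the demo, and the attack is staged against the caller's own file, since the point is the open flags, not privilege. \texttt{unsafe\_create} is the vulnerable pattern; \texttt{safe\_create} is the hardened one (\texttt{O\_NOFOLLOW}, \texttt{O\_EXCL}, then checking the descriptor with \texttt{fstat} instead of the name). The \texttt{mkdir} race on the same slide has the same shape, acting on a name in two steps, and was closed the same way in later Unix: \texttt{mkdir} became a single system call.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern behind the core-dump flaw: a privileged process opens a predictable path
   for writing and the kernel follows whatever is there. An unprivileged user plants a
   symlink first, and the privileged write lands wherever the link points. */
int unsafe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened version: never follow a symlink (O_NOFOLLOW), never reuse an existing object
   (O_EXCL), and afterwards check the descriptor we got rather than the name we asked
   for, so there is no second lookup and no second race. Returns the fd or -1. */
int safe_create(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd == -1) return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Stage the attack in a scratch directory (assumption: /tmp or the current directory is
   writable): a "victim" file with content, a symlink named "core" pointing at it, then
   both creators tried on "core". Reports whether the naive open followed the link (victim
   truncated), whether the hardened one refused, and whether the hardened one still works
   on an unplanted path. Returns 0, or -1 if the scratch setup itself failed. */
int demo_symlink_attack(int *unsafe_followed, int *safe_refused, int *safe_fresh_ok)
{
    char dir[64], victim[96], planted[96], fresh[96];
    struct stat st;
    int fd;
    strcpy(dir, "/tmp/coredump-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "coredump-demo-XXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/core", dir);
    snprintf(fresh, sizeof fresh, "%s/core.fresh", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd == -1 || write(fd, "secret\n", 7) != 7 || close(fd) == -1) return -1;
    if (symlink(victim, planted) == -1) return -1;       /* the attacker's move */

    fd = unsafe_create(planted);                         /* the privileged write */
    *unsafe_followed = (fd != -1 && stat(victim, &st) == 0 && st.st_size == 0);
    if (fd != -1) close(fd);

    fd = safe_create(planted);
    *safe_refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd != -1) close(fd);

    fd = safe_create(fresh);                             /* nobody planted this name: must work */
    *safe_fresh_ok = (fd != -1);
    if (fd != -1) close(fd);

    unlink(fresh); unlink(planted); unlink(victim); rmdir(dir);
    return 0;
}

int main(void)
{
    int followed, refused, fresh_ok;
    if (demo_symlink_attack(&followed, &refused, &fresh_ok) == -1) {
        perror("demo setup");
        return 1;
    }
    printf("naive open followed the symlink and truncated the victim: %s\n", followed ? "yes" : "no");
    printf("hardened open refused the symlink:                        %s\n", refused ? "yes" : "no");
    printf("hardened open on a fresh path succeeded:                  %s\n", fresh_ok ? "yes" : "no");
    return 0;
}
```

The \texttt{fstat} after the open is what makes the check race-free: it inspects the object the descriptor actually refers to, so there is no window between a check on the name and the write, unlike a \texttt{lstat} followed by \texttt{open}. The ownership test is the part that matters for a privileged writer such as the kernel's core-dump code, which should refuse to write into a file it did not create itself.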
|

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@ {}c@ {}}A ``Cron''-Attack\end{tabular}}