# HG changeset patch
# User Christian Urban
# Date 1381233719 -3600
# Node ID 3822d91a46391c260d08fb0255bf10679d8cbfb1
# Parent 0332f8102121bbdb7f45b4c3681551da3441610c
added slides
diff -r 0332f8102121 -r 3822d91a4639 slides/slides03.pdf
Binary file slides/slides03.pdf has changed
diff -r 0332f8102121 -r 3822d91a4639 slides/slides03.tex
--- a/slides/slides03.tex Tue Oct 08 11:57:05 2013 +0100
+++ b/slides/slides03.tex Tue Oct 08 13:01:59 2013 +0100
@@ -192,6 +192,196 @@
 \end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[t]
+\frametitle{Process Ownership}
+
+\begin{itemize}
+\item access control in Unix is very coarse
+\end{itemize}\bigskip\bigskip\bigskip
+
+\begin{center}
+\begin{tabular}{c}
+root\\
+\hline
+
+user$_1$ user$_2$ \ldots www, mail, lp
+\end{tabular}
+\end{center}\bigskip\bigskip\bigskip
+
+
+\textcolor{gray}{\small root has UID $=$ 0}\\\pause
+\textcolor{gray}{\small you also have groups that can share access to a file}\\
+\textcolor{gray}{\small but it is difficult to exclude access selectively}\\
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Access Control in Unix (2)}
+
+
+\begin{itemize}
+\item privileges are specified by file access permissions (``everything is a file'')
+\item there are 9 (plus 2) bits that specify the permissions of a file
+
+\begin{center}
+\begin{tabular}{l}
+\texttt{\$ ls - la}\\
+\texttt{-rwxrw-r-{}- \hspace{3mm} foo\_file.txt}
+\end{tabular}
+\end{center}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Login Process}
+
+
+\begin{itemize}
+\item login processes run under UID $=$ 0\medskip
+\begin{center}
+\texttt{ps -axl | grep login}
+\end{center}\medskip
+
+\item after login, shells run under UID $=$ user (e.g.~501)\medskip
+\begin{center}
+\texttt{id cu}
+\end{center}\medskip\pause
+
+\item non-root users are not allowed to change the UID --- would break
+access control
+\item but needed for example for \texttt{passwd}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Setuid and Setgid} + +The solution is that unix file permissions are 9 + \underline{2 Bits}: +\alert{Setuid} and \alert{Setgid} Bits + +\begin{itemize} +\item When a file with setuid is executed, the resulting process will assume the UID given to the owner of the file. +\item This enables users to create processes as root (or another user).\bigskip + +\item Essential for changing passwords, for example. +\end{itemize} + +\begin{center} +\texttt{chmod 4755 fobar\_file} +\end{center} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Privilege Separation in\\ OpenSSH\end{tabular}} + +\begin{center} +\begin{tikzpicture}[scale=1] + + \draw[line width=1mm] (0, 1.1) rectangle (1.2,2); + \draw (4.7,1) node {Internet}; + \draw (0.6,1.7) node {\footnotesize Slave}; + \draw[line width=1mm] (0, 0) rectangle (1.2,0.9); + \draw (0.6,1.7) node {\footnotesize Slave}; + \draw (0.6,0.6) node {\footnotesize Slave}; + \draw (0.6,-0.5) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] processes\end{tabular}}; + \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; + + \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); + \draw (-2.9,1.7) node {\footnotesize Monitor}; + + \draw[white] (1.7,1) node (X) {}; + \draw[white] (3.7,1) node (Y) {}; + \draw[red, <->, line width = 2mm] (X) -- (Y); + + \draw[red, <->, line width = 1mm] (-0.4,1.4) -- (-1.4,1.1); + \draw[red, <->, line width = 1mm] (-0.4,0.6) -- (-1.4,0.9); + + \end{tikzpicture} +\end{center} + +\begin{itemize} +\item pre-authorisation slave +\item post-authorisation\bigskip +\item 25\% codebase is privileged, 75\% is unprivileged +\end{itemize} +\end{frame}} 
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{Network Applications}
+
+ideally network application in Unix should be designed as follows:
+
+\begin{itemize}
+\item need two distinct processes
+\begin{itemize}
+\item one that listens to the network; has no privilege
+\item one that is privileged and listens to the latter only (but does not trust it)
+
+\end{itemize}
+
+\item to implement this you need a parent process, which forks a child process
+\item this child process drops privileges and listens to hostile data\medskip
+
+\item after authentication the parent forks again and the new child becomes the user
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Famous Security Flaws\\[-1mm] in Unix\end{tabular}}
+
+
+\begin{itemize}
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
+\end{itemize}
+
+\only<5->{
+\begin{textblock}{1}(3,7)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+ -- Theo de Raadt (OpenBSD, OpenSSH) +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} + + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ diff -r 0332f8102121 -r 3822d91a4639 slides/slides04.pdf Binary file slides/slides04.pdf has changed
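Review bot: On the Setuid and Setgid slide the bullet "the resulting process will assume the UID given to the owner of the file" is imprecise in a way that matters for the `passwd` example that follows it: only the effective (and saved) UID becomes the file owner's, while the real UID stays the invoking user's, which is exactly what lets `passwd` know whose entry it may change; suggested wording `\item When a file with setuid is executed, the resulting process runs with the \emph{effective} UID of the file's owner (its real UID stays the caller's).` The example below it reads `\texttt{chmod 4755 fobar\_file}`, which looks like a typo for `foobar\_file`, and the earlier listing `\texttt{\$ ls - la}` should be `\texttt{\$ ls -la}` if it is meant to be a runnable command. In the OpenSSH tikzpicture the line `\draw (0.6,1.7) node {\footnotesize Slave};` appears twice in a row and the second copy can be dropped. All of these slides are added whole in this one hunk, which ends on the context line before the next `\mode{`.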