3_Linux_UNIX

Linux and UNIX Overview
Linux and UNIX
• Linux and UNIX OSs are…
o Often targets for attacks
o Often used for launching attacks
• So we need to understand basics

UNIX
• A “beautiful but strange beast”
o Developed as research project by AT&T
o More than 35 years old
o Internet was built on UNIX
o Recently, popular for desktops, etc.

UNIX
• It’s beautiful because…
o It’s powerful
• Millions of people have worked on it
o Huge numbers of useful tools
o “Been around the block” more than once
o Closely associated with open source
o Admins can find lots of useful tools

UNIX
• Strange because so many UNIX OSs
• Popular variants include
o Solaris by Sun
o MacOS by Apple
o HP-UX by HP
o IRIX by sgi
o AIX by IBM
o FreeBSD, free open source
o OpenBSD, “the #1 most secure” OS

UNIX
• Differences between UNIX variants
o File system organization
o System calls, commands, command options, etc.
• Two main “lines” of UNIX
o AT&T and BSD
• But some UNIXs are combinations

Linux
• Developed by Linus Torvalds
o Technically, not a variant of UNIX
o Created without using any of the underlying UNIX code
o A “UNIX-like environment”
o Strictly speaking, “Linux” is just the kernel
o Many Linux “distros”: Debian, Gentoo, Mandrake, Red Hat, Slackware, SuSE, etc.

UNIX
• Here, generic UNIX/Linux concepts
o Things that apply to most UNIX/Linux
• UNIX also strange because
o Not designed for ease of use
o Think command line, not GUI
o Ironically, much simpler than Windows…
• If you think Windows is easier, you don’t know Linux…
• …and you don’t know Windows

UNIX
• Here, we focus on generic “UNIX”
o Things that apply to most variants
• Book uses “UNIX” and “Linux” interchangeably
• Here, we only scratch the surface
• For more info
o Linux Administration Handbook, by Nemeth
o Man pages

Architecture
• File system
o Like traveling thru a city…
o Directories are like signs leading you to “buildings” (files)
• Many things treated as files
o Devices, elements of processes, files

File System
• Top is root directory: / == “slash”
o “cd /” takes you to root
o For example: /home/fred/hack.txt
• File hack.txt in directory /home/fred

Important Directories
• / == root (top level), called “slash”
• /bin, /sbin == critical system exe’s
• /dev == devices, terminal, CD, etc.
• /etc == system config files
o Accounts, pwds, network addresses, etc.
• /home == user directories

Important Directories
• /lib == shared libraries for programs
• /mnt == exported file systems temporarily mounted, removable devices (e.g., USB)
• /proc == images/data of current processes
o Not on hard drive---can see what kernel is doing
• /tmp == temporary files
• /usr == critical system files (utilities, man pages, …)
• /var == stores various types of files, often for administration (log files)

Important Directories
• “.” is current directory
• “..” is parent directory
o One level up
• “ls” lists the files in a directory
• “ls -a” lists “.” and “..” (and other dot files) too

Kernel
• UNIX and Linux are modular
• The core is the kernel
o Heart and brains of OS
o Deals with critical system functions
o E.g., hardware interactions, resource allocation, …
o Programs call on kernel for these things

Processes
• For a program, kernel starts a process
o Process is like a “bubble that contains the guts of a running program”
o Kernel creates bubble, inflates it and tries to keep bubbles from popping each other
• User programs, admin tools, services (e.g., Web, email) are processes
o May be 100s to 1000s of active processes
o Kernel juggles these into CPU, manages memory

Processes
• High level view of architecture (figure)

Processes
• Many processes run in background
• Perform system-critical functions
o Printing, network activity, etc.
• Known as “daemons”
o Pronounced “day-muns” or “dee-muns”
o Named based on their function
o E.g., SSH daemon is sshd

Automatic Processes
• Booting: kernel starts init daemon
o Finishes boot process
• Init starts many network processes
o Httpd --- Web server, for http/https
o Sshd --- SSH service
o Sendmail --- common UNIX email server
o NFS --- Network File System for sharing files between UNIX systems

Network Services
• Network service listens to network
o Web server listens on TCP port 80
o Email server listens on TCP port 25
• Wait for incoming traffic
• Lots of email/Web traffic, so they listen constantly
• What about, say, FTP?

Network Services
• To improve efficiency…
• “Internet daemon” listens for uncommon services
o inetd (“I-Net-D”) or xinetd
• When traffic arrives, inetd activates appropriate service
• Uncommon services: echo, chargen, ftpd, telnetd, rsh, rlogin, TFTP, …

inetd
• File /etc/inetd.conf tells inetd what services to listen for: must specify
o Service name --- e.g., telnet (defined in /etc/services)
o Socket type --- type of connection?
o Protocol --- usually tcp or udp
o Wait status --- process handles multiple connections or not
o User name --- name service should run as
o Server program and arguments
• inetd.conf is a target of attacks

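A hardening check a defender would run against this file is to list the entries that are actually enabled and flag the cleartext or legacy ones. The following is an added example, not from the slides, that parses a constructed inetd.conf sample in the six-field layout just described; the sample entries and the RISKY_SERVICES list are my own choices (shell, login and exec are the /etc/services names under which rsh, rlogin and rexec run).

```shell
#!/bin/sh
# Constructed /etc/inetd.conf sample (not from any real host). Field order:
#   service socket-type protocol wait-status user server-program [arguments]
SAMPLE_INETD_CONF='
# comment line: ignored by inetd
#ftp     stream tcp nowait root /usr/sbin/ftpd    ftpd -l
telnet   stream tcp nowait root /usr/sbin/telnetd telnetd
echo     stream tcp nowait root internal
shell    stream tcp nowait root /usr/sbin/rshd    rshd
tftp     dgram  udp wait   root /usr/sbin/tftpd   tftpd -s /tftpboot
ssh      stream tcp nowait root /usr/sbin/sshd    sshd -i
'

# Print one line per enabled (uncommented) entry: service protocol wait user program.
inetd_enabled() {
    printf '%s\n' "$SAMPLE_INETD_CONF" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        NF >= 6 { print $1, $3, $4, $5, $6 }   # "internal" entries have exactly 6 fields
    '
}

# Services that carry logins or data in the clear, or are classic abuse targets
# (the slides list echo, chargen, ftpd, telnetd, rsh, rlogin, TFTP as inetd-managed).
# shell/login/exec are the /etc/services names for rsh/rlogin/rexec.
RISKY_SERVICES='telnet shell login exec ftp tftp echo chargen'

# Print only the enabled entries whose service name is in RISKY_SERVICES.
inetd_risky() {
    inetd_enabled | while read -r svc proto waitst user prog; do
        case " $RISKY_SERVICES " in
            *" $svc "*) printf '%s %s %s\n' "$svc" "$proto" "$prog" ;;
        esac
    done
}

# Number of risky enabled entries, so a script can fail a hardening check on it.
inetd_risky_count() { inetd_risky | wc -l | tr -d ' '; }
```

On a real host, replace the embedded sample with the contents of /etc/inetd.conf; the commented-out ftp line shows that disabling a service is just a matter of commenting its entry, which is also why an attacker who edits this file can silently re-enable one.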
inetd
• Relationship between inetd and other daemons (figure)

cron
• Cron daemon
o Schedules programs to run at predetermined times
o For example, back up files at 3am
• Attackers also like cron
o E.g., shut down critical service at a particular time as part of back door

Processes
• Can also start processes manually
• “path” is searched for command
• To see path: echo $PATH
o Dangerous to have “.” in path
o Why?

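The answer to “Why?” is that the shell searches PATH left to right, so a “.” entry (or an empty entry, which the shell also treats as the current directory) lets a file in whatever directory you happen to be in shadow a real command of the same name. This added example, not from the slides, checks a PATH value for such entries and produces a cleaned copy; the function names are my own.

```shell
#!/bin/sh
# Added example: detect and remove current-directory entries in a PATH value.
# A "." component, or an empty component (leading, trailing or doubled colon),
# both mean "look in the current directory" during command search.

# Return 0 (true) if the PATH string in $1 contains "." or an empty component.
path_has_cwd() {
    # Wrapping in colons makes the first and last components look like the rest.
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# Print each offending component, one per line; "(empty)" for an empty one.
path_cwd_entries() {
    printf '%s\n' "$1" | tr ':' '\n' |
        awk '$0 == "" { print "(empty)" } $0 == "." { print "." }'
}

# Print the PATH with "." and empty components removed (the fix, not just the report).
path_strip_cwd() {
    printf '%s\n' "$1" | tr ':' '\n' | awk '$0 != "" && $0 != "."' | paste -sd: -
}

# Check the live value of this shell; exit status tells a login script whether to warn.
path_has_cwd "$PATH" && echo "warning: PATH searches the current directory"
```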
Interacting with Processes
• Each process has process ID (PID)
• To get info on current processes
o “ps -aux” (all running processes)
o “lsof” (list of open files)
• Can send a signal to a process
o TERM to terminate, HUP to “hang up” (often rereads config), kill, killall, etc.

Accounts
• Need an account to log in
• A process runs with permissions of a given account
• /etc/passwd file
o One line for every account, e.g.,
o sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false

Passwd File
• Each line contains
o Login name
o Hashed/encrypted password
o UID number --- number assigned to account, used to determine permissions of processes
o Default GID --- default group number
o GECOS info --- not used by system, names, etc.
o Home directory --- directory after login
o Login shell --- sh, bash, csh, ksh, or another program

Passwd File
• Passwd file is world readable
o Attackers like to know hashed passwords
o Used for password guessing
• Most modern UNIX systems do not include hashed passwords in passwd file
o Instead, in “shadow” passwd file, /etc/shadow
o Requires super-user privilege to access
• So passwd file contains no passwords…

Password File
• After much searching…
• Found my OS X hashed password is
o 0x3BBC2A94D59EB1D5D3452EA6FA47399B2A25664C
• Where SHA1 hash is used, with salt
o 0x8429A223
• Extra credit: Find my password!

Groups
• Group users together
• Assign permission to the group
• Stored in file /etc/group, format is
o Group name
o Hashed group password --- never used
o GID number --- used by the system instead of group name
o Group members --- by login names

Root
• Root account is all-powerful user
• Maximum privilege --- can read, write any file
• Root == superuser or “God”
• UID == 0
o “root” could be called anything, provided UID is 0
o Can be multiple root accounts

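Putting the passwd-file slides together (one line per account, the seven colon-separated fields, the shadow file, and the fact that any UID-0 account is root whatever it is called), here is an added example, not from the slides, that audits a constructed /etc/passwd sample for the things an administrator checks first; the entries and the NOT_A_REAL_HASH_PLACEHOLDER value are made up.

```shell
#!/bin/sh
# Constructed /etc/passwd sample (not from a real system). Field order:
#   login:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
fred:x:1000:1000:Fred:/home/fred:/bin/bash
toor:x:0:0:second superuser:/root:/bin/sh
legacy:NOT_A_REAL_HASH_PLACEHOLDER:1001:1001:old account:/home/legacy:/bin/sh
guest::1002:1002:no password at all:/home/guest:/bin/sh'

# Every login with UID 0: each one is root, whatever its name.
passwd_uid0() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 { print $1 }'
}

# Logins whose second field still holds a hash in the world-readable file.
# "x" means "the hash is in /etc/shadow"; "*", "!" and "!!" mean the account is locked.
passwd_unshadowed() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" { print $1 }'
}

# Logins with an empty password field: no password is required at all.
passwd_nopassword() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$2 == "" { print $1 }'
}

# Logins that get an interactive shell rather than nologin/false
# (service accounts such as sshd above should not appear here).
passwd_interactive() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }'
}
```

To run the same checks on a live host, replace SAMPLE_PASSWD with the contents of /etc/passwd; the UID-0 list is the one to compare against what you expect, since a second superuser such as toor is exactly the kind of entry the Root slide warns about.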
Permissions
• Every file has an owner and group
• Owner (or root) sets permissions
o Permissions: owner, group, everybody
o For each of the 3, read, write, execute
o Use “ls -l” to see permissions
-rw-r--r-- 1 markstam markstam 767 Feb 6 19:31 cs286.txt
drwxr-xr-x 40 markstam markstam 1360 Jan 25 17:33 docs

Permissions (figure)

Permissions
• Change permissions using chmod
o “change modes”
• Give new permissions in octal
o For example: chmod 745 foo
o This corresponds to: rwxr--r-x

SetUID
• Sometimes user needs to access a file and they do not have permissions
o Example: to change password (assuming hashes stored in shadow file)
• SetUID == Set User ID
• Use this so program will execute with permission of its owner
o As opposed to permission of user executing it
o Password changing program: SetUID root

SetUID
• Gives “common” users lots of power
o OK if used in controlled way for specific tasks
• SetUID permissions appear before 9 standard permission bits
o In fact, 3 additional bits
o SetUID, SetGID, “sticky bit”
o For example: chmod 4745 foo
o Shows up in “ls -l” as an s:
-r-sr-xr-x 1 root wheel 75636 Jan 11 2007 /usr/bin/passwd

SetUID
• Attackers like SetUID programs
o May be possible to exploit flaws in code (buffer overflow) to elevate privilege
• New/modified SetUID programs may be evidence of attack

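To connect the octal chmod notation with what “ls -l” prints, here is an added example, not from the slides, that expands a three- or four-digit mode into the nine-character permission string, including how SetUID, SetGID and the sticky bit show up as s or t; the function name is my own.

```shell
#!/bin/sh
# Added example: expand an octal chmod mode (745, 4745, ...) into the permission
# string "ls -l" shows. The optional leading digit holds the three extra bits:
# 4 = SetUID, 2 = SetGID, 1 = sticky.
mode_to_symbolic() {
    _m="$1"
    # Pad to four digits so the special-bits digit is always present (745 -> 0745).
    while [ ${#_m} -lt 4 ]; do _m="0$_m"; done
    _special=$(printf '%s' "$_m" | cut -c1)
    _out=""
    _i=2
    while [ "$_i" -le 4 ]; do
        _d=$(printf '%s' "$_m" | cut -c"$_i")
        _r=-; _w=-; _x=-
        [ $((_d & 4)) -ne 0 ] && _r=r
        [ $((_d & 2)) -ne 0 ] && _w=w
        [ $((_d & 1)) -ne 0 ] && _x=x
        # Special bit that belongs to this triple: 4 for owner, 2 for group, 1 for other.
        _bit=$((8 >> (_i - 1)))
        if [ $((_special & _bit)) -ne 0 ]; then
            if [ "$_i" -eq 4 ]; then _s=t; else _s=s; fi
            # Upper case marks a special bit set without the execute bit.
            if [ "$_x" != x ]; then _s=$(printf '%s' "$_s" | tr st ST); fi
            _x=$_s
        fi
        _out="$_out$_r$_w$_x"
        _i=$((_i + 1))
    done
    printf '%s\n' "$_out"
}

# The slides' own cases: 745 is rwxr--r-x, 4745 adds SetUID and shows as rwsr--r-x,
# and /usr/bin/passwd (mode 4555) shows as r-sr-xr-x.
mode_to_symbolic 745
mode_to_symbolic 4745
mode_to_symbolic 4555
```

On a live system, “find / -perm -4000 -type f” lists the SetUID executables, and comparing that list with a saved baseline is how the “new/modified SetUID program” indicator above is checked in practice.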
Trust Relationships
• That is, trust between machines
o Can specify which machines to trust
(figure: Bob trusts Alice)

Trust Relationships
• Unauthenticated access by users from trusted machine
o Since trusted machine (presumably) already authenticated the user
• If trusted, the r-commands (rlogin, rsh, rcp) require no password
o Also, r-commands do not encrypt
• How does Bob know trusted Alice is Alice?

Logs and Audit
• Created by syslog daemon (syslogd)
• Typical log files
o Secure --- logins, successful and failed
o Messages --- catch-all system log
o Individual app logs --- for specific apps

Logs and Audit
• Forensic info also logged
• Attackers like to cover their tracks
• To do so, may need to manipulate…
o utmp --- who is logged in
o wtmp --- record of all logins and logouts
o lastlog --- time and location of each user’s most recent login

Common Network Services
• Telnet --- command line remote access
o No encryption, session can be hijacked, …
• FTP --- file transfer
o Insecure, like telnet
• SSH --- encrypted “tunnel”
o Then safe to use unsafe services
o SSH version 1 insecure, version 2 is good

Common Network Services
• HTTP --- Web
o Source of many attacks
• Email --- sendmail, several security issues
• r-commands --- rlogin, rsh, rcp
o Considered very insecure
• DNS --- domain names to IP addresses
o Critical service, good one for attackers…

Common Network Services
• NFS --- transparently access files across network
o NFS server “exports” directory info
o Local machine can “mount” these, so files appear to be locally accessible
o Like FTP without all of the trouble of FTP-ing
o Of course, exporting too much may be bad
• X-Window System --- X11 (or just “X”)
o The underlying GUI service in UNIX
o X server controls screen, provides service
o Must limit who can display/access your screen

Conclusion
UNIX/Linux
• Popular OSs
• More than 30 years old
• Fundamental part of Internet
• Widely used OSs
• Platform of choice for many attackers
