Embed Size (px)
Citation preview
Operating Systems Security
Managing Users & Permissions in Linux/UNIX
Computer Security & OS lab.
Cho, Seong-je (조성제)
Fall, 2018
sjcho at dankook.ac.kr
524870, F’18- 2 -
Contents
Permissions = Access rights
Readable, Writable, eXectuable, setuid, setgid, sticky, …
Protection & Security Protection
Defining what is allowed
Controlling who gets access to what
A protection system dictates whether an action is allowed for a subject,
object
Security
Enforcing a protection policy
» In the face of adversaries
SetUID
Computer Security & OS Lab.
524870, F’18- 3 -
References
UNIX Security: setuid and chroot - Static Security Analysis with MOPS, VitalyShmatikov
Secure Architecture Principles, CS 155, Spring 2016, John Mitchell, (Introduction to Programming)
Computer Security, CS 426, Lecture 9, Unix Access Control, Fall 2010/Lecture9 (426_Fall10_lect09.ppt)
Security, Andrew Whitaker, CSE451, (os-security.ppt)
https://courses.cs.washington.edu/courses/cse451/.../os-security.pp
How to write a Setuid Program, Matt Bishop, UC Davis
Computer Security & OS Lab.
524870, F’18- 4 -
Background
Permissions = Access rights
R/W/X bits, SetUID/SetGID/Sticky bits
UID, GID
/etc/passwd, /etc/shadow,
Administrator’s UID = ? (administrator = root = Super user)
Commands
uname -a, id, ls –l, ls –i,
chmod, chown, chgrp,
Set-UID privileged programs
passwd, su, chsh, lpr, sendmail,
System calls
getuid(), setuid(), seteuid(), setreuid(), setresuid()
getresuid, getresgid - get real, effective and saved user/group IDs
getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
Computer Security & OS Lab.
524870, F’18- 5 -
Users and Superuser in UNIX/Linux
Computer Security & OS Lab.
A user has username, group name, password
Root is an administrator / superuser (UID 0)• Can read and write any file or system resource (network,
etc.)
• Can modify the operating system
• Can become any other user– Execute commands under any other user’s ID
• Can the superuser read passwords?
shmat, UID 13630 prof, GID 30 “WouldntchaLikeToKnow”
524870, F’18- 6 -
Root = Superuser
Root account is all-powerful user
Maximum privilege --- can read, write any file
Root == superuser or “God” Root acts as an owner for all files
UID == 0
“root” could be called anything, provided UID is 0
Can be multiple root accounts
Computer Security & OS Lab.
524870, F’18- 7 -
Access Control in UNIX/Linux
Everything is a file• Files are laid out in a tree
• Each file with associated with an inode data structure
• Each file has a unique inode number
inode records OS management information about the file• UID and GID of the file owner
• Type, size, location on disk
• Time of last access (atime), last inode modification (ctime), last file contents modification (mtime)
• Permission bits (12 bits per each file)
• r, w, x, s, t
Computer Security & OS Lab.
524870, F’18- 8 -
Permissions
Every file has an owner and group
Owner (or root) sets permissionso Permissions: owner, group, everybody
o For each of the 3, read, write, execute
o Use “ls -l” to see permissions
-rw-r--r-- 1 markstam markstam 767 Feb 6 19:31 cs286.txt
drwxr-xr-x 40 markstam markstam 1360 Jan 25 17:33 docs
Computer Security & OS Lab.
524870, F’18- 9 -
UNIX Permission Bits
Computer Security & OS Lab.
Access rights of everybody else
Access rights of group members
-rw-r--r-- 1 shmat prof 116 Sep 5 11:05 midterm.tex
File type
- regular file
d directory
b block file
c character file
l symbolic link
p pipe
s socket
Access rights of file owner
Permission bits
r read
w write
x execute (if directory, traverse it)
s setuid, setgid (if directory, files have gid of dir owner)
t sticky bit (if directory, append-only)
524870, F’18- 10 -
Permissions
Change permissions using chmod “change modes”
Give new permissions in octal For example: chmod 745 foo
This corresponds to: rwxr--r-x
Each file (object) has owner
group
12 permission bits rwx for owner, rwx for group, and rwx for others
SetUID, SetGID, “sticky bit”
Computer Security & OS Lab.
524870, F’18- 11 -
User IDs and SetUID
Each process has three user IDs:Real: the user who invoked the process
Effective: the user for access control
Saved: a previous user ID
setuid changes the effective userWhich is the one that matters for security
Two ways to invoke setuid(), seteuid() system call
setuid bit
changes the effective user into the file owner
All programs run as a particular user The user must have “execute” privilege
A program can change its user by invoking a setuid
Computer Security & OS Lab.
524870, F’18- 12 -
SetUID
Sometimes user needs to access file and they do not have permissions Example: to change password (assuming hashes stored in shadow
file)
SetUID == Set User ID
Use this so program will execute with permission of it’s owner As opposed to permission of user executing it
Password changing program: SetUID root
Gives “common” users lots of power OK if used in controlled way for specific tasks
Computer Security & OS Lab.
524870, F’18- 13 -
SetUID bit
permissions-rwxr-x--- 1 jane staff 23054 Sep 10 17:30 /home/jane/a.out
-rw-r----- 1 root root 3302 Aug 17 12:54 /etc/passwd
-rw-r----- 1 root shadow 1101 Feb 7 15:18 /etc/shadow
-rwxr-xr-x 1 root roor 108708 Jan 17 2012 /bin/ls
How can Jane change her password?
SetUID permissions o Shows up in “ls -l” as an s:
-r-sr-xr-x 1 root wheel 75636 Jan 11 2007 /usr/bin/passwd*
-r-sr-xr-x 1 root sys 25144 May 25 2007 /usr/bin/su*
-rwsr-sr-x 1 root root 34780 Oct 2 2012 /bin/ping
Computer Security & OS Lab.
524870, F’18- 14 -
SetUID bit
chmod command
For example: chmod 4745 foo
Computer Security & OS Lab.
source: http://eunguru.tistory.com/115
524870, F’18- 15 -
SetUid Root
Many programs run as “setuid root” Can be invoked by anybody
But, run as root
Example: /usr/bin/passwd Passwords stored in a file
Users do not have access to this file
But, they need the ability to change a password
Other examples: sudo, su, lpr
setuid root is extremely dangerous A compromised setuid program can basically do anything
Attackers like SetUID programs
o May be possible to exploit flaws in code (buffer overflow) to elevate privilege
New/modified SetUID programs may be evidence of attack
Computer Security & OS Lab.
524870, F’18- 16 -
User IDs in UNIX/Linux
Each process has a real UID (ruid), effective UID (euid), saved UID (suid); similar for GIDs• Real: ID of the user who started the process
• Effective: ID that determines effective access rights of the process
• Saved: used to swap IDs, gaining or losing privileges
If an executable’s setuid bit is set, it will run with effective privileges of its owner, not the user who started it• E.g., when I run passwd, real UID is shmat (13630), effective UID is root
(0), saved UID is shmat (13630)
Computer Security & OS Lab.
524870, F’18- 17 -
Example of used ids
Computer Security & OS Lab.
…;…;exec( );
RUID 25 SetUID
program
…;…;i=getruid()setuid(i);…;…;
RUID 25EUID 18
RUID 25EUID 25
-rw-r--r--
file
-rw-r--r--file
Owner 18
Owner 25
read/write
read/write
Owner 18
524870, F’18- 18 -
User ids
Domain transition
Computer Security & OS Lab.
524870, F’18- 19 -
Dropping and Acquiring Privilege
To acquire privilege, assign privileged UID to effective ID
To drop privilege temporarily, remove privileged UID from effective ID and store it in saved ID• Can restore it later from saved ID
To drop privilege permanently, remove privileged UID from both effective and saved ID
Computer Security & OS Lab.
524870, F’18- 20 -
Setting UIDs Inside Processes
setuid(newuid) • If process has “appropriate privileges”, set effective, real, and saved ids
to newuid
• Otherwise, if newuid is the same as real or saved id, set effective id to newuid (Solaris and Linux), or set effective, real, and saved ids to newuid (BSD)
What does “appropriate privileges” mean?• Solaris: euid=0 (i.e., process is running as root)
• Linux: process has special SETUID capability
– Note that setuid(geteuid()) will fail if euid{0,ruid,suid}
• BSD: euid=0 OR newuid=geteuid()
Computer Security & OS Lab.
524870, F’18- 21 -
More setuid Magic
seteuid(neweuid) • Allowed if euid=0, OR if neweuid is ruid or suid, OR if neweuid is euid
(Solaris and Linux only)
• Sets effective ID, leaves real and saved IDs unchanged
setreuid(newruid, neweuid)• Sets real and effective IDs
• Can also set saved ID under some circumstances
– Linux: if real ID is set OR effective ID is not equal to previous real ID, then store new effective ID in saved ID
setresuid(newruid, neweuid, newsuid)• Sets real, effective, and saved IDs
It’s better to refer online manual on your system.
Computer Security & OS Lab.
524870, F’18- 22 -
Basic UNIX/Linux Security Mechanisms
setuid() allows a system process to run with higher privileges than those of the user who invoked it• Enables controlled access to system resources such as email, printers,
etc.
• 99% of local vulnerabilities in UNIX systems exploit setuid-rootprograms to obtain root privileges
– The other 1% target the OS itself
chroot() confines a user process to a portion of the file system
Computer Security & OS Lab.
524870, F’18- 23 -
Principle of Least Privilege
Each program should be given the minimum privilege to accomplish its task
setuid root is a flagrant violation of this
Least privilege for passwd: read and write the password file
Privilege afforded by root: modify any file in the system; inspect kernel memory; access any I/O device; etc.
Flagrant: 명백한, 행동이노골적인
Computer Security & OS Lab.
524870, F’18- 24 -
Why Can’t We Enforce Least Privilege?
The policy is too complex
Which files can a web browser access?
Which files can a web server access?
The mechanisms are not sufficient
For example, no way to control network accesses
In the end, usability wins out over security
Computer Security & OS Lab.
524870, F’18- 25 -
File Access Mode
Octal argument of chmod
setuid: 4000
setgid: 2000
stiky: 1000
Computer Security & OS Lab.
suid sgid sticky bit
non-executable files
no effect affect locking
(unimportant for us)
not used anymore
executable files
change euid when executing the file
change egid when executing the file
not used anymore
directories no effect new files inherit group of the directory
only the owner of a file can delete
524870, F’18- 26 -
Summary
Basic buffer overflows
Stack structure
Stack overflow / Stack smashing
shellcode
Permissions Least privilege
Setuid programs Escalation of privilege
Hands-on experience with LoB A Guide to Linux Privilege Escalation
https://payatu.com/guide-linux-privilege-escalation/
Computer Security & OS Lab.
