Linux and UNIX Overview 2
Linux and UNIX Linux and UNIX OSs are…
o Often targets for attackso Often used for launching attacks
So we need to understand basics
Linux and UNIX Overview 3
UNIX A “beautiful but strange beast”
o Developed as research project by AT&T
o More than 35 years oldo Internet was built on UNIXo Recently, popular for desktops, etc.
Linux and UNIX Overview 4
UNIX It’s beautiful because…
o It’s powerful Millions of people have worked on it
o Huge numbers of useful toolso “Been around the block” more than
onceo Closely associated with open sourceo Admins can find lots of useful tools
Linux and UNIX Overview 5
UNIX Strange because so many UNIX OSs Popular variants include
o Solaris by Suno MacOS by Appleo HP-UX by HPo IRIX by sgio AIX by IBMo FreeBSD, free open sourceo OpenBSD, “the #1 most secure” OS
Linux and UNIX Overview 6
UNIX Differences between UNIX variants
o File systems organizationo System calls, commands, command
options, etc. Two main “lines” of UNIX
o AT&T and BSD But some UNIXs are combinations
Linux and UNIX Overview 7
Linux Developed by Linus Torvalds
o Technically, not a variant of UNIXo Created without using any of the underlying
UNIX codeo A “UNIX-like environment”o Strictly speaking, “Linux” is just the kernelo Many Linux “distros”: Debian, Gentoo,
Mandrake, Red Hat, Slackware, SuSE, etc.
Linux and UNIX Overview 8
UNIX Here, generic UNIX/Linux concepts
o Things that apply to most UNIX/Linux UNIX also strange because
o Not designed for ease of useo Think command line, not GUIo Ironically, much simpler than Windows…
If you think Windows is easier, you don’t know Linux…
…and you don’t know Windows
Linux and UNIX Overview 9
UNIX Here, we focus on generic “UNIX”
o Things that apply to most variants Book use “UNIX”, “Linux”
interchangeably Here, we only scratch the surface For more info
o Linux Administration Handbook, by Nemetho Man pages
Linux and UNIX Overview 10
Architecture File system
o Like traveling thru a city…o Directories are like signs leading you
to “buildings” (files) Many things treated as files
o Devices, elements of processes, files
Linux and UNIX Overview 11
File System Top is root directory: / == “slash”
o “cd /” takes you to rooto For example: /home/fred/hack.txt
File hack.txt in directory /home/fred
Linux and UNIX Overview 12
Important Directories / == root (top level), called “slash” /bin, /sbin == critical system exe’s /dev == devices, terminal, CD, etc. /etc == system config files
o Accounts, pwds, network addresses, etc.
/home == user directories
Linux and UNIX Overview 13
Important Directories /lib == shared libraries for programs /mnt == exported file systems temporarily
mounted, removable devices (e.g., USB) /proc == images/data of current processes
o Not on hard drive---can see what kernel is doing /tmp == temporary files /usr == critical system files (utilities, man
pages, …) /var == stores various types of files, often for
administration (log files)
Linux and UNIX Overview 14
Important Directories “.” is current directory “..” is parent directory
o One level up “ls” lists all files in directory “ls -a” lists “.” and “..” too
Linux and UNIX Overview 15
Kernel UNIX and Linux are modular The core is the kernel
o Heart and brains of OSo Deals with critical system functionso E.g., hardware interactions, resource
allocation, … o Programs call on kernel for these
things
Linux and UNIX Overview 16
Processes For program, kernel starts a process
o Process is like a “bubble that contains the guts of a running program”
o Kernel creates bubble, inflates it and tries to keep bubbles from popping each other
User programs, admin tools, services (e.g., Web, email) are processeso May be 100s to 1000s of active processeso Kernel juggles these into CPU, manages
memory
Linux and UNIX Overview 18
Processes Many processes run in background Perform system-critical functions
o Printing, network activity, etc. Known as “daemons”
o Pronounced “day-muns” or “dee-muns”
o Named based on their functiono E.g., SSH daemon is sshd
Linux and UNIX Overview 19
Automatic Processes Booting: kernel starts init daemon
o Finishes boot process Init starts many network processes
o Httpd --- Web server, for http/httpso Sshd --- SSH serviceo Sendmail --- common UNIX email
servero NFS --- Network File System for
sharing files between UNIX systems
Linux and UNIX Overview 20
Network Services Network service listens to network
o Web server listens on TCP port 80o Email server listens on TCP port 25
Wait for incoming traffic Lots of email/Web traffic, so they
listen constantly What about, say, FTP?
Linux and UNIX Overview 21
Network Services To improve efficiency… “Internet daemon” listens for
uncommon serviceso inetd (“I-Net-D”) or xinetd
When traffic arrives, inetd activates appropriate service
Uncommon services: echo, chargen, ftpd, telnetd, rsh, rlogin, TFTP, …
Linux and UNIX Overview 22
inetd File /etc/inetd.conf tells inted what
services to listen for: must specifyo Service name --- e.g., telnet (defined in
/etc/services)o Socket type --- type of connection?o Protocol --- usually tcp or udpo Wait status --- process handles multiple
connection or noto User Name --- name services should run aso Server program and arguments
inetd.conf is target of attacks
Linux and UNIX Overview 24
cron Cron daemon
o Schedule programs to run at predetermined times
o For example, backup files at 3am Attackers also like cron
o E.g., shut down critical service at a particular time as part of back door
Linux and UNIX Overview 25
Processes Can also start processes manually “path” is searched for command To see path: echo $path
o Dangerous to have “.” in patho Why?
Linux and UNIX Overview 26
Interacting with Processes Each process has process ID (PID) To get info on current processes
o “ps -aux” (all running processes)o “lsof” (list of open files)
Can send a signal to a processo TERM to terminate, HUP to “hang up”
(often rereads config), kill, killall, etc.
Linux and UNIX Overview 27
Accounts Need an account to log in A process runs with permissions of a
given account /etc/passwd file
o One line for every account, e.g.,o sshd:*:75:75:sshd Privilege
separation:/var/empty:/usr/bin/false
Linux and UNIX Overview 28
Passwd File Each line contains
o Login nameo Hashed/encrypted passwordo UID number --- number assigned to account,
used to determine permissions of processeso Default GID --- default group numbero GECOS info --- not used by system, names,
etc.o Home directory --- directory after logino Login shell --- sh, bash, csh, ksh, or another
program
Linux and UNIX Overview 29
Passwd File Passwd file is world readable
o Attackers like to know hashed passwordso Used for password guessing
Most modern UNIX systems do not include hashed passwords in passwd fileo Instead, in “shadow” passwd file,
/etc/shadowo Requires super-user privilege to access
So passwd file contains no passwords…
Linux and UNIX Overview 30
Password File After much searching… Found my OS X hashed password
iso 0x3BBC2A94D59EB1D5D3452EA6FA47399B2A25664C
Where SHA1 hash is used, with salt o 0x8429A223
Extra credit: Find my password!
Linux and UNIX Overview 31
Groups Group users together Assign permission to the group Stored in file /etc/group, format is
o Group nameo Hashed group password --- never usedo GID number --- used by the system instead
of group nameo Group members --- by login names
Linux and UNIX Overview 32
Root Root account is all-powerful user Maximum privilege --- can read, write any
file Root == superuser or “God” UID == 0
o “root” could be called anything, provided UID is 0
o Can be multiple root accounts
Linux and UNIX Overview 33
Permissions Every file has an owner and group Owner (or root) sets permissions
o Permissions: owner, group, everybodyo For each of the 3, read, write, executeo Use “ls -l” to see permissions-rw-r--r-- 1 markstam markstam 767 Feb 6 19:31 cs286.txt
drwxr-xr-x 40 markstam markstam 1360 Jan 25 17:33 docs
Linux and UNIX Overview 35
Permissions Change permissions using chmod
o “change modes” Give new permissions in octal
o For example: chmod 745 fooo This corresponds to: rwxr--r-x
Linux and UNIX Overview 36
SetUID Sometimes user needs to access file
and they do not have permissionso Example: to change password (assuming
hashes stored in shadow file) SetUID == Set User ID Use this so program will execute with
permission of it’s ownero As opposed to permission of user executing
ito Password changing program: SetUID root
Linux and UNIX Overview 37
SetUID Gives “common” users lots of power
o OK if used in controlled way for specific tasks SetUID permissions appear before 9
standard permission bitso In fact, 3 additional bitso SetUID, SetGID, “sticky bit”o For example: chmod 4745 fooo Shows up in “ls -l” as an s: -r-sr-xr-x 1 root wheel 75636 Jan 11 2007 /usr/bin/passwd
Linux and UNIX Overview 38
SetUID Attackers like SetUID programs
o May be possible to exploit flaws in code (buffer overflow) to elevate privilege
New/modified SetUID programs may be evidence of attack
Linux and UNIX Overview 39
Trust Relationships That is, trust between machines
o Can specify which machines to trust
BobtrustsAlice
Linux and UNIX Overview 40
Trust Relationships Unauthenticated access by users from
trusted machineo Since trusted machine (presumably) already
authenticated the user If trusted, the r-commands (rlogin, rsh,
rcp) require no passwordo Also, r-commands do not encrypt
How does Bob know trusted Alice is Alice?
Linux and UNIX Overview 41
Logs and Audit Created by syslog daemon
(syslogd) Typical log files
o Secure --- logins, successful and failedo Message --- catch-all system logo Individual app logs --- for specific
apps
Linux and UNIX Overview 42
Logs and Audit Forensic info also logged Attackers like to cover their tracks To do so, may need to manipulate…
o utmp --- who is logged ino wtmp --- record of all logins and
logoutso lastlog --- time and location of each
user’s most recent login
Linux and UNIX Overview 43
Common Network Services Telnet --- command line remote access
o No encryption, session can be hijacked, … FTP --- file transfer
o Insecure, like telnet SSH --- encrypted “tunnel”
o Then safe to use unsafe serviceso SSH version 1 insecure, version 2 is good
Linux and UNIX Overview 44
Common Network Services HTTP --- Web
o Source of many attacks Email --- sendmail, several security
issues r-commands --- rlogin, rsh, rcp
o Considered very insecure DNS --- domain names to IP addresses
o Critical service, good one for attackers…
Linux and UNIX Overview 45
Common Network Services NFS --- transparently access files across
networko NFS server “exports” directory infoo Local machine can “mount” these, so files appear to
be locally accessibleo Like FTP without all of the trouble of FTP-ingo Of course, exporting too much may be bad
X-Window System --- X11 (or just “X”)o The underlying GUI service in UNIXo X server controls screen, provides serviceo Must limit who can display/access your screen
Linux and UNIX Overview 46
Conclusion UNIX/Linux Popular OSs More than 30 years old Fundamental part of Internet Widely used OSs Platform of choice for many attackers