《{安全生产管理}安全协议与标准PPT55页》由会员分享,可在线阅读,更多相关《{安全生产管理}安全协议与标准PPT55页(55页珍藏版)》请在金锄头文库上搜索。
1、安全协议与标准, 2008, 10,Linux安全的实现机制,用户与文件 从POST到sh,用户级安全,认证、授权Authentication、Authorization PAMPluggable Authentication Modules SUID Permission setuid etc,基本概念,认证/鉴别Authentication 谁是谁 授权Authorization 能干什么 鉴别手段 基于口令/令牌/卡/指纹/声音等信息 授权方法 访问控制矩阵 ACL/ACM,PAM,传统的AA 应用程序自己管理 PAM 标准库 PAM in Linux,PAM history,PAM w
2、as first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone infrastructure, PAM first appeared from an open-source, Linux-PAM, development i
3、n Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard.,鉴别
4、Authentication before PAM,Every application required its own security and authentication mechanism.,鉴别 Authentication with PAM,“is this user authorized to use me?”,PAM框架,PAM impl,PAM is used, for example, to dynamically link system binaries. (Dynamic linking does necessitate a recovery mechanism to
5、address potential problems in the linker or in shared libraries. One way of implementing a recovery mechanism is to supply a /rescue directory that contains statically linked versions of important system binaries. This method is used in both NetBSD and FreeBSD.),PAM有四部分组成,第一部分是libpam,是实现PAM API的库, 第
6、二部分是PAM配置文件,/etc/pam.conf, 第三部分有一套动态可装载两进位对象组成,常常用来调用一些处理实际鉴别(authentication)工作的服务模块。 最后模块是使用PAM API的系统命令组成,如login,us,ftp,telnet etc,PAM API,#include #include int pam_start (.); int pam_end (.); const char *pam_strerror (.); pam_set_item(); pam_get_item(); pam_authenticate(); pam_chauthtok(); ,PAM_L
7、OGIN,PAM例子导读,授权 Principles of Authorization,Authorization in Linux based on file permissions Exception: root is allowed to do everything Once logged in, users cannot change their identity except through a SUID program, which allows them to run a command as someone else (most often root),user rest_in
8、it(); kernel_thread(init, NULL, CLONE_KERNEL); = init() run_init_process(/sbin/init); execve(init_filename, argv_init, envp_init); init读取配置文件inittab /etc/inittab中的几行: # Run gettys in standard runlevels 1:2345:respawn:/sbin/mingetty tty1 2:2345:respawn:/sbin/mingetty tty2 3:2345:respawn:/sbin/mingett
9、y tty3 ,System-V,http:/packages.debian.org/etch/sysvinit,mingetty,查mingetty的来历 #rpm -qf /sbin/mingetty mingetty-1.06-2 Google(“mingetty”) Debian software package directories http:/packages.debian.org/stable/admin/mingetty 下载 mingetty_0.9.4.orig.tar.gz 得到唯一的mingetty.c,mingetty,in mingetty.c do_prompt
10、();/ show login prompt, optionally preceded by /etc/issue contents open_tty (); / set up tty as standard input, output, error while (logname = get_logname () = 0); execl (_PATH_LOGIN, _PATH_LOGIN, -, logname, NULL); 说明:从指定的tty获得用户名,并启动login程序,ALT+F1/F2/F6/F7/F8,/dev/tty0 /dev/pts/0 tty_init vty_init
11、 kbd_init,2419 static struct cdev tty_cdev, console_cdev; 2420 #ifdef CONFIG_UNIX98_PTYS 2421 static struct cdev ptmx_cdev; 2422 #endif 2423 #ifdef CONFIG_VT 2424 static struct cdev vc0_cdev; 2425 #endif,login,in login.c retcode = pam_get_item(pamh, PAM_USER, (const void *) 用户可以有几次机会输入口令 但是会有故意的延迟 数
12、次失败,则退出 init会把mingetty再次起动,login.c关键部分缩写, childPid = fork(); if (childPid) wait(NULL);/ login进程等着 exit(0); / 下面是子进程(用户的shell) setsid(); opentty(ttyn); setuid(pwd-pw_uid); chdir(pwd-pw_dir); execvp(/bin/sh -sh -c exec %pwd-pw_shell%, .); ,login.c in shadow_4.0.18.1.orig.tar.gz,http:/packages.debian.o
13、rg/etch/login PAM,PCB: uid, setuid, ,setuid()/setgid() sys_setuid() setreuid()/setregid()sys_setreuid() in PCB 404 /* process credentials */ 405 uid_t uid,euid,suid,fsuid; 406 gid_t gid,egid,sgid,fsgid; 407 int ngroups; 408 gid_t groupsNGROUPS; 409 kernel_cap_t cap_effective, cap_inheritable, cap_pe
14、rmitted; 410 int keep_capabilities:1; 411 struct user_struct *user;,bash,Bash http:/packages.debian.org/etch/bash,试图访问一个自己的或者别人的文件,用户使用文件时linux内核是怎样使用权限信息做访问控制的? 用户身份 vs. 文件的权限信息 典型数据文件:-rw-r-r-,自己可读写,别人只读 int fd = open(“my_or_your_file_name”, r|w|x, m); 打开文件准备用来读/写/执行 如果创建新文件,则mode指示了其权限属性 long sys
15、_open(filename, flags, mode),sys_open()/permission() and more,sys_open() filp_open() open_namei() may_open() permission(),permission(),207 int permission(struct inode * inode,int mask, struct nameidata *nd) 208 int retval; 210 int submask; 212 / Ordinary permission routines do not understand APPEND.
16、 213 submask = mask 223 ,k?,在某个函数中对代码适当修改可以允许特定用户有任意权限 ? sys_open() ? permission() ? vfs_permission() ? security_inode_permission(),尝试改 permission() !,在/etc/passwd有两个普通用户linden和susan linden:x:500:500:/home/linden:/bin/bash susan:x:501:501:/home/susan:/bin/bash 在permission()开头添加一行: if (current-uid = 500) return 0; / add by linden # make/ 速度很快的 # make modules_install # make install # reboot,-,用linden登录,发现linden有访问如何文件的特权 vi /et
