Security Protocols and Standards 07a - Linux Security (Kernel)

Uploader: xmg****18  Document ID: 280653550  Uploaded: 2022-04-22  Format: PPT  Pages: 55  Size: 4.58MB

2008-10  Users and files: from POST to sh

Authentication and authorization; PAM (Pluggable Authentication Modules); SUID; permissions, setuid etc.

Authentication (identification): who is who. Authorization: what they may do. Authentication means: information such as a password, token, card, fingerprint or voice. Authorization method: an access control matrix, ACL/ACM.

Traditional AA: each application manages its own. PAM: a standard library.

PAM in Linux. PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone infrastructure, PAM first appeared from an open-source, Linux-PAM, development in Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on standard.

Before PAM, every application required its own security and authentication mechanism ("is this user authorized to use me?"). With PAM the policy lives in modules that system binaries such as login load dynamically at run time, so the policy is changed by editing configuration rather than by rebuilding the program.

PAM has four parts. The first is libpam, the library that implements the PAM API. The second is the PAM configuration file, /etc/pam.conf (or, on current systems, one file per service under /etc/pam.d/). The third is a set of dynamically loadable binary objects, the service modules that are called to do the actual authentication work. The last is the set of system commands that use the PAM API, such as login, su, ftp, telnet etc.

The application side of the API (header <security/pam_appl.h>):
    int pam_start(...);
    int pam_end(...);
    const char *pam_strerror(...);
    pam_set_item, pam_get_item, pam_authenticate, pam_chauthtok, ...

pam_login is written specifically for PAM authentication. It is based on the version from the util-linux package, from which all code for non-PAM support was removed. Instead, support for the most important features of the login program from the shadow suite was added.

X/Open Single Sign-on Service - Pluggable Authentication Modules

Authorization in Linux is based on file permissions. Exception: root is allowed to do everything. Once logged in, users cannot change their identity, except through a SUID program, which allows them to run a command as someone else.

user / user id, group / group id:
    # cat /etc/passwd      (password hashes live in /etc/shadow)
    # cat /etc/group

    linden@localhost $ ll
    total 0
    -rw-rw-r-- 1 linden linden 0 2007-12-10 20:28 my.doc

The first character gives the type: d | l | b | c (directory, symbolic link, block device, character device). The next nine are r w x for owner, group and others; the x position shows s when the set-uid/set-gid bit is set and t for the sticky bit.

    Perm     File                                      Directory
    r        read                                      list entries
    w        change                                    change contents (create or remove entries)
    x        execute                                   can cd into it
    SUID     program runs with the effective           N/A
             user ID of the owner
    SGID     program runs with the effective           files created in the dir inherit
             GID of the owner                          the same GID as the dir
    sticky   N/A                                       only the owner of the file (and the
                                                       owner of the dir) may delete files in it

    # ls -l
    # chmod     # set file permissions
    # chown     # change file owner and group
    # chgrp     # change group ownership
    # umask     # default permission mask for newly created files

Sometimes an unprivileged user needs to complete a task that requires privilege. One example is the passwd program, which lets users change their own password; that requires writing the password field of /etc/passwd (today, /etc/shadow). But the administrator must never give ordinary users the right to write that file directly, because that is a thoroughly bad idea. SUID/SGID was invented to solve this: UNIX lets a program be granted privilege, so that while it executes it runs with the superuser's privileges, and when it finishes the user is back to ordinary privileges. The idea was good enough that AT&T patented it. While it runs, a SUID/SGID program can change its user IDs (real, effective and saved) with setuid() and related calls; that is how such a program gives up its privilege once the privileged step is done.

Examples of SUID programs: passwd (allows users to update the /etc/shadow file); mount (allows users to mount a floppy or CD); su (runs a shell as another user, after supplying the password); sudo (runs a particular command as another user); various games. All SUID programs should be known to the administrator and checked/updated for security problems.
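Giving the privilege back, as an added example that is not from the slides: a SUID program runs as the file's owner, does its privileged step, then drops to the invoking user permanently and verifies that root cannot be regained. The function names drop_to, regain_blocked and check_drop are mine; setresuid/getresuid, setresgid/getresgid and setgroups are the Linux calls. Run without the SUID bit it simply confirms the checks pass for the invoking user; installed set-uid root, it shows the euid change.

```c
/* suid_drop.c: permanently drop privileges in a set-user-ID program and
 * verify the drop. Added example; helper names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to (uid, gid) so that real, effective AND saved IDs all change.
 * Order matters: supplementary groups, then gid, then uid, because once
 * the uid is unprivileged the group calls would fail with EPERM.
 * Returns 0 only when every ID reads back as the target, -1 otherwise. */
int drop_to(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Only root may call setgroups(); if it is refused (e.g. inside a user
     * namespace) the list must already be empty, otherwise we fail. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0 && getgroups(0, NULL) > 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Never trust the return value alone: read the IDs back. */
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (ru != uid || eu != uid || su != uid)
        return -1;
    if (rg != gid || eg != gid || sg != gid)
        return -1;
    return 0;
}

/* After a permanent drop to a non-root uid, becoming root again must fail
 * with EPERM. Returns 1 if blocked, 0 if it succeeded (the drop was only
 * temporary, e.g. seteuid() left saved uid 0), -1 if uid is 0 (untestable). */
int regain_blocked(uid_t uid)
{
    if (uid == 0)
        return -1;
    if (setresuid(0, 0, 0) == 0)
        return 0;
    return errno == EPERM ? 1 : 0;
}

/* 0 = dropped and regaining is blocked; 1 = dropped, regain test skipped
 * because the target is root; -1 = something failed (abort the program). */
int check_drop(uid_t uid, gid_t gid)
{
    if (drop_to(uid, gid) != 0)
        return -1;
    switch (regain_blocked(uid)) {
    case 1:  return 0;
    case -1: return 1;
    default: return -1;
    }
}

int main(void)
{
    uid_t ruid = getuid();   /* the invoking user, even when set-uid root */
    gid_t rgid = getgid();

    printf("before: ruid=%u euid=%u\n", (unsigned)ruid, (unsigned)geteuid());
    /* privileged work (open the protected file, bind the port, ...) goes here */
    int rc = check_drop(ruid, rgid);
    printf("after:  ruid=%u euid=%u  check_drop=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), rc);
    return rc < 0 ? 1 : 0;
}
```

The classic mistake this detects is calling seteuid(getuid()) and believing the privilege is gone: the saved set-user-ID stays 0, so any later code path (or an attacker who gets code execution in the process) can call setuid(0) and is root again. regain_blocked() fails loudly in that case.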

Finding files with the SUID bit set (octal 4000):
    # find /usr/bin -type f -perm -4000 -print
SGID files (octal 2000):
    # find /usr/bin -type f -perm -2000 -print
Files anyone can write to, possibly left behind by an intrusion:
    # find . -perm -2 -print
Group-writable files:
    # find . -perm -20 -print
Files with no owner or no group:
    # find /dev -nouser -print
    # find /dev -nogroup -print

Layers of protection: CMOS password; LILO/GRUB password; disk/partition encryption; virtual disks; file permissions; access control; privileged operations; event auditing.

Searching Debian package sources: /debian.org/distrib/packages#search_packages. Fedora 8; Red Hat Enterprise Linux 5.
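The find invocations above, as an added C example that is not from the slides: decode st_mode into the ten-character ls -l string and flag SUID, SGID, world-writable, group-writable and ownerless files, walking a tree with nftw() the way find does. The AUD_* flag names, classify_mode(), classify() and audit_tree() are my own; the mode bits and library calls are standard.

```c
/* perm_audit.c: ls-style mode decoding plus the checks behind
 * find -perm -4000 / -2000 / -2 / -20 / -nouser / -nogroup.
 * Added example; the AUD_* names and audit_tree() are assumptions. */
#define _GNU_SOURCE
#include <ftw.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

enum {
    AUD_SUID        = 1 << 0,  /* -perm -4000 */
    AUD_SGID        = 1 << 1,  /* -perm -2000 */
    AUD_WORLD_WRITE = 1 << 2,  /* -perm -2, except sticky directories like /tmp */
    AUD_GROUP_WRITE = 1 << 3,  /* -perm -20 */
    AUD_NO_USER     = 1 << 4,  /* -nouser */
    AUD_NO_GROUP    = 1 << 5   /* -nogroup */
};

/* Render mode bits as the 10-character ls -l string, e.g. "-rwsr-xr-x".
 * The type table is indexed by the S_IFMT nibble: p c d b - l s. */
void mode_string(mode_t m, char out[11])
{
    const char *types = "?pc?d?b?-?l?s???";
    out[0] = types[(m >> 12) & 0xf];
    out[1] = (m & S_IRUSR) ? 'r' : '-';
    out[2] = (m & S_IWUSR) ? 'w' : '-';
    out[3] = (m & S_ISUID) ? ((m & S_IXUSR) ? 's' : 'S') : ((m & S_IXUSR) ? 'x' : '-');
    out[4] = (m & S_IRGRP) ? 'r' : '-';
    out[5] = (m & S_IWGRP) ? 'w' : '-';
    out[6] = (m & S_ISGID) ? ((m & S_IXGRP) ? 's' : 'S') : ((m & S_IXGRP) ? 'x' : '-');
    out[7] = (m & S_IROTH) ? 'r' : '-';
    out[8] = (m & S_IWOTH) ? 'w' : '-';
    out[9] = (m & S_ISVTX) ? ((m & S_IXOTH) ? 't' : 'T') : ((m & S_IXOTH) ? 'x' : '-');
    out[10] = '\0';
}

/* Pure mode-bit checks (no filesystem access), so they can be tested
 * on constructed modes. */
unsigned classify_mode(mode_t m)
{
    unsigned f = 0;
    if (m & S_ISUID) f |= AUD_SUID;
    if (m & S_ISGID) f |= AUD_SGID;
    /* a world-writable directory is expected only together with the sticky bit */
    if ((m & S_IWOTH) && !(S_ISDIR(m) && (m & S_ISVTX))) f |= AUD_WORLD_WRITE;
    if (m & S_IWGRP) f |= AUD_GROUP_WRITE;
    return f;
}

/* Adds the ownership checks: a uid/gid with no passwd/group entry. */
unsigned classify(const struct stat *st)
{
    unsigned f = classify_mode(st->st_mode);
    if (getpwuid(st->st_uid) == NULL) f |= AUD_NO_USER;
    if (getgrgid(st->st_gid) == NULL) f |= AUD_NO_GROUP;
    return f;
}

static int report(const char *path, const struct stat *st, int typeflag, struct FTW *ftw)
{
    char ms[11];
    unsigned f = classify(st);
    (void)typeflag; (void)ftw;

    if (!S_ISREG(st->st_mode))   /* -type f: set-id bits only matter on executables */
        f &= ~(unsigned)(AUD_SUID | AUD_SGID);
    if (f == 0)
        return 0;
    mode_string(st->st_mode, ms);
    printf("%s %5u %5u%s%s%s%s%s%s %s\n", ms,
           (unsigned)st->st_uid, (unsigned)st->st_gid,
           (f & AUD_SUID) ? " SUID" : "", (f & AUD_SGID) ? " SGID" : "",
           (f & AUD_WORLD_WRITE) ? " WORLD-WRITABLE" : "",
           (f & AUD_GROUP_WRITE) ? " group-writable" : "",
           (f & AUD_NO_USER) ? " NO-USER" : "", (f & AUD_NO_GROUP) ? " NO-GROUP" : "",
           path);
    return 0;                    /* keep walking */
}

/* FTW_PHYS: never follow symlinks, so a planted link cannot redirect the
 * audit; FTW_MOUNT: stay on one filesystem, as find -xdev would. */
int audit_tree(const char *root)
{
    return nftw(root, report, 16, FTW_PHYS | FTW_MOUNT);
}

int main(int argc, char **argv)
{
    return audit_tree(argc > 1 ? argv[1] : "/usr/bin") == 0 ? 0 : 1;
}
```

Run it as ./perm_audit /usr/bin and diff the output against a baseline taken at install time; a new SUID binary or a world-writable file that was not there before is exactly the "remnant of an intrusion" the slide warns about.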

Tools for reading source: LXR first; Source Insight or Source Navigator are alternatives. LXR can be installed locally, or a public LXR on the net can be used (the slide's URL is missing; the lxr.linux.no instance is cited below). A local temporary LXR exists but is out of date.

Boot: power button -> power on -> BIOS self test -> password. Power-on password vs. CMOS (setup) password. Typical keys to enter CMOS setup: Del, F1, F2, Tab, Esc. BIOS password / CMOS password / CMOS battery (pulling the battery clears the setting). Single-user mode.

LILO: set a password in lilo.conf (the slide gives the path as /?/lilo.conf):
    restricted
    password=a3xsf8d
How the LILO password takes effect: read the LILO sources, bootsect.S, bsect.c, lilo.c.

GRUB's password mechanism, in /boot/grub/grub.conf:
    password --md5 <hash>
The password must then be typed before GRUB's interactive commands can be used. Alternatively a password can be set on a single entry, or the password can switch to a separate, restricted menu file:
    password /boot/grub/menu-admin.lst
There is also the lock option, which refuses to boot an entry until the password has been given. To produce the md5 hash for grub.conf, run grub-md5crypt.

The kernel image is loaded by LILO/GRUB (early Linux had its own bootsect) into memory, decompressed, relocated, and control jumps to the kernel, which runs from start_kernel:
    /lxr.linux.no/linux/init/main.c#L513
    /211.87.235.73/lxr/source/init/main.c#L502
The kernel performs its essential initialization, then creates kernel thread number 1, init, which loads /sbin/init; its configuration file is /etc/inittab. The kernel thus starts the user process init:
    start_kernel -> rest_init -> kernel_thread (= init) -> run_init_process -> execve
init reads its configuration file, inittab. A few lines from /etc/inittab:
    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3

Where mingetty comes from:
    # rpm -qf /sbin/mingetty
    mingetty-1.06-2
Google or the Debian software package directories give the download: a single source file, mingetty.c. In mingetty.c:
    do_prompt();    /* show login prompt, optionally preceded by /etc/issue contents */
    open_tty();     /* set up tty as standard input, output, error */
    while ((logname = get_logname()) == 0)
        ;
    execl(...);
That is: read the user name from the given tty, then exec the login program.

/dev/tty0, /dev/pts/0. tty_init -> vty_init -> kbd_init. From the kernel's tty driver source (the slide stops mid-declaration):
    static struct cdev tty_cdev, console_cdev;
    #ifdef CONFIG_UNIX98_PTYS
    static struct
