Security Protocols and Standards 07a: Linux Security (Kernel)

Slide 1: Security Protocols and Standards 07a, Linux Security (Kernel). 2008-10.

Slide 2: Users and files: from POST to sh.

Slide 3: Authentication and authorization; PAM (Pluggable Authentication Modules); SUID (permissions, setuid, etc.).

Slide 4: Authentication answers "who is who"; authorization answers "what may they do". Means of authentication: something based on a password, a token, a card, a fingerprint, a voice print, and so on. Methods of authorization: the access control matrix, ACLs (ACL/ACM).

Slide 5: Traditional AA: every application manages authentication and authorization by itself. PAM: one standard library. PAM in Linux.

Slide 6: PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone infrastructure, PAM first appeared from an open-source, Linux-PAM, development in Red Hat Linux 3.0.4 in August 1996. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard.

Slide 7: Before PAM, every application required its own security and authentication mechanism.

Slide 8: The question every application has to answer: "is this user authorized to use me?"

Slide 10: PAM service modules are shared objects that the dynamic linker loads into the application at run time, so a program that uses PAM is dynamically linked. (Dynamic linking does necessitate a recovery mechanism to address potential problems in the linker or in shared libraries. One way of implementing a recovery mechanism is to supply a /rescue directory that contains statically linked versions of important system binaries. This method is used in both NetBSD and FreeBSD.)

Slide 11: PAM has four parts. The first is libpam, the library that implements the PAM API. The second is the PAM configuration, /etc/pam.conf (or the per-service files under /etc/pam.d/). The third is a set of dynamically loadable binary objects, the service modules that are called to do the actual authentication work. The last is the set of system commands that use the PAM API, such as login, su, etc.

Slide 12: The application-side API:

    #include <security/pam_appl.h>
    int pam_start(...);
    int pam_end(...);
    const char *pam_strerror(...);
    pam_set_item();  pam_get_item();
    pam_authenticate();  pam_chauthtok();

Slide 14: pam_login is written specifically for PAM authentication. It is based on the version from the util-linux package, from which all code for non-PAM support was removed. Instead, support for the most important features of the login program from the shadow suite was added. Source: pam_login-3.14.tar.bz2.

Slide 15: X/Open Single Sign-on Service (XSSO), Pluggable Authentication Modules.

Slide 16: Authorization in Linux is built on one exception: root is allowed to do everything. Once logged in, users cannot change their identity, except through a SUID program, which allows them to run a command as someone else (most often root).

Slide 17: User id and group id: see /etc/passwd (and /etc/shadow) and /etc/group.

    # cat /etc/passwd
    # cat /etc/group

Slide 18:

    linden@localhost $ ll
    total 0
    -rw-rw-r-- 1 linden linden 0 2007-12-10 20:28 my.doc

The first character is the file type (d directory, l symbolic link, b block device, c character device, - regular file); the next nine are the permission bits, r | w | x, with s in place of x when the SUID/SGID bit is set.

Slide 19: What each bit means on a file versus a directory:

    Perm    File                                      Directory
    r       read                                      list the entries
    w       change the content                        change the content (create/remove entries)
    x       execute                                   can cd into it
    SUID    program runs with the effective user ID   N/A
            of the file's owner
    SGID    program runs with the effective group ID  files created in the dir inherit
            of the file's owner                       the same GID as the dir
    Sticky  N/A                                       only the owner of a file (or the owner
                                                      of the dir) may delete files in this dir

Slide 20: The tools: ls -l (show), chmod (set permission bits), chown (change owner and group), chgrp (change group ownership), umask (default bits masked off new files).

Slide 21: Sometimes a user without the right privilege needs to complete a task. An example is the passwd program, which lets a user change their own password; that requires changing the password field in /etc/passwd. The system administrator would never grant ordinary users the right to change that file directly, because that is definitely not a good idea. SUID/SGID came into being to solve this problem: UNIX allows a program to be granted the superuser's privileges while it is executing, returning to the ordinary user's privileges when it finishes. The idea was good enough that AT&T patented it. A SUID/SGID program can change its credentials at run time with setuid(); when it calls setuid() with effective UID 0, the real, effective and saved UIDs are all set at once.

Slide 23: Examples of SUID programs. passwd: allows users to update the /etc/shadow file. mount: allows users to mount a floppy or CD. su: runs a shell as another user, after the password is supplied. sudo: runs a particular command as another user. Various games (to track high scores). All SUID programs should be known to the administrator and checked/updated for security problems.

Slide 24: Finding SUID files (mode bit 4000) and SGID files (mode bit 2000):

    # find /usr/bin -type f -perm -4000 -print     (SUID)
    # find /usr/bin -type f -perm -2000 -print     (SGID)

Slide 25: Files writable by anyone (or by the whole group) may be left over from an intrusion; so may files without an owner.

    # find . -perm -2 -print         (world-writable)
    # find . -perm -20 -print        (group-writable)
    # find /dev -nouser -print
    # find /dev -nogroup -print

Slide 26: Layers of protection: CMOS password; LILO/GRUB password; disk/partition encryption; virtual disks; file permissions; access control; privileged operations; event auditing.

Slide 27: Where to find the source: the Debian package source directories, Fedora 8, Red Hat Enterprise Linux 5.

Slide 28: Tools for reading source: LXR first; Source Insight or Source Navigator also work. LXR can be installed locally, or one of the public LXR sites on the web can be used. The local temporary LXR (2.6.21.5) is out of date.

Slide 30: Power button, power on, BIOS self test, password. Power-on password vs. CMOS setup password. Typical keys to enter CMOS setup: Del, F1, F2, Tab, Esc. BIOS / password / CMOS battery (removing the battery clears the stored password).

Slide 31: Single-user mode. Set a password in /etc/lilo.conf:

    restricted
    password=a3xsf8d

How the lilo password takes effect: read the lilo sources, bootsect.S, bsect.c, lilo.c (lilo_22.6.1.orig.tar.gz).

Slide 32: GRUB's password mechanism, in /boot/grub/grub.conf. With `password --md5 <hash>` the password must be entered before grub can be operated further; alternatively a password can be enabled for a single entry, and `password <pw> /boot/grub/menu-admin.lst` switches to an alternate menu file once the password has been given. The `lock` option is also available. The md5 hash is produced with grub-md5-crypt. Source: grub_0.97.orig.tar.gz.

Slide 33: The kernel image is read into memory by lilo/grub (Linux once had its own bootsect), decompressed, relocated, and control jumps into the kernel, which runs from start_kernel(). The kernel does its essential initialization, then creates kernel thread 1, init, which loads /sbin/init (configured by /etc/inittab).

Slide 34: The kernel then starts the user process init:

    start_kernel();
      rest_init();
        kernel_thread(init, NULL, CLONE_KERNEL);   -> init()
          run_init_process("/sbin/init");
            execve(init_filename, argv_init, envp_init);

init reads its configuration file. A few lines from /etc/inittab:

    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3

Slide 35: Source: sysvinit_2.86.ds1.orig.tar.gz.

Slide 36: Where mingetty comes from:

    # rpm -qf /sbin/mingetty
    mingetty-1.06-2

Google("mingetty"), then the Debian software package directories; download mingetty_0.9.4.orig.tar.gz, which contains the single source file mingetty.c (also mingetty_1.07.orig.tar.gz).

Slide 37: In mingetty.c:

    do_prompt();   /* show login prompt, optionally preceded by /etc/issue contents */
    open_tty();    /* set up tty as standard input, output, error */
    while ((logname = get_logname()) == 0)
        ;
    execl(_PATH_LOGIN, _PATH_LOGIN, "--", logname, NULL);

That is: read the user name from the given tty, then start the login program.

Slide 38: /dev/tty0, /dev/pts/0. tty_init, vty_init, kbd_init. From the kernel's tty code:

    static struct cdev tty_cdev, console_cdev;
    #ifdef CONFIG_UNIX98_PTYS
    static struct cdev ptmx_cdev;
    #endif
    #ifdef CONFIG_VT
    static struct cdev vc0_cdev;
    #endif

Slide 39: In login.c:

    retcode = pam_get_item(pamh, PAM_USER, (const void **) &username);
    ...
    pp = getpass(_("Password: "));
    p = crypt(pp, salt);                      /* hash the typed password */
    memset(pp, 0, strlen(pp));                /* wipe the cleartext */
    if (pwd && !strcmp(p, pwd->pw_passwd))    /* hashes match */
        break;

The user gets several chances to enter the password, but with deliberate delays; after several failures login exits, and init starts mingetty again.

Slide 40:

    childPid = fork();
    if (childPid) {
        wait(NULL);      /* the login process waits for the shell */
        exit(0);
    }
    /* below: the child, which becomes the user's shell */
    setsid();
    opentty(ttyn);
    setuid(pwd->pw_uid);
    chdir(pwd->pw_dir);
    execvp("/bin/sh", ...);   /* argv: "-sh", "-c", "exec <pwd->pw_shell>" */

Slide 41: login.c with PAM: shadow_4.0.18.1.orig.tar.gz.

Slide 42: setuid()/setgid() enter sys_setuid(); setreuid()/setregid() enter sys_setreuid(). The credentials live in the PCB (struct task_struct):

    /* process credentials */
    uid_t uid, euid, suid, fsuid;
    gid_t gid, egid, sgid, fsgid;
    int ngroups;
    gid_t groups[NGROUPS];
    kernel_cap_t cap_effective, cap_inheritable, cap_permitted;
    int keep_capabilities:1;
    struct user_struct *user;

Slide 43: Bash.

Slide 44: When a user uses a file, how does the Linux kernel use the permission information to do access control? The user's identity vs. the file's permission bits. A typical data file is -rw-r--r--: readable and writable by its owner, read-only for everyone else.

    int fd = open("my_or_your_", r|w|x, m);

opens the file for reading/writing/executing; if a new file is created, mode gives its permission bits. In the kernel:

    long sys_open(filename, flags, mode)

Slide 45: The call chain: sys_open() -> filp_open() -> open_namei() -> may_open() -> permission().

Slide 46:

    int permission(struct inode *inode, int mask, struct nameidata *nd)
    {
        int retval;
        int submask;

        /* Ordinary permission routines do not understand MAY_APPEND. */
        submask = mask & ~MAY_APPEND;
        if (inode->i_op && inode->i_op->permission)
            retval = inode->i_op->permission(inode, submask, nd);
        else
            retval = vfs_permission(inode, submask);
        if (retval)
            return retval;

        return security_inode_permission(inode, mask, nd);
    }

Slide 47: Which of these functions could be modified to give a particular user arbitrary permissions? sys_open()? permission()? vfs_permission()? security_inode_permission()?

Slide 48: /etc/passwd has two ordinary users, linden and susan: linden:x:500:500:/home/
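The fork/setsid/setuid/exec sequence of slide 40 and the uid/euid/suid slots of slide 42 are where a privilege-dropping bug lives or dies. The following is an added example, not code from the lecture, from shadow or from util-linux: it performs the same credential switch as login's child, in the one order that cannot be undone, and then verifies that no saved uid is left to climb back to. drop_privileges(), privileges_dropped() and run_as() are names invented for this example; the target uid/gid in main() are the caller's own so the program also runs unprivileged.

```c
/* Added example: irreversible privilege drop in the style of login.c's child.
 * Build: cc -o dropdemo dropdemo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Move the real, effective and saved uid/gid to (uid, gid). Order matters:
 * supplementary groups first, then the gid, then the uid, because once the
 * effective uid is no longer 0 the process may no longer change its groups.
 * setuid() called while the effective uid is 0 sets all three uid slots at
 * once, which is what makes the change permanent. Returns 0 or -errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID; an already unprivileged caller skips it. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    return 0;
}

/* Return 1 if every uid and gid slot holds the target (so there is no saved
 * id to come back to) and, unless the target is root itself, setuid(0) is
 * refused. Return 0 otherwise. A program that only called seteuid() would
 * fail this check: its saved uid would still be 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must fail with EPERM */
        return 0;
    return 1;
}

/* The login.c pattern: fork, drop privileges in the child, exec the program,
 * and hand the child's exit status back to the parent. Returns that status,
 * or -1 if the child could not drop privileges or could not be reaped. */
int run_as(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid, gid))
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Stand-alone demo: drop to the caller's own ids (works unprivileged too)
     * and run `id` so the resulting credentials are visible. */
    char *const argv[] = { "id", NULL };
    int rc = run_as(getuid(), getgid(), argv);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as root with a non-zero target uid, the child's `id` shows that uid only, and privileges_dropped() confirms setuid(0) is refused; the check is the part login.c on slide 40 lacks, since it calls setuid() and never looks at the result.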
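The question on slide 47 is easier to reason about once the discretionary check behind vfs_permission() is written out. The following is an added example, not code from the lecture or from the kernel: a user-space model of that check, run on constructed inodes and credentials, so the owner-before-group-before-other precedence and the root exception can be exercised directly. dac_permission(), dac_check(), struct model_inode and struct model_cred are names invented here; the MAY_* values are the kernel's. One caveat the model makes visible: of the four candidates on slide 47, security_inode_permission() is the LSM hook, which runs only after the DAC check has already returned 0 and can therefore only deny, never grant.

```c
/* Added example: user-space model of the UNIX DAC check vfs_permission() does. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MAY_EXEC   1
#define MAY_WRITE  2
#define MAY_READ   4
#define MAY_APPEND 8

#define MODEL_NGROUPS 8

struct model_cred {            /* the PCB fields that DAC looks at */
    uid_t fsuid;
    gid_t fsgid;
    int   ngroups;
    gid_t groups[MODEL_NGROUPS];
};

struct model_inode {           /* the struct inode fields that DAC looks at */
    uid_t  uid;
    gid_t  gid;
    mode_t mode;               /* S_IFMT type bits plus the permission bits */
};

static bool in_group(const struct model_cred *c, gid_t g)
{
    if (c->fsgid == g)
        return true;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Return 0 if the access in mask is permitted, -EACCES otherwise. */
int dac_permission(const struct model_inode *in, const struct model_cred *c, int mask)
{
    mode_t mode = in->mode;

    /* Like permission() on slide 46, the ordinary routine ignores MAY_APPEND. */
    mask &= MAY_READ | MAY_WRITE | MAY_EXEC;

    /* Exactly one rwx triple applies, chosen in this order: owner, then
     * group, then other. An owner whose own bits deny the access is denied
     * even if the group or other bits would have allowed it. */
    if (c->fsuid == in->uid)
        mode >>= 6;
    else if (in_group(c, in->gid))
        mode >>= 3;
    if ((mask & ~(mode & 7)) == 0)      /* every requested bit is granted */
        return 0;

    /* The root exception, which the kernel expresses as CAP_DAC_OVERRIDE:
     * read and write always; execute only on a directory or on a file that
     * has at least one x bit set for someone. */
    if (c->fsuid == 0 &&
        (!(mask & MAY_EXEC) || S_ISDIR(in->mode) || (in->mode & 0111)))
        return 0;

    return -EACCES;
}

/* Convenience wrapper: one inode, one credential, no supplementary groups. */
int dac_check(uid_t file_uid, gid_t file_gid, mode_t mode,
              uid_t fsuid, gid_t fsgid, int mask)
{
    struct model_inode in = { file_uid, file_gid, mode };
    struct model_cred  c  = { fsuid, fsgid, 0, { 0 } };
    return dac_permission(&in, &c, mask);
}

int main(void)
{
    /* The lecture's users: linden (uid 500) owns my.doc as -rw-r--r--,
     * susan (uid 501) is another ordinary user, and root is root. */
    const mode_t my_doc = S_IFREG | 0644;
    printf("linden write my.doc: %d\n", dac_check(500, 500, my_doc, 500, 500, MAY_WRITE));
    printf("susan  write my.doc: %d\n", dac_check(500, 500, my_doc, 501, 501, MAY_WRITE));
    printf("root   write my.doc: %d\n", dac_check(500, 500, my_doc, 0, 0, MAY_WRITE));
    printf("root   exec  my.doc: %d\n", dac_check(500, 500, my_doc, 0, 0, MAY_EXEC));
    return 0;
}
```

The owner-precedence rule is the one people get wrong when reasoning about a backdoored permission() function: a file with mode 0044 is readable by everyone except its owner, and a patch that simply skips the check for one uid changes exactly this precedence, which is the kind of anomaly a file-permission audit can be written to look for.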
