Note

Week 1 was “why you should be interested”, “why you should consider a career in cybersecurity”, “facts about cyber security”, and the usual introduction/course overview.

Info

We are using a VM from SeedLabs. To follow along, use the instructions on this site.

Software Security - Linux Security Basics

Outline

  1. Users and groups
  2. Permissions and access control
  3. Running commands with privilege
  4. Authentication

Users and groups

Users

  • In Linux, each user is assigned a unique user ID
  • User ID is stored in /etc/passwd
    • Each line has the following format: username:password:UID:GID:comment:home_directory:shell
    • username: login name of the user, must be unique
    • password: historically stored the hashed password, modern systems store an x here, indicating that the hashed password is stored in /etc/shadow
    • UID (user ID): numerical identifier for the user, 0 is reserved for root user
    • GID (group ID): numerical identifier for the user’s primary group, group details stored in /etc/group file
    • comment: usually contains description of the user
    • home_directory: path to the user’s home directory
    • shell: the user’s default shell, usually /bin/bash or /bin/zsh
root:x:0:0:root:/root:/bin/bash
seed:x:1000:1000:SEED,,,:/home/seed:/bin/bash
  • Find user ID
seed@seedvm:~$ id
uid=1000(seed) gid=1000(seed)
groups=1000(seed),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)
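The /etc/passwd format above is simple enough to check by hand, but the checks an administrator actually runs over it (who has UID 0, who can log in, which entries are malformed) are easier to see in code. The following is an added example, not part of the course notes or the SeedLabs VM; PASSWD_SAMPLE is constructed sample data in the same seven-field format, including a second UID-0 account and an entry with an empty password field so that the checks have something to find.

```sh
# Added example, not from the course notes: parse /etc/passwd-format lines
# with awk and run the checks an administrator would run over that file.
# PASSWD_SAMPLE is constructed sample data, not a real system's file.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
seed:x:1000:1000:SEED,,,:/home/seed:/bin/bash
bob:x:1001:1001:Bob,,,:/home/bob:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
toor:x:0:0:second admin:/root:/bin/sh'

# Print "username UID GID shell" for every entry (fields 1, 3, 4 and 7).
passwd_summary() {
    printf '%s\n' "$1" | awk -F: '{ print $1, $3, $4, $7 }'
}

# Every account whose UID is 0 has full root privilege regardless of its
# name. On a healthy system only root should be listed.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Accounts whose shell allows an interactive login (not nologin or false).
login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Entries with the wrong number of fields, or an empty password field,
# which means no password is required to log in as that user.
suspicious_entries() {
    printf '%s\n' "$1" | awk -F: 'NF != 7 || $2 == "" { print NR ": " $0 }'
}

# To run the same checks on a real system: uid0_accounts "$(cat /etc/passwd)"
```

On the sample data, uid0_accounts reports root and toor, login_accounts leaves out daemon because of its nologin shell, and suspicious_entries reports line 5 (guest) for its empty password field.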

Add Users & Switch to Other Users

  • Add Users
    • Directly add to /etc/passwd
    • Use adduser {username} command
  • Switch to other user
    • Use su {username} command
seed@seedvm:~$ sudo adduser bob
Adding user `bob' ...
Adding new group `bob' (1001) ...
Adding new user `bob' (1001) with group `bob' ...
Creating home directory `/home/bob' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for bob
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y
seed@seedvm:~$ su bob
Password: 
bob@seedvm:/home/seed$ 

Group

  • Represents a collection of users
  • Assigning permissions based on groups
  • A user can belong to multiple groups
  • A user’s primary group is in /etc/passwd

If a user has multiple groups which have conflicting permissions, which permissions are the user granted?

Which group does a user belong to?

seed@seedvm:~$ grep seed /etc/group
adm:x:4:syslog,seed
cdrom:x:24:seed
sudo:x:27:seed
dip:x:30:seed
plugdev:x:46:seed
lxd:x:110:seed
seed:x:1000:
docker:x:999:seed
 
seed@seedvm:~$ groups
seed adm cdrom sudo dip plugdev lxd
 
seed@seedvm:~$ id
uid=1000(seed) gid=1000(seed) groups=1000(seed),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

Group Management

How to create a group and add users to it:

$ sudo groupadd alpha         # create a group alpha
$ sudo usermod -a -G alpha seed  # add seed to alpha
$ sudo usermod -a -G alpha bob   # add bob to alpha

Permissions and access control

Principles

Least Privilege Principle

  • Each user is only assigned the minimum permissions necessary to execute the task successfully

Need To Know Principle

  • Each user is only given access to the objects/resources that they need to execute the task successfully

Access Control

  • Computer system is a collection of
    • Resources or objects
    • Users or subjects
  • Access Control
    • Field of computer security that defines the way the subjects access the objects
    • Discretionary access control (DAC)
    • Role-based access control (RBAC)
      • Used by most enterprises (Sun Life used them)
    • Mandatory access control (MAC)
      • Users are assigned tags or “clearance” values, which grant permissions and access (e.g. Top Secret)
    • Attribute-based access control (ABAC) or policy-based access control
      • Granted permissions based on attributes (location (wifi, company computer), etc.)

Traditional Permission Model

  • Types of access on files
    • read (r): user can view the contents of the file
    • write (w): user can change the contents of the file
    • execute (x): user can execute or run the file if it is a program or script
  • Types of access on directories
    • read (r): user can list the contents of the directory (e.g., using ls)
    • write (w): user can create files and sub-directories inside the directory
    • execute (x): user can enter that directory (e.g., using cd)

File Permissions

-rw-rw-r-- seed abc 1802 Feb 6 11:39 xyz

  • - (first character): type of file, possible values include:
    • -: regular file
    • d: directory
    • l: symbolic link
    • c: character device file
    • b: block device file
    • p: named pipe (FIFO)
    • s: socket
  • Permissions
    • rw- (first): owner
      • meaning the user (me) has access to read and write, but not execute
    • rw- (second): group
      • meaning members of the group “abc” have access to read and write, but not execute
    • r-- (third): other
      • meaning that other users/groups have access to read, but not write or execute
  • seed: owner of file/directory
  • abc: group associated with the file/directory
  • 1802: size of the file in bytes
  • Feb 6 11:39 when the file was last modified
  • xyz file/directory name

Decoding the mode

  • chmod to change the permissions of a file or directory
  • Absolute mode
    • Use the numeric system
    • chmod 755 somefile
  • Relative mode
    • user (u), group (g), and others (o)
    • + sign to add a permission
    • - sign to remove a permission
    • r, w, x to specify what permissions you want to set
    • chmod +x somefile
    • chmod u+rwx,g+r,o-r somefile
Binary   Octal        String Representation   Permissions
000      0 (0+0+0)    ---                     None
001      1 (0+0+1)    --x                     Execute
010      2 (0+2+0)    -w-                     Write
011      3 (0+2+1)    -wx                     Write + Execute
100      4 (4+0+0)    r--                     Read
101      5 (4+0+1)    r-x                     Read + Execute
110      6 (4+2+0)    rw-                     Read + Write
111      7 (4+2+1)    rwx                     Read + Write + Execute
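The table is the whole conversion rule: each rwx triplet is one octal digit built from the weights 4, 2 and 1. The following is an added example, not from the course notes, that performs the conversion in both directions and then applies a mode with chmod to a scratch file and reads it back from the mode column of ls -l; the function names are my own.

```sh
# Added example, not from the course notes: convert a 3-digit octal mode to
# its rwx string and back, then apply a mode with chmod and read it back.

# One octal digit (0-7) -> its rwx triplet, using the 4/2/1 weights.
digit_to_rwx() {
    d=$1; r='-'; w='-'; x='-'
    if [ $(( d & 4 )) -ne 0 ]; then r='r'; fi
    if [ $(( d & 2 )) -ne 0 ]; then w='w'; fi
    if [ $(( d & 1 )) -ne 0 ]; then x='x'; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# "755" -> "rwxr-xr-x": owner digit, then group digit, then other digit.
# Expects exactly three decimal-looking digits (no leading 0, no
# setuid/setgid/sticky digit), since 0755 would be read as octal 493.
octal_to_symbolic() {
    m=$1
    printf '%s%s%s\n' \
        "$(digit_to_rwx $(( m / 100 )))" \
        "$(digit_to_rwx $(( m / 10 % 10 )))" \
        "$(digit_to_rwx $(( m % 10 )))"
}

# "rwxr-xr-x" -> "755": each triplet is summed from the letters it contains.
symbolic_to_octal() {
    s=$1; out=''
    for start in 1 4 7; do
        t=$(printf '%s' "$s" | cut -c"$start-$(( start + 2 ))")
        v=0
        case $t in r??) v=$(( v + 4 )) ;; esac
        case $t in ?w?) v=$(( v + 2 )) ;; esac
        case $t in ??x) v=$(( v + 1 )) ;; esac
        out="$out$v"
    done
    printf '%s\n' "$out"
}

# Apply a mode to a scratch file and read it back from the mode column of
# ls -l (characters 2-10 are the nine permission characters; character 1
# is the file type shown in the File Permissions section).
apply_and_read_mode() {
    f=$(mktemp)
    chmod "$1" "$f"
    ls -l "$f" | cut -c2-10
    rm -f "$f"
}
```

apply_and_read_mode 640 prints rw-r-----, the same string octal_to_symbolic 640 computes from the table, which is a quick way to confirm that chmod in absolute mode did what you expected.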

Access Control List (ACL)

  • Extend the traditional Linux access control model
  • Assign permissions to individual users/groups
  • Coexist with the traditional permission model
$ getfacl example
# file: example
# owner: seed
# group: seed
user::rw-
group::rw-
other::r--

ACL Commands

setfacl {-m, -x} {u, g}:<name>:[r, w, x] <file, directory>
$ setfacl -m u:alice:r-- example
$ setfacl -m g:faculty:rw- example
$ getfacl example
# file: example
# owner: seed
# group: seed
user::rw-
user:alice:r--
group::rw-
group:faculty:rw-
mask::rw-
other::r--
-rw-rw-r--+ 1 seed seed 1050 Feb 7 10:57 example
        # ^ the + indicates that ACLs are defined

Reminder

Google “Zero Trust List”

Running commands with privilege

Why

Three command mechanisms:

  • sudo
  • Set-UID programs (covered in separate chapter)
  • POSIX capabilities

Using sudo

  • sudo: Super-user Do
  • Run commands as a superuser
  • A user must be authorized (/etc/sudoers)
  • Here is how the seed user is allowed to run sudo:
%sudo ALL=(ALL:ALL) ALL
  • X ALL=(ALL:ALL) ALL
    • ALL: indicates that this rule applies to all hosts
    • ALL: indicates that X can run commands as all users
    • ALL: indicates that X can run commands as all groups
    • ALL: indicates that these rules apply to all commands
sudo:x:27:seed
  • Both examples:
    • sudo: the sudo group, not command
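The four fields of a sudoers rule are easier to keep straight when they are pulled apart by a program. The following is an added example, not from the course notes, that splits a rule of the simple form shown above (who, host, runas user and group, commands) into named fields and flags rules that amount to unrestricted root, which is exactly what the %sudo rule grants. It handles only that form; tags, aliases and comma-separated lists are outside its scope, and the function names are my own.

```sh
# Added example, not from the course notes: split a sudoers rule of the form
# "who host=(runas_user:runas_group) commands" into its fields and flag rules
# that amount to unrestricted root. Only this simple form is handled.
parse_sudoers_rule() {
    line=$1
    who=${line%% *}                      # user, or %group
    rest=${line#* }                      # "ALL=(ALL:ALL) ALL"
    host=${rest%%=*}                     # hosts the rule applies on
    spec=${rest#*=}                      # "(ALL:ALL) ALL"
    runas=${spec%%)*}; runas=${runas#\(} # "ALL:ALL"
    cmds=${spec#*) }                     # commands that may be run
    case $runas in
        *:*) runas_user=${runas%%:*}; runas_group=${runas#*:} ;;
        *)   runas_user=$runas; runas_group='' ;;   # "(user)" form: no group part
    esac
    printf 'who=%s host=%s runas_user=%s runas_group=%s commands=%s\n' \
        "$who" "$host" "$runas_user" "$runas_group" "$cmds"
}

# Returns 0 (true) when the rule lets its subject run any command as any
# user on any host, i.e. full root, as the %sudo rule on the SEED VM does.
grants_full_root() {
    parse_sudoers_rule "$1" | grep -q 'host=ALL runas_user=ALL .*commands=ALL$'
}
```

parse_sudoers_rule '%sudo ALL=(ALL:ALL) ALL' prints who=%sudo host=ALL runas_user=ALL runas_group=ALL commands=ALL, while a narrower rule such as bob ALL=(root) /usr/bin/systemctl parses with runas_group empty and is not flagged by grants_full_root.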

Getting Root Shell

Note

  • In Ubuntu 20.04, the root user account is locked
  • Cannot log into the root account
  • There are many ways to get a root shell
    • sudo -s
    • sudo bash
    • sudo su
  • Rule of Thumb
    • It is not recommended to run commands using a root shell
    • Instead, use sudo to run individual commands

Running Command Using Another User

  • run command using another user (instead of root, default)
  • -u option
sudo -u bob id

POSIX Capabilities

  • Divide the root privilege into smaller privilege units
  • Known as capabilities
  • Use man capabilities to find all the capabilities
    • Entire user manual, very long
    • Examples below
CAP_CHOWN: Make arbitrary changes to file UIDs and GIDs.
CAP_DAC_OVERRIDE: Bypass file read/write/execute permissions checks.
CAP_DAC_READ_SEARCH: Bypass file read permissions checks ...
CAP_NET_RAW: Use RAW and PACKET sockets ...

Example: ping

  • The ping program
    • Uses raw socket that requires privilege
    • Has the CAP_NET_RAW capability set
$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
  • Ping program used to have Set-UID privilege
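getcap shows the capabilities attached to a file; what a running process actually holds is exposed by the kernel as hexadecimal bitmasks in /proc/<pid>/status (CapEff for the effective set). The following is an added example, not from the course notes, that decodes such a mask into capability names using the kernel's numbering (bit 0 is CAP_CHOWN, bit 13 is CAP_NET_RAW, and so on for the 41 capabilities defined as of Linux 5.9); the function names are my own.

```sh
# Added example, not from the course notes: decode the hexadecimal capability
# mask that the kernel exposes in /proc/<pid>/status (CapEff, CapPrm, ...)
# into capability names, so a process's privilege can be read without getcap.
# Names are listed in kernel bit order: bit 0 = CAP_CHOWN ... bit 40 =
# CAP_CHECKPOINT_RESTORE (the 41 capabilities defined as of Linux 5.9).
CAP_NAMES='cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore'

# "0000000000002000" -> "cap_net_raw" (bit 13 set); "0000000000000007" ->
# the first three capabilities; an all-zero mask prints an empty line.
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0; out=''
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$name"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# Effective capabilities of a running process (Linux only; reads procfs).
# A plain unprivileged shell prints an empty line; a root shell prints all 41.
effective_caps_of() {
    pid=${1:-self}
    hex=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status")
    decode_caps "$hex"
}
```

Read together with the getcap output above: cap_net_raw+ep means the file carries CAP_NET_RAW in its permitted (p) and effective (e) sets, so a ping process started from it shows bit 13 set in CapEff, and nothing else, which is the point of splitting root into capabilities instead of making the binary Set-UID.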

Authentication

Authentication Methods

  • A process to verify a user’s identity
  • Typical authentication methods:
    • Based on something the user knows:
      • e.g. password
    • Based on something the user has:
      • e.g. ID Card, authentication app (cell phone)
    • Based on something the user is or does:
      • e.g. touch ID, facial recognition
  • Multi-factor Authentication
    • 2FA is considered secure, but it has been defeated by social engineering attacks that exploit human factors

The Password File

  • Each entry contains a user account information
  • Password is not stored here
root:x:0:0:root:/root:/bin/bash
seed:x:1000:1000:SEED,,,:/home/seed:/bin/bash
bob:x:1001:1001:Bob,,,:/home/bob:/bin/bash

The Shadow File

  • Store password hashed
  • Multiple algorithms
    • $1$: MD5
    • $2a$: Blowfish
    • $2y$: Eksblowfish
    • $5$: SHA-256
    • $6$: SHA-512
username:$6$abcdefghijklmnopqrstuv$hashedpassword:19000:0:99999:7:::

The Purpose of Salt

  • Random string
  • Defeat brute-force attacks
    • dictionary attack, rainbow table attack
  • These 3 accounts have the same password
seed: $6$n8DimvsbIgU0OxbDSYZ0h1EA... (omitted) ...wFd0:18590:0:
alice: $6$.1CMCeSFZd8/8QZ1SQhfhId... (omitted) ...Sga.:18664:0:
bob: $6$NOLhqomO3yNwyFsZ$K.Q1/KnP... (omitted) ...b8v.:18664:0:

Locking Account

  • Invalid value in the password field
  • The root account is locked
root:!:18590:0:99999:7:::
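The three sections above (the shadow file format, the salt, and locked accounts) all come down to reading the second field of a shadow entry. The following is an added example, not from the course notes, that parses shadow-format lines, names the algorithm from the $id$ prefix, extracts the salt, and classifies each account as set, locked or passwordless. SHADOW_SAMPLE is constructed data with placeholder hashes (the salts are made up in the same 16-character style as the bob entry above); the function names are my own.

```sh
# Added example, not from the course notes: parse /etc/shadow-format entries,
# identify the hash algorithm from the $id$ prefix, pull out the salt, and
# classify each account as locked, passwordless ("empty") or set.
# SHADOW_SAMPLE is constructed data with placeholder hashes, not real hashes.
SHADOW_SAMPLE='root:!:18590:0:99999:7:::
seed:$6$n8DimvsbIgU0OxbD$PLACEHOLDERHASHaaaaaaaaaaaaaaaa:18590:0:99999:7:::
bob:$6$NOLhqomO3yNwyFsZ$PLACEHOLDERHASHbbbbbbbbbbbbbbbb:18664:0:99999:7:::
guest::18664:0:99999:7:::
sshd:*:18590:0:99999:7:::'

# Algorithm name from the $id$ prefix of a crypt(3) string.
hash_algorithm() {
    case $1 in
        '$1$'*)  echo MD5 ;;
        '$2a$'*) echo Blowfish ;;
        '$2y$'*) echo Eksblowfish ;;
        '$5$'*)  echo SHA-256 ;;
        '$6$'*)  echo SHA-512 ;;
        '$y$'*)  echo yescrypt ;;   # used by newer distributions; not in the list above
        *)       echo none ;;       # empty, locked, or unrecognised
    esac
}

# The salt is the text between the second and third '$'. Two accounts with
# the same password but different salts get different hashes.
shadow_salt() {
    printf '%s\n' "$1" | awk -F'$' '{ print $3 }'
}

# "locked" when the field starts with ! or * (no hash can ever match, which
# is how root is locked on Ubuntu 20.04), "empty" when no password is
# required at all, "set" otherwise.
account_state() {
    case $1 in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# One report line per entry: user, state, algorithm, salt, last-change day.
# IFS=: keeps empty fields, so "guest::..." yields an empty password field.
shadow_report() {
    printf '%s\n' "$1" | while IFS=: read -r user pw lastchg _rest; do
        printf '%s state=%s algo=%s salt=%s lastchange=%s\n' "$user" \
            "$(account_state "$pw")" "$(hash_algorithm "$pw")" \
            "$(shadow_salt "$pw")" "$lastchg"
    done
}
```

shadow_report "$SHADOW_SAMPLE" prints root and sshd as locked, guest as empty (an account anyone can log into without a password, the first thing to look for when auditing this file), and seed and bob as set with SHA-512 and different salts. Against a real system it needs root to read /etc/shadow: shadow_report "$(sudo cat /etc/shadow)".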